[Git][security-tracker-team/security-tracker][master] Add CVE-2022-45136/apache-jena
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c3f5d05 by Salvatore Bonaccorso at 2022-11-15T07:52:44+01:00 Add CVE-2022-45136/apache-jena - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -916,7 +916,9 @@ CVE-2022-45138 CVE-2022-45137 RESERVED CVE-2022-45136 (** UNSUPPORTED WHEN ASSIGNED ** Apache Jena SDB 3.17.0 and earlier is ...) - TODO: check + - apache-jena + NOTE: https://www.openwall.com/lists/oss-security/2022/11/14/5 + TODO: check correctness/details if src:apache-jena affected CVE-2022-45135 RESERVED CVE-2022-43668 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c3f5d052447900adc4a3e3628c33d356f0358b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c3f5d052447900adc4a3e3628c33d356f0358b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
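Review bot: the new "- apache-jena" line marks src:apache-jena as affected while the TODO added right below it still asks whether the package is affected at all; the CVE text scopes the issue to Apache Jena SDB 3.17.0 and earlier, so the TODO should be resolved by checking whether the SDB module is actually built from src:apache-jena before the package is left tracked as unfixed, and the entry switched to a not-affected or NOT-FOR-US marker if it is not.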
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-39353/node-xmldom
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f402348f by Salvatore Bonaccorso at 2022-11-15T07:46:21+01:00 Add CVE-2022-39353/node-xmldom - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18158,7 +18158,9 @@ CVE-2022-39355 (Discourse Patreon enables syncronization between Discourse Group CVE-2022-39354 (SputnikVM, also called evm, is a Rust implementation of Ethereum Virtu ...) NOT-FOR-US: Rust crate evm CVE-2022-39353 (xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) ...) - TODO: check + - node-xmldom + NOTE: https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 + NOTE: https://github.com/jindw/xmldom/issues/150 CVE-2022-39352 (OpenFGA is a high-performance authorization/permission engine inspired ...) NOT-FOR-US: OpenFGA CVE-2022-39351 (Dependency-Track is a Component Analysis platform that allows organiza ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f402348f9c7e92b49f6956cbca51f94d3c0695b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f402348f9c7e92b49f6956cbca51f94d3c0695b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
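Review bot: "- node-xmldom" is added with neither a fixed Debian version nor a bug reference, and the two NOTE lines do not record the upstream fixed version either; the referenced advisory GHSA-crh6-fp67-6883 is where the patched release should be taken from, so a "NOTE: Fixed in ..." line, a fixed version or at least a bug # would make the entry actionable instead of silently tracking the package as unfixed.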
[Git][security-tracker-team/security-tracker][master] Track fixed version for various mysql-8.0 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d6c1da0b by Salvatore Bonaccorso at 2022-11-14T22:54:17+01:00 Track fixed version for various mysql-8.0 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18022,11 +18022,11 @@ CVE-2022-39412 (Vulnerability in the Oracle Access Manager product of Oracle Fus CVE-2022-39411 (Vulnerability in the Oracle Transportation Management product of Oracl ...) NOT-FOR-US: Oracle CVE-2022-39410 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 (bug #1024016) + - mysql-8.0 8.0.31-1 (bug #1024016) CVE-2022-39409 (Vulnerability in the Oracle Transportation Management product of Oracl ...) NOT-FOR-US: Oracle CVE-2022-39408 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 (bug #1024016) + - mysql-8.0 8.0.31-1 (bug #1024016) CVE-2022-39407 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2022-39406 (Vulnerability in the PeopleSoft Enterprise Common Components product o ...) @@ -18038,11 +18038,11 @@ CVE-2022-39404 (Vulnerability in the MySQL Installer product of Oracle MySQL (co CVE-2022-39403 (Vulnerability in the MySQL Shell product of Oracle MySQL (component: S ...) NOT-FOR-US: Oracle (MySQL Shell) CVE-2022-39402 (Vulnerability in the MySQL Shell product of Oracle MySQL (component: S ...) - - mysql-8.0 (bug #1024016) + - mysql-8.0 8.0.31-1 (bug #1024016) CVE-2022-39401 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2022-39400 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 (bug #1024016) + - mysql-8.0 8.0.31-1 (bug #1024016) CVE-2022-39399 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-11 11.0.17+8-1 [bullseye] - openjdk-11 (Minor issue, fix along with next CPU) 
@@ -76983,13 +76983,13 @@ CVE-2021-3962 (A flaw was found in ImageMagick where it did not properly sanitiz CVE-2022-21641 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.30-1 CVE-2022-21640 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 (bug #1024016) + - mysql-8.0 8.0.31-1 (bug #1024016) CVE-2022-21639 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2022-21638 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.30-1 CVE-2022-21637 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 (bug #1024016) + - mysql-8.0 8.0.31-1 (bug #1024016) CVE-2022-21636 (Vulnerability in the Oracle Applications Framework product of Oracle E ...) NOT-FOR-US: Oracle CVE-2022-21635 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) @@ -76997,9 +76997,9 @@ CVE-2022-21635 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2022-21634 (Vulnerability in the Oracle GraalVM Enterprise Edition product of Orac ...) NOT-FOR-US: Oracle CVE-2022-21633 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 (bug #1024016) + - mysql-8.0 8.0.31-1 (bug #1024016) CVE-2022-21632 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 (bug #1024016) + - mysql-8.0 8.0.31-1 (bug #1024016) CVE-2022-21631 (Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle ...) NOT-FOR-US: Oracle CVE-2022-21630 (Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle ...) 
@@ -77022,7 +77022,7 @@ CVE-2022-21626 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E [bullseye] - openjdk-11 (Minor issue, fix along with next CPU) [buster] - openjdk-11 (Minor issue, fix along with next CPU) CVE-2022-21625 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 (bug #1024016) + - mysql-8.0 8.0.31-1 (bug #1024016) CVE-2022-21624 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u352-ga-1 - openjdk-11 11.0.17+8-1 @@ -77051,7 +77051,7 @@ CVE-2022-21618 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E - openjdk-17 17.0.5+8-1 [bullseye] - openjdk-17 (Minor issue, fix along with next CPU) CVE-2022-21617 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 (bug #1024016) + - mysql-8.0 8.0.31-1 (bug #1024016) CVE-2022-21616
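Review bot: CVE-2022-39402 is described as a "MySQL Shell product" issue yet is now recorded as fixed in mysql-8.0 8.0.31-1, while the adjacent CVE-2022-39403, also a MySQL Shell issue, is marked "NOT-FOR-US: Oracle (MySQL Shell)"; one of the two is inconsistent, so confirm whether the affected component ships in src:mysql-8.0 before the fixed-version claim stands. The remaining edits, replacing "- mysql-8.0 (bug #1024016)" with "- mysql-8.0 8.0.31-1 (bug #1024016)", are consistent with each other across all hunks.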
[Git][security-tracker-team/security-tracker][master] Record upstream fixed version for CVE-2022-31630
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c99a4a9a by Salvatore Bonaccorso at 2022-11-14T22:03:09+01:00 Record upstream fixed version for CVE-2022-31630 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39251,7 +39251,7 @@ CVE-2022-31630 (In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using i - php8.1 8.1.12-1 - php7.4 - php7.3 (Vulnerable code introduced later) - NOTE: Fixed in 8.1.12, 8.0.25 + NOTE: Fixed in 8.1.12, 8.0.25, 7.4.33 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=81739 NOTE: Introduced by: https://github.com/php/php-src/commit/88b603768f8e5074ad5cbdccc1e0779089fac9d0 (php-7.4.0alpha2) NOTE: Fixed by: https://github.com/php/php-src/commit/ac45ce85c8750a6fb9745093180674d029acc5bd (PHP-8.1.12) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c99a4a9ad120396304ad30903dc7eacde90873a4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c99a4a9ad120396304ad30903dc7eacde90873a4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
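Review bot: the NOTE now states the fix is in 7.4.33, but the "- php7.4" line above it still carries no fixed version; if php7.4 is only shipped in a stable suite, a suite-specific line (for example a "[bullseye] - php7.4 ..." entry) or a pending-status note is needed, otherwise the entry keeps reporting the package as unfixed in unstable without saying why.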
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-41854/snakeyaml
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6506538d by Salvatore Bonaccorso at 2022-11-14T21:59:20+01:00 Add CVE-2022-41854/snakeyaml - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12060,7 +12060,9 @@ CVE-2022-41856 CVE-2022-41855 RESERVED CVE-2022-41854 (Those using Snakeyaml to parse untrusted YAML files may be vulnerable ...) - TODO: check + - snakeyaml + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355 + TODO: check details CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb ...) - hsqldb (bug #1023573) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6506538d6abc2df0c90bf8edf75c5bcf1c5914ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6506538d6abc2df0c90bf8edf75c5bcf1c5914ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d3a91ba by Salvatore Bonaccorso at 2022-11-14T21:41:57+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -285,7 +285,7 @@ CVE-2022-45380 CVE-2022-45379 RESERVED CVE-2022-45378 (** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache ...) - TODO: check + NOT-FOR-US: Apache SOAP CVE-2022-45377 RESERVED CVE-2022-45376 @@ -641,7 +641,7 @@ CVE-2022-45200 CVE-2022-3993 (Authentication Bypass by Primary Weakness in GitHub repository kareadi ...) TODO: check CVE-2022-3992 (A vulnerability classified as problematic was found in SourceCodester ...) - TODO: check + NOT-FOR-US: SourceCodester Sanitization Management System CVE-2022-3991 RESERVED CVE-2022-3990 @@ -649,7 +649,7 @@ CVE-2022-3990 CVE-2022-3989 RESERVED CVE-2022-3988 (A vulnerability was found in Frappe. It has been rated as problematic. ...) - TODO: check + NOT-FOR-US: Frappe Framework CVE-2022-3987 RESERVED CVE-2022-3986 @@ -754,7 +754,7 @@ CVE-2022-45186 CVE-2022-45185 RESERVED CVE-2022-45184 (The Web Server in Ironman Software PowerShell Universal v3.x and v2.x ...) - TODO: check + NOT-FOR-US: Ironman Software PowerShell Universal CVE-2022-45183 (Escalation of privileges in the Web Server in Ironman Software PowerSh ...) NOT-FOR-US: Ironman CVE-2022-45182 (Pi-Star_DV_Dash (for Pi-Star DV) before 5aa194d mishandles the module ...) @@ -7284,11 +7284,11 @@ CVE-2022-43696 CVE-2022-43695 RESERVED CVE-2022-43694 (Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9 ...) - TODO: check + NOT-FOR-US: Concrete CMS CVE-2022-43693 (Concrete CMS is vulnerable to CSRF due to the lack of "State" paramete ...) - TODO: check + NOT-FOR-US: Concrete CMS CVE-2022-43692 (Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9 ...) - TODO: check + NOT-FOR-US: Concrete CMS CVE-2022-43691 RESERVED CVE-2022-43690 
@@ -8363,7 +8363,7 @@ CVE-2022-43344 CVE-2022-43343 (N-Prolog v1.91 was discovered to contain a global buffer overflow vuln ...) NOT-FOR-US: N-Prolog CVE-2022-43342 (A stored cross-site scripting (XSS) vulnerability in the Add function ...) - TODO: check + NOT-FOR-US: Eramba GRC Software CVE-2022-43341 RESERVED CVE-2022-43340 (A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows ...) @@ -8471,7 +8471,7 @@ CVE-2022-43290 (Canteen Management System v1.0 was discovered to contain a SQL i CVE-2022-43289 RESERVED CVE-2022-43288 (Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerabi ...) - TODO: check + NOT-FOR-US: Rukovoditel CVE-2022-43287 RESERVED CVE-2022-43286 (Nginx NJS v0.7.2 was discovered to contain a heap-use-after-free bug c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d3a91badda70b9b311e856e6d2506b81f07496a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d3a91badda70b9b311e856e6d2506b81f07496a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
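Review bot: the new NOT-FOR-US annotations are not uniform for the same vendor: CVE-2022-45184 gets "NOT-FOR-US: Ironman Software PowerShell Universal" while the neighbouring context line for CVE-2022-45183 reads "NOT-FOR-US: Ironman"; pick one form so the entries can be grepped together. CVE-2022-3993 ("Authentication Bypass by Primary Weakness in GitHub repository kareadi ...") is left at "TODO: check" inside the processed block; if that is deliberate it is fine, otherwise it was skipped.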
[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2022-40303
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a5bcc07d by Salvatore Bonaccorso at 2022-11-14T21:37:42+01:00 Add additional reference for CVE-2022-40303 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15972,6 +15972,7 @@ CVE-2022-40303 [integer overflows with XML_PARSE_HUGE] RESERVED {DSA-5271-1 DLA-3172-1} - libxml2 2.9.14+dfsg-1.1 (bug #104) + NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/381 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0 (v2.10.3) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2336 CVE-2022-40302 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5bcc07dfb0112f14282e371696771a40e46dda5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5bcc07dfb0112f14282e371696771a40e46dda5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
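Review bot: the context line "- libxml2 2.9.14+dfsg-1.1 (bug #104)" carries a bug number far too small for a 2022 Debian BTS report (compare bug #1024016 elsewhere in this file); this hunk only adds the GNOME issue 381 NOTE, but the bug reference looks truncated and should be corrected in a follow-up commit.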
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 64769f56 by Salvatore Bonaccorso at 2022-11-14T21:35:43+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7973,9 +7973,9 @@ CVE-2022-3633 (A vulnerability classified as problematic has been found in Linux [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/8c21c54a53ab21842f5050fa090f26b03c0313d6 (6.0-rc1) CVE-2022-3632 (The OAuth Client by DigitialPixies WordPress plugin through 1.1.0 does ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3631 (The OAuth Client by DigitialPixies WordPress plugin through 1.1.0 does ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3630 (A vulnerability was found in Linux Kernel. It has been rated as proble ...) - linux 5.19.6-1 [bullseye] - linux (Vulnerable code not present) @@ -8223,7 +8223,7 @@ CVE-2022-3580 (A vulnerability, which was classified as problematic, has been fo CVE-2022-3579 (A vulnerability classified as critical was found in SourceCodester Cas ...) NOT-FOR-US: SourceCodester Cashier Queuing System CVE-2022-3578 (The ProfileGrid WordPress plugin before 5.1.1 does not sanitise and es ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3577 (An out-of-bounds memory write flaw was found in the Linux kernel ...) - linux 5.18.5-1 [bullseye] - linux 5.10.127-1 @@ -8274,7 +8274,7 @@ CVE-2022-41642 CVE-2022-3575 (Frauscher Sensortechnik GmbH FDS102 for FAdC R2 and FAdCi R2 v2.8.0 to ...) NOT-FOR-US: Frauscher Sensortechnik CVE-2022-3574 (The WPForms Pro WordPress plugin before 1.7.7 does not validate its fo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3573 RESERVED CVE-2022-3572 
@@ -9218,9 +9218,9 @@ CVE-2022-3541 (A vulnerability classified as critical has been found in Linux Ke CVE-2022-3540 (An issue has been discovered in hunter2 affecting all versions before ...) NOT-FOR-US: hunter2 CVE-2022-3539 (The Testimonials WordPress plugin before 2.7, super-testimonial-pro Wo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3538 (The Webmaster Tools Verification WordPress plugin through 1.2 does not ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3537 (The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 d ...) NOT-FOR-US: WordPress plugin CVE-2022-3536 (The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 d ...) @@ -9592,7 +9592,7 @@ CVE-2022-3486 (An open redirect vulnerability in GitLab EE/CE affecting all vers CVE-2022-3485 RESERVED CVE-2022-3484 (The WPB Show Core WordPress plugin through TODO does not sanitise and ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3483 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - gitlab CVE-2022-3482 @@ -9661,7 +9661,7 @@ CVE-2022-42890 (A vulnerability in Batik of Apache XML Graphics allows an attack NOTE: https://issues.apache.org/jira/browse/BATIK-1345 NOTE: http://svn.apache.org/viewvc?view=revision=1904549 CVE-2022-3477 (The tagDiv Composer WordPress plugin before 3.5, required by the Newsp ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3476 RESERVED CVE-2022-3475 @@ -9677,7 +9677,7 @@ CVE-2022-3471 (A vulnerability was found in SourceCodester Human Resource Manage CVE-2022-3470 (A vulnerability was found in SourceCodester Human Resource Management ...) NOT-FOR-US: SourceCodester CVE-2022-3469 (The WP Attachments WordPress plugin before 5.0.5 does not sanitize and ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3468 RESERVED CVE-2022-3467 (A vulnerability classified as critical was found in Jiusi OA. Affected ...) 
@@ -10720,7 +10720,7 @@ CVE-2022-3417 CVE-2022-3416 RESERVED CVE-2022-3415 (The Chat Bubble WordPress plugin before 2.3 does not sanitise and esca ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3414 (A vulnerability was found in SourceCodester Web-Based Student Clearanc ...) NOT-FOR-US: SourceCodester Web-Based Student Clearance System CVE-2022-3413 (Incorrect authorization during display of Audit Events in GitLab EE af ...) @@ -20062,7 +20062,7 @@ CVE-2022-38707 CVE-2022-38706 RESERVED CVE-2022-38705 (IBM CICS TX 11.1 Standard and Advanced could allow a remote attacker t ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-38458 RESERVED CVE-2022-38394 (Use of hard-coded credentials for the telnet server of CentreCOM AR260 ...) @@ -27116,9 +27116,9 @@ CVE-2022-2451 CVE-2022-36126 (An issue was discovered in Inductive
[Git][security-tracker-team/security-tracker][master] Track fixes for dpdk issues via experimental
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 60ea61a3 by Salvatore Bonaccorso at 2022-11-14T21:33:23+01:00 Track fixes for dpdk issues via experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32616,6 +32616,7 @@ CVE-2022-2133 (The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't v NOT-FOR-US: WordPress plugin CVE-2022-2132 (A permissive list of allowed inputs flaw was found in DPDK. This issue ...) {DSA-5222-1 DLA-3092-1} + [experimental] - dpdk 22.11~rc2-1 - dpdk (bug #1019589) NOTE: https://bugs.dpdk.org/show_bug.cgi?id=1031 NOTE: https://git.dpdk.org/dpdk/commit/?id=71bd0cc536ad6d84188d947d6f24c17400d8f623 (main) @@ -49559,6 +49560,7 @@ CVE-2022-28200 (NVIDIA DGX A100 contains a vulnerability in SBIOS in the BiosCfg NOT-FOR-US: NVIDIA CVE-2022-28199 (NVIDIAs distribution of the Data Plane Development Kit (MLNX_DP ...) {DSA-5222-1} + [experimental] - dpdk 22.11~rc2-1 - dpdk (bug #1019589) [buster] - dpdk (Vulnerable code introduced later) NOTE: https://git.dpdk.org/dpdk/commit/?id=60b254e3923d007bcadbb8d410f95ad89a2f13fa (main) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60ea61a37f8d15f690fa73b68fb0ed6cf609356b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60ea61a37f8d15f690fa73b68fb0ed6cf609356b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] p0 references
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 58046883 by Moritz Muehlenhoff at 2022-11-14T21:28:51+01:00 p0 references - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15967,11 +15967,13 @@ CVE-2022-40304 [dict corruption caused by entity reference cycles] {DSA-5271-1 DLA-3172-1} - libxml2 2.9.14+dfsg-1.1 (bug #105) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b (v2.10.3) + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2335 CVE-2022-40303 [integer overflows with XML_PARSE_HUGE] RESERVED {DSA-5271-1 DLA-3172-1} - libxml2 2.9.14+dfsg-1.1 (bug #104) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0 (v2.10.3) + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2336 CVE-2022-40302 RESERVED CVE-2022-40301 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58046883c5435f8f6af6713374fa5e40941ee134 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58046883c5435f8f6af6713374fa5e40941ee134 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b9ac79d by security tracker role at 2022-11-14T20:10:25+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,673 @@ +CVE-2023-21518 + RESERVED +CVE-2023-21517 + RESERVED +CVE-2023-21516 + RESERVED +CVE-2023-21515 + RESERVED +CVE-2023-21514 + RESERVED +CVE-2023-21513 + RESERVED +CVE-2023-21512 + RESERVED +CVE-2023-21511 + RESERVED +CVE-2023-21510 + RESERVED +CVE-2023-21509 + RESERVED +CVE-2023-21508 + RESERVED +CVE-2023-21507 + RESERVED +CVE-2023-21506 + RESERVED +CVE-2023-21505 + RESERVED +CVE-2023-21504 + RESERVED +CVE-2023-21503 + RESERVED +CVE-2023-21502 + RESERVED +CVE-2023-21501 + RESERVED +CVE-2023-21500 + RESERVED +CVE-2023-21499 + RESERVED +CVE-2023-21498 + RESERVED +CVE-2023-21497 + RESERVED +CVE-2023-21496 + RESERVED +CVE-2023-21495 + RESERVED +CVE-2023-21494 + RESERVED +CVE-2023-21493 + RESERVED +CVE-2023-21492 + RESERVED +CVE-2023-21491 + RESERVED +CVE-2023-21490 + RESERVED +CVE-2023-21489 + RESERVED +CVE-2023-21488 + RESERVED +CVE-2023-21487 + RESERVED +CVE-2023-21486 + RESERVED +CVE-2023-21485 + RESERVED +CVE-2023-21484 + RESERVED +CVE-2023-21483 + RESERVED +CVE-2023-21482 + RESERVED +CVE-2023-21481 + RESERVED +CVE-2023-21480 + RESERVED +CVE-2023-21479 + RESERVED +CVE-2023-21478 + RESERVED +CVE-2023-21477 + RESERVED +CVE-2023-21476 + RESERVED +CVE-2023-21475 + RESERVED +CVE-2023-21474 + RESERVED +CVE-2023-21473 + RESERVED +CVE-2023-21472 + RESERVED +CVE-2023-21471 + RESERVED +CVE-2023-21470 + RESERVED +CVE-2023-21469 + RESERVED +CVE-2023-21468 + RESERVED +CVE-2023-21467 + RESERVED +CVE-2023-21466 + RESERVED +CVE-2023-21465 + RESERVED +CVE-2023-21464 + RESERVED +CVE-2023-21463 + RESERVED +CVE-2023-21462 + RESERVED +CVE-2023-21461 + RESERVED +CVE-2023-21460 + RESERVED +CVE-2023-21459 + RESERVED +CVE-2023-21458 + RESERVED +CVE-2023-21457 + RESERVED +CVE-2023-21456 + RESERVED +CVE-2023-21455 + RESERVED +CVE-2023-21454 + RESERVED +CVE-2023-21453 + RESERVED +CVE-2023-21452 + RESERVED +CVE-2023-21451 + RESERVED +CVE-2023-21450 + RESERVED +CVE-2023-21449 + RESERVED +CVE-2023-21448 + RESERVED +CVE-2023-21447 + RESERVED +CVE-2023-21446 + RESERVED 
+CVE-2023-21445 + RESERVED +CVE-2023-21444 + RESERVED +CVE-2023-21443 + RESERVED +CVE-2023-21442 + RESERVED +CVE-2023-21441 + RESERVED +CVE-2023-21440 + RESERVED +CVE-2023-21439 + RESERVED +CVE-2023-21438 + RESERVED +CVE-2023-21437 + RESERVED +CVE-2023-21436 + RESERVED +CVE-2023-21435 + RESERVED +CVE-2023-21434 + RESERVED +CVE-2023-21433 + RESERVED +CVE-2023-21432 + RESERVED +CVE-2023-21431 + RESERVED +CVE-2023-21430 + RESERVED +CVE-2023-21429 + RESERVED +CVE-2023-21428 + RESERVED +CVE-2023-21427 + RESERVED +CVE-2023-21426 + RESERVED +CVE-2023-21425 + RESERVED +CVE-2023-21424 + RESERVED +CVE-2023-21423 + RESERVED +CVE-2023-21422 + RESERVED +CVE-2023-21421 + RESERVED +CVE-2023-21420 + RESERVED +CVE-2023-21419 + RESERVED +CVE-2022-45421 + RESERVED +CVE-2022-45420 + RESERVED +CVE-2022-45419 + RESERVED +CVE-2022-45418 + RESERVED +CVE-2022-45417 + RESERVED +CVE-2022-45416 + RESERVED +CVE-2022-45415 + RESERVED +CVE-2022-45414 + RESERVED +CVE-2022-45413 + RESERVED +CVE-2022-45412 + RESERVED +CVE-2022-45411 + RESERVED +CVE-2022-45410 + RESERVED +CVE-2022-45409 + RESERVED +CVE-2022-45408 + RESERVED +CVE-2022-45407 + RESERVED +CVE-2022-45406 + RESERVED +CVE-2022-45405 + RESERVED +CVE-2022-45404 + RESERVED +CVE-2022-45403 + RESERVED +CVE-2022-45402 + RESERVED +CVE-2022-45401 + RESERVED +CVE-2022-45400 + RESERVED +CVE-2022-45399 + RESERVED +CVE-2022-45398 + RESERVED +CVE-2022-45397 + RESERVED +CVE-2022-45396 + RESERVED +CVE-2022-45395 + RESERVED +CVE-2022-45394 + RESERVED +CVE-2022-45393 + RESERVED +CVE-2022-45392 + RESERVED +CVE-2022-45391 + RESERVED +CVE-2022-45390 + RESERVED +CVE-2022-45389 + RESERVED +CVE-2022-45388 + RESERVED +CVE-2022-45387 + RESERVED +CVE-2022-45386 + RESERVED +CVE-2022-45385 + RESERVED +CVE-2022-45384 + RESERVED +CVE-2022-45383 + RESERVED +CVE-2022-45382 + RESERVED +CVE-2022-45381 +
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-37599 and CVE-2022-37603
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b84dc09 by Salvatore Bonaccorso at 2022-11-14T21:00:18+01:00 Update information for CVE-2022-37599 and CVE-2022-37603 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22479,8 +22479,10 @@ CVE-2022-37605 CVE-2022-37604 RESERVED CVE-2022-37603 (A Regular expression denial of service (ReDoS) flaw was found in Funct ...) - - node-loader-utils + - node-loader-utils 2.0.4-1 NOTE: https://github.com/webpack/loader-utils/issues/213 + NOTE: https://github.com/webpack/loader-utils/pull/225 + NOTE: https://github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb (v2.0.4) CVE-2022-37602 (Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 vi ...) NOT-FOR-US: karma-runner grunt-karma CVE-2022-37601 (Prototype pollution vulnerability in function parseQuery in parseQuery ...) @@ -22493,6 +22495,8 @@ CVE-2022-37600 CVE-2022-37599 (A Regular expression denial of service (ReDoS) flaw was found in Funct ...) - node-loader-utils 2.0.4-1 NOTE: https://github.com/webpack/loader-utils/issues/211 + NOTE: https://github.com/webpack/loader-utils/pull/225 + NOTE: https://github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb (v2.0.4) CVE-2022-37598 (Prototype pollution vulnerability in function DEFNODE in ast.js in mis ...) - uglify-js (unimportant) - uglifyjs (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b84dc09583138829cd2cba8c645910d51963d73 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b84dc09583138829cd2cba8c645910d51963d73 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
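Review bot: CVE-2022-37603 and CVE-2022-37599 now cite the same PR #225 and commit ac09944 as the fix although they track separate upstream issues (#213 and #211); confirm that the single commit changes both regular expressions, since that is what justifies recording node-loader-utils 2.0.4-1 as the fixed version for CVE-2022-37603 in the first hunk.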
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-3037 and CVE-2022-2982 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 17be5252 by Salvatore Bonaccorso at 2022-11-14T20:49:05+01:00 Mark CVE-2022-3037 and CVE-2022-2982 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18501,6 +18501,7 @@ CVE-2022-3038 (Use after free in Network Service in Google Chrome prior to 105.0 [buster] - chromium (see DSA 5046) CVE-2022-3037 (Use After Free in GitHub repository vim/vim prior to 9.0.0322. ...) - vim 2:9.0.0626-1 (bug #1019590) + [bullseye] - vim (Minor issue) [buster] - vim (quickfixtextfunc added in 8.2.0869) NOTE: https://huntr.dev/bounties/af4c2f2d-d754-4607-b565-9e92f3f717b5 NOTE: https://github.com/vim/vim/commit/4f1b083be43f351bc107541e7b0c9655a5d2c0bb (v9.0.0322) @@ -19312,6 +19313,7 @@ CVE-2022-2983 RESERVED CVE-2022-2982 (Use After Free in GitHub repository vim/vim prior to 9.0.0260. ...) - vim 2:9.0.0626-1 (bug #1019590) + [bullseye] - vim (Minor issue) [buster] - vim (quickfixtextfunc added in 8.2.0869) NOTE: https://huntr.dev/bounties/53f53d9a-ba8a-4985-b7ba-23efbe6833be NOTE: https://github.com/vim/vim/commit/d6c67629ed05aae436164eec474832daf8ba7420 (v9.0.0260) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17be52520bc77dde9be3f6d78fe75fd4c2935b12 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17be52520bc77dde9be3f6d78fe75fd4c2935b12 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2022-2580
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c23ede1f by Salvatore Bonaccorso at 2022-11-14T20:48:09+01:00 Update information on CVE-2022-2580 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24138,11 +24138,10 @@ CVE-2022-2581 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104 NOTE: https://github.com/vim/vim/commit/f50940531dd57135fe60aa393ac9d3281f352d88 (v9.0.0105) NOTE: Crash in CLI tool, no security impact CVE-2022-2580 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...) - - vim 2:9.0.0135-1 - [bullseye] - vim (interpolation introduced in 8.2.4930) - [buster] - vim (interpolation introduced in 8.2.4930) + - vim (Interpolation introduced in 8.2.4930; no released version in Debian affected) NOTE: https://huntr.dev/bounties/c5f2f1d4-0441-4881-b19c-055acaa16249/ - NOTE: https://github.com/vim/vim/commit/1e56bda9048a9625bce6e660938c834c5c15b07d (v9.0.0104) + NOTE: Introduced in: https://github.com/vim/vim/commit/0abc2871c105882ed1c1effb9a7757fad8a395bd (v8.2.4930) + NOTE: Fixed by: https://github.com/vim/vim/commit/1e56bda9048a9625bce6e660938c834c5c15b07d (v9.0.0104) CVE-2022-2579 (A vulnerability, which was classified as problematic, was found in Sou ...) NOT-FOR-US: SourceCodester CVE-2022-2578 (A vulnerability, which was classified as critical, has been found in S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c23ede1f61a9578be8ec811b11b2b3d64627fc46 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c23ede1f61a9578be8ec811b11b2b3d64627fc46 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
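Review bot: the replacement line "- vim (Interpolation introduced in 8.2.4930; no released version in Debian affected)" as rendered here has no status marker between the package name and the parenthesis, so the tracker syntax would read it as unfixed in unstable even though the text says no Debian release is affected; if a "<not-affected>" marker was in the commit and was dropped by this rendering that is fine, otherwise it must be added, since the removed "[bullseye]" and "[buster]" lines were the previous way of recording that status.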
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3189-1 for postgresql-11
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 7877ac9b by Utkarsh Gupta at 2022-11-15T01:16:19+05:30 Reserve DLA-3189-1 for postgresql-11 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[15 Nov 2022] DLA-3189-1 postgresql-11 - bugfix update + [buster] - postgresql-11 11.18-0+deb10u1 [14 Nov 2022] DLA-3188-1 sysstat - security update {CVE-2019-16167 CVE-2019-19725 CVE-2022-39377} [buster] - sysstat 12.0.3-2+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7877ac9ba39444f6d909e27fee817801edddaf0a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7877ac9ba39444f6d909e27fee817801edddaf0a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 24563c0c by Moritz Muehlenhoff at 2022-11-14T19:00:28+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11286,11 +11286,11 @@ CVE-2022-41908 CVE-2022-41907 RESERVED CVE-2022-41906 (OpenSearch Notifications is a notifications plugin for OpenSearch that ...) - TODO: check + NOT-FOR-US: OpenSearch plugin CVE-2022-41905 (WsgiDAV is a generic and extendable WebDAV server based on WSGI. Imple ...) - TODO: check + NOT-FOR-US: WsgiDAV CVE-2022-41904 (Element iOS is an iOS Matrix client provided by Element. It is based o ...) - TODO: check + NOT-FOR-US: Element iOS CVE-2022-41903 RESERVED CVE-2022-41902 @@ -11314,7 +11314,7 @@ CVE-2022-41894 CVE-2022-41893 RESERVED CVE-2022-41892 (Arches is a web platform for creating, managing, visualizing geo ...) - TODO: check + NOT-FOR-US: Arches CVE-2022-41891 RESERVED CVE-2022-41890 @@ -11346,7 +11346,7 @@ CVE-2022-41878 (Parse Server is an open source backend that can be deployed to a CVE-2022-41877 RESERVED CVE-2022-41876 (ezplatform-graphql is a GraphQL server implementation for Ibexa DXP an ...) - TODO: check + NOT-FOR-US: ezplatform-graphql CVE-2022-41875 RESERVED CVE-2022-41874 (Tauri is a framework for building binaries for all major desktop platf ...) @@ -17382,7 +17382,7 @@ CVE-2022-39397 CVE-2022-39396 (Parse Server is an open source backend that can be deployed to any inf ...) NOT-FOR-US: Node parse-server CVE-2022-39395 (Vela is a Pipeline Automation (CI/CD) framework built on Linux contain ...) - TODO: check + NOT-FOR-US: Vela CVE-2022-39394 (Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0 ...) NOT-FOR-US: wasmtime CVE-2022-39393 (Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0 ...) 
@@ -17458,7 +17458,7 @@ CVE-2022-39368 (Eclipse Californium is a Java implementation of RFC7252 - Constr CVE-2022-39367 (QTIWorks is a software suite for standards-based assessment delivery. ...) NOT-FOR-US: QTIWorks CVE-2022-39366 (DataHub is an open-source metadata platform. Prior to version 0.8.45, ...) - TODO: check + NOT-FOR-US: DataHub CVE-2022-39365 (Pimcore is an open source data and experience management platform. Pri ...) NOT-FOR-US: Pimcore CVE-2022-39364 (Nextcloud Server is the file server software for Nextcloud, a self-hos ...) @@ -17490,7 +17490,7 @@ CVE-2022-39352 (OpenFGA is a high-performance authorization/permission engine in CVE-2022-39351 (Dependency-Track is a Component Analysis platform that allows organiza ...) NOT-FOR-US: Dependency-Track CVE-2022-39350 (@dependencytrack/frontend is a Single Page Application (SPA) used in D ...) - TODO: check + NOT-FOR-US: @dependencytrack/frontend CVE-2022-39349 (The Tasks.org Android app is an open-source app for to-do lists and re ...) NOT-FOR-US: Tasks.org Android app CVE-2022-39348 (Twisted is an event-based framework for internet applications. Started ...) @@ -17557,7 +17557,7 @@ CVE-2022-39323 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is CVE-2022-39322 (@keystone-6/core is a core package for Keystone 6, a content managemen ...) NOT-FOR-US: Keystone CMS CVE-2022-39321 (GitHub Actions Runner is the application that runs a job from a GitHub ...) - TODO: check + NOT-FOR-US: GitHub Actions Runner CVE-2022-39320 RESERVED CVE-2022-39319 
@@ -17575,7 +17575,7 @@ CVE-2022-39314 (Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, CVE-2022-39313 (Parse Server is an open source backend that can be deployed to any inf ...) NOT-FOR-US: Node parse-server CVE-2022-39312 (Dataease is an open source data visualization analysis tool. Dataease ...) - TODO: check + NOT-FOR-US: Dataease CVE-2022-39311 (GoCD is a continuous delivery server. GoCD helps you automate and stre ...) NOT-FOR-US: GoCD CVE-2022-39310 (GoCD is a continuous delivery server. GoCD helps you automate and stre ...) @@ -19573,7 +19573,7 @@ CVE-2022-38654 (HCL Domino is susceptible to an information disclosure vulnerabi CVE-2022-38653 RESERVED CVE-2022-38652 (** UNSUPPORTED WHEN ASSIGNED ** A remote insecure deserialization vuln ...) - TODO: check + NOT-FOR-US: VMware CVE-2022-38651 (** UNSUPPORTED WHEN ASSIGNED ** A security filter misconfiguration exi ...) NOT-FOR-US: VMware CVE-2022-38650 (** UNSUPPORTED WHEN ASSIGNED ** A remote unauthenticated insecure dese ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24563c0cfe397e7611856e140ab9c8249d086a09 -- View it on GitLab:
[Git][security-tracker-team/security-tracker][master] new ffmpeg "issues"
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 961c092e by Moritz Muehlenhoff at 2022-11-14T18:52:24+01:00 new ffmpeg issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47,9 +47,13 @@ CVE-2022-3967 (A vulnerability, which was classified as critical, was found in V CVE-2022-3966 (A vulnerability, which was classified as critical, has been found in U ...) NOT-FOR-US: Ultimate Member Plugin CVE-2022-3965 (A vulnerability classified as problematic was found in ffmpeg. This vu ...) - TODO: check + - ffmpeg + [bullseye] - ffmpeg (Wait until it lands in 4.1.x) + NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/13c13109759090b7f7182480d075e13b36ed8edd CVE-2022-3964 (A vulnerability classified as problematic has been found in ffmpeg. Th ...) - TODO: check + - ffmpeg + [bullseye] - ffmpeg (Wait until it lands in 4.1.x) + NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984 CVE-2022-45197 RESERVED CVE-2022-45196 (Hyperledger Fabric 2.3 allows attackers to cause a denial of service ( ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/961c092e72616135056423a3c8cecb9a50869065 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/961c092e72616135056423a3c8cecb9a50869065 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
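Review bot: both `[bullseye] - ffmpeg (Wait until it lands in 4.1.x)` annotations name an upstream branch; confirm 4.1.x is the branch bullseye's ffmpeg actually tracks, since a postponed annotation pointing at another release's branch will never be acted on. Neither entry has a `[buster]` line although the other triage commits in this series annotate buster, and neither carries a severity hint, so a reader cannot tell whether the issues are rated minor.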
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8dbf76de by Moritz Muehlenhoff at 2022-11-14T16:21:32+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14,7 +14,7 @@ CVE-2022-3979 (A vulnerability was found in NagVis up to 1.9.33 and classified a [bullseye] - nagvis (Minor issue) NOTE: https://github.com/NagVis/nagvis/commit/7574fd8a2903282c2e0d1feef5c4876763db21d5 (nagvis-1.9.34) CVE-2022-3978 (A vulnerability, which was classified as problematic, was found in Nod ...) - TODO: check + NOT-FOR-US: NodeBB CVE-2022-3977 RESERVED - linux 6.0.2-1 @@ -22,7 +22,7 @@ CVE-2022-3977 [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/3a732b46736cd8a29092e4b0b1a9ba83e672bf89 (6.1-rc1) CVE-2022-3976 (A vulnerability has been found in MZ Automation libiec61850 up to 1.4 ...) - TODO: check + NOT-FOR-US: libIEC61850 CVE-2022-3975 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: NukeViet CMS CVE-2022-3974 (A vulnerability classified as critical was found in Axiomatic Bento4. ...) @@ -32,7 +32,7 @@ CVE-2022-3973 (A vulnerability classified as critical has been found in Pingkon CVE-2022-3972 (A vulnerability was found in Pingkon HMS-PHP. It has been rated as cri ...) NOT-FOR-US: Pingkon HMS-PHP CVE-2022-3971 (A vulnerability was found in matrix-appservice-irc up to 0.35.1. It ha ...) - TODO: check + NOT-FOR-US: matrix-appservice-irc CVE-2022-3970 (A vulnerability was found in LibTIFF. It has been classified as critic ...) - tiff NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 
@@ -53,11 +53,11 @@ CVE-2022-3964 (A vulnerability classified as problematic has been found in ffmpe CVE-2022-45197 RESERVED CVE-2022-45196 (Hyperledger Fabric 2.3 allows attackers to cause a denial of service ( ...) - TODO: check + NOT-FOR-US: Hyperledger Fabric CVE-2022-45195 (SimpleXMQ before 3.4.0, as used in SimpleX Chat before 4.2, does not a ...) - TODO: check + NOT-FOR-US: SimpleXMQ CVE-2022-3963 (A vulnerability was found in gnuboard5. It has been classified as prob ...) - TODO: check + NOT-FOR-US: Gnuboard CVE-2022-45194 (CBRN-Analysis before 22 allows XXE attacks via am mws XML document, le ...) NOT-FOR-US: CBRN-Analysis CVE-2022-45193 (CBRN-Analysis before 22 has weak file permissions under Public Profile ...) @@ -82,7 +82,7 @@ CVE-2022-45185 CVE-2022-45184 RESERVED CVE-2022-45183 (Escalation of privileges in the Web Server in Ironman Software PowerSh ...) - TODO: check + NOT-FOR-US: Ironman CVE-2022-45182 (Pi-Star_DV_Dash (for Pi-Star DV) before 5aa194d mishandles the module ...) NOT-FOR-US: Pi-Star_DV_Dash (for Pi-Star DV) CVE-2022-45181 @@ -162,7 +162,7 @@ CVE-2022-45148 CVE-2022-45147 RESERVED CVE-2022-3959 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: Drogon CVE-2022-3958 RESERVED CVE-2022-3957 (A vulnerability classified as problematic was found in GPAC. Affected ...) @@ -196,7 +196,7 @@ CVE-2022-3947 (A vulnerability classified as critical has been found in eolinker CVE-2022-3946 RESERVED CVE-2022-3945 (Improper Restriction of Excessive Authentication Attempts in GitHub re ...) - TODO: check + NOT-FOR-US: Kavita CVE-2022-3944 (A vulnerability was found in jerryhanjj ERP. It has been declared as c ...) NOT-FOR-US: jerryhanjj ERP CVE-2022-3943 (A vulnerability was found in ForU CMS. It has been classified as probl ...) 
@@ -210,11 +210,11 @@ CVE-2022-45145 CVE-2022-45144 RESERVED CVE-2022-3941 (A vulnerability has been found in Activity Log Plugin and classified a ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3940 (A vulnerability, which was classified as problematic, was found in lan ...) - TODO: check + NOT-FOR-US: lanyulei ferry CVE-2022-3939 (A vulnerability, which was classified as critical, has been found in l ...) - TODO: check + NOT-FOR-US: lanyulei ferry CVE-2022-3938 RESERVED CVE-2022-3937 @@ -6646,7 +6646,7 @@ CVE-2022-43680 (In libexpat through 2.4.9, there is a use-after free caused by o NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/5290462a7ea1278a8d5c0d5b2860d4e244f997e4 (R_2_5_0) NOTE: Testcase: https://github.com/libexpat/libexpat/commit/43992e4ae25fc3dc0eec0cd3a29313555d56aee2 (R_2_5_0) CVE-2022-43679 (The Docker image of ownCloud Server through 10.11 contains a misconfig ...) - TODO: check + NOT-FOR-US: Docker image of ownCloud Server CVE-2022-43678 RESERVED
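Review bot: the `NOT-FOR-US: Ironman` line for CVE-2022-45183 and the `NOT-FOR-US: WordPress plugin` line for CVE-2022-3941 are terser than the surrounding entries, which name the product; the descriptions give "Ironman Software PowerShell Universal" and "Activity Log Plugin", so use those names to keep the file greppable for later triage.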
[Git][security-tracker-team/security-tracker][master] node-loader-utils fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f718a129 by Moritz Muehlenhoff at 2022-11-14T12:19:43+01:00 node-loader-utils fixed in sid fix typo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22485,7 +22485,7 @@ CVE-2022-37601 (Prototype pollution vulnerability in function parseQuery in pars CVE-2022-37600 RESERVED CVE-2022-37599 (A Regular expression denial of service (ReDoS) flaw was found in Funct ...) - - node-loader-utils + - node-loader-utils 2.0.4-1 NOTE: https://github.com/webpack/loader-utils/issues/211 CVE-2022-37598 (Prototype pollution vulnerability in function DEFNODE in ast.js in mis ...) - uglify-js (unimportant) 
@@ -45379,8 +45379,8 @@ CVE-2022-29404 (In Apache HTTP Server 2.4.53 and earlier, a malicious request to NOTE: https://github.com/apache/httpd/commit/ce259c4061905bf834f9af51c92456cfe8335ddc CVE-2022-1381 (global heap buffer overflow in skip_range in GitHub repository vim/vim ...) - vim 2:8.2.4793-1 - [bullseye] - vim (affects visual range prasing, which was added in 8.2.4633) - [buster] - vim (affects visual range prasing, which was added in 8.2.4633) + [bullseye] - vim (affects visual range parsing, which was added in 8.2.4633) + [buster] - vim (affects visual range parsing, which was added in 8.2.4633) NOTE: https://huntr.dev/bounties/55f9c0e8-c221-48b6-a00e-bdcaebaba4a4/ NOTE: https://github.com/vim/vim/commit/f50808ed135ab973296bca515ae4029b321afe47 (v8.2.4763) CVE-2022-29403 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f718a1291a83a955dd17767752ad9a84682de74c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f718a1291a83a955dd17767752ad9a84682de74c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
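Review bot: the second hunk (the `prasing` to `parsing` fix on the two CVE-2022-1381 annotations) is unrelated to the node-loader-utils version bump in the first hunk and should be its own commit, as the combined message "node-loader-utils fixed in sid fix typo" already shows. For CVE-2022-37599 the fixed version `2.0.4-1` is added with only the upstream issue as a reference; a NOTE pointing at the upstream fixing commit or release would let the next person verify the version without re-triaging.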
[Git][security-tracker-team/security-tracker][master] triage vim CVEs
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 01f74ec8 by Helmut Grohne at 2022-11-14T11:48:24+01:00 triage vim CVEs apos vim lts upload actually fixed CVE-2021-3872, but he forgot mentioning it. Add number of not-affected for buster and sometimes bullseye. Remove two stretch annotations to avoid conflicts with the ELTS tracker. - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -18497,6 +18497,7 @@ CVE-2022-3038 (Use after free in Network Service in Google Chrome prior to 105.0 [buster] - chromium (see DSA 5046) CVE-2022-3037 (Use After Free in GitHub repository vim/vim prior to 9.0.0322. ...) - vim 2:9.0.0626-1 (bug #1019590) + [buster] - vim (quickfixtextfunc added in 8.2.0869) NOTE: https://huntr.dev/bounties/af4c2f2d-d754-4607-b565-9e92f3f717b5 NOTE: https://github.com/vim/vim/commit/4f1b083be43f351bc107541e7b0c9655a5d2c0bb (v9.0.0322) CVE-2022-3036 (The Gettext override translations WordPress plugin before 2.0.0 does n ...) @@ -19307,6 +19308,7 @@ CVE-2022-2983 RESERVED CVE-2022-2982 (Use After Free in GitHub repository vim/vim prior to 9.0.0260. ...) - vim 2:9.0.0626-1 (bug #1019590) + [buster] - vim (quickfixtextfunc added in 8.2.0869) NOTE: https://huntr.dev/bounties/53f53d9a-ba8a-4985-b7ba-23efbe6833be NOTE: https://github.com/vim/vim/commit/d6c67629ed05aae436164eec474832daf8ba7420 (v9.0.0260) CVE-2022-2981 (The Download Monitor WordPress plugin before 4.5.98 does not ensure th ...) 
@@ -24133,6 +24135,8 @@ CVE-2022-2581 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104 NOTE: Crash in CLI tool, no security impact CVE-2022-2580 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...) - vim 2:9.0.0135-1 + [bullseye] - vim (interpolation introduced in 8.2.4930) + [buster] - vim (interpolation introduced in 8.2.4930) NOTE: https://huntr.dev/bounties/c5f2f1d4-0441-4881-b19c-055acaa16249/ NOTE: https://github.com/vim/vim/commit/1e56bda9048a9625bce6e660938c834c5c15b07d (v9.0.0104) CVE-2022-2579 (A vulnerability, which was classified as problematic, was found in Sou ...) @@ -29718,6 +29722,8 @@ CVE-2022-2289 (Use After Free in GitHub repository vim/vim prior to 9.0. ...) NOTE: Crash in CLI tool, no security impact CVE-2022-2288 (Out-of-bounds Write in GitHub repository vim/vim prior to 9.0. ...) - vim 2:9.0.0135-1 (bug #1015984) + [bullseye] - vim (vulnerable code introduced in 8.2.4763) + [buster] - vim (vulnerable code introduced in 8.2.4763) NOTE: https://huntr.dev/bounties/a71bdcb7-4e9b-4650-ab6a-fe8e3e9852ad/ NOTE: https://github.com/vim/vim/commit/c6fdb15d423df22e1776844811d082322475e48a (v9.0.0025) CVE-2022-34910 @@ -44910,8 +44916,7 @@ CVE-2022-1421 (The Discy WordPress theme before 5.2 lacks CSRF checks in some AJ CVE-2022-1420 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior ...) - vim 2:8.2.4793-1 [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) - [stretch] - vim (Vulnerable code not present) + [buster] - vim (method call operator -> introduced in 8.1.1803) NOTE: https://huntr.dev/bounties/a4323ef8-90ea-4e1c-90e9-c778f0ecf326 NOTE: https://github.com/vim/vim/commit/8b91e71441069b1dde9ac9ff9d9a829b1b4aecca (v8.2.4774) CVE-2021-46784 (In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due ...) 
@@ -45374,9 +45379,8 @@ CVE-2022-29404 (In Apache HTTP Server 2.4.53 and earlier, a malicious request to NOTE: https://github.com/apache/httpd/commit/ce259c4061905bf834f9af51c92456cfe8335ddc CVE-2022-1381 (global heap buffer overflow in skip_range in GitHub repository vim/vim ...) - vim 2:8.2.4793-1 - [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) - [stretch] - vim (Vulnerable code not present) + [bullseye] - vim (affects visual range prasing, which was added in 8.2.4633) + [buster] - vim (affects visual range prasing, which was added in 8.2.4633) NOTE: https://huntr.dev/bounties/55f9c0e8-c221-48b6-a00e-bdcaebaba4a4/ NOTE: https://github.com/vim/vim/commit/f50808ed135ab973296bca515ae4029b321afe47 (v8.2.4763) CVE-2022-29403 @@ -66103,6 +66107,7 @@ CVE-2021-46163 (Kentico Xperience 13.0.44 allows XSS via an XML document to the NOT-FOR-US: Kentico Xperience CMS CVE-2022-0156 (vim is vulnerable to Use After Free ...) - vim 2:8.2.4659-1 (unimportant) + [buster] - vim (vim9script functionality not present in buster and earlier) NOTE: https://huntr.dev/bounties/47dded34-3767-4725-8c7c-9dcb68c70b36 NOTE:
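Review bot: the two added CVE-2022-1381 annotations misspell "parsing" as "prasing". The commit message also describes a data/DLA/list change for CVE-2021-3872, but the visible patch ends at the last `NOTE:` of the CVE-2022-0156 hunk and shows no DLA/list hunk, so that part of the change cannot be reviewed from this mail.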
[Git][security-tracker-team/security-tracker][master] update note in dla-needed
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e5e3d80 by Abhijith PA at 2022-11-14T15:47:19+05:30 update note in dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -367,6 +367,8 @@ tiff trafficserver NOTE: 20220905: Programming language: C. NOTE: 20221024: WIP, big changeset in security fix (abhijith) + NOTE: 20221114: https://people.debian.org/~abhijith/upload/trf/ (abhijith) + NOTE: 20221114: Asked upstream regarding CVE-2022-31779 (abhijith) -- twisted NOTE: 20221030: Programming language: Python. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e5e3d80d11e1416186c10db10a5ce6bf1dc2a9f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e5e3d80d11e1416186c10db10a5ce6bf1dc2a9f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
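Review bot: the first added NOTE links a personal staging directory without saying which trafficserver version it holds; record the candidate version in the note so the dla-needed entry stays meaningful after the directory is cleaned up.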
[Git][security-tracker-team/security-tracker][master] new airflow issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 64f260cc by Moritz Muehlenhoff at 2022-11-14T10:45:43+01:00 new airflow issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15763,6 +15763,7 @@ CVE-2022-40134 RESERVED CVE-2022-40127 RESERVED + - airflow (bug #819700) CVE-2022-38972 (Cross-site scripting vulnerability in Movable Type plugin A-Form versi ...) NOT-FOR-US: Movable Type plugin CVE-2022-3142 (The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise ...) @@ -49691,6 +49692,7 @@ CVE-2022-27950 (In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a m NOTE: https://www.openwall.com/lists/oss-security/2022/03/13/1 CVE-2022-27949 RESERVED + - airflow (bug #819700) CVE-2022-27948 (** DISPUTED ** Certain Tesla vehicles through 2022-03-26 allow attacke ...) NOT-FOR-US: Tesla CVE-2022-1110 (A buffer overflow vulnerability in Lenovo Smart Standby Driver prior t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64f260ccdcbb68b3893057d4074410f8b7ab4a8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64f260ccdcbb68b3893057d4074410f8b7ab4a8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
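Review bot: `- airflow (bug #819700)` is added under CVE-2022-40127 and CVE-2022-27949 while both entries are still `RESERVED` with no description, and no NOTE records why airflow is affected; add the upstream advisory reference in each hunk so the association can be checked once the CVE text is published. The same bug number is cited for both; if #819700 is a packaging bug rather than one filed for these CVEs, the package line should say so.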
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f5311755 by Moritz Muehlenhoff at 2022-11-14T10:35:38+01:00 bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6,10 +6,12 @@ CVE-2022-45199 (Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL NOTE: https://github.com/python-pillow/Pillow/pull/6700 CVE-2022-45198 (Pillow before 9.2.0 performs Improper Handling of Highly Compressed GI ...) - pillow 9.2.0-1 + [bullseye] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/commit/11918eac0628ec8ac0812670d9838361ead2d6a4 (9.2.0) NOTE: https://github.com/python-pillow/Pillow/pull/6402 CVE-2022-3979 (A vulnerability was found in NagVis up to 1.9.33 and classified as pro ...) - nagvis 1:1.9.34-1 + [bullseye] - nagvis (Minor issue) NOTE: https://github.com/NagVis/nagvis/commit/7574fd8a2903282c2e0d1feef5c4876763db21d5 (nagvis-1.9.34) CVE-2022-3978 (A vulnerability, which was classified as problematic, was found in Nod ...) TODO: check @@ -64660,10 +64662,10 @@ CVE-2022-0214 (The Popup | Custom Popup Builder WordPress plugin before 1.3.1 au NOT-FOR-US: WordPress plugin CVE-2022-0213 (vim is vulnerable to Heap-based Buffer Overflow ...) {DLA-3182-1 DLA-2947-1} - - vim 2:8.2.4659-1 - [bullseye] - vim (Minor issue) + - vim 2:8.2.4659-1 (unimportant) NOTE: https://huntr.dev/bounties/f3afe1a5-e6f8-4579-b68a-6e5c7e39afed NOTE: Fixed by: https://github.com/vim/vim/commit/de05bb25733c3319e18dca44e9b59c6ee389eb26 (v8.2.4074) + NOTE: Crash in CLI tool, no security impact CVE-2022-0212 (The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise a ...) NOT-FOR-US: WordPress plugin CVE-2022-0211 (The Shield Security WordPress plugin before 13.0.6 does not sanitise a ...) 
@@ -66031,12 +66033,12 @@ CVE-2021-23154 (In Lens prior to 5.3.4, custom helm chart configuration creates CVE-2022-0159 (orchardcore is vulnerable to Improper Neutralization of Input During W ...) NOT-FOR-US: orchardcore CVE-2022-0158 (vim is vulnerable to Heap-based Buffer Overflow ...) - - vim 2:8.2.4659-1 - [bullseye] - vim (Minor issue) + - vim 2:8.2.4659-1 (unimportant) [buster] - vim (The vulnerable code was introduced later) [stretch] - vim (The vulnerable code was introduced later) NOTE: https://huntr.dev/bounties/ac5d7005-07c6-4a0a-b251-ba9cdbf6738b/ NOTE: https://github.com/vim/vim/commit/5f25c3855071bd7e26255c68bf458b1b5cf92f39 (v8.2.4049) + NOTE: Crash in CLI tool, no security impact CVE-2022-0157 (phoronix-test-suite is vulnerable to Improper Neutralization of Input ...) - phoronix-test-suite CVE-2022-22848 
@@ -66098,12 +66100,10 @@ CVE-2021-46164 (Zoho ManageEngine Desktop Central before 10.0.662 allows remote CVE-2021-46163 (Kentico Xperience 13.0.44 allows XSS via an XML document to the Media ...) NOT-FOR-US: Kentico Xperience CMS CVE-2022-0156 (vim is vulnerable to Use After Free ...) - - vim 2:8.2.4659-1 - [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) - [stretch] - vim (Minor issue) + - vim 2:8.2.4659-1 (unimportant) NOTE: https://huntr.dev/bounties/47dded34-3767-4725-8c7c-9dcb68c70b36 NOTE: https://github.com/vim/vim/commit/9f1a39a5d1cd7989ada2d1cb32f97d84360e050f (v8.2.4040) + NOTE: Crash in CLI tool, no security impact CVE-2022-22827 (storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an in ...) {DSA-5073-1 DLA-2904-1} - expat 2.4.3-1 (bug #1003474) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5311755dd15aa1f9b32c7030fb46b1931cd5dbf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5311755dd15aa1f9b32c7030fb46b1931cd5dbf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
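Review bot: for CVE-2022-0213 the package line becomes `- vim 2:8.2.4659-1 (unimportant)` while the entry keeps `{DLA-3182-1 DLA-2947-1}`, so two advisories already shipped fixes for an issue now rated as having no security impact; the added "Crash in CLI tool" NOTE should say that the rating was lowered after the DLAs so the history is not misread. For CVE-2022-0158 the retained `[buster]` and `[stretch]` "introduced later" lines are still correct but now redundant with the unimportant rating; either keep them deliberately or drop them, consistently with the CVE-2022-0156 hunk where the release annotations were removed.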
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3979/nagvis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d61aefd by Salvatore Bonaccorso at 2022-11-14T09:56:57+01:00 Add CVE-2022-3979/nagvis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,8 @@ CVE-2022-45198 (Pillow before 9.2.0 performs Improper Handling of Highly Compres NOTE: https://github.com/python-pillow/Pillow/commit/11918eac0628ec8ac0812670d9838361ead2d6a4 (9.2.0) NOTE: https://github.com/python-pillow/Pillow/pull/6402 CVE-2022-3979 (A vulnerability was found in NagVis up to 1.9.33 and classified as pro ...) - TODO: check + - nagvis 1:1.9.34-1 + NOTE: https://github.com/NagVis/nagvis/commit/7574fd8a2903282c2e0d1feef5c4876763db21d5 (nagvis-1.9.34) CVE-2022-3978 (A vulnerability, which was classified as problematic, was found in Nod ...) TODO: check CVE-2022-3977 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d61aefd440cb538592221d9e7a65b8cb6f90167 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d61aefd440cb538592221d9e7a65b8cb6f90167 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
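Review bot: the entry records the sid fix `1:1.9.34-1` but carries no `[bullseye]` annotation even though the description says NagVis up to 1.9.33 is affected; decide bullseye's status (minor issue, no-dsa, or a fix) in the same change, or leave a TODO so the open question is visible.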
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2022-45199/pillow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cbe5a9ca by Salvatore Bonaccorso at 2022-11-14T09:55:36+01:00 Add CVE-2022-45199/pillow - - - - - 09eb68dd by Salvatore Bonaccorso at 2022-11-14T09:55:39+01:00 Add CVE-2022-45198/pillow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2,10 +2,12 @@ CVE-2022-45199 (Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL - pillow [bullseye] - pillow (Vulnerable code not present, introduced in 9.2.0) [buster] - pillow (Vulnerable code not present, introduced in 9.2.0) - NOTE: https://github.com/python-pillow/Pillow/commit/2444cddab2f83f28687c7c20871574acbb6dbcf3 + NOTE: https://github.com/python-pillow/Pillow/commit/2444cddab2f83f28687c7c20871574acbb6dbcf3 (9.3.0) NOTE: https://github.com/python-pillow/Pillow/pull/6700 CVE-2022-45198 (Pillow before 9.2.0 performs Improper Handling of Highly Compressed GI ...) - TODO: check + - pillow 9.2.0-1 + NOTE: https://github.com/python-pillow/Pillow/commit/11918eac0628ec8ac0812670d9838361ead2d6a4 (9.2.0) + NOTE: https://github.com/python-pillow/Pillow/pull/6402 CVE-2022-3979 (A vulnerability was found in NagVis up to 1.9.33 and classified as pro ...) TODO: check CVE-2022-3978 (A vulnerability, which was classified as problematic, was found in Nod ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ddc995050dd95522d1a099dc94c65b68444b5289...09eb68dddb1b91b235ddc678f1854152e446e30f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ddc995050dd95522d1a099dc94c65b68444b5289...09eb68dddb1b91b235ddc678f1854152e446e30f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
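Review bot: the second commit adds `- pillow 9.2.0-1` for CVE-2022-45198 ("Pillow before 9.2.0") without any `[bullseye]` or `[buster]` line, while the neighbouring CVE-2022-45199 entry in the same hunk annotates both releases; since bullseye and buster ship versions before 9.2.0, their status needs to be set here rather than left implicit.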
[Git][security-tracker-team/security-tracker][master] new pillow issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ddc99505 by Moritz Muehlenhoff at 2022-11-14T09:48:20+01:00 new pillow issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,9 @@ CVE-2022-45199 (Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. ...) - TODO: check + - pillow + [bullseye] - pillow (Vulnerable code not present, introduced in 9.2.0) + [buster] - pillow (Vulnerable code not present, introduced in 9.2.0) + NOTE: https://github.com/python-pillow/Pillow/commit/2444cddab2f83f28687c7c20871574acbb6dbcf3 + NOTE: https://github.com/python-pillow/Pillow/pull/6700 CVE-2022-45198 (Pillow before 9.2.0 performs Improper Handling of Highly Compressed GI ...) TODO: check CVE-2022-3979 (A vulnerability was found in NagVis up to 1.9.33 and classified as pro ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddc995050dd95522d1a099dc94c65b68444b5289 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddc995050dd95522d1a099dc94c65b68444b5289 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
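Review bot: the NOTE for the fixing commit lacks the upstream release tag that the other NOTE lines in this file carry (for example `(9.2.0)` and `(nagvis-1.9.34)`); append `(9.3.0)`, matching the "before 9.3.0" in the description, so the not-affected reasoning for bullseye and buster can be checked against a release rather than a bare commit hash.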
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 02d91ddf by security tracker role at 2022-11-14T08:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2022-45199 (Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. ...) + TODO: check +CVE-2022-45198 (Pillow before 9.2.0 performs Improper Handling of Highly Compressed GI ...) + TODO: check +CVE-2022-3979 (A vulnerability was found in NagVis up to 1.9.33 and classified as pro ...) + TODO: check CVE-2022-3978 (A vulnerability, which was classified as problematic, was found in Nod ...) TODO: check CVE-2022-3977 @@ -66,8 +72,8 @@ CVE-2022-45185 RESERVED CVE-2022-45184 RESERVED -CVE-2022-45183 - RESERVED +CVE-2022-45183 (Escalation of privileges in the Web Server in Ironman Software PowerSh ...) + TODO: check CVE-2022-45182 (Pi-Star_DV_Dash (for Pi-Star DV) before 5aa194d mishandles the module ...) NOT-FOR-US: Pi-Star_DV_Dash (for Pi-Star DV) CVE-2022-45181 @@ -17398,6 +17404,7 @@ CVE-2022-39379 (Fluentd collects events from various data sources and writes the CVE-2022-39378 (Discourse is a platform for community discussion. Under certain condit ...) NOT-FOR-US: Discourse CVE-2022-39377 (sysstat is a set of system performance tools for the Linux operating s ...) + {DLA-3188-1} - sysstat (bug #1023832) [bullseye] - sysstat (Minor issue) NOTE: https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x @@ -38539,8 +38546,7 @@ CVE-2022-31632 RESERVED CVE-2022-31631 RESERVED -CVE-2022-31630 - RESERVED +CVE-2022-31630 (In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imagelo ...) {DSA-5277-1} - php8.1 8.1.12-1 - php7.4 
@@ -92216,10 +9,10 @@ CVE-2021-38830 RESERVED CVE-2021-38829 RESERVED -CVE-2021-38828 - RESERVED -CVE-2021-38827 - RESERVED +CVE-2021-38828 (Xiongmai Camera XM-JPR2-LX V4.02.R12.A6420987.10002.147502.0 is vu ...) + TODO: check +CVE-2021-38827 (Xiongmai Camera XM-JPR2-LX V4.02.R12.A6420987.10002.147502.0 is vu ...) + TODO: check CVE-2021-38826 RESERVED CVE-2021-38825 @@ -98454,6 +98460,7 @@ CVE-2021-36370 (An issue was discovered in Midnight Commander through 4.8.26. Wh [stretch] - mc (Minor issue) NOTE: https://github.com/MidnightCommander/mc/commit/9235d3c232d13ad7f973346077c9cf2eaa77dc5f CVE-2021-36369 (An issue was discovered in Dropbear through 2020.81. Due to a non-RFC- ...) + {DLA-3187-1} - dropbear 2022.82-1 [bullseye] - dropbear (Minor issue) NOTE: https://github.com/mkj/dropbear/pull/128 @@ -214685,6 +214692,7 @@ CVE-2017-18640 (The Alias feature in SnakeYAML before 1.26 allows entity expansi CVE-2019-19726 (OpenBSD through 6.6 allows local users to escalate to root because a c ...) NOT-FOR-US: OpenBSD CVE-2019-19725 (sysstat through 12.2.0 has a double free in check_file_actlst in sa_co ...) + {DLA-3188-1} - sysstat 12.2.0-2 (unimportant; bug #946657) [stretch] - sysstat (Vulnerable code introduced in v11.7.1) [jessie] - sysstat (Vulnerable code introduced in v11.7.1) 
@@ -231138,6 +231146,7 @@ CVE-2019-16170 (An issue was discovered in GitLab Enterprise Edition 11.x and 12 CVE-2019-16169 RESERVED CVE-2019-16167 (sysstat before 12.1.6 has memory corruption due to an Integer Overflow ...) + {DLA-3188-1} - sysstat 12.1.7-1 (bug #939914) [stretch] - sysstat (Vulnerable code introduced later) [jessie] - sysstat (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02d91ddff178ef1131b0f9a73d980d3744e1639d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02d91ddff178ef1131b0f9a73d980d3744e1639d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
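Review bot: the CVE-2022-31630 hunk for PHP (the one carrying `{DSA-5277-1}` and `- php8.1 8.1.12-1`) breaks off after `- php7.4`, so the php7.4 fixed version and the bullseye state cannot be reviewed from this notification; confirm them in the full commit on GitLab before relying on the rendered diff.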
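Review bot: the hunk header for the two Xiongmai camera entries reads `@@ -92216,10 +9,10 @@`, whose new-file offset `+9` is inconsistent with the neighbouring hunks (`+38546` before it, `+98460` after it); the header appears corrupted in this rendering, so the line positions of CVE-2021-38828 and CVE-2021-38827 should be verified against the commit itself rather than this mail.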
