[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-09-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
35bd5b59 by Neil Williams at 2022-09-02T11:00:38+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -36891,7 +36891,7 @@ CVE-2022-25304 (All versions of package opcua; all 
versions of package asyncua a
 CVE-2022-25303 (The package whoogle-search before 0.7.2 are vulnerable to 
Cross-site S ...)
NOT-FOR-US: whoogle-search
 CVE-2022-25302 (All versions of package asneg/opcuastack are vulnerable to 
Denial of S ...)
-   TODO: check
+   NOT-FOR-US: ASNeG/OpcUaStack
 CVE-2022-25301 (All versions of package jsgui-lang-essentials are vulnerable 
to Protot ...)
NOT-FOR-US: jsgui-lang-essentials
 CVE-2022-25300
@@ -36935,7 +36935,7 @@ CVE-2022-24430
 CVE-2022-24429 (The package convert-svg-core before 0.6.3 are vulnerable to 
Arbitrary  ...)
NOT-FOR-US: Node convert-svg-core
 CVE-2022-24381 (All versions of package asneg/opcuastack are vulnerable to 
Denial of S ...)
-   TODO: check
+   NOT-FOR-US: ASNeG/OpcUaStack
 CVE-2022-24377
RESERVED
 CVE-2022-24376 (All versions of package git-promise are vulnerable to Command 
Injectio ...)
@@ -36945,7 +36945,7 @@ CVE-2022-24375 (The package node-opcua before 2.74.0 
are vulnerable to Denial of
 CVE-2022-24373
RESERVED
 CVE-2022-24298 (All versions of package freeopcua/freeopcua are vulnerable to 
Denial o ...)
-   TODO: check
+   NOT-FOR-US: FreeOpcUa/freeopcua
 CVE-2022-24279 (The package madlib-object-utils before 0.1.8 are vulnerable to 
Prototy ...)
NOT-FOR-US: madlib-object-utils
 CVE-2022-24278 (The package convert-svg-core before 0.6.4 are vulnerable to 
Directory  ...)
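Review bot: before settling on NOT-FOR-US for CVE-2022-24298, a codesearch.debian.net query for an embedded copy of freeopcua is worth the minute, since OPC UA stacks are the kind of library that gets vendored into larger source packages; if nothing turns up, the NFU stands as written.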
@@ -44837,9 +44837,11 @@ CVE-2022-23462
 CVE-2022-23461
RESERVED
 CVE-2022-23460 (Jsonxx or Json++ is a JSON parser, writer and reader written 
in C++. I ...)
-   TODO: check
+   TODO: check - numerous jsonxx repositories exist on github
+   NOTE: https://github.com/advisories/GHSA-h8mv-q3c4-8hw2
 CVE-2022-23459 (Jsonxx or Json++ is a JSON parser, writer and reader written 
in C++. I ...)
-   TODO: check
+   TODO: check - numerous jsonxx repositories exist on github
+   NOTE: https://github.com/advisories/GHSA-8662-6hf9-cr47
 CVE-2022-23458
RESERVED
 CVE-2022-23457 (ESAPI (The OWASP Enterprise Security API) is a free, open 
source, web  ...)
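Review bot: the two GHSA advisories linked here should identify the exact jsonxx repository the CVEs were filed against, so the "numerous jsonxx repositories exist on github" TODO can probably be closed just by reading them; when resolving, record the repository (owner/name) in a NOTE, otherwise the next triager repeats the same search.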
@@ -52859,7 +52861,7 @@ CVE-2022-21943
 CVE-2022-21942
RESERVED
 CVE-2022-21941 (All versions of iSTAR Ultra prior to version 6.8.9.CU01are 
vulnerable  ...)
-   TODO: check
+   NOT-FOR-US: Sensormatic Electronics, LLC
 CVE-2022-21940
RESERVED
 CVE-2022-21939
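Review bot: "NOT-FOR-US: Sensormatic Electronics, LLC" names only the vendor, while the CVE text names the product (iSTAR Ultra) and the neighbouring NFU lines name products ("whoogle-search", "jsgui-lang-essentials"); "NOT-FOR-US: Sensormatic iSTAR Ultra" would keep both and make a later grep for the product hit.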



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35bd5b59da3caf4505fd1b6fda5e609051a1c979

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35bd5b59da3caf4505fd1b6fda5e609051a1c979
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-09-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
70168e2d by Neil Williams at 2022-09-02T10:38:32+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -295,7 +295,7 @@ CVE-2022-3074
 CVE-2022-3073
RESERVED
 CVE-2022-3072 (Cross-site Scripting (XSS) - Stored in GitHub repository 
francoisjacqu ...)
-   TODO: check
+   NOT-FOR-US: francoisjacquet/rosariosis
 CVE-2006-20001
RESERVED
 CVE-2022- [wordpress 6.0.2]
@@ -36901,7 +36901,7 @@ CVE-2022-25233
 CVE-2022-25232
RESERVED
 CVE-2022-25231 (The package node-opcua before 2.74.0 are vulnerable to Denial 
of Servi ...)
-   TODO: check
+   NOT-FOR-US: node-opcua/node-opcua
 CVE-2022-25171
RESERVED
 CVE-2022-24913
@@ -36941,7 +36941,7 @@ CVE-2022-24377
 CVE-2022-24376 (All versions of package git-promise are vulnerable to Command 
Injectio ...)
NOT-FOR-US: Node git-promise
 CVE-2022-24375 (The package node-opcua before 2.74.0 are vulnerable to Denial 
of Servi ...)
-   TODO: check
+   NOT-FOR-US: node-opcua/node-opcua
 CVE-2022-24373
RESERVED
 CVE-2022-24298 (All versions of package freeopcua/freeopcua are vulnerable to 
Denial o ...)
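Review bot: the NFU string for CVE-2022-24375 uses the GitHub path "node-opcua/node-opcua", whereas the Node packages next to it use the tracker's "Node <package>" form ("NOT-FOR-US: Node git-promise" in this hunk, "Node posix" and "Node lmdb" in the hunks below); "NOT-FOR-US: Node node-opcua" would match that convention, and the same applies to the other node-opcua entries in this commit (CVE-2022-25231, CVE-2022-21208) and to font-converter (CVE-2022-21165), which is also an npm package judging by its "zgec/node-js-font-converter" repository.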
@@ -37014,7 +37014,7 @@ CVE-2022-21213 (This affects all versions of package 
mout. The deepFillIn functi
 CVE-2022-21211 (This affects all versions of package posix. When invoking the 
toString ...)
NOT-FOR-US: Node posix
 CVE-2022-21208 (The package node-opcua before 2.74.0 are vulnerable to Denial 
of Servi ...)
-   TODO: check
+   NOT-FOR-US: node-opcua/node-opcua
 CVE-2022-21195 (All versions of package url-regex are vulnerable to Regular 
Expression ...)
NOT-FOR-US: AlexFlipnote/url_regex
 CVE-2022-21192
@@ -37034,7 +37034,7 @@ CVE-2022-21169
 CVE-2022-21167 (All versions of package masuit.tools.core are vulnerable to 
Arbitrary  ...)
NOT-FOR-US: masuit.tools
 CVE-2022-21165 (All versions of package font-converter are vulnerable to 
Arbitrary Com ...)
-   TODO: check
+   NOT-FOR-US: zgec/node-js-font-converter
 CVE-2022-21164 (The package node-lmdb before 0.9.7 are vulnerable to Denial of 
Service ...)
NOT-FOR-US: Node lmdb
 CVE-2022-21149 (The package s-cart/s-cart before 6.9; the package s-cart/core 
before 6 ...)
@@ -63416,7 +63416,7 @@ CVE-2022-20361 (In btif_dm_auth_cmpl_evt of btif_dm.cc, 
there is a possible vuln
 CVE-2022-20360 (In setChecked of SecureNfcPreferenceController.java, there is 
a missin ...)
NOT-FOR-US: Android
 CVE-2022-20359 (In various methods of NotificationManagerService.java, there 
is a poss ...)
-   TODO: check
+   TODO: check - not listed in linked bulletin
 CVE-2022-20358 (In startSync of AbstractThreadedSyncAdapter.java, there is a 
possible  ...)
NOT-FOR-US: Android
 CVE-2022-20357 (In writeToParcel of SurfaceControl.cpp, there is a possible 
informatio ...)
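Review bot: "TODO: check - not listed in linked bulletin" does not say which bulletin was checked; the neighbouring CVE-2022-20358/20360 entries are NOT-FOR-US: Android, so a NOTE with the URL (or month) of the bulletin that was consulted would let the next pass tell whether the CVE simply appeared in a later bulletin, instead of redoing the lookup.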



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70168e2dafe1db371a550c15d388342872e028bd



[Git][security-tracker-team/security-tracker][master] CVE-2022-2764/undertow unfixed

2022-09-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
120d880a by Neil Williams at 2022-09-02T10:22:28+01:00
CVE-2022-2764/undertow unfixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3083,7 +3083,8 @@ CVE-2022-2766 (A vulnerability was found in 
SourceCodester Loan Management Syste
 CVE-2022-2765 (A vulnerability was found in SourceCodester Company Website CMS 
1.0. I ...)
NOT-FOR-US: SourceCodester Company Website CMS
 CVE-2022-2764 (A flaw was found in Undertow. Denial of service can be achieved 
as Und ...)
-   TODO: check
+   - undertow 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2117506
 CVE-2022-2763
RESERVED
 CVE-2022-2762
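Review bot: the undertow entry gains the Red Hat bugzilla reference but no Debian bug reference, unlike the other unfixed entries on this page ("cimg (bug #1018941)", "jpegqs (bug #1017608)"); filing a BTS bug against undertow and recording it here is what actually notifies the maintainer, and the stable suites still need a [bullseye]/[buster] line once it is known whether the shipped version is affected.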



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/120d880a0873ae36af8c790616b6d72b0313dede



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-09-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2626e781 by Neil Williams at 2022-09-02T10:16:11+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7868,7 +7868,7 @@ CVE-2022-31473 (In BIG-IP Versions 16.1.x before 16.1.1 
and 15.1.x before 15.1.4
 CVE-2022-30535 (In versions 2.x before 2.3.0 and all versions of 1.x, An 
attacker auth ...)
NOT-FOR-US: F5
 CVE-2022-2466 (It was found that Quarkus 2.10.x does not terminate HTTP 
requests head ...)
-   TODO: check
+   NOT-FOR-US: quarkusio/quarkus
 CVE-2022-2465 (Rockwell Automation ISaGRAF Workbench software versions 6.0 
through 6. ...)
NOT-FOR-US: Rockwell Automation
 CVE-2022-2464 (Rockwell Automation ISaGRAF Workbench software versions 6.0 
through 6. ...)
@@ -19498,7 +19498,7 @@ CVE-2022-31799 (Bottle before 0.12.20 mishandles errors 
during early request bin
 CVE-2022-1931 (Incorrect Synchronization in GitHub repository polonel/trudesk 
prior t ...)
NOT-FOR-US: Trudesk
 CVE-2022-1930 (An exponential ReDoS (Regular Expression Denial of Service) can 
be tri ...)
-   TODO: check
+   NOT-FOR-US: ethereum/eth-account
 CVE-2022-1929 (An exponential ReDoS (Regular Expression Denial of Service) can 
be tri ...)
NOT-FOR-US: devcert Nodejs module
 CVE-2022-1928 (Cross-site Scripting (XSS) - Stored in GitHub repository 
go-gitea/gite ...)
@@ -20148,7 +20148,7 @@ CVE-2022-1890
 CVE-2022-1889 (The Newsletter WordPress plugin before 7.4.6 does not escape 
and sanit ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-1888 (Alpha7 PC Loader (All versions) is vulnerable to a stack-based 
buffer  ...)
-   TODO: check
+   NOT-FOR-US: Fuji Electric
 CVE-2021-4231 (A vulnerability was found in Angular up to 
11.0.4/11.1.0-next.2. It ha ...)
NOT-FOR-US: angular/angular - replacement for deprecated angularjs
NOTE: AngularJS upstream support has officially ended as of January 2022
@@ -20690,7 +20690,7 @@ CVE-2022-31479 (An unauthenticated attacker can update 
the hostname with a speci
 CVE-2022-31478 (The UserTakeOver plugin before 4.0.1 for ILIAS allows an 
attacker to l ...)
NOT-FOR-US: UserTakeOver plugin for ILIAS
 CVE-2022-1841 (In subsys/net/ip/tcp.c , function tcp_flags , when the incoming 
parame ...)
-   TODO: check
+   NOT-FOR-US: zephyr-rtos
 CVE-2022-1840 (A vulnerability, which was classified as problematic, has been 
found i ...)
NOT-FOR-US: Home Clean Services Management System
 CVE-2022-1839 (A vulnerability classified as critical was found in Home Clean 
Service ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2626e78121aa29504b4af6d72ccf86fd3879e636



[Git][security-tracker-team/security-tracker][master] CVE-2022-1615/samba unfixed

2022-09-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b05bdafa by Neil Williams at 2022-09-02T09:58:30+01:00
CVE-2022-1615/samba unfixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24079,7 +24079,9 @@ CVE-2022-29483 (Incorrect Default Permissions 
vulnerability in ABB e-Design allo
 CVE-2022-28702 (Incorrect Default Permissions vulnerability in ABB e-Design 
allows att ...)
NOT-FOR-US: ABB e-Design
 CVE-2022-1615 (In Samba, GnuTLS gnutls_rnd() can fail and give predictable 
random val ...)
-   TODO: check
+   - samba 
+   NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15103
+   NOTE: 
https://gitlab.com/samba-team/samba/-/commit/9849e7440e30853c61a80ce1f11b7b244ed766fe
 (v4-17-stable)
 CVE-2022-1614 (The WP-EMail WordPress plugin before 2.69.0 prioritizes getting 
a visi ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-1613
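Review bot: the entry marks samba unfixed and points at a commit on the v4-17-stable branch, but records neither the upstream release that carries the fix nor any [bullseye]/[buster] annotation, and samba ships in both stable suites; Samba bug 15103 should say which 4.x releases contain the fix, so note that version next to the commit link (the "(v3.96)"-style annotation used for the upx entries on this page) and add the suite lines once the stable versions have been checked.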



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b05bdafa585a89c3b7324d19195d5668afdf4473



[Git][security-tracker-team/security-tracker][master] CVE-2022-1325/cimg unfixed #1018941

2022-09-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f946b3bc by Neil Williams at 2022-09-02T09:50:41+01:00
CVE-2022-1325/cimg unfixed #1018941

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27729,7 +27729,13 @@ CVE-2022-1327 (The Image Gallery WordPress plugin 
before 1.1.6 does not sanitize
 CVE-2022-1326 (The Form - Contact Form WordPress plugin through 1.2.0 does not 
saniti ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-1325 (A flaw was found in Clmg, where with the help of a maliciously 
crafted ...)
-   TODO: check
+   - cimg  (bug #1018941)
+   NOTE: https://access.redhat.com/security/cve/CVE-2022-1325
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2074549
+   NOTE: 
https://github.com/GreycLab/CImg/commit/619cb58dd90b4e03ac68286c70ed98acbefd1c90
 (v3.1.0)
+   NOTE: https://github.com/GreycLab/CImg/issues/343
+   NOTE: https://github.com/GreycLab/CImg/pull/348
+   NOTE: https://huntr.dev/bounties/a5e4fc45-8f14-4dd1-811b-740fc50c95d2/
 CVE-2022-1324 (The Event Timeline WordPress plugin through 1.1.5 does not 
sanitize an ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-1323 (The Discy WordPress theme before 5.0 lacks authorization checks 
then p ...)
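Review bot: the fix is annotated "(v3.1.0)" and cimg is recorded as unfixed, but nothing says which cimg version Debian ships or whether bullseye/buster are affected; as with the crmsh entry elsewhere on this page, add [suite] lines once that has been checked, so the unfixed status is not silently assumed to apply to stable as well.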



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f946b3bc56747c2ec0390e1c8af268b677e5caab



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-09-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d4b1c62 by Neil Williams at 2022-09-02T09:12:55+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -53343,7 +53343,7 @@ CVE-2021-45029 (Groovy Code Injection  SpEL 
Injection which lead to Remote
 CVE-2021-45028
RESERVED
 CVE-2021-45027 (An arbitrary file download vulnerability in Oliver v5 Library 
Server V ...)
-   TODO: check
+   NOT-FOR-US: Oliver Library Server
 CVE-2021-45026 (ASG technologies ASG-Zena Cross Platform Server Enterprise 
Edition 4.2 ...)
NOT-FOR-US: ASG technologies
 CVE-2021-45025 (ASG technologies ( A Rocket Software Company) ASG-Zena Cross 
Platform  ...)
@@ -58499,9 +58499,9 @@ CVE-2021-43769
 CVE-2021-43768
RESERVED
 CVE-2021-43767 (Odyssey passes to client unencrypted bytes from 
man-in-the-middle When ...)
-   TODO: check
+   NOT-FOR-US: yandex/odyssey
 CVE-2021-43766 (Odyssey passes to server unencrypted bytes from 
man-in-the-middle When ...)
-   TODO: check
+   NOT-FOR-US: yandex/odyssey
 CVE-2021-43765 (AEM's Cloud Service offering, as well as version 6.5.10.0 (and 
below)  ...)
NOT-FOR-US: Adobe
 CVE-2021-43764 (AEM's Cloud Service offering, as well as version 6.5.10.0 (and 
below)  ...)
@@ -59826,7 +59826,7 @@ CVE-2021-43311
 CVE-2021-43310
RESERVED
 CVE-2021-43309 (An exponential ReDoS (Regular Expression Denial of Service) 
can be tri ...)
-   TODO: check
+   NOT-FOR-US: Node uri-template-lite
 CVE-2021-43308 (An exponential ReDoS (Regular Expression Denial of Service) 
can be tri ...)
NOT-FOR-US: Node markdown-link-extractor
 CVE-2021-43307 (An exponential ReDoS (Regular Expression Denial of Service) 
can be tri ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d4b1c62d28de4b11a49c79eaa77092136e2d737



[Git][security-tracker-team/security-tracker][master] Process two NFUs

2022-09-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a1490101 by Neil Williams at 2022-09-02T08:52:00+01:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -61418,7 +61418,7 @@ CVE-2021-43059
 CVE-2021-43058 (An open redirect vulnerability exists in Replicated Classic 
versions p ...)
NOT-FOR-US: Replicated
 CVE-2021-3914 (It was found that the smallrye health metrics UI component did 
not pro ...)
-   TODO: check
+   NOT-FOR-US: SmallRye Health
 CVE-2021-43057 (An issue was discovered in the Linux kernel before 5.14.8. A 
use-after ...)
- linux 5.14.9-1
[bullseye] - linux  (Vulnerable code introduced later)
@@ -107123,7 +107123,7 @@ CVE-2020-36200 (TinyCheck before commits 9fd360d and 
ea53de8 allowed an authenti
 CVE-2020-36199 (TinyCheck before commits 9fd360d and ea53de8 was vulnerable to 
command ...)
NOT-FOR-US: TinyCheck
 CVE-2021-25642 (ZKConfigurationStore which is optionally used by 
CapacityScheduler of  ...)
-   TODO: check
+   - hadoop  (bug #793644)
 CVE-2021-25641 (Each Apache Dubbo server will set a serialization id to tell 
the clien ...)
NOT-FOR-US: Apache Dubbo
 CVE-2021-25640 (In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of 
parseURL method ...)
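Review bot: bug #793644 is a far older number than the other Debian bug references on this page (#1017608, #1018941), which suggests it is the hadoop ITP rather than a bug against a packaged version; if hadoop is not in the archive, the entry should carry the tracker's <itp> marker instead of being listed like a shipped package, which also matches how the commit message ("Process two NFUs") treats it.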



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a14901013a6ffbbaf557885fd99af2710e27f55a



[Git][security-tracker-team/security-tracker][master] CVE-2021-3020/crmsh 4.3.1

2022-09-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
24ec2bd1 by Neil Williams at 2022-09-02T08:40:07+01:00
CVE-2021-3020/crmsh 4.3.1

Vulnerable in bullseye

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -114046,7 +114046,13 @@ CVE-2021-3022 (An issue was discovered on LG mobile 
devices with Android OS 10 s
 CVE-2021-3021 (ISPConfig before 3.2.2 allows SQL injection. ...)
NOT-FOR-US: ISPConfig
 CVE-2021-3020 (An issue was discovered in ClusterLabs Hawk (aka HA Web 
Konsole) throu ...)
-   TODO: check
+   - crmsh 4.3.1
+   [bullseye] - crmsh 
+   [buster] - crmsh  (Vulnerable code introduced later)
+   NOTE: 
https://github.com/ClusterLabs/crmsh/commit/c538024b8ebd138dc373b005189471d9b77e9c82
 (4.3.1)
+   NOTE: Introduced in 
https://github.com/ClusterLabs/crmsh/commit/086a8a9e995eae1041a25d8aa27da4b3da5e1236
 (4.2.1)
+   NOTE: https://github.com/ClusterLabs/hawk/releases
+   NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1180571 (private)
 CVE-2021-22685
RESERVED
 CVE-2021-22684 (Tizen RT RTOS version 3.0.GBB is vulnerable to integer 
wrap-around in  ...)
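Review bot: the CVE text is about ClusterLabs Hawk, but the entry is filed against crmsh with crmsh commits as both the fix and the introducing change; a NOTE spelling out why crmsh is the affected component (the Hawk releases link alone does not explain it) would save the next reader reconstructing that, especially since the only bug reference is a private SUSE bugzilla. The buster line ("Vulnerable code introduced later") rests on the 4.2.1 introduction commit, so noting the buster crmsh version that was compared against it would make the annotation verifiable.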



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24ec2bd174972d723fb161395cb8a28d6adc7c10



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-09-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
38ead3de by Neil Williams at 2022-09-02T08:24:48+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -117237,7 +117237,7 @@ CVE-2020-35994
 CVE-2020-35993
RESERVED
 CVE-2020-35992 (Fiserv Prologue through 2020-12-16 does not properly protect 
the datab ...)
-   TODO: check
+   NOT-FOR-US: Fiserv Prologue
 CVE-2020-35991
RESERVED
 CVE-2020-35990
@@ -129957,9 +129957,9 @@ CVE-2021-0949
 CVE-2021-0948
RESERVED
 CVE-2021-0947 (The method PVRSRVBridgeTLDiscoverStreams allocates 
puiStreamsInt on th ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2021-0946 (The method PVRSRVBridgePMRPDumpSymbolicAddr allocates 
puiMemspaceNameI ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2021-0945
RESERVED
 CVE-2021-0944
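Review bot: the PVRSRVBridge* method names in these two descriptions (and "PowerVR driver" in CVE-2021-0891 further down) point at the Imagination PowerVR GPU driver rather than the Android framework, so a more specific string such as "NOT-FOR-US: Android (PowerVR driver)" would make the five PVRSRV entries in this commit findable later while still recording the bulletin as the source.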
@@ -130098,7 +130098,7 @@ CVE-2021-0893 (In apusys, there is a possible memory 
corruption due to a use aft
 CVE-2021-0892
RESERVED
 CVE-2021-0891 (An unprivileged app can trigger PowerVR driver to return an 
uninitiali ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2021-0890
RESERVED
 CVE-2021-0889 (In Android TV , there is a possible silent pairing due to lack 
of rate ...)
@@ -130106,7 +130106,7 @@ CVE-2021-0889 (In Android TV , there is a possible 
silent pairing due to lack of
 CVE-2021-0888
RESERVED
 CVE-2021-0887 (In PVRSRVBridgeHeapCfgHeapConfigName, there is a possible leak 
of kern ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2021-0886
RESERVED
 CVE-2021-0885
@@ -130487,7 +130487,7 @@ CVE-2021-0700
 CVE-2021-0699
RESERVED
 CVE-2021-0698 (In PVRSRVBridgeHeapCfgHeapDetails, there is a possible leak of 
kernel  ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2021-0697
RESERVED
 CVE-2021-0696
@@ -135525,7 +135525,7 @@ CVE-2020-26939 (In Legion of the Bouncy Castle BC 
before 1.61 and BC-FJA before
NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2020-26939
NOTE: 
https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1
 (r1rv61)
 CVE-2020-26938 (In oauth2-server (aka node-oauth2-server) through 3.1.1, the 
value of  ...)
-   TODO: check
+   NOT-FOR-US: node-oauth2-server
 CVE-2020-26937
RESERVED
 CVE-2020-26936 (Cloudera Data Engineering (CDE) before 1.1 was vulnerable to a 
CSRF at ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38ead3de808430633e6ab208cf51d453477cd243



[Git][security-tracker-team/security-tracker][master] CVE-2020-27790 && CVE-2020-27788/upx-ucl 3.96-1

2022-08-19 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f2c7153 by Neil Williams at 2022-08-19T10:26:01+01:00
CVE-2020-27790 && CVE-2020-27788/upx-ucl 3.96-1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -130555,11 +130555,15 @@ CVE-2020-27792
 CVE-2020-27791
REJECTED
 CVE-2020-27790 (A floating point exception issue was discovered in UPX in 
PackLinuxElf ...)
-   TODO: check
+   - upx-ucl 3.96-1
+   NOTE: https://github.com/upx/upx/issues/331
+   NOTE: 
https://github.com/upx/upx/commit/eb90eab6325d009004ffb155e3e33f22d4d3ca26 
(v3.96)
 CVE-2020-27789
REJECTED
 CVE-2020-27788 (An out-of-bounds read access vulnerability was discovered in 
UPX in Pa ...)
-   TODO: check
+   - upx-ucl 3.96-1
+   NOTE: https://github.com/upx/upx/issues/332
+   NOTE: 
https://github.com/upx/upx/commit/1bb93d4fce9f1d764ba57bf5ac154af515b3fc83 
(v3.96)
 CVE-2020-27787 (A Segmentaation fault was found in UPX in invert_pt_dynamic() 
function ...)
- upx-ucl 3.96-1
NOTE: https://github.com/upx/upx/issues/333
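Review bot: both entries record upx-ucl 3.96-1 as the fixed unstable version with the fix landing in v3.96, but carry no per-suite lines; any release shipping a pre-3.96 upx-ucl needs its own [suite] annotation (no-dsa, ignored or a fixed version), so check buster and bullseye rather than leaving them implicit. The issue/commit pairs are consecutive (#331, #332, and #333 for CVE-2020-27787 below), consistent with one upstream fuzzing batch fixed together in 3.96.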



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f2c71536279d28ffd462b5b33a76cc5e754366c



[Git][security-tracker-team/security-tracker][master] 2 commits: Process an NFU

2022-08-19 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a1eaad5a by Neil Williams at 2022-08-19T10:15:13+01:00
Process an NFU

- - - - -
e3a4d500 by Neil Williams at 2022-08-19T10:20:20+01:00
CVE-2020-27787/upx-ucl 3.96-1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -130561,7 +130561,9 @@ CVE-2020-27789
 CVE-2020-27788 (An out-of-bounds read access vulnerability was discovered in 
UPX in Pa ...)
TODO: check
 CVE-2020-27787 (A Segmentaation fault was found in UPX in invert_pt_dynamic() 
function ...)
-   TODO: check
+   - upx-ucl 3.96-1
+   NOTE: https://github.com/upx/upx/issues/333
+   NOTE: 
https://github.com/upx/upx/commit/e2f60adc95334f47e286838dac33160819c5d74d 
(v3.96)
 CVE-2020-27786 (A flaw was found in the Linux kernels implementation of 
MIDI, w ...)
- linux 5.6.14-1
[buster] - linux 4.19.131-1
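Review bot: CVE-2020-27788, the context line just above, is left at "TODO: check" although its upstream issue (#332) sits between the #331 and #333 reports from the same batch; it is resolved in the later commit 9f2c7153 shown above on this page, so nothing is lost, but processing the three together in one commit would have kept the list consistent at every revision.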
@@ -141439,7 +141441,7 @@ CVE-2020-23468
 CVE-2020-23467
RESERVED
 CVE-2020-23466 (Cross Site Scripting (XSS) vulnerability exists in the 
phpgurukul Onli ...)
-   TODO: check
+   NOT-FOR-US: phpgurukul Online Marriage Registration System
 CVE-2020-23465
RESERVED
 CVE-2020-23464



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f95558f4bde806c389ea53b5f645d69dae19bdb1...e3a4d500aed405f36f46c90b7e5901e7c92d44df



[Git][security-tracker-team/security-tracker][master] CVE-2022-35133/cherrytree add Suse bug reference

2022-08-19 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f95558f4 by Neil Williams at 2022-08-19T10:02:12+01:00
CVE-2022-35133/cherrytree add Suse bug reference

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8427,6 +8427,7 @@ CVE-2022-35134
 CVE-2022-35133 (A cross-site scripting (XSS) vulnerability in CherryTree 
v0.99.30 allo ...)
- cherrytree 
NOTE: 
https://drive.google.com/file/d/1Pidkh2MAQkue81dS7SI-d16Vun_s5tot/view?usp=sharing
+   NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1202513
NOTE: Unclear status, checking with upstream
 CVE-2022-35132
RESERVED
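Review bot: with the SUSE bug added, the entry now has a distro bug and a Google Drive share as references but still no upstream CherryTree issue or commit; the "Unclear status, checking with upstream" NOTE should eventually be replaced by the outcome (fixing commit with its version, or a not-affected/unimportant decision with the reason) so the question does not stay open indefinitely.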



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f95558f4bde806c389ea53b5f645d69dae19bdb1



[Git][security-tracker-team/security-tracker][master] 2 commits: Process 2 NFUs

2022-08-18 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
efcc70ea by Neil Williams at 2022-08-18T11:34:45+01:00
Process 2 NFUs

- - - - -
30e67ce4 by Neil Williams at 2022-08-18T11:35:19+01:00
CVE-2022-35434/jpegqs unfixed #1017608

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7454,7 +7454,9 @@ CVE-2022-35436
 CVE-2022-35435
RESERVED
 CVE-2022-35434 (jpeg-quantsmooth before commit 8879454 contained a floating 
point exce ...)
-   TODO: check
+   - jpegqs  (bug #1017608)
+   NOTE: 
https://github.com/ilyakurdyukov/jpeg-quantsmooth/commit/8879454401722ea603c6e3abfafdeb30c0880c8e
+   NOTE: https://github.com/ilyakurdyukov/jpeg-quantsmooth/issues/25
 CVE-2022-35433 (ffjpeg commit caade60a69633d74100bd3c2528bddee0b6a1291 was 
discovered  ...)
NOT-FOR-US: ffjpeg
 CVE-2022-35432
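Review bot: the fixing commit for jpegqs is linked without the "(vX.Y)" version annotation used elsewhere on this page (e.g. "(v3.96)" for upx), which is what the tracker relies on to later decide which Debian upload is fixed; if upstream has not tagged a release containing 8879454, a NOTE saying so is still useful. Tying the entry to bug #1017608 is the right thing to do for an unfixed package.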
@@ -8178,13 +8180,13 @@ CVE-2022-35156
 CVE-2022-35155
RESERVED
 CVE-2022-35154 (Shopro Mall System v1.3.8 was discovered to contain a SQL 
injection vu ...)
-   TODO: check
+   NOT-FOR-US: Shopro Mall System
 CVE-2022-35153 (FusionPBX 5.0.1 was discovered to contain a command injection 
vulnerab ...)
NOT-FOR-US: FusionPBX
 CVE-2022-35152
RESERVED
 CVE-2022-35151 (kkFileView v4.1.0 was discovered to contain multiple 
cross-site script ...)
-   TODO: check
+   NOT-FOR-US: kkFileview
 CVE-2022-35150
RESERVED
 CVE-2022-35149
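Review bot: the NFU string "kkFileview" does not match the product's casing in the CVE description ("kkFileView"); these strings are what later greps of the list match on, so copy the name as the description spells it.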



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d9fa454e24fbccca41819170e22e938c1eac278b...30e67ce4aa9cf779fa6a4c995908457ee843b5c0



[Git][security-tracker-team/security-tracker][master] CVE-2022-35133/cherrytree undetermined

2022-08-18 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9fa454e by Neil Williams at 2022-08-18T11:13:32+01:00
CVE-2022-35133/cherrytree undetermined

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8220,7 +8220,9 @@ CVE-2022-35135
 CVE-2022-35134
RESERVED
 CVE-2022-35133 (A cross-site scripting (XSS) vulnerability in CherryTree 
v0.99.30 allo ...)
-   TODO: check
+   - cherrytree 
+   NOTE: 
https://drive.google.com/file/d/1Pidkh2MAQkue81dS7SI-d16Vun_s5tot/view?usp=sharing
+   NOTE: Unclear status, checking with upstream
 CVE-2022-35132
RESERVED
 CVE-2022-35131 (Joplin v2.8.8 allows attackers to execute arbitrary commands 
via a cra ...)
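Review bot: the new package line for CVE-2022-35133 reads `- cherrytree ` with nothing after the package name as rendered here, while the commit message says undetermined; the tracker expects a status token in that position (`- cherrytree <undetermined>`), so confirm the token was not lost. The first NOTE points at a Google Drive share rather than an upstream issue or commit; once upstream replies (per the second NOTE), replace or supplement it with a stable upstream reference, since a shared drive link can be revoked and gives later triagers nothing to verify the reported XSS against.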



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9fa454e24fbccca41819170e22e938c1eac278b



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-18 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7a8e3a15 by Neil Williams at 2022-08-18T10:45:19+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7782,7 +7782,7 @@ CVE-2022-35301
 CVE-2022-35300
REJECTED
 CVE-2022-33939 (CENTUM VP / CS 3000 controller FCS (CP31, CP33, CP345, CP401, 
and CP45 ...)
-   TODO: check
+   NOT-FOR-US: Yokogawa CENTUM CS 3000
 CVE-2022-2346
RESERVED
 CVE-2022-2345 (Use After Free in GitHub repository vim/vim prior to 9.0.0046. 
...)
@@ -8472,37 +8472,37 @@ CVE-2022-35015
 CVE-2022-35014
RESERVED
 CVE-2022-35013 (PNGDec commit 8abf6be was discovered to contain a FPE via 
SaveBMP at / ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/PNGdec
 CVE-2022-35012 (PNGDec commit 8abf6be was discovered to contain a heap buffer 
overflow ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/PNGdec
 CVE-2022-35011 (PNGDec commit 8abf6be was discovered to contain a global 
buffer overfl ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/PNGdec
 CVE-2022-35010 (PNGDec commit 8abf6be was discovered to contain a heap buffer 
overflow ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/PNGdec
 CVE-2022-35009 (PNGDec commit 8abf6be was discovered to contain a memory 
allocation pr ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/PNGdec
 CVE-2022-35008 (PNGDec commit 8abf6be was discovered to contain a stack 
overflow via / ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/PNGdec
 CVE-2022-35007 (PNGDec commit 8abf6be was discovered to contain a heap buffer 
overflow ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/PNGdec
 CVE-2022-35006
RESERVED
 CVE-2022-35005
RESERVED
 CVE-2022-35004 (JPEGDEC commit be4843c was discovered to contain a FPE via 
TIFFSHORT a ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/JPEGDEC
 CVE-2022-35003 (JPEGDEC commit be4843c was discovered to contain a global 
buffer overf ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/JPEGDEC
 CVE-2022-35002 (JPEGDEC commit be4843c was discovered to contain a 
segmentation fault  ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/JPEGDEC
 CVE-2022-35001
RESERVED
 CVE-2022-35000 (JPEGDEC commit be4843c was discovered to contain a 
segmentation fault  ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/JPEGDEC
 CVE-2022-34999 (JPEGDEC commit be4843c was discovered to contain a FPE via 
DecodeJPEG  ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/JPEGDEC
 CVE-2022-34998 (JPEGDEC commit be4843c was discovered to contain a global 
buffer overf ...)
-   TODO: check
+   NOT-FOR-US: bitbank2/JPEGDEC
 CVE-2022-34997
RESERVED
 CVE-2022-34996



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a8e3a1511bd70d17015e218b114c6212a021388



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-18 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
10890ef4 by Neil Williams at 2022-08-18T10:28:10+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -201,6 +201,7 @@ CVE-2022-2839
RESERVED
 CVE-2022-2838 (In Eclipse Sphinx before version 0.13.1, Apache Xerces 
XML Pars ...)
TODO: check
+   NOTE: https://bugs.eclipse.org/580542 (private)
 CVE-2022-2837
RESERVED
- coredns  (bug #880676)
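Review bot: the added NOTE for CVE-2022-2838 references https://bugs.eclipse.org/580542 and marks it private while the `TODO: check` line stays in place; a private bug gives other triagers nothing to work from, so add a second NOTE summarising what is known from it (affected versions, or whether Eclipse Sphinx is packaged in Debian at all) so the TODO can be resolved by someone without access to the Eclipse bug.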
@@ -18616,7 +18617,7 @@ CVE-2022-31264 (Solana solana_rbpf before 0.2.29 has an 
addition integer overflo
 CVE-2022-31263 (app/models/user.rb in Mastodon before 3.5.0 allows a bypass of 
e-mail  ...)
- mastodon  (bug #859741)
 CVE-2022-31262 (An exploitable local privilege escalation vulnerability exists 
in GOG  ...)
-   TODO: check
+   NOT-FOR-US: GOG Galaxy
 CVE-2022-31261 (An XXE issue was discovered in Morpheus through 5.2.16 and 
5.4.x throu ...)
NOT-FOR-US: Morpheus
 CVE-2022-1809 (Access of Uninitialized Pointer in GitHub repository 
radareorg/radare2 ...)
@@ -20651,9 +20652,9 @@ CVE-2022-30578
 CVE-2022-30577
RESERVED
 CVE-2022-30576 (The Web Console component of TIBCO Software Inc.'s TIBCO Data 
Science  ...)
-   TODO: check
+   NOT-FOR-US: TIBCO
 CVE-2022-30575 (The Web Console component of TIBCO Software Inc.'s TIBCO Data 
Science  ...)
-   TODO: check
+   NOT-FOR-US: TIBCO
 CVE-2022-30574 (The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - 
Community ...)
NOT-FOR-US: TIBCO
 CVE-2022-30573 (The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - 
Community ...)
@@ -21639,7 +21640,7 @@ CVE-2022-30264 (The Emerson ROC and FloBoss RTU product 
lines through 2022-05-02
 CVE-2022-30263
RESERVED
 CVE-2022-30262 (The Emerson ControlWave 'Next Generation' RTUs through 
2022-05-02 mish ...)
-   TODO: check
+   NOT-FOR-US: Emerson
 CVE-2022-30261
RESERVED
 CVE-2022-30260
@@ -25986,9 +25987,9 @@ CVE-2022-28754 (Zoom On-Premise Meeting Connector MMR 
before version 4.8.129.202
 CVE-2022-28753 (Zoom On-Premise Meeting Connector MMR before version 
4.8.129.20220714  ...)
NOT-FOR-US: Zoom
 CVE-2022-28752 (Zoom Rooms for Conference Rooms for Windows versions before 
5.11.0 are ...)
-   TODO: check
+   NOT-FOR-US: Zoom
 CVE-2022-28751 (The Zoom Client for Meetings for MacOS (Standard and for IT 
Admin) bef ...)
-   TODO: check
+   NOT-FOR-US: Zoom
 CVE-2022-28750 (Zoom On-Premise Meeting Connector Zone Controller (ZC) before 
version  ...)
NOT-FOR-US: Zoom
 CVE-2022-28749 (Zooms On-Premise Meeting Connector MMR before version 
4.8.113.20220526 ...)
@@ -34617,7 +34618,7 @@ CVE-2022-25801 (Best Practical RT for Incident Response 
(RTIR) before 4.0.3 and
 CVE-2022-25800 (Best Practical RT for Incident Response (RTIR) before 4.0.3 
and 5.x be ...)
NOT-FOR-US: Best Practical RT for Incident Response
 CVE-2022-25799 (An open redirect vulnerability exists in CERT/CC VINCE 
software prior  ...)
-   TODO: check
+   NOT-FOR-US: CERT/CC VINCE
 CVE-2022-25798
RESERVED
 CVE-2022-25797 (A Memory Corruption Vulnerability in Autodesk TrueView 2022 
and 2021 m ...)
@@ -41600,9 +41601,9 @@ CVE-2022-23767
 CVE-2022-23766
RESERVED
 CVE-2022-23765 (This vulnerability occured by sending a malicious POST request 
to a sp ...)
-   TODO: check
+   NOT-FOR-US: ipTIME NAS product
 CVE-2022-23764 (The vulnerability causing from insufficient verification 
procedures fo ...)
-   TODO: check
+   NOT-FOR-US: WebCube for Windows
 CVE-2022-23763 (Origin validation error vulnerability in NeoRSs ActiveX 
moudle  ...)
NOT-FOR-US: NeoRS for Windows
 CVE-2022-23762
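Review bot: the new `NOT-FOR-US: ipTIME NAS product` and `NOT-FOR-US: WebCube for Windows` lines for CVE-2022-23765 and CVE-2022-23764 name products that do not appear in the truncated descriptions shown in the hunk ("sending a malicious POST request to a sp ..." and "insufficient verification procedures fo ..."), so the attribution must come from the full CVE text; a brief NOTE with the vendor advisory or the CVE's reference URL would let later readers confirm the mapping without re-reading the CVE.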
@@ -41636,7 +41637,7 @@ CVE-2022-23749
 CVE-2022-23748
RESERVED
 CVE-2022-23747 (In Sony Xperia series 1, 5, and Pro, an out of bound memory 
access can ...)
-   TODO: check
+   NOT-FOR-US: Sony
 CVE-2022-23746
RESERVED
 CVE-2022-23745 (A potential memory corruption issue was found in Capsule 
Workspace And ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10890ef4341b4ac7a4c1e57a15baad572bba1478



[Git][security-tracker-team/security-tracker][master] CVE-2022-2862/vim unfixed

2022-08-18 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52e7860a by Neil Williams at 2022-08-18T09:59:53+01:00
CVE-2022-2862/vim unfixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -85,7 +85,9 @@ CVE-2022-2864
 CVE-2022-2863
RESERVED
 CVE-2022-2862 (Use After Free in GitHub repository vim/vim prior to 9.0.0220. 
...)
-   TODO: check
+   - vim 
+   NOTE: https://huntr.dev/bounties/71180988-1ab6-4311-bca8-e9a879b06765
+   NOTE: 
https://github.com/vim/vim/commit/1889f499a4f248cd84e0e0bf6d0d820016774494 
(v9.0.0221)
 CVE-2022-2861
RESERVED
{DSA-5212-1}
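Review bot: the new package line for CVE-2022-2862 reads `- vim ` with no status token as rendered here, although the commit message says unfixed; the tracker's format is `- vim <unfixed>`, so check the token survived. The second NOTE identifying the upstream fix as commit 1889f499 released in v9.0.0221 is the right detail to keep: the entry can be moved to a fixed Debian version as soon as an upload based on 9.0.0221 or later lands, without re-deriving which patch closes the huntr report.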



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52e7860a22d649c9f8da5f5f54587cc44112c541



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-18 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5b30f6c by Neil Williams at 2022-08-18T09:45:12+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4180,7 +4180,7 @@ CVE-2022-35401
 CVE-2022-2548
RESERVED
 CVE-2022-2547 (A crafted HTTP packet without a content-type header can create 
a denia ...)
-   TODO: check
+   NOT-FOR-US: Softing Industrial Automation
 CVE-2022-36787
RESERVED
 CVE-2022-36786
@@ -7855,15 +7855,15 @@ CVE-2022-33150
 CVE-2022-2339 (With this SSRF vulnerability, an attacker can reach internal 
addresses ...)
NOT-FOR-US: nocodb
 CVE-2022-2338 (Softing Secure Integration Server V1.22 is vulnerable to 
authenticatio ...)
-   TODO: check
+   NOT-FOR-US: Softing Industrial Automation
 CVE-2022-2337 (A crafted HTTP packet with a missing HTTP URI can create a 
denial-of-s ...)
-   TODO: check
+   NOT-FOR-US: Softing Industrial Automation
 CVE-2022-2336 (Softing Secure Integration Server, edgeConnector, and 
edgeAggregator s ...)
-   TODO: check
+   NOT-FOR-US: Softing Industrial Automation
 CVE-2022-2335 (A crafted HTTP packet with a -1 content-length header can 
create a den ...)
-   TODO: check
+   NOT-FOR-US: Softing Industrial Automation
 CVE-2022-2334 (The application searches for a library dll that is not found. 
If an at ...)
-   TODO: check
+   NOT-FOR-US: Softing Industrial Automation
 CVE-2022-2333
RESERVED
 CVE-2022-2332
@@ -19541,7 +19541,7 @@ CVE-2022-1750 (The Sticky Popup plugin for WordPress is 
vulnerable to Stored Cro
 CVE-2022-1749 (The WPMK Ajax Finder WordPress plugin is vulnerable to 
Cross-Site Requ ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-1748 (Softing OPC UA C++ Server SDK, Secure Integration Server, 
edgeConnecto ...)
-   TODO: check
+   NOT-FOR-US: Softing Industrial Automation
 CVE-2022-1747 (The authentication mechanism used by voters to activate a 
voting sessi ...)
NOT-FOR-US: Dominion
 CVE-2022-1746 (The authentication mechanism used by poll workers to administer 
voting ...)
@@ -24537,7 +24537,7 @@ CVE-2022-1375 (Delta Electronics DIAEnergie (All 
versions prior to 1.8.02.004) h
 CVE-2022-1374 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) 
has a  ...)
NOT-FOR-US: Delta Electronics
 CVE-2022-1373 (The restore configuration feature of Softing 
Secure Inte ...)
-   TODO: check
+   NOT-FOR-US: Softing Industrial Automation
 CVE-2022-1372 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) 
has a  ...)
NOT-FOR-US: Delta Electronics
 CVE-2022-1371 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) 
has a  ...)
@@ -28820,7 +28820,7 @@ CVE-2022-1071 (User after free in mrb_vm_exec in GitHub 
repository mruby/mruby p
 CVE-2022-1070
RESERVED
 CVE-2022-1069 (A crafted HTTP packet with a large content-length header can 
create a  ...)
-   TODO: check
+   NOT-FOR-US: Softing Industrial Automation
 CVE-2022-1068 (Modbus Tools Modbus Slave (versions 7.4.2 and prior) is 
vulnerable to  ...)
NOT-FOR-US: Modbus Tools Modbus Slave
 CVE-2022-1067 (Navigating to a specific URL with a patient ID number will 
result in t ...)
@@ -93310,9 +93310,9 @@ CVE-2021-30073
 CVE-2021-30072 (An issue was discovered in prog.cgi on D-Link DIR-878 1.30B08 
devices. ...)
NOT-FOR-US: D-Link
 CVE-2021-30071 (A cross-site scripting (XSS) vulnerability in 
/admin/list_key.html of  ...)
-   TODO: check
+   NOT-FOR-US: Hestia Control Panel
 CVE-2021-30070 (An issue was discovered in HestiaCP before v1.3.5. Attackers 
are able  ...)
-   TODO: check
+   NOT-FOR-US: Hestia Control Panel
 CVE-2021-30069
RESERVED
 CVE-2021-30068
@@ -101846,7 +101846,7 @@ CVE-2021-26641
 CVE-2021-26640
RESERVED
 CVE-2021-26639 (This vulnerability is caused by the lack of validation of 
input values ...)
-   TODO: check
+   NOT-FOR-US: WISA Smart Wing CMS
 CVE-2021-26638 (Improper Authentication vulnerability in SD 
smarthome(smartcare)  ...)
NOT-FOR-US: SmartHome Android app
 CVE-2021-26637 (There is no account authentication and permission check logic 
in the f ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5b30f6ca04b0f20f473cc2511dc2c82a10b9393



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-18 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
202bf3e2 by Neil Williams at 2022-08-18T09:32:02+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23888,7 +23888,7 @@ CVE-2022-1412 (The Log WP_Mail WordPress plugin through 
0.1 saves sent email in
 CVE-2022-1411 (Unrestructed file upload in GitHub repository 
yetiforcecompany/yetifor ...)
NOT-FOR-US: yetiforcecrm
 CVE-2022-1410 (OS Command Injection vulnerability in the db_optimize component 
of Dev ...)
-   TODO: check
+   NOT-FOR-US: Device42 Asset Management Appliance
 CVE-2022-1409 (The VikBooking Hotel Booking Engine  PMS WordPress plugin 
before  ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-1408 (The VikBooking Hotel Booking Engine  PMS WordPress plugin 
before  ...)
@@ -23932,11 +23932,11 @@ CVE-2022-1403 (ASDA-Soft: Version 5.4.1.0 and prior 
does not properly sanitize i
 CVE-2022-1402 (ASDA-Soft: Version 5.4.1.0 and prior does not properly sanitize 
input  ...)
NOT-FOR-US: ASDA-Soft
 CVE-2022-1401 (Improper Access Control vulnerability in the 
/Exago/WrImageResource.ad ...)
-   TODO: check
+   NOT-FOR-US: Device42 Asset Management Appliance
 CVE-2022-1400 (Use of Hard-coded Cryptographic Key vulnerability in the 
WebReportsApi ...)
-   TODO: check
+   NOT-FOR-US: Device42 Asset Management Appliance
 CVE-2022-1399 (An Argument Injection or Modification vulnerability in the 
"Change Sec ...)
-   TODO: check
+   NOT-FOR-US: Device42 CMDB
 CVE-2022-1398 (The External Media without Import WordPress plugin through 
1.1.2 does  ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-1397 (API Privilege Escalation in GitHub repository 
alextselegidis/easyappoi ...)
@@ -49109,7 +49109,7 @@ CVE-2021-45456 (Apache kylin checks the legitimacy of 
the project before executi
 CVE-2021-45455
RESERVED
 CVE-2021-45454 (Ampere Altra before SRP 1.08b and Altra Max before SRP 
2.05 all ...)
-   TODO: check
+   NOT-FOR-US: Ampere Altra
 CVE-2021-45453
RESERVED
 CVE-2021-45452 (Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, 
and 4.0 b ...)
@@ -62710,7 +62710,7 @@ CVE-2021-42054 (ACCEL-PPP 1.12.0 has an out-of-bounds 
read in triton_context_sch
 CVE-2021-42053 (The Unicorn framework through 0.35.3 for Django allows XSS via 
compone ...)
NOT-FOR-US: Django Unicorn, different from src:unicorn
 CVE-2021-42052 (IPESA e-Flow 3.3.6 allows path traversal for reading any file 
within t ...)
-   TODO: check
+   NOT-FOR-US: IPESA e-Flow
 CVE-2021-42051 (An issue was discovered in AbanteCart before 1.3.2. Any 
low-privileged ...)
NOT-FOR-US: AbanteCart
 CVE-2021-42050 (An issue was discovered in AbanteCart before 1.3.2. It allows 
DOM Base ...)
@@ -92208,7 +92208,7 @@ CVE-2021-30492
 CVE-2021-30491
RESERVED
 CVE-2021-30490 (upsMonitor in ViewPower (aka ViewPowerHTML) 1.04-21012 through 
1.04-21 ...)
-   TODO: check
+   NOT-FOR-US: ViewPowerHTML
 CVE-2021-30489
RESERVED
 CVE-2021-30488



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/202bf3e273952161099a240077c514945d5645e3



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-16 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
da6a56e0 by Neil Williams at 2022-08-16T11:14:41+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -139,9 +139,9 @@ CVE-2022-2823
 CVE-2022-2822 (An attacker can freely brute force username and password and 
can takeo ...)
- octoprint  (bug #718591)
 CVE-2022-2821 (Missing Critical Step in Authentication in GitHub repository 
namelessm ...)
-   TODO: check
+   NOT-FOR-US: NamelessMC/Nameless
 CVE-2022-2820 (Improper Access Control in GitHub repository 
namelessmc/nameless prior ...)
-   TODO: check
+   NOT-FOR-US: NamelessMC/Nameless
 CVE-2022-2819 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0.0 ...)
- vim 
NOTE: https://huntr.dev/bounties/0a9bd71e-66b8-4eb1-9566-7dfd9b097e59
@@ -36809,13 +36809,13 @@ CVE-2022-24953 (The Crypt_GPG extension before 1.6.7 
for PHP does not prevent ad
[bullseye] - php-crypt-gpg 1.6.4-2+deb11u1
NOTE: 
https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04
 (v1.6.7)
 CVE-2022-24952 (Several denial of service vulnerabilities exist in Eternal 
Terminal pr ...)
-   TODO: check
+   - et  (bug #861635)
 CVE-2022-24951 (A race condition exists in Eternal Terminal prior to version 
6.2.0 whi ...)
-   TODO: check
+   - et  (bug #861635)
 CVE-2022-24950 (A race condition exists in Eternal Terminal prior to version 
6.2.0 tha ...)
-   TODO: check
+   - et  (bug #861635)
 CVE-2022-24949 (A privilege escalation to root exists in Eternal Terminal 
prior to ver ...)
-   TODO: check
+   - et  (bug #861635)
 CVE-2022-24948 (A carefully crafted user preferences for submission could 
trigger an X ...)
- jspwiki 
 CVE-2022-24947 (Apache JSPWiki user preferences form is vulnerable to CSRF 
attacks, wh ...)
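Review bot: the four new `- et  (bug #861635)` lines for CVE-2022-24949 through CVE-2022-24952 show a double space where the tracker's status token belongs, so the token appears to have been dropped in this rendering; if #861635 is the ITP for Eternal Terminal (et) the expected form is `- et <itp> (bug #861635)`, otherwise `- et <unfixed> (bug #861635)`. Also worth a NOTE per entry: two of the descriptions state "prior to version 6.2.0", so recording 6.2.0 as the first fixed upstream release tells whoever packages et which version to start from.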
@@ -37906,7 +37906,7 @@ CVE-2022-24656 (HexoEditor 1.1.8 is affected by Cross 
Site Scripting (XSS). By p
 CVE-2022-24655 (A stack overflow vulnerability exists in the upnpd service in 
Netgear  ...)
NOT-FOR-US: Netgear
 CVE-2022-24654 (Authenticated stored cross-site scripting (XSS) vulnerability 
in "Fiel ...)
-   TODO: check
+   NOT-FOR-US: Intelbras ATA 200
 CVE-2022-24653
RESERVED
 CVE-2022-24652 (sentcms 4.0.x allows remote attackers to cause arbitrary file 
uploads  ...)
@@ -140624,7 +140624,7 @@ CVE-2020-23624
 CVE-2020-23623
RESERVED
 CVE-2020-23622 (** UNSUPPORTED WHEN ASSIGNED ** An issue in the UPnP protocol 
in 4thli ...)
-   TODO: check
+   NOT-FOR-US: 4thline/cling
 CVE-2020-23621 (The Java Remote Management Interface of all versions of SVI MS 
Managem ...)
NOT-FOR-US: Squire Remote Management Interface
 CVE-2020-23620 (The Java Remote Management Interface of all versions of 
Orlansoft ERP  ...)
@@ -144906,9 +144906,9 @@ CVE-2020-21644
 CVE-2020-21643
RESERVED
 CVE-2020-21642 (Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in 
/zropuse ...)
-   TODO: check
+   NOT-FOR-US: ManageEngine Analytics Plus
 CVE-2020-21641 (Out-of-Band XML External Entity (OOB-XXE) vulnerability in 
Zoho Manage ...)
-   TODO: check
+   NOT-FOR-US: ManageEngine Analytics Plus
 CVE-2020-21640
RESERVED
 CVE-2020-21639 (Ruijie RG-UAC 6000-E50 commit 9071227 was discovered to 
contain a cros ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da6a56e06a488b68b0f5582d7859f7a83d38489c



[Git][security-tracker-team/security-tracker][master] CVE-2020-21365/wkhtmltopdf 0.12.6-1

2022-08-16 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b60603f3 by Neil Williams at 2022-08-16T11:01:26+01:00
CVE-2020-21365/wkhtmltopdf 0.12.6-1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -145559,7 +145559,9 @@ CVE-2020-21367
 CVE-2020-21366
RESERVED
 CVE-2020-21365 (Directory traversal vulnerability in wkhtmltopdf through 
0.12.5 allows ...)
-   TODO: check
+   - wkhtmltopdf 0.12.6-1
+   NOTE: 
https://github.com/wkhtmltopdf/wkhtmltopdf/commit/2a5f25077895fb075812c0f599326f079a59d6cf
 (0.12.6)
+   NOTE: https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536
 CVE-2020-21364
RESERVED
 CVE-2020-21363 (An arbitrary file deletion vulnerability exists within 
Maccms10. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b60603f37276511550e78a35d61914c1f974ace5



[Git][security-tracker-team/security-tracker][master] Process 2 NFUs

2022-08-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f11651e7 by Neil Williams at 2022-08-11T10:22:29+01:00
Process 2 NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,7 +15,7 @@ CVE-2022-38163
 CVE-2022-38162
RESERVED
 CVE-2022-38161 (The Gumstix Overo SBC on the VSKS board through 2022-08-09, as 
used on ...)
-   TODO: check
+   NOT-FOR-US: Gumstix Overo SBC
 CVE-2022-38160
RESERVED
 CVE-2022-38159
@@ -27,7 +27,7 @@ CVE-2022-38157
 CVE-2022-38156
RESERVED
 CVE-2022-38155 (TEE_Malloc in Samsung mTower through 0.3.0 allows a trusted 
applicatio ...)
-   TODO: check
+   NOT-FOR-US: Samsung mTower
 CVE-2022-38154
RESERVED
 CVE-2022-38153



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f11651e7270a4482941a5fe59a47cfbed5c333f1



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
98bf5cef by Neil Williams at 2022-08-11T10:13:40+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -53,9 +53,9 @@ CVE-2022-38132
 CVE-2022-38131
RESERVED
 CVE-2022-38130 (The 
com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip ...)
-   TODO: check
+   NOT-FOR-US: Keysight Sensor Management Server
 CVE-2022-38129 (A path traversal vulnerability exists in the 
com.keysight.tentacle.lic ...)
-   TODO: check
+   NOT-FOR-US: Keysight Sensor Management Server
 CVE-2022-38128
RESERVED
 CVE-2022-38127
@@ -6492,7 +6492,7 @@ CVE-2022-35511
 CVE-2022-35510
RESERVED
 CVE-2022-35509 (An issue was discovered in EyouCMS 1.5.8. There is a Storage 
XSS vulne ...)
-   TODO: check
+   NOT-FOR-US: Eyoucms
 CVE-2022-35508
RESERVED
 CVE-2022-35507
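Review bot: the new `NOT-FOR-US: Eyoucms` line for CVE-2022-35509 uses different casing from the CVE description, which writes the product as `EyouCMS`; matching the description's spelling keeps the NOT-FOR-US entries consistent and searchable.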
@@ -8552,7 +8552,7 @@ CVE-2022-34718
 CVE-2022-34717 (Microsoft Office Remote Code Execution Vulnerability. ...)
NOT-FOR-US: Microsoft
 CVE-2022-34716 (.NET Spoofing Vulnerability. ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2022-34715 (Windows Network File System Remote Code Execution 
Vulnerability. ...)
NOT-FOR-US: Microsoft
 CVE-2022-34714 (Windows Secure Socket Tunneling Protocol (SSTP) Remote Code 
Execution  ...)
@@ -8662,9 +8662,9 @@ CVE-2022-34663 (A vulnerability has been identified in 
RUGGEDCOM ROS M2100 (All
 CVE-2022-34662
RESERVED
 CVE-2022-34661 (A vulnerability has been identified in Teamcenter V12.4 (All 
versions  ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2022-34660 (A vulnerability has been identified in Teamcenter V12.4 (All 
versions  ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2022-2225 (By using warp-cli subcommands (disable-ethernet, disable-wifi), 
it was ...)
NOT-FOR-US: Cloudflare Warp
 CVE-2022-2224 (The WordPress plugin Gallery for Social Photo is vulnerable to 
Cross-S ...)
@@ -8723,7 +8723,7 @@ CVE-2017-20110 (A vulnerability, which was classified as 
problematic, has been f
 CVE-2017-20109 (A vulnerability classified as problematic was found in 
Teleopti WFM up ...)
NOT-FOR-US: Teleopti WFM
 CVE-2022-34659 (A vulnerability has been identified in Simcenter STAR-CCM+ 
(All versio ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2022-34647
RESERVED
 CVE-2022-34646



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98bf5cef2acc328ced0af2e3f92828eae25b684a



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6533052b by Neil Williams at 2022-08-11T10:04:49+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9497,7 +9497,7 @@ CVE-2022-34367 (Dell EMC Data Protection Central versions 
19.1, 19.2, 19.3, 19.4
 CVE-2022-34366
RESERVED
 CVE-2022-34365 (WMS 3.7 contains a Path Traversal Vulnerability in Device API. 
An atta ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2022-34364
RESERVED
 CVE-2022-34363
@@ -19805,9 +19805,9 @@ CVE-2022-30576
 CVE-2022-30575
RESERVED
 CVE-2022-30574 (The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - 
Community ...)
-   TODO: check
+   NOT-FOR-US: TIBCO
 CVE-2022-30573 (The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - 
Community ...)
-   TODO: check
+   NOT-FOR-US: TIBCO
 CVE-2022-30572 (The iWay Service Manager Console component of TIBCO Software 
Inc.'s TI ...)
NOT-FOR-US: TIBCO
 CVE-2022-30571 (The iWay Service Manager Console component of TIBCO Software 
Inc.'s TI ...)
@@ -33158,7 +33158,7 @@ CVE-2022-25975
 CVE-2022-25974
RESERVED
 CVE-2022-25973 (All versions of package mc-kill-port are vulnerable to 
Arbitrary Comma ...)
-   TODO: check
+   NOT-FOR-US: Node mc-kill-port
 CVE-2022-25971
RESERVED
 CVE-2022-25970
@@ -33763,7 +33763,7 @@ CVE-2022-25795 (A maliciously crafted PDF file can be 
used to dereference for a
 CVE-2022-25794 (An Out-Of-Bounds Read Vulnerability in Autodesk FBX Review 
version 1.5 ...)
NOT-FOR-US: Autodesk
 CVE-2022-25793 (A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds 
Max 2022,  ...)
-   TODO: check
+   NOT-FOR-US: Autodesk
 CVE-2022-25792 (A maliciously crafted DXF file in Autodesk AutoCAD 2022, 2021, 
2020, 2 ...)
NOT-FOR-US: Autodesk
 CVE-2022-25791 (A Memory Corruption vulnerability for DWF and DWFX files in 
Autodesk A ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6533052b0bfe50ff253fdf879d3cd621b2f9c7c7



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
29010636 by Neil Williams at 2022-08-11T09:50:59+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -111,7 +111,7 @@ CVE-2022-2758
 CVE-2022-2757
RESERVED
 CVE-2022-2756 (Server-Side Request Forgery (SSRF) in GitHub repository 
kareadita/kavi ...)
-   TODO: check
+   NOT-FOR-US: Kareadita/Kavita
 CVE-2022-2755
RESERVED
 CVE-2022-2754
@@ -8437,7 +8437,7 @@ CVE-2022-2244 (An improper authorization vulnerability in 
GitLab EE/CE affecting
 CVE-2022-2243 (An access control vulnerability in GitLab EE/CE affecting all 
versions ...)
- gitlab 
 CVE-2022-2242 (The KUKA SystemSoftware V/KSS in versions prior to 8.6.5 is 
prone to i ...)
-   TODO: check
+   NOT-FOR-US: Kuka
 CVE-2022-2241 (The Featured Image from URL (FIFU) WordPress plugin before 
4.0.0 does  ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-2240 (The Request a Quote WordPress plugin through 2.3.7 does not 
validate u ...)
@@ -42457,7 +42457,7 @@ CVE-2022-0229 (The miniOrange's Google Authenticator 
WordPress plugin before 5.5
 CVE-2022-0228 (The Popup Builder WordPress plugin before 4.0.7 does not 
validate and  ...)
NOT-FOR-US: WordPress plugin
 CVE-2021-46304 (A vulnerability has been identified in CP-8000 MASTER MODULE 
WITH I/O  ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2022-23222 (kernel/bpf/verifier.c in the Linux kernel through 5.15.14 
allows local ...)
{DSA-5050-1}
- linux 5.15.15-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29010636662b64f9fde392f504f00dba0d03b318



[Git][security-tracker-team/security-tracker][master] CVE-2022-31031/asterisk & ring - both pkgs provide STUN support via PJSIP

2022-08-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3567264e by Neil Williams at 2022-08-11T09:34:41+01:00
CVE-2022-31031/asterisk & ring - both pkgs provide STUN support via PJSIP

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18372,10 +18372,11 @@ CVE-2022-31033 (The Mechanize library is used for 
automating interaction with we
 CVE-2022-31032 (Tuleap is a Free  Open Source Suite to improve management 
of soft ...)
NOT-FOR-US: Tuleap
 CVE-2022-31031 (PJSIP is a free and open source multimedia communication 
library writt ...)
+   - asterisk  (bug #1017004)
- pjproject 
+   - ring  (bug #1017005)
NOTE: 
https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj
NOTE: 
https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202
-   TODO: check impact for src:asterisk and src:ring and update entry
 CVE-2022-31030 (containerd is an open source container runtime. A bug was 
found in the ...)
{DSA-5162-1}
- containerd 1.6.6~ds1-1
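Review bot: dropping the `TODO: check impact for src:asterisk and src:ring and update entry` line removes the only place the entry explained why asterisk and ring are listed at all; the rationale lives in the commit message ("both pkgs provide STUN support via PJSIP") but not in the entry itself. Add a NOTE line next to the two new package lines, for example `NOTE: asterisk and ring embed pjproject and build its STUN code`, so the next person touching CVE-2022-31031 does not have to rediscover it. Also, in the mail rendering the two new lines read `- asterisk  (bug #1017004)` and `- ring  (bug #1017005)` with an empty status field between the package and the bug number, the same way the untouched `- pjproject ` context line appears; that looks like angle brackets being stripped by the mail, so just confirm the committed file carries the `<unfixed>` marker on both lines.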



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3567264ee4da511d6af3b3811fd76e1b9ca4e900



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
de018a28 by Neil Williams at 2022-08-11T09:01:47+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -59763,35 +59763,35 @@ CVE-2022-20363
 CVE-2022-20362
RESERVED
 CVE-2022-20361 (In btif_dm_auth_cmpl_evt of btif_dm.cc, there is a possible 
vulnerabil ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20360 (In setChecked of SecureNfcPreferenceController.java, there is 
a missin ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20359 (In various methods of NotificationManagerService.java, there 
is a poss ...)
-   TODO: check
+   TODO: check - not listed in linked bulletin
 CVE-2022-20358 (In startSync of AbstractThreadedSyncAdapter.java, there is a 
possible  ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20357 (In writeToParcel of SurfaceControl.cpp, there is a possible 
informatio ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20356 (In shouldAllowFgsWhileInUsePermissionLocked of 
ActiveServices.java, th ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20355 (In get of PacProxyService.java, there is a possible system 
service cra ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20354 (In onDefaultNetworkChanged of Vpn.java, there is a possible 
way to dis ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20353 (In onSaveRingtone of DefaultRingtonePreference.java, there is 
a possib ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20352 (In addProviderRequestListener of LocationManagerService.java, 
there is ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20351
RESERVED
 CVE-2022-20350 (In onCreate of NotificationAccessConfirmationActivity.java, 
there is a ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20349 (In WifiScanningPreferenceController and 
BluetoothScanningPreferenceCon ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20348 (In updateState of 
LocationServicesWifiScanningPreferenceController.jav ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20347 (In onAttach of ConnectedDeviceDashboardFragment.java, there is 
a possi ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20346 (In updateAudioTrackInfoFromESDS_MPEG4Audio of 
MPEG4Extractor.cpp, ther ...)
NOT-FOR-US: Android
 CVE-2022-20345 (In l2cble_process_sig_cmd of l2c_ble.cc, there is a possible 
out of bo ...)
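Review bot: CVE-2022-20359 is the one entry in this batch left open, with the reason `not listed in linked bulletin`, but nothing in the entry records which bulletin was consulted (there is no NOTE line with a URL here, unlike the pjproject entries elsewhere in this series). Either add a `NOTE:` line with the bulletin URL that was checked or name the bulletin month in the TODO text; otherwise the next triager has to repeat the lookup, and the description (NotificationManagerService.java) sits in the same Android framework code as the neighbours that were closed as `NOT-FOR-US: Android`, so it will look like an oversight rather than a deliberate hold.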



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de018a28454d2b8ae8328444b81cca095bc77494



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c7fcae9e by Neil Williams at 2022-08-11T08:39:50+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1739,7 +1739,7 @@ CVE-2022-2635
 CVE-2022-37393
RESERVED
 CVE-2022-2634 (An attacker may be able to execute malicious actions due to the 
lack o ...)
-   TODO: check
+   NOT-FOR-US: Digi ConnectPort X2D
 CVE-2022-37392
RESERVED
 CVE-2022-37391
@@ -59793,11 +59793,11 @@ CVE-2022-20348 (In updateState of 
LocationServicesWifiScanningPreferenceControll
 CVE-2022-20347 (In onAttach of ConnectedDeviceDashboardFragment.java, there is 
a possi ...)
TODO: check
 CVE-2022-20346 (In updateAudioTrackInfoFromESDS_MPEG4Audio of 
MPEG4Extractor.cpp, ther ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20345 (In l2cble_process_sig_cmd of l2c_ble.cc, there is a possible 
out of bo ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20344 (In stealReceiveChannel of EventThread.cpp, there is a possible 
way to  ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-20343
RESERVED
 CVE-2022-20342
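Review bot: the context line for CVE-2022-20347 still reads `TODO: check` while the three entries directly below it, with the same Android component-style descriptions (MPEG4Extractor.cpp, l2c_ble.cc, EventThread.cpp), are closed as `NOT-FOR-US: Android` in this hunk; ConnectedDeviceDashboardFragment.java is Android Settings code of the same kind, so either fold it into this batch or leave a short reason on the TODO line for why it was skipped.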
@@ -60007,7 +60007,7 @@ CVE-2022-20241
 CVE-2022-20240
RESERVED
 CVE-2022-20239 ('remap_pfn_range' here may map out of size kernel memory (for 
example, ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2022-20238 ('remap_pfn_range' here may map out of size kernel memory (for 
example, ...)
NOT-FOR-US: Unisoc
 CVE-2022-20237
@@ -66872,7 +66872,7 @@ CVE-2021-40042 (There is a release of invalid pointer 
vulnerability in some Huaw
 CVE-2021-40041 (There is a Cross-Site Scripting(XSS) vulnerability in HUAWEI 
WS318n pr ...)
NOT-FOR-US: Huawei
 CVE-2021-40040 (Vulnerability of writing data to an arbitrary address in the 
HW_KEYMAS ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2021-40039 (There is a Null pointer dereference vulnerability in the 
camera module ...)
NOT-FOR-US: Huawei
 CVE-2021-40038 (There is a Double free vulnerability in the AOD module in 
smartphones. ...)
@@ -66884,7 +66884,7 @@ CVE-2021-40036 (The bone voice ID TA has a memory 
overwrite vulnerability. Succe
 CVE-2021-40035 (There is a Buffer overflow vulnerability due to a boundary 
error with  ...)
NOT-FOR-US: Huawei
 CVE-2021-40034 (The video framework has the memory overwriting vulnerability 
caused by ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2021-40033 (There is an information exposure vulnerability on several 
Huawei Produ ...)
NOT-FOR-US: Huawei
 CVE-2021-40032 (The bone voice ID TA has a vulnerability in information 
management,Suc ...)
@@ -66892,7 +66892,7 @@ CVE-2021-40032 (The bone voice ID TA has a 
vulnerability in information manageme
 CVE-2021-40031 (There is a Null pointer dereference vulnerability in the 
camera module ...)
NOT-FOR-US: Huawei
 CVE-2021-40030 (The My HUAWEI app has a defect in the design. Successful 
exploitation  ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2021-40029 (There is a Buffer overflow vulnerability due to a boundary 
error with  ...)
NOT-FOR-US: Huawei
 CVE-2021-40028 (The eID module has an out-of-bounds memory write 
vulnerability,Success ...)
@@ -67628,7 +67628,7 @@ CVE-2021-39698 (In aio_poll_complete_work of aio.c, 
there is a possible memory c
 CVE-2021-39697 (In checkFileUriDestination of DownloadProvider.java, there is 
a possib ...)
NOT-FOR-US: Android
 CVE-2021-39696 (In Task.java, there is a possible escalation of privilege due 
to a con ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2021-39695 (In createOrUpdate of BasePermission.java, there is a possible 
permissi ...)
NOT-FOR-US: Android
 CVE-2021-39694 (In parse of RoleParser.java, there is a possible way for 
default apps  ...)
@@ -82595,13 +82595,13 @@ CVE-2021-33648 (When performing the inference shape 
operation of Affine, Concat,
 CVE-2021-33647 (When performing the inference shape operation of the Tile 
operator, if ...)
NOT-FOR-US: Mindspore deep learning
 CVE-2021-33646 (The th_read() function doesnt free a variable 
t-th_buf.gnu_ ...)
-   TODO: check
+   NOT-FOR-US: Huawei OpenEuler OS
 CVE-2021-33645 (The th_read() function doesnt free a variable 
t-th_buf.gnu_ ...)
-   TODO: check
+   NOT-FOR-US: Huawei OpenEuler OS
 CVE-2021-33644 (An attacker who submits a crafted tar file with size in header 
struct  ...)
-   TODO: check
+   NOT-FOR-US: Huawei OpenEuler OS
 CVE-2021-33643 (An attacker who submits a crafted tar file with size in header 
struct  ...)
-   TODO: check
+   NOT-FOR-US: Huawei OpenEuler OS
 CVE-2021-33642
RESERVED
 CVE-2021-33641
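Review bot: closing CVE-2021-33643 through CVE-2021-33646 as `NOT-FOR-US: Huawei OpenEuler OS` should be double-checked against src:libtar before it lands. The descriptions name `th_read()` and the `t->th_buf.gnu_...` field, which are libtar's tar-header reading API, and "a crafted tar file with size in header struct" is a bug in that library code rather than in anything openEuler-specific; openEuler appears here as the reporting distribution. Debian ships libtar, so if the affected functions are the same upstream code the four entries need `- libtar <unfixed>` lines (with a bug reference) instead of an NFU tag, and a NOTE pointing at the upstream fix once one exists.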



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7fcae9e0822e0d01e9cc18f32eb926c2ad53ec6

[Git][security-tracker-team/security-tracker][master] Update information for salmon in stretch

2022-08-09 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69608770 by Neil Williams at 2022-08-09T09:58:25+01:00
Update information for salmon in stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -139020,6 +139020,7 @@ CVE-2020-23915 (An issue was discovered in cpp-peglib 
through v0.1.12. peg::reso
- retroarch  (peglib.h is not compiled in Debian builds)
- salmon 1.4.0+ds1-1
[buster] - salmon  (Vulnerable code not present)
+   [stretch] - salmon  (Vulnerable code not present)
NOTE: Crash in CLI tool, no security impact
NOTE: 
https://github.com/yhirose/cpp-peglib/commit/b3b29ce8f3acf3a32733d930105a17d7b0ba347e
NOTE: https://github.com/yhirose/cpp-peglib/issues/122
@@ -139027,6 +139028,7 @@ CVE-2020-23914 (An issue was discovered in cpp-peglib 
through v0.1.12. A NULL po
- retroarch  (peglib.h is not compiled in Debian builds)
- salmon 1.4.0+ds1-1
[buster] - salmon  (Vulnerable code not present)
+   [stretch] - salmon  (Vulnerable code not present)
NOTE: Crash in CLI tool, no security impact
NOTE: 
https://github.com/yhirose/cpp-peglib/commit/0061f393de54cf0326621c079dc2988336d1ebb3
NOTE: https://github.com/yhirose/cpp-peglib/issues/121



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69608770d7ef55a4bcc23426735e2fb6d3cd271d



[Git][security-tracker-team/security-tracker][master] Update version information for salmon

2022-08-09 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7fc98e7a by Neil Williams at 2022-08-09T09:51:25+01:00
Update version information for salmon

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -139018,13 +139018,15 @@ CVE-2020-23916
RESERVED
 CVE-2020-23915 (An issue was discovered in cpp-peglib through v0.1.12. 
peg::resolve_es ...)
- retroarch  (peglib.h is not compiled in Debian builds)
-   - salmon 1.6.0+ds1-1
+   - salmon 1.4.0+ds1-1
+   [buster] - salmon  (Vulnerable code not present)
NOTE: Crash in CLI tool, no security impact
NOTE: 
https://github.com/yhirose/cpp-peglib/commit/b3b29ce8f3acf3a32733d930105a17d7b0ba347e
NOTE: https://github.com/yhirose/cpp-peglib/issues/122
 CVE-2020-23914 (An issue was discovered in cpp-peglib through v0.1.12. A NULL 
pointer  ...)
- retroarch  (peglib.h is not compiled in Debian builds)
-   - salmon 1.6.0+ds1-1
+   - salmon 1.4.0+ds1-1
+   [buster] - salmon  (Vulnerable code not present)
NOTE: Crash in CLI tool, no security impact
NOTE: 
https://github.com/yhirose/cpp-peglib/commit/0061f393de54cf0326621c079dc2988336d1ebb3
NOTE: https://github.com/yhirose/cpp-peglib/issues/121
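Review bot: the fixed version for salmon is lowered from 1.6.0+ds1-1 to 1.4.0+ds1-1 on both entries, and `[buster] - salmon <not-affected> (Vulnerable code not present)` is added, but no NOTE says what established that 1.4.0+ds1-1 is the first unaffected upload (which bundled cpp-peglib version it carries, or which upstream change removed the code). Add a NOTE line naming the bundled cpp-peglib version or the salmon upload that dropped it so the version claim can be re-verified later; version-only edits without a recorded reason are the ones that tend to get reverted by the next person who looks at the entry.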



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fc98e7a430d1606495666caf93c61efd341a3f4



[Git][security-tracker-team/security-tracker][master] Process 2 NFUs

2022-08-09 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5a7c85ff by Neil Williams at 2022-08-09T09:38:34+01:00
Process 2 NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -413,7 +413,7 @@ CVE-2022-2715
 CVE-2022-2714
RESERVED
 CVE-2022-2713 (Insufficient Session Expiration in GitHub repository 
cockpit-hq/cockpi ...)
-   TODO: check
+   NOT-FOR-US: Cockpit-HQ/Cockpit
 CVE-2022-2712
RESERVED
 CVE-2022-2711
@@ -32928,7 +32928,7 @@ CVE-2022-25910
 CVE-2022-25908
RESERVED
 CVE-2022-25907 (The package ts-deepmerge before 2.0.2 are vulnerable to 
Prototype Poll ...)
-   TODO: check
+   NOT-FOR-US: voodoocreation/ts-deepmerge
 CVE-2022-25906
RESERVED
 CVE-2022-25904



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a7c85ffed97cd6df18aa16eeb83dd0197609bc2



[Git][security-tracker-team/security-tracker][master] CVE-2020-23914/5 salmon fixed in sid, retroarch unaffected in Debian

2022-08-09 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9e0bd5e1 by Neil Williams at 2022-08-09T09:02:45+01:00
CVE-2020-23914/5 salmon fixed in sid, retroarch unaffected in Debian

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -138646,11 +138646,15 @@ CVE-2020-23917
 CVE-2020-23916
RESERVED
 CVE-2020-23915 (An issue was discovered in cpp-peglib through v0.1.12. 
peg::resolve_es ...)
-   TODO: retroarch and salmon embed peglib, check if it's actually a 
security issue
+   - retroarch  (peglib.h is not compiled in Debian builds)
+   - salmon 1.6.0+ds1-1
+   NOTE: Crash in CLI tool, no security impact
NOTE: 
https://github.com/yhirose/cpp-peglib/commit/b3b29ce8f3acf3a32733d930105a17d7b0ba347e
NOTE: https://github.com/yhirose/cpp-peglib/issues/122
 CVE-2020-23914 (An issue was discovered in cpp-peglib through v0.1.12. A NULL 
pointer  ...)
-   TODO: retroarch and salmon embed peglib, check if it's actually a 
security issue
+   - retroarch  (peglib.h is not compiled in Debian builds)
+   - salmon 1.6.0+ds1-1
+   NOTE: Crash in CLI tool, no security impact
NOTE: 
https://github.com/yhirose/cpp-peglib/commit/0061f393de54cf0326621c079dc2988336d1ebb3
NOTE: https://github.com/yhirose/cpp-peglib/issues/121
 CVE-2020-23913
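Review bot: the removed TODO asked whether CVE-2020-23914/5 are actually security issues, and the new `NOTE: Crash in CLI tool, no security impact` answers that they are not, yet the salmon line still records a plain fixed version without the tracker's severity marker. If the conclusion is no security impact, tag the salmon line `(unimportant)` so the entries do not show up as outstanding issues for the stable suites; the NOTE then serves as the justification. The retroarch line's `(peglib.h is not compiled in Debian builds)` reason is the right shape for a not-affected entry and can stay as is.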



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e0bd5e137df7b0d12e40aed59d377c5094967fd



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c345ecb2 by Neil Williams at 2022-08-05T10:53:35+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29,7 +29,7 @@ CVE-2022-37418
 CVE-2022-37417
RESERVED
 CVE-2022-37416 (Ittiam libmpeg2 before 2022-07-27 uses memcpy with overlapping 
memory  ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2022-37415 (The Uniwill SparkIO.sys driver 1.0 is vulnerable to a 
stack-based buff ...)
NOT-FOR-US: Uniwill SparkIO.sys driver
 CVE-2022-37414
@@ -14385,7 +14385,7 @@ CVE-2022-1927 (Buffer Over-read in GitHub repository 
vim/vim prior to 8.2. ...)
 CVE-2022-1926 (Integer Overflow or Wraparound in GitHub repository 
polonel/trudesk pr ...)
NOT-FOR-US: Trudesk
 CVE-2022-31793 (do_request in request.c in muhttpd before 1.1.7 allows remote 
attacker ...)
-   TODO: check
+   NOT-FOR-US: Arris
 CVE-2022-31792
RESERVED
 CVE-2022-31791
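Review bot: for CVE-2022-31793 the NFU tag reads `Arris`, but the description identifies the affected software as `do_request in request.c in muhttpd before 1.1.7`; the vendor is only the context in which it was found. Since the NFU tag is what later searches of data/CVE/list match, name the software and keep the vendor as a qualifier, e.g. `NOT-FOR-US: muhttpd (Arris)`, so a future report against muhttpd in any other product is matched to this entry.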



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c345ecb2a206d19c8c8f4f5121044e9e5871e176



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
83a81e98 by Neil Williams at 2022-08-05T10:29:24+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3756,9 +3756,9 @@ CVE-2022-35932
 CVE-2022-35931
RESERVED
 CVE-2022-35930 (PolicyController is a utility used to enforce supply chain 
policy in K ...)
-   TODO: check
+   NOT-FOR-US: sigstore/policy-controller
 CVE-2022-35929 (cosign is a container signing and verification utility. In 
versions pr ...)
-   TODO: check
+   NOT-FOR-US: Cosign
 CVE-2022-35928 (AES Crypt is a file encryption software for multiple 
platforms. AES Cr ...)
NOT-FOR-US: AES Crypt
 CVE-2022-35927 (Contiki-NG is an open-source, cross-platform operating system 
for IoT  ...)
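Review bot: the two sibling sigstore entries get NFU tags in different styles, `sigstore/policy-controller` for CVE-2022-35930 and `Cosign` for CVE-2022-35929; pick one form for the pair (the org/repo form, `sigstore/cosign`, matches the first and is unambiguous) so both show up in the same search.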
@@ -3995,7 +3995,7 @@ CVE-2022-35860
 CVE-2022-35859
RESERVED
 CVE-2022-35858 (The TEE_PopulateTransientObject and __utee_from_attr functions 
in Sams ...)
-   TODO: check
+   NOT-FOR-US: Samsung mTower
 CVE-2022-35857 (kvf-admin through 2022-02-12 allows remote attackers to 
execute arbitr ...)
NOT-FOR-US: kvf-admin
 CVE-2022-35856
@@ -5976,7 +5976,7 @@ CVE-2022-34994
 CVE-2022-34993 (Totolink A3600R_Firmware V4.1.2cu.5182_B20201102 contains a 
hard code  ...)
NOT-FOR-US: Totolink
 CVE-2022-34992 (Luadec v0.9.9 was discovered to contain a heap-buffer overflow 
via the ...)
-   TODO: check
+   NOT-FOR-US: viruscamp/luadec
 CVE-2022-34991 (Paymoney v3.3 was discovered to contain multiple reflected 
cross-site  ...)
NOT-FOR-US: Paymoney
 CVE-2022-34990
@@ -6020,7 +6020,7 @@ CVE-2022-34972 (So Filter Shop v3.x was discovered to 
contain multiple blind SQL
 CVE-2022-34971 (An arbitrary file upload vulnerability in the Advertising 
Management m ...)
NOT-FOR-US: Feehi CMS
 CVE-2022-34970 (Crow before v1.0+4 was discovered to contain a buffer overflow 
via the ...)
-   TODO: check
+   NOT-FOR-US: CrowCpp
 CVE-2022-34969 (PingCAP TiDB v6.1.0 was discovered to contain a NULL pointer 
dereferen ...)
NOT-FOR-US: pingcap/tidb
 CVE-2022-34968 (An issue in the fetch_step function in Percona Server for 
MySQL v8.0.2 ...)
@@ -16264,7 +16264,7 @@ CVE-2022-31177 (Flask-AppBuilder is an application 
development framework built o
 CVE-2022-31176
RESERVED
 CVE-2022-31175 (CKEditor 5 is a JavaScript rich text editor. A cross-site 
scripting vu ...)
-   TODO: check
+   NOT-FOR-US: ckeditor5-{markdown-gfm,html-support,html-embed} CKEditor 5 
packages
 CVE-2022-31174
RESERVED
 CVE-2022-31173 (Juniper is a GraphQL server library for Rust. Affected 
versions of Jun ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83a81e989f1269384e7781d719eb53f5210169eb



[Git][security-tracker-team/security-tracker][master] Process 2 NFUs

2022-08-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
45176ee7 by Neil Williams at 2022-08-05T10:05:19+01:00
Process 2 NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3762,9 +3762,9 @@ CVE-2022-35929 (cosign is a container signing and 
verification utility. In versi
 CVE-2022-35928 (AES Crypt is a file encryption software for multiple 
platforms. AES Cr ...)
NOT-FOR-US: AES Crypt
 CVE-2022-35927 (Contiki-NG is an open-source, cross-platform operating system 
for IoT  ...)
-   TODO: check
+   NOT-FOR-US: Contiki-NG
 CVE-2022-35926 (Contiki-NG is an open-source, cross-platform operating system 
for IoT  ...)
-   TODO: check
+   NOT-FOR-US: Contiki-NG
 CVE-2022-35925 (BookWyrm is a social network for tracking reading. Versions 
prior to 0 ...)
NOT-FOR-US: BookWyrm
 CVE-2022-35924 (NextAuth.js is a complete open source authentication solution 
for Next ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45176ee729cd9fad68faa067cba8b9e135fdec3a



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a509869d by Neil Williams at 2022-08-05T10:02:46+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -119,7 +119,7 @@ CVE-2022-2655
 CVE-2022-2654
RESERVED
 CVE-2022-2653 (With this vulnerability an attacker can read many sensitive 
files like ...)
-   TODO: check
+   NOT-FOR-US: plankanban/planka
 CVE-2022-2652 (Depending on the way the format strings in the card label are 
crafted  ...)
- v4l2loopback  (bug #1016685)
NOTE: https://huntr.dev/bounties/1b055da5-7a9e-4409-99d7-030280d242d5
@@ -5672,11 +5672,11 @@ CVE-2022-35146
 CVE-2022-35145
RESERVED
 CVE-2022-35144 (Renato v0.17.0 was discovered to contain a cross-site 
scripting (XSS)  ...)
-   TODO: check
+   NOT-FOR-US: gilbitron/Renato
 CVE-2022-35143 (Renato v0.17.0 employs weak password complexity requirements, 
allowing ...)
-   TODO: check
+   NOT-FOR-US: gilbitron/Renato
 CVE-2022-35142 (An issue in Renato v0.17.0 allows attackers to cause a Denial 
of Servi ...)
-   TODO: check
+   NOT-FOR-US: gilbitron/Renato
 CVE-2022-35141
RESERVED
 CVE-2022-35140
@@ -31853,7 +31853,7 @@ CVE-2022-21189 (The package dexie before 3.2.2, from 
4.0.0-alpha.1 and before 4.
 CVE-2022-21187 (The package libvcs before 0.11.1 are vulnerable to Command 
Injection v ...)
NOT-FOR-US: libvcs
 CVE-2022-21186 (The package @acrontum/filesystem-template before 0.0.2 are 
vulnerable  ...)
-   TODO: check
+   NOT-FOR-US: acrontum/filesystem-template
 CVE-2022-21169
RESERVED
 CVE-2022-21167 (All versions of package masuit.tools.core are vulnerable to 
Arbitrary  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a509869d57ee09117cb51f9853c08cc6b491d048



[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-2652/v4l2loopback already fixed in sid

2022-08-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d9f9912 by Neil Williams at 2022-08-05T09:34:05+01:00
CVE-2022-2652/v4l2loopback already fixed in sid

- - - - -
6ad6fb6d by Neil Williams at 2022-08-05T09:48:05+01:00
CVE-2022-2652 v4l2loopback unfixed in 0.12.7-1 bug 1016685

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -121,7 +121,9 @@ CVE-2022-2654
 CVE-2022-2653 (With this vulnerability an attacker can read many sensitive 
files like ...)
TODO: check
 CVE-2022-2652 (Depending on the way the format strings in the card label are 
crafted  ...)
-   TODO: check
+   - v4l2loopback  (bug #1016685)
+   NOTE: https://huntr.dev/bounties/1b055da5-7a9e-4409-99d7-030280d242d5
+   NOTE: 
https://github.com/umlaeute/v4l2loopback/commit/e4cd225557486c420f6a34411f98c575effd43dd
 CVE-2022-2651 (Authentication Bypass by Primary Weakness in GitHub repository 
bookwyr ...)
NOT-FOR-US: BookWyrm
 CVE-2022-2650
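Review bot: the combined hunk for CVE-2022-2652 adds bug #1016685, the huntr report and the upstream fix commit, but the two commit messages contradict each other ("already fixed in sid" then "unfixed in 0.12.7-1") and the entry does not record how that was resolved. Add a NOTE stating that 0.12.7-1 predates upstream commit e4cd225 (or name the first upstream release that contains it) so the eventual fixed-version line can be checked against it and the same back-and-forth is not repeated.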



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/524fe19f5aeb939c32bb175749964be2666e8797...6ad6fb6d8675926da7861d0120b5462c312b16ce



[Git][security-tracker-team/security-tracker][master] Process 2 NFUs

2022-08-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
524fe19f by Neil Williams at 2022-08-05T09:26:41+01:00
Process 2 NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -131,7 +131,7 @@ CVE-2022-2649
 CVE-2022-2648 (A vulnerability was found in SourceCodester Multi Language 
Hotel Manag ...)
NOT-FOR-US: SourceCodester Multi Language Hotel Management Software
 CVE-2022-2647 (A vulnerability was found in jeecg-boot. It has been declared 
as criti ...)
-   TODO: check
+   NOT-FOR-US: Jeecg-boot
 CVE-2022-37397
RESERVED
 CVE-2022-37345
@@ -83263,7 +83263,7 @@ CVE-2021-32773 (Racket is a general-purpose programming 
language and an ecosyste
 CVE-2021-32772 (Poddycast is a podcast app made with Electron. Prior to 
version 0.8.1, ...)
NOT-FOR-US: Poddycast
 CVE-2021-32771 (Contiki-NG is an open-source, cross-platform operating system 
for IoT  ...)
-   TODO: check
+   NOT-FOR-US: Contiki-NG
 CVE-2021-32770 (Gatsby is a framework for building websites. The 
gatsby-source-wordpre ...)
NOT-FOR-US: Gatsby
 CVE-2021-32769 (Micronaut is a JVM-based, full stack Java framework designed 
for build ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/524fe19f5aeb939c32bb175749964be2666e8797



[Git][security-tracker-team/security-tracker][master] Process 3 NFUs

2022-08-03 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3989d365 by Neil Williams at 2022-08-03T15:00:19+01:00
Process 3 NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3570,9 +3570,9 @@ CVE-2022-35926
 CVE-2022-35925 (BookWyrm is a social network for tracking reading. Versions 
prior to 0 ...)
NOT-FOR-US: BookWyrm
 CVE-2022-35924 (NextAuth.js is a complete open source authentication solution 
for Next ...)
-   TODO: check
+   NOT-FOR-US: Node NextAuth.js
 CVE-2022-35923 (v8n is a javascript validation library. Versions of v8n prior 
to 1.5.1 ...)
-   TODO: check
+   NOT-FOR-US: Node v8n
 CVE-2022-35922 (Rust-WebSocket is a WebSocket (RFC6455) library written in 
Rust. In ve ...)
NOT-FOR-US: Rust crate websocket
 CVE-2022-35921 (fof/byobu is a private discussions extension for Flarum forum. 
Affecte ...)
@@ -5820,7 +5820,7 @@ CVE-2022-34971 (An arbitrary file upload vulnerability in 
the Advertising Manage
 CVE-2022-34970
RESERVED
 CVE-2022-34969 (PingCAP TiDB v6.1.0 was discovered to contain a NULL pointer 
dereferen ...)
-   TODO: check
+   NOT-FOR-US: pingcap/tidb
 CVE-2022-34968 (An issue in the fetch_step function in Percona Server for 
MySQL v8.0.2 ...)
NOT-FOR-US: Percona Server for MySQL v8
 CVE-2022-34967 (The assertion `stmt-Dbc-FirstStmt' failed in MonetDB 
Database  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3989d365b39b17b2bab7386fa943b843df3cf36e



[Git][security-tracker-team/security-tracker][master] Process 2 NFUs

2022-08-03 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e199a6b2 by Neil Williams at 2022-08-03T12:01:02+01:00
Process 2 NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5822,9 +5822,9 @@ CVE-2022-34970
 CVE-2022-34969 (PingCAP TiDB v6.1.0 was discovered to contain a NULL pointer 
dereferen ...)
TODO: check
 CVE-2022-34968 (An issue in the fetch_step function in Percona Server for 
MySQL v8.0.2 ...)
-   TODO: check
+   NOT-FOR-US: Percona Server for MySQL v8
 CVE-2022-34967 (The assertion `stmt-Dbc-FirstStmt' failed in MonetDB 
Database  ...)
-   TODO: check
+   NOT-FOR-US: MonetDB
 CVE-2022-34966 (OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was 
discovered ...)
NOT-FOR-US: OpenTeknik
 CVE-2022-34965 (OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was 
discovered ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e199a6b274a7b2b0eb66dad9bc421f41f37e4eca



[Git][security-tracker-team/security-tracker][master] CVE-2022-34927/milkytracker unfixed bug 1016578

2022-08-03 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ae8439b7 by Neil Williams at 2022-08-03T11:43:21+01:00
CVE-2022-34927/milkytracker unfixed bug 1016578

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5904,7 +5904,9 @@ CVE-2022-34929
 CVE-2022-34928 (JFinal CMS v5.1.0 was discovered to contain a SQL injection 
vulnerabil ...)
NOT-FOR-US: JFinal CMS
 CVE-2022-34927 (MilkyTracker v1.03.00 was discovered to contain a stack 
overflow via t ...)
-   TODO: check
+   - milkytracker  (bug #1016578)
+   NOTE: 
https://github.com/milkytracker/MilkyTracker/commit/3a5474f9102cbdc10fbd9e7b1b2c8d3f3f45d91b
+   NOTE: https://github.com/milkytracker/MilkyTracker/issues/275
 CVE-2022-34926
RESERVED
 CVE-2022-34925
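Review bot: the package line "- milkytracker  (bug #1016578)" shows nothing between the package name and the bug reference where the version or unfixed marker belongs; the double space suggests an angle-bracketed token was dropped by the mail rendering, so it is worth confirming the committed line carries the intended marker. The two NOTE lines also list the upstream commit and the upstream issue without saying which is the fix; prefixing the commit URL with "Fixed by:" would make that explicit for the next reader.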



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae8439b759b1bc3c3143e0fe5d354e180ba577a3



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-03 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d9778ff by Neil Williams at 2022-08-03T11:25:07+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6882,7 +6882,7 @@ CVE-2022-34627
 CVE-2022-34626
RESERVED
 CVE-2022-34625 (Mealie1.0.0beta3 was discovered to contain a Server-Side 
Template Inje ...)
-   TODO: check
+   NOT-FOR-US: hay-kot/mealie
 CVE-2022-34624
RESERVED
 CVE-2022-34623
@@ -6894,9 +6894,9 @@ CVE-2022-34621
 CVE-2022-34620
RESERVED
 CVE-2022-34619 (A stored cross-site scripting (XSS) vulnerability in Mealie 
v0.5.5 all ...)
-   TODO: check
+   NOT-FOR-US: hay-kot/mealie
 CVE-2022-34618 (A stored cross-site scripting (XSS) vulnerability in Mealie 
1.0.0beta3 ...)
-   TODO: check
+   NOT-FOR-US: hay-kot/mealie
 CVE-2022-34617
RESERVED
 CVE-2022-34616
@@ -6906,7 +6906,7 @@ CVE-2022-34615
 CVE-2022-34614
RESERVED
 CVE-2022-34613 (Mealie 1.0.0beta3 contains an arbitrary file upload 
vulnerability whic ...)
-   TODO: check
+   NOT-FOR-US: hay-kot/mealie
 CVE-2022-34612 (Rizin v0.4.0 and below was discovered to contain an integer 
overflow v ...)
NOT-FOR-US: Rizin
 CVE-2022-34611 (A cross-site scripting (XSS) vulnerability in 
/index.php/?p=report of  ...)
@@ -20236,7 +20236,7 @@ CVE-2022-1470 (The Ultimate WooCommerce CSV Importer 
WordPress plugin through 2.
 CVE-2022-1469 (The FiboSearch WordPress plugin before 1.17.0 does not sanitise 
and es ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-29808 (In Quest KACE Systems Management Appliance (SMA) through 12.0, 
predict ...)
-   TODO: check
+   NOT-FOR-US: Quest KACE System Management Appliance
 CVE-2022-29807 (A SQL injection vulnerability exists within Quest KACE Systems 
Managem ...)
NOT-FOR-US: Quest KACE System Management Appliance
 CVE-2022-29806 (ZoneMinder before 1.36.13 allows remote code execution via an 
invalid  ...)
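Review bot: the new label "NOT-FOR-US: Quest KACE System Management Appliance" for CVE-2022-29808 drops the "s" from "Systems Management Appliance" as the CVE description spells it; the existing CVE-2022-29807 line two lines below has the same spelling, so correcting both in this hunk would keep the product name greppable against the CVE text.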



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d9778ff9b3752ff0a5ac4f82e7cf81591c4a6fb



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-03 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
53345ef4 by Neil Williams at 2022-08-03T11:12:38+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15961,17 +15961,17 @@ CVE-2022-31190 (DSpace open source software is a 
repository application which pr
 CVE-2022-31189 (DSpace open source software is a repository application which 
provides ...)
NOT-FOR-US: DSpace
 CVE-2022-31188 (CVAT is an opensource interactive video and image annotation 
tool for  ...)
-   TODO: check
+   NOT-FOR-US: cvat-ai/cvat
 CVE-2022-31187
RESERVED
 CVE-2022-31186 (NextAuth.js is a complete open source authentication solution 
for Next ...)
NOT-FOR-US: NextAuth.js
 CVE-2022-31185 (mprweb is a hosting platform for the makedeb Package 
Repository. Email ...)
-   TODO: check
+   NOT-FOR-US: makedeb/mprweb
 CVE-2022-31184 (Discourse is the an open source discussion platform. In 
affected versi ...)
NOT-FOR-US: Discourse
 CVE-2022-31183 (fs2 is a compositional, streaming I/O library for Scala. When 
establis ...)
-   TODO: check
+   NOT-FOR-US: typelevel/fs2
 CVE-2022-31182 (Discourse is the an open source discussion platform. In 
affected versi ...)
NOT-FOR-US: Discourse
 CVE-2022-31181 (PrestaShop is an Open Source e-commerce platform. In versions 
from 1.6 ...)
@@ -15992,7 +15992,7 @@ CVE-2022-31175
 CVE-2022-31174
RESERVED
 CVE-2022-31173 (Juniper is a GraphQL server library for Rust. Affected 
versions of Jun ...)
-   TODO: check
+   NOT-FOR-US: graphql-rust/juniper
 CVE-2022-31172 (OpenZeppelin Contracts is a library for smart contract 
development. Ve ...)
NOT-FOR-US: OpenZeppelin Contracts
 CVE-2022-31171
@@ -17805,9 +17805,9 @@ CVE-2022-30574
 CVE-2022-30573
RESERVED
 CVE-2022-30572 (The iWay Service Manager Console component of TIBCO Software 
Inc.'s TI ...)
-   TODO: check
+   NOT-FOR-US: TIBCO
 CVE-2022-30571 (The iWay Service Manager Console component of TIBCO Software 
Inc.'s TI ...)
-   TODO: check
+   NOT-FOR-US: TIBCO
 CVE-2022-30570 (The Column Based Security component of TIBCO Software Inc.'s 
TIBCO Dat ...)
NOT-FOR-US: TIBCO
 CVE-2022-30569
@@ -18731,7 +18731,7 @@ CVE-2022-30287 (Horde Groupware Webmail Edition through 
5.2.22 allows a reflecti
 CVE-2022-30286 (pyscriptjs (aka PyScript Demonstrator) in PyScript through 
2022-05-04  ...)
NOT-FOR-US: pyscriptjs
 CVE-2022-30285 (In Quest KACE Systems Management Appliance (SMA) through 12.0, 
a hash  ...)
-   TODO: check
+   NOT-FOR-US: Quest KACE System Management Appliance
 CVE-2022-30284 (** DISPUTED ** In the python-libnmap package through 0.7.2 for 
Python, ...)
NOTE: Bogus python-libnmap issue
 CVE-2022-30283
@@ -20238,7 +20238,7 @@ CVE-2022-1469 (The FiboSearch WordPress plugin before 
1.17.0 does not sanitise a
 CVE-2022-29808 (In Quest KACE Systems Management Appliance (SMA) through 12.0, 
predict ...)
TODO: check
 CVE-2022-29807 (A SQL injection vulnerability exists within Quest KACE Systems 
Managem ...)
-   TODO: check
+   NOT-FOR-US: Quest KACE System Management Appliance
 CVE-2022-29806 (ZoneMinder before 1.36.13 allows remote code execution via an 
invalid  ...)
- zoneminder 1.36.13+dfsg1-1 (unimportant)
NOTE: https://forums.zoneminder.com/viewtopic.php?t=31638
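Review bot: CVE-2022-29808, two lines above the changed CVE-2022-29807 entry, is the same Quest KACE Systems Management Appliance product and still reads "TODO: check" in this hunk; it could be marked NOT-FOR-US in the same commit rather than left for a separate pass. The label also spells the product "System Management Appliance" while the description says "Systems Management Appliance".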



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53345ef4ced203289797969a134533d440629a7c



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-03 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
732dbf14 by Neil Williams at 2022-08-03T09:51:33+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22503,7 +22503,7 @@ CVE-2022-1295 (Prototype Pollution in GitHub repository 
alvarotrigo/fullpage.js
 CVE-2022-1294 (The IMDB info box WordPress plugin through 2.0 does not 
sanitize and e ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-1293 (The embedded neutralization of Script-Related HTML Tag, was 
by-passed  ...)
-   TODO: check
+   NOT-FOR-US: Ercom citadel
 CVE-2022-1292 (The c_rehash script does not properly sanitise shell 
metacharacters to ...)
{DSA-5139-1 DLA-3008-1}
- openssl 1.1.1o-1
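Review bot: the truncated CVE-2022-1293 description visible here ("The embedded neutralization of Script-Related HTML Tag, was by-passed ...") never names a vendor or product, so the verdict "NOT-FOR-US: Ercom citadel" cannot be checked from the list entry alone; adding a NOTE: line with the advisory or reference that identifies the product would let the next triager confirm it.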
@@ -26601,17 +26601,17 @@ CVE-2022-27623
 CVE-2022-27622
RESERVED
 CVE-2022-27621 (Improper limitation of a pathname to a restricted directory 
('Path Tra ...)
-   TODO: check
+   NOT-FOR-US: Synology DiskStation Manager
 CVE-2022-27620 (Improper limitation of a pathname to a restricted directory 
('Path Tra ...)
-   TODO: check
+   NOT-FOR-US: Synology DiskStation Manager
 CVE-2022-27619 (Cleartext transmission of sensitive information vulnerability 
in authe ...)
-   TODO: check
+   NOT-FOR-US: Synology Note Station Client
 CVE-2022-27618 (Improper limitation of a pathname to a restricted directory 
('Path Tra ...)
-   TODO: check
+   NOT-FOR-US: Synology DiskStation Manager
 CVE-2022-27617 (Improper limitation of a pathname to a restricted directory 
('Path Tra ...)
-   TODO: check
+   NOT-FOR-US: Synology DiskStation Manager
 CVE-2022-27616 (Improper neutralization of special elements used in an OS 
command ('OS ...)
-   TODO: check
+   NOT-FOR-US: Synology DiskStation Manager
 CVE-2022-27615 (Improper limitation of a pathname to a restricted directory 
('Path Tra ...)
NOT-FOR-US: Synology
 CVE-2022-27614 (Exposure of sensitive information to an unauthorized actor 
vulnerabili ...)
@@ -31321,7 +31321,7 @@ CVE-2022-25869 (All versions of package angular are 
vulnerable to Cross-site Scr
- angular.js 
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781
 CVE-2022-25867 (The package io.socket:socket.io-client before 2.0.1 are 
vulnerable to  ...)
-   TODO: check
+   NOT-FOR-US: socket.io-client-java
 CVE-2022-25866 (The package czproject/git-php before 4.0.3 are vulnerable to 
Command I ...)
NOT-FOR-US: git-php
 CVE-2022-25865 (The package workspace-tools before 0.18.4 are vulnerable to 
Command In ...)
@@ -38761,7 +38761,7 @@ CVE-2022-23735
 CVE-2022-23734
RESERVED
 CVE-2022-23733 (A stored XSS vulnerability was identified in GitHub Enterprise 
Server  ...)
-   TODO: check
+   NOT-FOR-US: Github Enterprise Server
 CVE-2022-23732 (A path traversal vulnerability was identified in GitHub 
Enterprise Ser ...)
NOT-FOR-US: Github Enterprise Server
 CVE-2022-23731 (V8 javascript engine (heap vulnerability) can cause privilege 
escalati ...)
@@ -123961,11 +123961,11 @@ CVE-2020-28455 (This affects all versions of 
package markdown-it-toc. The title
 CVE-2020-28454
RESERVED
 CVE-2020-28453 (This affects all versions of package npos-tesseract. The 
injection poi ...)
-   TODO: check
+   NOT-FOR-US: Node npos-tesseract
 CVE-2020-28452 (This affects the package 
com.softwaremill.akka-http-session:core_2.12  ...)
NOT-FOR-US: akka-http-session
 CVE-2020-28451 (This affects the package image-tiler before 2.0.2. ...)
-   TODO: check
+   NOT-FOR-US: Node image-tiler
 CVE-2020-28450 (This affects all versions of package decal. The vulnerability 
is in th ...)
NOT-FOR-US: Node decal
 CVE-2020-28449 (This affects all versions of package decal. The vulnerability 
is in th ...)
@@ -123993,15 +123993,15 @@ CVE-2020-28439 (This affects all versions of 
package corenlp-js-prefab. The inje
 CVE-2020-28438 (This affects all versions of package deferred-exec. The 
injection poin ...)
NOT-FOR-US: Node deferred-exec
 CVE-2020-28437 (This affects all versions of package heroku-env. The injection 
point i ...)
-   TODO: check
+   NOT-FOR-US: Node heroku-env
 CVE-2020-28436 (This affects all versions of package 
google-cloudstorage-commands. ...)
NOT-FOR-US: Node google-cloudstorage-commands
 CVE-2020-28435 (This affects all versions of package ffmpeg-sdk. The injection 
point i ...)
NOT-FOR-US: Node ffmpeg-sdk
 CVE-2020-28434 (This affects all versions of package gitblame. The injection 
point is  ...)
-   TODO: check
+   NOT-FOR-US: Node gitblame
 CVE-2020-28433 (This affects all versions of package node-latex-pdf. ...)
-   TODO: check
+   NOT-FOR-US: node-latex-pdf
 CVE-2020-28432
REJECTED
 CVE-2020-28431
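Review bot: CVE-2020-28433 is labelled "NOT-FOR-US: node-latex-pdf" while the other npm packages in this hunk ("Node heroku-env", "Node gitblame") and the existing "Node deferred-exec" context line carry the "Node " prefix; use the same form so the npm entries stay consistent.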
@@ -124017,11 +124017,11 @@ CVE-2020-28427
 CVE-2020-28426 (All versions 

[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
508ebd2d by Neil Williams at 2022-08-02T12:20:14+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15819,9 +15819,9 @@ CVE-2022-31182 (Discourse is the an open source 
discussion platform. In affected
 CVE-2022-31181 (PrestaShop is an Open Source e-commerce platform. In versions 
from 1.6 ...)
TODO: check
 CVE-2022-31180 (Shescape is a simple shell escape package for JavaScript. 
Affected ver ...)
-   TODO: check
+   NOT-FOR-US: Node shescape
 CVE-2022-31179 (Shescape is a simple shell escape package for JavaScript. 
Versions pri ...)
-   TODO: check
+   NOT-FOR-US: Node shescape
 CVE-2022-31178 (eLabFTW is an electronic lab notebook manager for research 
teams. A vu ...)
TODO: check
 CVE-2022-31177 (Flask-AppBuilder is an application development framework built 
on top  ...)
@@ -15877,9 +15877,9 @@ CVE-2022-31156 (Gradle is a build tool. Dependency 
verification is a security fe
- gradle  (Vulnerable node not yet uploaded; introduced 
in 6.2)
NOTE: 
https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j
 CVE-2022-31155 (Sourcegraph is an opensource code search and navigation 
engine. In Sou ...)
-   TODO: check
+   NOT-FOR-US: Sourcegraph
 CVE-2022-31154 (Sourcegraph is an opensource code search and navigation 
engine. It is  ...)
-   TODO: check
+   NOT-FOR-US: Sourcegraph
 CVE-2022-31153 (OpenZeppelin Contracts for Cairo is a library for contract 
development ...)
NOT-FOR-US: OpenZeppelin Contracts
 CVE-2022-31152
@@ -27359,7 +27359,7 @@ CVE-2022-27257 (A PHP Local File Inclusion vulneraility 
in the default Redbasic
 CVE-2022-27256 (A PHP Local File inclusion vulnerability in the Redbasic theme 
for Hub ...)
NOT-FOR-US: Redbasic theme for Hubzilla
 CVE-2022-27255 (In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG 
function th ...)
-   TODO: check
+   NOT-FOR-US: Realtek eCos RSDK
 CVE-2022-27254 (The remote keyless system on Honda Civic 2018 vehicles sends 
the same  ...)
NOT-FOR-US: Honda
 CVE-2022-27253
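Review bot: the CVE-2022-27255 description names both "Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1", but the label only says "Realtek eCos RSDK"; include MSDK as well (or use "Realtek eCos SDK") so the entry reflects the full affected set stated in the CVE text.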



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/508ebd2d1c440eff52cbac2567d4854abb9d41dc



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-02 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a6bf2df6 by Neil Williams at 2022-08-02T12:01:26+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18993,7 +18993,7 @@ CVE-2022-1563
 CVE-2022-1562 (The Enable SVG WordPress plugin before 1.4.0 does not sanitise 
uploade ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-1561 (Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE 
versions ...)
-   TODO: check
+   NOT-FOR-US: Lura Project
 CVE-2022-1560 (The Amministrazione Aperta WordPress plugin before 3.8 does not 
valida ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-1559 (The Clipr WordPress plugin through 1.2.3 does not sanitise and 
escape  ...)
@@ -29676,45 +29676,45 @@ CVE-2022-26447
 CVE-2022-26446
RESERVED
 CVE-2022-26445 (In wifi driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2022-26444 (In wifi driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2022-26443 (In wifi driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2022-26442 (In wifi driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2022-26441 (In wifi driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2022-26440 (In wifi driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2022-26439 (In wifi driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2022-26438 (In wifi driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2022-26437 (In httpclient, there is a possible out of bounds write due to 
uninitia ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2022-26436 (In emi mpu, there is a possible out of bounds read due to a 
missing bo ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-26435 (In mailbox, there is a possible out of bounds write due to 
type confus ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-26434 (In mailbox, there is a possible out of bounds write due to a 
missing b ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-26433 (In mailbox, there is a possible out of bounds write due to 
type confus ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-26432 (In mailbox, there is a possible out of bounds write due to a 
missing b ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-26431 (In mailbox, there is a possible out of bounds write due to a 
missing b ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-26430 (In mailbox, there is a possible out of bounds write due to 
type confus ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-26429 (In cta, there is a possible way to write permission usage 
records of a ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-26428 (In video codec, there is a possible memory corruption due to a 
race co ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-26427 (In camera isp, there is a possible out of bounds write due to 
a missin ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-26426 (In camera isp, there is a possible out of bounds write due to 
a missin ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-26418
RESERVED
 CVE-2022-26416
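Review bot: this hunk uses two different labels for one vendor batch, "NOT-FOR-US: MediaTek" for CVE-2022-26437 through CVE-2022-26445 and "NOT-FOR-US: MediaTek driver for Android" for CVE-2022-26426 through CVE-2022-26436, although the descriptions (wifi driver, httpclient, mailbox, camera isp, video codec) all describe the same kind of MediaTek platform component; the d519edad commit further down this page uses "MediaTek driver for Android" throughout, so aligning these twenty entries on that one label would make them easier to find together.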
@@ -30198,11 +30198,11 @@ CVE-2022-26312
 CVE-2022-26311 (Couchbase Operator 2.2.x before 2.2.3 exposes Sensitive 
Information to ...)
NOT-FOR-US: Couchbase Operator
 CVE-2022-26310 (Pandora FMS v7.0NG.760 and below allows an improper 
authorization in U ...)
-   TODO: check
+   NOT-FOR-US: Pandora FMS
 CVE-2022-26309 (Pandora FMS v7.0NG.759 allows Cross-Site Request Forgery in 
Bulk opera ...)
-   TODO: check
+   NOT-FOR-US: Pandora FMS
 CVE-2022-26308 (Pandora FMS v7.0NG.760 and below allows an improper access 
control in  ...)
-   TODO: check
+   NOT-FOR-US: Pandora FMS
 CVE-2022-26307 (LibreOffice supports the storage of passwords for web 
connections in t ...)
- libreoffice 1:7.3.3~rc1-2
[bullseye] - libreoffice  (Minor issue)
@@ -50152,15 +50152,15 @@ CVE-2021-44232 (SAF-T Framework Transaction SAFTN_G 
allows an attacker to exploi
 CVE-2021-44231 (Internally used text extraction 

[Git][security-tracker-team/security-tracker][master] Process 2 NFUs

2022-07-07 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a1bba78e by Neil Williams at 2022-07-07T10:22:45+01:00
Process 2 NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31492,7 +31492,7 @@ CVE-2022-24142 (Tenda AX3 v16.03.12.10_CN was 
discovered to contain a stack over
 CVE-2022-24141 (The iTopVPNmini.exe component of iTop VPN 3.2 will try to 
connect to d ...)
NOT-FOR-US: iTop VPN
 CVE-2022-24140 (IOBit Advanced System Care 15, iTop Screen Recorder 2.1, iTop 
VPN 3.2, ...)
-   TODO: check
+   NOT-FOR-US: IOBit Advanced System Care
 CVE-2022-24139 (In IOBit Advanced System Care (AscService.exe) 15, an attacker 
with SE ...)
NOT-FOR-US: IOBit Advanced System Care
 CVE-2022-24138 (IOBit Advanced System Care (Asc.exe) 15 and Action Download 
Center bot ...)
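Review bot: the CVE-2022-24140 description lists three products ("IOBit Advanced System Care 15, iTop Screen Recorder 2.1, iTop VPN 3.2"), but the new label names only the first; the adjacent CVE-2022-24141 entry is filed under "iTop VPN", so a label that mentions the iTop products as well would keep a search for either vendor name complete.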
@@ -33466,9 +33466,9 @@ CVE-2022-23716
 CVE-2022-23715
RESERVED
 CVE-2022-23714 (A local privilege escalation (LPE) issue was discovered in the 
ransomw ...)
-   TODO: check
+   NOT-FOR-US: Elastic Endpoint Security for Windows
 CVE-2022-23713 (A cross-site-scripting (XSS) vulnerability was discovered in 
the Vega  ...)
-   TODO: check
+   NOT-FOR-US: Kibana addon
 CVE-2022-23712 (A Denial of Service flaw was discovered in Elasticsearch. 
Using this v ...)
- elasticsearch 
 CVE-2022-23711 (A vulnerability in Kibana could expose sensitive information 
related t ...)
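Review bot: "NOT-FOR-US: Kibana addon" for CVE-2022-23713 is vaguer than the description, which attributes the XSS to the Vega component of Kibana; naming Vega in the label would make the entry searchable. The split in this hunk looks right otherwise: CVE-2022-23714 is Windows-only endpoint software, while the adjacent CVE-2022-23712 context line shows Elasticsearch itself is tracked against the elasticsearch source package, so the Elastic family is not uniformly NFU.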



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1bba78ed8c63a3aa9031ec2a1cb8e667ca650ec



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-07-07 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6d464746 by Neil Williams at 2022-07-07T09:57:53+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -49732,7 +49732,7 @@ CVE-2022-20810
 CVE-2022-20809 (Multiple vulnerabilities in the API and web-based management 
interface ...)
NOT-FOR-US: Cisco
 CVE-2022-20808 (A vulnerability in Cisco Smart Software Manager On-Prem (SSM 
On-Prem)  ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20807 (Multiple vulnerabilities in the API and web-based management 
interface ...)
NOT-FOR-US: Cisco
 CVE-2022-20806 (Multiple vulnerabilities in the API and web-based management 
interface ...)
@@ -401437,9 +401437,9 @@ CVE-2015-3174 (mod/quiz/db/access.php in Moodle 
through 2.5.9, 2.6.x before 2.6.
- moodle 2.7.8+dfsg-1 (bug #785591)
[squeeze] - moodle  (Not supported in Squeeze LTS)
 CVE-2015-3173 (custom-content-type-manager Wordpress plugin can be used by an 
adminis ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2015-3172 (EidoGo is susceptible to Cross-Site Scripting (XSS) attacks via 
malici ...)
-   TODO: check
+   NOT-FOR-US: jkk/eidogo
 CVE-2015-3171 (sosreport 3.2 uses weak permissions for generated sosreport 
archives,  ...)
- sosreport 3.2-2 (bug #769521)
NOTE: 
https://github.com/sosreport/sos/commit/d7759d3ddae5fe99a340c88a1d370d65cfa73fd6



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d46474637b67fda83786d1c2ae4a17ddc0a3a72



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-07-07 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f714b048 by Neil Williams at 2022-07-07T09:43:20+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12314,7 +12314,7 @@ CVE-2022-30621
 CVE-2022-30620
RESERVED
 CVE-2022-30619 (Editable SQL Queries behind Base64 encoding sending from the 
Client-Si ...)
-   TODO: check
+   NOT-FOR-US: Agile Point
 CVE-2022-30618 (An authenticated user with access to the Strapi admin panel 
can view p ...)
NOT-FOR-US: Strapi
 CVE-2022-30617 (An authenticated user with access to the Strapi admin panel 
can view p ...)
@@ -35370,9 +35370,9 @@ CVE-2022-23175
 CVE-2022-23174
RESERVED
 CVE-2022-23173 (this vulnerability affect user that even not allowed to access 
via the ...)
-   TODO: check
+   NOT-FOR-US: Priority
 CVE-2022-23172 (An attacker can access to "Forgot my password" button, as soon 
as he p ...)
-   TODO: check
+   NOT-FOR-US: Priority
 CVE-2022-23171 (AtlasVPN - Privilege Escalation Lack of proper security 
controls on na ...)
NOT-FOR-US: AtlasVPN
 CVE-2022-23170 (SysAid - Okta SSO integration - was found vulnerable to XML 
External E ...)
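Review bot: the CVE-2022-23173 and CVE-2022-23172 descriptions shown here ("this vulnerability affect user that even not allowed to access via the ...", "An attacker can access to \"Forgot my password\" button, as soon as he p ...") never name the product, so "NOT-FOR-US: Priority" cannot be verified from the list entry; a NOTE: line pointing at the advisory, or a fuller product name than the single word "Priority", would help the next reader.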
@@ -37273,7 +37273,7 @@ CVE-2022-22683
 CVE-2022-22682
RESERVED
 CVE-2022-22681 (Session fixation vulnerability in access control management in 
Synolog ...)
-   TODO: check
+   NOT-FOR-US: Synology
 CVE-2022-22680 (Exposure of sensitive information to an unauthorized actor 
vulnerabili ...)
NOT-FOR-US: Synology
 CVE-2022-22679 (Improper limitation of a pathname to a restricted directory 
('Path Tra ...)
@@ -49619,13 +49619,13 @@ CVE-2022-20864
 CVE-2022-20863
RESERVED
 CVE-2022-20862 (A vulnerability in the web-based management interface of Cisco 
Unified ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20861
RESERVED
 CVE-2022-20860
RESERVED
 CVE-2022-20859 (A vulnerability in the Disaster Recovery framework of Cisco 
Unified Co ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20858
RESERVED
 CVE-2022-20857
@@ -49713,13 +49713,13 @@ CVE-2022-20817 (A vulnerability in Cisco Unified IP 
Phones could allow an unauth
 CVE-2022-20816
RESERVED
 CVE-2022-20815 (A vulnerability in the web-based management interface of Cisco 
Unified ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20814
RESERVED
 CVE-2022-20813 (Multiple vulnerabilities in the API and in the web-based 
management in ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20812 (Multiple vulnerabilities in the API and in the web-based 
management in ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20811
RESERVED
 CVE-2022-20810
@@ -49745,7 +49745,7 @@ CVE-2022-20802 (A vulnerability in the web interface of 
Cisco Enterprise Chat an
 CVE-2022-20801 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
NOT-FOR-US: Cisco
 CVE-2022-20800 (A vulnerability in the web-based management interface of Cisco 
Unified ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20799 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
NOT-FOR-US: Cisco
 CVE-2022-20798 (A vulnerability in the external authentication functionality 
of Cisco  ...)
@@ -49772,7 +49772,7 @@ CVE-2022-20792
[buster] - clamav  (clamav is updated via -updates)
NOTE: 
https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
 CVE-2022-20791 (A vulnerability in the database user privileges of Cisco 
Unified Commu ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20790 (A vulnerability in the web-based management interface of Cisco 
Unified ...)
NOT-FOR-US: Cisco
 CVE-2022-20789 (A vulnerability in the software upgrade process of Cisco 
Unified Commu ...)
@@ -49830,7 +49830,7 @@ CVE-2022-20770 (On April 20, 2022, the following 
vulnerability in the ClamAV sca
 CVE-2022-20769
RESERVED
 CVE-2022-20768 (A vulnerability in the logging component of Cisco TelePresence 
Collabo ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20767 (A vulnerability in the Snort rule evaluation function of Cisco 
Firepow ...)
NOT-FOR-US: Cisco Firepower
 CVE-2022-20766
@@ -49862,7 +49862,7 @@ CVE-2022-20754 (Multiple vulnerabilities in the API and 
web-based management int
 CVE-2022-20753 (A vulnerability in web-based management interface of Cisco 
Small Busin ...)
NOT-FOR-US: Cisco
 CVE-2022-20752 (A vulnerability in Cisco Unified Communications Manager 
(Unified CM),  ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20751 (A vulnerability in the Snort detection engine integration for 
Cisco Fi ...)
NOT-FOR-US: Cisco Firepower
 CVE-2022-20750 (A vulnerability in the checkpoint manager implementation of 
Cisco 

[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-07-07 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d519edad by Neil Williams at 2022-07-07T09:30:34+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8083,7 +8083,7 @@ CVE-2022-1957
 CVE-2022-1956
RESERVED
 CVE-2022-1955 (Session 1.13.0 allows an attacker with physical access to the 
victim's ...)
-   TODO: check
+   NOT-FOR-US: oxen-io/session-android
 CVE-2022-1954 (A Regular Expression Denial of Service vulnerability in GitLab 
CE/EE a ...)
- gitlab 
 CVE-2022-1953 (The Product Configurator for WooCommerce WordPress plugin 
before 1.2.3 ...)
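Review bot: the CVE-2022-1955 description says only "Session 1.13.0" and nothing about the platform, yet the label is "NOT-FOR-US: oxen-io/session-android"; either confirm from the reference that the Android client is the affected one, or use a platform-neutral label such as "Session messenger" until that is established.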
@@ -44970,55 +44970,55 @@ CVE-2022-21789
 CVE-2022-21788
RESERVED
 CVE-2022-21787 (In audio DSP, there is a possible out of bounds write due to a 
missing ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21786 (In audio DSP, there is a possible memory corruption due to 
improper ca ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21785 (In WLAN driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21784 (In WLAN driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21783 (In WLAN driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21782 (In WLAN driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21781 (In WLAN driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21780 (In WLAN driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21779 (In WLAN driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21778
RESERVED
 CVE-2022-21777 (In Autoboot, there is a possible permission bypass due to a 
missing pe ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21776 (In MDP, there is a possible use after free due to a race 
condition. Th ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21775 (In sched driver, there is a possible use after free due to 
improper lo ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21774 (In TEEI driver, there is a possible use after free due to a 
race condi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21773 (In TEEI driver, there is a possible use after free due to a 
race condi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21772 (In TEEI driver, there is a possible type confusion due to a 
race condi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21771 (In GED driver, there is a possible use after free due to a 
race condit ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21770 (In sound driver, there is a possible information disclosure 
due to sym ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21769 (In CCCI, there is a possible out of bounds read due to a 
missing bound ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21768 (In Bluetooth, there is a possible out of bounds write due to a 
missing ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21767 (In Bluetooth, there is a possible out of bounds write due to a 
missing ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21766 (In CCCI, there is a possible out of bounds write due to a 
missing boun ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21765 (In CCCI, there is a possible out of bounds write due to a 
missing boun ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21764 (In telecom service, there is a possible information disclosure 
due to  ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21763 (In telecom service, there is a possible information disclosure 
due to  ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21762 (In apusys driver, there is a possible system crash due to an 
integer o ...)
NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21761 (In apusys driver, there is a possible system crash due to an 
integer o ...)
@@ -45056,7 

[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-07-07 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce9eda12 by Neil Williams at 2022-07-07T09:18:46+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28376,19 +28376,19 @@ CVE-2022-0588 (Exposure of Sensitive Information to 
an Unauthorized Actor in Pac
 CVE-2022-0587 (Improper Authorization in Packagist librenms/librenms prior to 
22.2.0. ...)
NOT-FOR-US: LibreNMS
 CVE-2021-46687 (JFrog Artifactory prior to version 7.31.10 and 6.23.38 is 
vulnerable t ...)
-   TODO: check
+   NOT-FOR-US: JFrog Artifactory
 CVE-2021-46270 (JFrog Artifactory before 7.31.10, is vulnerable to Broken 
Access Contr ...)
NOT-FOR-US: JFrog Artifactory
 CVE-2021-45730 (JFrog Artifactory prior to 7.31.10, is vulnerable to Broken 
Access Con ...)
NOT-FOR-US: JFrog Artifactory
 CVE-2021-45721 (JFrog Artifactory prior to version 7.29.8 and 6.23.38 is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: JFrog Artifactory
 CVE-2021-45074 (JFrog Artifactory before 7.29.3 and 6.23.38, is vulnerable to 
Broken A ...)
NOT-FOR-US: JFrog Artifactory
 CVE-2021-41834 (JFrog Artifactory prior to version 7.28.0 and 6.23.38, is 
vulnerable t ...)
NOT-FOR-US: JFrog Artifactory
 CVE-2021-23163 (JFrog Artifactory prior to version 7.33.6 and 6.23.38, is 
vulnerable t ...)
-   TODO: check
+   NOT-FOR-US: JFrog Artifactory
 CVE-2022-25146 (The Remote App module in Liferay Portal through v7.4.3.8 and 
Liferay D ...)
NOT-FOR-US: Liferay
 CVE-2022-25145
@@ -80588,13 +80588,13 @@ CVE-2021-31681
 CVE-2021-31680
RESERVED
 CVE-2021-31679 (An issue was discovered in PESCMS-V2.3.3. There is a CSRF 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: PESCMS Team
 CVE-2021-31678 (An issue was discovered in PESCMS-V2.3.3. There is a CSRF 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: PESCMS Team
 CVE-2021-31677 (An issue was discovered in PESCMS-V2.3.3. There is a CSRF 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: PESCMS Team
 CVE-2021-31676 (A reflected XSS was discovered in PESCMS-V2.3.3. When combined 
with CS ...)
-   TODO: check
+   NOT-FOR-US: PESCMS Team
 CVE-2021-31675
RESERVED
 CVE-2021-31674 (Cyclos 4 PRO 4.14.7 and before does not validate user input at 
error i ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce9eda12e24f2a7978e45cc2069c3fbf8de0ce8e

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce9eda12e24f2a7978e45cc2069c3fbf8de0ce8e
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-07-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5bc11825 by Neil Williams at 2022-07-05T10:36:14+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10625,13 +10625,13 @@ CVE-2022-31115 (opensearch-ruby is a 
community-driven, open source fork of elast
 CVE-2022-31114
RESERVED
 CVE-2022-31113 (Canarytokens is an open source tool which helps track activity 
and act ...)
-   TODO: check
+   NOT-FOR-US: thinkst/canarytokens
 CVE-2022-31112 (Parse Server is an open source backend that can be deployed to 
any inf ...)
-   TODO: check
+   NOT-FOR-US: Node parse-server
 CVE-2022-3
RESERVED
 CVE-2022-31110 (RSSHub is an open source, extensible RSS feed generator. In 
commits pr ...)
-   TODO: check
+   NOT-FOR-US: RSSHub
 CVE-2022-31109
RESERVED
 CVE-2022-31108 (Mermaid is a JavaScript based diagramming and charting tool 
that uses  ...)
@@ -10648,15 +10648,15 @@ CVE-2022-31105
 CVE-2022-31104 (Wasmtime is a standalone runtime for WebAssembly. In affected 
versions ...)
NOT-FOR-US: wasmtime
 CVE-2022-31103 (lettersanitizer is a DOM-based HTML email sanitizer for 
in-browser ema ...)
-   TODO: check
+   NOT-FOR-US: Node lettersanitizer
 CVE-2022-31102
RESERVED
 CVE-2022-31101 (prestashop/blockwishlist is a prestashop extension which adds 
a block  ...)
NOT-FOR-US: prestashop extension
 CVE-2022-31100 (rulex is a new, portable, regular expression language. When 
parsing un ...)
-   TODO: check
+   NOT-FOR-US: rulex-rs/pomsky
 CVE-2022-31099 (rulex is a new, portable, regular expression language. When 
parsing un ...)
-   TODO: check
+   NOT-FOR-US: rulex-rs/pomsky
 CVE-2022-31098 (Weave GitOps is a simple open source developer platform for 
people who ...)
NOT-FOR-US: Weave GitOps
 CVE-2022-31097
@@ -10686,7 +10686,7 @@ CVE-2022-31090 (Guzzle, an extensible PHP HTTP client. 
`Authorization` headers o
NOTE: 
https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
NOTE: 
https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82
 (7.4.5)
 CVE-2022-31089 (Parse Server is an open source backend that can be deployed to 
any inf ...)
-   TODO: check
+   NOT-FOR-US: Node parse-server
 CVE-2022-31088 (LDAP Account Manager (LAM) is a webfrontend for managing 
entries (e.g. ...)
- ldap-account-manager 8.0.1-1
NOTE: 
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-wxf8-9x99-6gp4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5bc118256b303f338eb6cef64aa9326a51a040d8



[Git][security-tracker-team/security-tracker][master] CVE-2022-30045/ezxml - ezxml_decode in mapcache, navit & scilab unfixed, bugs filed

2022-07-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e92e0ed9 by Neil Williams at 2022-07-05T10:24:29+01:00
CVE-2022-30045/ezxml - ezxml_decode in mapcache, navit & scilab unfixed, bugs filed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13807,7 +13807,10 @@ CVE-2022-30047 (Mingsoft MCMS v5.2.7 was discovered to 
contain a SQL injection v
 CVE-2022-30046
RESERVED
 CVE-2022-30045 (An issue was discovered in libezxml.a in ezXML 0.8.6. The 
function ezx ...)
-   TODO: check
+   - mapcache  (bug #1014389)
+   - navit  (bug #1014390)
+   - scilab  (bug #1014391)
+   NOTE: https://sourceforge.net/p/ezxml/bugs/29/
 CVE-2022-30044
RESERVED
 CVE-2022-30043
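Review bot: the three new package lines (`- mapcache  (bug #1014389)`, `- navit  (bug #1014390)`, `- scilab  (bug #1014391)`) show a double space between the package name and the bug reference, where the tracker expects a fixed version or a status keyword; the commit subject says the packages are unfixed, so check that the `<unfixed>` marker is present in the pushed file and was only dropped by the mail rendering. It would also help a later triager to add a NOTE stating that these three packages ship an embedded copy of ezXML, since the CVE text names libezxml.a rather than any of them and no ezxml source package is listed under the entry.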



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e92e0ed9a1a4fa0492a1bab62d838c207218c8a9



[Git][security-tracker-team/security-tracker][master] Process 2 NFUs

2022-07-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
edcf1894 by Neil Williams at 2022-07-05T10:06:10+01:00
Process 2 NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25679,9 +25679,9 @@ CVE-2022-25902
 CVE-2022-25901
RESERVED
 CVE-2022-25900 (All versions of package git-clone are vulnerable to Command 
Injection  ...)
-   TODO: check
+   NOT-FOR-US: Node git-clone
 CVE-2022-25898 (The package jsrsasign before 10.5.25 are vulnerable to 
Improper Verifi ...)
-   TODO: check
+   NOT-FOR-US: Node jsrsasign
 CVE-2022-25897
RESERVED
 CVE-2022-25896 (This affects the package passport before 0.6.0. When a user 
logs in or ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edcf189498f125debb78e0102113ed94fb061efb



[Git][security-tracker-team/security-tracker][master] CVE-2022-25896/passportjs unfixed bug 1014385

2022-07-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
47810606 by Neil Williams at 2022-07-05T10:01:12+01:00
CVE-2022-25896/passportjs unfixed bug 1014385

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25685,7 +25685,10 @@ CVE-2022-25898 (The package jsrsasign before 10.5.25 
are vulnerable to Improper
 CVE-2022-25897
RESERVED
 CVE-2022-25896 (This affects the package passport before 0.6.0. When a user 
logs in or ...)
-   TODO: check
+   - passportjs  (bug #1014385)
+   NOTE: 
https://github.com/jaredhanson/passport/commit/42630cbd1ffd44d146ff96f0a4be6f3c12f81d75
 (v0.6.0)
+   NOTE: https://github.com/jaredhanson/passport/pull/900
+   NOTE: https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631
 CVE-2022-25895
RESERVED
 CVE-2022-25894
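Review bot: `- passportjs  (bug #1014385)` has a double space where the tracker expects a version or status marker between the package name and the bug reference; the subject says unfixed, so confirm `<unfixed>` is present in the pushed line. The NOTE for the fix commit is tagged with its release (v0.6.0), which matches the first fixed version named in the CVE text, so the fixed-version field can be taken straight from it once the package is updated.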



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4781060661bdf94adecc0634487cfaccf939bb63



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-07-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
44d5ee5e by Neil Williams at 2022-07-05T09:49:41+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25721,7 +25721,7 @@ CVE-2022-25878 (The package protobufjs before 6.11.3 
are vulnerable to Prototype
 CVE-2022-25877
RESERVED
 CVE-2022-25876 (The package link-preview-js before 2.1.16 are vulnerable to 
Server-sid ...)
-   TODO: check
+   NOT-FOR-US: Node link-preview-js
 CVE-2022-25875
RESERVED
 CVE-2022-25874
@@ -25805,7 +25805,7 @@ CVE-2022-25760 (All versions of package accesslog are 
vulnerable to Arbitrary Co
 CVE-2022-25759
RESERVED
 CVE-2022-25758 (All versions of package scss-tokenizer are vulnerable to 
Regular Expre ...)
-   TODO: check
+   - node-scss-tokenizer  (bug #885456)
 CVE-2022-25648 (The package git before 1.11.0 are vulnerable to Command 
Injection via  ...)
- ruby-git  (bug #1009926)
NOTE: https://github.com/ruby-git/ruby-git/pull/569
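Review bot: `- node-scss-tokenizer  (bug #885456)` again has a double space where the status marker belongs, and the bug number is far lower than the bugs filed in this batch (the following entry references #1009926), which points to an ITP bug rather than a new security bug; confirm that the marker in the pushed line is `<itp>` and not `<unfixed>`, since an ITP entry records that the package is not in the archive yet rather than an unfixed vulnerability in a shipped package.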
@@ -33065,7 +33065,7 @@ CVE-2022-23765
 CVE-2022-23764
RESERVED
 CVE-2022-23763 (Origin validation error vulnerability in NeoRSs ActiveX 
moudle  ...)
-   TODO: check
+   NOT-FOR-US: NeoRS for Windows
 CVE-2022-23762
RESERVED
 CVE-2022-23761
@@ -33141,7 +33141,7 @@ CVE-2022-23727 (There is a privilege escalation 
vulnerability in some webOS TVs.
 CVE-2022-23726
RESERVED
 CVE-2022-23725 (PingID Windows Login prior to 2.8 does not properly set 
permissions on ...)
-   TODO: check
+   NOT-FOR-US: pingidentity
 CVE-2022-23724 (Use of static encryption key material allows forging an 
authentication ...)
NOT-FOR-US: pingidentity
 CVE-2022-23723 (An MFA bypass vulnerability exists in the PingFederate PingOne 
MFA Int ...)
@@ -54274,7 +54274,7 @@ CVE-2021-41997
 CVE-2021-41996
RESERVED
 CVE-2021-41995 (A misconfiguration of RSA in PingID Mac Login prior to 1.1 is 
vulnerab ...)
-   TODO: check
+   NOT-FOR-US: pingidentity
 CVE-2021-41994 (A misconfiguration of RSA in PingID iOS app prior to 1.19 is 
vulnerabl ...)
NOT-FOR-US: pingidentity
 CVE-2021-41993 (A misconfiguration of RSA in PingID Android app prior to 1.19 
is vulne ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44d5ee5e89f96291d24b5587a3a3b0f9b02ac42c



[Git][security-tracker-team/security-tracker][master] CVE-2022-0085/php-dompdf not affected, introduced later.

2022-07-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
89201151 by Neil Williams at 2022-07-05T09:35:25+01:00
CVE-2022-0085/php-dompdf not affected, introduced later.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -38019,7 +38019,10 @@ CVE-2022-22294 (A SQL injection vulnerability exists 
in ZFAKA=1.43 which an
 CVE-2022-0086 (uppy is vulnerable to Server-Side Request Forgery (SSRF) ...)
NOT-FOR-US: Node uppy
 CVE-2022-0085 (Server-Side Request Forgery (SSRF) in GitHub repository 
dompdf/dompdf  ...)
-   TODO: check
+   - php-dompdf  (Vulnerable code introduced in 0.7.0, fixed 
in 2.0.0)
+   NOTE: 
https://github.com/dompdf/dompdf/commit/bb1ef65011a14730b7cfbe73506b4bb8a03704bd
 (v2.0.0)
+   NOTE: Introduced by 
https://github.com/dompdf/dompdf/commit/7454ec8f6f765e3b1d4dbbde72c9dcb38479f37e
 (v0.7.0)
+   NOTE: https://huntr.dev/bounties/73dbcc78-5ba9-492f-9133-13bbc9f31236
 CVE-2022-0084
RESERVED
- jboss-xnio  (bug #1013280)
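Review bot: `- php-dompdf  (Vulnerable code introduced in 0.7.0, fixed in 2.0.0)` has a double space where a status marker belongs; the subject says not affected, so confirm the pushed line carries `<not-affected>`. The parenthesis would also be stronger if it named the php-dompdf version Debian ships, because the not-affected claim rests on that version predating 0.7.0 and nothing in the hunk records it; the "Introduced by" NOTE pointing at the v0.7.0 commit is the right supporting evidence for the claim.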



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892011514a9eba27bf6673cd2e83e727f70791ac



[Git][security-tracker-team/security-tracker][master] CVE-2021-41682/3 iotjs

2022-07-04 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bb058542 by Neil Williams at 2022-07-04T13:54:08+01:00
CVE-2021-41682/3 iotjs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54465,9 +54465,12 @@ CVE-2021-41685
 CVE-2021-41684
RESERVED
 CVE-2021-41683 (There is a stack-overflow at ecma-helpers.c:326 in 
ecma_get_lex_env_ty ...)
-   TODO: check
+   - iotjs 
+   NOTE: https://github.com/jerryscript-project/jerryscript/issues/4745
 CVE-2021-41682 (There is a heap-use-after-free at ecma-helpers-string.c:1940 
in ecma_c ...)
-   TODO: check
+   - iotjs 
+   NOTE: https://github.com/jerryscript-project/jerryscript/issues/4747
+   NOTE: 
https://github.com/jerryscript-project/jerryscript/commit/3ad76f932c8d2e3b9ba2d95e64848698ec7d7290
 CVE-2021-41681
RESERVED
 CVE-2021-41680
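Review bot: both new `- iotjs ` lines end in a trailing space with no version or status marker after the package name; the subject and the open upstream issues indicate unfixed, so confirm `<unfixed>` survived the push. The NOTE references point at jerryscript-project issues and a jerryscript commit, yet the affected source package is iotjs, and nothing in the hunk explains the mapping; a NOTE recording that iotjs ships an embedded copy of jerryscript would save the next triager from re-deriving it.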



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb0585423195631856e527d83b0e26c7914b3f85



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-07-04 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d1dd8f8b by Neil Williams at 2022-07-04T13:40:42+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54752,7 +54752,7 @@ CVE-2021-3822 (jsoneditor is vulnerable to Inefficient 
Regular Expression Comple
 CVE-2021-41560 (OpenCATS through 0.9.6 allows remote attackers to execute 
arbitrary co ...)
NOT-FOR-US: OpenCATS
 CVE-2021-41559 (Silverstripe silverstripe/framework 4.8.1 has a quadratic 
blowup in Co ...)
-   TODO: check
+   NOT-FOR-US: SilverStripe CMS
 CVE-2021-41558 (The set_user extension module before 3.0.0 for PostgreSQL 
allows Proce ...)
NOT-FOR-US: set_user extension for Postgres
 CVE-2021-41557 (Sofico Miles RIA 2020.2 Build 127964T is affected by Stored 
Cross Site ...)
@@ -54876,7 +54876,7 @@ CVE-2021-41508
 CVE-2021-41507
RESERVED
 CVE-2021-41506 (Xiaongmai AHB7008T-MH-V2, AHB7804R-ELS, AHB7804R-MH-V2, 
AHB7808R-MS-V2 ...)
-   TODO: check
+   NOT-FOR-US: Xiaongmai
 CVE-2021-41505
RESERVED
 CVE-2021-41504 (** UNSUPPORTED WHEN ASSIGNED ** An Elevated Privileges issue 
exists in ...)
@@ -57003,7 +57003,7 @@ CVE-2021-40665
 CVE-2021-40664
RESERVED
 CVE-2021-40663 (deep.assign npm package 0.0.0-alpha.0 is vulnerable to 
Improperly Cont ...)
-   TODO: check
+   NOT-FOR-US: Node deep.assign
 CVE-2021-40662 (A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 
allows atta ...)
NOT-FOR-US: Chamilo LMS
 CVE-2021-40661
@@ -57049,9 +57049,9 @@ CVE-2021-40645 (An SQL Injection vulnerability exists 
in glorylion JFinalOA as o
 CVE-2021-40644 (An SQL Injection vulnerability exists in oasys oa_system as of 
9/7/202 ...)
NOT-FOR-US: oasys Office Automation system
 CVE-2021-40643 (EyesOfNetwork before 07-07-2021 has a Remote Code Execution 
vulnerabil ...)
-   TODO: check
+   NOT-FOR-US: EyesOfNetwork (EON)
 CVE-2021-40642 (Textpattern CMS v4.8.7 and older vulnerability exists through 
Sensitiv ...)
-   TODO: check
+   NOT-FOR-US: Textpattern CMS
 CVE-2021-40641
RESERVED
 CVE-2021-40640
@@ -57153,7 +57153,7 @@ CVE-2021-40599
 CVE-2021-40598
RESERVED
 CVE-2021-40597 (The firmware of EDIMAX IC-3140W Version 3.11 is hardcoded with 
Adminis ...)
-   TODO: check
+   NOT-FOR-US: EDIMAX IC-3140W
 CVE-2021-40596 (SQL injection vulnerability in Login.php in sourcecodester 
Online Lear ...)
NOT-FOR-US: Sourcecodester
 CVE-2021-40595 (SQL injection vulnerability in Sourcecodester Online Leave 
Management  ...)
@@ -64418,7 +64418,7 @@ CVE-2021-37793
 CVE-2021-37792
RESERVED
 CVE-2021-37791 (MyAdmin v1.0 is affected by an incorrect access control 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: cdfan/my-admin
 CVE-2021-37790
RESERVED
 CVE-2021-37789
@@ -6,7 +6,7 @@ CVE-2021-37780
 CVE-2021-37779
RESERVED
 CVE-2021-37778 (There is a buffer overflow in gps-sdr-sim v1.0 when parsing 
long comma ...)
-   TODO: check
+   NOT-FOR-US: osqzss/gps-sdr-sim
 CVE-2021-3 (Gila CMS 2.2.0 is vulnerable to Insecure Direct Object 
Reference (IDOR ...)
NOT-FOR-US: Gila CMS
 CVE-2021-37776
@@ -64460,7 +64460,7 @@ CVE-2021-37772
 CVE-2021-37771
RESERVED
 CVE-2021-37770 (Nucleus CMS v3.71 is affected by a file upload vulnerability. 
In this  ...)
-   TODO: check
+   NOT-FOR-US: Nucleus CMS
 CVE-2021-37769
RESERVED
 CVE-2021-37768
@@ -65122,7 +65122,7 @@ CVE-2021-37526
 CVE-2021-37525
RESERVED
 CVE-2021-37524 (Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 
allows re ...)
-   TODO: check
+   NOT-FOR-US: FusionPBX
 CVE-2021-37523
RESERVED
 CVE-2021-37522
@@ -74822,7 +74822,7 @@ CVE-2021-33475
 CVE-2021-33474
RESERVED
 CVE-2021-33473 (An argument injection vulnerability in Dragonfly Ruby Gem 
v1.3.0 allow ...)
-   TODO: check
+   NOT-FOR-US: Dragonfly Ruby Gem
 CVE-2021-33472
RESERVED
 CVE-2021-33471



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1dd8f8bbd2f12ed362388e85f3735c9c12047c5



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-07-04 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ede8aad9 by Neil Williams at 2022-07-04T13:01:34+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -32513,13 +32513,13 @@ CVE-2022-23722 (When a password reset mechanism is 
configured to use the Authent
 CVE-2022-23721
RESERVED
 CVE-2022-23720 (PingID Windows Login prior to 2.8 does not alert or halt 
operation if  ...)
-   TODO: check
+   NOT-FOR-US: PingID Integration for Windows Login
 CVE-2022-23719 (PingID Windows Login prior to 2.8 does not authenticate 
communication  ...)
-   TODO: check
+   NOT-FOR-US: PingID Integration for Windows Login
 CVE-2022-23718 (PingID Windows Login prior to 2.8 uses known vulnerable 
components tha ...)
-   TODO: check
+   NOT-FOR-US: PingID Integration for Windows Login
 CVE-2022-23717 (PingID Windows Login prior to 2.8 is vulnerable to a denial of 
service ...)
-   TODO: check
+   NOT-FOR-US: PingID Integration for Windows Login
 CVE-2022-23716
RESERVED
 CVE-2022-23715
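Review bot: the four new annotations for CVE-2022-23717 through CVE-2022-23720 use `NOT-FOR-US: PingID Integration for Windows Login`, whereas CVE-2022-23725, whose text describes the same product ("PingID Windows Login prior to 2.8"), was marked `NOT-FOR-US: pingidentity` in commit 44d5ee5e; settle on one spelling so that all PingID Windows Login entries turn up together in a search of the list.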
@@ -56391,25 +56391,25 @@ CVE-2021-40903 (A vulnerability in Antminer Monitor 
0.50.0 exists because of bac
 CVE-2021-40902 (flatCore-CMS version 2.0.8 is affected by Cross Site Scripting 
(XSS) i ...)
NOT-FOR-US: flatCore CMS
 CVE-2021-40901 (A Regular Expression Denial of Service (ReDOS) vulnerability 
was disco ...)
-   TODO: check
+   NOT-FOR-US: Node scniro-validator
 CVE-2021-40900 (A Regular Expression Denial of Service (ReDOS) vulnerability 
was disco ...)
-   TODO: check
+   NOT-FOR-US: Jeyaprakash1206/regexfn
 CVE-2021-40899 (A Regular Expression Denial of Service (ReDOS) vulnerability 
was disco ...)
-   TODO: check
+   NOT-FOR-US: Node repo-git-downloader
 CVE-2021-40898 (A Regular Expression Denial of Service (ReDOS) vulnerability 
was disco ...)
-   TODO: check
+   NOT-FOR-US: Node scaffold-helper
 CVE-2021-40897 (A Regular Expression Denial of Service (ReDOS) vulnerability 
was disco ...)
-   TODO: check
+   NOT-FOR-US: Node split-html-to-chars
 CVE-2021-40896 (A Regular Expression Denial of Service (ReDOS) vulnerability 
was disco ...)
-   TODO: check
+   NOT-FOR-US: Node that-value
 CVE-2021-40895 (A Regular Expression Denial of Service (ReDOS) vulnerability 
was disco ...)
-   TODO: check
+   NOT-FOR-US: Node todo-regex
 CVE-2021-40894 (A Regular Expression Denial of Service (ReDOS) vulnerability 
was disco ...)
NOT-FOR-US: underscore-99xp
 CVE-2021-40893 (A Regular Expression Denial of Service (ReDOS) vulnerability 
was disco ...)
-   TODO: check
+   NOT-FOR-US: Node validate-data
 CVE-2021-40892 (A Regular Expression Denial of Service (ReDOS) vulnerability 
was disco ...)
-   TODO: check
+   NOT-FOR-US: Node validate-color
 CVE-2021-40891
RESERVED
 CVE-2021-40890



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ede8aad9afe5a551a13ce75d9d36e9a1cbe6d18b



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-07-04 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3514594c by Neil Williams at 2022-07-04T12:31:16+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -73258,11 +73258,11 @@ CVE-2021-34082 (OS Command Injection vulnerability in 
allenhwkim proctree throug
 CVE-2021-34081 (OS Command Injection vulnerability in bbultman gitsome through 
0.2.3 a ...)
NOT-FOR-US: Node bbultman gitsome
 CVE-2021-34080 (OS Command Injection vulnerability in es128 ssl-utils 1.0.0 
for Node.j ...)
-   TODO: check
+   NOT-FOR-US: Node ssl-utils
 CVE-2021-34079 (OS Command injection vulnerability in Mintzo Docker-Tester 
through 1.2 ...)
NOT-FOR-US: Mintzo Docker-Tester
 CVE-2021-34078 (lifion-verify-dependencies through 1.1.0 is vulnerable to OS 
command i ...)
-   TODO: check
+   NOT-FOR-US: Node lifion-verify-deps
 CVE-2021-34077
RESERVED
 CVE-2021-34076
@@ -74335,21 +74335,21 @@ CVE-2021-33656
 CVE-2021-33655
RESERVED
 CVE-2021-33654 (When performing the initialization operation of the Split 
operator, if ...)
-   TODO: check
+   NOT-FOR-US: Mindspore deep learning
 CVE-2021-33653 (When performing the derivation shape operation of the 
SpaceToBatch ope ...)
-   TODO: check
+   NOT-FOR-US: Mindspore deep learning
 CVE-2021-33652 (When the Reduce operator run operation is executed, if there 
is a valu ...)
-   TODO: check
+   NOT-FOR-US: Mindspore deep learning
 CVE-2021-33651 (When performing the analytical operation of the 
DepthwiseConv2D operat ...)
-   TODO: check
+   NOT-FOR-US: Mindspore deep learning
 CVE-2021-33650 (When performing the inference shape operation of the 
SparseToDense ope ...)
-   TODO: check
+   NOT-FOR-US: Mindspore deep learning
 CVE-2021-33649 (When performing the inference shape operation of the Transpose 
operato ...)
-   TODO: check
+   NOT-FOR-US: Mindspore deep learning
 CVE-2021-33648 (When performing the inference shape operation of Affine, 
Concat, MatMu ...)
-   TODO: check
+   NOT-FOR-US: Mindspore deep learning
 CVE-2021-33647 (When performing the inference shape operation of the Tile 
operator, if ...)
-   TODO: check
+   NOT-FOR-US: Mindspore deep learning
 CVE-2021-33646
RESERVED
 CVE-2021-33645



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3514594c546b9d85c092b070cec667b5ba0f8a0d



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-07-04 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b41af301 by Neil Williams at 2022-07-04T12:20:16+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -77544,7 +77544,7 @@ CVE-2021-32430
 CVE-2021-32429
RESERVED
 CVE-2021-32428 (SQL Injection vulnerability in viaviwebtech Android EBook App 
(Books A ...)
-   TODO: check
+   NOT-FOR-US: viaviwebtech Android eBook app
 CVE-2021-32427
RESERVED
 CVE-2021-32426 (In TrendNet TW100-S4W1CA 2.3.32, it is possible to inject 
arbitrary Ja ...)
@@ -88845,17 +88845,17 @@ CVE-2021-28153 (An issue was discovered in GNOME GLib 
before 2.66.8. When g_file
[buster] - glib2.0 2.58.3-2+deb10u3
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2325
 CVE-2021-3435 (Information leakage in le_ecred_conn_req(). Zephyr versions 
= v2.4 ...)
-   TODO: check
+   NOT-FOR-US: zephyr-rtos
 CVE-2021-3434 (Stack based buffer overflow in le_ecred_conn_req(). Zephyr 
versions  ...)
-   TODO: check
+   NOT-FOR-US: zephyr-rtos
 CVE-2021-3433 (Invalid channel map in CONNECT_IND results to Deadlock. Zephyr 
version ...)
-   TODO: check
+   NOT-FOR-US: zephyr-rtos
 CVE-2021-3432 (Invalid interval in CONNECT_IND leads to Division by Zero. 
Zephyr vers ...)
-   TODO: check
+   NOT-FOR-US: zephyr-rtos
 CVE-2021-3431 (Assertion reachable with repeated LL_FEATURE_REQ. Zephyr 
versions  ...)
-   TODO: check
+   NOT-FOR-US: zephyr-rtos
 CVE-2021-3430 (Assertion reachable with repeated LL_CONNECTION_PARAM_REQ. 
Zephyr vers ...)
-   TODO: check
+   NOT-FOR-US: zephyr-rtos
 CVE-2021-3429
RESERVED
{DLA-2601-1}
@@ -92496,17 +92496,17 @@ CVE-2021-26640
 CVE-2021-26639
RESERVED
 CVE-2021-26638 (Improper Authentication vulnerability in SD 
smarthome(smartcare)  ...)
-   TODO: check
+   NOT-FOR-US: SmartHome Android app
 CVE-2021-26637 (There is no account authentication and permission check logic 
in the f ...)
-   TODO: check
+   NOT-FOR-US: SiHAS devices
 CVE-2021-26636 (Stored XSS and SQL injection vulnerability in MaxBoard could 
lead to o ...)
-   TODO: check
+   NOT-FOR-US: Maxboard
 CVE-2021-26635 (In the code that verifies the file size in the ark library, it 
is poss ...)
-   TODO: check
+   NOT-FOR-US: bandisoft ark library
 CVE-2021-26634 (SQL injection and file upload attacks are possible due to 
insufficient ...)
-   TODO: check
+   NOT-FOR-US: Maxboard
 CVE-2021-26633 (SQL injection and Local File Inclusion (LFI) vulnerabilities 
in MaxBoa ...)
-   TODO: check
+   NOT-FOR-US: Maxboard
 CVE-2021-26632
RESERVED
 CVE-2021-26631 (Improper input validation vulnerability in Mangboard commerce 
package  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b41af3010e1b54b6b59f65e6a210dfea3959446c



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-07-04 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ebca431c by Neil Williams at 2022-07-04T09:34:51+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -604,7 +604,7 @@ CVE-2017-20125 (A vulnerability classified as critical was 
found in Online Hotel
 CVE-2017-20124 (A vulnerability classified as critical has been found in 
Online Hotel  ...)
NOT-FOR-US: WordPress plugin
 CVE-2017-20123 (A vulnerability was found in Viscosity 1.6.7. It has been 
classified a ...)
-   TODO: check
+   NOT-FOR-US: Viscosity on Windows and macOS
 CVE-2017-20122 (A vulnerability classified as problematic was found in Bitrix 
Site Man ...)
NOT-FOR-US: Bitrix Site Manager
 CVE-2022-34734
@@ -115345,7 +115345,7 @@ CVE-2020-28867
 CVE-2020-28866
RESERVED
 CVE-2020-28865 (An issue was discovered in PowerJob through 3.2.2, allows 
attackers to ...)
-   TODO: check
+   NOT-FOR-US: PowerJob
 CVE-2020-28864 (Buffer overflow in WinSCP 5.17.8 allows a malicious FTP server 
to caus ...)
NOT-FOR-US: WinSCP
 CVE-2020-28863
@@ -122274,7 +122274,7 @@ CVE-2020-27511 (An issue was discovered in the 
stripTags and unescapeHTML compon
 CVE-2020-27510
RESERVED
 CVE-2020-27509 (Persistent XSS in Galaxkey Secure Mail Client in Galaxkey up 
to 5.6.11 ...)
-   TODO: check
+   NOT-FOR-US: Galaxkey
 CVE-2020-27508 (In two-factor authentication, the system also sending 2fa 
secret key i ...)
NOT-FOR-US: Frappe Framework
 CVE-2020-27507
@@ -123737,7 +123737,7 @@ CVE-2020-26879 (Ruckus vRioT through 1.5.1.0.21 has 
an API backdoor that is hard
 CVE-2020-26878 (Ruckus through 1.5.1.0.21 is affected by remote command 
injection. An  ...)
NOT-FOR-US: Ruckus
 CVE-2020-26877 (ApiFest OAuth 2.0 Server 0.3.1 does not validate the redirect 
URI in a ...)
-   TODO: check
+   NOT-FOR-US: ApiFest OAuth 2.0
 CVE-2020-26876 (The wp-courses plugin through 2.0.27 for WordPress allows 
remote attac ...)
NOT-FOR-US: WordPress plugin
 CVE-2020-26875
@@ -127326,7 +127326,7 @@ CVE-2020-25461 (Invalid Memory Access in the 
fxProxyGetter function in moddable/
 CVE-2020-25460
RESERVED
 CVE-2020-25459 (An issue was discovered in function sync_tree in 
hetero_decision_tree_ ...)
-   TODO: check
+   NOT-FOR-US: FederatedAI/FATE
 CVE-2020-25458
RESERVED
 CVE-2020-25457
@@ -136856,7 +136856,7 @@ CVE-2020-21163
 CVE-2020-21162
RESERVED
 CVE-2020-21161 (Cross Site Scripting (XSS) vulnerability in Ruckus Wireless 
ZoneDirect ...)
-   TODO: check
+   NOT-FOR-US: Ruckus
 CVE-2020-21160
RESERVED
 CVE-2020-21159
@@ -137099,7 +137099,7 @@ CVE-2020-21048 (An issue in the dither.c component of 
libsixel prior to v1.8.4 a
 CVE-2020-21047
RESERVED
 CVE-2020-21046 (A local privilege escalation vulnerability was identified 
within the " ...)
-   TODO: check
+   NOT-FOR-US: EagleGet for Windows
 CVE-2020-21045
RESERVED
 CVE-2020-21044
@@ -139469,9 +139469,9 @@ CVE-2020-19899
 CVE-2020-19898
RESERVED
 CVE-2020-19897 (A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 
allows remot ...)
-   TODO: check
+   NOT-FOR-US: Wuzhicms
 CVE-2020-19896 (File inclusion vulnerability in Minicms v1.9 allows remote 
attackers t ...)
-   TODO: check
+   NOT-FOR-US: MiniCMS
 CVE-2020-19895
RESERVED
 CVE-2020-19894
@@ -166211,7 +166211,7 @@ CVE-2020-9756 (Patriot Viper RGB Driver 1.1 and prior 
exposes IOCTL and allows i
 CVE-2020-9755
RESERVED
 CVE-2020-9754 (NAVER Whale browser mobile app before 1.10.6.2 allows the 
attacker to  ...)
-   TODO: check
+   NOT-FOR-US: Whale Browser
 CVE-2020-9753 (Whale Browser Installer before 1.2.0.5 versions don't support 
signatur ...)
NOT-FOR-US: Whale Browser
 CVE-2020-9752 (Naver Cloud Explorer before 2.2.2.11 allows the attacker can 
move a lo ...)
@@ -177990,7 +177990,7 @@ CVE-2020-5182 (The J-BusinessDirectory extension 
before 5.2.9 for Joomla! allows
 CVE-2020-5181
RESERVED
 CVE-2020-5180 (Viscosity 1.8.2 on Windows and macOS allows an unprivileged 
user to se ...)
-   NOT-FOR-US: Viscosity on Widnows and macOS
+   NOT-FOR-US: Viscosity on Windows and macOS
 CVE-2019-20224 (netflow_get_stats in functions_netflow.php in Pandora FMS 
7.0NG allows ...)
NOT-FOR-US: Pandora FMS
 CVE-2019-20223 (In Support Incident Tracker (SiT!) 3.67, the id parameter is 
affected  ...)
@@ -425351,7 +425351,8 @@ CVE-2014-3650 (Multiple persistent cross-site 
scripting (XSS) flaws were found i
 CVE-2014-3649 (JBoss AeroGear has reflected XSS via the password field ...)
NOT-FOR-US: JBoss AeroGear
 CVE-2014-3648 (The simplepush server iterates through the application 
installations a ...)
-   TODO: check
+   NOTE: https://issues.redhat.com/browse/AEROGEAR-6091 
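Review bot: the `TODO: check` on CVE-2014-3648 is replaced by a NOTE only, so the entry is left with no triage state at all (neither a `NOT-FOR-US` line nor a package line) while the question is still open. The description names the simplepush server, and the neighbouring CVE-2014-3649 in this same hunk is marked `NOT-FOR-US: JBoss AeroGear`; if the same applies here, add `NOT-FOR-US: JBoss AeroGear` above the NOTE, otherwise keep `TODO: check` alongside the reference so the entry still shows up in the triage queue.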

[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-06-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aeac0582 by Neil Williams at 2022-06-11T14:29:38+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10773,13 +10773,13 @@ CVE-2022-29097
 CVE-2022-29096
RESERVED
 CVE-2022-29095 (Dell SupportAssist Client Consumer versions (3.10.4 and prior) 
and Del ...)
-   TODO: check
+   NOT-FOR-US: Dell SupportAssist
 CVE-2022-29094 (Dell SupportAssist Client Consumer versions (3.10.4 and 
versions prior ...)
-   TODO: check
+   NOT-FOR-US: Dell SupportAssist
 CVE-2022-29093 (Dell SupportAssist Client Consumer versions (3.10.4 and 
versions prior ...)
-   TODO: check
+   NOT-FOR-US: Dell SupportAssist
 CVE-2022-29092 (Dell SupportAssist Client Consumer versions (3.11.0 and 
versions prior ...)
-   TODO: check
+   NOT-FOR-US: Dell SupportAssist
 CVE-2022-29091 (Dell Unity, Dell UnityVSA, and Dell UnityXT versions prior to 
5.2.0.0. ...)
NOT-FOR-US: Dell
 CVE-2022-29090
@@ -12667,17 +12667,17 @@ CVE-2022-28388 (usb_8dev_start_xmit in 
drivers/net/can/usb/usb_8dev.c in the Lin
- linux 5.17.3-1
NOTE: 
https://git.kernel.org/linus/3d3925ff6433f98992685a9679613a2cc97f3ce2 (5.18-rc1)
 CVE-2022-28387 (An issue was discovered in certain Verbatim drives through 
2022-03-31. ...)
-   TODO: check
+   NOT-FOR-US: Verbatim USB drives
 CVE-2022-28386 (An issue was discovered in certain Verbatim drives through 
2022-03-31. ...)
-   TODO: check
+   NOT-FOR-US: Verbatim USB drives
 CVE-2022-28385 (An issue was discovered in certain Verbatim drives through 
2022-03-31. ...)
-   TODO: check
+   NOT-FOR-US: Verbatim USB drives
 CVE-2022-28384 (An issue was discovered in certain Verbatim drives through 
2022-03-31. ...)
-   TODO: check
+   NOT-FOR-US: Verbatim USB drives
 CVE-2022-28383 (An issue was discovered in certain Verbatim drives through 
2022-03-31. ...)
-   TODO: check
+   NOT-FOR-US: Verbatim USB drives
 CVE-2022-28382 (An issue was discovered in certain Verbatim drives through 
2022-03-31. ...)
-   TODO: check
+   NOT-FOR-US: Verbatim USB drives
 CVE-2022-1214
REJECTED
 CVE-2022-1213 (SSRF filter bypass port 80, 433 in GitHub repository 
livehelperchat/li ...)
@@ -20216,13 +20216,13 @@ CVE-2022-25809 (Improper Neutralization of audio 
output from 3rd and 4th Generat
 CVE-2022-25808
RESERVED
 CVE-2022-25807 (An issue was discovered in the IGEL Universal Management Suite 
(UMS) 6 ...)
-   TODO: check
+   NOT-FOR-US: IGEL UMS
 CVE-2022-25806 (An issue was discovered in the IGEL Universal Management Suite 
(UMS) 6 ...)
-   TODO: check
+   NOT-FOR-US: IGEL UMS
 CVE-2022-25805 (An issue was discovered in the IGEL Universal Management Suite 
(UMS) 6 ...)
-   TODO: check
+   NOT-FOR-US: IGEL UMS
 CVE-2022-25804 (An issue was discovered in the IGEL Universal Management Suite 
(UMS) 6 ...)
-   TODO: check
+   NOT-FOR-US: IGEL UMS
 CVE-2022-25803
RESERVED
 CVE-2022-25802
@@ -38723,41 +38723,41 @@ CVE-2022-21764
 CVE-2022-21763
RESERVED
 CVE-2022-21762 (In apusys driver, there is a possible system crash due to an 
integer o ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21761 (In apusys driver, there is a possible system crash due to an 
integer o ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21760 (In apusys driver, there is a possible system crash due to an 
integer o ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21759 (In power service, there is a possible out of bounds write due 
to a mis ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21758 (In ccu, there is a possible memory corruption due to a double 
free. Th ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21757 (In WIFI Firmware, there is a possible system crash due to a 
missing co ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21756 (In WLAN driver, there is a possible out of bounds read due to 
an incor ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21755 (In WLAN driver, there is a possible out of bounds read due to 
an incor ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21754 (In WLAN driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21753 (In WLAN driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek driver for Android
 CVE-2022-21752 (In WLAN driver, there is a possible out of bounds write due to 
a missi ...)
-   TODO: check
+   

[Git][security-tracker-team/security-tracker][master] CVE-2021-40592/gpac 2.0.0+dfsg1-2

2022-06-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b32e4357 by Neil Williams at 2022-06-11T14:06:33+01:00
CVE-2021-40592/gpac 2.0.0+dfsg1-2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -51765,7 +51765,9 @@ CVE-2021-40594
 CVE-2021-40593
RESERVED
 CVE-2021-40592 (GPAC version before commit 
71460d72ec07df766dab0a4d52687529f3efcf0a (v ...)
-   TODO: check
+   - gpac 2.0.0+dfsg1-2
+   NOTE: 
https://github.com/gpac/gpac/commit/71460d72ec07df766dab0a4d52687529f3efcf0a 
(v2.0.0)
+   NOTE: https://github.com/gpac/gpac/issues/1876
 CVE-2021-40591
RESERVED
 CVE-2021-40590
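Review bot: the fixed version is recorded as `gpac 2.0.0+dfsg1-2` while the NOTE tags the fix commit as part of v2.0.0; if an earlier 2.0.0+dfsg1 upload exists it already contains that commit and should be the version listed, otherwise a short NOTE saying why -2 is the first fixed upload would save the next triager the same check.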



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b32e43572564f2811aa3cff3a87990fe2bf22d2f



[Git][security-tracker-team/security-tracker][master] Fix CVE-2019-25067/libpod - refer to src pkg name

2022-06-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e616543f by Neil Williams at 2022-06-11T13:59:55+01:00
Fix CVE-2019-25067/libpod - refer to src pkg name

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1623,7 +1623,7 @@ CVE-2019-25069 (A vulnerability, which was classified as 
problematic, has been f
 CVE-2019-25068 (A vulnerability classified as critical was found in Axios 
Italia Axios ...)
NOT-FOR-US: Axios Italia Axios RE
 CVE-2019-25067 (A vulnerability, which was classified as critical, was found 
in Podman ...)
-   - podman 
+   - libpod 
NOTE: https://vuldb.com/?id.143949
NOTE: https://www.exploit-db.com/exploits/47500
NOTE: exploit demo script on client uses Python podman code which is 
not in Debian



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e616543f6c22202ca9100b3af87110596f59ed57



[Git][security-tracker-team/security-tracker][master] CVE-2019-25067/podman undetermined

2022-06-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
795f83ad by Neil Williams at 2022-06-11T13:45:06+01:00
CVE-2019-25067/podman undetermined

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1623,7 +1623,12 @@ CVE-2019-25069 (A vulnerability, which was classified as 
problematic, has been f
 CVE-2019-25068 (A vulnerability classified as critical was found in Axios 
Italia Axios ...)
NOT-FOR-US: Axios Italia Axios RE
 CVE-2019-25067 (A vulnerability, which was classified as critical, was found 
in Podman ...)
-   TODO: check
+   - podman 
+   NOTE: https://vuldb.com/?id.143949
+   NOTE: https://www.exploit-db.com/exploits/47500
+   NOTE: exploit demo script on client uses Python podman code which is 
not in Debian
+   NOTE: refers to old versions of remote code which were never uploaded 
to Debian
+   NOTE: unclear if the issue was ever reported upstream, could be 
Fedora/RedHat specific
 CVE-2019-25066 (A vulnerability has been found in ajenti 2.1.31 and classified 
as crit ...)
- ajenti  (bug #792019)
 CVE-2019-25065 (A vulnerability was found in OpenNetAdmin 18.1.1. It has been 
rated as ...)
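Review bot: the new package line `- podman ` ends right after the package name with no version or status marker, although the commit title says the issue is undetermined; angle-bracket tokens are easily lost when the mail is rendered, so confirm the committed line reads `- podman <undetermined>`, because a bare package line records no state for the tracker to act on. The NOTE lines explaining why (client-side demo script not in Debian, old remote code never uploaded, possibly Fedora/RedHat specific) are exactly the reasoning a later triager needs.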



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/795f83ad72599f69bbe743ef55b4ccc546304dda



[Git][security-tracker-team/security-tracker][master] CVE-2021-40589/zangband unfixed, non-free

2022-06-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b8615b1f by Neil Williams at 2022-06-11T13:10:02+01:00
CVE-2021-40589/zangband unfixed, non-free

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -51764,7 +51764,8 @@ CVE-2021-40591
 CVE-2021-40590
RESERVED
 CVE-2021-40589 (ZAngband zangband-data 2.7.5 is affected by an integer 
underflow vulne ...)
-   TODO: check
+   - zangband 
+   NOTE: https://sourceforge.net/p/zangband/bugs/671/
 CVE-2021-40588
RESERVED
 CVE-2021-40587
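Review bot: `- zangband ` shows no status marker after the package name, while the commit title says the issue is unfixed in a non-free package; verify the committed line is `- zangband <unfixed>` so the tracker lists the issue as open rather than as a bare package reference. The sourceforge bug link is the right pointer for an unfixed issue, since it is where any upstream fix will land.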



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8615b1f70efc9026e74797d556add9a07c257dc



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-06-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
21dfe9df by Neil Williams at 2022-06-11T12:57:38+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3098,7 +3098,7 @@ CVE-2020-36525 (A vulnerability classified as problematic 
has been found in Link
 CVE-2020-36524 (A vulnerability was found in Refined Toolkit. It has been 
rated as pro ...)
NOT-FOR-US: Atlassian
 CVE-2020-36523 (A vulnerability was found in PlantUML 6.43. It has been 
declared as pr ...)
-   TODO: check
+   NOT-FOR-US: Atlassian PlantUML plugin
 CVE-2022-31749
RESERVED
 CVE-2022-31748
@@ -59539,7 +59539,7 @@ CVE-2021-37591
 CVE-2021-37590
RESERVED
 CVE-2021-37589 (Virtua Cobranca before 12R allows SQL Injection on the login 
page. ...)
-   TODO: check
+   NOT-FOR-US: Virtua Cobranca
 CVE-2021-37588 (In Charm 0.43, any two users can collude to achieve the 
ability to dec ...)
NOT-FOR-US: Charm
 CVE-2021-37587 (In Charm 0.43, any single user can decrypt DAC-MACS or 
MA-ABE-YJ14 dat ...)
@@ -67825,13 +67825,13 @@ CVE-2021-34085 (Read access violation in the 
III_dequantize_sample function in m
NOTE: Vulnerable code removed in 
https://sourceforge.net/p/mp3gain/code/ci/aea83203960fc6d3237b1ae38e8434ec8681b21a/
 (v1.6.0)
NOTE: 
https://drive.google.com/drive/folders/1epm65c4_iC0zE5V_leoet4Jyk1Prz2p5?usp=sharing
 CVE-2021-34084 (OS command injection vulnerability in Turistforeningen 
node-s3-uploade ...)
-   TODO: check
+   NOT-FOR-US: Node s3-uploader
 CVE-2021-34083 (Google-it is a Node.js package which allows its users to send 
search q ...)
-   TODO: check
+   NOT-FOR-US: Node google-it
 CVE-2021-34082 (OS Command Injection vulnerability in allenhwkim proctree 
through 0.1. ...)
-   TODO: check
+   NOT-FOR-US: Node proctree
 CVE-2021-34081 (OS Command Injection vulnerability in bbultman gitsome through 
0.2.3 a ...)
-   TODO: check
+   NOT-FOR-US: Node bbultman gitsome
 CVE-2021-34080 (OS Command Injection vulnerability in es128 ssl-utils 1.0.0 
for Node.j ...)
TODO: check
 CVE-2021-34079 (OS Command injection vulnerability in Mintzo Docker-Tester 
through 1.2 ...)
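Review bot: CVE-2021-34080 (OS command injection in es128 ssl-utils for Node.js) is left as `TODO: check` while the four sibling Node.js command-injection CVEs directly above it in this hunk are closed as NOT-FOR-US in the same commit; if it is not packaged in Debian either, it belongs in the same triage pass. Minor style point: `NOT-FOR-US: Node bbultman gitsome` includes the GitHub owner where the other three entries use the bare package name (`Node s3-uploader`, `Node google-it`, `Node proctree`); pick one convention.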
@@ -69885,7 +69885,7 @@ CVE-2021-33256 (** DISPUTED ** A CSV injection 
vulnerability on the login panel
 CVE-2021-33255
RESERVED
 CVE-2021-33254 (An issue was discovered in src/http/httpLib.c in EmbedThis 
Appweb Comm ...)
-   TODO: check
+   NOT-FOR-US: AppWeb HTTP server
 CVE-2021-33253
RESERVED
 CVE-2021-33252



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21dfe9df1ad9609fcd63c757b67d8a12d224fc16



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-06-11 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b4e7922e by Neil Williams at 2022-06-11T12:32:04+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1625,7 +1625,7 @@ CVE-2019-25068 (A vulnerability classified as critical 
was found in Axios Italia
 CVE-2019-25067 (A vulnerability, which was classified as critical, was found 
in Podman ...)
TODO: check
 CVE-2019-25066 (A vulnerability has been found in ajenti 2.1.31 and classified 
as crit ...)
-   TODO: check
+   - ajenti  (bug #792019)
 CVE-2019-25065 (A vulnerability was found in OpenNetAdmin 18.1.1. It has been 
rated as ...)
NOT-FOR-US: OpenNetAdmin
 CVE-2018-25044
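Review bot: `- ajenti  (bug #792019)` has a double space before the bug reference, which is where a status marker normally sits; check the committed line, since the hunk as shown records a bug number but no state for the package.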
@@ -3090,13 +3090,13 @@ CVE-2021-46812
 CVE-2021-46811
RESERVED
 CVE-2020-36527 (A vulnerability, which was classified as problematic, has been 
found i ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-36526 (A vulnerability classified as problematic was found in 
Countdown Timer ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-36525 (A vulnerability classified as problematic has been found in 
Linking. T ...)
NOT-FOR-US: Linking
 CVE-2020-36524 (A vulnerability was found in Refined Toolkit. It has been 
rated as pro ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-36523 (A vulnerability was found in PlantUML 6.43. It has been 
declared as pr ...)
TODO: check
 CVE-2022-31749
@@ -147801,7 +147801,7 @@ CVE-2020-14127
 CVE-2020-14126
RESERVED
 CVE-2020-14125 (A denial of service vulnerability exists in some Xiaomi models 
of phon ...)
-   TODO: check
+   NOT-FOR-US: Xiaomi
 CVE-2020-14124 (There is a buffer overflow in librsa.so called by 
getwifipwdurl interf ...)
NOT-FOR-US: Xiaomi
 CVE-2020-14123 (There is a pointer double free vulnerability in Some MIUI 
Services. Wh ...)
@@ -214661,9 +214661,9 @@ CVE-2019-10001
 CVE-2019-1
RESERVED
 CVE-2019-9972 (PhoneSystem Terminal in 3CX Phone System (Debian based 
installation) 1 ...)
-   TODO: check
+   NOT-FOR-US: 3CX Phone System
 CVE-2019-9971 (PhoneSystem Terminal in 3CX Phone System (Debian based 
installation) 1 ...)
-   TODO: check
+   NOT-FOR-US: 3CX Phone System
 CVE-2019-9970 (Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the 
Signal ...)
- signal-desktop  (bug #842943)
 CVE-2019-9969 (XnView Classic 2.48 on Windows allows remote attackers to cause 
a deni ...)
@@ -249133,7 +249133,7 @@ CVE-2018-17242
 CVE-2018-17241
RESERVED
 CVE-2018-17240 (There is a memory dump vulnerability on Netwave IP camera 
devices at / ...)
-   TODO: check
+   NOT-FOR-US: Netwave IP camera
 CVE-2018-17239
RESERVED
 CVE-2018-17238



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4e7922ed8d71a669eb3224e9a9c6752f0f79e9d



[Git][security-tracker-team/security-tracker][master] Process some NFUs & nextcloud-server itp

2022-06-01 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
38ebda5c by Neil Williams at 2022-06-01T11:40:13+01:00
Process some NFUs & nextcloud-server itp

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7863,7 +7863,7 @@ CVE-2022-29378
 CVE-2022-29377 (Totolink A3600R V4.1.2cu.5182_B20201102 was discovered to 
contain a st ...)
NOT-FOR-US: TOTOLINK
 CVE-2022-29376 (Xampp for Windows v8.1.4 and below was discovered to contain 
insecure  ...)
-   TODO: check
+   NOT-FOR-US: XAMPP for Windows
 CVE-2022-29375
RESERVED
 CVE-2022-29374
@@ -8216,7 +8216,7 @@ CVE-2022-29260
 CVE-2022-29259
RESERVED
 CVE-2022-29258 (XWiki Platform Filter UI provides a generic user interface to 
convert  ...)
-   TODO: check
+   NOT-FOR-US: XWiki
 CVE-2022-29257
RESERVED
 CVE-2022-29256 (sharp is an application for Node.js image processing. Prior to 
version ...)
@@ -8243,11 +8243,11 @@ CVE-2022-29247
 CVE-2022-29246 (Azure RTOS USBX is a USB host, device, and on-the-go (OTG) 
embedded st ...)
NOT-FOR-US: Microsoft
 CVE-2022-29245 (SSH.NET is a Secure Shell (SSH) library for .NET. In versions 
2020.0.0 ...)
-   TODO: check
+   NOT-FOR-US: SSH.NET
 CVE-2022-29244
RESERVED
 CVE-2022-29243 (Nextcloud Server is the file server software for Nextcloud, a 
self-hos ...)
-   TODO: check
+   - nextcloud-server  (bug #941708)
 CVE-2022-29242 (GOST engine is a reference implementation of the Russian GOST 
crypto a ...)
- libengine-gost-openssl1.1 
NOTE: 
https://github.com/gost-engine/engine/security/advisories/GHSA-2rmw-8wpg-vgw5
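Review bot: `- nextcloud-server  (bug #941708)` has a double space before the bug reference where the `itp` status from the commit title would sit; make sure the committed line is `- nextcloud-server <itp> (bug #941708)`, otherwise the ITP bug number is attached to a package line with no state.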
@@ -8306,7 +8306,7 @@ CVE-2022-29221 (Smarty is a template engine for PHP, 
facilitating the separation
NOTE: 
https://github.com/smarty-php/smarty/commit/64ad6442ca1da31cefdab5c9874262b702cccddd
 (v4.1.1)
NOTE: 
https://github.com/smarty-php/smarty/commit/3606c4717ed6348e114a610ff1e446048dcd0345
 (v3.1.45)
 CVE-2022-29220 (github-action-merge-dependabot is an action that automatically 
approve ...)
-   TODO: check
+   NOT-FOR-US: github-action-merge-dependabot
 CVE-2022-29219 (Lodestar is a TypeScript implementation of the Ethereum 
Consensus spec ...)
NOT-FOR-US: chainsafe/lodestar
 CVE-2022-29218 (RubyGems is a package registry used to supply software for the 
Ruby la ...)
@@ -17618,7 +17618,7 @@ CVE-2022-25881
 CVE-2022-25879
RESERVED
 CVE-2022-25878 (The package protobufjs before 6.11.3 are vulnerable to 
Prototype Pollu ...)
-   TODO: check
+   NOT-FOR-US: protobufjs/protobuf.js
 CVE-2022-25877
RESERVED
 CVE-2022-25876



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38ebda5cffd9c0f436ee825cca1fa3ccc1cd2b52



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-06-01 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
50b2c6b9 by Neil Williams at 2022-06-01T11:17:57+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -36984,13 +36984,13 @@ CVE-2021-44100
 CVE-2021-44099
RESERVED
 CVE-2021-44098 (EGavilan Media Expense-Management-System 1.0 is vulnerable to 
SQL Inje ...)
-   TODO: check
+   NOT-FOR-US: EgavilanMedia
 CVE-2021-44097 (EGavilan Media Contact-Form-With-Messages-Entry-Management 1.0 
is vuln ...)
-   TODO: check
+   NOT-FOR-US: EgavilanMedia
 CVE-2021-44096 (EGavilan Media 
User-Registration-and-Login-System-With-Admin-Panel 1.0 ...)
-   TODO: check
+   NOT-FOR-US: EgavilanMedia
 CVE-2021-44095 (Project Worlds Official Hospital Management System in php 1.0 
is vulne ...)
-   TODO: check
+   NOT-FOR-US: projectworldsofficial/hospital-management-system-in-php
 CVE-2021-44094 (ZrLog 2.2.2 has a remote command execution vulnerability at 
plugin dow ...)
NOT-FOR-US: zrlog
 CVE-2021-44093 (A Remote Command Execution vulnerability on the background in 
zrlog 2. ...)
@@ -37020,7 +37020,7 @@ CVE-2021-44082 (textpattern 4.8.7 is vulnerable to 
Cross Site Scripting (XSS) vi
 CVE-2021-44081 (A buffer overflow vulnerability exists in the AMF of open5gs 
2.1.4. Wh ...)
NOT-FOR-US: Open5GS
 CVE-2021-44080 (A Command Injection vulnerability in httpd web server 
(setup.cgi) in S ...)
-   TODO: check
+   NOT-FOR-US: SerComm h500s
 CVE-2021-4001 (A race condition was found in the Linux kernel's ebpf verifier 
between ...)
- linux 5.15.5-1
[bullseye] - linux 5.10.84-1
@@ -39910,7 +39910,7 @@ CVE-2021-43514
 CVE-2021-43513
RESERVED
 CVE-2021-43512 (An issue was discovered in FlightRadar24 v8.9.0, v8.10.0, 
v8.10.2, v8. ...)
-   TODO: check
+   NOT-FOR-US: FlightRadar24 for Android
 CVE-2021-43511
RESERVED
 CVE-2021-43510 (SQL Injection vulnerability exists in Sourcecodester Simple 
Client Man ...)
@@ -42522,7 +42522,7 @@ CVE-2021-42874
 CVE-2021-42873
RESERVED
 CVE-2021-42872 (TOTOLINK EX1200T V4.1.2cu.5215 is affected by a command 
injection vuln ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2021-42871
RESERVED
 CVE-2021-42870 (ACCEL-PPP 1.12.0 has an out-of-bounds read in post_msg when 
processing ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50b2c6b9a870f1467178d40529f02e1c5c656f9d



[Git][security-tracker-team/security-tracker][master] CVE-2021-42201-4/swftools removed

2022-06-01 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2aa0a89d by Neil Williams at 2022-06-01T11:04:02+01:00
CVE-2021-42201-4/swftools removed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -45438,13 +45438,17 @@ CVE-2021-42206
 CVE-2021-42205
RESERVED
 CVE-2021-42204 (An issue was discovered in swftools through 20201222. A 
heap-buffer-ov ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/169
 CVE-2021-42203 (An issue was discovered in swftools through 20201222. A 
heap-use-after ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/176
 CVE-2021-42202 (An issue was discovered in swftools through 20201222. A NULL 
pointer d ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/171
 CVE-2021-42201 (An issue was discovered in swftools through 20201222. A 
heap-buffer-ov ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/175
 CVE-2021-42200 (An issue was discovered in swftools through 20201222. A NULL 
pointer d ...)
- swftools 
NOTE: https://github.com/matthiaskramm/swftools/issues/170
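Review bot: the four new `- swftools ` lines, like the existing CVE-2021-42200 line below them, carry no marker after the package name although the commit title says the package is removed; confirm each committed line reads `- swftools <removed>`. The per-CVE upstream issue links (169, 176, 171, 175) are distinct and map one-to-one onto the CVEs, which is what a reader needs to verify each entry.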



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2aa0a89dd16d462b7dd56455ed617a7d34e533fb



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-06-01 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ff0919f by Neil Williams at 2022-06-01T11:02:14+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -50564,7 +50564,7 @@ CVE-2021-40188 (PHPFusion 9.03.110 is affected by an 
arbitrary file upload vulne
 CVE-2021-40187
RESERVED
 CVE-2021-40186 (The AppCheck research team identified a Server-Side Request 
Forgery (S ...)
-   TODO: check
+   NOT-FOR-US: DNN
 CVE-2021-40185
RESERVED
 CVE-2021-40184
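Review bot: "NOT-FOR-US: DNN" names a product that the visible description for CVE-2021-40186 does not mention ("The AppCheck research team identified a Server-Side Request Forgery (S ..."), so the NFU rests on the full advisory rather than on the text in this file; spelling it out as "DNN (DotNetNuke)" would make the entry findable by either name and would record why it was dismissed.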
@@ -58844,7 +58844,7 @@ CVE-2021-36892
 CVE-2021-36891
RESERVED
 CVE-2021-36890 (Cross-Site Request Forgery (CSRF) vulnerability in Social 
Share Button ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-36889 (Multiple Stored Authenticated Cross-Site Scripting (XSS) 
vulnerabiliti ...)
NOT-FOR-US: WordPress plugin
 CVE-2021-36888 (Unauthenticated Arbitrary Options Update vulnerability leading 
to full ...)
@@ -58892,7 +58892,7 @@ CVE-2021-36868
 CVE-2021-36867 (Stored Cross-Site Scripting (XSS) vulnerability in Alexander 
Ustimenko ...)
NOT-FOR-US: WordPress plugin
 CVE-2021-36866 (Authenticated (author or higher role) Stored Cross-Site 
Scripting (XSS ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-36865
RESERVED
 CVE-2021-36864
@@ -67000,7 +67000,7 @@ CVE-2021-33506 (jitsi-meet-prosody in Jitsi Meet before 
2.0.5963-1 does not ensu
 CVE-2021-33505 (A local malicious user can circumvent the Falco detection 
engine throu ...)
- falco  (bug #842306)
 CVE-2021-33504 (Couchbase Server before 7.1.0 has Incorrect Access Control. 
...)
-   TODO: check
+   NOT-FOR-US: Couchbase Server
 CVE-2021-33503 (An issue was discovered in urllib3 before 1.26.5. When 
provided with a ...)
- python-urllib3 1.26.5-1~exp1 (bug #989848)
[buster] - python-urllib3  (Minor issue)
@@ -69504,7 +69504,7 @@ CVE-2021-32548 (It was discovered that read_file() in 
apport/hookutils.py would
 CVE-2021-32547 (It was discovered that read_file() in apport/hookutils.py 
would follow ...)
NOT-FOR-US: Apport
 CVE-2021-32546 (Missing input validation in internal/db/repo_editor.go in Gogs 
before  ...)
-   TODO: check
+   NOT-FOR-US: Go Git Service
 CVE-2021-32545 (Pexip Infinity before 26 allows remote denial of service 
because of mi ...)
NOT-FOR-US: Pexip Infinity
 CVE-2021-32544 (Special characters of IGT search function in igt+ are not 
filtered in  ...)
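Review bot: the description for CVE-2021-32546 names the product as "Gogs", but the label uses the expanded name "Go Git Service"; NFU labels are what later triage greps for, so match the name in the description ("NOT-FOR-US: Gogs"), as the neighbouring entries do ("NOT-FOR-US: Pexip Infinity", "NOT-FOR-US: Apport").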
@@ -82082,7 +82082,7 @@ CVE-2021-27780 (The software may be vulnerable to both 
Un-Auth XML interaction a
 CVE-2021-27779 (VersionVault Express exposes sensitive information that an 
attacker ca ...)
NOT-FOR-US: HCL
 CVE-2021-27778 (HCL Traveler is vulnerable to a cross-site scripting (XSS) 
caused by i ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2021-2 (XML External Entity (XXE) injection vulnerabilities occur when 
poorly  ...)
NOT-FOR-US: HCL
 CVE-2021-27776
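Review bot: the unchanged context line "CVE-2021-2 (XML External Entity (XXE) injection vulnerabilities occur when" does not carry a well-formed CVE identifier as rendered here, sitting between CVE-2021-27778 and CVE-2021-27776; confirm the committed file has the full id on that line, since a truncated id would break parsing of that block. The HCL label added for CVE-2021-27778 matches its neighbours.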



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ff0919fc0c786bbf9f01a9ce9d7b2a05349e9d0



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-06-01 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cbaceb03 by Neil Williams at 2022-06-01T10:40:12+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4455,9 +4455,9 @@ CVE-2022-1662
RESERVED
NOT-FOR-US: Red Hat convert2rhel
 CVE-2022-1661 (The affected products are vulnerable to directory traversal, 
which may ...)
-   TODO: check
+   NOT-FOR-US: Keysight N6854A and N6841A
 CVE-2022-1660 (The affected products are vulnerable of untrusted data due to 
deserial ...)
-   TODO: check
+   NOT-FOR-US: Keysight N6854A and N6841A
 CVE-2022-1659
RESERVED
 CVE-2022-1658
@@ -5110,9 +5110,9 @@ CVE-2022-30298
 CVE-2022-29509
RESERVED
 CVE-2022-29483 (Incorrect Default Permissions vulnerability in ABB e-Design 
allows att ...)
-   TODO: check
+   NOT-FOR-US: ABB e-Design
 CVE-2022-28702 (Incorrect Default Permissions vulnerability in ABB e-Design 
allows att ...)
-   TODO: check
+   NOT-FOR-US: ABB e-Design
 CVE-2022-1615
RESERVED
 CVE-2022-1614
@@ -9108,7 +9108,7 @@ CVE-2022-28947
 CVE-2022-28946 (An issue in the component ast/parser.go of Open Policy Agent 
v0.39.0 c ...)
NOT-FOR-US: Open Policy Agent
 CVE-2022-28945 (An issue in Webbank WeCube v3.2.2 allows attackers to execute 
a direct ...)
-   TODO: check
+   NOT-FOR-US: Webbank WeCube
 CVE-2022-28944 (Certain EMCO Software products are affected by: CWE-494: 
Download of C ...)
NOT-FOR-US: EMCO
 CVE-2022-28943
@@ -9436,7 +9436,7 @@ CVE-2022-28801
 CVE-2022-28800
RESERVED
 CVE-2022-28799 (The TikTok application before 23.8.4 for Android allows 
account takeov ...)
-   TODO: check
+   NOT-FOR-US: TikTok Android app
 CVE-2022-28798
RESERVED
 CVE-2022-28797
@@ -10047,7 +10047,7 @@ CVE-2022-28607
 CVE-2022-28606 (An arbitrary file upload vulnerability exists in Wenzhou 
Huoyin Inform ...)
NOT-FOR-US: BossCMS
 CVE-2022-28605 (LinkPlay Sound Bar v1.0 allows attackers to escalate 
privileges via a  ...)
-   TODO: check
+   NOT-FOR-US: LinkPlay Sound Bar
 CVE-2022-28604
RESERVED
 CVE-2022-28603
@@ -21707,7 +21707,7 @@ CVE-2022-24583
 CVE-2022-24582 (Accounting Journal Management 1.0 is vulnerable to 
XSS-PHPSESSID-Hijac ...)
NOT-FOR-US: Accounting Journal Management
 CVE-2022-24581 (ACEweb Online Portal 3.5.065 allows unauthenticated SMB hash 
capture v ...)
-   TODO: check
+   NOT-FOR-US: ACEweb Online Portal
 CVE-2022-24580
RESERVED
 CVE-2022-24579
@@ -27207,7 +27207,7 @@ CVE-2022-23084
 CVE-2022-23083 (NetMaster 12.2 Network Management for TCP/IP and NetMaster 
File Transf ...)
NOT-FOR-US: NetMaster
 CVE-2022-23082 (In CureKit versions v1.0.1 through v1.1.3 are vulnerable to 
path trave ...)
-   TODO: check
+   NOT-FOR-US: WhiteSource CureKit
 CVE-2022-23081
RESERVED
 CVE-2022-23080



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbaceb033033ce5a5a43593cf29a05ecb948bbfd



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-06-01 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8edab209 by Neil Williams at 2022-06-01T09:58:03+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19639,7 +19639,7 @@ CVE-2022-25239
 CVE-2022-25238
RESERVED
 CVE-2022-25237 (Bonita Web 2021.2 is affected by a 
authentication/authorization bypass ...)
-   TODO: check
+   NOT-FOR-US: Bonita Web
 CVE-2022-25236 (xmlparse.c in Expat (aka libexpat) before 2.4.5 allows 
attackers to in ...)
{DSA-5085-1 DLA-2935-1}
- expat 2.4.5-1 (bug #1005895)
@@ -20442,7 +20442,7 @@ CVE-2022-24969
 CVE-2022-24968 (In Mellium mellium.im/xmpp through 0.21.0, an attacker capable 
of spoo ...)
NOT-FOR-US: Mellium
 CVE-2022-24967 (Black Rainbow NIMBUS before 3.7.0 allows stored Cross-site 
Scripting ( ...)
-   TODO: check
+   NOT-FOR-US: Black Rainbow NIMBUS
 CVE-2022-24966
RESERVED
 CVE-2022-24965
@@ -21268,11 +21268,11 @@ CVE-2022-0557 (OS Command Injection in Packagist 
microweber/microweber prior to
 CVE-2022-24703
RESERVED
 CVE-2022-24702 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in 
WinAPRS 2.9 ...)
-   TODO: check
+   NOT-FOR-US: WinAPRS
 CVE-2022-24701 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in 
WinAPRS 2.9 ...)
-   TODO: check
+   NOT-FOR-US: WinAPRS
 CVE-2022-24700 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in 
WinAPRS 2.9 ...)
-   TODO: check
+   NOT-FOR-US: WinAPRS
 CVE-2022-0556 (A local privilege escalation vulnerability caused by incorrect 
permiss ...)
NOT-FOR-US: Zyxel
 CVE-2022-0555
@@ -22842,13 +22842,13 @@ CVE-2022-24243
 CVE-2022-24242
RESERVED
 CVE-2022-24241 (ACEweb Online Portal 3.5.065 was discovered to contain an 
External Con ...)
-   TODO: check
+   NOT-FOR-US: ACEweb Online Portal
 CVE-2022-24240 (ACEweb Online Portal 3.5.065 was discovered to contain a SQL 
injection ...)
-   TODO: check
+   NOT-FOR-US: ACEweb Online Portal
 CVE-2022-24239 (ACEweb Online Portal 3.5.065 was discovered to contain an 
unrestricted ...)
-   TODO: check
+   NOT-FOR-US: ACEweb Online Portal
 CVE-2022-24238 (ACEweb Online Portal 3.5.065 was discovered to contain a 
cross-site sc ...)
-   TODO: check
+   NOT-FOR-US: ACEweb Online Portal
 CVE-2022-24237 (The snaptPowered2 component of Snapt Aria v12.8 was discovered 
to cont ...)
NOT-FOR-US: Snapt Aria
 CVE-2022-24236 (An insecure permissions vulnerability in Snapt Aria v12.8 
allows unaut ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8edab209fa6db8f7618a6bc3d1d81a6bdbf62da7



[Git][security-tracker-team/security-tracker][master] Process Cisco NFUs

2022-06-01 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
47758d52 by Neil Williams at 2022-06-01T09:40:12+01:00
Process Cisco NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41181,9 +41181,9 @@ CVE-2022-20809 (Multiple vulnerabilities in the API and 
web-based management int
 CVE-2022-20808
RESERVED
 CVE-2022-20807 (Multiple vulnerabilities in the API and web-based management 
interface ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20806 (Multiple vulnerabilities in the API and web-based management 
interface ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20805 (A vulnerability in the automatic decryption process in Cisco 
Umbrella  ...)
NOT-FOR-US: Cisco
 CVE-2022-20804 (A vulnerability in the Cisco Discovery Protocol of Cisco 
Unified Commu ...)
@@ -41193,7 +41193,7 @@ CVE-2022-20803
- clamav  (Only affects 0.104.x)
NOTE: 
https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
 CVE-2022-20802 (A vulnerability in the web interface of Cisco Enterprise Chat 
and Emai ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20801 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
NOT-FOR-US: Cisco
 CVE-2022-20800
@@ -41203,7 +41203,7 @@ CVE-2022-20799 (Multiple vulnerabilities in the 
web-based management interface o
 CVE-2022-20798
RESERVED
 CVE-2022-20797 (A vulnerability in the web-based management interface of Cisco 
Secure  ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20796 (On May 4, 2022, the following vulnerability in the ClamAV 
scanning lib ...)
- clamav 0.103.6+dfsg-1
[bullseye] - clamav  (clamav is updated via -updates)
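Review bot: this hunk labels CVE-2022-20797 while sitting next to ClamAV entries that carry Cisco-assigned ids and are tracked for Debian (CVE-2022-20796 with "- clamav 0.103.6+dfsg-1" here, CVE-2022-20803 with "- clamav  (Only affects 0.104.x)" in the previous hunk), so the Cisco CNA range is not uniformly NOT-FOR-US; when bulk-processing the remaining "TODO: check" lines in this range, read each description for ClamAV or Snort before applying the label. The change as committed leaves those entries untouched, which is correct.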
@@ -41283,7 +41283,7 @@ CVE-2022-20767 (A vulnerability in the Snort rule 
evaluation function of Cisco F
 CVE-2022-20766
RESERVED
 CVE-2022-20765 (A vulnerability in the web applications of Cisco UCS Director 
could al ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20764 (Multiple vulnerabilities in the web engine of Cisco 
TelePresence Colla ...)
NOT-FOR-US: Cisco
 CVE-2022-20763 (A vulnerability in the login authorization components of Cisco 
Webex M ...)
@@ -41470,23 +41470,23 @@ CVE-2022-20676 (A vulnerability in the Tool Command 
Language (Tcl) interpreter o
 CVE-2022-20675 (A vulnerability in the TCP/IP stack of Cisco Email Security 
Appliance  ...)
NOT-FOR-US: Cisco
 CVE-2022-20674 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20673 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20672 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20671 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20670 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20669 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20668 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20667 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20666 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20665 (A vulnerability in the CLI of Cisco StarOS could allow an 
authenticate ...)
NOT-FOR-US: Cisco
 CVE-2022-20664



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47758d52f0f9f64ed46911d11e6462234a6f4022



[Git][security-tracker-team/security-tracker][master] 2 commits: Process some NFUs

2022-06-01 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5afb2f6 by Neil Williams at 2022-06-01T09:23:57+01:00
Process some NFUs

- - - - -
ca083b92 by Neil Williams at 2022-06-01T09:23:59+01:00
CVE-2021-42195 to 42200 / swftools removed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -45431,17 +45431,23 @@ CVE-2021-42202 (An issue was discovered in swftools 
through 20201222. A NULL poi
 CVE-2021-42201 (An issue was discovered in swftools through 20201222. A 
heap-buffer-ov ...)
TODO: check
 CVE-2021-42200 (An issue was discovered in swftools through 20201222. A NULL 
pointer d ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/170
 CVE-2021-42199 (An issue was discovered in swftools through 20201222. A heap 
buffer ov ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/173
 CVE-2021-42198 (An issue was discovered in swftools through 20201222. A NULL 
pointer d ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/168
 CVE-2021-42197 (An issue was discovered in swftools through 20201222 through a 
memory  ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/177
 CVE-2021-42196 (An issue was discovered in swftools through 20201222. A NULL 
pointer d ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/172
 CVE-2021-42195 (An issue was discovered in swftools through 20201222. A 
heap-buffer-ov ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/174
 CVE-2021-42194 (The wechat_return function in /controller/Index.php of EyouCms 
V1.5.4- ...)
NOT-FOR-US: Eyoucms
 CVE-2021-42193
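Review bot: as rendered, the six new package lines "- swftools " end at the package name; a bare package name is not a complete entry, so confirm a version or status token (<unfixed>) follows it in the committed file. The issue mapping is not in CVE order (42200 -> 170, 42199 -> 173, 42198 -> 168, 42197 -> 177, 42196 -> 172, 42195 -> 174), so check each NOTE against its description before relying on it. CVE-2021-42201 at the top of the hunk is part of the same swftools batch and still reads "TODO: check" after this commit.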
@@ -64899,7 +64905,7 @@ CVE-2021-34362 (A command injection vulnerability has 
been reported to affect QN
 CVE-2021-34361 (A cross-site scripting (XSS) vulnerability has been reported 
to affect ...)
NOT-FOR-US: QNAP
 CVE-2021-34360 (A cross-site request forgery (CSRF) vulnerability has been 
reported to ...)
-   TODO: check
+   NOT-FOR-US: QNAP
 CVE-2021-34359 (A cross-site scripting (XSS) vulnerability has been reported 
to affect ...)
NOT-FOR-US: QNAP
 CVE-2021-34358 (We have already fixed this vulnerability in the following 
versions of  ...)
@@ -67806,7 +67812,7 @@ CVE-2021-33188
 CVE-2021-33187
RESERVED
 CVE-2021-3555 (A Buffer Overflow vulnerability in the RSTP server component of 
Eufy I ...)
-   TODO: check
+   NOT-FOR-US: Eufy 2K Indoor Camera
 CVE-2021-33186 (SerenityOS in test-crypto.cpp contains a stack buffer overflow 
which c ...)
NOT-FOR-US: SerenityOS
 CVE-2021-33185 (SerenityOS contains a buffer overflow in the set_range test in 
TestBit ...)
@@ -82055,9 +82061,9 @@ CVE-2021-27783 (User generated PPKG file for Bulk 
Enroll may have unencrypted se
 CVE-2021-27782
RESERVED
 CVE-2021-27781 (The Master operator may be able to embed script tag in HTML 
with alert ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2021-27780 (The software may be vulnerable to both Un-Auth XML interaction 
and una ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2021-27779 (VersionVault Express exposes sensitive information that an 
attacker ca ...)
NOT-FOR-US: HCL
 CVE-2021-27778 (HCL Traveler is vulnerable to a cross-site scripting (XSS) 
caused by i ...)
@@ -111864,7 +111870,7 @@ CVE-2020-28248 (An integer overflow in the 
PngImg::InitStorage_() function of pn
 CVE-2020-28247 (The lettre library through 0.10.0-alpha for Rust allows 
arbitrary send ...)
NOT-FOR-US: Node lettre
 CVE-2020-28246 (A Server-Side Template Injection (SSTI) was discovered in 
Form.io 2.0. ...)
-   TODO: check
+   NOT-FOR-US: Form.io
 CVE-2020-28245
RESERVED
 CVE-2020-28244
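Review bot: the unchanged context line above the change labels CVE-2020-28247 as "NOT-FOR-US: Node lettre" although its description says "The lettre library through 0.10.0-alpha for Rust"; the label is wrong on ecosystem and would hide the entry from anyone reviewing Rust crates. Worth a drive-by fix to "NOT-FOR-US: Rust lettre", after first checking whether a rust-lettre source package exists in the archive, in which case the entry needs a package line instead of an NFU. The Form.io change itself is fine.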



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/319de1caf6b84b2c71fc6396c987139109a99ce4...ca083b9281bf89f6449a0c24e850b74fb677b122



[Git][security-tracker-team/security-tracker][master] CVE-2022-21831 & CVE-2022-22577 in rails

2022-05-27 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e51505dc by Neil Williams at 2022-05-27T12:58:17+01:00
CVE-2022-21831 & CVE-2022-22577 in rails

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27852,7 +27852,9 @@ CVE-2022-22579 (An information disclosure issue was 
addressed with improved stat
 CVE-2022-22578 (A logic issue was addressed with improved validation. This 
issue is fi ...)
NOT-FOR-US: Apple
 CVE-2022-22577 (An XSS Vulnerability in Action Pack = 5.2.0 and  5.2.0 
that co ...)
-   TODO: check
+   - rails  (bug #1011941)
+   NOTE: 
https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
+   NOTE: 
https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec 
(6-1-stable)
 CVE-2022-22576 (An improper authentication vulnerability exists in curl 7.33.0 
to and  ...)
- curl 7.83.0-1 (bug #1010295)
NOTE: https://curl.se/docs/CVE-2022-22576.html
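Review bot: "- rails  (bug #1011941)" shows no version or status token between the package name and the bug reference as rendered; confirm <unfixed> is present in the committed line. The entry also has no [bullseye] or [buster] line yet: the description range starts at Action Pack 5.2.0 (the comparison operators are missing in this rendering), so if the rails versions in those suites fall inside it, each needs a triage line (severity or no-dsa) once the linked 6-1-stable commit has been assessed for backporting.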
@@ -33349,7 +33351,9 @@ CVE-2021-44832 (Apache Log4j2 versions 2.0-beta7 
through 2.17.0 (excluding secur
 CVE-2022-21832
RESERVED
 CVE-2022-21831 (A code injection vulnerability exists in the Active Storage 
= v5.2 ...)
-   TODO: check
+   - rails  (bug #1011940)
+   NOTE: https://github.com/advisories/GHSA-w749-p3v6-hccq
+   NOTE: 
https://github.com/rails/rails/commit/b0b5eaf477c907819ead1808d09bfaae3eb4cc54 
(6-1-stable)
 CVE-2022-21830 (A blind self XSS vulnerability exists in RocketChat LiveChat 
v1.9  ...)
NOT-FOR-US: Rocket.Chat.Livechat
 CVE-2022-21829
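Review bot: same missing-token question for "- rails  (bug #1011940)" as in the first hunk. The NOTE records the GitHub advisory and the 6-1-stable backport only; since the description range starts at Active Storage 5.2 (operator lost in this rendering), also recording the first fixed upstream releases from the advisory next to the backport commit would let the suite annotations be derived later without re-reading the advisory.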



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e51505dc06f826df1da13c3c3a0fe5d8b2d6f373



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-05-27 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
39f29214 by Neil Williams at 2022-05-27T12:38:42+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8606,7 +8606,7 @@ CVE-2022-1264
 CVE-2022-1262 (A command injection vulnerability in the protest binary allows 
an atta ...)
NOT-FOR-US: D-Link Routers
 CVE-2022-1261 (Matrikon, a subsidary of Honeywell Matrikon OPC Server (all 
versions)  ...)
-   TODO: check
+   NOT-FOR-US: MatrikonOPC
 CVE-2022-1260
RESERVED
 CVE-2022-1259
@@ -33357,7 +33357,7 @@ CVE-2022-21829
 CVE-2022-21828 (A user with high privilege access to the Incapptic Connect web 
console ...)
NOT-FOR-US: Ivanti
 CVE-2022-21827 (An improper privilege vulnerability has been discovered in 
Citrix Gate ...)
-   TODO: check
+   NOT-FOR-US: Citrix
 CVE-2022-21826
RESERVED
 CVE-2022-21825 (An Improper Access Control vulnerability exists in Citrix 
Workspace Ap ...)
@@ -39932,7 +39932,7 @@ CVE-2022-20823
 CVE-2022-20822
RESERVED
 CVE-2022-20821 (A vulnerability in the health check RPM of Cisco IOS XR 
Software could ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20820
RESERVED
 CVE-2022-20819
@@ -39956,7 +39956,7 @@ CVE-2022-20811
 CVE-2022-20810
RESERVED
 CVE-2022-20809 (Multiple vulnerabilities in the API and web-based management 
interface ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2022-20808
RESERVED
 CVE-2022-20807



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39f2921417ec0564ccbcb59b8660c67f04f968f2



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-05-27 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4108bdf6 by Neil Williams at 2022-05-27T12:27:30+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13933,7 +13933,7 @@ CVE-2022-26867
 CVE-2022-26866
RESERVED
 CVE-2022-26865 (Dell Support Assist OS Recovery versions before 5.5.2 contain 
an Authe ...)
-   TODO: check
+   NOT-FOR-US: Dell SupportAssist
 CVE-2022-26864
RESERVED
 CVE-2022-26863
@@ -13949,7 +13949,7 @@ CVE-2022-26859
 CVE-2022-26858
RESERVED
 CVE-2022-26857 (Dell OpenManage Enterprise Versions 3.8.3 and prior contain an 
imprope ...)
-   TODO: check
+   NOT-FOR-US: Dell OpenManage Enterprise
 CVE-2022-26856 (Dell EMC Repository Manager version 3.4.0 contains a 
plain-text passwo ...)
NOT-FOR-US: EMC
 CVE-2022-26855 (Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an 
incorrect d ...)
@@ -20801,7 +20801,7 @@ CVE-2022-24424 (Dell EMC AppSync versions from 3.9 to 
4.3 contain a path travers
 CVE-2022-24423 (Dell EMC iDRAC8 versions 2.81.81 and earlier contain a denial 
of servi ...)
NOT-FOR-US: EMC
 CVE-2022-24422 (Dell iDRAC9 versions 5.00.00.00 and later but prior to 
5.10.10.00, con ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2022-24421 (Dell BIOS contains an improper input validation vulnerability. 
A local ...)
NOT-FOR-US: Dell
 CVE-2022-24420 (Dell BIOS contains an improper input validation vulnerability. 
A local ...)
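Review bot: the new label for CVE-2022-24422 (Dell iDRAC9) is "NOT-FOR-US: Dell", while the adjacent unchanged entry for CVE-2022-24423 (Dell EMC iDRAC8) is "NOT-FOR-US: EMC" and CVE-2022-24421 (Dell BIOS) is "NOT-FOR-US: Dell"; both iDRAC descriptions name Dell, so pick one vendor label for the iDRAC pair so that two entries for the same product line do not diverge.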
@@ -20809,9 +20809,9 @@ CVE-2022-24420 (Dell BIOS contains an improper input 
validation vulnerability. A
 CVE-2022-24419 (Dell BIOS contains an improper input validation vulnerability. 
A local ...)
NOT-FOR-US: Dell
 CVE-2022-24418 (Dell BIOS contains an improper input validation vulnerability. 
A local ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2022-24417 (Dell BIOS contains an improper input validation vulnerability. 
A local ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2022-24416 (Dell BIOS contains an improper input validation vulnerability. 
A local ...)
NOT-FOR-US: Dell
 CVE-2022-24415 (Dell BIOS contains an improper input validation vulnerability. 
A local ...)
@@ -27626,15 +27626,15 @@ CVE-2021-4200 (A Improper Privilege Management 
vulnerability in SUSE Rancher all
 CVE-2022-22677
RESERVED
 CVE-2022-22676 (An event handler validation issue in the XPC Services API was 
addresse ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-22675 (An out-of-bounds write issue was addressed with improved 
bounds checki ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-22674 (An out-of-bounds read issue existed that led to the disclosure 
of kern ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-22673 (This issue was addressed with improved checks. This issue is 
fixed in  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-22672 (A memory corruption issue was addressed with improved memory 
handling. ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-22671 (An authentication issue was addressed with improved state 
management.  ...)
NOT-FOR-US: Apple
 CVE-2022-22670 (An access issue was addressed with improved access 
restrictions. This  ...)
@@ -27652,9 +27652,9 @@ CVE-2022-22665 (A logic issue was addressed with 
improved validation. This issue
 CVE-2022-22664 (An out-of-bounds read was addressed with improved bounds 
checking. Thi ...)
NOT-FOR-US: Apple
 CVE-2022-22663 (This issue was addressed with improved checks to prevent 
unauthorized  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-22662 (A cookie management issue was addressed with improved state 
management ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-22661 (A type confusion issue was addressed with improved state 
handling. Thi ...)
NOT-FOR-US: Apple
 CVE-2022-22660 (This issue was addressed with a new entitlement. This issue is 
fixed i ...)
@@ -27770,7 +27770,7 @@ CVE-2022-22618 (This issue was addressed with improved 
checks. This issue is fix
 CVE-2022-22617 (A logic issue was addressed with improved state management. 
This issue ...)
NOT-FOR-US: Apple
 CVE-2022-22616 (This issue was addressed with improved checks. This issue is 
fixed in  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-22615 (A use after free issue was addressed with improved memory 
management.  ...)
NOT-FOR-US: Apple
 CVE-2022-22614 (A use after free issue was addressed with improved memory 
management.  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4108bdf6fe924a4749a5356ead23c2e861f78dd2


[Git][security-tracker-team/security-tracker][master] 2 commits: Process some Apple NFUs

2022-05-27 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d0120aa by Neil Williams at 2022-05-27T12:00:21+01:00
Process some Apple NFUs

- - - - -
78f25c1c by Neil Williams at 2022-05-27T12:09:01+01:00
Process some Apple NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14233,37 +14233,37 @@ CVE-2022-0890 (NULL Pointer Dereference in GitHub 
repository mruby/mruby prior t
NOTE: https://huntr.dev/bounties/68e09ec1-6cc7-48b8-981d-30f478c70276/
NOTE: 
https://github.com/mruby/mruby/commit/da48e7dbb20024c198493b8724adae1b842083aa
 CVE-2022-26776 (This issue was addressed with improved checks. This issue is 
fixed in  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26775 (An integer overflow was addressed with improved input 
validation. This ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26774 (A logic issue was addressed with improved state management. 
This issue ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26773 (A logic issue was addressed with improved state management. 
This issue ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26772 (A memory corruption issue was addressed with improved state 
management ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26771 (A memory corruption issue was addressed with improved state 
management ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26770 (An out-of-bounds read issue was addressed with improved input 
validati ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26769 (A memory corruption issue was addressed with improved input 
validation ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26768 (A memory corruption issue was addressed with improved state 
management ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26767 (The issue was addressed with additional permissions checks. 
This issue ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26766 (A certificate parsing issue was addressed with improved 
checks. This i ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26765 (A race condition was addressed with improved state handling. 
This issu ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26764 (A memory corruption issue was addressed with improved 
validation. This ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26763 (An out-of-bounds access issue was addressed with improved 
bounds check ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26762
RESERVED
 CVE-2022-26761 (A memory corruption issue was addressed with improved memory 
handling. ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26760
RESERVED
 CVE-2022-26759
@@ -14271,11 +14271,11 @@ CVE-2022-26759
 CVE-2022-26758
RESERVED
 CVE-2022-26757 (A use after free issue was addressed with improved memory 
management.  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26756 (An out-of-bounds write issue was addressed with improved input 
validat ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26755 (This issue was addressed with improved environment 
sanitization. This  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26754 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
NOT-FOR-US: Apple
 CVE-2022-26753 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
@@ -14283,23 +14283,23 @@ CVE-2022-26753 (A buffer overflow issue was addressed 
with improved memory handl
 CVE-2022-26752 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
NOT-FOR-US: Apple
 CVE-2022-26751 (A memory corruption issue was addressed with improved input 
validation ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26750 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
NOT-FOR-US: Apple
 CVE-2022-26749 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
NOT-FOR-US: Apple
 CVE-2022-26748 (An out-of-bounds write issue was addressed with improved input 
validat ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26747 (This issue was addressed with improved checks. This issue is 
fixed in  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26746 (This issue was addressed by removing the vulnerable code. This 
issue i ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26745 (A memory corruption issue was addressed with improved 
validation. This ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26744 (A memory corruption issue was addressed with improved state 
management ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26743 (An out-of-bounds write issue was addressed with improved 
bounds checki ...)
-   

[Git][security-tracker-team/security-tracker][master] Undo incomplete change for CVE-2021-42859

2022-05-27 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
73426cf4 by Neil Williams at 2022-05-27T11:51:31+01:00
Undo incomplete change for CVE-2021-42859

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41320,7 +41320,7 @@ CVE-2021-42861
 CVE-2021-42860 (A stack buffer overflow exists in Mini-XML v3.2. When 
inputting an unf ...)
TODO: check
 CVE-2021-42859 (A memory leak issue was discovered in Mini-XML v3.2 that could 
cause a ...)
-   - mxml
+   TODO: check
 CVE-2021-42858
RESERVED
 CVE-2021-42857 (It was discovered that the SteelCentral AppInternals Dynamic 
Sampling  ...)
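Review bot: the revert puts CVE-2021-42859 back to TODO: check but records nothing about why "- mxml" was incomplete; a NOTE stating what is still undetermined (whether the Mini-XML v3.2 memory leak is present in the packaged version, plus the upstream reference) would keep the lookup done in commit dc2da96b, shown further down this page, from being repeated.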



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73426cf4c582421b2d5474b55b35a7f016efdb71

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Process some Apple NFUs

2022-05-27 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
97abd286 by Neil Williams at 2022-05-27T11:47:03+01:00
Process some Apple NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14277,17 +14277,17 @@ CVE-2022-26756 (An out-of-bounds write issue was 
addressed with improved input v
 CVE-2022-26755 (This issue was addressed with improved environment 
sanitization. This  ...)
TODO: check
 CVE-2022-26754 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26753 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26752 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26751 (A memory corruption issue was addressed with improved input 
validation ...)
TODO: check
 CVE-2022-26750 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26749 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26748 (An out-of-bounds write issue was addressed with improved input 
validat ...)
TODO: check
 CVE-2022-26747 (This issue was addressed with improved checks. This issue is 
fixed in  ...)
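Review bot: this hunk leaves CVE-2022-26755, CVE-2022-26751 and CVE-2022-26748 at TODO: check while the entries around them, which carry the same Apple advisory wording, become NOT-FOR-US: Apple; if they were held back on purpose, a NOTE line saying why would tell the next triager what is still open (a later commit at the top of this page does convert them).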
@@ -14301,19 +14301,19 @@ CVE-2022-26744 (A memory corruption issue was 
addressed with improved state mana
 CVE-2022-26743 (An out-of-bounds write issue was addressed with improved 
bounds checki ...)
TODO: check
 CVE-2022-26742 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26741 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26740 (An out-of-bounds write issue was addressed with improved 
bounds checki ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26739 (An out-of-bounds write issue was addressed with improved 
bounds checki ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26738 (An out-of-bounds write issue was addressed with improved 
bounds checki ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26737 (An out-of-bounds write issue was addressed with improved 
bounds checki ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26736 (An out-of-bounds write issue was addressed with improved 
bounds checki ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26735
RESERVED
 CVE-2022-26734
@@ -14323,83 +14323,83 @@ CVE-2022-26733
 CVE-2022-26732
RESERVED
 CVE-2022-26731 (A logic issue was addressed with improved state management. 
This issue ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26730
RESERVED
 CVE-2022-26729
RESERVED
 CVE-2022-26728 (This issue was addressed with improved entitlements. This 
issue is fix ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26727 (This issue was addressed with improved entitlements. This 
issue is fix ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26726 (This issue was addressed with improved checks. This issue is 
fixed in  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26725 (A logic issue was addressed with improved state management. 
This issue ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26724 (An authentication issue was addressed with improved state 
management.  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26723 (A memory corruption issue was addressed with improved input 
validation ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26722 (A memory initialization issue was addressed. This issue is 
fixed in Se ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26721 (A memory initialization issue was addressed. This issue is 
fixed in Se ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26720 (An out-of-bounds write issue was addressed with improved 
bounds checki ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26719
RESERVED
 CVE-2022-26718 (An out-of-bounds read issue was addressed with improved input 
validati ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26717
RESERVED
 CVE-2022-26716
RESERVED
 CVE-2022-26715 (An out-of-bounds write issue was addressed with improved 
bounds checki ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26714 (A memory corruption issue was addressed with improved 
validation. This ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2022-26713
RESERVED
 CVE-2022-26712 (This issue was addressed by removing the vulnerable code. This 
issue 

[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-05-27 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dc2da96b by Neil Williams at 2022-05-27T11:15:03+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41320,7 +41320,7 @@ CVE-2021-42861
 CVE-2021-42860 (A stack buffer overflow exists in Mini-XML v3.2. When 
inputting an unf ...)
TODO: check
 CVE-2021-42859 (A memory leak issue was discovered in Mini-XML v3.2 that could 
cause a ...)
-   TODO: check
+   - mxml
 CVE-2021-42858
RESERVED
 CVE-2021-42857 (It was discovered that the SteelCentral AppInternals Dynamic 
Sampling  ...)
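Review bot: "- mxml" is added here with no bug number and no NOTE, and the "Undo incomplete change for CVE-2021-42859" commit above reverts it; when a CVE is attached to a package, land the bug reference and the upstream advisory NOTE in the same commit, as the smarty and pyjwt entries on this page do, so the association does not have to be undone.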
@@ -41783,7 +41783,7 @@ CVE-2021-42694 (** DISPUTED ** An issue was discovered 
in the character definiti
 CVE-2021-42693
RESERVED
 CVE-2021-42692 (There is a stack-overflow vulnerability in tinytoml v0.4 that 
can caus ...)
-   TODO: check
+   NOT-FOR-US: mayah/tinytoml
 CVE-2021-42691
RESERVED
 CVE-2021-42690
@@ -49053,7 +49053,7 @@ CVE-2021-40319
 CVE-2021-40318
RESERVED
 CVE-2021-40317 (Piwigo 11.5.0 is affected by a SQL injection vulnerability via 
admin.p ...)
-   TODO: check
+   - piwigo 
 CVE-2021-40316
RESERVED
 CVE-2021-40315
@@ -66976,11 +66976,11 @@ CVE-2021-33018 (The use of a broken or risky 
cryptographic algorithm in Philips
 CVE-2021-33017 (The standard access path of the IntelliBridge EC 40 and 60 Hub 
(C.00.0 ...)
NOT-FOR-US: Philips
 CVE-2021-33016 (An attacker can gain full access (read/write/delete) to 
sensitive fold ...)
-   TODO: check
+   NOT-FOR-US: Kuka
 CVE-2021-33015 (Cscape (All Versions prior to 9.90 SP5) lacks proper 
validation of use ...)
NOT-FOR-US: Cscape
 CVE-2021-33014 (An attacker can gain VxWorks Shell after login due to 
hard-coded crede ...)
-   TODO: check
+   NOT-FOR-US: Kuka
 CVE-2021-33013 (mySCADA myPRO versions prior to 8.20.0 does not restrict 
unauthorized  ...)
NOT-FOR-US: mySCADA myPRO
 CVE-2021-33012 (Rockwell Automation MicroLogix 1100, all versions, allows a 
remote, un ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc2da96b1974599f1937f53a7e7297b329469a62



[Git][security-tracker-team/security-tracker][master] Angular is the replacement for angular.js

2022-05-27 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2cddbf30 by Neil Williams at 2022-05-27T10:47:50+01:00
Angular is the replacement for angular.js

angular.js is not affected, vulnerable code is not present
No ITP/RFP exists for angular/angular
Angular is not a drop-in replacement for angular.js,
migrations in reverse deps would be required.
Node/NPM upstream ceased support for angularJS in Jan 2022.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -369,7 +369,8 @@ CVE-2022-1889
 CVE-2022-1888
RESERVED
 CVE-2021-4231 (A vulnerability was found in Angular up to 
11.0.4/11.1.0-next.2. It ha ...)
-   TODO: check
+   NOT-FOR-US: angular/angular - replacement for deprecated angularjs
+   NOTE: AngularJS upstream support has officially ended as of January 2022
 CVE-2022-31619
RESERVED
 CVE-2022-1887
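Review bot: the commit message gives the actual reason angular.js is unaffected (the vulnerable code is not present, and angular/angular has no ITP/RFP), but the hunk only adds a NOTE about the end of AngularJS upstream support; put that reasoning into the NOTE lines as well, since the data file rather than the git log is what the tracker and later triagers read.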



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cddbf30bc8450e059b0232f3810a9a35310b053



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-05-27 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d187fd97 by Neil Williams at 2022-05-27T10:20:16+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -72255,39 +72255,39 @@ CVE-2021-31012
 CVE-2021-31011
REJECTED
 CVE-2021-31010 (A deserialization issue was addressed through improved 
validation. Thi ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-31009 (Multiple issues were addressed by removing HDF5. This issue is 
fixed i ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-31008 (A type confusion issue was addressed with improved memory 
handling. Th ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-31007 (Description: A permissions issue was addressed with improved 
validatio ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-31006 (Description: A permissions issue was addressed with improved 
validatio ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-31005 (Description: A logic issue was addressed with improved state 
managemen ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-31004 (A race condition was addressed with improved locking. This 
issue is fi ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-31003
REJECTED
 CVE-2021-31002
REJECTED
 CVE-2021-31001 (An access issue was addressed with improved access 
restrictions. This  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-31000 (A permissions issue was addressed with improved validation. 
This issue ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-30999 (The issue was addressed with improved permissions logic. This 
issue is ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-30998 (A S/MIME issue existed in the handling of encrypted email. 
This issue  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-30997 (A S/MIME issue existed in the handling of encrypted email. 
This issue  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-30996 (A race condition was addressed with improved state handling. 
This issu ...)
NOT-FOR-US: Apple
 CVE-2021-30995 (A race condition was addressed with improved state handling. 
This issu ...)
NOT-FOR-US: Apple
 CVE-2021-30994 (An access issue was addressed with improved access 
restrictions. This  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-30993 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
NOT-FOR-US: Apple
 CVE-2021-30992 (This issue was addressed with improved handling of file 
metadata. This ...)
@@ -72355,7 +72355,7 @@ CVE-2021-30964 (An inherited permissions issue was 
addressed with additional res
 CVE-2021-30963 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
NOT-FOR-US: Apple
 CVE-2021-30962 (A memory initialization issue was addressed with improved 
memory handl ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-30961 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
NOT-FOR-US: Apple
 CVE-2021-30960 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
@@ -72367,7 +72367,7 @@ CVE-2021-30958 (An out-of-bounds read was addressed 
with improved input validati
 CVE-2021-30957 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
NOT-FOR-US: Apple
 CVE-2021-30956 (A lock screen issue allowed access to contacts on a locked 
device. Thi ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-30955 (A race condition was addressed with improved state handling. 
This issu ...)
NOT-FOR-US: Apple
 CVE-2021-30954 (A type confusion issue was addressed with improved memory 
handling. Th ...)
@@ -72407,9 +72407,9 @@ CVE-2021-30946 (A logic issue was addressed with 
improved restrictions. This iss
 CVE-2021-30945 (This issue was addressed with improved checks. This issue is 
fixed in  ...)
NOT-FOR-US: Apple
 CVE-2021-30944 (Description: A logic issue was addressed with improved state 
managemen ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-30943 (An issue in the handling of group membership was resolved with 
improve ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-30942 (Description: A memory corruption issue in the processing of 
ICC profil ...)
NOT-FOR-US: Apple
 CVE-2021-30941 (A buffer overflow issue was addressed with improved memory 
handling. T ...)
@@ -72437,7 +72437,7 @@ CVE-2021-30934 (A buffer overflow issue was addressed 
with improved memory handl
- wpewebkit 2.34.4-1
NOTE: https://webkitgtk.org/security/WSA-2022-0001.html
 CVE-2021-30933 (A race condition was addressed with improved state handling. 
This issu ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2021-30932 (The issue was addressed with 
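Review bot: CVE-2021-30933 is marked NOT-FOR-US: Apple directly below CVE-2021-30934, which the context lines show tracked against wpewebkit 2.34.4-1 with a WSA-2022-0001 NOTE; confirm CVE-2021-30933 is not also listed in that WebKitGTK advisory before closing it as not for us.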

[Git][security-tracker-team/security-tracker][master] CVE-2022-29221/smarty3, smarty4 unfixed 1011757 & 1011758

2022-05-26 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60519131 by Neil Williams at 2022-05-26T13:36:57+01:00
CVE-2022-29221/smarty3, smarty4 unfixed 1011757 & 1011758

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6987,7 +6987,14 @@ CVE-2022-29222 (Pion DTLS is a Go implementation of 
Datagram Transport Layer Sec
NOTE: 
https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412 
(v2.1.5)
NOTE: https://github.com/pion/dtls/releases/tag/v2.1.5
 CVE-2022-29221 (Smarty is a template engine for PHP, facilitating the 
separation of pr ...)
-   TODO: check
+   - smarty4  (bug #1011757)
+   - smarty3  (bug #1011758)
+   - smarty 
+   NOTE: 
https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c
+   NOTE: 
https://github.com/smarty-php/smarty/commit/64ad6442ca1da31cefdab5c9874262b702cccddd
 (v4.1.1)
+   NOTE: 
https://github.com/smarty-php/smarty/commit/3606c4717ed6348e114a610ff1e446048dcd0345
 (support/3.1)
+   NOTE: https://github.com/smarty-php/smarty/releases/tag/v3.1.45
+   NOTE: https://github.com/smarty-php/smarty/releases/tag/v4.1.1
 CVE-2022-29220
RESERVED
 CVE-2022-29219 (Lodestar is a TypeScript implementation of the Ethereum 
Consensus spec ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60519131a471301873410fc5f773c260326c7f2c



[Git][security-tracker-team/security-tracker][master] CVE-2022-29361/python-werkzeug undetermined, disputed upstream

2022-05-26 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52ee35b4 by Neil Williams at 2022-05-26T14:22:13+01:00
CVE-2022-29361/python-werkzeug undetermined, disputed upstream

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6589,7 +6589,9 @@ CVE-2022-29363 (Phpok v6.1 was discovered to contain a 
deserialization vulnerabi
 CVE-2022-29362 (A cross-site scripting (XSS) vulnerability in 
/navigation/create?Paren ...)
NOT-FOR-US: ZKEACMS
 CVE-2022-29361 (Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 
and below ...)
-   TODO: check
+   - python-werkzeug 
+   TODO: upstream disputes this as a misfiled CVE
+   NOTE: https://github.com/pallets/werkzeug/issues/2420
 CVE-2022-29360
RESERVED
 CVE-2022-29359 (A stored cross-site scripting (XSS) vulnerability in 
/scas/?page=clubs ...)
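Review bot: the package line lists python-werkzeug as affected while the TODO directly under it says upstream disputes the CVE as misfiled, and the entry does not say which of the two should win; state in the TODO what would resolve it (the CVE being rejected or reassigned, or the issue being confirmed against the packaged version) and keep the pallets/werkzeug issue 2420 NOTE as the evidence.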



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52ee35b4baf112d84cfe6f67ba5a867c979f96a8



[Git][security-tracker-team/security-tracker][master] CVE-2022-29358/epub2txt2 itp 1004115

2022-05-26 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bf6ec3c0 by Neil Williams at 2022-05-26T14:10:32+01:00
CVE-2022-29358/epub2txt2 itp 1004115

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6595,7 +6595,7 @@ CVE-2022-29360
 CVE-2022-29359 (A stored cross-site scripting (XSS) vulnerability in 
/scas/?page=clubs ...)
NOT-FOR-US: School Club Application System
 CVE-2022-29358 (epub2txt2 v2.04 was discovered to contain an integer overflow 
via the  ...)
-   TODO: check
+   - epub2txt2  (bug #1004115)
 CVE-2022-29357
RESERVED
 CVE-2022-29356



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf6ec3c039652ca31763525b046bf0a3a8abc42b



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-05-26 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7de3cb9d by Neil Williams at 2022-05-26T14:00:00+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6613,7 +6613,7 @@ CVE-2022-29351 (An arbitrary file upload vulnerability in 
the file upload module
 CVE-2022-29350
RESERVED
 CVE-2022-29349 (kkFileView v4.0.0 was discovered to contain a cross-site 
scripting (XS ...)
-   TODO: check
+   NOT-FOR-US: kkFileview
 CVE-2022-29348
RESERVED
 CVE-2022-29347 (An arbitrary file upload vulnerability in Web@rchiv 1.0 allows 
attacke ...)
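Review bot: the NOT-FOR-US label spells the project "kkFileview" while the description in the same hunk spells it "kkFileView"; use the upstream spelling so that searches of the list for the product name match all of its entries.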
@@ -6647,15 +6647,15 @@ CVE-2022-29339 (In GPAC 2.1-DEV-rev87-g053aae8-master, 
function BS_ReadByte() in
 CVE-2022-29338
RESERVED
 CVE-2022-29337 (C-DATA FD702XW-X-R430 v2.1.13_X001 was discovered to contain a 
command ...)
-   TODO: check
+   NOT-FOR-US: CDATA
 CVE-2022-29336
RESERVED
 CVE-2022-29335
RESERVED
 CVE-2022-29334 (An issue in H v1.0 allows attackers to bypass authentication 
via a ses ...)
-   TODO: check
+   NOT-FOR-US: SiJiDo/H
 CVE-2022-29333 (A vulnerability in CyberLink Power Director v14 allows 
attackers to es ...)
-   TODO: check
+   NOT-FOR-US: CyberLink PowerDirector
 CVE-2022-29332 (D-LINK DIR-825 AC1200 R2 is vulnerable to Directory Traversal. 
An atta ...)
NOT-FOR-US: D-LINK
 CVE-2022-29331
@@ -6711,7 +6711,7 @@ CVE-2022-29307 (IonizeCMS v1.0.8.1 was discovered to 
contain a command injection
 CVE-2022-29306 (IonizeCMS v1.0.8.1 was discovered to contain a SQL injection 
vulnerabi ...)
NOT-FOR-US: Ionize CMS
 CVE-2022-29305 (imgurl v2.31 was discovered to contain a Blind SQL injection 
vulnerabi ...)
-   TODO: check
+   NOT-FOR-US: imgURL
 CVE-2022-29304 (Online Sports Complex Booking System 1.0 is vulnerable to SQL 
Injectio ...)
NOT-FOR-US: Sourcecodester Online Sports Complex Booking System
 CVE-2022-29303 (SolarView Compact ver.6.00 was discovered to contain a command 
injecti ...)
@@ -6913,7 +6913,7 @@ CVE-2022-29258
 CVE-2022-29257
RESERVED
 CVE-2022-29256 (sharp is an application for Node.js image processing. Prior to 
version ...)
-   TODO: check
+   NOT-FOR-US: lovell/sharp
 CVE-2022-29255
RESERVED
 CVE-2022-29254
@@ -6927,7 +6927,7 @@ CVE-2022-29251 (XWiki Platform Flamingo Theme UI is a 
tool that allows customiza
 CVE-2022-29250
RESERVED
 CVE-2022-29249 (JavaEZ is a library that adds new functions to make Java 
easier. A wea ...)
-   TODO: check
+   NOT-FOR-US: JavaEZLib/JavaEZ
 CVE-2022-29248 (Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 
and 7.4.3  ...)
- guzzle  (bug #1011636)
NOTE: 
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
@@ -6942,7 +6942,7 @@ CVE-2022-29244
 CVE-2022-29243
RESERVED
 CVE-2022-29242 (GOST engine is a reference implementation of the Russian GOST 
crypto a ...)
-   TODO: check
+   NOT-FOR-US: gost-engine/engine
 CVE-2022-29241
RESERVED
 CVE-2022-29240
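Review bot: CVE-2022-29242 is closed as NOT-FOR-US: gost-engine/engine, but Debian ships an OpenSSL GOST engine package (libengine-gost-openssl1.1); confirm that package is not built from the gost-engine/engine source before marking this not for us.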
@@ -6952,7 +6952,7 @@ CVE-2022-29239
 CVE-2022-29238
RESERVED
 CVE-2022-29237 (Opencast is a free and open source solution for automated 
video captur ...)
-   TODO: check
+   NOT-FOR-US: Opencast
 CVE-2022-29236
RESERVED
 CVE-2022-29235



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7de3cb9d379f84e716072f099806b444d45a25a0



[Git][security-tracker-team/security-tracker][master] CVE-2022-29217/pyjwt unfixed 1011747

2022-05-26 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d94414a0 by Neil Williams at 2022-05-26T10:45:50+01:00
CVE-2022-29217/pyjwt unfixed 1011747

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6980,7 +6980,10 @@ CVE-2022-29219 (Lodestar is a TypeScript implementation 
of the Ethereum Consensu
 CVE-2022-29218 (RubyGems is a package registry used to supply software for the 
Ruby la ...)
NOT-FOR-US: rubygems/rubygems.org
 CVE-2022-29217 (PyJWT is a Python implementation of RFC 7519. PyJWT supports 
multiple  ...)
-   TODO: check
+   - pyjwt  (bug #1011747)
+   NOTE: 
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
+   NOTE: 
https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc
 (2.4.0)
+   NOTE: https://github.com/jpadilla/pyjwt/releases/tag/2.4.0
 CVE-2022-29216 (TensorFlow is an open source platform for machine learning. 
Prior to v ...)
- tensorflow  (bug #804612)
 CVE-2022-29215 (RegionProtect is a plugin that allows users to manage certain 
events i ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d94414a05112bd783f53d423456d8d34c217f58d



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-05-26 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
872e619b by Neil Williams at 2022-05-26T10:35:51+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6919,7 +6919,7 @@ CVE-2022-29248 (Guzzle is a PHP HTTP client. Guzzle prior 
to versions 6.5.6 and
 CVE-2022-29247
RESERVED
 CVE-2022-29246 (Azure RTOS USBX is a USB host, device, and on-the-go (OTG) 
embedded st ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2022-29245
RESERVED
 CVE-2022-29244
@@ -6965,7 +6965,7 @@ CVE-2022-29225
 CVE-2022-29224
RESERVED
 CVE-2022-29223 (Azure RTOS USBX is a USB host, device, and on-the-go (OTG) 
embedded st ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2022-29222 (Pion DTLS is a Go implementation of Datagram Transport Layer 
Security. ...)
- snowflake  (bug #1011458)
NOTE: 
https://github.com/pion/dtls/security/advisories/GHSA-w45j-f832-hxvh
@@ -6976,7 +6976,7 @@ CVE-2022-29221 (Smarty is a template engine for PHP, 
facilitating the separation
 CVE-2022-29220
RESERVED
 CVE-2022-29219 (Lodestar is a TypeScript implementation of the Ethereum 
Consensus spec ...)
-   TODO: check
+   NOT-FOR-US: chainsafe/lodestar
 CVE-2022-29218 (RubyGems is a package registry used to supply software for the 
Ruby la ...)
NOT-FOR-US: rubygems/rubygems.org
 CVE-2022-29217 (PyJWT is a Python implementation of RFC 7519. PyJWT supports 
multiple  ...)
@@ -6984,9 +6984,9 @@ CVE-2022-29217 (PyJWT is a Python implementation of RFC 
7519. PyJWT supports mul
 CVE-2022-29216 (TensorFlow is an open source platform for machine learning. 
Prior to v ...)
- tensorflow  (bug #804612)
 CVE-2022-29215 (RegionProtect is a plugin that allows users to manage certain 
events i ...)
-   TODO: check
+   NOT-FOR-US: PocketMine plugin
 CVE-2022-29214 (NextAuth.js (next-auth) is am open source authentication 
solution for  ...)
-   TODO: check
+   NOT-FOR-US: NextAuth.js
 CVE-2022-29213 (TensorFlow is an open source platform for machine learning. 
Prior to v ...)
- tensorflow  (bug #804612)
 CVE-2022-29212 (TensorFlow is an open source platform for machine learning. 
Prior to v ...)
@@ -7645,7 +7645,7 @@ CVE-2022-29004 (Diary Management System v1.0 was 
discovered to contain a cross-s
 CVE-2022-29003
RESERVED
 CVE-2022-29002 (A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows 
attackers ...)
-   TODO: check
+   NOT-FOR-US: xxl-job
 CVE-2022-29001 (In SpringBootMovie =1.2, the uploaded file suffix 
parameter is not ...)
NOT-FOR-US: SpringBootMovie
 CVE-2022-29000
@@ -80643,7 +80643,7 @@ CVE-2021-27781
 CVE-2021-27780
RESERVED
 CVE-2021-27779 (VersionVault Express exposes sensitive information that an 
attacker ca ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2021-27778
RESERVED
 CVE-2021-2 (XML External Entity (XXE) injection vulnerabilities occur when 
poorly  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/872e619bc6e0dfb0b71fb6e6d84258db02960ec5



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-05-26 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7743914 by Neil Williams at 2022-05-26T10:09:32+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7651,7 +7651,7 @@ CVE-2022-29001 (In SpringBootMovie =1.2, the uploaded 
file suffix parameter
 CVE-2022-29000
RESERVED
 CVE-2022-28999 (Insecure permissions in the install directories and binaries 
of Dev-CP ...)
-   TODO: check
+   NOT-FOR-US: Bloodshed Dev-C++
 CVE-2022-28998 (Xlight FTP v3.9.3.2 was discovered to contain a stack-based 
buffer ove ...)
NOT-FOR-US: Xlight FTP
 CVE-2022-28997 (CSZCMS v1.3.0 allows attackers to execute a Server-Side 
Request Forger ...)
@@ -7944,7 +7944,7 @@ CVE-2022-28877
 CVE-2022-28876
RESERVED
 CVE-2022-28875 (A Denial-of-Service (DoS) vulnerability was discovered in 
F-Secure Atl ...)
-   TODO: check
+   NOT-FOR-US: F-Secure
 CVE-2022-28874 (Multiple Denial-of-Service vulnerabilities was discovered in 
the F-Sec ...)
NOT-FOR-US: F-Secure
 CVE-2022-28873 (A vulnerability affecting F-Secure SAFE browser was 
discovered. An att ...)
@@ -7970,7 +7970,7 @@ CVE-2022-28864
 CVE-2022-28863
RESERVED
 CVE-2022-28862 (In Archibus Web Central before 26.2, multiple SQL Injection 
vulnerabil ...)
-   TODO: check
+   NOT-FOR-US: ARCHIBUS Web Central
 CVE-2022-28861
RESERVED
 CVE-2022-28860
@@ -25881,7 +25881,7 @@ CVE-2022-23052 (PeteReport Version 0.5 contains a Cross 
Site Request Forgery (CS
 CVE-2022-23051 (PeteReport Version 0.5 allows an authenticated admin user to 
inject pe ...)
NOT-FOR-US: PeteReport
 CVE-2022-23050 (ManageEngine AppManager15 (Build No:15510) allows an 
authenticated adm ...)
-   TODO: check
+   NOT-FOR-US: ManageEngine Applications Manager
 CVE-2022-23049 (Exponent CMS 2.6.0patch2 allows an authenticated user to 
inject persis ...)
NOT-FOR-US: Exponent CMS
 CVE-2022-23048 (Exponent CMS 2.6.0patch2 allows an authenticated admin user to 
upload  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7743914651369f942a40bdf50820da7e08f739c



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-05-26 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7be4e68 by Neil Williams at 2022-05-26T09:53:24+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8365,7 +8365,7 @@ CVE-2022-26841
 CVE-2022-26837
RESERVED
 CVE-2022-26833 (An improper authentication vulnerability exists in the REST 
API functi ...)
-   TODO: check
+   NOT-FOR-US: Open Automation Software
 CVE-2022-26515
RESERVED
 CVE-2022-26513
@@ -12986,7 +12986,7 @@ CVE-2021-46711
 CVE-2021-46710
RESERVED
 CVE-2022-27169 (An information disclosure vulnerability exists in the OAS 
Engine Secur ...)
-   TODO: check
+   NOT-FOR-US: Open Automation Software
 CVE-2022-27167 (Privilege escalation vulnerability in Windows products of 
ESET, spol.  ...)
NOT-FOR-US: ESET
 CVE-2022-27166
@@ -12996,19 +12996,19 @@ CVE-2022-26511 (WPS Presentation 11.8.0.5745 
insecurely load d3dx9_41.dll when o
 CVE-2022-26510 (A firmware update vulnerability exists in the iburn firmware 
checks fu ...)
NOT-FOR-US: InHand Networks InRouter302
 CVE-2022-26303 (An external config control vulnerability exists in the OAS 
Engine Secu ...)
-   TODO: check
+   NOT-FOR-US: Open Automation Software
 CVE-2022-26082 (A file write vulnerability exists in the OAS Engine 
SecureTransferFile ...)
-   TODO: check
+   NOT-FOR-US: Open Automation Software
 CVE-2022-26081 (The installer of WPS Office Version 10.8.0.5745 insecurely 
load shcore ...)
NOT-FOR-US: WPS Office
 CVE-2022-26077 (A cleartext transmission of sensitive information 
vulnerability exists ...)
-   TODO: check
+   NOT-FOR-US: Open Automation Software
 CVE-2022-26067 (An information disclosure vulnerability exists in the OAS 
Engine Secur ...)
-   TODO: check
+   NOT-FOR-US: Open Automation Software
 CVE-2022-26043 (An external config control vulnerability exists in the OAS 
Engine Secu ...)
-   TODO: check
+   NOT-FOR-US: Open Automation Software
 CVE-2022-26026 (A denial of service vulnerability exists in the OAS Engine 
SecureConfi ...)
-   TODO: check
+   NOT-FOR-US: Open Automation Software
 CVE-2022-25969 (The installer of WPS Office Version 10.8.0.6186 insecurely 
load VERSIO ...)
NOT-FOR-US: WPS Office
 CVE-2022-25949 (The kernel mode driver kwatch3 of KINGSOFT Internet Security 9 
Plus Ve ...)
@@ -30789,7 +30789,7 @@ CVE-2022-22129
 CVE-2022-22128
RESERVED
 CVE-2022-22127 (Tableau is aware of a broken access control vulnerability 
present in T ...)
-   TODO: check
+   NOT-FOR-US: Tableau Server
 CVE-2022-22126 (Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored 
XSS via  ...)
NOT-FOR-US: Openmct
 CVE-2022-22125 (In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to 
Stored  ...)
@@ -32077,7 +32077,7 @@ CVE-2022-21953
 CVE-2022-21952
RESERVED
 CVE-2022-21951 (A Missing Encryption of Sensitive Data vulnerability in SUSE 
Rancher,  ...)
-   TODO: check
+   NOT-FOR-US: Rancher
 CVE-2022-21950
RESERVED
 CVE-2022-21949 (A Improper Restriction of XML External Entity Reference 
vulnerability  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7be4e680bbce2e9eb0ebd6d7d9b1058e0d2b781



[Git][security-tracker-team/security-tracker][master] Disentangle multiple projects called gibbon

2022-05-26 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52ea832f by Neil Williams at 2022-05-26T09:14:44+01:00
Disentangle multiple projects called gibbon

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12399,7 +12399,7 @@ CVE-2022-27313 (An arbitrary file deletion 
vulnerability in Gitea v1.16.3 allows
 CVE-2022-27312
RESERVED
 CVE-2022-27311 (Gibbon v3.4.4 and below allows attackers to execute a 
Server-Side Requ ...)
-   NOT-FOR-US: Gibbon
+   NOT-FOR-US: amro/Gibbon
 CVE-2022-27310
RESERVED
 CVE-2022-27309
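Review bot: the owner/repo form "amro/Gibbon" is what separates this entry from the GibbonEdu/core entries elsewhere in this commit, and the version strings in the descriptions back the split (v3.4.4 here against v22.0.00 and v23 for the GibbonEdu/core ones), but nothing in the data file records the basis for the mapping; a "NOTE:" line with the repository URL under the NOT-FOR-US marker would let the next triager verify it without re-deriving the disambiguation.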
@@ -12411,7 +12411,7 @@ CVE-2022-27307
 CVE-2022-27306
REJECTED
 CVE-2022-27305 (Gibbon v23 does not generate a new session ID cookie after a 
user auth ...)
-   TODO: check
+   NOT-FOR-US: GibbonEdu/core
 CVE-2022-27304 (Student Grading System v1.0 was discovered to contain a SQL 
injection  ...)
NOT-FOR-US: Student Grading System
 CVE-2022-27303
@@ -49071,7 +49071,7 @@ CVE-2021-40216
 CVE-2021-40215
RESERVED
 CVE-2021-40214 (Gibbon v22.0.00 suffers from a stored XSS vulnerability within 
the wal ...)
-   NOT-FOR-US: Gibbon
+   NOT-FOR-US: GibbonEdu/core
 CVE-2021-40213
RESERVED
 CVE-2021-40212



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52ea832f33ae0083a552ed86daa81bb4f2e99bd5



[Git][security-tracker-team/security-tracker][master] 2 commits: Process 1 NFU

2022-05-26 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ef0adafc by Neil Williams at 2022-05-26T09:00:43+01:00
Process 1 NFU

- - - - -
b7c8cb5d by Neil Williams at 2022-05-26T09:00:45+01:00
CVE-2022-26945/golang-github-hashicorp-go-getter unfixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3483,11 +3483,20 @@ CVE-2022-30325
 CVE-2022-30324
RESERVED
 CVE-2022-30323 (HashiCorp go-getter through 2.0.2 does not safely perform 
downloads (i ...)
-   TODO: check
+   - golang-github-hashicorp-go-getter  (bug #1011741)
+   NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
+   NOTE: https://github.com/hashicorp/go-getter/pull/359
+   NOTE: 
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
 (v1.6.0)
 CVE-2022-30322 (HashiCorp go-getter through 2.0.2 does not safely perform 
downloads (i ...)
-   TODO: check
+   - golang-github-hashicorp-go-getter  (bug #1011741)
+   NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
+   NOTE: https://github.com/hashicorp/go-getter/pull/359
+   NOTE: 
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
 (v1.6.0)
 CVE-2022-30321 (HashiCorp go-getter through 2.0.2 does not safely perform 
downloads (i ...)
-   TODO: check
+   - golang-github-hashicorp-go-getter  (bug #1011741)
+   NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
+   NOTE: https://github.com/hashicorp/go-getter/pull/359
+   NOTE: 
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
 (v1.6.0)
 CVE-2022-1616 (Use after free in append_command in GitHub repository vim/vim 
prior to ...)
{DLA-3011-1}
- vim 
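Review bot: the three entries CVE-2022-30323, -30322 and -30321 receive byte-identical NOTE blocks (same advisory, same PR 359, same commit a2ebce99 tagged "(v1.6.0)"), so the data file does not record which of the advisory's issues each CVE covers or whether that one commit fixes all three; a short per-CVE NOTE, or a pointer to the specific commit for each issue, would make later fixed-version claims checkable. The "(v1.6.0)" annotation also sits beside descriptions that say "through 2.0.2": worth stating in a NOTE which release line the Debian package golang-github-hashicorp-go-getter follows, so a reader knows why a 1.x commit is the reference.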
@@ -13320,7 +13329,10 @@ CVE-2022-0936 (Cross-site Scripting (XSS) - Stored in 
GitHub repository autolab/
 CVE-2022-26946
RESERVED
 CVE-2022-26945 (HashiCorp go-getter before 2.0.2 allows Command Injection. ...)
-   TODO: check
+   - golang-github-hashicorp-go-getter  (bug #1011741)
+   NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
+   NOTE: https://github.com/hashicorp/go-getter/pull/359
+   NOTE: 
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
 (v1.6.0)
 CVE-2022-26944
RESERVED
 CVE-2022-26943
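Review bot: the NOTE block under CVE-2022-26945 is a verbatim copy of the one used for the CVE-2022-3032x entries, yet this description is a different issue class (Command Injection) with a different bound ("before 2.0.2" rather than "through 2.0.2"); confirm that PR 359 / commit a2ebce99 actually addresses the injection issue and, if the advisory lists separate fixes, reference the one that applies to this CVE.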
@@ -28149,7 +28161,7 @@ CVE-2022-0087 (keystone is vulnerable to Improper 
Neutralization of Input During
 CVE-2021-46130
RESERVED
 CVE-2022-22306 (An improper certificate validation vulnerability [CWE-295] in 
FortiOS  ...)
-   TODO: check
+   NOT-FOR-US: Fortinet FortiOS
 CVE-2022-22305
RESERVED
 CVE-2022-22304



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ed7aeadbf782e9e8f117d9f1537e7df74c2b0ff1...b7c8cb5d92acb3cddc61d421b9c238eaad687bdd



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-05-26 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9ca2ff50 by Neil Williams at 2022-05-26T08:32:52+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23219,7 +23219,7 @@ CVE-2022-23777
 CVE-2022-23776
RESERVED
 CVE-2022-23775 (TrueStack Direct Connect 1.4.7 has Incorrect Access Control. 
...)
-   TODO: check
+   NOT-FOR-US: TrueStack
 CVE-2022-23774 (Docker Desktop before 4.4.4 on Windows allows attackers to 
move arbitr ...)
NOT-FOR-US: Docker Desktop
 CVE-2022-23773 (cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can 
misinterpret  ...)
@@ -33319,7 +33319,7 @@ CVE-2021-44721
 CVE-2021-44720
RESERVED
 CVE-2021-44719 (Docker Desktop 4.3.0 has Incorrect Access Control. ...)
-   TODO: check
+   NOT-FOR-US: Docker Desktop on MacOS
 CVE-2021-44718
RESERVED
- wolfssl 5.1.1-1
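Review bot: the marker "NOT-FOR-US: Docker Desktop on MacOS" differs from the "NOT-FOR-US: Docker Desktop" used for CVE-2022-23774 in the previous hunk; the visible description ("Docker Desktop 4.3.0 has Incorrect Access Control.") names no platform, so either use the same identifier for both entries or move the platform qualifier into a NOTE line so the product name stays greppable.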
@@ -60607,7 +60607,7 @@ CVE-2021-35489 (Thruk 2.40-2 allows 
/thruk/#cgi-bin/extinfo.cgi?type=2host=
 CVE-2021-35488 (Thruk 2.40-2 allows 
/thruk/#cgi-bin/status.cgi?style=combinedtitl ...)
NOT-FOR-US: Thruk
 CVE-2021-35487 (Nokia Broadcast Message Center through 11.1.0 allows an 
authenticated  ...)
-   TODO: check
+   NOT-FOR-US: Nokia Broadcast Message Center
 CVE-2021-35486
RESERVED
 CVE-2021-35485
@@ -66566,7 +66566,7 @@ CVE-2021-32999 (Improper handling of exceptional 
conditions in SuiteLink server
 CVE-2021-32998 (The FANUC R-30iA and R-30iB series controllers are vulnerable 
to an ou ...)
NOT-FOR-US: FANUC
 CVE-2021-32997 (The affected Baker Hughes Bentley Nevada products (3500 System 
1 6.x,  ...)
-   TODO: check
+   NOT-FOR-US: Baker Hughes Bentley Nevada
 CVE-2021-32996 (The FANUC R-30iA and R-30iB series controllers are vulnerable 
to integ ...)
NOT-FOR-US: FANUC
 CVE-2021-32995 (Cscape (All Versions prior to 9.90 SP5) lacks proper 
validation of use ...)
@@ -66582,7 +66582,7 @@ CVE-2021-32991 (Delta Electronics DIAEnergie Version 
1.7.5 and prior is vulnerab
 CVE-2021-32990 (FATEK Automation WinProladder Versions 3.30 and prior are 
vulnerable t ...)
NOT-FOR-US: FATEK Automation WinProladder
 CVE-2021-32989 (When a non-existent resource is requested, the LCDS LAquis 
SCADA appli ...)
-   TODO: check
+   NOT-FOR-US: LAquis SCADA
 CVE-2021-32988 (FATEK Automation WinProladder Versions 3.30 and prior are 
vulnerable t ...)
NOT-FOR-US: FATEK Automation WinProladder
 CVE-2021-32987 (Null pointer dereference in SuiteLink server while processing 
command  ...)
@@ -66628,7 +66628,7 @@ CVE-2021-32968 (Two buffer overflows in the built-in 
web server in Moxa NPort IA
 CVE-2021-32967 (Delta Electronics DIAEnergie Version 1.7.5 and prior may allow 
an atta ...)
NOT-FOR-US: Delta Electronics
 CVE-2021-32966 (Philips Interoperability Solution XDS versions 2.5 through 
3.11 and 20 ...)
-   TODO: check
+   NOT-FOR-US: Philips Interoperability
 CVE-2021-32965 (Delta Electronics DIAScreen versions prior to 1.1.0 are 
vulnerable to  ...)
NOT-FOR-US: Delta Electronics
 CVE-2021-32964 (The AGG Software Web Server version 4.0.40.1014 and prior is 
vulnerabl ...)
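Review bot: "NOT-FOR-US: Philips Interoperability" truncates the product name; the description reads "Philips Interoperability Solution XDS", and a NOT-FOR-US marker is most useful when it carries the full name the CVE uses. Suggest "NOT-FOR-US: Philips Interoperability Solution XDS".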
@@ -80365,7 +80365,7 @@ CVE-2021-27785
 CVE-2021-27784
RESERVED
 CVE-2021-27783 (User generated PPKG file for Bulk Enroll may have unencrypted 
sensitiv ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2021-27782
RESERVED
 CVE-2021-27781
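Review bot: the visible description for CVE-2021-27783 ("User generated PPKG file for Bulk Enroll may have unencrypted sensitiv ...") names no vendor, so "NOT-FOR-US: HCL" cannot be checked from the entry itself; add a NOTE with the vendor advisory URL or the full product name that the NFU decision rests on.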



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ca2ff50feb8a158a3825b4a3a43e19134b6b7c2



[Git][security-tracker-team/security-tracker][master] Process YottaDB CVEs

2022-05-25 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
db85f774 by Neil Williams at 2022-05-25T15:59:09+01:00
Process YottaDB CVEs

Confirmed with YottaDB upstream that YottaDB is built around a
fork of FIS GT.M which is maintained separately from FIS.
Only report CVEs against FIS GT.M if the CVE is filed against
FIS GT.M or linked to Release Notes from FIS, not just YottaDB GitLab.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -34112,38 +34112,27 @@ CVE-2021-44492 (An issue was discovered in YottaDB 
through r1.32 and V7.0-000 an
NOTE: 
http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html
NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
 CVE-2021-44491 (An issue was discovered in YottaDB through r1.32 and V7.0-000. 
Using c ...)
-   NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
-   TODO: check - unclear if affects only YottaDB
+   NOT-FOR-US: YottaDB
 CVE-2021-44490 (An issue was discovered in YottaDB through r1.32 and V7.0-000. 
Using c ...)
-   NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
-   TODO: check - unclear if affects only YottaDB
+   NOT-FOR-US: YottaDB
 CVE-2021-44489 (An issue was discovered in YottaDB through r1.32 and V7.0-000. 
Using c ...)
-   NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
-   TODO: check - unclear if affects only YottaDB
+   NOT-FOR-US: YottaDB
 CVE-2021-44488 (An issue was discovered in YottaDB through r1.32 and V7.0-000. 
Using c ...)
-   NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
-   TODO: check - unclear if affects only YottaDB
+   NOT-FOR-US: YottaDB
 CVE-2021-44487 (An issue was discovered in YottaDB through r1.32 and V7.0-000. 
A lack  ...)
-   NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
-   TODO: check - unclear if affects only YottaDB
+   NOT-FOR-US: YottaDB
 CVE-2021-44486 (An issue was discovered in YottaDB through r1.32 and V7.0-000. 
Using c ...)
-   NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
-   TODO: check - unclear if affects only YottaDB
+   NOT-FOR-US: YottaDB
 CVE-2021-44485 (An issue was discovered in YottaDB through r1.32 and V7.0-000. 
A lack  ...)
-   NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
-   TODO: check - unclear if affects only YottaDB
+   NOT-FOR-US: YottaDB
 CVE-2021-44484 (An issue was discovered in YottaDB through r1.32 and V7.0-000. 
A lack  ...)
-   NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
-   TODO: check - unclear if affects only YottaDB
+   NOT-FOR-US: YottaDB
 CVE-2021-44483 (An issue was discovered in YottaDB through r1.32 and V7.0-000. 
A lack  ...)
-   NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
-   TODO: check - unclear if affects only YottaDB
+   NOT-FOR-US: YottaDB
 CVE-2021-44482 (An issue was discovered in YottaDB through r1.32 and V7.0-000. 
A lack  ...)
-   NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
-   TODO: check - unclear if affects only YottaDB
+   NOT-FOR-US: YottaDB
 CVE-2021-44481 (An issue was discovered in YottaDB through r1.32 and V7.0-000. 
A lack  ...)
-   NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
-   TODO: check - unclear if affects only YottaDB
+   NOT-FOR-US: YottaDB
 CVE-2021-44480 (Wokka Lokka Q50 devices through 2021-11-30 allow remote 
attackers (who ...)
NOT-FOR-US: Wokka Lokka Q50 devices
 CVE-2021-44479 (NXP Kinetis K82 devices have a buffer over-read via a crafted 
wlength  ...)
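Review bot: the change drops the "NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828" lines together with the TODO, leaving eleven bare NOT-FOR-US entries, while the rationale (upstream confirmation that YottaDB is a separately maintained fork of FIS GT.M) lives only in the commit message. Since the descriptions name "V7.0-000", the same version scheme as the GT.M V7.0-002 release notes still linked from the CVE-2021-44492 context line above, a future triager is likely to reopen these; keep the issue 828 NOTE and add a NOTE recording the upstream confirmation so the decision is traceable in the data file itself.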



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db85f774530d1047ed9976c20b0c8ca48a98ce9f


