[Git][security-tracker-team/security-tracker][master] Add Debian bug references for CVE-2022-1271

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
11c89875 by Salvatore Bonaccorso at 2022-04-08T07:02:09+02:00
Add Debian bug references for CVE-2022-1271

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,8 +5,8 @@ CVE-2022-28662
 CVE-2022-28661
RESERVED
 CVE-2022-1271
-   - xz-utils 
-   - gzip 
+   - xz-utils  (bug #1009167)
+   - gzip  (bug #1009168)
NOTE: https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
NOTE: 
https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
NOTE: https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11c89875f65cda872a68e0287e0ddbfe0877f575

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11c89875f65cda872a68e0287e0ddbfe0877f575
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Track upstream commits for gzip issue

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9335e9a8 by Salvatore Bonaccorso at 2022-04-08T06:59:34+02:00
Track upstream commits for gzip issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10,6 +10,13 @@ CVE-2022-1271
NOTE: https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
NOTE: 
https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
NOTE: https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
+   NOTE: 
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c
 (v1.12)
+   NOTE: 
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=d74a30d45c6834c8e9f87115197370fe86656d81
 (v1.12)
+   NOTE: 
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a
 (v1.12)
+   NOTE: 
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=6543c09c6ecfb1630085d440b76511953bc5a2cb
 (v1.12)
+   NOTE: 
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=0e2d07fc2c4393cfb9dbab580d0bee4525b9c9b3
 (v1.12)
+   NOTE: 
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=5e1fc8b92c1af9382365aef0f9130341ee1d2c76
 (v1.12)
+   NOTE: 
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=9d3248751178939713a39115cf68ec8a11506cc9
 (v1.12)
NOTE: https://www.openwall.com/lists/oss-security/2022/04/07/8
 CVE-2022-1263
- linux 
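Review bot: all seven gzip commits are tagged `(v1.12)` with nothing marking which one is the actual zgrep fix and which are follow-up hardening, so whoever prepares the bullseye/buster backport has to read all seven; a short annotation on the primary fix commit, or listing it first, would save that work.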



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9335e9a89c0caa2948b214a224d13c733feb8509



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1271/{xz-utils,gzip}

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
62759507 by Salvatore Bonaccorso at 2022-04-08T06:42:31+02:00
Add CVE-2022-1271/{xz-utils,gzip}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4,6 +4,13 @@ CVE-2022-28662
RESERVED
 CVE-2022-28661
RESERVED
+CVE-2022-1271
+   - xz-utils 
+   - gzip 
+   NOTE: https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
+   NOTE: 
https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
+   NOTE: https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
+   NOTE: https://www.openwall.com/lists/oss-security/2022/04/07/8
 CVE-2022-1263
- linux 
NOTE: https://www.openwall.com/lists/oss-security/2022/04/07/1
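Review bot: the two package lines are added without a fixed version or a Debian bug reference (`+   - xz-utils `, `+   - gzip `), and the entry has no bullseye/buster annotations, so the issue is open in every suite with nothing to track it against; filing bugs and recording their numbers on the package lines would close that gap, which the follow-up commit on this list does with #1009167 and #1009168.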



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62759507fcc12ea64fb577b71715507366cddd94



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-24785/node-moment

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69427aea by Salvatore Bonaccorso at 2022-04-08T06:24:09+02:00
Add CVE-2022-24785/node-moment

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10467,7 +10467,9 @@ CVE-2022-24787 (Vyper is a Pythonic Smart Contract 
Language for the Ethereum Vir
 CVE-2022-24786
RESERVED
 CVE-2022-24785 (Moment.js is a JavaScript date library for parsing, 
validating, manipu ...)
-   TODO: check
+   - node-moment 
+   NOTE: 
https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
+   NOTE: 
https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
 (2.29.2)
 CVE-2022-24784 (Statamic is a Laravel and Git powered CMS. Before versions 
3.2.39 and  ...)
NOT-FOR-US: Statamic
 CVE-2022-24783 (Deno is a runtime for JavaScript and TypeScript. The versions 
of Deno  ...)
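Review bot: `- node-moment ` is added with no fixed version and no bug reference, and there is no bullseye/buster annotation, so the issue shows as open in every suite; since the upstream commit is tagged `(2.29.2)`, the Debian upload that includes it, or a bug number until that exists, is the missing piece here.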



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69427aea7eab3e68e703402dd7972aba2cc9c609



[Git][security-tracker-team/security-tracker][master] Fixes for samba previously in experimental landed in unstable

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3655f091 by Salvatore Bonaccorso at 2022-04-08T06:22:00+02:00
Fixes for samba previously in experimental landed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14091,7 +14091,7 @@ CVE-2022-0337
 CVE-2022-0336 [Samba AD users with permission to write to an account can 
impersonate arbitrary services]
RESERVED
[experimental] - samba 2:4.16.0+dfsg-1
-   - samba  (bug #1004694)
+   - samba 2:4.16.0+dfsg-2 (bug #1004694)
[bullseye] - samba 2:4.13.13+dfsg-1~deb11u3
[buster] - samba  (Minor issue; affects Samba as AD DC)
NOTE: https://www.samba.org/samba/security/CVE-2022-0336.html
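Review bot: `[experimental] - samba 2:4.16.0+dfsg-1` is kept above the new `- samba 2:4.16.0+dfsg-2 (bug #1004694)` line; with a higher version now fixed in unstable the experimental line no longer adds information, so it is worth confirming it is intentionally retained, here and in the four identical hunks below.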
@@ -26112,7 +26112,7 @@ CVE-2021-44143 (A flaw was found in mbsync in isync 
1.4.0 through 1.4.3. Due to
 CVE-2021-44142 (The Samba vfs_fruit module uses extended file attributes (EA, 
xattr) t ...)
{DSA-5071-1}
[experimental] - samba 2:4.16.0+dfsg-1
-   - samba  (bug #1004693)
+   - samba 2:4.16.0+dfsg-2 (bug #1004693)
NOTE: https://www.samba.org/samba/security/CVE-2021-44142.html
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14914
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-244/
@@ -26120,7 +26120,7 @@ CVE-2021-44142 (The Samba vfs_fruit module uses 
extended file attributes (EA, xa
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-246/
 CVE-2021-44141 (All versions of Samba prior to 4.15.5 are vulnerable to a 
malicious cl ...)
[experimental] - samba 2:4.16.0+dfsg-1
-   - samba  (bug #1004692)
+   - samba 2:4.16.0+dfsg-2 (bug #1004692)
[bullseye] - samba  (Minor issue; no backport to older 
versions, mitigations exists)
[buster] - samba  (Minor issue; no backport to older versions, 
mitigations exists)
NOTE: https://www.samba.org/samba/security/CVE-2021-44141.html
@@ -28851,7 +28851,7 @@ CVE-2021-43567
RESERVED
 CVE-2021-43566 (All versions of Samba prior to 4.13.16 are vulnerable to a 
malicious c ...)
[experimental] - samba 2:4.16.0+dfsg-1
-   - samba  (bug #1004691)
+   - samba 2:4.16.0+dfsg-2 (bug #1004691)
[bullseye] - samba  (Minor issue; no backport to older 
versions, mitigations exists)
[buster] - samba  (Minor issue; no backport to older versions, 
mitigations exists)
NOTE: https://www.samba.org/samba/security/CVE-2021-43566.html
@@ -90393,7 +90393,7 @@ CVE-2021-20317 (A flaw was found in the Linux kernel. A 
corrupted timer tree cau
 CVE-2021-20316
RESERVED
[experimental] - samba 2:4.16.0+dfsg-1
-   - samba  (bug #1004690)
+   - samba 2:4.16.0+dfsg-2 (bug #1004690)
[bullseye] - samba  (Minor issue; no backport to older 
versions, mitigations exists)
[buster] - samba  (Minor issue; no backport to older versions, 
mitigations exists)
NOTE: https://www.samba.org/samba/security/CVE-2021-20316.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3655f0914b372133148e110140fe52fab81b5e65



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-0204/bluez via unstable

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c344467a by Salvatore Bonaccorso at 2022-04-07T23:27:27+02:00
Track fixed version for CVE-2022-0204/bluez via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16329,7 +16329,7 @@ CVE-2022-0206 (The NewStatPress WordPress plugin before 
1.3.6 does not properly
 CVE-2022-0205 (The YOP Poll WordPress plugin before 6.3.5 does not sanitise 
and escap ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-0204 (A heap overflow vulnerability was found in bluez in versions 
prior to  ...)
-   - bluez  (bug #1003712)
+   - bluez 5.64-1 (bug #1003712)
[bullseye] - bluez  (Minor issue)
[buster] - bluez  (Minor issue)
[stretch] - bluez  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c344467aaa56de0e624da2c44c4d4c3057dfe1b7



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for chromium

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
98072768 by Salvatore Bonaccorso at 2022-04-07T23:06:37+02:00
Reserve DSA number for chromium

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[07 Apr 2022] DSA-5114-1 chromium - security update
+   {CVE-2022-1232}
+   [bullseye] - chromium 100.0.4896.75-1~deb11u1
 [06 Apr 2022] DSA-5113-1 firefox-esr - security update
{CVE-2022-1097 CVE-2022-1196 CVE-2022-24713 CVE-2022-28281 
CVE-2022-28282 CVE-2022-28285 CVE-2022-28286 CVE-2022-28289}
[buster] - firefox-esr 91.8.0esr-1~deb10u1
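Review bot: DSA-5114-1 carries only a `[bullseye]` line, consistent with the dsa-needed entry `chromium (carnil)` having no `/oldstable` suffix (unlike `asterisk/oldstable` and `condor/oldstable` in the same file), so buster is deliberately out of scope; the commit message does not say so, and a short mention would spare the next reader the cross-check.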


=
data/dsa-needed.txt
=
@@ -16,8 +16,6 @@ asterisk/oldstable
 --
 cacti
 --
-chromium (carnil)
---
 condor/oldstable
 --
 fish/stable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98072768f861cdbc3c05e9950d4d0ad7baf9aeb0



[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2022-24724

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
29bce8b7 by Salvatore Bonaccorso at 2022-04-07T22:26:28+02:00
Add reference for CVE-2022-24724

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10656,6 +10656,7 @@ CVE-2022-24724 (cmark-gfm is GitHub's extended version 
of the C reference implem
NOTE: 
https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x
NOTE: https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.3
NOTE: 
https://github.com/github/cmark-gfm/commit/ac80f7b56522ffa158e1f0c14a611ffccacd4027
 (0.29.0.gfm.3)
+   NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2258
 CVE-2022-24723 (URI.js is a Javascript URL mutation library. Before version 
1.19.9, wh ...)
- node-urijs  (bug #902083)
NOTE: 
https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316
 (v1.19.9)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29bce8b789cbd76cfdc7241fca2b6677b9f6aae2



[Git][security-tracker-team/security-tracker][master] Remove ignored tag from CVE-2016-9318 for stretch

2022-04-07 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7a010e71 by Anton Gladky at 2022-04-07T22:24:49+02:00
Remove ignored tag from CVE-2016-9318 for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -335597,7 +335597,6 @@ CVE-2016-9318 (libxml2 2.9.4 and earlier, as used in 
XMLSec 1.2.23 and earlier a
[experimental] - libxml2 2.9.8+dfsg-1
- libxml2 2.9.10+dfsg-2 (bug #844581)
[buster] - libxml2  (Minor issue; intrusive to backport)
-   [stretch] - libxml2  (Minor issue; intrusive to backport)
[jessie] - libxml2  (Minor issue; intrusive to backport)
[wheezy] - libxml2  (Minor issue)
NOTE: Upstream Bug: https://bugzilla.gnome.org/show_bug.cgi?id=772726
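Review bot: dropping the `[stretch] - libxml2  (Minor issue; intrusive to backport)` line flips stretch from ignored to open while buster, jessie and wheezy keep the same annotation; the commit message says what was removed but not why stretch now differs from its neighbours (an update being planned, or the annotation having been wrong), so a one-line rationale belongs in the message.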



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a010e711b3190d8bdc79505c079a1b5dd56f984



[Git][security-tracker-team/security-tracker][master] automatic update

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
73028002 by security tracker role at 2022-04-07T20:10:24+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -881,7 +881,7 @@ CVE-2022-28290
RESERVED
 CVE-2022-28289
RESERVED
-   {DSA-5113-1}
+   {DSA-5113-1 DLA-2971-1}
- firefox 99.0-1
- firefox-esr 91.8.0esr-1
- thunderbird 1:91.8.0-1
@@ -898,7 +898,7 @@ CVE-2022-28287
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/#CVE-2022-28287
 CVE-2022-28286
RESERVED
-   {DSA-5113-1}
+   {DSA-5113-1 DLA-2971-1}
- firefox 99.0-1
- firefox-esr 91.8.0esr-1
- thunderbird 1:91.8.0-1
@@ -907,7 +907,7 @@ CVE-2022-28286
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/#CVE-2022-28286
 CVE-2022-28285
RESERVED
-   {DSA-5113-1}
+   {DSA-5113-1 DLA-2971-1}
- firefox 99.0-1
- firefox-esr 91.8.0esr-1
- thunderbird 1:91.8.0-1
@@ -924,7 +924,7 @@ CVE-2022-28283
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/#CVE-2022-28283
 CVE-2022-28282
RESERVED
-   {DSA-5113-1}
+   {DSA-5113-1 DLA-2971-1}
- firefox 99.0-1
- firefox-esr 91.8.0esr-1
- thunderbird 1:91.8.0-1
@@ -933,7 +933,7 @@ CVE-2022-28282
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/#CVE-2022-28282
 CVE-2022-28281
RESERVED
-   {DSA-5113-1}
+   {DSA-5113-1 DLA-2971-1}
- firefox 99.0-1
- firefox-esr 91.8.0esr-1
- thunderbird 1:91.8.0-1
@@ -956,7 +956,7 @@ CVE-2022-1197
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/#CVE-2022-1197
 CVE-2022-1196
RESERVED
-   {DSA-5113-1}
+   {DSA-5113-1 DLA-2971-1}
- firefox-esr 91.8.0esr-1
- thunderbird 1:91.8.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/#CVE-2022-1196
@@ -2226,7 +2226,7 @@ CVE-2022-26064
RESERVED
 CVE-2022-1097
RESERVED
-   {DSA-5113-1}
+   {DSA-5113-1 DLA-2971-1}
- firefox 99.0-1
- firefox-esr 91.8.0esr-1
- thunderbird 1:91.8.0-1
@@ -10693,7 +10693,7 @@ CVE-2022-24714 (Icinga Web 2 is an open source 
monitoring web interface, framewo
NOTE: 
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf
NOTE: 
https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293
 CVE-2022-24713 (regex is an implementation of regular expressions for the Rust 
languag ...)
-   {DSA-5113-1}
+   {DSA-5113-1 DLA-2971-1}
- firefox 99.0-1
- firefox-esr 91.8.0esr-1
- thunderbird 1:91.8.0-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7302800285d4b1800beef5c71ca9bbf93a1aec3d



[Git][security-tracker-team/security-tracker][master] Correct tracking for CVE-2022-1263/linux

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e7c2eb4f by Salvatore Bonaccorso at 2022-04-07T21:42:56+02:00
Correct tracking for CVE-2022-1263/linux

Fixes: 975565a681e5 (Add CVE-2022-1263/linux)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4,12 +4,10 @@ CVE-2022-28662
RESERVED
 CVE-2022-28661
RESERVED
-CVE-2022-1263 [KVM: x86/mmu: do compare-and-exchange of gPTE via the user 
address]
+CVE-2022-1263
- linux 
-   [buster] - linux  (Vulnerable code not present)
-   [stretch] - linux  (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2022/04/07/1
-   NOTE: 
https://git.kernel.org/linus/2a8859f373b0a86f0ece8ec8312607eacf12485d (5.18-rc1)
+   NOTE: https://www.spinics.net/lists/kvm/msg273052.html
 CVE-2022-1249 [NULL pointer dereference in cms_set_pw_data()]
- pesign  (Vulnerable code introduced later)
NOTE: https://github.com/rhboot/pesign/pull/79
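Review bot: this hunk drops the `[buster]` and `[stretch]` `(Vulnerable code not present)` annotations, which moves both suites from not-affected to open, and replaces the `git.kernel.org/linus/2a8859f373b0...` fix reference `(5.18-rc1)` with a mailing-list link, yet the commit message only says `Fixes: 975565a681e5`; a sentence on what was wrong in the original tracking (wrong fix commit, wrong affected range, or both) is needed for anyone auditing this entry later.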



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7c2eb4fcdd9dad2a9aba710de5a4bb9fafacc00



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26612/hadoop

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b70c8349 by Salvatore Bonaccorso at 2022-04-07T21:33:18+02:00
Add CVE-2022-26612/hadoop

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5487,6 +5487,7 @@ CVE-2022-26613
RESERVED
 CVE-2022-26612
RESERVED
+   - hadoop  (bug #793644)
 CVE-2022-26611
RESERVED
 CVE-2022-26610
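Review bot: `- hadoop  (bug #793644)` references a bug number far below the ones filed for contemporaneous issues on this list (#1009167 and #1009168 for CVE-2022-1271), so it is presumably a long-standing bug rather than one opened for this CVE; worth confirming it is the intended reference and saying so in the commit message, since the CVE itself is still RESERVED with no description to cross-check against.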



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b70c8349d9c3a256832f1c97832c2b296e2a8ced



[Git][security-tracker-team/security-tracker][master] Remove todo entry for CVE-2021-4207, CVE situation clarified

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2917883 by Salvatore Bonaccorso at 2022-04-07T21:26:38+02:00
Remove todo entry for CVE-2021-4207, CVE situation clarified

Red Hat confirmed that the assigned CVE-2021-4207 is the correct one and
the blog entry from starlabs got updated as well.

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2036966#c8

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16223,7 +16223,6 @@ CVE-2021-4207
- qemu 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036966
NOTE: https://starlabs.sg/advisories/22-4207/
-   TODO: starlabs.sg and RH Bugzilla entry disagree on the CVE identifier 
(2022 vs 2021)
 CVE-2021-4206
RESERVED
- qemu 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d29178834c4d7e2847ce9c8591b496e60b77a42b



[Git][security-tracker-team/security-tracker][master] Remove todo item for CVE-2021-4206

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4b834f32 by Salvatore Bonaccorso at 2022-04-07T21:25:54+02:00
Remove todo item for CVE-2021-4206

Confirmed that the 2021 CVE was the correct one and starlabs updated the
blog entry as well.

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2036998#c7

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16229,7 +16229,6 @@ CVE-2021-4206
- qemu 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036998
NOTE: https://starlabs.sg/advisories/22-4206/
-   TODO: starlabs.sg and RH Bugzilla entry disagree on the CVE identifier 
(2022 vs 2021)
 CVE-2021-4205
RESERVED
 CVE-2021-31567 (Authenticated (admin+) Arbitrary File Download vulnerability 
discovere ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b834f32b91897eaa4169dd18ffd3635eea66111



[Git][security-tracker-team/security-tracker][master] NFU

2022-04-07 Thread Henri Salo (@hsalo-guest)


Henri Salo pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7cf7ed91 by Henri Salo at 2022-04-07T22:12:05+03:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3844,8 +3844,10 @@ CVE-2022-27222
RESERVED
 CVE-2022-0993
RESERVED
+   NOT-FOR-US: WordPress plugin
 CVE-2022-0992
RESERVED
+   NOT-FOR-US: WordPress plugin
 CVE-2022-0991 (Insufficient Session Expiration in GitHub repository 
admidio/admidio p ...)
NOT-FOR-US: admidio
 CVE-2022-0990 (Server-Side Request Forgery (SSRF) in GitHub repository 
janeczku/calib ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cf7ed9135f222d59f38cfb311009b4c7419fd0d



[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c72feb07 by Salvatore Bonaccorso at 2022-04-07T21:10:07+02:00
Add chromium to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -16,6 +16,8 @@ asterisk/oldstable
 --
 cacti
 --
+chromium (carnil)
+--
 condor/oldstable
 --
 fish/stable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72feb0797aaf5b69f5eaac9fd4850cd98fffb38



[Git][security-tracker-team/security-tracker][master] lrzip: reference CVE-2017-884X unimportant issues fixed by DLA single patch

2022-04-07 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c602bf6f by Sylvain Beucler at 2022-04-07T18:21:02+02:00
lrzip: reference CVE-2017-884X unimportant issues fixed by DLA single patch

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -309310,6 +309310,7 @@ CVE-2017-8849 (smb4k before 2.0.1 allows local users 
to gain root privileges by
 CVE-2017-8848 (Allen Disk 1.6 has CSRF in setpass.php with an impact of 
changing a pa ...)
NOT-FOR-US: Allen Disk
 CVE-2017-8847 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so 
in lrz ...)
+   {DLA-2725-1}
- lrzip 0.631+git180517-1 (unimportant; bug #863145)
NOTE: https://github.com/ckolivas/lrzip/issues/67
NOTE: 
https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-bufreadget-libzpaq-h/
@@ -309322,6 +309323,7 @@ CVE-2017-8846 (The read_stream function in stream.c 
in liblrzip.so in lrzip 0.63
NOTE: https://github.com/ckolivas/lrzip/issues/71
NOTE: 
https://blogs.gentoo.org/ago/2017/05/07/lrzip-use-after-free-in-read_stream-stream-c/
 CVE-2017-8845 (The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as 
used in lr ...)
+   {DLA-2725-1}
- lrzip 0.631+git180517-1 (unimportant; bug #863151)
NOTE: https://github.com/ckolivas/lrzip/issues/68
NOTE: 
https://github.com/ckolivas/lrzip/commit/89d7b33e6a6450eed326b40084b547d42bad333f
@@ -309336,14 +309338,18 @@ CVE-2017-8844 (The read_1g function in stream.c in 
liblrzip.so in lrzip 0.631 al
NOTE: 
https://blogs.gentoo.org/ago/2017/05/07/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c/
NOTE: 
https://github.com/ckolivas/lrzip/commit/dc57230636fe8da068674e1023b2f07c593ec21b
 (v0.640)
 CVE-2017-8843 (The join_pthread function in stream.c in liblrzip.so in lrzip 
0.631 al ...)
+   {DLA-2725-1}
- lrzip 0.631+git180517-1 (unimportant; bug #863155)
NOTE: https://github.com/ckolivas/lrzip/issues/69
NOTE: 
https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-join_pthread-stream-c/
+   NOTE: 
https://github.com/ckolivas/lrzip/commit/cd456aa70e1f9b6769454ab4f8198e1551c33c49
 (v0.640)
NOTE: Crash in CLI tool, no security implications
 CVE-2017-8842 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so 
in lrz ...)
+   {DLA-2725-1}
- lrzip 0.631+git180517-1 (unimportant; bug #863156)
NOTE: https://github.com/ckolivas/lrzip/issues/66
NOTE: 
https://blogs.gentoo.org/ago/2017/05/07/lrzip-divide-by-zero-in-bufreadget-libzpaq-h/
+   NOTE: 
https://github.com/ckolivas/lrzip/commit/38386bd482c0a8102a79958cb3eddcb97a167ca3
 (v0.640)
NOTE: Crash in CLI tool, no security implications
 CVE-2017-8841 (Arbitrary file deletion exists on Peplink Balance 305, 380, 
580, 710,  ...)
NOT-FOR-US: Peplink Balance devices


=
data/DLA/list
=
@@ -753,7 +753,7 @@
{CVE-2020-13933 CVE-2020-17510}
[stretch] - shiro 1.3.2-1+deb9u2
 [01 Aug 2021] DLA-2725-1 lrzip - security update
-   {CVE-2017-8844 CVE-2017-8846 CVE-2017-9928 CVE-2017-9929 CVE-2018-5650 
CVE-2018-5747 CVE-2018-5786 CVE-2018-10685 CVE-2018-11496}
+   {CVE-2017-8842 CVE-2017-8843 CVE-2017-8844 CVE-2017-8845 CVE-2017-8846 
CVE-2017-8847 CVE-2017-9928 CVE-2017-9929 CVE-2018-5650 CVE-2018-5747 
CVE-2018-5786 CVE-2018-10685 CVE-2018-11496}
[stretch] - lrzip 0.631-1+deb9u1
 [01 Aug 2021] DLA-2724-1 condor - security update
{CVE-2019-18823}
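Review bot: the updated CVE set for DLA-2725-1 adds CVE-2017-8842, -8843, -8845 and -8847 to the original nine, which matches exactly the four CVE/list entries that gained `{DLA-2725-1}` above, so the two files stay consistent; of those four only CVE-2017-8843 and CVE-2017-8842 also gain an upstream commit reference `(v0.640)` in this change, while CVE-2017-8847 has no commit reference at all, which is worth a follow-up if the single DLA patch covered it.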



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c602bf6f01541e2b9b8997e4b7726cad0918c115



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1263/linux

2022-04-07 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
975565a6 by Salvatore Bonaccorso at 2022-04-07T18:15:01+02:00
Add CVE-2022-1263/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4,6 +4,12 @@ CVE-2022-28662
RESERVED
 CVE-2022-28661
RESERVED
+CVE-2022-1263 [KVM: x86/mmu: do compare-and-exchange of gPTE via the user 
address]
+   - linux 
+   [buster] - linux  (Vulnerable code not present)
+   [stretch] - linux  (Vulnerable code not present)
+   NOTE: https://www.openwall.com/lists/oss-security/2022/04/07/1
+   NOTE: 
https://git.kernel.org/linus/2a8859f373b0a86f0ece8ec8312607eacf12485d (5.18-rc1)
 CVE-2022-1249 [NULL pointer dereference in cms_set_pw_data()]
- pesign  (Vulnerable code introduced later)
NOTE: https://github.com/rhboot/pesign/pull/79
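Review bot: the "- linux" line for CVE-2022-1263 carries no fixed version as rendered in this hunk, while the upstream fix 2a8859f373b0a86f0ece8ec8312607eacf12485d is already cited with its 5.18-rc1 tag; once a Debian upload carries the backport, that version belongs on the package line. The buster and stretch lines both assert "Vulnerable code not present", but the bracketed title describes the fix (doing the gPTE compare-and-exchange via the user address) rather than the bug, so a NOTE naming the commit that introduced the affected code path, or the affected version range from the oss-security post, would let those two claims be re-verified without re-reading the thread.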



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/975565a681e53e97887e7e52d6ee2b8b83d8e5a5



[Git][security-tracker-team/security-tracker][master] CVE-2017-8844/lrzip: reference patch

2022-04-07 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dff2f462 by Sylvain Beucler at 2022-04-07T17:29:55+02:00
CVE-2017-8844/lrzip: reference patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -309328,6 +309328,7 @@ CVE-2017-8844 (The read_1g function in stream.c in 
liblrzip.so in lrzip 0.631 al
[wheezy] - lrzip  (Minor issue)
NOTE: https://github.com/ckolivas/lrzip/issues/70
NOTE: 
https://blogs.gentoo.org/ago/2017/05/07/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c/
+   NOTE: 
https://github.com/ckolivas/lrzip/commit/dc57230636fe8da068674e1023b2f07c593ec21b
 (v0.640)
 CVE-2017-8843 (The join_pthread function in stream.c in liblrzip.so in lrzip 
0.631 al ...)
- lrzip 0.631+git180517-1 (unimportant; bug #863155)
NOTE: https://github.com/ckolivas/lrzip/issues/69
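Review bot: the added NOTE ties CVE-2017-8844 to upstream commit dc57230636fe8da068674e1023b2f07c593ec21b with a "(v0.640)" marker, but nothing says whether that commit is the fix for the read_1g overflow reported in issue #70 or only a related change, and the entry's "[wheezy] - lrzip (Minor issue)" line is left as it was. State explicitly in the NOTE that the commit fixes the issue, if that is what was established, so the package line can be cross-checked against 0.640 the way the CVE-2017-8843 entry below already pins a concrete fixed version (0.631+git180517-1).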



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dff2f462a7c3e91c2c31ac39b28cf0a00579cbd8



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2971-1 for firefox-esr

2022-04-07 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff98e6a8 by Emilio Pozuelo Monfort at 2022-04-07T10:40:31+02:00
Reserve DLA-2971-1 for firefox-esr

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[07 Apr 2022] DLA-2971-1 firefox-esr - security update
+   {CVE-2022-1097 CVE-2022-1196 CVE-2022-24713 CVE-2022-28281 
CVE-2022-28282 CVE-2022-28285 CVE-2022-28286 CVE-2022-28289}
+   [stretch] - firefox-esr 91.8.0esr-1~deb9u1
 [04 Apr 2022] DLA-2970-1 qemu - security update
{CVE-2021-3593 CVE-2021-3748 CVE-2021-3930 CVE-2021-20196 
CVE-2022-26354}
[stretch] - qemu 1:2.8+dfsg-6+deb9u17
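Review bot: the commit message says "Reserve", yet the DLA-2971-1 entry is already complete, dated 07 Apr 2022 with eight CVE IDs and the fixed version 91.8.0esr-1~deb9u1, so nothing in the file marks it as pending; if the stretch upload is not yet accepted, the entry will advertise the fix early. Also check that each of the eight listed CVEs (CVE-2022-1097, CVE-2022-1196, CVE-2022-24713, CVE-2022-28281, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-28289) has an entry in data/CVE/list, since the advisory cross-references resolve against those.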


=
data/dla-needed.txt
=
@@ -31,8 +31,6 @@ debian-security-support (Utkarsh)
   NOTE: 20220402: check debian/README.source, sync with h01ger, and announce 
EOL'd packages (Beuc)
   NOTE: 20220402: context: 
https://lists.debian.org/debian-lts/2022/04/msg0.html (Beuc)
 --
-firefox-esr (Emilio)
---
 firmware-nonfree
   NOTE: 20210731: WIP: 
https://salsa.debian.org/lts-team/packages/firmware-nonfree
   NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding 
possible "ignore" tag



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff98e6a84b0452819a0624cf51485e1c33da2734
