[Git][security-tracker-team/security-tracker][master] Add Debian bug references for CVE-2022-1271
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 11c89875 by Salvatore Bonaccorso at 2022-04-08T07:02:09+02:00 Add Debian bug references for CVE-2022-1271 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,8 +5,8 @@ CVE-2022-28662 CVE-2022-28661 RESERVED CVE-2022-1271 - - xz-utils - - gzip + - xz-utils (bug #1009167) + - gzip (bug #1009168) NOTE: https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch NOTE: https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6 NOTE: https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11c89875f65cda872a68e0287e0ddbfe0877f575 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11c89875f65cda872a68e0287e0ddbfe0877f575 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
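Review bot: the hunk adds bug references but the entry still has no fixed Debian version for either package, and no [bullseye]/[buster] triage lines, so both stable suites are listed as affected with no decision recorded; once the xz-utils and gzip uploads land, the lines need the version appended in the form used elsewhere in this file (compare `- bluez 5.64-1 (bug #1003712)` in commit c344467a), and the suite decisions should be added alongside.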
[Git][security-tracker-team/security-tracker][master] Track upstream commits for gzip issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9335e9a8 by Salvatore Bonaccorso at 2022-04-08T06:59:34+02:00 Track upstream commits for gzip issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10,6 +10,13 @@ CVE-2022-1271 NOTE: https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch NOTE: https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6 NOTE: https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html + NOTE: https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c (v1.12) + NOTE: https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=d74a30d45c6834c8e9f87115197370fe86656d81 (v1.12) + NOTE: https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a (v1.12) + NOTE: https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=6543c09c6ecfb1630085d440b76511953bc5a2cb (v1.12) + NOTE: https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=0e2d07fc2c4393cfb9dbab580d0bee4525b9c9b3 (v1.12) + NOTE: https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=5e1fc8b92c1af9382365aef0f9130341ee1d2c76 (v1.12) + NOTE: https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=9d3248751178939713a39115cf68ec8a11506cc9 (v1.12) NOTE: https://www.openwall.com/lists/oss-security/2022/04/07/8 CVE-2022-1263 - linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9335e9a89c0caa2948b214a224d13c733feb8509 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9335e9a89c0caa2948b214a224d13c733feb8509 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
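Review bot: all seven new NOTE lines are gzip commits tagged (v1.12), but the entry covers both xz-utils and gzip and nothing in it says which NOTE belongs to which package; a short prefix on the NOTE text, or one summary NOTE stating that the gzip fix is this set of v1.12 commits while the xz fix is the single 69d1b3fc commit, would keep the two fix sets apart. The xz commit NOTE also lacks the (version) tag that every gzip commit carries.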
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1271/{xz-utils,gzip}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 62759507 by Salvatore Bonaccorso at 2022-04-08T06:42:31+02:00 Add CVE-2022-1271/{xz-utils,gzip} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4,6 +4,13 @@ CVE-2022-28662 RESERVED CVE-2022-28661 RESERVED +CVE-2022-1271 + - xz-utils + - gzip + NOTE: https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch + NOTE: https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6 + NOTE: https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html + NOTE: https://www.openwall.com/lists/oss-security/2022/04/07/8 CVE-2022-1263 - linux NOTE: https://www.openwall.com/lists/oss-security/2022/04/07/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62759507fcc12ea64fb577b71715507366cddd94 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62759507fcc12ea64fb577b71715507366cddd94 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
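Review bot: the new entry has no bracketed short description after the CVE id, unlike the CVE-2022-1263 line added in commit 975565a6 in the same batch, so a reader gets no hint that this is the xzgrep issue beyond the patch file name in the first NOTE; suggest adding one. The entry also carries no [bullseye]/[buster] triage lines and no bug references (the latter were added afterwards in 11c89875).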
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-24785/node-moment
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 69427aea by Salvatore Bonaccorso at 2022-04-08T06:24:09+02:00 Add CVE-2022-24785/node-moment - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10467,7 +10467,9 @@ CVE-2022-24787 (Vyper is a Pythonic Smart Contract Language for the Ethereum Vir CVE-2022-24786 RESERVED CVE-2022-24785 (Moment.js is a JavaScript date library for parsing, validating, manipu ...) - TODO: check + - node-moment + NOTE: https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4 + NOTE: https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5 (2.29.2) CVE-2022-24784 (Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and ...) NOT-FOR-US: Statamic CVE-2022-24783 (Deno is a runtime for JavaScript and TypeScript. The versions of Deno ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69427aea7eab3e68e703402dd7972aba2cc9c609 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69427aea7eab3e68e703402dd7972aba2cc9c609 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
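Review bot: the `- node-moment` line carries neither a fixed Debian version nor a bug reference, so the entry gives no way to follow the fix into the archive; the usual form on this page pairs a package with a bug number (`- node-urijs (bug #902083)` in the context of commit 29bce8b7) or with a version once uploaded. The GHSA advisory and the upstream fix commit tagged (2.29.2) are referenced, which is good; a [bullseye]/[buster] decision is still missing.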
[Git][security-tracker-team/security-tracker][master] Fixes for samba previously in experimental landed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3655f091 by Salvatore Bonaccorso at 2022-04-08T06:22:00+02:00 Fixes for samba previously in experimental landed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14091,7 +14091,7 @@ CVE-2022-0337 CVE-2022-0336 [Samba AD users with permission to write to an account can impersonate arbitrary services] RESERVED [experimental] - samba 2:4.16.0+dfsg-1 - - samba (bug #1004694) + - samba 2:4.16.0+dfsg-2 (bug #1004694) [bullseye] - samba 2:4.13.13+dfsg-1~deb11u3 [buster] - samba (Minor issue; affects Samba as AD DC) NOTE: https://www.samba.org/samba/security/CVE-2022-0336.html @@ -26112,7 +26112,7 @@ CVE-2021-44143 (A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to CVE-2021-44142 (The Samba vfs_fruit module uses extended file attributes (EA, xattr) t ...) {DSA-5071-1} [experimental] - samba 2:4.16.0+dfsg-1 - - samba (bug #1004693) + - samba 2:4.16.0+dfsg-2 (bug #1004693) NOTE: https://www.samba.org/samba/security/CVE-2021-44142.html NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14914 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-244/ @@ -26120,7 +26120,7 @@ CVE-2021-44142 (The Samba vfs_fruit module uses extended file attributes (EA, xa NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-246/ CVE-2021-44141 (All versions of Samba prior to 4.15.5 are vulnerable to a malicious cl ...) [experimental] - samba 2:4.16.0+dfsg-1 - - samba (bug #1004692) + - samba 2:4.16.0+dfsg-2 (bug #1004692) [bullseye] - samba (Minor issue; no backport to older versions, mitigations exists) [buster] - samba (Minor issue; no backport to older versions, mitigations exists) NOTE: https://www.samba.org/samba/security/CVE-2021-44141.html 
@@ -28851,7 +28851,7 @@ CVE-2021-43567 RESERVED CVE-2021-43566 (All versions of Samba prior to 4.13.16 are vulnerable to a malicious c ...) [experimental] - samba 2:4.16.0+dfsg-1 - - samba (bug #1004691) + - samba 2:4.16.0+dfsg-2 (bug #1004691) [bullseye] - samba (Minor issue; no backport to older versions, mitigations exists) [buster] - samba (Minor issue; no backport to older versions, mitigations exists) NOTE: https://www.samba.org/samba/security/CVE-2021-43566.html @@ -90393,7 +90393,7 @@ CVE-2021-20317 (A flaw was found in the Linux kernel. A corrupted timer tree cau CVE-2021-20316 RESERVED [experimental] - samba 2:4.16.0+dfsg-1 - - samba (bug #1004690) + - samba 2:4.16.0+dfsg-2 (bug #1004690) [bullseye] - samba (Minor issue; no backport to older versions, mitigations exists) [buster] - samba (Minor issue; no backport to older versions, mitigations exists) NOTE: https://www.samba.org/samba/security/CVE-2021-20316.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3655f0914b372133148e110140fe52fab81b5e65 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3655f0914b372133148e110140fe52fab81b5e65 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
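Review bot: each of the five hunks now records 2:4.16.0+dfsg-2 as the unstable fix while keeping the `[experimental] - samba 2:4.16.0+dfsg-1` line above it, so every entry lists a lower experimental version than the unstable one; check whether the experimental marker is meant to stay once unstable carries a newer fixed version, and drop it if not, since the five bug references (#1004690 to #1004694) and the commit message already document the experimental-to-unstable path.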
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-0204/bluez via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c344467a by Salvatore Bonaccorso at 2022-04-07T23:27:27+02:00 Track fixed version for CVE-2022-0204/bluez via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16329,7 +16329,7 @@ CVE-2022-0206 (The NewStatPress WordPress plugin before 1.3.6 does not properly CVE-2022-0205 (The YOP Poll WordPress plugin before 6.3.5 does not sanitise and escap ...) NOT-FOR-US: WordPress plugin CVE-2022-0204 (A heap overflow vulnerability was found in bluez in versions prior to ...) - - bluez (bug #1003712) + - bluez 5.64-1 (bug #1003712) [bullseye] - bluez (Minor issue) [buster] - bluez (Minor issue) [stretch] - bluez (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c344467aaa56de0e624da2c44c4d4c3057dfe1b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c344467aaa56de0e624da2c44c4d4c3057dfe1b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
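Review bot: the hunk records bluez 5.64-1 as the fix but the entry references no upstream commit, unlike the gzip and cmark-gfm entries elsewhere in this batch, which carry commit NOTE lines with a version tag; with bullseye, buster and stretch all marked "(Minor issue)", a pointer to the actual heap-overflow fix would let a later reviewer verify that those no-dsa decisions still hold.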
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for chromium
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 98072768 by Salvatore Bonaccorso at 2022-04-07T23:06:37+02:00 Reserve DSA number for chromium - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[07 Apr 2022] DSA-5114-1 chromium - security update + {CVE-2022-1232} + [bullseye] - chromium 100.0.4896.75-1~deb11u1 [06 Apr 2022] DSA-5113-1 firefox-esr - security update {CVE-2022-1097 CVE-2022-1196 CVE-2022-24713 CVE-2022-28281 CVE-2022-28282 CVE-2022-28285 CVE-2022-28286 CVE-2022-28289} [buster] - firefox-esr 91.8.0esr-1~deb10u1 = data/dsa-needed.txt = @@ -16,8 +16,6 @@ asterisk/oldstable -- cacti -- -chromium (carnil) --- condor/oldstable -- fish/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98072768f861cdbc3c05e9950d4d0ad7baf9aeb0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98072768f861cdbc3c05e9950d4d0ad7baf9aeb0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
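Review bot: the DSA-5114-1 entry adds {CVE-2022-1232} on the advisory side only; the matching {DSA-5114-1} marker on the CVE-2022-1232 entry in data/CVE/list is not part of this commit, and as the automatic update 73028002 shows for DLA-2971-1, that cross-reference is filled in by the bot later, so verify it appears before the advisory is sent. The dsa-needed.txt removal mirrors the `chromium (carnil)` line added in c72feb07 two hours earlier.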
[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2022-24724
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 29bce8b7 by Salvatore Bonaccorso at 2022-04-07T22:26:28+02:00 Add reference for CVE-2022-24724 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10656,6 +10656,7 @@ CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference implem NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x NOTE: https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.3 NOTE: https://github.com/github/cmark-gfm/commit/ac80f7b56522ffa158e1f0c14a611ffccacd4027 (0.29.0.gfm.3) + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2258 CVE-2022-24723 (URI.js is a Javascript URL mutation library. Before version 1.19.9, wh ...) - node-urijs (bug #902083) NOTE: https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316 (v1.19.9) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29bce8b789cbd76cfdc7241fca2b6677b9f6aae2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29bce8b789cbd76cfdc7241fca2b6677b9f6aae2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove ignored tag from CVE-2016-9318 for stretch
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a010e71 by Anton Gladky at 2022-04-07T22:24:49+02:00 Remove ignored tag from CVE-2016-9318 for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -335597,7 +335597,6 @@ CVE-2016-9318 (libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier a [experimental] - libxml2 2.9.8+dfsg-1 - libxml2 2.9.10+dfsg-2 (bug #844581) [buster] - libxml2 (Minor issue; intrusive to backport) - [stretch] - libxml2 (Minor issue; intrusive to backport) [jessie] - libxml2 (Minor issue; intrusive to backport) [wheezy] - libxml2 (Minor issue) NOTE: Upstream Bug: https://bugzilla.gnome.org/show_bug.cgi?id=772726 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a010e711b3190d8bdc79505c079a1b5dd56f984 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a010e711b3190d8bdc79505c079a1b5dd56f984 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
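Review bot: the line removed is a plain `[stretch] - libxml2 (Minor issue; intrusive to backport)` no-dsa marker, not an explicit <ignored> tag as the commit message says, and removing it leaves stretch with no fixed version and no recorded decision while buster, jessie and wheezy keep theirs; if a stretch LTS update is planned, a dla-needed.txt entry or a NOTE stating that should accompany this change, otherwise the commit message should name what is actually being removed.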
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 73028002 by security tracker role at 2022-04-07T20:10:24+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -881,7 +881,7 @@ CVE-2022-28290 RESERVED CVE-2022-28289 RESERVED - {DSA-5113-1} + {DSA-5113-1 DLA-2971-1} - firefox 99.0-1 - firefox-esr 91.8.0esr-1 - thunderbird 1:91.8.0-1 @@ -898,7 +898,7 @@ CVE-2022-28287 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/#CVE-2022-28287 CVE-2022-28286 RESERVED - {DSA-5113-1} + {DSA-5113-1 DLA-2971-1} - firefox 99.0-1 - firefox-esr 91.8.0esr-1 - thunderbird 1:91.8.0-1 @@ -907,7 +907,7 @@ CVE-2022-28286 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/#CVE-2022-28286 CVE-2022-28285 RESERVED - {DSA-5113-1} + {DSA-5113-1 DLA-2971-1} - firefox 99.0-1 - firefox-esr 91.8.0esr-1 - thunderbird 1:91.8.0-1 @@ -924,7 +924,7 @@ CVE-2022-28283 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/#CVE-2022-28283 CVE-2022-28282 RESERVED - {DSA-5113-1} + {DSA-5113-1 DLA-2971-1} - firefox 99.0-1 - firefox-esr 91.8.0esr-1 - thunderbird 1:91.8.0-1 @@ -933,7 +933,7 @@ CVE-2022-28282 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/#CVE-2022-28282 CVE-2022-28281 RESERVED - {DSA-5113-1} + {DSA-5113-1 DLA-2971-1} - firefox 99.0-1 - firefox-esr 91.8.0esr-1 - thunderbird 1:91.8.0-1 @@ -956,7 +956,7 @@ CVE-2022-1197 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/#CVE-2022-1197 CVE-2022-1196 RESERVED - {DSA-5113-1} + {DSA-5113-1 DLA-2971-1} - firefox-esr 91.8.0esr-1 - thunderbird 1:91.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/#CVE-2022-1196 @@ -2226,7 +2226,7 @@ CVE-2022-26064 RESERVED CVE-2022-1097 RESERVED - {DSA-5113-1} + {DSA-5113-1 DLA-2971-1} - firefox 99.0-1 - firefox-esr 91.8.0esr-1 - thunderbird 1:91.8.0-1 
@@ -10693,7 +10693,7 @@ CVE-2022-24714 (Icinga Web 2 is an open source monitoring web interface, framewo NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf NOTE: https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293 CVE-2022-24713 (regex is an implementation of regular expressions for the Rust languag ...) - {DSA-5113-1} + {DSA-5113-1 DLA-2971-1} - firefox 99.0-1 - firefox-esr 91.8.0esr-1 - thunderbird 1:91.8.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7302800285d4b1800beef5c71ca9bbf93a1aec3d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7302800285d4b1800beef5c71ca9bbf93a1aec3d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
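Review bot: the eight hunks add DLA-2971-1 to exactly the CVEs listed in the data/DLA/list entry reserved in ff98e6a8 (CVE-2022-1097, CVE-2022-1196, CVE-2022-24713, CVE-2022-28281, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-28289), so the cross-references are complete. One thing worth a look: CVE-2022-24713 is described as the regex implementation for Rust, yet the visible package lines on that entry are only firefox, firefox-esr and thunderbird; if the standalone regex crate is packaged, it needs its own line on that entry.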
[Git][security-tracker-team/security-tracker][master] Correct tracking for CVE-2022-1263/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e7c2eb4f by Salvatore Bonaccorso at 2022-04-07T21:42:56+02:00 Correct tracking for CVE-2022-1263/linux Fixes: 975565a681e5 (Add CVE-2022-1263/linux) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4,12 +4,10 @@ CVE-2022-28662 RESERVED CVE-2022-28661 RESERVED -CVE-2022-1263 [KVM: x86/mmu: do compare-and-exchange of gPTE via the user address] +CVE-2022-1263 - linux - [buster] - linux (Vulnerable code not present) - [stretch] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2022/04/07/1 - NOTE: https://git.kernel.org/linus/2a8859f373b0a86f0ece8ec8312607eacf12485d (5.18-rc1) + NOTE: https://www.spinics.net/lists/kvm/msg273052.html CVE-2022-1249 [NULL pointer dereference in cms_set_pw_data()] - pesign (Vulnerable code introduced later) NOTE: https://github.com/rhboot/pesign/pull/79 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7c2eb4fcdd9dad2a9aba710de5a4bb9fafacc00 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7c2eb4fcdd9dad2a9aba710de5a4bb9fafacc00 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
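Review bot: after this hunk the entry is a bare `- linux` with no description, no fixed version and no [buster]/[stretch] decision, and the kernel commit NOTE was replaced by a mailing-list thread, so the corrected entry says less than the one it corrects; since the commit message only states that the earlier mapping (975565a6) was wrong, a bracketed short description and a NOTE on what the issue actually is, and why the older suites are no longer marked as not having the vulnerable code, would make the correction self-explanatory.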
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26612/hadoop
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b70c8349 by Salvatore Bonaccorso at 2022-04-07T21:33:18+02:00 Add CVE-2022-26612/hadoop - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5487,6 +5487,7 @@ CVE-2022-26613 RESERVED CVE-2022-26612 RESERVED + - hadoop (bug #793644) CVE-2022-26611 RESERVED CVE-2022-26610 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b70c8349d9c3a256832f1c97832c2b296e2a8ced -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b70c8349d9c3a256832f1c97832c2b296e2a8ced You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
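Review bot: bug #793644 is several years older than the other bug references in this batch (#1004690 onward), which suggests it is the long-standing packaging request for hadoop rather than a bug against a package in the archive; if so, the `<itp>` marker the tracker uses for not-yet-packaged software belongs on the line, otherwise the entry reads as an open issue in a shipped package.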
[Git][security-tracker-team/security-tracker][master] Remove todo entry for CVE-2021-4207, CVE situation clarified
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2917883 by Salvatore Bonaccorso at 2022-04-07T21:26:38+02:00 Remove todo entry for CVE-2021-4207, CVE situation clarified Red Hat confirmed that the assigned CVE-2021-4207 is the correct one and the blog entry from starlabs got updated as well. Link: https://bugzilla.redhat.com/show_bug.cgi?id=2036966#c8 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16223,7 +16223,6 @@ CVE-2021-4207 - qemu NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036966 NOTE: https://starlabs.sg/advisories/22-4207/ - TODO: starlabs.sg and RH Bugzilla entry disagree on the CVE identifier (2022 vs 2021) CVE-2021-4206 RESERVED - qemu View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d29178834c4d7e2847ce9c8591b496e60b77a42b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d29178834c4d7e2847ce9c8591b496e60b77a42b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
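Review bot: the resolution given in the commit message (Red Hat confirmed CVE-2021-4207 is the correct id and starlabs updated its advisory) only survives in git history once the TODO line about the 2021-vs-2022 disagreement is deleted; a NOTE pointing at https://bugzilla.redhat.com/show_bug.cgi?id=2036966#c8 would keep the reasoning next to the entry. The same applies to the sibling commit 4b834f32 for CVE-2021-4206 and its #c7 link.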
[Git][security-tracker-team/security-tracker][master] Remove todo item for CVE-2021-4206
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b834f32 by Salvatore Bonaccorso at 2022-04-07T21:25:54+02:00 Remove todo item for CVE-2021-4206 Confirmed that the 2021 CVE was the correct one and starlabs updated the blog entry as well. Link: https://bugzilla.redhat.com/show_bug.cgi?id=2036998#c7 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16229,7 +16229,6 @@ CVE-2021-4206 - qemu NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036998 NOTE: https://starlabs.sg/advisories/22-4206/ - TODO: starlabs.sg and RH Bugzilla entry disagree on the CVE identifier (2022 vs 2021) CVE-2021-4205 RESERVED CVE-2021-31567 (Authenticated (admin+) Arbitrary File Download vulnerability discovere ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b834f32b91897eaa4169dd18ffd3635eea66111 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b834f32b91897eaa4169dd18ffd3635eea66111 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cf7ed91 by Henri Salo at 2022-04-07T22:12:05+03:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3844,8 +3844,10 @@ CVE-2022-27222 RESERVED CVE-2022-0993 RESERVED + NOT-FOR-US: WordPress plugin CVE-2022-0992 RESERVED + NOT-FOR-US: WordPress plugin CVE-2022-0991 (Insufficient Session Expiration in GitHub repository admidio/admidio p ...) NOT-FOR-US: admidio CVE-2022-0990 (Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calib ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cf7ed9135f222d59f38cfb311009b4c7419fd0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cf7ed9135f222d59f38cfb311009b4c7419fd0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c72feb07 by Salvatore Bonaccorso at 2022-04-07T21:10:07+02:00 Add chromium to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -16,6 +16,8 @@ asterisk/oldstable -- cacti -- +chromium (carnil) +-- condor/oldstable -- fish/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72feb0797aaf5b69f5eaac9fd4850cd98fffb38 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72feb0797aaf5b69f5eaac9fd4850cd98fffb38 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lrzip: reference CVE-2017-884X unimportant issues fixed by DLA single patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: c602bf6f by Sylvain Beucler at 2022-04-07T18:21:02+02:00 lrzip: reference CVE-2017-884X unimportant issues fixed by DLA single patch - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -309310,6 +309310,7 @@ CVE-2017-8849 (smb4k before 2.0.1 allows local users to gain root privileges by CVE-2017-8848 (Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a pa ...) NOT-FOR-US: Allen Disk CVE-2017-8847 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrz ...) + {DLA-2725-1} - lrzip 0.631+git180517-1 (unimportant; bug #863145) NOTE: https://github.com/ckolivas/lrzip/issues/67 NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-bufreadget-libzpaq-h/ @@ -309322,6 +309323,7 @@ CVE-2017-8846 (The read_stream function in stream.c in liblrzip.so in lrzip 0.63 NOTE: https://github.com/ckolivas/lrzip/issues/71 NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-use-after-free-in-read_stream-stream-c/ CVE-2017-8845 (The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in lr ...) + {DLA-2725-1} - lrzip 0.631+git180517-1 (unimportant; bug #863151) NOTE: https://github.com/ckolivas/lrzip/issues/68 NOTE: https://github.com/ckolivas/lrzip/commit/89d7b33e6a6450eed326b40084b547d42bad333f 
@@ -309336,14 +309338,18 @@ CVE-2017-8844 (The read_1g function in stream.c in liblrzip.so in lrzip 0.631 al NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c/ NOTE: https://github.com/ckolivas/lrzip/commit/dc57230636fe8da068674e1023b2f07c593ec21b (v0.640) CVE-2017-8843 (The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 al ...) + {DLA-2725-1} - lrzip 0.631+git180517-1 (unimportant; bug #863155) NOTE: https://github.com/ckolivas/lrzip/issues/69 NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-join_pthread-stream-c/ + NOTE: https://github.com/ckolivas/lrzip/commit/cd456aa70e1f9b6769454ab4f8198e1551c33c49 (v0.640) NOTE: Crash in CLI tool, no security implications CVE-2017-8842 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrz ...) + {DLA-2725-1} - lrzip 0.631+git180517-1 (unimportant; bug #863156) NOTE: https://github.com/ckolivas/lrzip/issues/66 NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-divide-by-zero-in-bufreadget-libzpaq-h/ + NOTE: https://github.com/ckolivas/lrzip/commit/38386bd482c0a8102a79958cb3eddcb97a167ca3 (v0.640) NOTE: Crash in CLI tool, no security implications CVE-2017-8841 (Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, ...) NOT-FOR-US: Peplink Balance devices = data/DLA/list = 
@@ -753,7 +753,7 @@ {CVE-2020-13933 CVE-2020-17510} [stretch] - shiro 1.3.2-1+deb9u2 [01 Aug 2021] DLA-2725-1 lrzip - security update - {CVE-2017-8844 CVE-2017-8846 CVE-2017-9928 CVE-2017-9929 CVE-2018-5650 CVE-2018-5747 CVE-2018-5786 CVE-2018-10685 CVE-2018-11496} + {CVE-2017-8842 CVE-2017-8843 CVE-2017-8844 CVE-2017-8845 CVE-2017-8846 CVE-2017-8847 CVE-2017-9928 CVE-2017-9929 CVE-2018-5650 CVE-2018-5747 CVE-2018-5786 CVE-2018-10685 CVE-2018-11496} [stretch] - lrzip 0.631-1+deb9u1 [01 Aug 2021] DLA-2724-1 condor - security update {CVE-2019-18823} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c602bf6f01541e2b9b8997e4b7726cad0918c115 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c602bf6f01541e2b9b8997e4b7726cad0918c115 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
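Review bot: the data/DLA/list hunk adds four CVEs (CVE-2017-8842, CVE-2017-8843, CVE-2017-8845, CVE-2017-8847) to an advisory dated 01 Aug 2021, so the recorded CVE set no longer matches what DLA-2725-1 announced; the commit message explains that the single patch covered them, but nothing in the data does, so a NOTE on those four entries saying they were fixed by the same DLA-2725-1 patch would explain the retroactive tagging. Note also that the {DLA-2725-1} markers now sit on entries rated unimportant with "Crash in CLI tool, no security implications", which matches the subject line but is worth stating explicitly so the pairing of an unimportant rating with an advisory reference is not read as a mistake.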
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1263/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 975565a6 by Salvatore Bonaccorso at 2022-04-07T18:15:01+02:00 Add CVE-2022-1263/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4,6 +4,12 @@ CVE-2022-28662 RESERVED CVE-2022-28661 RESERVED +CVE-2022-1263 [KVM: x86/mmu: do compare-and-exchange of gPTE via the user address] + - linux + [buster] - linux (Vulnerable code not present) + [stretch] - linux (Vulnerable code not present) + NOTE: https://www.openwall.com/lists/oss-security/2022/04/07/1 + NOTE: https://git.kernel.org/linus/2a8859f373b0a86f0ece8ec8312607eacf12485d (5.18-rc1) CVE-2022-1249 [NULL pointer dereference in cms_set_pw_data()] - pesign (Vulnerable code introduced later) NOTE: https://github.com/rhboot/pesign/pull/79 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/975565a681e53e97887e7e52d6ee2b8b83d8e5a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/975565a681e53e97887e7e52d6ee2b8b83d8e5a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
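Review bot: the kernel commit tagged (5.18-rc1) and the two "Vulnerable code not present" lines were withdrawn in the follow-up commit e7c2eb4f, whose message states that this mapping was incorrect; for kernel CVEs taken from an oss-security post, the fix commit should be cross-checked against the post before the buster/stretch decisions are recorded, since those decisions rest entirely on which commit is assumed to be the fix.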
[Git][security-tracker-team/security-tracker][master] CVE-2017-8844/lrzip: reference patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: dff2f462 by Sylvain Beucler at 2022-04-07T17:29:55+02:00 CVE-2017-8844/lrzip: reference patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -309328,6 +309328,7 @@ CVE-2017-8844 (The read_1g function in stream.c in liblrzip.so in lrzip 0.631 al [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/70 NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c/ + NOTE: https://github.com/ckolivas/lrzip/commit/dc57230636fe8da068674e1023b2f07c593ec21b (v0.640) CVE-2017-8843 (The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 al ...) - lrzip 0.631+git180517-1 (unimportant; bug #863155) NOTE: https://github.com/ckolivas/lrzip/issues/69 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dff2f462a7c3e91c2c31ac39b28cf0a00579cbd8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dff2f462a7c3e91c2c31ac39b28cf0a00579cbd8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2971-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: ff98e6a8 by Emilio Pozuelo Monfort at 2022-04-07T10:40:31+02:00 Reserve DLA-2971-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Apr 2022] DLA-2971-1 firefox-esr - security update + {CVE-2022-1097 CVE-2022-1196 CVE-2022-24713 CVE-2022-28281 CVE-2022-28282 CVE-2022-28285 CVE-2022-28286 CVE-2022-28289} + [stretch] - firefox-esr 91.8.0esr-1~deb9u1 [04 Apr 2022] DLA-2970-1 qemu - security update {CVE-2021-3593 CVE-2021-3748 CVE-2021-3930 CVE-2021-20196 CVE-2022-26354} [stretch] - qemu 1:2.8+dfsg-6+deb9u17 = data/dla-needed.txt = @@ -31,8 +31,6 @@ debian-security-support (Utkarsh) NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc) NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg0.html (Beuc) -- -firefox-esr (Emilio) --- firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff98e6a84b0452819a0624cf51485e1c33da2734 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff98e6a84b0452819a0624cf51485e1c33da2734 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits