[Git][security-tracker-team/security-tracker][master] Expand TODO item for four CVEs, unclear if specific to OpenAnolis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d1bf2526 by Salvatore Bonaccorso at 2022-09-09T23:13:49+02:00 Expand TODO item for four CVEs, unclear if specific to OpenAnolis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -415,15 +415,15 @@ CVE-2022-40139 CVE-2022-40138 RESERVED CVE-2022-40133 (A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf ...) - TODO: check + TODO: check, specific to OpenAnolis? CVE-2022-38457 (A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res ...) - TODO: check + TODO: check, specific to OpenAnolis? CVE-2022-38096 (A NULL pointer dereference vulnerability was found in vmwgfx driver in ...) - TODO: check + TODO: check, specific to OpenAnolis? CVE-2022-36402 RESERVED CVE-2022-36280 (An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx ...) - TODO: check + TODO: check, specific to OpenAnolis? CVE-2022-3147 (Mattermost version 7.0.x and earlier fails to sufficiently limit the i ...) - mattermost-server (bug #823556) CVE-2022-3146 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1bf25267f2b15f010cd92b0f41e5c7745a86222 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1bf25267f2b15f010cd92b0f41e5c7745a86222 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
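Review bot: the four vmwgfx entries (CVE-2022-40133, CVE-2022-38457, CVE-2022-38096, CVE-2022-36280) remain open TODO items with no package line, and the question appended to each gives the next triager nothing to verify against. Record the reference that raised the OpenAnolis suspicion as a `NOTE:` line under each entry, the way the other hunks on this page cite Red Hat bugzilla and kernel.org commits, so the question can be settled without re-deriving it.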
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2022-3077 and CVE-2022-2873
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b7e029b by Salvatore Bonaccorso at 2022-09-09T22:58:23+02:00 Update information on CVE-2022-3077 and CVE-2022-2873 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2721,7 +2721,11 @@ CVE-2022-3078 (An issue was discovered in the Linux kernel through 5.16-rc6. The [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/e6a21a14106d9718aa4f8e115b1e474888eeba44 (5.18-rc1) CVE-2022-3077 (A buffer overflow vulnerability was found in the Linux kernel Intel ...) - TODO: check + - linux 5.18.2-1 + [bullseye] - linux (Vulnerable code introduced later) + [buster] - linux (Vulnerable code introduced later) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2123309 + NOTE: https://git.kernel.org/linus/690b2549b19563ec5ad53e5c82f6a944d910086e (5.19-rc1) CVE-2022-3076 RESERVED CVE-2022-3075 
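Review bot: in the CVE-2022-3077 hunk the fixed version `- linux 5.18.2-1` sits next to a fix commit annotated `(5.19-rc1)`; a fix that first landed in 5.19-rc1 can only be in 5.18.2-1 if it was backported into the 5.18.y stable series, and the entry does not say so. Add the stable backport reference (or correct the version) so the fixed version and the two "Vulnerable code introduced later" suite lines agree with each other. These three lines are the ones removed verbatim from CVE-2022-2873 in the next hunk, so their justification should be checked against the CVE-2022-3077 bugzilla rather than inherited from the entry they came from.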
@@ -4798,10 +4802,9 @@ CVE-2022-2874 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9. NOTE: https://github.com/vim/vim/commit/4875d6ab068f09df88d24d81de40dcd8d56e243d (v9.0.0224) NOTE: Crash in CLI tool, no security impact CVE-2022-2873 (An out-of-bounds memory access flaw was found in the Linux kernel Inte ...) - - linux 5.18.2-1 - [bullseye] - linux (Vulnerable code introduced later) - [buster] - linux (Vulnerable code introduced later) + - linux NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2119048 + NOTE: https://lore.kernel.org/lkml/20220729093451.551672-1-zheyum...@gmail.com/T/ CVE-2022-2872 RESERVED CVE-2022-2871 (Cross-site Scripting (XSS) - Stored in GitHub repository notrinos/notr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b7e029b98310f21b69431dd6e8592ac1f133124 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b7e029b98310f21b69431dd6e8592ac1f133124 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
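Review bot: the CVE-2022-2873 hunk replaces the versioned entry and both "Vulnerable code introduced later" lines with a bare `- linux`, which makes every suite, bullseye and buster included, count as affected with no fix version; if the suite annotations were simply attached to the wrong CVE (they reappear under CVE-2022-3077 in the previous hunk), a short NOTE saying so would stop the next reader from re-adding them. The added lore.kernel.org link shows an elided address (`zheyum...@gmail.com`); if that elision is in the committed data rather than in this mail rendering, the URL will not resolve and the full Message-Id form should be used.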
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3169/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: acd6ce74 by Salvatore Bonaccorso at 2022-09-09T22:49:38+02:00 Add CVE-2022-3169/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -172,7 +172,9 @@ CVE-2022-40239 CVE-2022-40238 RESERVED CVE-2022-3169 (A flaw was found in the Linux kernel. A denial of service flaw may occ ...) - TODO: check + - linux + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2125341 + NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=214771 CVE-2022-3168 RESERVED CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acd6ce74bef9fe620617ff95aa6061b8d9fd5881 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acd6ce74bef9fe620617ff95aa6061b8d9fd5881 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
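Review bot: CVE-2022-3169 goes from TODO to a bare `- linux` with two bug-tracker links and no fix commit, so the entry now asserts "affected everywhere, no fixed version" without telling a reader whether an upstream fix exists. Add the upstream commit as a `NOTE:` with its tag in parentheses (the convention used for the other kernel entries on this page) once it is identified, or a NOTE that no fix is available yet.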
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3147/mattermost-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f4f8c099 by Salvatore Bonaccorso at 2022-09-09T22:39:59+02:00 Add CVE-2022-3147/mattermost-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -423,7 +423,7 @@ CVE-2022-36402 CVE-2022-36280 (An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx ...) TODO: check CVE-2022-3147 (Mattermost version 7.0.x and earlier fails to sufficiently limit the i ...) - TODO: check + - mattermost-server (bug #823556) CVE-2022-3146 RESERVED CVE-2022-3145 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4f8c0994fdbd9ba6eaf684f540fa0f84d4766ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4f8c0994fdbd9ba6eaf684f540fa0f84d4766ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
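Review bot: `- mattermost-server (bug #823556)` cites a bug number far older than every other bug reference on this page (#992046, #1014776, #1014980), which matches the tracker's `<itp> (bug #N)` form for a package that is not in the archive, where N is the ITP bug; since angle-bracket status markers are not visible in this rendering, confirm the committed line reads `- mattermost-server <itp> (bug #823556)` and that #823556 is the mattermost ITP, otherwise the entry would claim a non-existent source package is affected.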
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20f29a7c by Salvatore Bonaccorso at 2022-09-09T22:39:21+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2022-40318 RESERVED CVE-2022-40317 (OpenKM 6.3.11 allows stored XSS related to the javascriptcolon; s ...) - TODO: check + NOT-FOR-US: OpenKM CVE-2022-40316 RESERVED CVE-2022-40315 @@ -216,7 +216,7 @@ CVE-2022-40195 CVE-2022-40194 RESERVED CVE-2022-40191 (Authenticated (subscriber+) Stored Cross-Site Scripting (XSS) vulnerab ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-40189 RESERVED CVE-2022-40132 @@ -232,7 +232,7 @@ CVE-2022-38470 CVE-2022-38460 RESERVED CVE-2022-38144 (Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpFor ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-38140 RESERVED CVE-2022-38139 @@ -260,7 +260,7 @@ CVE-2022-36790 CVE-2022-36388 RESERVED CVE-2022-36356 (Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-36340 RESERVED CVE-2022-36299 @@ -1028,13 +1028,13 @@ CVE-2022-39848 CVE-2022-39847 RESERVED CVE-2022-39846 (DLL hijacking vulnerability in Smart Switch PC prior to version 4.3.22 ...) - TODO: check + NOT-FOR-US: Samstung CVE-2022-39845 (Improper validation of integrity check vulnerability in Samsung Kies p ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39844 (Improper validation of integrity check vulnerability in Smart Switch P ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-3133 (OS Command Injection in GitHub repository jgraph/drawio prior to 20.3. ...) - TODO: check + NOT-FOR-US: jgraph/drawio CVE-2022-3132 RESERVED CVE-2022-3131 
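Review bot: in the hunk starting at line 1028, `NOT-FOR-US: Samstung` for CVE-2022-39846 is a typo; the two entries right below it (CVE-2022-39845, CVE-2022-39844) use `NOT-FOR-US: Samsung`, and that string is what greps and per-vendor grouping key on, so make it `Samsung`.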
@@ -1136,19 +1136,19 @@ CVE-2022-39812 CVE-2022-39811 RESERVED CVE-2022-39810 (An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflect ...) - TODO: check + NOT-FOR-US: WSO2 Enterprise Integrator CVE-2022-39809 (An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflect ...) - TODO: check + NOT-FOR-US: WSO2 Enterprise Integrator CVE-2022-38701 (OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerabili ...) - TODO: check + NOT-FOR-US: OpenHarmony CVE-2022-38700 (OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnera ...) - TODO: check + NOT-FOR-US: OpenHarmony CVE-2022-38081 (OpenHarmony-v3.1.2 and prior versions have a permission bypass vulnera ...) - TODO: check + NOT-FOR-US: OpenHarmony CVE-2022-38064 (OpenHarmony-v3.1.2 and prior versions have a permission bypass vulnera ...) - TODO: check + NOT-FOR-US: OpenHarmony CVE-2022-36423 (OpenHarmony-v3.1.2 and prior versions have an incorrect configuration ...) - TODO: check + NOT-FOR-US: OpenHarmony CVE-2022-3120 (A vulnerability classified as critical was found in SourceCodester Cli ...) NOT-FOR-US: SourceCodester Clinics Patient Management System CVE-2022-3119 @@ -4139,11 +4139,11 @@ CVE-2022-38617 CVE-2022-38616 RESERVED CVE-2022-38615 (SmartVista SVFE2 v2.2.22 was discovered to contain multiple SQL inject ...) - TODO: check + NOT-FOR-US: SmartVista CVE-2022-38614 (An issue in the IGB Files and OutfileService features of SmartVista Ca ...) - TODO: check + NOT-FOR-US: SmartVista CVE-2022-38613 (A Path Traversal vulnerability in SmartVista Cardgen v3.28.0 allows au ...) - TODO: check + NOT-FOR-US: SmartVista CVE-2022-38612 RESERVED CVE-2022-38611 
@@ -5201,35 +5201,35 @@ CVE-2022-38288 CVE-2022-38287 RESERVED CVE-2022-38286 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/role/list. ...) - TODO: check + NOT-FOR-US: JFinal CMS CVE-2022-38285 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/menu/list. ...) - TODO: check + NOT-FOR-US: JFinal CMS CVE-2022-38284 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/department ...) - TODO: check + NOT-FOR-US: JFinal CMS CVE-2022-38283 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/video/list. ...) - TODO: check + NOT-FOR-US: JFinal CMS CVE-2022-38282 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/videoalbum/ ...) - TODO: check + NOT-FOR-US: JFinal CMS CVE-2022-38281 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/site/list. ...) - TODO: check + NOT-FOR-US: JFinal CMS CVE-2022-38280 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/image/list. ...) - TODO: check + NOT-FOR-US:
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cca8ccb1 by Salvatore Bonaccorso at 2022-09-09T22:32:39+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15976,7 +15976,7 @@ CVE-2022-34167 (IBM CICS TX Standard and Advanced 11.1 is vulnerable to stored c CVE-2022-34166 (IBM CICS TX Standard and Advanced 11.1 is vulnerable to cross-site scr ...) NOT-FOR-US: IBM CVE-2022-34165 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSph ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-34164 (IBM CICS TX 11.1 could allow a local user to impersonate another legit ...) NOT-FOR-US: IBM CVE-2022-34163 (IBM CICS TX 11.1 is vulnerable to HTTP header injection, caused by imp ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cca8ccb10cb3173cf4bf6bdf63297669bb9e89d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cca8ccb10cb3173cf4bf6bdf63297669bb9e89d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aeeae369 by security tracker role at 2022-09-09T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,31 @@ +CVE-2022-40318 + RESERVED +CVE-2022-40317 (OpenKM 6.3.11 allows stored XSS related to the javascriptcolon; s ...) + TODO: check +CVE-2022-40316 + RESERVED +CVE-2022-40315 + RESERVED +CVE-2022-40314 + RESERVED +CVE-2022-40313 + RESERVED +CVE-2022-40309 + RESERVED +CVE-2022-40308 + RESERVED +CVE-2022-40199 + RESERVED +CVE-2022-38975 + RESERVED +CVE-2022-37346 + RESERVED +CVE-2022-3172 + RESERVED +CVE-2022-3171 + RESERVED +CVE-2022-3170 + RESERVED CVE-2022-40307 (An issue was discovered in the Linux kernel through 5.19.8. drivers/fi ...) - linux NOTE: https://git.kernel.org/linus/9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95 @@ -143,8 +171,8 @@ CVE-2022-40239 RESERVED CVE-2022-40238 RESERVED -CVE-2022-3169 - RESERVED +CVE-2022-3169 (A flaw was found in the Linux kernel. A denial of service flaw may occ ...) + TODO: check CVE-2022-3168 RESERVED CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...) @@ -187,8 +215,8 @@ CVE-2022-40195 RESERVED CVE-2022-40194 RESERVED -CVE-2022-40191 - RESERVED +CVE-2022-40191 (Authenticated (subscriber+) Stored Cross-Site Scripting (XSS) vulnerab ...) + TODO: check CVE-2022-40189 RESERVED CVE-2022-40132 @@ -203,8 +231,8 @@ CVE-2022-38470 RESERVED CVE-2022-38460 RESERVED -CVE-2022-38144 - RESERVED +CVE-2022-38144 (Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpFor ...) + TODO: check CVE-2022-38140 RESERVED CVE-2022-38139 @@ -231,8 +259,8 @@ CVE-2022-36790 RESERVED CVE-2022-36388 RESERVED -CVE-2022-36356 - RESERVED +CVE-2022-36356 (Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability ...) + TODO: check CVE-2022-36340 RESERVED CVE-2022-36299 
@@ -384,18 +412,18 @@ CVE-2022-40139 RESERVED CVE-2022-40138 RESERVED -CVE-2022-40133 - RESERVED -CVE-2022-38457 - RESERVED -CVE-2022-38096 - RESERVED +CVE-2022-40133 (A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf ...) + TODO: check +CVE-2022-38457 (A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res ...) + TODO: check +CVE-2022-38096 (A NULL pointer dereference vulnerability was found in vmwgfx driver in ...) + TODO: check CVE-2022-36402 RESERVED -CVE-2022-36280 - RESERVED -CVE-2022-3147 - RESERVED +CVE-2022-36280 (An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx ...) + TODO: check +CVE-2022-3147 (Mattermost version 7.0.x and earlier fails to sufficiently limit the i ...) + TODO: check CVE-2022-3146 RESERVED CVE-2022-3145 @@ -999,14 +1027,14 @@ CVE-2022-39848 RESERVED CVE-2022-39847 RESERVED -CVE-2022-39846 - RESERVED -CVE-2022-39845 - RESERVED -CVE-2022-39844 - RESERVED -CVE-2022-3133 - RESERVED +CVE-2022-39846 (DLL hijacking vulnerability in Smart Switch PC prior to version 4.3.22 ...) + TODO: check +CVE-2022-39845 (Improper validation of integrity check vulnerability in Samsung Kies p ...) + TODO: check +CVE-2022-39844 (Improper validation of integrity check vulnerability in Smart Switch P ...) + TODO: check +CVE-2022-3133 (OS Command Injection in GitHub repository jgraph/drawio prior to 20.3. ...) + TODO: check CVE-2022-3132 RESERVED CVE-2022-3131 
@@ -1107,20 +1135,20 @@ CVE-2022-39812 RESERVED CVE-2022-39811 RESERVED -CVE-2022-39810 - RESERVED -CVE-2022-39809 - RESERVED -CVE-2022-38701 - RESERVED -CVE-2022-38700 - RESERVED -CVE-2022-38081 - RESERVED -CVE-2022-38064 - RESERVED -CVE-2022-36423 - RESERVED +CVE-2022-39810 (An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflect ...) + TODO: check +CVE-2022-39809 (An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflect ...) + TODO: check +CVE-2022-38701 (OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerabili ...) + TODO: check +CVE-2022-38700 (OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnera ...) + TODO: check +CVE-2022-38081 (OpenHarmony-v3.1.2 and prior versions have a permission bypass vulnera ...) + TODO: check +CVE-2022-38064 (OpenHarmony-v3.1.2 and prior versions have a permission bypass vulnera ...) + TODO: check +CVE-2022-36423 (OpenHarmony-v3.1.2 and prior versions have an incorrect configuration ...)
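Review bot: in the first hunk (`@@ -1,3 +1,31 @@`) the imported description for CVE-2022-40317 reads `javascriptcolon; s ...`, which looks like the `javascript:` of the original advisory text arriving with its colon as a named entity minus the ampersand. These description lines are regenerated by the automatic update, so the fix belongs in the import's entity decoding rather than in a hand edit of data/CVE/list; the later NFU commit (20f29a7c) leaving the description untouched is correct.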
[Git][security-tracker-team/security-tracker][master] Fix typo in CVE identifier for unrar-nonfree entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ee4a337a by Salvatore Bonaccorso at 2022-09-09T21:26:58+02:00 Fix typo in CVE identifier for unrar-nonfree entry - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -58,7 +58,7 @@ CVE-2022-21716 [buster] - twisted 18.9.0-3+deb10u1 CVE-2022-24801 [buster] - twisted 18.9.0-3+deb10u1 -CVE-2022-3033 +CVE-2022-30333 [buster] - unrar-nonfree 1:5.6.6-1+deb10u1 CVE-2021-41125 [buster] - python-scrapy 1.5.1-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee4a337a24dafc23fdf015a8b90ca0a23f0bb3ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee4a337a24dafc23fdf015a8b90ca0a23f0bb3ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove two more CVE associated which are untracked for otherwise for twisted
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d62d525 by Salvatore Bonaccorso at 2022-09-09T21:21:16+02:00 Remove two more CVE associated which are untracked for otherwise for twisted - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -48,10 +48,6 @@ CVE-2019-12387 [buster] - twisted 18.9.0-3+deb10u1 CVE-2019-12855 [buster] - twisted 18.9.0-3+deb10u1 -CVE-2019-9514 - [buster] - twisted 18.9.0-3+deb10u1 -CVE-2019-9515 - [buster] - twisted 18.9.0-3+deb10u1 CVE-2020-10108 [buster] - twisted 18.9.0-3+deb10u1 CVE-2020-10109 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d62d5250812a00ab22f87b96fee1d4cf5041c9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d62d5250812a00ab22f87b96fee1d4cf5041c9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
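Review bot: this commit and 8674c9ab immediately before it remove three twisted lines of the same kind (CVE-2019-9511, CVE-2019-9514, CVE-2019-9515) as two separate commits, and the message ("untracked for otherwise") does not say where those IDs are tracked instead. Fold such removals into one commit and state in the message, or in a NOTE in the file, which entry supersedes them, so a reader of data/next-oldstable-point-update.txt can tell the omission is deliberate rather than an oversight.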
[Git][security-tracker-team/security-tracker][master] Remove one entry which does not belong to the source package
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8674c9ab by Salvatore Bonaccorso at 2022-09-09T21:16:58+02:00 Remove one entry which does not belong to the source package - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -48,8 +48,6 @@ CVE-2019-12387 [buster] - twisted 18.9.0-3+deb10u1 CVE-2019-12855 [buster] - twisted 18.9.0-3+deb10u1 -CVE-2019-9511 - [buster] - twisted 18.9.0-3+deb10u1 CVE-2019-9514 [buster] - twisted 18.9.0-3+deb10u1 CVE-2019-9515 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8674c9ab4d70ca86387e9b3fa9cae5f773c8c5dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8674c9ab4d70ca86387e9b3fa9cae5f773c8c5dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] rust-anymap removed from sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a929232 by Moritz Muehlenhoff at 2022-09-09T21:10:30+02:00 rust-anymap removed from sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -77674,8 +77674,8 @@ CVE-2021-38189 (An issue was discovered in the lettre crate before 0.9.6 for Rus CVE-2021-38188 (An issue was discovered in the iced-x86 crate through 1.10.3 for Rust. ...) NOT-FOR-US: Rust crate iced-x86 CVE-2021-38187 (An issue was discovered in the anymap crate through 0.12.1 for Rust. I ...) - - rust-anymap (bug #992046) - [bullseye] - rust-anymap (Minor issue) + - rust-anymap (bug #992046) + [bullseye] - rust-anymap (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0065.html CVE-2021-38186 (An issue was discovered in the comrak crate before 0.10.1 for Rust. It ...) NOT-FOR-US: Rust crate comrak View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a92923249e241c50afd11469e25202951e99cc1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a92923249e241c50afd11469e25202951e99cc1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
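Review bot: as rendered here the two `+` lines are byte-for-byte identical to the two `-` lines they replace, so the actual change is invisible; the commit message says the package left sid, and the tracker expresses that with an angle-bracket marker (`- rust-anymap <removed> (bug #992046)`), which this mail rendering has stripped along with every other `<...>` status marker on this page. Confirm in the repository that the marker is on the unstable line and that the `[bullseye]` line still carries its own status marker, since `(Minor issue)` on its own is a reason, not a status.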
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2020-28589/tinyobjloader
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4262d9bd by Salvatore Bonaccorso at 2022-09-09T17:48:29+02:00 Update information on CVE-2020-28589/tinyobjloader - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -131599,9 +131599,11 @@ CVE-2020-28590 (An out-of-bounds read vulnerability exists in the Obj File Trian NOTE: https://github.com/slic3r/Slic3r/issues/5074 NOTE: Crash in enduser application, no security impact CVE-2020-28589 (An improper array index validation vulnerability exists in the LoadObj ...) + [experimental] - tinyobjloader 2.0.0~rc9+dfsg-1 - tinyobjloader (bug #1014776) [bullseye] - tinyobjloader (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1212 + NOTE: https://github.com/tinyobjloader/tinyobjloader/commit/7ba4b652ee0c5175ec8abf66199e84d88adf11f1 (v2.0.0rc9) CVE-2020-28588 (An information disclosure vulnerability exists in the /proc/pid/syscal ...) - linux 5.9.15-1 [buster] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4262d9bd7cf61c8ecfae238b7612605ef7fc9eff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4262d9bd7cf61c8ecfae238b7612605ef7fc9eff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for two upstream commits for tinyexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b0a9a8f by Salvatore Bonaccorso at 2022-09-09T17:43:12+02:00 Add upstream tag information for two upstream commits for tinyexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -280910,7 +280910,7 @@ CVE-2018-12689 (phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id CVE-2018-12688 (tinyexr 0.9.5 has a segmentation fault in the wav2Decode function. ...) - tinyexr (Fixed with initial upload to the archive, see #1014980) NOTE: https://github.com/syoyo/tinyexr/issues/83 - NOTE: https://github.com/syoyo/tinyexr/commit/6c3b01ff9223036fb1c7a6f1cc2d3a63cc1e7c1d + NOTE: https://github.com/syoyo/tinyexr/commit/6c3b01ff9223036fb1c7a6f1cc2d3a63cc1e7c1d (v1.0.0) CVE-2018-12687 (tinyexr 0.9.5 has an assertion failure in DecodePixelData in tinyexr.h ...) - tinyexr (unimportant) NOTE: https://github.com/syoyo/tinyexr/issues/84 
@@ -282971,7 +282971,7 @@ CVE-2018-12065 (A Local File Inclusion vulnerability in /system/WCore/WHelper.ph CVE-2018-12064 (tinyexr 0.9.5 has a heap-based buffer over-read via tinyexr::ReadChann ...) - tinyexr (Fixed with initial upload to the archive, see #1014980) NOTE: https://github.com/ChijinZ/security_advisories/tree/master/tinyexr_7953aea - NOTE: https://github.com/syoyo/tinyexr/commit/6fd0c1f7575b9119f287fbe5577b2eff41c71bd5 + NOTE: https://github.com/syoyo/tinyexr/commit/6fd0c1f7575b9119f287fbe5577b2eff41c71bd5 (v1.0.0) CVE-2018-12063 (The sell function of a smart contract implementation for Internet Node ...) NOT-FOR-US: Internet Node Token CVE-2018-12062 (The sell function of a smart contract implementation for SwftCoin (SWF ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b0a9a8fe81049768cda7577b8c116b86a39e0bb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b0a9a8fe81049768cda7577b8c116b86a39e0bb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
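Review bot: both added tags read `(v1.0.0)`, which supports the "Fixed with initial upload to the archive" rationale only if the first Debian upload was at least 1.0.0; the CVE-2022-34300 entry on this page is filed against tinyexr 1.0.1 with Debian `1.0.1+dfsg-4`, so the rationale holds, and it would be worth stating the upload version in the parenthesis so the check does not have to be repeated.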
[Git][security-tracker-team/security-tracker][master] Add pull request reference for CVE-2022-34300
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f5cc4d53 by Salvatore Bonaccorso at 2022-09-09T17:42:28+02:00 Add pull request reference for CVE-2022-34300 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15547,6 +15547,7 @@ CVE-2022-34300 (In tinyexr 1.0.1, there is a heap-based buffer over-read in tiny - tinyexr 1.0.1+dfsg-4 (bug #1014980) [bullseye] - tinyexr (Minor issue) NOTE: https://github.com/syoyo/tinyexr/issues/167 + NOTE: https://github.com/syoyo/tinyexr/pull/175 CVE-2022-34299 (There is a heap-based buffer over-read in libdwarf 0.4.0. This issue i ...) - dwarfutils (bug #1014493) [bullseye] - dwarfutils (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5cc4d53af36ebdc67da31d9c532dd6b5821e9ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5cc4d53af36ebdc67da31d9c532dd6b5821e9ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
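Review bot: a pull-request link records a proposed fix, not a fix; unlike the commit NOTEs elsewhere on this page, which carry the release tag in parentheses, this line does not say whether syoyo/tinyexr#175 is merged or in which release, so the entry still cannot name a fixed upstream version. Add the merge commit and its tag once available, or annotate the PR as unmerged.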
[Git][security-tracker-team/security-tracker][master] two tinyexr issues n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f3ffe012 by Moritz Muehlenhoff at 2022-09-09T17:04:27+02:00 two tinyexr issues n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -280907,9 +280907,9 @@ CVE-2018-12689 (phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id NOTE: Non-security issue as demostrated in https://bugs.debian.org/902186 NOTE: and disputed as security issue. Should be properly rejected by MITRE. CVE-2018-12688 (tinyexr 0.9.5 has a segmentation fault in the wav2Decode function. ...) - - tinyexr (bug #1014980) - [bullseye] - tinyexr (Minor issue) + - tinyexr (Fixed with initial upload to the archive, see #1014980) NOTE: https://github.com/syoyo/tinyexr/issues/83 + NOTE: https://github.com/syoyo/tinyexr/commit/6c3b01ff9223036fb1c7a6f1cc2d3a63cc1e7c1d CVE-2018-12687 (tinyexr 0.9.5 has an assertion failure in DecodePixelData in tinyexr.h ...) - tinyexr (unimportant) NOTE: https://github.com/syoyo/tinyexr/issues/84 
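Review bot: the commit message says the two issues are n/a, while the replacement line reads `- tinyexr (Fixed with initial upload to the archive, see #1014980)`; the tracker encodes "never affected in Debian" with `<not-affected>`, which this rendering drops, so confirm the committed line has the marker, as a bare package name with a parenthesised comment would otherwise read as unfixed. The hunk also removes the `[bullseye]` line, which is right only if tinyexr is absent from bullseye or likewise not affected there; the entry could say which.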
@@ -282968,9 +282968,9 @@ CVE-2018-12067 (The sell function of a smart contract implementation for Substra CVE-2018-12065 (A Local File Inclusion vulnerability in /system/WCore/WHelper.php in C ...) NOT-FOR-US: wityCMS CVE-2018-12064 (tinyexr 0.9.5 has a heap-based buffer over-read via tinyexr::ReadChann ...) - - tinyexr (bug #1014980) - [bullseye] - tinyexr (Minor issue) + - tinyexr (Fixed with initial upload to the archive, see #1014980) NOTE: https://github.com/ChijinZ/security_advisories/tree/master/tinyexr_7953aea + NOTE: https://github.com/syoyo/tinyexr/commit/6fd0c1f7575b9119f287fbe5577b2eff41c71bd5 CVE-2018-12063 (The sell function of a smart contract implementation for Internet Node ...) NOT-FOR-US: Internet Node Token CVE-2018-12062 (The sell function of a smart contract implementation for SwftCoin (SWF ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3ffe012a5dd9762a73ce91288b65d85230c1f38 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3ffe012a5dd9762a73ce91288b65d85230c1f38 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add webkit exploit reference
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 69128059 by Moritz Muehlenhoff at 2022-09-09T17:00:17+02:00 add webkit exploit reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19265,6 +19265,7 @@ CVE-2022-32792 [An out-of-bounds write issue was addressed with improved input v - webkit2gtk 2.36.6-1 - wpewebkit 2.36.6-1 NOTE: https://www.openwall.com/lists/oss-security/2022/07/28/2 + NOTE: https://starlabs.sg/blog/2022/09-step-by-step-walkthrough-of-cve-2022-32792/ CVE-2022-32791 RESERVED CVE-2022-32790 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6912805921728270af862befe3c81e579309de84 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6912805921728270af862befe3c81e579309de84 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3101-1 for libxslt
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f85c5a06 by Emilio Pozuelo Monfort at 2022-09-09T14:55:49+02:00 Reserve DLA-3101-1 for libxslt - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Sep 2022] DLA-3101-1 libxslt - security update + {CVE-2019-5815 CVE-2021-30560} + [buster] - libxslt 1.1.32-2.2~deb10u2 [07 Sep 2022] DLA-3100-1 libgoogle-gson-java - security update {CVE-2022-25647} [buster] - libgoogle-gson-java 2.8.5-3+deb10u1 = data/dla-needed.txt = @@ -64,9 +64,6 @@ kopanocore libraw NOTE: 20220904: Programming language: C++. -- -libxslt (Emilio) - NOTE: 20220905: Programming language: C --- linux (Ben Hutchings) -- mariadb-10.3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f85c5a060dc2bb7325e031588cdff1d9dbdf1c46 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f85c5a060dc2bb7325e031588cdff1d9dbdf1c46 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Re add rails to dla-needed.txt, regression
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: db0b2ebc by Abhijith PA at 2022-09-09T18:11:02+05:30 Re add rails to dla-needed.txt, regression - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -121,6 +121,12 @@ poppler (Markus Koschany) python-oslo.utils (Chris Lamb) NOTE: 20220904: Programming language: Python. -- +rails (Abhijith PA) + NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) + NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith) + NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg4.html (abhijith) + NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith) +-- runc NOTE: 20220905: Programming language: Go. NOTE: 20220905: Special attention: Sync with Bullseye. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db0b2ebc27c5b2a820d3427dedb2c5db64fd0af4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db0b2ebc27c5b2a820d3427dedb2c5db64fd0af4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
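Review bot: the third NOTE line in the rails hunk, https://lists.debian.org/debian-lts/2022/09/msg4.html, looks truncated; lists.debian.org archive URLs carry five-digit message numbers (compare msg00014.html on the NOTE line directly above it), so please confirm the full msgNNNNN.html link before this lands in dla-needed.txt, otherwise the reference is dead for whoever picks up the regression.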
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cacc85a3 by Moritz Muehlenhoff at 2022-09-09T11:49:27+02:00 bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,9 +17,10 @@ CVE-2022-40300 RESERVED CVE-2022-40299 (In Singular before 4.3.1, a predictable /tmp pathname is used (e.g., b ...) [experimental] - singular 1:4.3.1-p1+ds-1 - - singular + - singular (unimportant) NOTE: https://github.com/Singular/Singular/commit/5f28fbf066626fa9c4a8f0e6408c0bb362fb386c (Release-4-3-1) NOTE: https://github.com/Singular/Singular/issues/1137 + NOTE: Neutralised by kernel hardening (fs.protected_symlinks = 1) CVE-2022-40298 RESERVED CVE-2022-40297 (UBports Ubuntu Touch 16.04 allows the screen-unlock passcode to be use ...) @@ -4926,9 +4927,10 @@ CVE-2022-2850 [SIGSEGV in sync_repl] NOTE: https://github.com/389ds/389-ds-base/commit/bd566957f85c889f13cd24f903c91c16c955acbd (389-ds-base-1.3.10) NOTE: Results from an incomplete fix for CVE-2021-3514 CVE-2022-2849 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...) - - vim 2:9.0.0229-1 + - vim 2:9.0.0229-1 (unimportant) NOTE: https://huntr.dev/bounties/389aeccd-deb9-49ae-9b6a-24c12d79b02e NOTE: https://github.com/vim/vim/commit/f6d39c31d2177549a986d170e192d8351bd571e2 (v9.0.0220) + NOTE: Crash in CLI tool, no security impact CVE-2022-2848 RESERVED CVE-2022-2847 (A vulnerability, which was classified as critical, has been found in S ...) 
@@ -4936,9 +4938,10 @@ CVE-2022-2847 (A vulnerability, which was classified as critical, has been found CVE-2022-2846 (A vulnerability classified as problematic was found in Calendar Event ...) NOT-FOR-US: WordPress plugin CVE-2022-2845 (Buffer Over-read in GitHub repository vim/vim prior to 9.0.0218. ...) - - vim 2:9.0.0229-1 + - vim 2:9.0.0229-1 (unimportant) NOTE: https://huntr.dev/bounties/3e1d31ac-1cfd-4a9f-bc5c-213376b69445 NOTE: https://github.com/vim/vim/commit/e98c88c44c308edaea5994b8ad4363e65030968c (v9.0.0218) + NOTE: Crash in CLI tool, no security impact CVE-2022-2844 (A vulnerability classified as problematic has been found in MotoPress ...) NOT-FOR-US: WordPress plugin CVE-2022-2843 (A vulnerability was found in MotoPress Timetable and Event Schedule. I ...) @@ -24497,6 +24500,7 @@ CVE-2022-1776 (The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPr NOT-FOR-US: WordPress plugin CVE-2022-30976 (GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcsl ...) - gpac (bug #1016443) + [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2179 @@ -43496,6 +43500,7 @@ CVE-2022-24576 (GPAC 1.0.1 is affected by Use After Free through MP4Box. ...) NOTE: https://github.com/gpac/gpac/commit/96699aabae042f8f55cf8a85fa5758e3db752bae (v2.0.0) CVE-2022-24575 (GPAC 1.0.1 is affected by a stack-based buffer overflow through MP4Box ...) - gpac 2.0.0+dfsg1-2 + [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2058 
@@ -63757,6 +63762,7 @@ CVE-2021-43178 REJECTED CVE-2021-43177 (As a result of an incomplete fix for CVE-2015-7225, in versions of dev ...) - ruby-devise-two-factor 4.0.2-1 (bug #1009636) + [bullseye] - ruby-devise-two-factor (Minor issue) NOTE: https://github.com/tinfoil/devise-two-factor/security/advisories/GHSA-jm35-h8q2-73mp NOTE: https://github.com/tinfoil/devise-two-factor/pull/108 NOTE: https://github.com/tinfoil/devise-two-factor/commit/64576bb9e7d29800c5f92bb86fb6ecff91ad6105 (v4.0.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cacc85a3dee80e45a3f10fb953e17cd59a396db1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cacc85a3dee80e45a3f10fb953e17cd59a396db1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
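Review bot: in the first hunk, the justification "Neutralised by kernel hardening (fs.protected_symlinks = 1)" for CVE-2022-40299 only holds if the predictable /tmp pathname is exploited via a symlink: that sysctl makes the kernel refuse to follow symlinks in sticky world-writable directories when the follower and the link owner differ, and it does nothing against a regular file or directory pre-created at the same path by another user. Worth stating in the NOTE which attack the Singular issue actually requires, so the "unimportant" rating is traceable. The "Crash in CLI tool, no security impact" notes on the two vim entries follow the file's usual convention and need no change.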
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-25076/openvswitch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f5099df7 by Salvatore Bonaccorso at 2022-09-09T11:36:38+02:00 Add CVE-2019-25076/openvswitch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -147,7 +147,9 @@ CVE-2022-3169 CVE-2022-3168 RESERVED CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...) - TODO: check + - openvswitch + NOTE: https://arxiv.org/abs/2011.09107 + NOTE: https://sites.google.com/view/tuple-space-explosion CVE-2022-40237 RESERVED CVE-2022-40236 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5099df78f9cf6aebc521ff2305053781a524e7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5099df78f9cf6aebc521ff2305053781a524e7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
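Review bot: the openvswitch entry records no fixed version and no NOTE on whether upstream has addressed the tuple-space issue; both references are the paper and the project page rather than a fix, so the package will show as open in every suite until a fixed version or a no-dsa/unimportant decision is recorded. A short NOTE on the upstream status would save the next triager from re-reading the paper.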
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-40299/singular
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb455f02 by Salvatore Bonaccorso at 2022-09-09T10:27:38+02:00 Add CVE-2022-40299/singular - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16,7 +16,10 @@ CVE-2022-40301 CVE-2022-40300 RESERVED CVE-2022-40299 (In Singular before 4.3.1, a predictable /tmp pathname is used (e.g., b ...) - TODO: check + [experimental] - singular 1:4.3.1-p1+ds-1 + - singular + NOTE: https://github.com/Singular/Singular/commit/5f28fbf066626fa9c4a8f0e6408c0bb362fb386c (Release-4-3-1) + NOTE: https://github.com/Singular/Singular/issues/1137 CVE-2022-40298 RESERVED CVE-2022-40297 (UBports Ubuntu Touch 16.04 allows the screen-unlock passcode to be use ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb455f02a267430d3b7d15a30a88b5f4a3bf75b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb455f02a267430d3b7d15a30a88b5f4a3bf75b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc45211d by Salvatore Bonaccorso at 2022-09-09T10:25:54+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4,7 +4,7 @@ CVE-2022-40307 (An issue was discovered in the Linux kernel through 5.19.8. driv CVE-2022-40306 RESERVED CVE-2022-40305 (A Server-Side Request Forgery issue in Canto Cumulus through 11.1.3 al ...) - TODO: check + NOT-FOR-US: Canto Cumulus CVE-2022-40304 RESERVED CVE-2022-40303 @@ -20,7 +20,7 @@ CVE-2022-40299 (In Singular before 4.3.1, a predictable /tmp pathname is used (e CVE-2022-40298 RESERVED CVE-2022-40297 (UBports Ubuntu Touch 16.04 allows the screen-unlock passcode to be use ...) - TODO: check + NOT-FOR-US: UBports Ubuntu Touch CVE-2022-40296 RESERVED CVE-2022-40295 @@ -52,13 +52,13 @@ CVE-2022-40283 CVE-2022-40282 RESERVED CVE-2022-40281 (An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PR ...) - TODO: check + NOT-FOR-US: Samsung TizenRT CVE-2022-40280 (An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PR ...) - TODO: check + NOT-FOR-US: Samsung TizenRT CVE-2022-40279 (An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PR ...) - TODO: check + NOT-FOR-US: Samsung TizenRT CVE-2022-40278 (An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PR ...) - TODO: check + NOT-FOR-US: Samsung TizenRT CVE-2022-40277 RESERVED CVE-2022-40276 
@@ -5209,7 +5209,7 @@ CVE-2022-38267 (School Activity Updates with SMS Notification v1.0 was discovere CVE-2022-38266 RESERVED CVE-2022-38265 (Apartment Visitor Management System v1.0 was discovered to contain a S ...) - TODO: check + NOT-FOR-US: Apartment Visitor Management System CVE-2022-38264 RESERVED CVE-2022-38263 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc45211d832e120099952d2465392259968d10ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc45211d832e120099952d2465392259968d10ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-40307/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 829a783e by Salvatore Bonaccorso at 2022-09-09T10:19:08+02:00 Add CVE-2022-40307/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2022-40307 (An issue was discovered in the Linux kernel through 5.19.8. drivers/fi ...) - TODO: check + - linux + NOTE: https://git.kernel.org/linus/9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95 CVE-2022-40306 RESERVED CVE-2022-40305 (A Server-Side Request Forgery issue in Canto Cumulus through 11.1.3 al ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/829a783e104f71388c0f34a9a47a52baa8b480cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/829a783e104f71388c0f34a9a47a52baa8b480cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
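Review bot: the NOTE line cites the git.kernel.org commit without the tag it first shipped in, whereas the file's convention is to append the release in parentheses after the commit URL (for example "(v9.0.0218)" on the vim entries elsewhere in the list); adding it here makes the later "Vulnerable code introduced later"/fixed-version triage for bullseye and buster a one-glance check.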
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 57788dbe by security tracker role at 2022-09-09T08:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,149 @@ +CVE-2022-40307 (An issue was discovered in the Linux kernel through 5.19.8. drivers/fi ...) + TODO: check +CVE-2022-40306 + RESERVED +CVE-2022-40305 (A Server-Side Request Forgery issue in Canto Cumulus through 11.1.3 al ...) + TODO: check +CVE-2022-40304 + RESERVED +CVE-2022-40303 + RESERVED +CVE-2022-40302 + RESERVED +CVE-2022-40301 + RESERVED +CVE-2022-40300 + RESERVED +CVE-2022-40299 (In Singular before 4.3.1, a predictable /tmp pathname is used (e.g., b ...) + TODO: check +CVE-2022-40298 + RESERVED +CVE-2022-40297 (UBports Ubuntu Touch 16.04 allows the screen-unlock passcode to be use ...) + TODO: check +CVE-2022-40296 + RESERVED +CVE-2022-40295 + RESERVED +CVE-2022-40294 + RESERVED +CVE-2022-40293 + RESERVED +CVE-2022-40292 + RESERVED +CVE-2022-40291 + RESERVED +CVE-2022-40290 + RESERVED +CVE-2022-40289 + RESERVED +CVE-2022-40288 + RESERVED +CVE-2022-40287 + RESERVED +CVE-2022-40286 + RESERVED +CVE-2022-40285 + RESERVED +CVE-2022-40284 + RESERVED +CVE-2022-40283 + RESERVED +CVE-2022-40282 + RESERVED +CVE-2022-40281 (An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PR ...) + TODO: check +CVE-2022-40280 (An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PR ...) + TODO: check +CVE-2022-40279 (An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PR ...) + TODO: check +CVE-2022-40278 (An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PR ...) 
+ TODO: check +CVE-2022-40277 + RESERVED +CVE-2022-40276 + RESERVED +CVE-2022-40275 + RESERVED +CVE-2022-40274 + RESERVED +CVE-2022-40273 + RESERVED +CVE-2022-40272 + RESERVED +CVE-2022-40271 + RESERVED +CVE-2022-40270 + RESERVED +CVE-2022-40269 + RESERVED +CVE-2022-40268 + RESERVED +CVE-2022-40267 + RESERVED +CVE-2022-40266 + RESERVED +CVE-2022-40265 + RESERVED +CVE-2022-40264 + RESERVED +CVE-2022-40263 + RESERVED +CVE-2022-40262 + RESERVED +CVE-2022-40261 + RESERVED +CVE-2022-40260 + RESERVED +CVE-2022-40259 + RESERVED +CVE-2022-40258 + RESERVED +CVE-2022-40257 + RESERVED +CVE-2022-40256 + RESERVED +CVE-2022-40255 + RESERVED +CVE-2022-40254 + RESERVED +CVE-2022-40253 + RESERVED +CVE-2022-40252 + RESERVED +CVE-2022-40251 + RESERVED +CVE-2022-40250 + RESERVED +CVE-2022-40249 + RESERVED +CVE-2022-40248 + RESERVED +CVE-2022-40247 + RESERVED +CVE-2022-40246 + RESERVED +CVE-2022-40245 + RESERVED +CVE-2022-40244 + RESERVED +CVE-2022-40243 + RESERVED +CVE-2022-40242 + RESERVED +CVE-2022-40241 + RESERVED +CVE-2022-40240 + RESERVED +CVE-2022-40239 + RESERVED +CVE-2022-40238 + RESERVED +CVE-2022-3169 + RESERVED +CVE-2022-3168 + RESERVED +CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...) + TODO: check CVE-2022-40237 RESERVED CVE-2022-40236 @@ -86,8 +232,8 @@ CVE-2022-36299 RESERVED CVE-2022-36295 RESERVED -CVE-2022-3167 - RESERVED +CVE-2022-3167 (Improper Restriction of Rendered UI Layers or Frames in GitHub reposit ...) + TODO: check CVE-2022-3166 RESERVED CVE-2022-3165 @@ -4212,8 +4358,8 @@ CVE-2022-38495 RESERVED CVE-2022-38078 (Movable Type XMLRPC API provided by Six Apart Ltd. contains a command ...) - movabletype-opensource -CVE-2022-2925 - RESERVED +CVE-2022-2925 (Cross-site Scripting (XSS) - Stored in GitHub repository appwrite/appw ...) + TODO: check CVE-2022-2924 RESERVED CVE-2022-2923 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.024 ...) 
@@ -5053,16 +5199,16 @@ CVE-2022-38271 RESERVED CVE-2022-38270 RESERVED -CVE-2022-38269 - RESERVED -CVE-2022-38268 - RESERVED -CVE-2022-38267 - RESERVED +CVE-2022-38269 (School Activity Updates with SMS Notification v1.0 was discovered to c ...) + TODO: check +CVE-2022-38268 (School Activity Updates with SMS Notification v1.0 was discovered to c ...) + TODO: check +CVE-2022-38267 (School Activity Updates with SMS Notification v1.0 was discovered to c ...) + TODO: check CVE-2022-38266 RESERVED -CVE-2022-38265 - RESERVED +CVE-2022-38265 (Apartment Visitor Management System v1.0 was discovered to contain a S ...) + TODO: check CVE-2022-38264
[Git][security-tracker-team/security-tracker][master] Added mariadb-10.3 to dla-needed. There are no known urgent CVEs but the sheer...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: da509ec3 by Ola Lundqvist at 2022-09-09T08:20:47+02:00 Added mariadb-10.3 to dla-needed. There are no known urgent CVEs but the share volume of issues warrants a fix. May be fixed at the same time as for bullseye and that is likely to be in a point release. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -69,6 +69,11 @@ libxslt (Emilio) -- linux (Ben Hutchings) -- +mariadb-10.3 + NOTE: 20220909: Programming language: C. + NOTE: 20220909: Could not find any urgent issues but the share volume of issues should warrant a security update. + NOTE: 20220909: For bullseye the likely outcome is that the package should be fixed in a point release. +-- mbedtls NOTE: 20220821: Programming language: C. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da509ec335afcfbd4a7afc84242909c9aa2e239e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da509ec335afcfbd4a7afc84242909c9aa2e239e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
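Review bot: "share volume" in the second NOTE line of the mariadb-10.3 hunk should read "sheer volume" (the commit message has the same typo); the entry otherwise follows the dla-needed.txt layout used by the neighbouring mbedtls block.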
[Git][security-tracker-team/security-tracker][master] Added paramiko to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: c5ae7d5f by Ola Lundqvist at 2022-09-09T08:12:36+02:00 Added paramiko to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -90,6 +90,9 @@ openexr NOTE: 20220904: Programming language: C++. NOTE: 20220904: Should be synced with Stretch. (apo) -- +paramiko + NOTE: 20220909: Programming language: Python. +-- pcs (Valentin Vidic) NOTE: 20220905: Programming language: Python. NOTE: 20220905: Local access needed to get exploit the vulnerability. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5ae7d5f3fd4c5af768ddc05514fdc2da565154e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5ae7d5f3fd4c5af768ddc05514fdc2da565154e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Review list for upcoming bullseye point release
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7eb18346 by Salvatore Bonaccorso at 2022-09-09T08:11:33+02:00 Review list for upcoming bullseye point release - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -1,17 +1,3 @@ -CVE-2021-32718 - [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 -CVE-2021-32719 - [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 -CVE-2021-22116 - [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 -CVE-2018-1279 - [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 -CVE-2021-3654 - [bullseye] - nova 2:22.2.2-1+deb11u1 -CVE-2022-27240 - [bullseye] - glewlwyd 2.5.2-2+deb11u3 -CVE-2022-29967 - [bullseye] - glewlwyd 2.5.2-2+deb11u3 CVE-2020-22284 [bullseye] - lwip 2.1.2+dfsg1-8+deb11u1 CVE-2020-22283 @@ -20,8 +6,6 @@ CVE-2022-21704 [bullseye] - node-log4js 6.3.0+~cs8.3.10-1+deb11u1 CVE-2022-31129 [bullseye] - node-moment 2.29.1+ds-2+deb11u2 -CVE-2022-32096 - [bullseye] - rhonabwy 0.9.13-3+deb11u2 CVE-2022-26307 [bullseye] - libreoffice 1:7.0.4-4+deb11u2 CVE-2022-26306 @@ -30,8 +14,6 @@ CVE-2022-26305 [bullseye] - libreoffice 1:7.0.4-4+deb11u2 CVE-2021-25636 [bullseye] - libreoffice 1:7.0.4-4+deb11u2 -CVE-2022-28737 - [bullseye] - shim 15.6-1~deb11u1 CVE-2021-45911 [bullseye] - gif2apng 1.9+srconly-3+deb11u1 CVE-2021-45910 @@ -89,8 +71,6 @@ CVE-2022-31291 [bullseye] - dlt-daemon 2.18.6-1+deb11u1 CVE-2021-24119 [bullseye] - mbedtls 2.16.12-0+deb11u1 -CVE-2021-44732 - [bullseye] - mbedtls 2.16.12-0+deb11u1 CVE-2022-30550 [bullseye] - dovecot 1:2.3.13+dfsg1-2+deb11u1 CVE-2021-40491 
@@ -113,3 +93,23 @@ CVE-2022-39188 [bullseye] - linux 5.10.140-1 CVE-2022-39190 [bullseye] - linux 5.10.140-1 +CVE-2021-32718 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 +CVE-2021-32719 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 +CVE-2021-22116 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 +CVE-2018-1279 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 +CVE-2021-3654 + [bullseye] - nova 2:22.2.2-1+deb11u1 +CVE-2022-27240 + [bullseye] - glewlwyd 2.5.2-2+deb11u3 +CVE-2022-29967 + [bullseye] - glewlwyd 2.5.2-2+deb11u3 +CVE-2022-32096 + [bullseye] - rhonabwy 0.9.13-3+deb11u2 +CVE-2022-28737 + [bullseye] - shim 15.6-1~deb11u1 +CVE-2021-44732 + [bullseye] - mbedtls 2.16.12-0+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eb183465a254e7e1db639c90a3f68f95c08f21c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eb183465a254e7e1db639c90a3f68f95c08f21c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Updated the order of how issues are shown in lts-cve-triage command. The...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 4686a5af by Ola Lundqvist at 2022-09-09T08:03:12+02:00 Updated the order of how issues are shown in lts-cve-triage command. The reason is that it is more important to triage new potentially severe issues rather than to re-triage issues that have already been triaged once. - - - - - 1 changed file: - bin/lts-cve-triage.py Changes: = bin/lts-cve-triage.py = @@ -64,9 +64,6 @@ LIST_NAMES = ( ('triage_possible_easy_fixes', ('Issues not yet triaged for {lts}, but already fixed in {next_lts}') .format(**RELEASES)), -('triage_possible_missed_fixes', - ('Issues postponed for {lts}, but already fixed in {next_lts} via DSA or point releases (to be fixed or )') - .format(**RELEASES)), ('triage_other_not_triaged_in_next_lts', ('Other issues to triage for {lts} (not yet triaged for {next_lts})') .format(**RELEASES)), @@ -75,6 +72,9 @@ LIST_NAMES = ( ('unexpected_nodsa', ('Issues tagged no-dsa in {lts} that are open in {next_lts}') .format(**RELEASES)), +('triage_possible_missed_fixes', + ('Issues postponed for {lts}, but already fixed in {next_lts} via DSA or point releases (to be fixed or )') + .format(**RELEASES)), ('possible_easy_fixes', ('Issues from dla-needed.txt that are already fixed in {next_lts}') .format(**RELEASES)), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4686a5af08a3372d5f60bd348be84fd570c42b26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4686a5af08a3372d5f60bd348be84fd570c42b26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
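Review bot: the relocated LIST_NAMES entry still carries the description "(to be fixed or )", a dangling "or" with an empty alternative that is printed verbatim as a section heading by lts-cve-triage; since the tuple is being moved anyway, completing or dropping that parenthetical in the same change would avoid shipping an unfinished heading. The move itself only changes display order, matching the commit message.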