[Git][security-tracker-team/security-tracker][master] Reserve DLA-3201-1 for ntfs-3g

2022-11-21 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a9491949 by Thorsten Alteholz at 2022-11-22T00:11:36+01:00
Reserve DLA-3201-1 for ntfs-3g

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[22 Nov 2022] DLA-3201-1 ntfs-3g - security update
+   {CVE-2022-40284}
+   [buster] - ntfs-3g 1:2017.3.23AR.3-3+deb10u3
 [21 Nov 2022] DLA-3200-1 graphicsmagick - security update
{CVE-2022-1270}
[buster] - graphicsmagick 1.4+really1.3.35-1~deb10u3
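Review bot: the date of the new entry (22 Nov 2022) differs from the thread date and from the DLA-3200-1 entry below it (21 Nov); it matches the commit timestamp of 00:11 +01:00 on the 22nd, but the date in data/DLA/list is what the advisory page shows, so make sure it equals the day DLA-3201-1 is actually announced. The reserved line lists only CVE-2022-40284 and the buster version 1:2017.3.23AR.3-3+deb10u3; check that the upload's changelog closes exactly that CVE before the announcement text is generated from this entry.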


=
data/dla-needed.txt
=
@@ -245,11 +245,6 @@ nodejs
   NOTE: 20221105: VCS: https://salsa.debian.org/lts-team/packages/nodejs.git
   NOTE: 20221105: Source code not checked. It may be so that the vulnerability 
is not present in buster.
 --
-ntfs-3g (Thorsten Alteholz)
-  NOTE: 20221031: Programming language: C.
-  NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/ntfs-3g.git
-  NOTE: 20221120: testing package
---
 openexr
   NOTE: 20220904: Programming language: C++.
   NOTE: 20220904: Should be synced with Stretch. (apo)
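Review bot: the separator handling is right: the `--` line after the ntfs-3g block is removed together with it (the `---` diff line), so nodejs and openexr stay separated by a single `--` rather than an empty block. Only the 20221120 "testing package" note is lost, which is fine now that the advisory number is reserved in data/DLA/list.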



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9491949d42d694b067094198d303e247fd3ca4c

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9491949d42d694b067094198d303e247fd3ca4c
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b752470c by Salvatore Bonaccorso at 2022-11-21T22:44:52+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -956,7 +956,7 @@ CVE-2022-45424
 CVE-2022-45423
RESERVED
 CVE-2022-45422 (When LG SmartShare is installed, local privilege escalation is 
possibl ...)
-   TODO: check
+   NOT-FOR-US: LG
 CVE-2022-45122
RESERVED
 CVE-2022-45113
@@ -2378,17 +2378,17 @@ CVE-2022-45019
 CVE-2022-45018
RESERVED
 CVE-2022-45017 (A cross-site scripting (XSS) vulnerability in the Overview 
Page settin ...)
-   TODO: check
+   NOT-FOR-US: WBCE CMS
 CVE-2022-45016 (A cross-site scripting (XSS) vulnerability in the Search 
Settings modu ...)
-   TODO: check
+   NOT-FOR-US: WBCE CMS
 CVE-2022-45015 (A cross-site scripting (XSS) vulnerability in the Search 
Settings modu ...)
-   TODO: check
+   NOT-FOR-US: WBCE CMS
 CVE-2022-45014 (A cross-site scripting (XSS) vulnerability in the Search 
Settings modu ...)
-   TODO: check
+   NOT-FOR-US: WBCE CMS
 CVE-2022-45013 (A cross-site scripting (XSS) vulnerability in the Show 
Advanced Option ...)
-   TODO: check
+   NOT-FOR-US: WBCE CMS
 CVE-2022-45012 (A cross-site scripting (XSS) vulnerability in the Modify Page 
module o ...)
-   TODO: check
+   NOT-FOR-US: WBCE CMS
 CVE-2022-45011
RESERVED
 CVE-2022-45010
@@ -2752,7 +2752,7 @@ CVE-2022-44832
 CVE-2022-44831
RESERVED
 CVE-2022-44830 (Sourcecodester Event Registration App v1.0 was discovered to 
contain m ...)
-   TODO: check
+   NOT-FOR-US: Sourcecodester Event Registration App
 CVE-2022-44829
RESERVED
 CVE-2022-44828
@@ -9279,7 +9279,7 @@ CVE-2022-3591
 CVE-2022-3590
RESERVED
 CVE-2022-3589 (An API Endpoint used by Miele's "AppWash" MobileApp in all 
versions wa ...)
-   TODO: check
+   NOT-FOR-US: Miele's "AppWash" MobileApp
 CVE-2022-3588
RESERVED
 CVE-2022-3587 (A vulnerability was found in SourceCodester Simple Cold Storage 
Manage ...)
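Review bot: the new label `NOT-FOR-US: Miele's "AppWash" MobileApp` carries the description's possessive and quotation marks, whereas the other labels in this commit use a bare vendor or product name (`NOT-FOR-US: LG`, `NOT-FOR-US: WBCE CMS`); `NOT-FOR-US: Miele AppWash` would match that style and is easier to grep for.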
@@ -9928,7 +9928,7 @@ CVE-2022-43119 (A cross-site scripting (XSS) 
vulnerability in Clansphere CMS v20
 CVE-2022-43118 (A cross-site scripting (XSS) vulnerability in flatCore-CMS 
v2.1.0 allo ...)
NOT-FOR-US: flatCore-CMS
 CVE-2022-43117 (Sourcecodester Password Storage Application in PHP/OOP and 
MySQL 1.0 w ...)
-   TODO: check
+   NOT-FOR-US: Sourcecodester Password Storage Application in PHP/OOP and 
MySQL
 CVE-2022-43116
RESERVED
 CVE-2022-43115
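Review bot: the label for CVE-2022-43117 repeats the full product string "Sourcecodester Password Storage Application in PHP/OOP and MySQL" and wraps onto a second line in this rendering; the shorter form used for CVE-2022-44830 in the hunk above (`NOT-FOR-US: Sourcecodester Event Registration App`) is enough to identify the product, so `NOT-FOR-US: Sourcecodester Password Storage Application` would be consistent and keeps the entry on one line.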
@@ -12889,7 +12889,7 @@ CVE-2022-38143
 CVE-2022-36354
RESERVED
 CVE-2022-3388 (Improper Input Validation vulnerability in Hitachi Energy 
MicroSCADA P ...)
-   TODO: check
+   NOT-FOR-US: MicroSCADA
 CVE-2022-3387 (Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to 
path tr ...)
NOT-FOR-US: Advantech R-SeeNet
 CVE-2022-3386 (Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to 
a stack ...)
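Review bot: `NOT-FOR-US: MicroSCADA` drops the vendor that the description names ("Hitachi Energy MicroSCADA"), while the adjacent CVE-2022-3387 record keeps vendor and product (`NOT-FOR-US: Advantech R-SeeNet`); `NOT-FOR-US: Hitachi Energy MicroSCADA` would be consistent and unambiguous.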



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b752470c8dcb8ddd353fafeea6fcc81dbff6679f



[Git][security-tracker-team/security-tracker][master] Add fixed versions for protobuf via unstable for several CVEs

2022-11-21 Thread @gcs


László Böszörményi pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a2270498 by Laszlo Boszormenyi (GCS) at 2022-11-21T22:06:45+01:00
Add fixed versions for protobuf via unstable for several CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10577,7 +10577,7 @@ CVE-2022-3510 (A parsing issue similar to 
CVE-2022-3171, but with Message-Type E
NOTE: 
https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48
 CVE-2022-3509 (A parsing issue similar to CVE-2022-3171, but with textformat 
in proto ...)
[experimental] - protobuf 3.21.7-1
-   - protobuf 
+   - protobuf 3.21.9-3
NOTE: 
https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9
 (v21.7, v3.21.7)
 CVE-2022-3508
RESERVED
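Review bot: the hunk's leading context is CVE-2022-3510, whose entry ends with only a NOTE line and is left untouched, while the commit title says "several CVEs"; CVE-2022-3510 is described as the same class of parsing issue as CVE-2022-3509 and CVE-2022-3171, so check whether it also has an unset unstable version that should become `- protobuf 3.21.9-3` (the upstream fix for CVE-2022-3509 is noted as v3.21.7, which 3.21.9-3 includes).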
@@ -17067,7 +17067,7 @@ CVE-2022-3172
NOTE: The source package itself it still vulnerable, but custom 
rebuilds are not really a usecase here
 CVE-2022-3171 (A parsing issue with binary data in protobuf-java core and lite 
versio ...)
[experimental] - protobuf 3.21.7-1
-   - protobuf 
+   - protobuf 3.21.9-3
NOTE: 
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
 CVE-2022-3170 (An out-of-bounds access issue was found in the Linux kernel 
sound subs ...)
- linux  (Vulnerable code not present)
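Review bot: with unstable now at 3.21.9-3, the `[experimental] - protobuf 3.21.7-1` line directly above is lower than the unstable fix and no longer adds information; the same holds for the experimental lines in the other hunks of this commit (3.20.2-1, 3.17.1-1, 3.19.3-1). If the tracker's convention is to keep experimental entries only while they are the sole fixed version, drop them here; otherwise they are harmless but should be handled the same way across all five records.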
@@ -39806,7 +39806,7 @@ CVE-2022-1942 (Heap-based Buffer Overflow in GitHub 
repository vim/vim prior to
NOTE: 
https://github.com/vim/vim/commit/71223e2db87c2bf3b09aecb46266b56cda26191d 
(v8.2.5043)
 CVE-2022-1941 (A parsing vulnerability for the MessageSet type in the 
ProtocolBuffers ...)
[experimental] - protobuf 3.20.2-1
-   - protobuf 
+   - protobuf 3.21.9-3
NOTE: https://www.openwall.com/lists/oss-security/2022/09/27/1
NOTE: 
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
NOTE: 
https://github.com/protocolbuffers/protobuf/commit/806d7e4ce6f1fd0545cae226b94cb0249ea495c7
 (v3.20.2)
@@ -135105,14 +135105,14 @@ CVE-2021-22571 (A local attacker could read files 
from some other users' SA360 r
NOT-FOR-US: SA360 reports
 CVE-2021-22570 (Nullptr dereference when a null char is present in a proto 
symbol. The ...)
[experimental] - protobuf 3.17.1-1
-   - protobuf 
+   - protobuf 3.21.9-3
[bullseye] - protobuf  (Minor issue)
[buster] - protobuf  (Minor issue)
[stretch] - protobuf  (Minor issue; clean crash / Dos; patch 
needs to be isolated)
NOTE: Fixed upstream in v3.15.0: 
https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
 CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of 
com.google.proto ...)
[experimental] - protobuf 3.19.3-1
-   - protobuf 
+   - protobuf 3.21.9-3
[bullseye] - protobuf  (Minor issue)
[buster] - protobuf  (Minor issue)
[stretch] - protobuf  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2270498bbea7f4047b6c9bc42592834f6dccf65



[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2019-20417 (duplicate of CVE-2019-15011)

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b22e837b by Salvatore Bonaccorso at 2022-11-21T21:48:06+01:00
Remove notes from CVE-2019-20417 (duplicate of CVE-2019-15011)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -203581,7 +203581,6 @@ CVE-2019-20418 (Affected versions of Atlassian Jira 
Server and Data Center allow
NOT-FOR-US: Atlassian
 CVE-2019-20417
REJECTED
-   NOT-FOR-US: Atlassian
 CVE-2019-20416 (Affected versions of Atlassian Jira Server and Data Center 
allow remot ...)
NOT-FOR-US: Atlassian
 CVE-2019-20415 (Atlassian Jira Server and Data Center in affected versions 
allows remo ...)
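Review bot: dropping `NOT-FOR-US: Atlassian` from a REJECTED record is consistent with the other cleanups in this series (a rejected CVE carries no classification), and the neighbouring live Atlassian records CVE-2019-20418 and CVE-2019-20416 keep theirs. The duplicate target CVE-2019-15011 named in the commit title is not recorded in the data file; that is fine only if the REJECTED text from the CNA carries the pointer, otherwise a NOTE with the surviving CVE id would save the next person a git-log lookup.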



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b22e837bfd6b5b821e7980683ff36d847202a05b



[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2022-2154 (duplicate of CVE-2022-34345)

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d439cb3d by Salvatore Bonaccorso at 2022-11-21T21:46:35+01:00
Remove notes from CVE-2022-2154 (duplicate of CVE-2022-34345)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33747,7 +33747,6 @@ CVE-2022-2155
RESERVED
 CVE-2022-2154
REJECTED
-   NOT-FOR-US: Intel
 CVE-2022-2153 (A flaw was found in the Linux kernels KVM when 
attempting to se ...)
{DSA-5173-1 DLA-3173-1 DLA-3131-1 DLA-3065-1}
- linux 5.17.3-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d439cb3df9438c19be51a6d29004f8c662f2f730



[Git][security-tracker-team/security-tracker][master] Remove notes for some libcommons-jxpath-java CVEs

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
38da4a0d by Salvatore Bonaccorso at 2022-11-21T21:44:39+01:00
Remove notes for some libcommons-jxpath-java CVEs

They are rejected by the assigning CNA.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17432,8 +17432,6 @@ CVE-2022-40162
RESERVED
 CVE-2022-40161
REJECTED
-   - libcommons-jxpath-java 
-   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47097
 CVE-2022-40160 (** DISPUTED ** This record was originally reported by the 
oss-fuzz pro ...)
- libcommons-jxpath-java 
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47053
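Review bot: the remaining DISPUTED records CVE-2022-40160 and CVE-2022-40159 still list libcommons-jxpath-java with only an oss-fuzz link each; if the CNA rejects them as it did CVE-2022-40161, CVE-2022-40158 and CVE-2022-40157, the same cleanup applies, and if they stay disputed they need a severity or no-dsa annotation, which the context lines shown here do not carry.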
@@ -17442,12 +17440,8 @@ CVE-2022-40159 (** DISPUTED ** This record was 
originally reported by the oss-fu
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47057
 CVE-2022-40158
REJECTED
-   - libcommons-jxpath-java 
-   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47058
 CVE-2022-40157
REJECTED
-   - libcommons-jxpath-java 
-   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47061
 CVE-2022-40156 (Those using Xstream to seralize XML data may be vulnerable to 
Denial o ...)
- libxstream-java 
NOTE: https://github.com/x-stream/xstream/issues/304



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38da4a0d00d04dd81076f967b31a2f315727546b



[Git][security-tracker-team/security-tracker][master] Drop notes from CVE-2022-41852 (withdrawn)

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
14e234f2 by Salvatore Bonaccorso at 2022-11-21T21:42:37+01:00
Drop notes from CVE-2022-41852 (withdrawn)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13191,13 +13191,6 @@ CVE-2022-41853 (Those using java.sql.Statement or 
java.sql.PreparedStatement in
NOTE: https://sourceforge.net/p/hsqldb/svn/6614/
 CVE-2022-41852
REJECTED
-   - libcommons-jxpath-java  (unimportant)
-   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
-   NOTE: https://github.com/apache/commons-jxpath/pull/25
-   NOTE: https://github.com/apache/commons-jxpath/pull/26
-   NOTE: 
https://github.com/apache/commons-jxpath/pull/26#issuecomment-1307567283
-   NOTE: JEXL is NOT expected to safely handle untrusted input, not 
considered a
-   NOTE: vulnerability by upstream
 CVE-2022-41851 (A vulnerability has been identified in JTTK (All versions  
V11.1.1 ...)
NOT-FOR-US: JTTK
 CVE-2022-41836 (When an 'Attack Signature False Positive Mode' enabled 
security policy ...)
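Review bot: the removed NOTE read "JEXL is NOT expected to safely handle untrusted input" while the package is commons-jxpath (JXPath), not commons-jexl; since the record is REJECTED and the notes are dropped wholesale this is moot here, but if that rationale is reused for the sibling DISPUTED records CVE-2022-40159 and CVE-2022-40160, or in a Debian bug, the library name should be JXPath.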



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14e234f2b74aebd7165c241bfa4000cca7720842



[Git][security-tracker-team/security-tracker][master] Drop several CVEs (originally assigned to exiv2)

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d515e028 by Salvatore Bonaccorso at 2022-11-21T21:40:47+01:00
Drop several CVEs (originally assigned to exiv2)

Further investigation has shown that they were not security issues and
the assigning CNA has withdrawn them.

This also affects the CVE list of DLA-3186-1.

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -1923,11 +1923,6 @@ CVE-2022-3954
RESERVED
 CVE-2022-3953
REJECTED
-   - exiv2 
-   NOTE: 
https://github.com/Exiv2/exiv2/commit/771ead87321ae6e39e5c9f6f0855c58cde6648f1
-   NOTE: https://github.com/Exiv2/exiv2/pull/2394
-   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52731
-   TODO: check details
 CVE-2022-3952 (A vulnerability has been found in ManyDesigns Portofino 5.3.2 
and clas ...)
NOT-FOR-US: ManyDesigns Portofino
 CVE-2022-3951
@@ -5853,21 +5848,10 @@ CVE-2022-43998
RESERVED
 CVE-2022-3757
REJECTED
-   - exiv2  (Vulnerable code not present)
-   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50901
-   NOTE: Issue introduced after: 
https://github.com/Exiv2/exiv2/commit/e4adf388aaaaf08fc0fc38419a5b0117b299
-   NOTE: Fixed by: 
https://github.com/Exiv2/exiv2/commit/d3651fdbd352cbaf259f89abf7557da343339378
 CVE-2022-3756
REJECTED
-   {DLA-3186-1}
-   - exiv2 
-   NOTE: Fixed by: 
https://github.com/Exiv2/exiv2/commit/bf4f28b727bdedbd7c88179c30d360e54568a62e
 CVE-2022-3755
REJECTED
-   - exiv2  (Vulnerable code not present)
-   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52382
-   NOTE: Issue introduced after: 
https://github.com/Exiv2/exiv2/commit/e4adf388aaaaf08fc0fc38419a5b0117b299
-   NOTE: Fixed by: 
https://github.com/Exiv2/exiv2/commit/6bb956ad808590ce2321b9ddf6772974da27c4ca
 CVE-2022-3754 (Weak Password Requirements in GitHub repository 
thorsten/phpmyfaq prio ...)
NOT-FOR-US: phpmyfaq
 CVE-2022-3753 (The Evaluate WordPress plugin through 1.0 does not sanitize and 
escape ...)
@@ -7774,21 +7758,10 @@ CVE-2022-3720 (The Event Monster WordPress plugin 
before 1.2.0 does not validate
NOT-FOR-US: WordPress plugin
 CVE-2022-3719
REJECTED
-   - exiv2  (Vulnerable code not present)
-   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51707
-   NOTE: Introduced by: 
https://github.com/Exiv2/exiv2/commit/e4adf388aaaaf08fc0fc38419a5b0117b299
-   NOTE: Fixed by: 
https://github.com/Exiv2/exiv2/commit/a38e124076138e529774d5ec9890d0731058115a
 CVE-2022-3718
REJECTED
-   - exiv2  (Vulnerable code not present)
-   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52053
-   NOTE: Issue introduced after: 
https://github.com/Exiv2/exiv2/commit/e4adf388aaaaf08fc0fc38419a5b0117b299
-   NOTE: Fixed by: 
https://github.com/Exiv2/exiv2/commit/459910c36a21369c09b75bcfa82f287c9da56abf
 CVE-2022-3717
REJECTED
-   - exiv2  (Vulnerable code not present)
-   NOTE: Introduced by: 
https://github.com/Exiv2/exiv2/commit/9a6ee59421fdfa0745a5f494a3dd19af78b03ce7
-   NOTE: Fixed by: 
https://github.com/Exiv2/exiv2/commit/a58e52ed702d3bc7b8bab7ec1d70a4849eebece3
 CVE-2022-3716 (A vulnerability classified as problematic was found in 
SourceCodester  ...)
NOT-FOR-US: SourceCodester Online Medicine Ordering System
 CVE-2022-3715 [a heap-buffer-overflow in valid_parameter_transform]


=
data/DLA/list
=
@@ -40,7 +40,7 @@
{CVE-2021-36369}
[buster] - dropbear 2018.76-5+deb10u2
 [10 Nov 2022] DLA-3186-1 exiv2 - security update
-   {CVE-2017-11683 CVE-2020-19716 CVE-2022-3756}
+   {CVE-2017-11683 CVE-2020-19716}
[buster] - exiv2 0.25-4+deb10u3
 [10 Nov 2022] DLA-3185-1 xorg-server - security update
{CVE-2022-3550 CVE-2022-3551}
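Review bot: removing CVE-2022-3756 from the DLA-3186-1 entry makes the tracker disagree with the published DLA-3186-1 announcement, which still names that CVE (the `{DLA-3186-1}` cross-reference was also dropped from the CVE-2022-3756 record in data/CVE/list above). Since the CNA withdrew the CVE rather than the fix being wrong, a short note on the advisory page or a follow-up mail stating that CVE-2022-3756 was rejected would explain the discrepancy to anyone reconciling the advisory against the tracker.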



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d515e0283c184508fdf2ced6bcb8b321bb9ecedf



[Git][security-tracker-team/security-tracker][master] Track ember as removed from every supported suite

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e8b6f922 by Salvatore Bonaccorso at 2022-11-21T21:16:00+01:00
Track ember as removed from every supported suite

- - - - -


1 changed file:

- data/packages/removed-packages


Changes:

=
data/packages/removed-packages
=
@@ -926,3 +926,4 @@ xvt
 yarssr
 zonecheck
 postgresql-14
+ember
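Review bot: `ember` is appended at the end of the file after `postgresql-14`, which itself follows `zonecheck`; the context shows the list is kept in append order rather than alphabetically, so the placement is consistent with the existing tail. If this file is ever expected to be sorted, both `postgresql-14` and `ember` would need to move; otherwise nothing to change.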



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8b6f922cff3273b0d540fbccf32815543dcc0d0



[Git][security-tracker-team/security-tracker][master] Process several NFUs

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6792b8e6 by Salvatore Bonaccorso at 2022-11-21T21:14:42+01:00
Process several NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3065,7 +3065,7 @@ CVE-2022-44715
 CVE-2022-3862
RESERVED
 CVE-2022-3861 (The Betheme theme for WordPress is vulnerable to PHP Object 
Injection  ...)
-   TODO: check
+   NOT-FOR-US: Betheme theme for WordPress
 CVE-2022-3860
RESERVED
 CVE-2022-3859
@@ -4207,21 +4207,21 @@ CVE-2022-44656
 CVE-2022-44655
RESERVED
 CVE-2022-44654 (Affected builds of Trend Micro Apex One and Apex One as a 
Service cont ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2022-44653 (A security agent directory traversal vulnerability in Trend 
Micro Apex ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2022-44652 (An improper handling of exceptional conditions vulnerability 
in Trend  ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2022-44651 (A Time-of-Check Time-Of-Use vulnerability in the Trend Micro 
Apex One  ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2022-44650 (A memory corruption vulnerability in the Unauthorized Change 
Preventio ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2022-44649 (An out-of-bounds access vulnerability in the Unauthorized 
Change Preve ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2022-44648 (An Out-of-bounds read vulnerability in Trend Micro Apex One 
and Apex O ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2022-44647 (An Out-of-bounds read vulnerability in Trend Micro Apex One 
and Apex O ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2022-44646 (In JetBrains TeamCity version before 2022.10, no audit items 
were adde ...)
NOT-FOR-US: JetBrains TeamCity
 CVE-2022-44645
@@ -4928,9 +4928,9 @@ CVE-2022-3765 (Cross-site Scripting (XSS) - Stored in 
GitHub repository thorsten
 CVE-2022-3764
RESERVED
 CVE-2022-3763 (The Booster for WooCommerce WordPress plugin before 5.6.7, 
Booster Plu ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2022-3762 (The Booster for WooCommerce WordPress plugin before 5.6.7, 
Booster Plu ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2022-3761
RESERVED
 CVE-2023-20853
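Review bot: CVE-2022-3763 and CVE-2022-3762 get the generic `NOT-FOR-US: WordPress plugin`, while CVE-2022-3861 in the first hunk of this commit names the component (`NOT-FOR-US: Betheme theme for WordPress`). Both forms already exist in the file (the CVE-2022-3720 context line uses the generic one), but naming the plugin here (`NOT-FOR-US: Booster for WooCommerce WordPress plugin`) makes later grep-based triage of the many WordPress plugin records easier.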
@@ -5474,39 +5474,39 @@ CVE-2022-44185
 CVE-2022-44184
RESERVED
 CVE-2022-44183 (Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44182
RESERVED
 CVE-2022-44181
RESERVED
 CVE-2022-44180 (Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44179
RESERVED
 CVE-2022-44178 (Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow. via 
function ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44177 (Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44176 (Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44175 (Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44174 (Tenda AC18 V15.03.05.05 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44173
RESERVED
 CVE-2022-44172 (Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44171 (Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44170
RESERVED
 CVE-2022-44169 (Tenda AC15 V15.03.05.18 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44168 (Tenda AC15 V15.03.05.18 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44167 (Tenda AC15 V15.03.05.18 is avulnerable to Buffer Overflow via 
function ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44166
RESERVED
 CVE-2022-44165
@@ -5514,7 +5514,7 @@ CVE-2022-44165
 CVE-2022-44164
RESERVED
 CVE-2022-44163 (Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44162
RESERVED
 CVE-2022-44161
@@ -5524,11 +5524,11 @@ CVE-2022-44160
 CVE-2022-44159
RESERVED
 CVE-2022-44158 (Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via 
function  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-44157
RESERVED
 CVE-2022-44156 (Tenda AC15 V15.03.05.19 

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-39052

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5ea842a2 by Salvatore Bonaccorso at 2022-11-21T21:12:47+01:00
Add Debian bug reference for CVE-2022-39052

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20170,7 +20170,7 @@ CVE-2022-39054 (Cowell enterprise travel management 
system has insufficient filt
 CVE-2022-39053 (Heimavista Rpage has insufficient filtering for platform web 
URL. An u ...)
NOT-FOR-US: Heimavista Rpage
 CVE-2022-39052 (An external attacker is able to send a specially crafted email 
(with m ...)
-   - znuny 
+   - znuny  (bug #1024560)
 CVE-2022-39051 (Attacker might be able to execute malicious Perl code in the 
Template  ...)
NOT-FOR-US: OTRS
NOTE: Could possibly affect Znuny, we'll let their security team figure 
it out
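Review bot: the `(bug #1024560)` reference goes on CVE-2022-39052 only, while the neighbouring CVE-2022-39051 record keeps the NOTE "Could possibly affect Znuny, we'll let their security team figure it out"; if the Debian bug covers the Znuny status for both CVEs, add the same bug reference or a NOTE to CVE-2022-39051 so the open question is tracked in one place.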



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ea842a2444bb5de1fba028ab868b7908f9a92c1



[Git][security-tracker-team/security-tracker][master] automatic update

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
93cf03ab by security tracker role at 2022-11-21T20:10:30+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,617 @@
+CVE-2022-45781
+   RESERVED
+CVE-2022-45780
+   RESERVED
+CVE-2022-45779
+   RESERVED
+CVE-2022-45778
+   RESERVED
+CVE-2022-45777
+   RESERVED
+CVE-2022-45776
+   RESERVED
+CVE-2022-45775
+   RESERVED
+CVE-2022-45774
+   RESERVED
+CVE-2022-45773
+   RESERVED
+CVE-2022-45772
+   RESERVED
+CVE-2022-45771
+   RESERVED
+CVE-2022-45770
+   RESERVED
+CVE-2022-45769
+   RESERVED
+CVE-2022-45768
+   RESERVED
+CVE-2022-45767
+   RESERVED
+CVE-2022-45766
+   RESERVED
+CVE-2022-45765
+   RESERVED
+CVE-2022-45764
+   RESERVED
+CVE-2022-45763
+   RESERVED
+CVE-2022-45762
+   RESERVED
+CVE-2022-45761
+   RESERVED
+CVE-2022-45760
+   RESERVED
+CVE-2022-45759
+   RESERVED
+CVE-2022-45758
+   RESERVED
+CVE-2022-45757
+   RESERVED
+CVE-2022-45756
+   RESERVED
+CVE-2022-45755
+   RESERVED
+CVE-2022-45754
+   RESERVED
+CVE-2022-45753
+   RESERVED
+CVE-2022-45752
+   RESERVED
+CVE-2022-45751
+   RESERVED
+CVE-2022-45750
+   RESERVED
+CVE-2022-45749
+   RESERVED
+CVE-2022-45748
+   RESERVED
+CVE-2022-45747
+   RESERVED
+CVE-2022-45746
+   RESERVED
+CVE-2022-45745
+   RESERVED
+CVE-2022-45744
+   RESERVED
+CVE-2022-45743
+   RESERVED
+CVE-2022-45742
+   RESERVED
+CVE-2022-45741
+   RESERVED
+CVE-2022-45740
+   RESERVED
+CVE-2022-45739
+   RESERVED
+CVE-2022-45738
+   RESERVED
+CVE-2022-45737
+   RESERVED
+CVE-2022-45736
+   RESERVED
+CVE-2022-45735
+   RESERVED
+CVE-2022-45734
+   RESERVED
+CVE-2022-45733
+   RESERVED
+CVE-2022-45732
+   RESERVED
+CVE-2022-45731
+   RESERVED
+CVE-2022-45730
+   RESERVED
+CVE-2022-45729
+   RESERVED
+CVE-2022-45728
+   RESERVED
+CVE-2022-45727
+   RESERVED
+CVE-2022-45726
+   RESERVED
+CVE-2022-45725
+   RESERVED
+CVE-2022-45724
+   RESERVED
+CVE-2022-45723
+   RESERVED
+CVE-2022-45722
+   RESERVED
+CVE-2022-45721
+   RESERVED
+CVE-2022-45720
+   RESERVED
+CVE-2022-45719
+   RESERVED
+CVE-2022-45718
+   RESERVED
+CVE-2022-45717
+   RESERVED
+CVE-2022-45716
+   RESERVED
+CVE-2022-45715
+   RESERVED
+CVE-2022-45714
+   RESERVED
+CVE-2022-45713
+   RESERVED
+CVE-2022-45712
+   RESERVED
+CVE-2022-45711
+   RESERVED
+CVE-2022-45710
+   RESERVED
+CVE-2022-45709
+   RESERVED
+CVE-2022-45708
+   RESERVED
+CVE-2022-45707
+   RESERVED
+CVE-2022-45706
+   RESERVED
+CVE-2022-45705
+   RESERVED
+CVE-2022-45704
+   RESERVED
+CVE-2022-45703
+   RESERVED
+CVE-2022-45702
+   RESERVED
+CVE-2022-45701
+   RESERVED
+CVE-2022-45700
+   RESERVED
+CVE-2022-45699
+   RESERVED
+CVE-2022-45698
+   RESERVED
+CVE-2022-45697
+   RESERVED
+CVE-2022-45696
+   RESERVED
+CVE-2022-45695
+   RESERVED
+CVE-2022-45694
+   RESERVED
+CVE-2022-45693
+   RESERVED
+CVE-2022-45692
+   RESERVED
+CVE-2022-45691
+   RESERVED
+CVE-2022-45690
+   RESERVED
+CVE-2022-45689
+   RESERVED
+CVE-2022-45688
+   RESERVED
+CVE-2022-45687
+   RESERVED
+CVE-2022-45686
+   RESERVED
+CVE-2022-45685
+   RESERVED
+CVE-2022-45684
+   RESERVED
+CVE-2022-45683
+   RESERVED
+CVE-2022-45682
+   RESERVED
+CVE-2022-45681
+   RESERVED
+CVE-2022-45680
+   RESERVED
+CVE-2022-45679
+   RESERVED
+CVE-2022-45678
+   RESERVED
+CVE-2022-45677
+   RESERVED
+CVE-2022-45676
+   RESERVED
+CVE-2022-45675
+   RESERVED
+CVE-2022-45674
+   RESERVED
+CVE-2022-45673
+   RESERVED
+CVE-2022-45672
+   RESERVED
+CVE-2022-45671
+   RESERVED
+CVE-2022-45670
+   RESERVED
+CVE-2022-45669
+   RESERVED
+CVE-2022-45668
+   RESERVED
+CVE-2022-45667
+   RESERVED
+CVE-2022-45666
+   RESERVED
+CVE-2022-45665
+   RESERVED
+CVE-2022-45664
+   RESERVED
+CVE-2022-45663
+   RESERVED
+CVE-2022-45662
+   RESERVED
+CVE-2022-45661
+   RESERVED
+CVE-2022-45660
+   RESERVED
+CVE-2022-45659
+   RESERVED
+CVE-2022-45658
+   RESERVED
+CVE-2022-45657
+   RESERVED
+CVE-2022-45656
+   RESERVED
+CVE-2022-45655
+   RESERVED
+CVE-2022-45654
+   RESERVED
+CVE-2022-45653
+   RESERVED
+CVE-2022-45652
+   RESERVED
+CVE-2022-45651
+   RESERVED
+CVE-2022-45650
+   RESERVED
+CVE-2022-45649
+   RESERVED
+CVE-2022-45648
+   RESERVED
+CVE-2022-45647
+   RESERVED
+CVE-2022-45646
+   RESERVED
+CVE-2022-45645
+   RESERVED
+CVE-2022-45644
+   RESERVED
+CVE-2022-45643
+   RESERVED
+CVE-2022-45642
+   RESERVED
+CVE-2022-45641
+   

[Git][security-tracker-team/security-tracker][master] Update information on CVE-2022-4065/testng

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ec4e9735 by Salvatore Bonaccorso at 2022-11-21T21:08:51+01:00
Update information on CVE-2022-4065/testng

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -65,7 +65,7 @@ CVE-2022-4067 (Cross-site Scripting (XSS) - Stored in GitHub 
repository librenms
 CVE-2022-4066 (A vulnerability was found in davidmoreno onion. It has been 
rated as p ...)
- libonion  (bug #744119)
 CVE-2022-4065 (A vulnerability was found in cbeust testng. It has been 
declared as cr ...)
-   - testng 
+   - testng  (Vulnerable code introduced later)
NOTE: https://github.com/cbeust/testng/pull/2806
NOTE: 
https://github.com/cbeust/testng/commit/47afa2c8a29e2cf925238af1ad7c76fba282793f
 CVE-2022-4064 (A vulnerability was found in Dalli. It has been classified as 
problema ...)
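Review bot: the new "(Vulnerable code introduced later)" annotation on the testng line has nothing in the entry to back it: both NOTE lines point at the fix (PR 2806 and commit 47afa2c8), not at the change that introduced the vulnerable code or the first affected upstream release. Add a NOTE naming that introducing commit or release, so the not-affected decision can be re-verified when the packaged testng version moves.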



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec4e97356f7e8a1451415de41e0c9002a4450ff3



[Git][security-tracker-team/security-tracker][master] Directly reference fixing commit for CVE-2022-4065

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0459d42d by Salvatore Bonaccorso at 2022-11-21T20:57:33+01:00
Directly reference fixing commit for CVE-2022-4065

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -67,7 +67,7 @@ CVE-2022-4066 (A vulnerability was found in davidmoreno 
onion. It has been rated
 CVE-2022-4065 (A vulnerability was found in cbeust testng. It has been 
declared as cr ...)
- testng 
NOTE: https://github.com/cbeust/testng/pull/2806
-   NOTE: 
https://github.com/cbeust/testng/commit/9150736cd2c123a6a3b60e6193630859f9f0422b
+   NOTE: 
https://github.com/cbeust/testng/commit/47afa2c8a29e2cf925238af1ad7c76fba282793f
 CVE-2022-4064 (A vulnerability was found in Dalli. It has been classified as 
problema ...)
- ruby-dalli  (Vulnerable code introduced later)
NOTE: https://github.com/petergoldstein/dalli/issues/932
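Review bot: the replacement NOTE is a bare commit URL; other entries in this batch write fixing commits as "NOTE: Fixed by: <url> (<upstream version>)" (see the CVE-2022-37026 entry), which lets the fixed upstream release be read off the entry. Suggest `NOTE: Fixed by: https://github.com/cbeust/testng/commit/47afa2c8a29e2cf925238af1ad7c76fba282793f` followed by the release that contains it in parentheses, plus a word on why 9150736c was the wrong commit, since the PR NOTE above it is unchanged.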



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0459d42dd23edb189eaf6f3829fe45400e429922



[Git][security-tracker-team/security-tracker][master] CVE-2022-37026: Add followup commit references correcting guard check

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9104af55 by Salvatore Bonaccorso at 2022-11-21T20:50:56+01:00
CVE-2022-37026: Add followup commit references correcting guard check

Markus did already pinpoint the fixing commit needed for the OTP-23.3
branch. Apparently later on there was a followup commit to correct the
guard check. Add those as well for any potential stable and older
release to make sure we do not hit a regression.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25314,7 +25314,10 @@ CVE-2022-37026 (In Erlang/OTP before 23.3.4.15, 24.x 
before 24.3.4.2, and 25.x b
[bullseye] - erlang  (Minor issue)
[buster] - erlang  (Minor issue)
NOTE: https://erlangforums.com/t/otp-25-1-released/1854
-   NOTE: Possible fix according to Red Hat: 
https://github.com/erlang/otp/commit/cd5024867e
+   NOTE: Fixed by: 
https://github.com/erlang/otp/commit/cd5024867e7b7d3a6e94194af9e01e1fb77e36c9 
(OTP-23.3.4.15)
+   NOTE: Followup: 
https://github.com/erlang/otp/commit/6a1baa36e4e6c1b682e8b48e0c141602e0b8e6e5 
(OTP-23.3.4.17)
+   NOTE: Fixed by: 
https://github.com/erlang/otp/commit/254f2728902bc7e80a67726ebbc1a0b3ab7742eb 
(OTP-24.3.4.2)
+   NOTE: Followup: 
https://github.com/erlang/otp/commit/33e7570e075e0b84efef91b2f307fcf938517b1c 
(OTP-24.3.4.3)
 CVE-2022-37025 (An improper privilege management vulnerability in McAfee 
Security Scan ...)
NOT-FOR-US: McAfee
 CVE-2022-37024 (Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, 
Network Co ...)
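Review bot: the description says the issue also affects 25.x, but fix/followup pairs are recorded only for OTP-23.3.4.15/17 and OTP-24.3.4.2/3; either add the corresponding commits for the 25.x branch or state in a NOTE where the 25.x fix landed, so the gap is not mistaken for an unfixed branch. Also, since the followups correct the guard check of the initial fix (as the commit message explains), the Followup lines should say the two commits go together, e.g. "NOTE: Followup (apply together with the fix): ...", so a backport for bullseye or buster does not pick up only the first commit and reintroduce the regression.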



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9104af55346686c0dbb7f5c4c17eb13ca12c2ca6



[Git][security-tracker-team/security-tracker][master] NFU

2022-11-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
91cd8e14 by Moritz Muehlenhoff at 2022-11-21T14:27:57+01:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -106,6 +106,7 @@ CVE-2022-45471 (In JetBrains Hub before 2022.3.15181 
Throttling was missed when
NOT-FOR-US: JetBrains Hub
 CVE-2022-45470
RESERVED
+   NOT-FOR-US: Apache Hama
 CVE-2022-44456
RESERVED
 CVE-2022-4061
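Review bot: CVE-2022-45470 is still RESERVED, so the list itself carries no description to check the new "NOT-FOR-US: Apache Hama" against; the triage must rest on an external advisory. Add a NOTE with that source, so that once the automatic update fills in the description the NFU can be confirmed instead of being re-triaged from scratch.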



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91cd8e146499a40cdc09f0d96d396413c21e2b45



[Git][security-tracker-team/security-tracker][master] NFUs

2022-11-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c71feb9f by Moritz Muehlenhoff at 2022-11-21T14:03:38+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48655,7 +48655,7 @@ CVE-2022-26341 (Insufficiently protected credentials in 
software in Intel(R) AMT
 CVE-2022-26079 (Improper conditions check in some Intel(R) XMM(TM) 7560 Modem 
software ...)
NOT-FOR-US: Intel
 CVE-2022-26047 (Improper input validation for some Intel(R) PROSet/Wireless 
WiFi, Inte ...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2022-26045 (Improper buffer restrictions in some Intel(R) XMM(TM) 7560 
Modem softw ...)
NOT-FOR-US: Intel
 CVE-2022-25868
@@ -96044,7 +96044,7 @@ CVE-2021-37938 (It was discovered that on Windows 
operating systems specifically
 CVE-2021-37937
RESERVED
 CVE-2021-37936 (It was discovered that Kibana was not sanitizing document 
fields conta ...)
-   TODO: check
+   - kibana  (bug #700337)
 CVE-2021-37935 (An information disclosure vulnerability in the login page of 
Huntflow  ...)
NOT-FOR-US: Huntflow Enterprise
 CVE-2021-37934 (Due to insufficient server-side login-attempt limit 
enforcement, a vul ...)
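Review bot: unlike the rest of this commit, this hunk is not an NFU: it records CVE-2021-37936 against kibana with "(bug #700337)" and no version. As written a reader cannot tell whether #700337 is a report of this Kibana issue or the packaging request for kibana itself; a short NOTE saying which, plus the upstream fixed version from the Kibana advisory, would make the entry self-explanatory and keep the commit message accurate.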
@@ -98494,7 +98494,7 @@ CVE-2021-36907
 CVE-2021-36906 (Multiple Insecure Direct Object References (IDOR) 
vulnerabilities in E ...)
NOT-FOR-US: WordPress plugin
 CVE-2021-36905 (Multiple Auth. (contributor+) Stored Cross-Site Scripting 
(XSS) vulner ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-36904
RESERVED
 CVE-2021-36903
@@ -105682,7 +105682,7 @@ CVE-2021-33899
 CVE-2021-33898 (In Invoice Ninja before 4.4.0, there is an unsafe call to 
unserialize( ...)
NOT-FOR-US: Invoice Ninja
 CVE-2021-33897 (A buffer overflow in Synthesia before 10.7.5567, when a 
non-Latin loca ...)
-   TODO: check
+   NOT-FOR-US: Synthesia
 CVE-2021-33896 (Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory 
Traversal (o ...)
- dino-im 0.2.0-3
[buster] - dino-im  (Minor issue)
@@ -111565,7 +111565,7 @@ CVE-2021-31741
 CVE-2021-31740
RESERVED
 CVE-2021-31739 (The SEPPmail solution is vulnerable to a Cross-Site Scripting 
vulnerab ...)
-   TODO: check
+   NOT-FOR-US: SEPPmail
 CVE-2021-31738 (Adiscon LogAnalyzer 4.1.10 and 4.1.11 allow login.php XSS. ...)
NOT-FOR-US: Adiscon LogAnalyzer
 CVE-2021-31737 (emlog v5.3.1 and emlog v6.0.0 have a Remote Code Execution 
vulnerabili ...)
@@ -111835,7 +111835,7 @@ CVE-2021-31610 (The Bluetooth Classic implementation 
on AB32VG1 devices does not
 CVE-2021-31609 (The Bluetooth Classic implementation in Silicon Labs iWRAP 
6.3.0 and e ...)
NOT-FOR-US: Silicon Labs Bluetooth
 CVE-2021-31608 (Proofpoint Enterprise Protection before 18.8.0 allows a Bypass 
of a Se ...)
-   TODO: check
+   NOT-FOR-US: Proofpoint Enterprise Protection
 CVE-2021-31607 (In SaltStack Salt 2016.9 through 3002.6, a command injection 
vulnerabi ...)
{DLA-2815-1}
- salt 3002.6+dfsg1-2 (bug #987496)
@@ -125183,11 +125183,11 @@ CVE-2021-26395
 CVE-2021-26394
RESERVED
 CVE-2021-26393 (Insufficient memory cleanup in the AMD Secure Processor (ASP) 
Trusted  ...)
-   TODO: check
+   NOT-FOR-US: AMD
 CVE-2021-26392 (Insufficient verification of missing size check in 
'LoadModule' may le ...)
-   TODO: check
+   NOT-FOR-US: AMD
 CVE-2021-26391 (Insufficient verification of multiple header signatures while 
loading  ...)
-   TODO: check
+   NOT-FOR-US: AMD
 CVE-2021-26390 (A malicious or compromised UApp or ABL may coerce the 
bootloader into  ...)
NOT-FOR-US: AMD
 CVE-2021-26389
@@ -125249,7 +125249,7 @@ CVE-2021-26362 (A malicious or compromised UApp or 
ABL may be used by an attacke
 CVE-2021-26361 (A malicious or compromised User Application (UApp) or AGESA 
Boot Loade ...)
NOT-FOR-US: AMD
 CVE-2021-26360 (An attacker with local access to the system can make 
unauthorized modi ...)
-   TODO: check
+   NOT-FOR-US: AMD
 CVE-2021-26359
RESERVED
 CVE-2021-26358
@@ -180482,7 +180482,7 @@ CVE-2020-15855 (Two cross-site scripting 
vulnerabilities were fixed in Bodhi 5.6
 CVE-2020-15854
RESERVED
 CVE-2020-15853 (supybot-fedora implements the command 'refresh', that 
refreshes the ca ...)
-   TODO: check
+   NOT-FOR-US: supybot-fedora
 CVE-2020- [mpv insecure lua loadpath]
- mpv 0.32.0-2 (bug #950816)
[buster] - mpv  (Minor issue)
@@ -188487,9 +188487,9 @@ CVE-2020-12933 (A denial of service vulnerability 
exists in the D3DKMTEscape han
 CVE-2020-12932
RESERVED
 CVE-2020-12931 (Improper parameters handling in the AMD Secure Processor (ASP) 
kernel  ...)
-   TODO: check
+   NOT-FOR-US: AMD
 CVE-2020-12930 (Improper parameters handling in AMD Secure Processor (ASP) 
drivers may ...)
- 

[Git][security-tracker-team/security-tracker][master] new maradns issue

2022-11-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
496dd385 by Moritz Muehlenhoff at 2022-11-21T14:00:21+01:00
new maradns issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -44102,7 +44102,8 @@ CVE-2022-30258
 CVE-2022-30257
RESERVED
 CVE-2022-30256 (An issue was discovered in MaraDNS Deadwood through 3.5.0021 
that allo ...)
-   TODO: check
+   - maradns 
+   NOTE: https://maradns.samiam.org/security.html#CVE-2022-30256
 CVE-2022-30255
RESERVED
 CVE-2022-30254
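Review bot: the maradns line carries no fixed version and no bug reference, and the only NOTE is the upstream security page. If that page names the Deadwood release that fixes CVE-2022-30256, record it (as a "Fixed by:" NOTE or as the version on the package line) and reference the bug filed against maradns, as other unfixed entries in this file do, so the maintainer is notified and the status can be tracked.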



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/496dd385bb12c0ae2907a996b22f9170140308af



[Git][security-tracker-team/security-tracker][master] new zoneminder issues

2022-11-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6a51411d by Moritz Muehlenhoff at 2022-11-21T13:55:14+01:00
new zoneminder issues
new potential otrs/znuny issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19545,7 +19545,7 @@ CVE-2022-39054 (Cowell enterprise travel management 
system has insufficient filt
 CVE-2022-39053 (Heimavista Rpage has insufficient filtering for platform web 
URL. An u ...)
NOT-FOR-US: Heimavista Rpage
 CVE-2022-39052 (An external attacker is able to send a specially crafted email 
(with m ...)
-   TODO: check
+   - znuny 
 CVE-2022-39051 (Attacker might be able to execute malicious Perl code in the 
Template  ...)
NOT-FOR-US: OTRS
NOTE: Could possibly affect Znuny, we'll let their security team figure 
it out
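Review bot: the znuny line for CVE-2022-39052 has no NOTE, while the adjacent CVE-2022-39051 is NOT-FOR-US: OTRS with the remark that Znuny's security team should decide; nothing in the entry says why 39052 is treated differently (shared code, a Znuny advisory, or a fix in Znuny). Add a NOTE with the Znuny or OTRS advisory reference and the fixed upstream version, if known, so the two neighbouring entries do not look contradictory.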
@@ -42572,9 +42572,13 @@ CVE-2022-30771 (Initialization function in PnpSmm 
could lead to SMRAM corruption
 CVE-2022-30770 (Terminalfour versions 8.3.7, 8.3.x versions prior to version 
8.3.8 and ...)
NOT-FOR-US: Terminalfour
 CVE-2022-30769 (Session fixation exists in ZoneMinder through 1.36.12 as an 
attacker c ...)
-   TODO: check
+   - zoneminder  (unimportant)
+   NOTE: 
https://medium.com/@dk50u1/session-fixation-in-zoneminder-up-to-v1-36-12-3c850b1fbbf3
+   NOTE: Only supported for trusted users/behind auth, see 
README.debian.security
 CVE-2022-30768 (A Stored Cross Site Scripting (XSS) issue in ZoneMinder 
1.36.12 allows ...)
-   TODO: check
+   - zoneminder  (unimportant)
+   NOTE: 
https://medium.com/@dk50u1/stored-xss-in-zoneminder-up-to-v1-36-12-f26b4bb68c31
+   NOTE: Only supported for trusted users/behind auth, see 
README.debian.security
 CVE-2022-30767 (nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 
(and throu ...)
[experimental] - u-boot 2022.07~rc4+dfsg-1
- u-boot 2022.07+dfsg-1 (bug #1014471)
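Review bot: the same "Only supported for trusted users/behind auth, see README.debian.security" rationale is copied onto both entries, but it fits the stored XSS (CVE-2022-30768) better than the session fixation (CVE-2022-30769), which concerns how a session is established before a user has authenticated. Give the 30769 entry a sentence of its own explaining why it is unimportant in the Debian configuration, so the rating survives a later re-read.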



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a51411d4d617313b53ef26bbdaf2bf3ca54ed7c



[Git][security-tracker-team/security-tracker][master] 2 commits: new gitlab issues

2022-11-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
78a7a183 by Moritz Muehlenhoff at 2022-11-21T13:40:20+01:00
new gitlab issues

- - - - -
f31d24af by Moritz Muehlenhoff at 2022-11-21T13:49:50+01:00
two additional CVEs from August Nvidia advisory, copy over existing entries for 
older suites

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20240,7 +20240,7 @@ CVE-2022-3031 (An issue has been discovered in GitLab 
CE/EE affecting all versio
- gitlab 
NOTE: 
https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
 CVE-2022-3030 (An improper access control issue in GitLab CE/EE affecting all 
version ...)
-   TODO: check
+   - gitlab 
 CVE-2022-3029 (In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due 
to a mi ...)
- routinator  (bug #929024)
 CVE-2022-3028 (A race condition was found in the Linux kernel's IP framework 
for tran ...)
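Review bot: CVE-2022-3030 now gets "- gitlab" with no version and no NOTE, while the CVE-2022-3031 entry just above it links the 15.3.2 critical security release; if 3030 was fixed in the same release, copy that NOTE and the fixed version so both entries are consistent and the fix can be located.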
@@ -21867,7 +21867,7 @@ CVE-2022-2828 (In affected versions of Octopus Server 
it is possible to reveal i
 CVE-2022-2827
RESERVED
 CVE-2022-2826 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   TODO: check
+   - gitlab 
 CVE-2022-38362 (Apache Airflow Docker's Provider prior to 3.0.0 shipped with 
an exampl ...)
- airflow  (bug #819700)
 CVE-2022-38361
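Review bot: the CVE-2022-2826 entry is filed against gitlab without a version or reference; add a NOTE with the GitLab release post that fixed it, as is done for the 15.3.2 entries, otherwise there is nothing to compare the packaged version against.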
@@ -31714,9 +31714,43 @@ CVE-2022-34667 (NVIDIA CUDA Toolkit SDK contains a 
stack-based buffer overflow v
[buster] - nvidia-cuda-toolkit  (Minor issue)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5373
 CVE-2022-34666 (NVIDIA GPU Display Driver for Windows and Linux contains a 
vulnerabili ...)
-   TODO: check
+   - nvidia-graphics-drivers 470.141.03-1
+   [bullseye] - nvidia-graphics-drivers 470.141.03-1~deb11u1
+   [buster] - nvidia-graphics-drivers  (Non-free not supported)
+   - nvidia-graphics-drivers-legacy-340xx 
+   [buster] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
+   - nvidia-graphics-drivers-legacy-390xx 390.154-1
+   [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
+   [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
+   - nvidia-graphics-drivers-tesla-418 
+   [bullseye] - nvidia-graphics-drivers-tesla-418  (Non-free not 
supported)
+   - nvidia-graphics-drivers-tesla-450 450.203.03-1
+   [bullseye] - nvidia-graphics-drivers-tesla-450 450.203.03-1~deb11u1
+   - nvidia-graphics-drivers-tesla-460 460.106.00-3
+   [bullseye] - nvidia-graphics-drivers-tesla-460  (Non-free not 
supported)
+   NOTE: 460.106.00-3 turned the package into a metapackage to aid 
switching to nvidia-graphics-drivers-tesla-470
+   - nvidia-graphics-drivers-tesla-470 470.141.03-1
+   [bullseye] - nvidia-graphics-drivers-tesla-470 470.141.03-1~deb11u1
+   - nvidia-graphics-drivers-tesla-510 510.85.02-1
 CVE-2022-34665 (NVIDIA GPU Display Driver for Windows and Linux contains a 
vulnerabili ...)
-   TODO: check
+   - nvidia-graphics-drivers 470.141.03-1
+   [bullseye] - nvidia-graphics-drivers 470.141.03-1~deb11u1
+   [buster] - nvidia-graphics-drivers  (Non-free not supported)
+   - nvidia-graphics-drivers-legacy-340xx 
+   [buster] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
+   - nvidia-graphics-drivers-legacy-390xx 390.154-1
+   [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
+   [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
+   - nvidia-graphics-drivers-tesla-418 
+   [bullseye] - nvidia-graphics-drivers-tesla-418  (Non-free not 
supported)
+   - nvidia-graphics-drivers-tesla-450 450.203.03-1
+   [bullseye] - nvidia-graphics-drivers-tesla-450 450.203.03-1~deb11u1
+   - nvidia-graphics-drivers-tesla-460 460.106.00-3
+   [bullseye] - nvidia-graphics-drivers-tesla-460  (Non-free not 
supported)
+   NOTE: 460.106.00-3 turned the package into a metapackage to aid 
switching to nvidia-graphics-drivers-tesla-470
+   - nvidia-graphics-drivers-tesla-470 470.141.03-1
+   [bullseye] - nvidia-graphics-drivers-tesla-470 470.141.03-1~deb11u1
+   - nvidia-graphics-drivers-tesla-510 510.85.02-1
 CVE-2022-34664
RESERVED
 CVE-2022-34663 (A vulnerability has been identified in RUGGEDCOM ROS M2100 
(All versio ...)
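Review bot: the two new blocks for CVE-2022-34666 and CVE-2022-34665 are byte-identical copies, but neither repeats the advisory reference that the CVE-2022-34667 entry carries ("NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5373"). Add that NOTE to both, since it is the only place the per-branch fixed versions (470.141.03, 390.154, 450.203.03, 510.85.02) can be traced back to.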



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4736cf4bc21ff490c1ef8fafd4f15638f5ff3d29...f31d24af95fd6c3933e507152be88b85d49902f8




[Git][security-tracker-team/security-tracker][master] new testng issue

2022-11-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4736cf4b by Moritz Muehlenhoff at 2022-11-21T13:37:29+01:00
new testng issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -65,7 +65,9 @@ CVE-2022-4067 (Cross-site Scripting (XSS) - Stored in GitHub 
repository librenms
 CVE-2022-4066 (A vulnerability was found in davidmoreno onion. It has been 
rated as p ...)
- libonion  (bug #744119)
 CVE-2022-4065 (A vulnerability was found in cbeust testng. It has been 
declared as cr ...)
-   TODO: check
+   - testng 
+   NOTE: https://github.com/cbeust/testng/pull/2806
+   NOTE: 
https://github.com/cbeust/testng/commit/9150736cd2c123a6a3b60e6193630859f9f0422b
 CVE-2022-4064 (A vulnerability was found in Dalli. It has been classified as 
problema ...)
- ruby-dalli  (Vulnerable code introduced later)
NOTE: https://github.com/petergoldstein/dalli/issues/932
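Review bot: the entry links both PR 2806 and commit 9150736c without saying which upstream release contains the fix; commit 0459d42d (shown earlier on this page) later had to replace 9150736c with 47afa2c8, which is the kind of follow-up correction that recording the PR's actual merge commit and the fixed upstream version in parentheses up front avoids.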



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4736cf4bc21ff490c1ef8fafd4f15638f5ff3d29



[Git][security-tracker-team/security-tracker][master] NFUs

2022-11-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6ca0332c by Moritz Muehlenhoff at 2022-11-21T12:46:34+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2022-4096 (Server-Side Request Forgery (SSRF) in GitHub repository 
appsmithorg/ap ...)
-   TODO: check
+   NOT-FOR-US: appsmith
 CVE-2022-4095
RESERVED
 CVE-2022-4094
@@ -63,7 +63,7 @@ CVE-2022-4068 (A user is able to enable their own account if 
it was disabled by
 CVE-2022-4067 (Cross-site Scripting (XSS) - Stored in GitHub repository 
librenms/libr ...)
NOT-FOR-US: LibreNMS
 CVE-2022-4066 (A vulnerability was found in davidmoreno onion. It has been 
rated as p ...)
-   TODO: check
+   - libonion  (bug #744119)
 CVE-2022-4065 (A vulnerability was found in cbeust testng. It has been 
declared as cr ...)
TODO: check
 CVE-2022-4064 (A vulnerability was found in Dalli. It has been classified as 
problema ...)
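Review bot: the libonion line in this hunk is not an NFU like the rest of the commit; it records CVE-2022-4066 against libonion with "(bug #744119)" and no version or NOTE. Add a NOTE with the upstream onion fix or advisory and say whether #744119 is a report of this issue or the packaging bug for libonion, so the entry does not need a second pass.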
@@ -12405,9 +12405,9 @@ CVE-2022-41941
 CVE-2022-41940
RESERVED
 CVE-2022-41939 (knative.dev/func is is a client library and CLI enabling the 
developme ...)
-   TODO: check
+   NOT-FOR-US: knative.dev/func
 CVE-2022-41938 (Flarum is an open source discussion platform. Flarum's page 
title syst ...)
-   TODO: check
+   NOT-FOR-US: Flarum
 CVE-2022-41937
RESERVED
 CVE-2022-41936
@@ -13135,13 +13135,13 @@ CVE-2022-41660 (A vulnerability has been identified 
in JT2Go (All versions 
 CVE-2022-41656
RESERVED
 CVE-2022-41655 (Auth. (subscriber+) Sensitive Data Exposure vulnerability in 
Phone Ord ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2022-41650
RESERVED
 CVE-2022-41647
RESERVED
 CVE-2022-41643 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Acce ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2022-41640
RESERVED
 CVE-2022-41638 (Auth. Stored Cross-Site Scripting (XSS) in Pop-Up Chop Chop 
plugin  ...)
@@ -20020,7 +20020,7 @@ CVE-2022-38873
 CVE-2022-38872
RESERVED
 CVE-2022-38871 (In Free5gc v3.0.5, the AMF breaks due to malformed NAS 
messages. ...)
-   TODO: check
+   NOT-FOR-US: free5GC
 CVE-2022-38870 (Free5gc v3.2.1 is vulnerable to Information disclosure. ...)
NOT-FOR-US: free5GC
 CVE-2022-38869
@@ -21582,7 +21582,7 @@ CVE-2022-2885 (Cross-site Scripting (XSS) - Stored in 
GitHub repository yetiforc
 CVE-2022-38396
RESERVED
 CVE-2022-38395 (HP Support Assistant uses HP Performance Tune-up as a 
diagnostic tool. ...)
-   TODO: check
+   NOT-FOR-US: HP
 CVE-2022-38393
RESERVED
 CVE-2022-2884 (A vulnerability in GitLab CE/EE affecting all versions from 
11.3.4 pri ...)
@@ -22343,7 +22343,7 @@ CVE-2022-38171 (Xpdf prior to version 4.04 contains an 
integer overflow in the J
NOTE: This is CVE-2021-30860 in Apple CoreGraphics and CVE-2022-38171 
in xpdf
NOTE: https://gist.github.com/zmanion/b2ed0d1a0cec163ecd07d5e3d9740dc6
 CVE-2022-2794 (Certain HP PageWide Pro Printers may be vulnerable to a 
potential deni ...)
-   TODO: check
+   NOT-FOR-US: HP
 CVE-2022-2793 (Emerson Electric's Proficy Machine Edition Version 9.00 and 
prior is v ...)
NOT-FOR-US: Emerson
 CVE-2022-2792 (Emerson Electric's Proficy Machine Edition Version 9.00 and 
prior is v ...)
@@ -24930,7 +24930,7 @@ CVE-2022-37199 (JFinal CMS 5.1.0 is vulnerable to SQL 
Injection via /jfinal_cms/
 CVE-2022-37198
RESERVED
 CVE-2022-37197 (IOBit IOTransfer V4 is vulnerable to Unquoted Service Path. 
...)
-   TODO: check
+   NOT-FOR-US: IOBit
 CVE-2022-37196
RESERVED
 CVE-2022-37195
@@ -31257,7 +31257,7 @@ CVE-2022-34829 (Zoho ManageEngine ADSelfService Plus 
before 6203 allows a denial
 CVE-2022-34828
RESERVED
 CVE-2022-34827 (Carel Boss Mini 1.5.0 has Improper Access Control. ...)
-   TODO: check
+   NOT-FOR-US: Carel Boss Mini
 CVE-2022-34826 (In Couchbase Server 7.1.x before 7.1.1, an encrypted Private 
Key passp ...)
NOT-FOR-US: Couchbase Server
 CVE-2022-34825 (Uncontrolled Search Path Element in CLUSTERPRO X 5.0 for 
Windows and e ...)
@@ -39681,7 +39681,7 @@ CVE-2022-31696
 CVE-2022-31695
RESERVED
 CVE-2022-31694 (InstallBuilder Qt installers built with versions previous to 
22.10 try ...)
-   TODO: check
+   NOT-FOR-US: InstallBuilder Qt installers
 CVE-2022-31693
RESERVED
 CVE-2022-31692 (Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 
5.6.9 co ...)
@@ -39972,9 +39972,9 @@ CVE-2022-1877
 CVE-2022-31618 (NVIDIA vGPU software contains a vulnerability in the Virtual 
GPU Manag ...)
NOT-FOR-US: NVIDIA
 CVE-2022-31617 (NVIDIA GPU Display Driver for Windows contains a vulnerability 
in the  ...)
-   TODO: check
+   NOT-FOR-US: NVIDIA drivers for Windows
 CVE-2022-31616 

[Git][security-tracker-team/security-tracker][master] bullseye triage

2022-11-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a2d84d6d by Moritz Muehlenhoff at 2022-11-21T11:57:04+01:00
bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12536,6 +12536,7 @@ CVE-2022-41878 (Parse Server is an open source backend 
that can be deployed to a
NOT-FOR-US: Node parse-server
 CVE-2022-41877 (FreeRDP is a free remote desktop protocol library and clients. 
Affecte ...)
- freerdp2  (bug #1024511)
+   [bullseye] - freerdp2  (Minor issue)
[buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pmv3-wpw4-pw5h
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/6655841cf2a00b764f855040aecb8803cfc5eaba
@@ -18704,6 +18705,7 @@ CVE-2022-39348 (Twisted is an event-based framework for 
internet applications. S
NOTE: Fixed by: 
https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b
 (twisted-22.10.0rc1)
 CVE-2022-39347 (FreeRDP is a free remote desktop protocol library and clients. 
Affecte ...)
- freerdp2  (bug #1024511)
+   [bullseye] - freerdp2  (Minor issue)
[buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/027424c2c6c0991cb9c22f9511478229c9b17e5d
@@ -18766,24 +18768,29 @@ CVE-2022-39321 (GitHub Actions Runner is the 
application that runs a job from a
NOT-FOR-US: GitHub Actions Runner
 CVE-2022-39320 (FreeRDP is a free remote desktop protocol library and clients. 
Affecte ...)
- freerdp2  (bug #1024511)
+   [bullseye] - freerdp2  (Minor issue)
[buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qfq2-82qr-7f4j
 CVE-2022-39319 (FreeRDP is a free remote desktop protocol library and clients. 
Affecte ...)
- freerdp2  (bug #1024511)
+   [bullseye] - freerdp2  (Minor issue)
[buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/11555828d2cf289b350baba5ad1f462f10b80b76
 CVE-2022-39318 (FreeRDP is a free remote desktop protocol library and clients. 
Affecte ...)
- freerdp2  (bug #1024511)
+   [bullseye] - freerdp2  (Minor issue)
[buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea
 CVE-2022-39317 (FreeRDP is a free remote desktop protocol library and clients. 
Affecte ...)
- freerdp2  (bug #1024511)
+   [bullseye] - freerdp2  (Minor issue)
[buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-99cm-4gw7-c8jh
 CVE-2022-39316 (FreeRDP is a free remote desktop protocol library and clients. 
In affe ...)
- freerdp2  (bug #1024511)
+   [bullseye] - freerdp2  (Minor issue)
[buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0
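Review bot: CVE-2022-39320 and CVE-2022-39317 in this hunk reference only their GHSA advisories, while the neighbouring freerdp2 entries also record the fixing commit. Add the commit references for those two as well, so the new "[bullseye] - freerdp2 (Minor issue)" decisions can be revisited with the patches at hand should a point-release update be prepared later.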
@@ -53747,10 +53754,10 @@ CVE-2022-0944 (Template injection in connection test 
endpoint leads to RCE in Gi
NOT-FOR-US: sqlpad
 CVE-2022-0943 (Heap-based Buffer Overflow occurs in vim in GitHub repository 
vim/vim  ...)
{DLA-3182-1 DLA-3053-1}
-   - vim 2:8.2.4659-1
-   [bullseye] - vim  (Minor issue)
+   - vim 2:8.2.4659-1 (unimportant)
NOTE: https://huntr.dev/bounties/9e4de32f-ad5f-4830-b3ae-9467b5ab90a1
NOTE: 
https://github.com/vim/vim/commit/5c68617d395f9d7b824f68475b24ce3e38d653a3 
(v8.2.4563)
+   NOTE: Crash in CLI tool, no security impact
 CVE-2022-26981 (Liblouis through 3.21.0 has a buffer overflow in 
compilePassOpcode in  ...)
- liblouis 3.22.0-1 (bug #1008009)
[bullseye] - liblouis  (Minor issue)
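Review bot: this hunk downgrades CVE-2022-0943 to unimportant with "Crash in CLI tool, no security impact", yet the entry already lists DLA-3182-1 and DLA-3053-1, i.e. LTS shipped fixes for a heap-based buffer overflow. The NOTE should give the reason for the reassessment (what input is needed and why it is not reachable in a security-relevant way), not only the conclusion, so the LTS team and anyone reading the DLAs can reconcile the two decisions.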
@@ -57409,10 +57416,10 @@ CVE-2022-0730 (Under certain ldap conditions, Cacti 
authentication can be bypass
NOTE: 
https://github.com/Cacti/cacti/commit/0bb77ee9b4d1c7a99e0140b88789e050e523e628 
(1.2.x)
 CVE-2022-0729 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim 
prior  ...)
{DLA-3182-1 DLA-2947-1}
-   - vim 2:8.2.4659-1
-   [bullseye] - vim  (Minor issue)
+   - vim 2:8.2.4659-1 (unimportant)
NOTE: https://huntr.dev/bounties/f3f3d992-7bd6-4ee5-a502-ae0e5f8016ea
NOTE: 
https://github.com/vim/vim/commit/6456fae9ba8e72c74b2c0c499eaf09974604ff30 
(v8.2.4440)
+   NOTE: Crash in CLI tool, no security impact
 CVE-2022-0728 (The Easy Smooth Scroll 
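Review bot: CVE-2022-0729 gets the same "Crash in CLI tool, no security impact" NOTE as CVE-2022-0943 although DLA-3182-1 and DLA-2947-1 already addressed it; as the description is "Use of Out-of-range Pointer Offset", please spell out in the NOTE why an out-of-bounds pointer access is considered a plain crash here, so the unimportant rating is reviewable on its own.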

[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4087/ipxe

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8f048e82 by Salvatore Bonaccorso at 2022-11-21T09:46:38+01:00
Add CVE-2022-4087/ipxe

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,7 +19,9 @@ CVE-2022-4089
 CVE-2022-4088
RESERVED
 CVE-2022-4087 (A vulnerability was found in iPXE. It has been declared as 
problematic ...)
-   TODO: check
+   - ipxe 
+   NOTE: Fixed by: 
https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729
+   TODO: check, might be introduced later than the packaged version
 CVE-2022-4086
REJECTED
 CVE-2022-4085
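Review bot: the new ipxe entry is inconsistent with itself: it records a "Fixed by:" commit and at the same time "TODO: check, might be introduced later than the packaged version". Leaving the package marked affected until the check is done is the safe default, but the TODO should name what to compare (the packaged ipxe snapshot against the change that introduced the issue, which the fixing commit's history should reveal), and once settled the line should become either a fixed version or the "(Vulnerable code introduced later)" annotation used elsewhere in this file.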



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f048e824089c55d13863135811244fcc0e8943d



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4093/dolibarr

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cf59fe3a by Salvatore Bonaccorso at 2022-11-21T09:45:05+01:00
Add CVE-2022-4093/dolibarr

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,7 +5,7 @@ CVE-2022-4095
 CVE-2022-4094
RESERVED
 CVE-2022-4093 (SQL injection attacks can result in unauthorized access to 
sensitive d ...)
-   TODO: check
+   - dolibarr 
 CVE-2022-4092
RESERVED
 CVE-2022-44608
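Review bot: the entry is flipped from "TODO: check" to an unfixed "- dolibarr " marker with no NOTE giving the upstream advisory or fixing commit, unlike the ipxe entry in the sibling commit which records a "Fixed by:" URL; without a reference the marker cannot be verified or later resolved to a fixed version, so please add a NOTE pointing at the upstream fix or report that motivated the marking.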



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf59fe3ae0617e5ce32427501eea6b8a60a98994



[Git][security-tracker-team/security-tracker][master] automatic update

2022-11-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0d7f0d61 by security tracker role at 2022-11-21T08:10:11+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,13 @@
+CVE-2022-4096 (Server-Side Request Forgery (SSRF) in GitHub repository 
appsmithorg/ap ...)
+   TODO: check
+CVE-2022-4095
+   RESERVED
+CVE-2022-4094
+   RESERVED
+CVE-2022-4093 (SQL injection attacks can result in unauthorized access to 
sensitive d ...)
+   TODO: check
+CVE-2022-4092
+   RESERVED
 CVE-2022-44608
RESERVED
 CVE-2022-4091
@@ -8,8 +18,8 @@ CVE-2022-4089
RESERVED
 CVE-2022-4088
RESERVED
-CVE-2022-4087
-   RESERVED
+CVE-2022-4087 (A vulnerability was found in iPXE. It has been declared as 
problematic ...)
+   TODO: check
 CVE-2022-4086
REJECTED
 CVE-2022-4085
@@ -48634,6 +48644,7 @@ CVE-2022-1273 (The Import WP WordPress plugin before 
2.4.6 does not validate the
 CVE-2022-1272
RESERVED
 CVE-2022-1270 (In GraphicsMagick, a heap buffer overflow was found when 
parsing MIFF. ...)
+   {DLA-3200-1}
- graphicsmagick 1.4+really1.3.38-1
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/664/
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/94f4bcf448ad



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d7f0d6122238ce93331958d9fb9b528fb182cf9
