Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits: e220945a by Thorsten Alteholz at 2022-06-03T23:23:04+02:00 mark ckeditor3 sa EOL in Stretch - - - - - d9997664 by Thorsten Alteholz at 2022-06-03T23:26:39+02:00 add python-bottle - - - - - ede8c4a2 by Thorsten Alteholz at 2022-06-03T23:42:19+02:00 mark CVE-2022-32200 as no-dsa for Stretch - - - - - 3072efb7 by Thorsten Alteholz at 2022-06-03T23:44:20+02:00 mark CVE-2022-1942 as no-dsa for Stretch - - - - - 1aac2918 by Thorsten Alteholz at 2022-06-03T23:44:53+02:00 mark CVE-2022-1968 as no-dsa for Stretch - - - - - b2f5bfe7 by Thorsten Alteholz at 2022-06-03T23:49:09+02:00 add php-horde-turba - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -231,6 +231,7 @@ CVE-2022-1968 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) - vim <unfixed> [bullseye] - vim <no-dsa> (Minor issue) [buster] - vim <no-dsa> (Minor issue) + [stretch] - vim <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/949090e5-f4ea-4edf-bd79-cd98f0498a5b NOTE: https://github.com/vim/vim/commit/409510c588b1eec1ae33511ae97a21eb8e110895 (v8.2.5050) CVE-2022-1967 @@ -258,6 +259,7 @@ CVE-2022-32200 (libdwarf 0.4.0 has a heap-based buffer over-read in _dwarf_check - dwarfutils <unfixed> [bullseye] - dwarfutils <no-dsa> (Minor issue) [buster] - dwarfutils <no-dsa> (Minor issue) + [stretch] - dwarfutils <no-dsa> (Minor issue) NOTE: Fixed by: https://github.com/davea42/libdwarf-code/commit/8151575a6ace77d005ca5bb5d71c1bfdba3f7069 NOTE: https://github.com/davea42/libdwarf-code/issues/116 NOTE: https://www.prevanders.net/dwarfbug.html#DW202205-001 
@@ -1125,6 +1127,7 @@ CVE-2022-1942 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to - vim <unfixed> [bullseye] - vim <no-dsa> (Minor issue) [buster] - vim <no-dsa> (Minor issue) + [stretch] - vim <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/67ca4d3b-9175-43c1-925c-72a7091bc071 NOTE: https://github.com/vim/vim/commit/71223e2db87c2bf3b09aecb46266b56cda26191d (v8.2.5043) CVE-2022-1941 @@ -21490,10 +21493,12 @@ CVE-2022-24730 (Argo CD is a declarative, GitOps continuous delivery tool for Ku CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor <unfixed> - ckeditor3 <unfixed> + [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh CVE-2022-24728 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor <unfixed> - ckeditor3 <unfixed> + [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89 NOTE: https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949 (4.18.0) NOTE: MITRE's referenced patch (above) does not seem related @@ -48413,6 +48418,7 @@ CVE-2021-41165 (CKEditor4 is an open source WYSIWYG HTML editor. In affected ver [buster] - ckeditor <no-dsa> (Minor issue) [stretch] - ckeditor <no-dsa> (Minor issue) - ckeditor3 <unfixed> + [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2 (v4.17.0) CVE-2021-41164 (CKEditor4 is an open source WYSIWYG HTML editor. In affected versions ...) - ckeditor <unfixed> (bug #999909) 
@@ -57342,6 +57348,7 @@ CVE-2021-37695 (ckeditor is an open source WYSIWYG HTML editor with rich content [bullseye] - ckeditor <no-dsa> (Minor issue) [buster] - ckeditor <no-dsa> (Minor issue) - ckeditor3 <unfixed> + [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc NOTE: https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58 CVE-2021-37694 (@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud S ...) @@ -66494,6 +66501,7 @@ CVE-2021-33829 (A cross-site scripting (XSS) vulnerability in the HTML Data Proc - ckeditor 4.16.0+dfsg-2 [buster] - ckeditor <no-dsa> (Minor issue) - ckeditor3 <unfixed> + [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch) NOTE: https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser NOTE: https://github.com/ckeditor/ckeditor4/commit/3e426ce34f7fc7bf784624358831ef9e189bb6ed CVE-2021-33828 (The files_antivirus component before 1.0.0 for ownCloud mishandles the ...) @@ -86141,6 +86149,7 @@ CVE-2021-26271 (It was possible to execute a ReDoS-type attack inside CKEditor 4 [buster] - ckeditor <no-dsa> (Minor issue) [stretch] - ckeditor <postponed> (Fix along next DLA) - ckeditor3 <unfixed> + [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch) NOTE: https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416 CVE-2021-26270 RESERVED @@ -245485,6 +245494,7 @@ CVE-2018-17960 (CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a [stretch] - ckeditor <ignored> (Minor issue, XSS through direct copy/paste by victim, no identified patch) [jessie] - ckeditor <ignored> (Minor issue) - ckeditor3 <unfixed> (low) + [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch) - fckeditor <removed> CVE-2018-17959 RESERVED 
@@ -414223,6 +414233,7 @@ CVE-2014-5191 (Cross-site scripting (XSS) vulnerability in the Preview plugin be [wheezy] - ckeditor <not-affected> (Preview plugin not yet present) [squeeze] - ckeditor <not-affected> (Preview plugin not yet present) - ckeditor3 <unfixed> + [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch) NOTE: https://dev.ckeditor.com/browser/CKEditor/trunk/_source/plugins/preview/preview.html?rev=7706 (v3.6.x) NOTE: https://github.com/ckeditor/ckeditor4/commit/b685874c6bc873a76e6e95916c43840a2b7ab08a (v4.4.3) CVE-2014-5190 (Cross-site scripting (XSS) vulnerability in captcha-secureimage/test/i ...) ===================================== data/dla-needed.txt ===================================== @@ -212,6 +212,9 @@ pdns NOTE: 20220506: package builds but does not run a test suite, and I lack the NOTE: 20220506: know-how for testing manually (enrico) -- +php-horde-turba + NOTE: 20220603: Programming language: PHP. +-- pidgin (Andreas Rönnquist) NOTE: 20220529: Programming language: C. -- @@ -233,6 +236,9 @@ puppet-module-puppetlabs-firewall pyjwt NOTE: 20220529: Programming language: Python. -- +python-bottle + NOTE: 20220603: Programming language: Python. +-- qemu (Abhijith PA) NOTE: 20220529: Programming language: C. NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates since 2 years, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fe7d353bfb3a7f92d1d089a0c1f4910df2d6ca69...b2f5bfe7e1ce1e44044662c0c10654d73f68eda5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fe7d353bfb3a7f92d1d089a0c1f4910df2d6ca69...b2f5bfe7e1ce1e44044662c0c10654d73f68eda5 You're receiving this email because of your account on salsa.debian.org.
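Review bot: in the seven data/CVE/list hunks that add `[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)` (CVE-2022-24729 down to CVE-2014-5191), the parenthetical only restates the `<end-of-life>` tag; neighbouring lines in the same entries use the reason field to say why (`Minor issue`, `Fix along next DLA`, `Preview plugin not yet present`), so a one-line reason for dropping ckeditor3 support in stretch, or a pointer to where that decision is recorded, would make these entries self-explanatory for the next triager.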
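Review bot: the two data/dla-needed.txt hunks queue php-horde-turba and python-bottle with only a `Programming language` NOTE and no claimant, whereas the qemu entry in the surrounding context records what triggered the work (`a few new CVEs since last DLA`); adding a NOTE naming the CVE(s) behind each addition would spare whoever claims them a second round of triage.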
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits