[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Apr 3 21:20:23 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ced45790 by Moritz Muehlenhoff at 2022-04-03T22:19:50+02:00
buster/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4053,6 +4053,8 @@ CVE-2022-26884
CVE-2022-0934
RESERVED
- dnsmasq <unfixed>
+ [bullseye] - dnsmasq <no-dsa> (Minor issue)
+ [buster] - dnsmasq <no-dsa> (Minor issue)
NOTE: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016272.html
CVE-2022-0933
RESERVED
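Review bot: the new bullseye and buster `<no-dsa>` tags for dnsmasq carry only "Minor issue" as rationale, and the entry's single NOTE points at the upstream discussion thread rather than at a fix, while unstable stays `<unfixed>`; record the upstream fix commit or fixed version once known, so the point-release follow-up that `<no-dsa>` implies has something concrete to backport.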
@@ -5560,11 +5562,11 @@ CVE-2022-0815 (Improper access control vulnerability in McAfee WebAdvisor Chrome
CVE-2022-0814
RESERVED
CVE-2022-0813 (PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially ...)
- - phpmyadmin 4:5.1.3+dfsg1-1
- [stretch] - phpmyadmin <postponed> (Minor issue)
+ - phpmyadmin 4:5.1.3+dfsg1-1 (unimportant)
NOTE: https://www.phpmyadmin.net/news/2022/2/11/phpmyadmin-4910-and-513-are-released/
NOTE: https://www.incibe-cert.es/en/early-warning/security-advisories/phpmyadmin-exposure-sensitive-information
NOTE: Fixed by: https://github.com/phpmyadmin/phpmyadmin/commit/c04f85f2bb96c442086d9ad057953567cc794486
+ NOTE: Negligible security impact
CVE-2022-0811 (A flaw was found in CRI-O in the way it set kernel options for a pod. ...)
NOT-FOR-US: cri-o
CVE-2022-26333
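Review bot: dropping the `[stretch] <postponed>` line is consistent with the new `(unimportant)` severity, since an unimportant entry needs no per-release tags, but the added "NOTE: Negligible security impact" states a conclusion without the reason; one clause on what the disclosed information actually amounts to would spare the next triager re-reading the upstream advisory and the INCIBE notice.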
@@ -8212,18 +8214,24 @@ CVE-2022-25311 (A vulnerability has been identified in SINEC NMS (All versions).
CVE-2022-25310
RESERVED
- fribidi <unfixed> (bug #1008793)
+ [bullseye] - fribidi <no-dsa> (Minor issue)
+ [buster] - fribidi <no-dsa> (Minor issue)
NOTE: https://github.com/fribidi/fribidi/issues/183
NOTE: https://github.com/fribidi/fribidi/pull/186
NOTE: https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f
CVE-2022-25309
RESERVED
- fribidi <unfixed> (bug #1008793)
+ [bullseye] - fribidi <no-dsa> (Minor issue)
+ [buster] - fribidi <no-dsa> (Minor issue)
NOTE: https://github.com/fribidi/fribidi/issues/182
NOTE: https://github.com/fribidi/fribidi/pull/185
NOTE: https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3
CVE-2022-25308
RESERVED
- fribidi <unfixed> (bug #1008793)
+ [bullseye] - fribidi <no-dsa> (Minor issue)
+ [buster] - fribidi <no-dsa> (Minor issue)
NOTE: https://github.com/fribidi/fribidi/issues/181
NOTE: https://github.com/fribidi/fribidi/pull/184
NOTE: https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1
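Review bot: the three fribidi entries now share identical bullseye/buster `<no-dsa> (Minor issue)` tags and the same bug #1008793 while unstable stays `<unfixed>`; since each CVE has its own upstream commit (175850b0, f22593b8, ad3a19e6), a later unstable upload or point-release update should carry all three together, and saying so in the bug or in a NOTE would keep them from being fixed piecemeal.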
@@ -8399,6 +8407,7 @@ CVE-2022-25255 (In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on
[buster] - qtbase-opensource-src <ignored> (Breaks existing behaviour and upstream also skipped from 5.12 branch)
[stretch] - qtbase-opensource-src <not-affected> (Vulnerable code introduced later)
- qtbase-opensource-src-gles <unfixed>
+ [buster] - qtbase-opensource-src-gles <ignored> (Breaks existing behaviour and upstream also skipped from 5.12 branch)
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/393113
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/394914
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/396020
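Review bot: the new `[buster] <ignored>` line for qtbase-opensource-src-gles reuses the rationale from the main package, which is right, but qtbase-opensource-src also carries a `[stretch] <not-affected>` line just above while the gles variant gets no stretch tag in this hunk; check whether the gles source exists in stretch and, if so, add the matching `[stretch]` line so the two packages stay in step.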
@@ -10353,8 +10362,8 @@ CVE-2022-24616
RESERVED
CVE-2022-24615 (zip4j up to 2.9.0 can throw various uncaught exceptions while parsing ...)
- zip4j <unfixed>
+ [bullseye] - zip4j <no-dsa> (Minor issue)
NOTE: https://github.com/srikanth-lingala/zip4j/issues/377
- TODO: check details
CVE-2022-24614 (When reading a specially crafted JPEG file, metadata-extractor up to 2 ...)
- libmetadata-extractor-java <unfixed>
[bullseye] - libmetadata-extractor-java <no-dsa> (Minor issue)
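Review bot: the "TODO: check details" line is removed and replaced by a `[bullseye] <no-dsa> (Minor issue)` tag, but unstable remains `<unfixed>` and the only NOTE is upstream issue #377 with no fix commit or fixed version; if the details check established where upstream fixed this (the description says versions up to 2.9.0 are affected), record it in a NOTE so the entry is actionable later.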
@@ -26609,6 +26618,7 @@ CVE-2021-43810 (Admidio is a free open source user management system for website
NOT-FOR-US: Admidio
CVE-2021-43809 (`Bundler` is a package for managing application dependencies in Ruby. ...)
- rubygems 3.3.5-1
+ [bullseye] - rubygems <no-dsa> (Minor issue)
NOTE: https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43
NOTE: https://github.com/rubygems/rubygems/commit/90b1ed8b9f8b636aa8c913f7b5a764a2e03d179c (v3.3.0)
NOTE: https://github.com/rubygems/rubygems/pull/5142
@@ -27692,6 +27702,7 @@ CVE-2021-43726
RESERVED
CVE-2021-43725 (There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login. ...)
- spotweb <removed>
+ [buster] - spotweb <no-dsa> (Minor issue)
NOTE: https://github.com/spotweb/spotweb/commit/2bfa001689aae96009688a193c64478647ba45a1
NOTE: https://github.com/spotweb/spotweb/issues/718
CVE-2021-43724 (A Cross Site Scripting (XSS) vulnerability exits in Subrion CMS throug ...)
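Review bot: with spotweb `<removed>` from unstable, the new `[buster] <no-dsa>` line is the only release left that can receive a fix for this XSS, so confirm that the referenced upstream commit 2bfa0016 applies to the buster version before relying on a point release; if it does not, `<ignored>` with a stated reason would describe the situation more accurately than `<no-dsa>`.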
@@ -52582,6 +52593,7 @@ CVE-2021-34558 (The crypto/tls package of Go through 1.16.5 does not properly as
- golang-1.16 1.16.6-1
- golang-1.15 1.15.9-6
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Minor issue)
- golang-1.8 <removed>
[stretch] - golang-1.8 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies)
- golang-1.7 <removed>
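Review bot: the new `[buster] golang-1.11 <no-dsa>` tag says only "Minor issue", whereas the neighbouring `[stretch] golang-1.8` line spells out "Minor issue, DoS, requires rebuilding reverse-dependencies"; because Go links statically, the same rebuild consideration applies to buster, so copying the fuller rationale onto the buster line would make the triage self-explanatory. The same applies to the identical golang-1.11 lines added for CVE-2021-33198, CVE-2021-31525 and CVE-2021-29923 below.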
@@ -55825,6 +55837,7 @@ CVE-2021-33198 (In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a pa
- golang-1.16 1.16.5-1
- golang-1.15 1.15.9-5
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Minor issue)
- golang-1.8 <removed>
[stretch] - golang-1.8 <not-affected> (Vulnerable code introduced later)
- golang-1.7 <removed>
@@ -60308,6 +60321,7 @@ CVE-2021-31525 (net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows re
- golang-1.16 1.16.4-1
- golang-1.15 1.15.9-2
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Minor issue)
- golang-1.8 <removed>
[stretch] - golang-1.8 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies)
- golang-1.7 <removed>
@@ -64778,6 +64792,7 @@ CVE-2021-29923 (Go before 1.17 does not properly consider extraneous zero charac
- golang-1.16 <unfixed>
- golang-1.15 <unfixed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Minor issue)
- golang-1.8 <removed>
[stretch] - golang-1.8 <ignored> (Minor issue, IP-based access control failure in specific cases, upstream won't fix supported releases for backward compatibility)
- golang-1.7 <removed>
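Review bot: for CVE-2021-29923 the `[buster] golang-1.11 <no-dsa>` tag sits next to a `[stretch] golang-1.8 <ignored>` line whose rationale is that upstream will not fix supported releases for backward compatibility, and golang-1.16 and golang-1.15 are still `<unfixed>` in unstable; `<no-dsa>` implies a fix is still expected, so either state which backport is intended for buster or use `<ignored>` with the same rationale as the stretch line.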
=====================================
data/dsa-needed.txt
=====================================
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa
--
asterisk/oldstable
--
+cacti
+--
condor/oldstable
--
fish/stable
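Review bot: the new `cacti` entry in dsa-needed.txt has no release suffix, while the surrounding entries use `/oldstable` or `/stable` as the file header describes; confirm that the bare name is intentional, meaning a DSA is needed for both stable and oldstable, and otherwise add the `/stable` or `/oldstable` qualifier so the entry matches its neighbours.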
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ced4579024a661cf66dd8c7b79277fecca898468