[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun Apr 3 21:20:23 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ced45790 by Moritz Muehlenhoff at 2022-04-03T22:19:50+02:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -4053,6 +4053,8 @@ CVE-2022-26884
 CVE-2022-0934
 	RESERVED
 	- dnsmasq <unfixed>
+	[bullseye] - dnsmasq <no-dsa> (Minor issue)
+	[buster] - dnsmasq <no-dsa> (Minor issue)
 	NOTE: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016272.html
 CVE-2022-0933
 	RESERVED
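Review bot: the two new no-dsa lines for dnsmasq say only "Minor issue" while the entry is still RESERVED and carries a single mailing-list NOTE; adding the upstream fix reference, or a short NOTE on why the issue is minor, would let the buster/bullseye decision be re-checked once the CVE text is published.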
@@ -5560,11 +5562,11 @@ CVE-2022-0815 (Improper access control vulnerability in McAfee WebAdvisor Chrome
 CVE-2022-0814
 	RESERVED
 CVE-2022-0813 (PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially ...)
-	- phpmyadmin 4:5.1.3+dfsg1-1
-	[stretch] - phpmyadmin <postponed> (Minor issue)
+	- phpmyadmin 4:5.1.3+dfsg1-1 (unimportant)
 	NOTE: https://www.phpmyadmin.net/news/2022/2/11/phpmyadmin-4910-and-513-are-released/
 	NOTE: https://www.incibe-cert.es/en/early-warning/security-advisories/phpmyadmin-exposure-sensitive-information
 	NOTE: Fixed by: https://github.com/phpmyadmin/phpmyadmin/commit/c04f85f2bb96c442086d9ad057953567cc794486
+	NOTE: Negligible security impact
 CVE-2022-0811 (A flaw was found in CRI-O in the way it set kernel options for a pod.  ...)
 	NOT-FOR-US: cri-o
 CVE-2022-26333
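Review bot: with the sid entry now tagged (unimportant) and the "[stretch] - phpmyadmin <postponed> (Minor issue)" line dropped, the only justification left is "NOTE: Negligible security impact"; a few words on what the "retrieve potentially ..." description actually exposes and why that is not sensitive would make the downgrade verifiable later.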
@@ -8212,18 +8214,24 @@ CVE-2022-25311 (A vulnerability has been identified in SINEC NMS (All versions).
 CVE-2022-25310
 	RESERVED
 	- fribidi <unfixed> (bug #1008793)
+	[bullseye] - fribidi <no-dsa> (Minor issue)
+	[buster] - fribidi <no-dsa> (Minor issue)
 	NOTE: https://github.com/fribidi/fribidi/issues/183
 	NOTE: https://github.com/fribidi/fribidi/pull/186
 	NOTE: https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f
 CVE-2022-25309
 	RESERVED
 	- fribidi <unfixed> (bug #1008793)
+	[bullseye] - fribidi <no-dsa> (Minor issue)
+	[buster] - fribidi <no-dsa> (Minor issue)
 	NOTE: https://github.com/fribidi/fribidi/issues/182
 	NOTE: https://github.com/fribidi/fribidi/pull/185
 	NOTE: https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3
 CVE-2022-25308
 	RESERVED
 	- fribidi <unfixed> (bug #1008793)
+	[bullseye] - fribidi <no-dsa> (Minor issue)
+	[buster] - fribidi <no-dsa> (Minor issue)
 	NOTE: https://github.com/fribidi/fribidi/issues/181
 	NOTE: https://github.com/fribidi/fribidi/pull/184
 	NOTE: https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1
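Review bot: the three fribidi entries (CVE-2022-25310, -25309, -25308) get identical [bullseye]/[buster] no-dsa lines and all point at bug #1008793; since the upstream fix commits are already listed, it would help to note whether the fixes are expected to reach buster/bullseye via a point release, otherwise "Minor issue" alone leaves that open.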
@@ -8399,6 +8407,7 @@ CVE-2022-25255 (In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on
 	[buster] - qtbase-opensource-src <ignored> (Breaks existing behaviour and upstream also skipped from 5.12 branch)
 	[stretch] - qtbase-opensource-src <not-affected> (Vulnerable code introduced later)
 	- qtbase-opensource-src-gles <unfixed>
+	[buster] - qtbase-opensource-src-gles <ignored> (Breaks existing behaviour and upstream also skipped from 5.12 branch)
 	NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/393113
 	NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/394914
 	NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/396020
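Review bot: the new [buster] line for qtbase-opensource-src-gles mirrors the qtbase-opensource-src <ignored> rationale, but unlike the main package there is no [stretch] line for the -gles variant; if stretch also shipped it, a matching "<not-affected> (Vulnerable code introduced later)" entry would keep the two packages consistent.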
@@ -10353,8 +10362,8 @@ CVE-2022-24616
 	RESERVED
 CVE-2022-24615 (zip4j up to 2.9.0 can throw various uncaught exceptions while parsing  ...)
 	- zip4j <unfixed>
+	[bullseye] - zip4j <no-dsa> (Minor issue)
 	NOTE: https://github.com/srikanth-lingala/zip4j/issues/377
-	TODO: check details
 CVE-2022-24614 (When reading a specially crafted JPEG file, metadata-extractor up to 2 ...)
 	- libmetadata-extractor-java <unfixed>
 	[bullseye] - libmetadata-extractor-java <no-dsa> (Minor issue)
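Review bot: "TODO: check details" is removed for zip4j but only a [bullseye] no-dsa line is added; if buster also ships zip4j it needs its own line, and if it does not, a short NOTE saying so would explain why the TODO could be closed.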
@@ -26609,6 +26618,7 @@ CVE-2021-43810 (Admidio is a free open source user management system for website
 	NOT-FOR-US: Admidio
 CVE-2021-43809 (`Bundler` is a package for managing application dependencies in Ruby.  ...)
 	- rubygems 3.3.5-1
+	[bullseye] - rubygems <no-dsa> (Minor issue)
 	NOTE: https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43
 	NOTE: https://github.com/rubygems/rubygems/commit/90b1ed8b9f8b636aa8c913f7b5a764a2e03d179c (v3.3.0)
 	NOTE: https://github.com/rubygems/rubygems/pull/5142
@@ -27692,6 +27702,7 @@ CVE-2021-43726
 	RESERVED
 CVE-2021-43725 (There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login. ...)
 	- spotweb <removed>
+	[buster] - spotweb <no-dsa> (Minor issue)
 	NOTE: https://github.com/spotweb/spotweb/commit/2bfa001689aae96009688a193c64478647ba45a1
 	NOTE: https://github.com/spotweb/spotweb/issues/718
 CVE-2021-43724 (A Cross Site Scripting (XSS) vulnerability exits in Subrion CMS throug ...)
@@ -52582,6 +52593,7 @@ CVE-2021-34558 (The crypto/tls package of Go through 1.16.5 does not properly as
 	- golang-1.16 1.16.6-1
 	- golang-1.15 1.15.9-6
 	- golang-1.11 <removed>
+	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies)
 	- golang-1.7 <removed>
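Review bot: the [buster] golang-1.11 no-dsa line here, and the same line in the three following golang hunks, carries just "Minor issue", while the neighbouring [stretch] golang-1.8 entries record the fuller reasoning ("Minor issue, DoS, requires rebuilding reverse-dependencies"); if the same rebuild consideration applies to golang-1.11 in buster, reusing that rationale would make the decision self-explanatory.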
@@ -55825,6 +55837,7 @@ CVE-2021-33198 (In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a pa
 	- golang-1.16 1.16.5-1
 	- golang-1.15 1.15.9-5
 	- golang-1.11 <removed>
+	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <not-affected> (Vulnerable code introduced later)
 	- golang-1.7 <removed>
@@ -60308,6 +60321,7 @@ CVE-2021-31525 (net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows re
 	- golang-1.16 1.16.4-1
 	- golang-1.15 1.15.9-2
 	- golang-1.11 <removed>
+	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies)
 	- golang-1.7 <removed>
@@ -64778,6 +64792,7 @@ CVE-2021-29923 (Go before 1.17 does not properly consider extraneous zero charac
 	- golang-1.16 <unfixed>
 	- golang-1.15 <unfixed>
 	- golang-1.11 <removed>
+	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <ignored> (Minor issue, IP-based access control failure in specific cases, upstream won't fix supported releases for backward compatibility)
 	- golang-1.7 <removed>


=====================================
data/dsa-needed.txt
=====================================
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa
 --
 asterisk/oldstable
 --
+cacti
+--
 condor/oldstable
 --
 fish/stable



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ced4579024a661cf66dd8c7b79277fecca898468


