[Git][security-tracker-team/security-tracker][master] bullseye/buster triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Apr 21 13:36:32 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c0c27f05 by Moritz Muehlenhoff at 2022-04-21T14:36:15+02:00
bullseye/buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -44,6 +44,8 @@ CVE-2022-29538
 	RESERVED
 CVE-2022-29537 (gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has a hea ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <no-dsa> (Minor issue)
+	[buster] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/issues/2173
 	NOTE: Fixed by: https://github.com/gpac/gpac/commit/1773b7a34bc08734aee7d3f5dfe65d06389fe15a
 CVE-2022-29536 (In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document c ...)
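Review bot: the "(Minor issue)" rationale on the two new gpac lines would be stronger if it said why the gp_rtp_builder_do_hevc bug is minor (the description on the CVE-2022-29537 line is cut off at "has a hea ...", so the visible text only says it is a heap problem, not whether it is crash-only or worse). The "Fixed by" NOTE already points at upstream commit 1773b7a34bc08734aee7d3f5dfe65d06389fe15a, so whoever picks this up for a point release has the patch; a one-word reason next to "Minor issue" (e.g. "crash on crafted input") would let the next triager skip re-reading the upstream issue.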
@@ -2025,7 +2027,9 @@ CVE-2022-28739 [Buffer overrun in String-to-Float conversion]
 	RESERVED
 	- ruby3.0 <unfixed> (bug #1009956)
 	- ruby2.7 <unfixed> (bug #1009957)
+	[bullseye] - ruby2.7 <postponed> (Minor issue, fix with next Ruby security release)
 	- ruby2.5 <removed>
+	[buster] - ruby2.5 <postponed> (Minor issue, fix with next Ruby security release)
 	- ruby2.3 <removed>
 	NOTE: https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306 (v2_6_10)
 	NOTE: https://github.com/ruby/ruby/commit/c9c2245c0a25176072e02db9254f0e0c84c805cd (v2_7_6)
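Review bot: the new "[buster] - ruby2.5 <postponed>" line promises a fix "with next Ruby security release", but the NOTE lines in this hunk only record fix commits tagged v2_6_10 and v2_7_6; there is no 2.5-branch commit, so the buster update will need the v2_6_10 change backported by hand. Suggest recording that next to the entry (or adding a ruby 2.5 reference once one exists) so the postponed fix does not get lost. The "[bullseye] - ruby2.7 <postponed>" line is covered by the v2_7_6 commit already noted.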
@@ -6878,6 +6882,8 @@ CVE-2022-27047 (mogu_blog_cms 5.2 suffers from upload arbitrary files without an
 	NOT-FOR-US: mogu_blog_cms
 CVE-2022-27046 (libsixel 1.8.6 suffers from a Heap Use After Free vulnerability in in  ...)
 	- libsixel 1.10.3-1
+	[bullseye] - libsixel <no-dsa> (Minor issue)
+	[buster] - libsixel <no-dsa> (Minor issue)
 	NOTE: https://github.com/saitoha/libsixel/issues/157
 	NOTE: https://github.com/libsixel/libsixel/issues/27
 	NOTE: https://github.com/libsixel/libsixel/pull/28
@@ -6886,6 +6892,8 @@ CVE-2022-27045
 	RESERVED
 CVE-2022-27044 (libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c: ...)
 	- libsixel 1.10.3-1
+	[bullseye] - libsixel <no-dsa> (Minor issue)
+	[buster] - libsixel <no-dsa> (Minor issue)
 	NOTE: https://github.com/saitoha/libsixel/issues/156
 	NOTE: https://github.com/libsixel/libsixel/issues/25
 	NOTE: https://github.com/libsixel/libsixel/pull/26
@@ -11327,6 +11335,7 @@ CVE-2022-21183
 	RESERVED
 CVE-2016-20014 (In pam_tacplus.c in pam_tacplus before 1.4.1, pam_sm_acct_mgmt does no ...)
 	- libpam-tacplus <unfixed> (bug #1009966)
+	[buster] - libpam-tacplus <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/kravietz/pam_tacplus/commit/e4c00eba70a0f72c4de77b5f072c69708ec2beab (v1.4.1)
 CVE-2016-20013 (sha256crypt and sha512crypt through 0.6 allow attackers to cause a den ...)
 	NOTE: https://akkadia.org/drepper/SHA-crypt.txt
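Review bot: only a "[buster] - libpam-tacplus <no-dsa>" line is added here, while every other package in this commit gets both a [bullseye] and a [buster] annotation; if libpam-tacplus ships in bullseye a "[bullseye]" line is missing, and if it does not, that is worth a NOTE so the asymmetry is not read as an oversight. Also, the truncated description ("pam_sm_acct_mgmt does no ...") concerns the PAM account-management hook of a TACACS+ authentication module, so the generic "(Minor issue)" tag could state why a skipped check in that path is minor for Debian users; the "Fixed by" NOTE to commit e4c00eba70a0f72c4de77b5f072c69708ec2beab (v1.4.1) already gives the patch for a point-release upload.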
@@ -12896,6 +12905,8 @@ CVE-2022-24829 (Garden is an automation platform for Kubernetes development and
 	NOT-FOR-US: Garden
 CVE-2022-24828 (Composer is a dependency manager for the PHP programming language. Int ...)
 	- composer <unfixed> (bug #1009960)
+	[bullseye] - composer <no-dsa> (Minor issue)
+	[buster] - composer <no-dsa> (Minor issue)
 	NOTE: https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709 (2.2.12)
 	NOTE: https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
 CVE-2022-24827 (Elide is a Java library that lets you stand up a GraphQL/JSON-API web  ...)
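Review bot: the "(Minor issue)" rationale on the composer bullseye/buster lines is the same generic text used for the other entries in this commit, but the hunk already links GHSA-x7cr-6qr6-2hh6; recording that advisory's severity or a one-line summary next to the NOTE would justify the no-dsa decision for a package that manages PHP dependencies. The 2.2.12 fix commit 2c40c53637c5c7e43fff7c09d3d324d632734709 is linked, so a point-release backport remains possible.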
@@ -12971,6 +12982,8 @@ CVE-2022-24796 (RaspberryMatic is a free and open-source operating system for ru
 	NOT-FOR-US: RaspberryMatic
 CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation libra ...)
 	- ruby-yajl <unfixed>
+	[bullseye] - ruby-yajl <no-dsa> (Minor issue)
+	[buster] - ruby-yajl <no-dsa> (Minor issue)
 	[stretch] - ruby-yajl <no-dsa> (Minor issue)
 	NOTE: https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
 	NOTE: https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6


=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ cacti
 --
 condor/oldstable
 --
+epiphany-browser
+--
 fish/stable
 --
 freecad (aron)
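Review bot: the new "epiphany-browser" entry carries no suite suffix and no assignee, whereas the neighbouring entries use "condor/oldstable" and "fish/stable" to scope the DSA and "freecad (aron)" to mark an owner. The CVE/list hunk above shows CVE-2022-29536 affecting "GNOME Epiphany before 41.4 and 42.x before 42.2", so stating the target suite(s) here (e.g. "epiphany-browser/stable" if buster is not affected) would make it clear whether one or two updates are pending.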



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0c27f05375c1366a86b1c379ad18bb453c5c0dd


