[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Apr 25 12:55:52 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2993daec by Moritz Muehlenhoff at 2022-04-25T13:55:42+02:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -519,6 +519,8 @@ CVE-2022-29566 (The Bulletproofs 2017/1066 paper mishandles Fiat-Shamir generati
 	TODO: check
 CVE-2022-1427 (Out-of-bounds Read in mrb_obj_is_kind_of in in GitHub repository mruby ...)
 	- mruby <unfixed>
+	[bullseye] - mruby <no-dsa> (Minor issue)
+	[buster] - mruby <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/23b6f0a9-64f5-421e-a55f-b5b7a671f301
 	NOTE: https://github.com/mruby/mruby/commit/a4d97934d51cb88954cc49161dc1d151f64afb6b
 CVE-2022-29565
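Review bot: the two new `<no-dsa> (Minor issue)` lines for bullseye and buster are added without checking whether the affected code in mrb_obj_is_kind_of is actually present in the mruby versions shipped there; if it is not, the correct tag is `<not-affected>` rather than `<no-dsa>`. The fixing commit is already linked in the NOTE (`a4d97934d51cb88954cc49161dc1d151f64afb6b`), so it would help to label it with the tracker's `Fixed by:` convention, as the freetype entries further down do, and to drop the `<unfixed>` on the unstable line once a release containing that commit is uploaded.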
@@ -4742,9 +4744,10 @@ CVE-2022-28050
 CVE-2022-28049 (NGINX NJS 0.7.2 was discovered to contain a NULL pointer dereference v ...)
 	NOT-FOR-US: njs
 CVE-2022-28048 (STB v2.27 was discovered to contain an integer shift of invalid size i ...)
-	- libstb <unfixed>
+	- libstb <unfixed> (unimportant)
 	NOTE: https://github.com/nothings/stb/issues/1293
 	NOTE: https://github.com/nothings/stb/pull/1297
+	NOTE: Negligible security impact
 CVE-2022-28047
 	RESERVED
 CVE-2022-28046
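Review bot: downgrading CVE-2022-28048 to `(unimportant)` with the NOTE "Negligible security impact" gives later triagers no rationale, while the sibling stb CVEs (CVE-2022-28042 and CVE-2022-28041, same fix PR 1297) keep `<no-dsa> (Minor issue)`; the NOTE should say why an integer shift of invalid size is considered unimportant here (for example, that the upstream issue #1293 discussion shows it has no memory-safety consequence) so the different treatment of the three stb issues is explainable from the entry itself.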
@@ -4759,10 +4762,14 @@ CVE-2022-28043
 	RESERVED
 CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based use-after-fr ...)
 	- libstb <unfixed>
+	[bullseye] - libstb <no-dsa> (Minor issue)
+	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1289
 	NOTE: https://github.com/nothings/stb/pull/1297
 CVE-2022-28041 (stb_image.h v2.27 was discovered to contain an integer overflow via th ...)
 	- libstb <unfixed>
+	[bullseye] - libstb <no-dsa> (Minor issue)
+	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1292
 	NOTE: https://github.com/nothings/stb/pull/1297
 CVE-2022-28040
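Review bot: CVE-2022-28042 (heap use-after-free) and CVE-2022-28041 (integer overflow) both point at the same upstream fix, https://github.com/nothings/stb/pull/1297, but neither entry records a fixed version or a `Fixed by:` commit, so there is nothing to update once that PR lands; please add the `Fixed by:` reference when it is merged. Also, stb_image.h is a single-header library that is routinely copied into other source trees, so the `<no-dsa>` decision for the libstb package alone does not cover embedded copies; a cross-check against data/embedded-code-copies for stb would complete the triage.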
@@ -6331,14 +6338,20 @@ CVE-2022-27407
 	RESERVED
 CVE-2022-27406 (FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovere ...)
 	- freetype <unfixed>
+	[bullseye] - freetype <no-dsa> (Minor issue)
+	[buster] - freetype <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
 	NOTE: Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2 (VER-2-12-0)
 CVE-2022-27405 (FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovere ...)
 	- freetype <unfixed>
+	[bullseye] - freetype <no-dsa> (Minor issue)
+	[buster] - freetype <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
 	NOTE: Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 (VER-2-12-0)
 CVE-2022-27404 (FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovere ...)
 	- freetype <unfixed>
+	[bullseye] - freetype <no-dsa> (Minor issue)
+	[buster] - freetype <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138
 	NOTE: Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db (VER-2-12-0)
 CVE-2022-27403
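Review bot: the three FreeType fixes form a chain that a stable backport must respect, and nothing in the entries says so: the `Fixed by:` commit for CVE-2022-27404 (`53dfdcd8198d2b3201a23c4bad9190519ba918db`) is the commit at which CVE-2022-27405 was "discovered", and the fix for CVE-2022-27405 (`22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5`) is likewise the one named in the CVE-2022-27406 description. Since all three are tagged `<no-dsa>` for bullseye and buster, a NOTE that any later point-release update needs all three commits (all in VER-2-12-0) would save the next person from backporting one and reintroducing the next bug. The unstable lines also still read `<unfixed>` even though the fix tag is known; set the fixed version once 2.12.0 is uploaded.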


=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ condor/oldstable
 --
 epiphany-browser
 --
+ffmpeg (jmm)
+--
 fish/stable
 --
 freecad (aron)
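Review bot: `ffmpeg (jmm)` is added with no suite suffix, whereas neighbouring entries such as `condor/oldstable` and `fish/stable` make the target explicit; if the DSA is meant to cover both stable and oldstable that is fine, but a NOTE line listing which of the open ffmpeg CVEs the DSA is expected to address would make the entry actionable for whoever picks it up, and would make it possible to spot if a later triage of those CVEs to `<no-dsa>` leaves the entry stale.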



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2993daecc785e23d647037197bac50fea8175b1a
