[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Aug 11 22:41:40 BST 2022 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
95d31930 by Moritz Muehlenhoff at 2022-08-11T23:41:25+02:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1653,8 +1653,11 @@ CVE-2022-37452 (Exim before 4.95 has a heap-based buffer overflow for the alias
 	NOTE: https://github.com/Exim/exim/commit/d4bc023436e4cce7c23c5f8bb5199e178b4cc743 (exim-4.95-RC0)
 CVE-2022-37451 (Exim before 4.96 has an invalid free in pam_converse in auths/call_pam ...)
 	- exim4 4.95-4
+	[bullseye] - exim4 <not-affected> (Vulnerable code not present)
+	[buster] - exim4 <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/ivd38/exim_invalid_free
 	NOTE: https://github.com/Exim/exim/commit/51be321b27825c01829dffd90f11bfff256f7e42 (exim-4.96-RC0)
+	NOTE: Introduced in https://github.com/Exim/exim/commit/1e30b0199daf7a7a882458251a3dc10d45d4c7d1 (exim-4.95-RC0)
 CVE-2022-37450 (Go Ethereum (aka geth) through 1.10.21 allows attackers to increase re ...)
 	- golang-github-go-ethereum <itp> (bug #890541)
 CVE-2022-37449
@@ -1915,6 +1918,7 @@ CVE-2022-37395
 	RESERVED
 CVE-2022-37394 (An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 2 ...)
 	- nova <unfixed> (bug #1016980)
+	[bullseye] - nova <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/ossa/+bug/1981813
 	NOTE: https://review.opendev.org/c/openstack/nova/+/849985
 	NOTE: https://review.opendev.org/c/openstack/nova/+/850003
@@ -2113,6 +2117,7 @@ CVE-2022-2625 [extension scripts replace objects not owned by the extension]
 	{DLA-3072-1}
 	- postgresql-14 14.5-1
 	- postgresql-13 <removed>
+	[bullseye] - postgresql-13 <postponed> (Minor issue, fix along in next update)
 	- postgresql-11 <removed>
 	NOTE: https://www.postgresql.org/support/security/CVE-2022-2625/
 CVE-2022-2624
@@ -2808,6 +2813,7 @@ CVE-2022-37036
 	RESERVED
 CVE-2022-37035 (An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_ ...)
 	- frr <unfixed> (bug #1016978)
+	[bullseye] - frr <no-dsa> (Minor issue)
 	NOTE: https://github.com/FRRouting/frr/issues/11698
 CVE-2022-37034
 	RESERVED
@@ -5732,6 +5738,7 @@ CVE-2022-35864 (This vulnerability allows remote attackers to disclose sensitive
 	NOT-FOR-US: BMC Track-It!
 CVE-2022-2414 (Access to external entities when parsing XML documents can lead to XML ...)
 	- dogtag-pki <unfixed> (bug #1014957)
+	[bullseye] - dogtag-pki <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2104676
 	NOTE: https://github.com/dogtagpki/pki/pull/4021
 	NOTE: https://github.com/dogtagpki/pki/commit/4e893243d72ad766558c10c907841f5f9c047055
@@ -6746,6 +6753,7 @@ CVE-2022-35415
 	RESERVED
 CVE-2022-35414 (softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized r ...)
 	- qemu <unfixed> (bug #1014958)
+	[bullseye] - qemu <no-dsa> (Minor issue)
 	NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1065
 	NOTE: https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c
 	NOTE: https://sick.codes/sick-2022-113
@@ -7880,9 +7888,10 @@ CVE-2022-34929
 CVE-2022-34928 (JFinal CMS v5.1.0 was discovered to contain a SQL injection vulnerabil ...)
 	NOT-FOR-US: JFinal CMS
 CVE-2022-34927 (MilkyTracker v1.03.00 was discovered to contain a stack overflow via t ...)
-	- milkytracker <unfixed> (bug #1016578)
+	- milkytracker <unfixed> (unimportant; bug #1016578)
 	NOTE: https://github.com/milkytracker/MilkyTracker/commit/3a5474f9102cbdc10fbd9e7b1b2c8d3f3f45d91b
 	NOTE: https://github.com/milkytracker/MilkyTracker/issues/275
+	NOTE: Crash in GUI tool, no security impact
 CVE-2022-34926
 	RESERVED
 CVE-2022-34925
@@ -8468,6 +8477,7 @@ CVE-2022-34750 (An issue was discovered in MediaWiki through 1.38.1. The lemma l
 	NOT-FOR-US: MediaWiki extension WikiBase
 CVE-2022-34749 (In mistune through 2.0.2, support of inline markup is implemented by u ...)
 	- mistune 2.0.3-1 (bug #1016089)
+	[bullseye] - mistune <no-dsa> (Minor issue)
 	NOTE: https://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2 (v2.0.3)
 CVE-2022-34748 (A vulnerability has been identified in Simcenter Femap (All versions & ...)
 	NOT-FOR-US: Siemens
@@ -9063,6 +9073,7 @@ CVE-2022-34527 (D-Link DSL-3782 v1.03 and below was discovered to contain a comm
 	NOT-FOR-US: D-Link
 CVE-2022-34526 (A stack overflow was discovered in the _TIFFVGetField function of Tiff ...)
 	- tiff 4.4.0-4
+	[bullseye] - tiff <no-dsa> (Minor issue)
 	NOTE: https://gitlab.com/libtiff/libtiff/-/issues/433
 	NOTE: https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990
 CVE-2022-34525
@@ -25712,6 +25723,7 @@ CVE-2022-1228 (The Opensea WordPress plugin before 1.0.3 does not sanitize and e
 CVE-2022-1227 (A privilege escalation flaw was found in Podman. This flaw allows an a ...)
 	- libpod 3.4.7+ds1-1
 	- golang-github-containers-psgo 1.7.1+ds1-1
+	[bullseye] - golang-github-containers-psgo <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2070368
 	NOTE: https://github.com/containers/psgo/pull/92
 	NOTE: https://github.com/containers/psgo/commit/d9467da9f563a9de1ece79dcae86b37b1db75443 (v1.7.2)
@@ -178367,6 +178379,7 @@ CVE-2020-8288 (The `specializedRendering` function in Rocket.Chat server before
 CVE-2020-8287 (Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two co ...)
 	{DSA-4826-1}
 	- http-parser 2.9.4-5 (bug #1016690)
+	[bullseye] - http-parser <no-dsa> (Minor issue)
 	- nodejs 12.20.1~dfsg-1 (bug #979364)
 	[stretch] - nodejs <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://nodejs.org/en/blog/release/v10.23.1/
@@ -381604,6 +381617,7 @@ CVE-2016-3710 (The VGA module in QEMU improperly performs bounds checking on ban
 	NOTE: mitigation: run HVM in stubdomains, PV, default video card not vulnerable, i386-only
 CVE-2016-3709 (Possible cross-site scripting vulnerability in libxml after commit 960 ...)
 	- libxml2 2.9.12+dfsg-3
+	[bullseye] - libxml2 <no-dsa> (Minor issue)
 	NOTE: https://mail.gnome.org/archives/xml/2018-January/msg00010.html
 	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=769760
 	NOTE: Introduced by: https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588 (v2.9.2-rc1)c


=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ epiphany-browser
 --
 freecad (aron)
 --
+gdk-pixbuf
+--
 kicad (jmm)
 --
 linux (carnil)
@@ -55,3 +57,5 @@ webkit2gtk (berto)
 --
 wpewebkit (berto)
 --
+zlib
+--



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95d3193032a69c9f122c8c253cf591a8e87dc4eb

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95d3193032a69c9f122c8c253cf591a8e87dc4eb
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220811/4ce571f2/attachment.htm>

More information about the debian-security-tracker-commits mailing list