[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Aug 12 08:34:40 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9a8af819 by Moritz Muehlenhoff at 2022-08-12T09:33:58+02:00
bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2805,6 +2805,7 @@ CVE-2022-2590
NOTE: https://www.openwall.com/lists/oss-security/2022/08/08/1
CVE-2022-2589 (Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/ ...)
- fava <unfixed> (bug #1016971)
+ [bullseye] - fava <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08/
NOTE: https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539 (v1.22.3)
CVE-2022-37037
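Review bot: the bullseye rationale "(Minor issue)" is terse for an entry that shares bug #1016971 with CVE-2022-2523 and CVE-2022-2514 further down in this same file; since the NOTE line already records the upstream fix (v1.22.3), consider stating in the rationale whether the three fava issues are meant to be fixed together via a bullseye point release, e.g. "(Minor issue; fix together with CVE-2022-2523/CVE-2022-2514)", so the triage is self-explanatory to whoever picks it up.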
@@ -4273,6 +4274,7 @@ CVE-2022-33963
RESERVED
CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/ ...)
- fava <unfixed> (bug #1016971)
+ [bullseye] - fava <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f
NOTE: https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b (v1.22.2)
CVE-2022-36381
@@ -4410,6 +4412,7 @@ CVE-2022-2515
RESERVED
CVE-2022-2514 (The time and filter parameters in Fava prior to v1.22 are vulnerable t ...)
- fava <unfixed> (bug #1016971)
+ [bullseye] - fava <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
NOTE: https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711 (v1.22)
CVE-2022-2513
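Review bot: the description says the parameters "in Fava prior to v1.22" are affected and the NOTE line ties the fix to v1.22, so the `<no-dsa>` marking implicitly asserts the bullseye fava version is older than v1.22; worth confirming that before landing, because if bullseye already ships v1.22 or later the correct entry would be `<not-affected>` rather than `<no-dsa>`.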
@@ -20658,16 +20661,19 @@ CVE-2022-30324 (HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 w
- nomad <not-affected> (In Debian Nomad doesn't bundle go-getter, but build depends a shared deb)
CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 panicked when processing password-pro ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+ [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustio ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+ [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
CVE-2022-30321 (go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go- ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+ [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
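Review bot: the three `<no-dsa>` lines leave bullseye's golang-github-hashicorp-go-getter unfixed, and the unchanged context line for CVE-2022-30324 records that nomad in Debian is built against that shared library package rather than bundling it; a reverse build-dependency like nomad therefore stays affected until the library is updated and nomad is rebuilt. Consider mentioning that impact in the rationale (the "(Minor issue)" text does not say whether the arbitrary-host-access issue in CVE-2022-30321 was weighed for nomad), since all three entries share bug #1011741 and the same upstream fix commit (v1.6.0) and would be closed by one update.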
@@ -30647,6 +30653,7 @@ CVE-2022-26946
RESERVED
CVE-2022-26945 (go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless r ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+ [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
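Review bot: this entry repeats the same bullseye triage and the same references (bug #1011741, pull request 359, the v1.6.0 fix commit) as the CVE-2022-30321/30322/30323 hunk above; a short cross-reference in the rationale, e.g. "(Minor issue; same fix as CVE-2022-30321)", would make it clear that a single bullseye update of golang-github-hashicorp-go-getter closes all four CVEs.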
@@ -64579,6 +64586,7 @@ CVE-2021-41040 (In Eclipse Wakaama, ever since its inception until 2021-01-14, t
NOT-FOR-US: Eclipse Wakaama
CVE-2021-41039 (In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client conn ...)
- mosquitto <unfixed> (bug #1001028)
+ [bullseye] - mosquitto <no-dsa> (Minor issue)
[buster] - mosquitto <not-affected> (Vulnerable code introduced later)
[stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314
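Review bot: with buster and stretch already `<not-affected>` ("Vulnerable code introduced later"), bullseye is the only stable release carrying this MQTT v5 issue, and the new line is correctly placed ahead of the older-release lines in the file's order; the "(Minor issue)" rationale could state whether the fix tracked in the Eclipse bug is intended for a bullseye point release, so the entry does not read as permanently unfixed.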
@@ -80991,6 +80999,7 @@ CVE-2021-34435 (In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension al
NOT-FOR-US: Eclipse Theia
CVE-2021-34434 (In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic se ...)
- mosquitto <unfixed> (bug #993400)
+ [bullseye] - mosquitto <no-dsa> (Minor issue)
[buster] - mosquitto <not-affected> (Vulnerable code introduced later)
[stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575324
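Review bot: the truncated description shows this issue only applies under a specific mosquitto configuration ("when using the dynamic se ..."); recording that precondition in the bullseye rationale, rather than the bare "(Minor issue)", would document why no DSA is warranted for a 2.0 to 2.0.11 bug, and would match the more specific rationales already used for the buster and stretch lines.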
@@ -109030,6 +109039,7 @@ CVE-2021-23386 (This affects the package dns-packet before 5.2.2. It creates buf
NOT-FOR-US: Node dns-packet
CVE-2021-23385 (This affects all versions of package Flask-Security. When using the ge ...)
- flask-security <unfixed>
+ [bullseye] - flask-security <no-dsa> (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234
CVE-2021-23384 (The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to ...)
NOT-FOR-US: Node koa-remove-trailing-slashes before
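Review bot: the unstable line `- flask-security <unfixed>` carries no "(bug #...)" reference, unlike every other `<unfixed>` entry in this commit, and the description says all versions of Flask-Security are affected with only the Snyk advisory as a NOTE; consider filing or linking a Debian bug alongside the bullseye `<no-dsa>` line so the issue keeps an owner in unstable rather than being tracked only through the tracker entry.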
=====================================
data/dsa-needed.txt
=====================================
@@ -26,6 +26,8 @@ linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more recent v5.10.y versions
--
+maven-shared-utils
+--
net-snmp
--
netatalk
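Review bot: maven-shared-utils is added to dsa-needed.txt without any accompanying note, and the data/CVE/list hunks in this commit do not touch maven-shared-utils, so the entry does not say which CVE(s) the DSA is for; a one-line pointer (as the linux entry above has) would help whoever claims it. The unchanged context line above also has the typo "regulary" (for "regularly"), which could be fixed the next time that entry is edited.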
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a8af81995adedb8681cc8ae5e4ed259edd67f43