[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Aug 22 15:44:13 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b4819afe by Moritz Muehlenhoff at 2022-08-22T16:43:21+02:00
bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -316,6 +316,7 @@ CVE-2022-38494
RESERVED
CVE-2022-38493 (Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn't check the RSA priva ...)
- rhonabwy 1.1.7-1
+ [bullseye] - rhonabwy <not-affected> (Vulnerable code not present)
NOTE: https://github.com/babelouest/rhonabwy/commit/dd528b3aabd13863f855a68e76966e4e019fc399
CVE-2022-38492
RESERVED
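Review bot: the new `[bullseye] - rhonabwy <not-affected> (Vulnerable code not present)` line sits under a CVE description that names 0.9.99 through 1.1.x before 1.1.7 as affected, so the verdict depends on which rhonabwy version bullseye ships, and that version is not recorded in the hunk. Consider adding a NOTE naming the check or file from the linked upstream commit that is absent in the bullseye version, so the not-affected triage can be re-verified later without redoing the source comparison.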
@@ -6423,28 +6424,36 @@ CVE-2022-36148 (fdkaac commit 53fe239 was discovered to contain a floating point
CVE-2022-36147
RESERVED
CVE-2022-36146 (SWFMill commit 53d7690 was discovered to contain a memory allocation i ...)
- - swfmill <unfixed>
+ - swfmill <unfixed> (unimportant)
NOTE: https://github.com/djcsdy/swfmill/issues/65
+ NOTE: Crash in CLI tool, no security impact
CVE-2022-36145 (SWFMill commit 53d7690 was discovered to contain a segmentation violat ...)
- - swfmill <unfixed>
+ - swfmill <unfixed> (unimportant)
NOTE: https://github.com/djcsdy/swfmill/issues/64
+ NOTE: Crash in CLI tool, no security impact
CVE-2022-36144 (SWFMill commit 53d7690 was discovered to contain a heap-buffer overflo ...)
- swfmill <unfixed>
+ [bullseye] - swfmill <no-dsa> (Minor issue)
NOTE: https://github.com/djcsdy/swfmill/issues/63
CVE-2022-36143 (SWFMill commit 53d7690 was discovered to contain a heap-buffer overflo ...)
- - swfmill <unfixed>
+ - swfmill <unfixed> (unimportant)
NOTE: https://github.com/djcsdy/swfmill/issues/62
+ NOTE: Crash in CLI tool, no security impact
CVE-2022-36142 (SWFMill commit 53d7690 was discovered to contain a heap-buffer overflo ...)
- - swfmill <unfixed>
+ - swfmill <unfixed> (unimportant)
NOTE: https://github.com/djcsdy/swfmill/issues/61
+ NOTE: Crash in CLI tool, no security impact
CVE-2022-36141 (SWFMill commit 53d7690 was discovered to contain a segmentation violat ...)
- - swfmill <unfixed>
+ - swfmill <unfixed> (unimportant)
NOTE: https://github.com/djcsdy/swfmill/issues/58
+ NOTE: Crash in CLI tool, no security impact
CVE-2022-36140 (SWFMill commit 53d7690 was discovered to contain a segmentation violat ...)
- - swfmill <unfixed>
+ - swfmill <unfixed> (unimportant)
NOTE: https://github.com/djcsdy/swfmill/issues/57
+ NOTE: Crash in CLI tool, no security impact
CVE-2022-36139 (SWFMill commit 53d7690 was discovered to contain a heap-buffer overflo ...)
- swfmill <unfixed>
+ [bullseye] - swfmill <no-dsa> (Minor issue)
NOTE: https://github.com/djcsdy/swfmill/issues/56
CVE-2022-36138
RESERVED
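Review bot: the split between the `(unimportant)` entries and the `<no-dsa> (Minor issue)` entries is not explained by the visible descriptions: CVE-2022-36143 and CVE-2022-36142 are described as heap-buffer overflows and get `(unimportant)` with the note `Crash in CLI tool, no security impact`, while CVE-2022-36144 and CVE-2022-36139, also described as heap-buffer overflows, get `[bullseye] - swfmill <no-dsa> (Minor issue)` and no rationale NOTE. If the distinction is something the truncated descriptions hide (for example a write versus a read past the buffer), a one-line NOTE on 36144 and 36139 stating it would keep the eight entries from looking inconsistent, and would also record why those two were not downgraded to unimportant along with the others.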
@@ -34931,6 +34940,7 @@ CVE-2022-25758 (All versions of package scss-tokenizer are vulnerable to Regular
- node-scss-tokenizer <itp> (bug #885456)
CVE-2022-25648 (The package git before 1.11.0 are vulnerable to Command Injection via ...)
- ruby-git <unfixed> (bug #1009926)
+ [bullseye] - ruby-git <no-dsa> (Minor issue)
NOTE: https://github.com/ruby-git/ruby-git/pull/569
NOTE: Fixed by: https://github.com/ruby-git/ruby-git/commit/291ca0946bec7164b90ad5c572ac147f512c7159 (v1.11.0)
NOTE: https://security.snyk.io/vuln/SNYK-RUBY-GIT-2421270
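Review bot: `[bullseye] - ruby-git <no-dsa> (Minor issue)` downgrades a command-injection CVE without a NOTE recording why, and the three existing NOTE lines only link the pull request, the fixing commit and the Snyk advisory. A short NOTE with the reasoning (for instance that the injection requires attacker-controlled arguments supplied by the local caller of the library) would let a later reviewer confirm the severity call instead of re-deriving it; the package is still `<unfixed>` in unstable per the `(bug #1009926)` line, so the rationale is also what justifies not escalating that bug.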
@@ -35647,6 +35657,7 @@ CVE-2022-0719 (Cross-site Scripting (XSS) - Reflected in GitHub repository micro
CVE-2022-0718
RESERVED
- python-oslo.utils 4.10.1-1
+ [bullseye] - python-oslo.utils <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2056850
NOTE: https://bugs.launchpad.net/oslo.utils/+bug/1949623
NOTE: Fixed by: https://opendev.org/openstack/oslo.utils/commit/6e17ae1f7959c64dfd20a5f67edf422e702426aa (4.12.1)
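Review bot: the fixed version line `- python-oslo.utils 4.10.1-1` predates the upstream fix release named in the NOTE (`... (4.12.1)`), which reads as a contradiction unless the Debian 4.10.1-1 upload carried the fix as a backported patch. Since the CVE is still `RESERVED` and has no description to clarify this, consider a NOTE stating that 4.10.1-1 includes the backported commit, and the `[bullseye] - python-oslo.utils <no-dsa> (Minor issue)` line would likewise benefit from a one-line reason for the minor rating.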
@@ -57174,6 +57185,7 @@ CVE-2021-43557 (The uri-block plugin in Apache APISIX before 2.10.2 uses $reques
CVE-2021-3941 (In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division o ...)
[experimental] - openexr 3.1.3-1
- openexr 3.1.5-2 (bug #1014828)
+ [bullseye] - openexr <no-dsa> (Minor issue)
[stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2019789
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39084
@@ -57361,6 +57373,7 @@ CVE-2021-3934 (ohmyzsh is vulnerable to Improper Neutralization of Special Eleme
CVE-2021-3933 (An integer overflow could occur when OpenEXR processes a crafted file ...)
[experimental] - openexr 3.1.3-1
- openexr 3.1.5-2 (bug #1014828)
+ [bullseye] - openexr <no-dsa> (Minor issue)
[stretch] - openexr <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2019783
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38912
=====================================
data/dsa-needed.txt
=====================================
@@ -24,6 +24,8 @@ linux (carnil)
--
maven-shared-utils
--
+minetest
+--
netatalk
open regression with MacOS, tentative patch not yet merged upstream
--
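Review bot: the new `minetest` entry in dsa-needed.txt carries neither a claimant nor a status line, unlike `linux (carnil)` and the `netatalk` entry, which notes `open regression with MacOS, tentative patch not yet merged upstream`. Consider recording which CVE or CVEs drive the DSA and who is preparing it (or that it is unclaimed), so the next person reading the queue can pick it up without cross-referencing data/CVE/list.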
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4819afe1e521bc33b9ab2494ddabb3ff04b5e94