[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Aug 23 21:10:38 BST 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c757a127 by security tracker role at 2022-08-23T20:10:24+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,77 @@
+CVE-2022-38714
+ RESERVED
+CVE-2022-38713
+ RESERVED
+CVE-2022-38712
+ RESERVED
+CVE-2022-38711
+ RESERVED
+CVE-2022-38710
+ RESERVED
+CVE-2022-38709
+ RESERVED
+CVE-2022-38708
+ RESERVED
+CVE-2022-38707
+ RESERVED
+CVE-2022-38706
+ RESERVED
+CVE-2022-38705
+ RESERVED
+CVE-2022-38458
+ RESERVED
+CVE-2022-38394
+ RESERVED
+CVE-2022-38094
+ RESERVED
+CVE-2022-37337
+ RESERVED
+CVE-2022-36429
+ RESERVED
+CVE-2022-35273
+ RESERVED
+CVE-2022-34869
+ RESERVED
+CVE-2022-2973
+ RESERVED
+CVE-2022-2972
+ RESERVED
+CVE-2022-2971
+ RESERVED
+CVE-2022-2970
+ RESERVED
+CVE-2022-2969
+ RESERVED
+CVE-2022-2968
+ RESERVED
+CVE-2022-2967
+ RESERVED
+CVE-2022-2966
+ RESERVED
+CVE-2022-2965 (Improper Restriction of Rendered UI Layers or Frames in GitHub reposit ...)
+ TODO: check
+CVE-2022-2964
+ RESERVED
+CVE-2022-2963
+ RESERVED
+CVE-2022-2962
+ RESERVED
+CVE-2022-2961
+ RESERVED
+CVE-2022-2960
+ RESERVED
+CVE-2022-2959
+ RESERVED
+CVE-2022-2958
+ RESERVED
+CVE-2022-2957
+ RESERVED
+CVE-2022-2956 (A vulnerability classified as problematic has been found in ConsoleTVs ...)
+ TODO: check
+CVE-2022-2955
+ RESERVED
+CVE-2022-2954
+ RESERVED
CVE-2022-38699
RESERVED
CVE-2022-38698
@@ -80,12 +154,12 @@ CVE-2022-2947
RESERVED
CVE-2022-38666
RESERVED
-CVE-2022-38665
- RESERVED
-CVE-2022-38664
- RESERVED
-CVE-2022-38663
- RESERVED
+CVE-2022-38665 (Jenkins CollabNet Plugins Plugin 2.0.8 and earlier stores a RabbitMQ p ...)
+ TODO: check
+CVE-2022-38664 (Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlie ...)
+ TODO: check
+CVE-2022-38663 (Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., re ...)
+ TODO: check
CVE-2022-38662
RESERVED
CVE-2022-38661
@@ -116,8 +190,8 @@ CVE-2022-38649
RESERVED
CVE-2022-38648
RESERVED
-CVE-2022-2946
- RESERVED
+CVE-2022-2946 (Use After Free in GitHub repository vim/vim prior to 9.0.0245. ...)
+ TODO: check
CVE-2022-2945
RESERVED
CVE-2022-2944
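Review bot: CVE-2022-2946 is left at `TODO: check` although its description names vim/vim, which this file already tracks as a Debian package (the CVE-2022-2923 entry further down carries `- vim 2:9.0.0242-1`). The description gives the upstream fix as 9.0.0245, which is newer than that recorded version. Triage should replace the TODO with a `- vim` line and confirm which upload first contains 9.0.0245.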
@@ -474,7 +548,7 @@ CVE-2022-2925
RESERVED
CVE-2022-2924
RESERVED
-CVE-2022-2923 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.023 ...)
+CVE-2022-2923 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.024 ...)
- vim 2:9.0.0242-1
NOTE: https://huntr.dev/bounties/fd3a3ab8-ab0f-452f-afea-8c613e283fd2
NOTE: https://github.com/vim/vim/commit/6669de1b235843968e88844ca6d3c8dec4b01a9e (v9.0.0240)
@@ -1474,8 +1548,8 @@ CVE-2022-2798
RESERVED
CVE-2022-2797 (A vulnerability classified as critical was found in SourceCodester Stu ...)
NOT-FOR-US: SourceCodester Student Information System
-CVE-2022-2796
- RESERVED
+CVE-2022-2796 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...)
+ TODO: check
CVE-2022-2795
RESERVED
CVE-2022-38176
@@ -1486,8 +1560,8 @@ CVE-2022-38174
RESERVED
CVE-2022-38173
RESERVED
-CVE-2022-38172
- RESERVED
+CVE-2022-38172 (ServiceNow through San Diego Patch 3 allows XSS via the name field dur ...)
+ TODO: check
CVE-2022-38171 (Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 d ...)
TODO: check, https://bugzilla.redhat.com/show_bug.cgi?id=2120439, might be N/A for us as using poppler
CVE-2022-2794
@@ -1793,10 +1867,10 @@ CVE-2022-36425
RESERVED
CVE-2022-36422
RESERVED
-CVE-2022-36405
- RESERVED
-CVE-2022-36394
- RESERVED
+CVE-2022-36405 (Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnera ...)
+ TODO: check
+CVE-2022-36394 (Authenticated (author+) SQL Injection (SQLi) vulnerability in Contest ...)
+ TODO: check
CVE-2022-36390
RESERVED
CVE-2022-36387
@@ -1815,26 +1889,26 @@ CVE-2022-36355
RESERVED
CVE-2022-36352
RESERVED
-CVE-2022-36347
- RESERVED
+CVE-2022-36347 (Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability ...)
+ TODO: check
CVE-2022-36345
RESERVED
-CVE-2022-35726
- RESERVED
+CVE-2022-35726 (Broken Authentication vulnerability in yotuwp Video Gallery plugin < ...)
+ TODO: check
CVE-2022-35725
RESERVED
CVE-2022-35277
RESERVED
CVE-2022-35275
RESERVED
-CVE-2022-35242
- RESERVED
-CVE-2022-35235
- RESERVED
+CVE-2022-35242 (Unauthenticated plugin settings change vulnerability in 59sec THE Lead ...)
+ TODO: check
+CVE-2022-35235 (Authenticated (admin+) Arbitrary File Read vulnerability in XplodedThe ...)
+ TODO: check
CVE-2022-31474
RESERVED
-CVE-2022-29476
- RESERVED
+CVE-2022-29476 (Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in 8 D ...)
+ TODO: check
CVE-2022-2743
RESERVED
CVE-2022-2742
@@ -3264,8 +3338,7 @@ CVE-2022-37430
RESERVED
CVE-2022-37429
RESERVED
-CVE-2022-37428
- RESERVED
+CVE-2022-37428 (PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, when pro ...)
- pdns-recursor <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2022/08/23/1
NOTE: https://downloads.powerdns.com/patches/2022-02/
@@ -3307,8 +3380,8 @@ CVE-2022-37399
RESERVED
CVE-2022-37398 (A stack-based buffer overflow vulnerability was found inside ADM when ...)
NOT-FOR-US: ASUSTOR Data Master (ADM)
-CVE-2022-36350
- RESERVED
+CVE-2022-36350 (Stored cross-site scripting vulnerability in PukiWiki versions 1.3.1 t ...)
+ TODO: check
CVE-2022-2667 (A vulnerability was found in SourceCodester Loan Management System and ...)
NOT-FOR-US: SourceCodester
CVE-2022-2666
@@ -3919,8 +3992,8 @@ CVE-2022-37225
RESERVED
CVE-2022-37224
RESERVED
-CVE-2022-37223
- RESERVED
+CVE-2022-37223 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system ...)
+ TODO: check
CVE-2022-37222
RESERVED
CVE-2022-37221
@@ -3967,8 +4040,8 @@ CVE-2022-37201
RESERVED
CVE-2022-37200
RESERVED
-CVE-2022-37199
- RESERVED
+CVE-2022-37199 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system ...)
+ TODO: check
CVE-2022-37198
RESERVED
CVE-2022-37197
@@ -4139,12 +4212,12 @@ CVE-2022-37115
RESERVED
CVE-2022-37114
RESERVED
-CVE-2022-37113
- RESERVED
-CVE-2022-37112
- RESERVED
-CVE-2022-37111
- RESERVED
+CVE-2022-37113 (Bluecms 1.6 has SQL injection in line 132 of admin/area.php ...)
+ TODO: check
+CVE-2022-37112 (BlueCMS 1.6 has SQL injection in line 55 of admin/model.php ...)
+ TODO: check
+CVE-2022-37111 (BlueCMS 1.6 has SQL injection in line 132 of admin/article.php ...)
+ TODO: check
CVE-2022-37110
RESERVED
CVE-2022-37109
@@ -5862,12 +5935,12 @@ CVE-2018-25045 (Django REST framework (aka django-rest-framework) before 3.9.1 a
NOTE: https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8 (3.9.1)
CVE-2022-36407
RESERVED
-CVE-2022-36389
- RESERVED
+CVE-2022-36389 (Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Mes ...)
+ TODO: check
CVE-2022-36386
RESERVED
-CVE-2022-36379
- RESERVED
+CVE-2022-36379 (Cross-Site Request Forgery (CSRF) leading to plugin settings update in ...)
+ TODO: check
CVE-2022-36378 (Authenticated (author or higher user role) Stored Cross-Site Scripting ...)
NOT-FOR-US: WordPress plugin
CVE-2022-36375 (Authenticated (high role user) WordPress Options Change vulnerability ...)
@@ -5882,34 +5955,34 @@ CVE-2022-36344 (An unquoted search path vulnerability exists in 'JustSystems JUS
NOT-FOR-US: JustSystems
CVE-2022-36343 (Authenticated (author or higher user role) Stored Cross-Site Scripting ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-36341
- RESERVED
+CVE-2022-36341 (Authenticated (subscriber+) plugin settings change leading to Stored C ...)
+ TODO: check
CVE-2022-36296 (Broken Authentication vulnerability in JumpDEMAND Inc. ActiveDEMAND pl ...)
NOT-FOR-US: JumpDEMAND
-CVE-2022-36292
- RESERVED
-CVE-2022-36288
- RESERVED
-CVE-2022-36285
- RESERVED
+CVE-2022-36292 (Cross-Site Request Forgery (CSRF) vulnerabilities in WPChill Gallery P ...)
+ TODO: check
+CVE-2022-36288 (Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in W3 Eden ...)
+ TODO: check
+CVE-2022-36285 (Authenticated Arbitrary File Upload vulnerability in dmitrylitvinov Up ...)
+ TODO: check
CVE-2022-36284 (Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerc ...)
NOT-FOR-US: WooCommerce addon
-CVE-2022-36282
- RESERVED
+CVE-2022-36282 (Authenticated (editor+) Stored Cross-Site Scripting (XSS) vulnerabilit ...)
+ TODO: check
CVE-2022-35882 (Authenticated (author or higher user role) Stored Cross-Site Scripting ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-34868
- RESERVED
+CVE-2022-34868 (Authenticated Arbitrary Settings Update vulnerability in YooMoney 
 ...)
+ TODO: check
CVE-2022-34867
RESERVED
CVE-2022-34857 (Reflected Cross-Site Scripting (XSS) vulnerability in smartypants SP P ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-34658
- RESERVED
+CVE-2022-34658 (Multiple Authenticated (contributor+) Persistent Cross-Site Scripting ...)
+ TODO: check
CVE-2022-34656
RESERVED
-CVE-2022-34648
- RESERVED
+CVE-2022-34648 (Authenticated (author+) Stored Cross-Site Scripting (XSS) vulnerabilit ...)
+ TODO: check
CVE-2022-34344
RESERVED
CVE-2022-34154 (Authenticated (author or higher user role) Arbitrary File Upload vulne ...)
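Review bot: The added header for CVE-2022-34868 is split across two lines as shown here (`YooMoney` ends one line and ` ...)` starts the next), which suggests the upstream description contained a line break, or a character that was turned into one, before truncation. Every other CVE header in this diff stays on one line, so the updater should collapse whitespace in the description before writing it, and this entry should be checked in the committed file. Separately, several of the new `TODO: check` entries in this hunk sit next to neighbours already triaged as `NOT-FOR-US: WordPress plugin`; triage should confirm whether they take the same tag.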
@@ -5922,8 +5995,8 @@ CVE-2022-33943 (Authenticated (contributor or higher user role) Cross-Site Scrip
NOT-FOR-US: WordPress plugin
CVE-2022-33201 (Cross-Site Request Forgery (CSRF) vulnerability in MailerLite – ...)
NOT-FOR-US: MailerLite
-CVE-2022-33142
- RESERVED
+CVE-2022-33142 (Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in W ...)
+ TODO: check
CVE-2022-2515
RESERVED
CVE-2022-2514 (The time and filter parameters in Fava prior to v1.22 are vulnerable t ...)
@@ -6354,8 +6427,8 @@ CVE-2022-36263 (StreamLabs Desktop Application 1.9.0 is vulnerable to Incorrect
NOT-FOR-US: StreamLabs Desktop Application
CVE-2022-36262 (An issue was discovered in taocms 3.0.2. in the website settings that ...)
NOT-FOR-US: taocms
-CVE-2022-36261
- RESERVED
+CVE-2022-36261 (An arbitrary file deletion vulnerability was discovered in taocms 3.0. ...)
+ TODO: check
CVE-2022-36260
RESERVED
CVE-2022-36259
@@ -8677,8 +8750,8 @@ CVE-2022-35280 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 does n
NOT-FOR-US: IBM
CVE-2022-35279
RESERVED
-CVE-2022-35278
- RESERVED
+CVE-2022-35278 (In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show mal ...)
+ TODO: check
CVE-2022-34850
RESERVED
CVE-2022-34845
@@ -8905,8 +8978,8 @@ CVE-2022-35205
RESERVED
CVE-2022-35204 (Vitejs Vite before v2.9.13 was discovered to allow attackers to perfor ...)
NOT-FOR-US: Vitejs Vite
-CVE-2022-35203
- RESERVED
+CVE-2022-35203 (An access control issue in TrendNet TV-IP572PI v1.0 allows unauthentic ...)
+ TODO: check
CVE-2022-35202
RESERVED
CVE-2022-35201 (Tenda-AC18 V15.03.05.05 was discovered to contain a remote command exe ...)
@@ -9085,8 +9158,8 @@ CVE-2022-35117 (Clinic's Patient Management System v1.0 was discovered to contai
NOT-FOR-US: Clinic's Patient Management System
CVE-2022-35116
RESERVED
-CVE-2022-35115
- RESERVED
+CVE-2022-35115 (IceWarp WebClient DC2 - Update 2 Build 9 (13.0.2.9) was discovered to ...)
+ TODO: check
CVE-2022-35114 (SWFTools commit 772e55a2 was discovered to contain a segmentation viol ...)
- swftools <removed>
NOTE: https://github.com/matthiaskramm/swftools/issues/185
@@ -10789,10 +10862,10 @@ CVE-2022-2206 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...
NOTE: https://huntr.dev/bounties/01d01e74-55d0-4d9e-878e-79ba599be668
NOTE: https://github.com/vim/vim/commit/e178af5a586ea023622d460779fdcabbbfac0908 (v8.2.5160)
NOTE: Crash in CLI tool, no security impact
-CVE-2022-34486
- RESERVED
-CVE-2022-27637
- RESERVED
+CVE-2022-34486 (Path traversal vulnerability in PukiWiki versions 1.4.5 to 1.5.3 allow ...)
+ TODO: check
+CVE-2022-27637 (Reflected cross-site scripting vulnerability in PukiWiki versions 1.5. ...)
+ TODO: check
CVE-2022-2205
RESERVED
- firefox 103.0-1
@@ -16459,8 +16532,8 @@ CVE-2022-1991 (A vulnerability classified as problematic has been found in Fast
NOT-FOR-US: Fast Food Ordering System
CVE-2022-1990 (The Nested Pages WordPress plugin before 3.1.21 does not escape and sa ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1989
- RESERVED
+CVE-2022-1989 (All CODESYS Visualization versions before V4.2.0.0 generate a login di ...)
+ TODO: check
CVE-2022-1988 (Cross-site Scripting (XSS) - Generic in GitHub repository neorazorx/fa ...)
NOT-FOR-US: neorazorx/facturascripts
CVE-2022-32274 (The Transition Scheduler add-on 6.5.0 for Atlassian Jira is prone to s ...)
@@ -23630,8 +23703,8 @@ CVE-2022-1515 (A memory leak was discovered in matio 1.5.21 and earlier in Mat_V
NOTE: Fixed by: https://github.com/tbeu/matio/commit/b53b62b756920f4c1509f4ee06427f66c3b5c9c4 (v1.5.22)
CVE-2022-1514 (Stored XSS via upload plugin functionality in zip format in GitHub rep ...)
NOT-FOR-US: facturascripts
-CVE-2022-1513
- RESERVED
+CVE-2022-1513 (A potential vulnerability was reported in Lenovo PCManager prior to ve ...)
+ TODO: check
CVE-2022-1512 (The ScrollReveal.js Effects WordPress plugin through 1.2 does not sani ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1511 (Improper Access Control in GitHub repository snipe/snipe-it prior to 5 ...)
@@ -26566,10 +26639,10 @@ CVE-2022-28885
RESERVED
CVE-2022-28884
RESERVED
-CVE-2022-28883
- RESERVED
-CVE-2022-28882
- RESERVED
+CVE-2022-28883 (A Denial-of-Service (DoS) vulnerability was discovered in F-Secure &am ...)
+ TODO: check
+CVE-2022-28882 (A Denial-of-Service (DoS) vulnerability was discovered in F-Secure &am ...)
+ TODO: check
CVE-2022-28881 (A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atl ...)
NOT-FOR-US: F-Secure
CVE-2022-28880 (A Denial-of-Service vulnerability was discovered in the F-Secure Atlan ...)
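Review bot: The added headers for CVE-2022-28883 and CVE-2022-28882 end in `F-Secure &am ...`, which looks like an HTML-escaped ampersand cut off mid-entity by the truncation. The description should be unescaped before it is truncated, so the header shows `&` and not a partial `&amp;`. The context entry just below, CVE-2022-28881, describes an F-Secure DoS issue in the same wording and is tagged `NOT-FOR-US: F-Secure`, so triage should check whether these two take the same tag.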
@@ -26697,7 +26770,7 @@ CVE-2022-28819 (Adobe Character Animator versions 4.4.2 (and earlier) and 22.3 (
CVE-2022-28818 (ColdFusion versions CF2021U3 (and earlier) and CF2018U13 are affected ...)
NOT-FOR-US: Adobe
CVE-2022-28817
- RESERVED
+ REJECTED
CVE-2022-28816
RESERVED
CVE-2022-28815
@@ -42210,7 +42283,7 @@ CVE-2022-23817
RESERVED
CVE-2022-23816
RESERVED
- {DSA-5184-1}
+ {DSA-5207-1 DSA-5184-1}
- linux 5.18.14-1
- xen 4.16.2-1
[buster] - xen <end-of-life> (DSA 4677-1)
@@ -51135,8 +51208,7 @@ CVE-2021-45105 (Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12
- apache-log4j2 2.17.0-1 (bug #1001891)
NOTE: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105
NOTE: https://issues.apache.org/jira/browse/LOG4J2-3230
-CVE-2021-31566 [symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive]
- RESERVED
+CVE-2021-31566 (An improper link resolution flaw can occur while extracting an archive ...)
{DLA-2987-1}
- libarchive 3.5.2-1 (bug #1001990)
[bullseye] - libarchive 3.4.3-2+deb11u1
@@ -51144,8 +51216,7 @@ CVE-2021-31566 [symbolic links incorrectly followed when changing modes, times,
NOTE: https://github.com/libarchive/libarchive/issues/1566
NOTE: https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 (v3.5.2)
NOTE: https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b (v3.5.2)
-CVE-2021-23177 [extracting a symlink with ACLs modifies ACLs of target]
- RESERVED
+CVE-2021-23177 (An improper link resolution flaw while extracting an archive can lead ...)
{DLA-2987-1}
- libarchive 3.5.2-1 (bug #1001986)
[bullseye] - libarchive 3.4.3-2+deb11u1
@@ -59908,8 +59979,7 @@ CVE-2021-43012 (Adobe Prelude version 10.1 (and earlier) are affected by a memor
NOT-FOR-US: Adobe
CVE-2021-43011 (Adobe Prelude version 10.1 (and earlier) are affected by a memory corr ...)
NOT-FOR-US: Adobe
-CVE-2021-3905 [External triggered memory leak in Open vSwitch while processing fragmented packets]
- RESERVED
+CVE-2021-3905 (A memory leak was found in Open vSwitch (OVS) during userspace IP frag ...)
- openvswitch <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/openvswitch/ovs-issues/issues/226
NOTE: Introduced by: https://github.com/openvswitch/ovs/commit/640d4db788eda96bb904abcfc7de2327107bafe1 (v2.16.0)
@@ -60641,7 +60711,7 @@ CVE-2021-42719 (Adobe Bridge version 11.1.1 (and earlier) is affected by an out-
CVE-2021-42718
RESERVED
CVE-2021-3894 [sctp: local DoS: unprivileged user can cause BUG()]
- RESERVED
+ REJECTED
- linux 5.14.16-1
[bullseye] - linux 5.10.84-1
[stretch] - linux <not-affected> (Vulnerable code not present)
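Review bot: CVE-2021-3894 is flipped from RESERVED to REJECTED, but the entry keeps its bracketed description and its package lines (`- linux 5.14.16-1`, `[bullseye] - linux 5.10.84-1`, `[stretch] - linux <not-affected>`). A rejected id that still carries fixed-version data needs a manual follow-up: find out why the id was rejected, and if the issue lives on under another CVE, move the tracking there and leave a NOTE on this entry pointing to it. The automatic update cannot decide that, so the entry should be flagged for a human.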
@@ -60852,8 +60922,8 @@ CVE-2021-42629
RESERVED
CVE-2021-42628
RESERVED
-CVE-2021-42627
- RESERVED
+CVE-2021-42627 (The WAN configuration page "wan.htm" on D-Link DIR-615 devices with fi ...)
+ TODO: check
CVE-2021-42626
RESERVED
CVE-2021-42625
@@ -64321,8 +64391,7 @@ CVE-2021-41773 (A flaw was found in a change made to path normalization in Apach
NOTE: Fixed by: https://svn.apache.org/r1893775
NOTE: https://www.openwall.com/lists/oss-security/2021/10/05/2
NOTE: https://www.openwall.com/lists/oss-security/2021/10/08/1
-CVE-2021-3839
- RESERVED
+CVE-2021-3839 (A flaw was found in the vhost library in DPDK. Function vhost_user_set ...)
{DSA-5130-1}
- dpdk 20.11.5-1 (bug #1010641)
[buster] - dpdk <not-affected> (Vulnerable code introduced later)
@@ -64839,8 +64908,7 @@ CVE-2021-41574
RESERVED
CVE-2021-41573 (Hitachi Content Platform Anywhere (HCP-AW) 4.4.5 and later allows info ...)
NOT-FOR-US: Hitachi
-CVE-2021-3827
- RESERVED
+CVE-2021-3827 (A flaw was found in keycloak, where the default ECP binding flow allow ...)
NOT-FOR-US: Keycloak
CVE-2021-41572
RESERVED
@@ -66334,8 +66402,8 @@ CVE-2021-40987 (A remote arbitrary command execution vulnerability was discovere
NOT-FOR-US: Aruba
CVE-2021-40986 (A remote arbitrary command execution vulnerability was discovered in A ...)
NOT-FOR-US: Aruba
-CVE-2021-3800
- RESERVED
+CVE-2021-3800 (A flaw was found in glib before version 2.63.6. Due to random charset ...)
+ TODO: check
CVE-2021-40985 (A stack-based buffer under-read in htmldoc before 1.9.12, allows attac ...)
{DLA-2928-1}
- htmldoc 1.9.13-1 (unimportant)
@@ -66618,8 +66686,7 @@ CVE-2021-41054 (tftpd_file.c in atftp through 0.7.4 has a buffer overflow becaus
[bullseye] - atftp 0.7.git20120829-3.3+deb11u1
[buster] - atftp 0.7.git20120829-3.2~deb10u2
NOTE: https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/
-CVE-2021-3798 [Soft token does not check if an EC key is valid]
- RESERVED
+CVE-2021-3798 (A flaw was found in openCryptoki. The openCryptoki Soft token does not ...)
- opencryptoki <not-affected> (Vulnerable code introduced later)
NOTE: https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1928780
NOTE: Introduced with: https://github.com/opencryptoki/opencryptoki/commit/a179fd01a265a98194d9c06ec5958da1dd2ecae3 (v3.15.0)
@@ -67557,7 +67624,7 @@ CVE-2021-3772 (A flaw was found in the Linux SCTP stack. A blind attacker may be
[buster] - linux 4.19.235-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2000694
CVE-2021-3771
- RESERVED
+ REJECTED
CVE-2021-40524 (In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism ...)
- pure-ftpd 1.0.50-1 (bug #993810)
[bullseye] - pure-ftpd <no-dsa> (Minor issue)
@@ -67754,16 +67821,14 @@ CVE-2021-40441 (Windows Media Center Elevation of Privilege Vulnerability ...)
NOT-FOR-US: Microsoft
CVE-2021-40440 (Microsoft Dynamics Business Central Cross-site Scripting Vulnerability ...)
NOT-FOR-US: Microsoft
-CVE-2021-3764 [DoS in ccp_run_aes_gcm_cmd() function]
- RESERVED
+CVE-2021-3764 (A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd ...)
{DSA-5096-1 DLA-2941-1}
- linux 5.14.12-1
[bullseye] - linux 5.10.84-1
[stretch] - linux <not-affected> (Vulnerability introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997467
NOTE: https://git.kernel.org/linus/505d9dcb0f7ddf9d075e729523a33d38642ae680 (5.15-rc4)
-CVE-2021-3763
- RESERVED
+CVE-2021-3763 (A flaw was found in the Red Hat AMQ Broker management console in versi ...)
NOT-FOR-US: Red Hat AMQ Broker
CVE-2021-3762 (A directory traversal vulnerability was found in the ClairCore engine ...)
NOT-FOR-US: Quay/clair
@@ -68055,8 +68120,7 @@ CVE-2021-40333 (Weak Password Requirements vulnerability in Hitachi Energy FOX61
NOT-FOR-US: Hitachi
CVE-2021-40332
RESERVED
-CVE-2021-3759 [unaccounted ipc objects in Linux kernel lead to breaking memcg limits and DoS attacks]
- RESERVED
+CVE-2021-3759 (A memory overflow vulnerability was found in the Linux kernel’s ...)
- linux 5.15.3-1
NOTE: https://lore.kernel.org/linux-mm/1626333284-1404-1-git-send-email-nglaive@gmail.com/
CVE-2021-3758 (bookstack is vulnerable to Server-Side Request Forgery (SSRF) ...)
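Review bot: The new header for CVE-2021-3759 contains the raw HTML entity `&#8217;` (`Linux kernel&#8217;s`), so the description is being written without decoding entities; decode them before truncation so the entity does not use up part of the truncated header. The replaced bracketed summary (`unaccounted ipc objects in Linux kernel lead to breaking memcg limits and DoS attacks`) also said more about the bug than the truncated text that replaces it; consider preserving it as a NOTE line.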
@@ -68554,8 +68618,7 @@ CVE-2021-3737 (A flaw was found in python. An improperly handled HTTP response i
NOTE: https://github.com/python/cpython/commit/0389426fa4af4dfc8b1d7f3f291932d928392d8b (3.8 branch)
NOTE: https://github.com/python/cpython/commit/fee96422e6f0056561cf74fef2012cc066c9db86 (v3.7.11)
NOTE: https://github.com/python/cpython/commit/1b6f4e5e13ebd1f957b47f7415b53d0869bdbac6 (v3.6.14
-CVE-2021-3736 [uninitialized kernel stack may lead to information disclosure]
- RESERVED
+CVE-2021-3736 (A flaw was found in the Linux kernel. A memory leak problem was found ...)
- linux 5.14.6-1 (unimportant)
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
@@ -70553,13 +70616,13 @@ CVE-2021-3726 (# Vulnerability in `title` function **Description**: the `title`
CVE-2021-3725 (Vulnerability in dirhistory plugin Description: the widgets that go ba ...)
NOT-FOR-US: ohmyzsh
CVE-2021-3724
- RESERVED
+ REJECTED
NOT-FOR-US: Red Hat Serverless
CVE-2021-23161
- RESERVED
+ REJECTED
NOT-FOR-US: Red Hat Serverless
CVE-2021-23156
- RESERVED
+ REJECTED
NOT-FOR-US: Red Hat Serverless
CVE-2021-39294
RESERVED
@@ -70769,8 +70832,7 @@ CVE-2021-3715 (A flaw was found in the "Routing decision" classifier in the Linu
[stretch] - linux 4.9.228-1
NOTE: https://www.openwall.com/lists/oss-security/2021/09/07/1
NOTE: https://git.kernel.org/linus/ef299cc3fa1a9e1288665a9fdc8bff55629fd359 (5.6)
-CVE-2021-3714
- RESERVED
+CVE-2021-3714 (A flaw was found in the Linux kernels memory deduplication mechanism. ...)
- linux <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1931327
CVE-2021-39245 (Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus Nexto, ...)
@@ -72346,13 +72408,11 @@ CVE-2021-38563 (An issue was discovered in Foxit PDF Reader before 11.0.1 and PD
CVE-2021-3703
RESERVED
NOT-FOR-US: Red Hat Serverless
-CVE-2021-3702
- RESERVED
+CVE-2021-3702 (A race condition flaw was found in ansible-runner, where an attacker c ...)
- ansible-runner <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/ansible/ansible-runner/pull/742/commits/0e9aa8a97e7832ef9a1553ef2908632a32d2b8c4
NOTE: Introduced in https://github.com/ansible/ansible-runner/commit/93e95a3df9021a38010386d07df121392d249253
-CVE-2021-3701
- RESERVED
+CVE-2021-3701 (A flaw was found in ansible-runner where the default temporary files c ...)
- ansible-runner 2.1.1-1
NOTE: https://github.com/ansible/ansible-runner/issues/738
NOTE: https://github.com/ansible/ansible-runner/pull/742/commits/60b059f00409224acae1e417153a241c8591ad89
@@ -73292,8 +73352,7 @@ CVE-2021-38210
RESERVED
CVE-2021-3691
RESERVED
-CVE-2021-3690 [buffer leak on incoming websocket PONG message may lead to DoS]
- RESERVED
+CVE-2021-3690 (A flaw was found in Undertow. A buffer leak on the incoming WebSocket ...)
- undertow 2.2.10-1
NOTE: https://issues.redhat.com/browse/UNDERTOW-1935
CVE-2021-38209 (net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.1 ...)
@@ -74771,8 +74830,7 @@ CVE-2021-3671 (A null pointer de-reference was found in the way samba kerberos s
NOTE: Followup: https://github.com/heimdal/heimdal/commit/773802aecfb4b6a73817fa522faeb55b2a7cdb2a
NOTE: "Equivalent" issue for CVE-2021-37750 for the MIT krb5 vulnerability.
NOTE: Fixed by (Samba): https://gitlab.com/samba-team/samba/-/commit/0cb4b939f192376bf5e33637863a91a20f74c5a5
-CVE-2021-3670 [MaxQueryDuration not honoured in Samba AD DC LDAP]
- RESERVED
+CVE-2021-3670 (MaxQueryDuration not honoured in Samba AD DC LDAP ...)
- ldb 2:2.2.3-1
[buster] - ldb <no-dsa> (Minor issue)
[stretch] - ldb <no-dsa> (Minor issue)
@@ -119549,8 +119607,7 @@ CVE-2021-20317 (A flaw was found in the Linux kernel. A corrupted timer tree cau
{DSA-5096-1 DLA-2941-1 DLA-2843-1}
- linux 5.4.6-1
NOTE: https://git.kernel.org/linus/511885d7061eda3eb1faf3f57dcc936ff75863f1 (5.4-rc1)
-CVE-2021-20316
- RESERVED
+CVE-2021-20316 (A flaw was found in the way Samba handled file/directory metadata. Thi ...)
[experimental] - samba 2:4.16.0+dfsg-1
- samba 2:4.16.0+dfsg-2 (bug #1004690)
[bullseye] - samba <ignored> (Minor issue; no backport to older versions, mitigations exists)
@@ -119628,8 +119685,7 @@ CVE-2021-20305 (A flaw was found in Nettle in versions before 3.7.2, where sever
NOTE: https://git.lysator.liu.se/nettle/nettle/-/commit/ae3801a0e5cce276c270973214385c86048d5f7b
NOTE: Fix canonical reduction in gostdsa_vko:
NOTE: https://git.lysator.liu.se/nettle/nettle/-/commit/63f222c60b03470c0005aa9bc4296fbf585f68b9
-CVE-2021-20304 [Undefined-shift in Imf_2_5::hufDecode]
- RESERVED
+CVE-2021-20304 (A flaw was found in OpenEXR's hufDecode functionality. This flaw allow ...)
- openexr 2.5.4-1 (unimportant)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26229
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e
@@ -119660,8 +119716,7 @@ CVE-2021-20299 (A flaw was found in OpenEXR's Multipart input file functionality
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25740
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/840
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/25e9515b06a6bc293d871622b8cafaee7af84e0f
-CVE-2021-20298 [Out-of-memory in B44Compressor]
- RESERVED
+CVE-2021-20298 (A flaw was found in OpenEXR's B44Compressor. This flaw allows an attac ...)
- openexr 2.5.4-1
[buster] - openexr <ignored> (Minor issue)
[stretch] - openexr <postponed> (Minor issue, OOM, revisit when there's a full fix upstream)
@@ -120613,8 +120668,7 @@ CVE-2020-35511
RESERVED
CVE-2020-35510 (A flaw was found in jboss-remoting in versions before 5.0.20.SP1-redha ...)
- libjboss-remoting-java <removed>
-CVE-2020-35509
- RESERVED
+CVE-2020-35509 (A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An ...)
NOT-FOR-US: Keycloak
CVE-2020-35508 (A flaw possibility of race condition and incorrect initialization of t ...)
- linux 5.9.9-1
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c757a12708906eadb8f35ff6fedfe41f4b895dd5