[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Aug 29 09:10:27 BST 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ba2a09b9 by security tracker role at 2022-08-29T08:10:17+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,5 @@
+CVE-2022-3019 (The forgot password token basically just makes us capable of taking ov ...)
+ TODO: check
CVE-2222-XXXX [DoS vulnerability in inetutils-telnetd: NULL pointer dereference when sending the byte sequences]
- inetutils 2:2.3-5
[bullseye] - inetutils <no-dsa> (Minor issue)
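Review bot: the added CVE-2022-3019 entry at the top of the file is left at `TODO: check`, and its truncated description ("The forgot password token basically just makes us capable of taking ov ...") names no product or package, so it cannot be triaged from this list alone. Whoever picks it up should read the full CVE record and replace the TODO with either a `NOT-FOR-US:` line or a source package entry.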
@@ -815,10 +817,10 @@ CVE-2022-38513
RESERVED
CVE-2022-38512
RESERVED
-CVE-2022-38511
- RESERVED
-CVE-2022-38510
- RESERVED
+CVE-2022-38511 (TOTOLINK A810R V5.9c.4050_B20190424 was discovered to contain a comman ...)
+ TODO: check
+CVE-2022-38510 (Tenda_TX9pro V22.03.02.10 was discovered to contain a buffer overflow ...)
+ TODO: check
CVE-2022-38509
RESERVED
CVE-2022-38508
@@ -5614,16 +5616,16 @@ CVE-2022-36710
RESERVED
CVE-2022-36709
RESERVED
-CVE-2022-36708
- RESERVED
-CVE-2022-36707
- RESERVED
-CVE-2022-36706
- RESERVED
-CVE-2022-36705
- RESERVED
-CVE-2022-36704
- RESERVED
+CVE-2022-36708 (Library Management System v1.0 was discovered to contain a SQL injecti ...)
+ TODO: check
+CVE-2022-36707 (Library Management System v1.0 was discovered to contain a SQL injecti ...)
+ TODO: check
+CVE-2022-36706 (Ingredients Stock Management System v1.0 was discovered to contain a S ...)
+ TODO: check
+CVE-2022-36705 (Ingredients Stock Management System v1.0 was discovered to contain a S ...)
+ TODO: check
+CVE-2022-36704 (Library Management System v1.0 was discovered to contain a SQL injecti ...)
+ TODO: check
CVE-2022-36703 (Ingredients Stock Management System v1.0 was discovered to contain a S ...)
NOT-FOR-US: Ingredients Stock Management System
CVE-2022-36702
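Review bot: CVE-2022-36706 and CVE-2022-36705 are added as `TODO: check` although the next entry, CVE-2022-36703, carries the same product in its description and is already marked `NOT-FOR-US: Ingredients Stock Management System`. Suggest giving those two the same disposition, and triaging the three Library Management System v1.0 entries (CVE-2022-36708, CVE-2022-36707, CVE-2022-36704) together so they end up with one consistent line.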
@@ -5798,20 +5800,20 @@ CVE-2022-36618
RESERVED
CVE-2022-36617
RESERVED
-CVE-2022-36616
- RESERVED
-CVE-2022-36615
- RESERVED
-CVE-2022-36614
- RESERVED
-CVE-2022-36613
- RESERVED
-CVE-2022-36612
- RESERVED
-CVE-2022-36611
- RESERVED
-CVE-2022-36610
- RESERVED
+CVE-2022-36616 (TOTOLINK A810R V4.1.2cu.5182_B20201026 and V5.9c.4050_B20190424 was di ...)
+ TODO: check
+CVE-2022-36615 (TOTOLINK A3000RU V4.1.2cu.5185_B20201128 was discovered to contain a h ...)
+ TODO: check
+CVE-2022-36614 (TOTOLINK A860R V4.1.2cu.5182_B20201027 was discovered to contain a har ...)
+ TODO: check
+CVE-2022-36613 (TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a har ...)
+ TODO: check
+CVE-2022-36612 (TOTOLINK A950RG V4.1.2cu.5204_B20210112 was discovered to contain a ha ...)
+ TODO: check
+CVE-2022-36611 (TOTOLINK A800R V4.1.2cu.5137_B20200730 was discovered to contain a har ...)
+ TODO: check
+CVE-2022-36610 (TOTOLINK A720R V4.1.5cu.532_B20210610 was discovered to contain a hard ...)
+ TODO: check
CVE-2022-36609
RESERVED
CVE-2022-36608
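Review bot: the seven TOTOLINK entries CVE-2022-36616 to CVE-2022-36610 all land as `TODO: check`, and the same vendor appears again in this commit at CVE-2022-38511 (TOTOLINK A810R). Suggest triaging the eight entries in one pass so they receive the same disposition line instead of being resolved piecemeal.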
@@ -5884,10 +5886,10 @@ CVE-2022-36575
RESERVED
CVE-2022-36574
RESERVED
-CVE-2022-36573
- RESERVED
-CVE-2022-36572
- RESERVED
+CVE-2022-36573 (A cross-site scripting (XSS) vulnerability in Pagekit CMS v1.0.18 allo ...)
+ TODO: check
+CVE-2022-36572 (Sinsiu Sinsiu Enterprise Website System v1.1.1.0 was discovered to con ...)
+ TODO: check
CVE-2022-36571
RESERVED
CVE-2022-36570
@@ -6935,8 +6937,8 @@ CVE-2022-36196
RESERVED
CVE-2022-36195
RESERVED
-CVE-2022-36194
- RESERVED
+CVE-2022-36194 (Centreon 22.04.0 is vulnerable to Cross Site Scripting (XSS) from the ...)
+ TODO: check
CVE-2022-36193
RESERVED
CVE-2022-36192
@@ -10870,8 +10872,8 @@ CVE-2022-34670
RESERVED
CVE-2022-34669
RESERVED
-CVE-2022-34668
- RESERVED
+CVE-2022-34668 (NVFLARE, versions prior to 2.1.4, contains a vulnerability that deseri ...)
+ TODO: check
CVE-2022-34667
RESERVED
CVE-2022-34666
@@ -16187,8 +16189,8 @@ CVE-2022-2025
RESERVED
CVE-2017-20051 (A vulnerability was found in InnoSetup Installer. It has been declared ...)
NOT-FOR-US: InnoSetup
-CVE-2022-32548
- RESERVED
+CVE-2022-32548 (An issue was discovered on certain DrayTek Vigor routers before July 2 ...)
+ TODO: check
CVE-2022-32547 (In ImageMagick, there is load of misaligned address for type 'double', ...)
- imagemagick <unfixed> (bug #1016442)
[bullseye] - imagemagick <ignored> (Minor issue)
@@ -17216,7 +17218,7 @@ CVE-2022-32209 (# Possible XSS Vulnerability in Rails::Html::SanitizerThere is a
NOTE: https://discuss.rubyonrails.org/t/cve-2022-32209-possible-xss-vulnerability-in-rails-sanitizer/80800
NOTE: https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d (v1.4.3)
CVE-2022-32208 (When curl < 7.84.0 does FTP transfers secured by krb5, it handles m ...)
- {DSA-5197-1}
+ {DSA-5197-1 DLA-3085-1}
- curl 7.84.0-1
NOTE: https://curl.se/docs/CVE-2022-32208.html
NOTE: Introduced by: https://github.com/curl/curl/commit/54967d2a3ab5559631407f7b7f67ef48c2dda6dd (curl-7_16_4)
@@ -17230,7 +17232,7 @@ CVE-2022-32207 (When curl < 7.84.0 saves cookies, alt-svc and hsts data to lo
NOTE: Introduced by: https://github.com/curl/curl/commit/b834890a3fa3f525cd8ef4e99554cdb4558d7e1b (curl-7_69_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f (curl-7_84_0)
CVE-2022-32206 (curl < 7.84.0 supports "chained" HTTP compression algorithms, meani ...)
- {DSA-5197-1}
+ {DSA-5197-1 DLA-3085-1}
- curl 7.84.0-1
NOTE: https://curl.se/docs/CVE-2022-32206.html
NOTE: Introduced by: https://github.com/curl/curl/commit/dbcced8e32b50c068ac297106f0502ee200a1ebd (curl-7_57_0)
@@ -30446,14 +30448,14 @@ CVE-2022-26346 (A denial of service vulnerability exists in the ucloud_del_node
CVE-2022-1060
RESERVED
CVE-2022-27782 (libcurl would reuse a previously created connection even when a TLS or ...)
- {DSA-5197-1}
+ {DSA-5197-1 DLA-3085-1}
- curl 7.83.1-1
NOTE: https://www.openwall.com/lists/oss-security/2022/05/11/5
NOTE: https://curl.se/docs/CVE-2022-27782.html
NOTE: Fixed by: https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c (curl-7_83_1)
NOTE: Fixed by: https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5 (curl-7_83_1)
CVE-2022-27781 (libcurl provides the `CURLOPT_CERTINFO` option to allow applications t ...)
- {DSA-5197-1}
+ {DSA-5197-1 DLA-3085-1}
- curl 7.83.1-1
NOTE: https://www.openwall.com/lists/oss-security/2022/05/11/4
NOTE: https://curl.se/docs/CVE-2022-27781.html
@@ -30495,7 +30497,7 @@ CVE-2022-27777 (A XSS Vulnerability in Action View tag helpers >= 5.2.0 and &
NOTE: Fixed by: https://github.com/rails/rails/commit/1278c0f0b4a18ea199f92b666b8b94954a74c20b (v5.2.7.1)
NOTE: Regression fix: https://github.com/rails/rails/commit/a1b8a9b5e5a905d0aeabf532e3f6b74116d5cce6 (v5.2.8)
CVE-2022-27776 (A insufficiently protected credentials vulnerability in fixed in curl ...)
- {DSA-5197-1}
+ {DSA-5197-1 DLA-3085-1}
- curl 7.83.0-1 (bug #1010252)
NOTE: https://curl.se/docs/CVE-2022-27776.html
NOTE: Fixed by: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258 (curl-7_83_0)
@@ -35513,8 +35515,8 @@ CVE-2022-25924
RESERVED
CVE-2022-25923
RESERVED
-CVE-2022-25921
- RESERVED
+CVE-2022-25921 (All versions of package morgan-json are vulnerable to Arbitrary Code E ...)
+ TODO: check
CVE-2022-25919
RESERVED
CVE-2022-25918
@@ -35699,8 +35701,8 @@ CVE-2022-25646
RESERVED
CVE-2022-25645 (All versions of package dset are vulnerable to Prototype Pollution via ...)
NOT-FOR-US: Node dset
-CVE-2022-25644
- RESERVED
+CVE-2022-25644 (All versions of package @pendo324/get-process-by-name are vulnerable t ...)
+ TODO: check
CVE-2022-25354 (The package set-in before 2.0.3 are vulnerable to Prototype Pollution ...)
NOT-FOR-US: Node set-in
CVE-2022-25353
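Review bot: CVE-2022-25644 (@pendo324/get-process-by-name) is left at `TODO: check` between two npm package entries that are already resolved as `NOT-FOR-US: Node dset` and `NOT-FOR-US: Node set-in`. If the package is not in the archive, the TODO should be replaced with a line in the same `NOT-FOR-US: Node ...` form so the neighbouring entries stay consistent.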
@@ -35870,8 +35872,8 @@ CVE-2022-21169
RESERVED
CVE-2022-21167 (All versions of package masuit.tools.core are vulnerable to Arbitrary ...)
NOT-FOR-US: masuit.tools
-CVE-2022-21165
- RESERVED
+CVE-2022-21165 (All versions of package font-converter are vulnerable to Arbitrary Com ...)
+ TODO: check
CVE-2022-21164 (The package node-lmdb before 0.9.7 are vulnerable to Denial of Service ...)
NOT-FOR-US: Node lmdb
CVE-2022-21149 (The package s-cart/s-cart before 6.9; the package s-cart/core before 6 ...)
@@ -36412,8 +36414,8 @@ CVE-2022-25643 (seatd-launch in seatd 0.6.x before 0.6.4 allows removing files w
NOTE: https://lists.sr.ht/~kennylevinsen/seatd-announce/%3CETEO7R.QG8B1KGD531R1%40kl.wtf%3E
CVE-2022-25642 (Obyte (formerly Byteball) Wallet before 3.4.1 allows XSS. A crafted ch ...)
NOT-FOR-US: Obyte (formerly Byteball) Wallet
-CVE-2022-25641
- RESERVED
+CVE-2022-25641 (Foxit PDF Reader before 11.2.2 and PDF Editor before 11.2.2, and Phant ...)
+ TODO: check
CVE-2022-25640 (In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a re ...)
- wolfssl 5.2.0-1
[bullseye] - wolfssl 4.6.0+p1-0+deb11u1
@@ -45791,8 +45793,8 @@ CVE-2022-22899 (Core FTP / SFTP Server v2 Build 725 was discovered to allow unau
NOT-FOR-US: Core FTP / SFTP Server
CVE-2022-22898
RESERVED
-CVE-2022-22897
- RESERVED
+CVE-2022-22897 (A SQL injection vulnerability in the product_all_one_img and image_pro ...)
+ TODO: check
CVE-2022-22896
RESERVED
CVE-2022-22895 (Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ...)
@@ -47221,7 +47223,7 @@ CVE-2022-22577 (An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 t
NOTE: https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508 (v6.0.4.8)
NOTE: https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809 (v5.2.7.1)
CVE-2022-22576 (An improper authentication vulnerability exists in curl 7.33.0 to and ...)
- {DSA-5197-1}
+ {DSA-5197-1 DLA-3085-1}
- curl 7.83.0-1 (bug #1010295)
NOTE: https://curl.se/docs/CVE-2022-22576.html
NOTE: Fixed by: https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 (curl-7_83_0)
@@ -64826,18 +64828,18 @@ CVE-2021-41787
RESERVED
CVE-2021-41786
RESERVED
-CVE-2021-41785
- RESERVED
-CVE-2021-41784
- RESERVED
-CVE-2021-41783
- RESERVED
-CVE-2021-41782
- RESERVED
-CVE-2021-41781
- RESERVED
-CVE-2021-41780
- RESERVED
+CVE-2021-41785 (Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPD ...)
+ TODO: check
+CVE-2021-41784 (Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPD ...)
+ TODO: check
+CVE-2021-41783 (Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPD ...)
+ TODO: check
+CVE-2021-41782 (Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPD ...)
+ TODO: check
+CVE-2021-41781 (Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPD ...)
+ TODO: check
+CVE-2021-41780 (Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPD ...)
+ TODO: check
CVE-2021-41779
RESERVED
CVE-2021-41778
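Review bot: CVE-2021-41785 through CVE-2021-41780 are six `TODO: check` entries whose truncated descriptions are identical ("Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPD ..."), so they cannot be told apart from this list. The same product also appears in CVE-2021-40326 and CVE-2022-25641 in this commit; suggest resolving all eight with one disposition.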
@@ -68637,8 +68639,8 @@ CVE-2021-40328
RESERVED
CVE-2021-40327 (Trusted Firmware-M (TF-M) 1.4.0, when Profile Small is used, has incor ...)
NOT-FOR-US: Trusted Firmware-M (TF-M)
-CVE-2021-40326
- RESERVED
+CVE-2021-40326 (Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPD ...)
+ TODO: check
CVE-2021-40325 (Cobbler before 3.3.0 allows authorization bypass for modification of s ...)
- cobbler <removed>
CVE-2021-40324 (Cobbler before 3.3.0 allows arbitrary file write operations via upload ...)
@@ -112132,12 +112134,12 @@ CVE-2021-22949 (A CSRF in Concrete CMS version 8.5.5 and below allows an attacke
CVE-2021-22948 (Vulnerability in the generation of session IDs in revive-adserver < ...)
NOT-FOR-US: revive-adserver
CVE-2021-22947 (When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 se ...)
- {DSA-5197-1 DLA-2773-1}
+ {DSA-5197-1 DLA-3085-1 DLA-2773-1}
- curl 7.79.1-1
NOTE: https://curl.se/docs/CVE-2021-22947.html
NOTE: Fixed by: https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68 (curl-7_79_0)
CVE-2021-22946 (A user can tell curl >= 7.20.0 and <= 7.78.0 to require a succes ...)
- {DSA-5197-1 DLA-2773-1}
+ {DSA-5197-1 DLA-3085-1 DLA-2773-1}
- curl 7.79.1-1 (bug #1017589)
NOTE: https://curl.se/docs/CVE-2021-22946.html
NOTE: Fixed by: https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca (curl-7_79_0)
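Review bot: in the `{...}` lines for CVE-2021-22947 and CVE-2021-22946, DLA-3085-1 is added next to the existing DLA-2773-1, so each CVE now references two DLAs while the entry shows only a single fixed version line (`- curl 7.79.1-1`). It is worth confirming that both advisories are meant to cover these CVEs, since nothing in the visible entry says which release each one applies to.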
@@ -112214,7 +112216,7 @@ CVE-2021-22925 (curl supports the `-t` command line option, known as `CURLOPT_TE
NOTE: CVE is assigned because previous attempt to address CVE-2021-22898 resulted to be
NOTE: insufficient and the security vulnerability remained.
CVE-2021-22924 (libcurl keeps previously used connections in a connection pool for sub ...)
- {DSA-5197-1 DLA-2734-1}
+ {DSA-5197-1 DLA-3085-1 DLA-2734-1}
- curl 7.79.1-1 (bug #991492)
NOTE: https://curl.se/docs/CVE-2021-22924.html
NOTE: Introduced by: https://github.com/curl/curl/commit/89721ff04af70f527baae1368f3b992777bf6526 (curl-7_10_4)
@@ -112298,7 +112300,7 @@ CVE-2021-22900 (A vulnerability allowed multiple unrestricted uploads in Pulse C
CVE-2021-22899 (A command injection vulnerability exists in Pulse Connect Secure befor ...)
NOT-FOR-US: Pulse Connect Secure
CVE-2021-22898 (curl 7.7 through 7.76.1 suffers from an information disclosure when th ...)
- {DSA-5197-1 DLA-2734-1}
+ {DSA-5197-1 DLA-3085-1 DLA-2734-1}
- curl 7.79.1-1 (bug #989228)
NOTE: https://curl.se/docs/CVE-2021-22898.html
NOTE: Introduced by: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 (7.7)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba2a09b98e4b9ff9f32eb586522b64dd62a8a0f6