[Git][security-tracker-team/security-tracker][master] 7 commits: Triage CVE-2022-30256 in maradns for buster LTS.
Chris Lamb (@lamby)
lamby at debian.org
Mon Dec 5 07:38:37 GMT 2022
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2eedd614 by Chris Lamb at 2022-12-05T07:33:10+00:00
Triage CVE-2022-30256 in maradns for buster LTS.
- - - - -
410bcc45 by Chris Lamb at 2022-12-05T07:33:30+00:00
Triage CVE-2022-24999 in node-qs for buster LTS.
- - - - -
42f41e22 by Chris Lamb at 2022-12-05T07:33:47+00:00
Triage CVE-2022-45197 in slixmpp for buster LTS.
- - - - -
512fdf81 by Chris Lamb at 2022-12-05T07:34:24+00:00
Triage CVE-2022-45414 in thunderbird for buster LTS.
- - - - -
271f0ae6 by Chris Lamb at 2022-12-05T07:35:53+00:00
data/dla-needed.txt: Triage http-parser for buster LTS (CVE-2020-8287)
- - - - -
99a6fb39 by Chris Lamb at 2022-12-05T07:36:46+00:00
Triage CVE-2021-33621 in ruby2.5 for buster LTS.
- - - - -
4d16609b by Chris Lamb at 2022-12-05T07:37:43+00:00
Triage CVE-2022-XXXX in node-d3-color for buster LTS.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -156,6 +156,7 @@ CVE-2022-4263
CVE-2022-XXXX [node-d3-color redos]
- node-d3-color 1.2.8-5
[bullseye] - node-d3-color <no-dsa> (Minor issue)
+ [buster] - node-d3-color <no-dsa> (Minor issue)
NOTE: https://github.com/advisories/GHSA-36jr-mh4h-2g58
NOTE: https://github.com/d3/d3-color/issues/97
NOTE: https://github.com/d3/d3-color/pull/100
@@ -3206,6 +3207,7 @@ CVE-2022-45414
RESERVED
- thunderbird 1:102.5.1-1
[bullseye] - thunderbird <postponed> (Minor issue, fix along in next ESR update)
+ [buster] - thunderbird <postponed> (Minor issue)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-50/#CVE-2022-45414
CVE-2022-45413
RESERVED
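Review bot: the added `[buster] - thunderbird <postponed> (Minor issue)` line gives no condition for picking the fix up, whereas the bullseye line directly above it says "fix along in next ESR update". A `<postponed>` state reads best with its trigger stated, so consider using the same wording for buster, or state the different plan if buster will not follow the ESR update.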
@@ -3804,6 +3806,7 @@ CVE-2022-45197 [missing certificate hostname validation]
RESERVED
- slixmpp 1.8.3-1
[bullseye] - slixmpp <no-dsa> (Minor issue)
+ [buster] - slixmpp <no-dsa> (Minor issue)
NOTE: https://lab.louiz.org/poezio/slixmpp/-/commit/b60b1b985db928532f97c4f61d6fbc801f0aa7fa (slix-1.8.3)
CVE-2022-45196 (Hyperledger Fabric 2.3 allows attackers to cause a denial of service ( ...)
NOT-FOR-US: Hyperledger Fabric
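Review bot: the new `[buster] - slixmpp <no-dsa> (Minor issue)` line repeats the bullseye reason without any buster-specific justification, for an entry titled "missing certificate hostname validation". Since the NOTE points at a single upstream commit, a short NOTE saying whether that commit applies to the buster version, or a more specific reason than "Minor issue", would let a later reader see why no DLA was judged necessary.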
@@ -47071,6 +47074,7 @@ CVE-2022-30257 (An issue was discovered in Technitium DNS Server through 8.0.2 t
CVE-2022-30256 (An issue was discovered in MaraDNS Deadwood through 3.5.0021 that allo ...)
- maradns <unfixed>
[bullseye] - maradns <no-dsa> (Minor issue)
+ [buster] - maradns <no-dsa> (Minor issue)
NOTE: https://maradns.samiam.org/security.html#CVE-2022-30256
CVE-2022-30255
RESERVED
@@ -62375,6 +62379,7 @@ CVE-2022-25000
CVE-2022-24999 (qs before 6.10.3, as used in Express before 4.17.3 and other products, ...)
- node-qs 6.10.3+ds+~6.9.7-1
[bullseye] - node-qs <no-dsa> (Minor issue)
+ [buster] - node-qs <no-dsa> (Minor issue)
NOTE: https://github.com/ljharb/qs/pull/428
CVE-2022-24998
RESERVED
@@ -109439,6 +109444,7 @@ CVE-2021-33621 (The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before
- ruby2.7 <removed>
[bullseye] - ruby2.7 <no-dsa> (Minor issue)
- ruby2.5 <removed>
+ [buster] - ruby2.5 <no-dsa> (Minor issue)
NOTE: https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
NOTE: Fixed by: https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708 (v0.3.4)
NOTE: Possible followup needed: https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819 (v3.0.5)
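Review bot: the added `[buster] - ruby2.5 <no-dsa> (Minor issue)` line sits above a NOTE that reads "Possible followup needed", so if this is fixed in a later ruby2.5 update the follow-up commit has to be evaluated together with the v0.3.4 fix; it may be worth saying so on the buster line or in a dated NOTE. Separately, that follow-up NOTE is tagged (v3.0.5), which does not match the 0.x numbering used in the CVE description and in the "Fixed by" NOTE, so the tag is worth checking while this entry is being touched.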
=====================================
data/dla-needed.txt
=====================================
@@ -86,6 +86,9 @@ hsqldb (Markus Koschany)
NOTE: 20221031: To be investigated further. A possible outcome is to ignore it.
NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html.
--
+http-parser
+ NOTE: 20221205: Programming language: C.
+--
imagemagick (Roberto C. Sánchez)
NOTE: 20220904: Programming language: C.
NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git
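Review bot: the new `http-parser` entry carries only the "Programming language: C." NOTE, and the CVE named in the commit subject (CVE-2020-8287) appears nowhere in the entry or in the data/CVE/list hunks of this push. Someone claiming the package from dla-needed.txt has to go to the commit log to learn what prompted it; a dated NOTE naming the CVE would make the entry self-explanatory.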
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c7ecb41c44bc87f78f854716627498c70e0d7653...4d16609bf7c73f11f4cabd12a94124aaf47ce777