[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Dec 12 17:57:07 GMT 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
03378f2f by Moritz Muehlenhoff at 2022-12-12T18:56:26+01:00
bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3113,7 +3113,7 @@ CVE-2022-4135 (Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.
 	[buster] - chromium <end-of-life> (see DSA 5046)
 CVE-2022-4134
 	RESERVED
-	- glance <unfixed>
+	NOTE: There's no code fix, just an update on best practices
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2147462
 	NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0090
 	NOTE: https://bugs.launchpad.net/ossn/+bug/1990157
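Review bot: dropping the only package line (`- glance <unfixed>`) leaves CVE-2022-4134 with a RESERVED marker and three NOTE lines but no source-package association at all, so the tracker can no longer list glance against this CVE and the triage decision is not machine-visible. If the conclusion is that glance needs no code change, keep a package line with an explicit disposition and carry the reason in its parenthetical, for example `- glance <not-affected> (No code fix, only a best-practices update; see OSSN-0090)`, and leave the NOTE lines as the supporting references.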
@@ -4929,6 +4929,7 @@ CVE-2022-45284
 	RESERVED
 CVE-2022-45283 (GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the s ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <no-dsa> (Minor issue)
 	[buster] - gpac <end-of-life> (EOL in buster LTS)
 	NOTE: https://github.com/gpac/gpac/issues/2295
 	NOTE: https://github.com/gpac/gpac/commit/0fc714872ba4536a1190f93aa278b6e08f8c60df
@@ -13877,6 +13878,7 @@ CVE-2022-42962
 	RESERVED
 CVE-2022-42961 (An issue was discovered in wolfSSL before 5.5.0. A fault injection att ...)
 	- wolfssl 5.5.3-1 (bug #1023574)
+	[bullseye] - wolfssl <no-dsa> (Minor issue)
 	NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable
 CVE-2022-42960 (EqualWeb Accessibility Widget 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.1 ...)
 	NOT-FOR-US: EqualWeb Accessibility Widget
@@ -14028,10 +14030,12 @@ CVE-2022-3511 (The Awesome Support WordPress plugin before 6.1.2 does not ensure
 	NOT-FOR-US: WordPress plugin
 CVE-2022-3510 (A parsing issue similar to CVE-2022-3171, but with Message-Type Extens ...)
 	- protobuf <unfixed>
+	[bullseye] - protobuf <no-dsa> (Minor issue)
 	NOTE: https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48
 CVE-2022-3509 (A parsing issue similar to CVE-2022-3171, but with textformat in proto ...)
 	[experimental] - protobuf 3.21.7-1
 	- protobuf 3.21.9-3
+	[bullseye] - protobuf <no-dsa> (Minor issue)
 	NOTE: https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9 (v21.7, v3.21.7)
 CVE-2022-3508
 	RESERVED
@@ -14152,6 +14156,7 @@ CVE-2022-42907
 	RESERVED
 CVE-2022-42905 (In wolfSSL before 5.5.2, if callback functions are enabled (via the WO ...)
 	- wolfssl 5.5.3-1
+	[bullseye] - wolfssl <no-dsa> (Minor issue)
 	NOTE: Fixed in 5.5.2 (https://www.wolfssl.com/docs/security-vulnerabilities/)
 CVE-2022-42904 (Zoho ManageEngine ADManager Plus through 7151 allows authenticated adm ...)
 	NOT-FOR-US: Zoho ManageEngine
@@ -23489,6 +23494,7 @@ CVE-2022-39174
 	RESERVED
 CVE-2022-39173 (In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow ...)
 	- wolfssl 5.5.3-1 (bug #1021021)
+	[bullseye] - wolfssl <no-dsa> (Minor issue)
 CVE-2022-39172
 	RESERVED
 CVE-2022-39171
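Review bot: the added bullseye line uses the stock "(Minor issue)" justification, but the description on this entry reads "malicious clients can cause a buffer overflow", i.e. a server-side memory-safety bug reachable by a remote peer, which is not self-evidently minor. Record why it is being waived for bullseye in the parenthetical (the preconditions a client must meet to reach the overflow, or the low reverse-dependency footprint of wolfssl in Debian, whichever applies) so the next triager does not have to re-derive the decision. The same "(Minor issue)" text is reused for the other two wolfssl entries in this commit, which cover different bug classes and were presumably judged separately.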
@@ -33855,6 +33861,7 @@ CVE-2022-35410 (mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows .
 	NOTE: https://dustri.org/b/mat2-0130.html
 CVE-2022-35409 (An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0 ...)
 	- mbedtls 2.28.1-1
+	[bullseye] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://github.com/Mbed-TLS/mbedtls-docs/blob/5e9790353d2d9e41e85262eebe52fd90bb49f1e0/security-advisories/advisories/mbedtls-security-advisory-2022-07.md
 	NOTE: https://github.com/Mbed-TLS/mbedtls/commit/f333dfab4a6c2d8a604a61558a8f783145161de4 (v2.28.1)
 	NOTE: https://github.com/Mbed-TLS/mbedtls/commit/e5af9fabf7d68e3807b6ea78792794b8352dbba2 (v2.28.1)
@@ -43639,6 +43646,7 @@ CVE-2022-1942 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to
 CVE-2022-1941 (A parsing vulnerability for the MessageSet type in the ProtocolBuffers ...)
 	[experimental] - protobuf 3.20.2-1
 	- protobuf 3.21.9-3
+	[bullseye] - protobuf <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/09/27/1
 	NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
 	NOTE: https://github.com/protocolbuffers/protobuf/commit/806d7e4ce6f1fd0545cae226b94cb0249ea495c7 (v3.20.2)
@@ -61286,6 +61294,7 @@ CVE-2022-24440 (The package cocoapods-downloader before 1.6.0, from 1.6.2 and be
 	NOT-FOR-US: cocoapods-downloader
 CVE-2022-24439 (All versions of package gitpython are vulnerable to Remote Code Execut ...)
 	- python-git <unfixed>
+	[bullseye] - python-git <no-dsa> (Minor issue)
 	NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
 	NOTE: https://github.com/gitpython-developers/GitPython/issues/1515
 CVE-2022-24438
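Review bot: CVE-2022-24439 is described on this entry as "Remote Code Execut..." and is still `<unfixed>` in unstable, yet the new bullseye line classes it as "(Minor issue)" with no stated reason. For an RCE-class bug the parenthetical should say what makes it minor in Debian's context, e.g. which input an attacker has to control to reach the vulnerable code path (the linked GitPython issue #1515 is where that should be checked), otherwise the `<no-dsa>` reads as unmotivated. Since no fixed version is recorded for unstable either, consider tracking the sid fix first so the bullseye tag does not outlive it.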
@@ -78784,6 +78793,7 @@ CVE-2021-44733 (A use-after-free exists in drivers/tee/tee_shm.c in the TEE subs
 CVE-2021-44732 (Mbed TLS before 3.0.1 has a double free in certain out-of-memory condi ...)
 	[experimental] - mbedtls 2.28.0-0.1
 	- mbedtls 2.28.0-0.3 (bug #1002631)
+	[bullseye] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
 	NOTE: https://github.com/ARMmbed/mbedtls/commit/eb490aabf6a9f47c074ec476d0d4997c2362cdbc (mbedtls-2.16.12)
 CVE-2021-44731 (A race condition existed in the snapd 2.54.2 snap-confine binary when  ...)
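Review bot: the NOTE under CVE-2021-44732 already points at the upstream fix on the 2.16 branch (commit eb490aab, tagged mbedtls-2.16.12), so a backport suitable for stable exists. If bullseye's mbedtls is from the 2.16 series, a fix that is available but not worth a DSA is better recorded as `<postponed>` with a reason such as "Minor issue, can be fixed via point release" than as `<no-dsa> (Minor issue)`, which reads as "no update planned" and makes it easy to lose track of the pending 2.16 fix.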
@@ -83256,6 +83266,7 @@ CVE-2021-43667 (A vulnerability has been detected in HyperLedger Fabric v1.4.0,
 	NOT-FOR-US: HyperLedger
 CVE-2021-43666 (A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier ...)
 	- mbedtls 2.28.0-1
+	[bullseye] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://github.com/ARMmbed/mbedtls/issues/5136
 	NOTE: Backport 2.16: https://github.com/ARMmbed/mbedtls/pull/5311
 CVE-2021-43665
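Review bot: same situation as CVE-2021-44732 earlier in this commit: the "Backport 2.16" NOTE (PR 5311) shows a stable-branch fix exists for CVE-2021-43666, so `<postponed>` with a point-release reason matches the state better than `<no-dsa> (Minor issue)`. If both 2.16 backports are applied together, one bullseye point-release update of mbedtls could close both entries; say so in the parenthetical so the two are handled as a unit rather than re-triaged independently.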



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03378f2f23a5174a20aa686adcbf67c15a9df4f1
