[Git][security-tracker-team/security-tracker][master] 18 commits: CVE-2022-46393,mbedtls: Buster and Bullseye are not affected

Markus Koschany (@apo) apo at debian.org
Sun Dec 25 19:13:05 GMT 2022



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
73685136 by Markus Koschany at 2022-12-25T20:12:28+01:00
CVE-2022-46393,mbedtls: Buster and Bullseye are not affected

The vulnerable code was introduced later

- - - - -
33d7a2d3 by Markus Koschany at 2022-12-25T20:12:29+01:00
CVE-2022-3109,ffmpeg: buster postponed

- - - - -
17c970e4 by Markus Koschany at 2022-12-25T20:12:30+01:00
LTS: add xorg-server to dla-needed.txt

- - - - -
0d394729 by Markus Koschany at 2022-12-25T20:12:31+01:00
CVE-2022-43272,dcmtk: buster / no-dsa

Minor issue

- - - - -
4916e729 by Markus Koschany at 2022-12-25T20:12:32+01:00
CVE-2021-4249,haskell-xml-conduit: buster no-dsa

Minor issue

- - - - -
636a6e4f by Markus Koschany at 2022-12-25T20:12:33+01:00
CVE-2021-4243,jquery-minicolors: buster is no-dsa

Minor issue

- - - - -
fa44a943 by Markus Koschany at 2022-12-25T20:12:34+01:00
CVE-2022-23527,libapache2-mod-auth-openidc: buster is no-dsa

Minor issue

- - - - -
d427ca54 by Markus Koschany at 2022-12-25T20:12:35+01:00
CVE-2020-36619,multimon-ng: buster is no-dsa

- - - - -
9c1906c5 by Markus Koschany at 2022-12-25T20:12:35+01:00
LTS: add nvidia-graphics-drivers to dla-needed.txt

- - - - -
52e7c0ab by Markus Koschany at 2022-12-25T20:12:36+01:00
CVE-2022-4427,buster: otrs2 no-dsa

- - - - -
81316d19 by Markus Koschany at 2022-12-25T20:12:37+01:00
CVE-2022-24439,python-git: buster is no-dsa

Minor issue

- - - - -
78da581b by Markus Koschany at 2022-12-25T20:12:38+01:00
wireshark,TEMP CVE, buster postponed

- - - - -
df69a44f by Markus Koschany at 2022-12-25T20:12:38+01:00
LTS: add exuberant-ctags to dla-needed.txt

- - - - -
ff882d66 by Markus Koschany at 2022-12-25T20:12:39+01:00
LTS: add libcommons-net-java to dla-needed.txt

- - - - -
b5e4733f by Markus Koschany at 2022-12-25T20:12:39+01:00
LTS: add libitext5-java to dla-needed.txt

- - - - -
f72541c0 by Markus Koschany at 2022-12-25T20:12:39+01:00
LTS: add libjettison-java to dla-needed.txt

- - - - -
f0874b72 by Markus Koschany at 2022-12-25T20:12:39+01:00
LTS: add netty to dla-needed.txt

- - - - -
174b3d71 by Markus Koschany at 2022-12-25T20:12:39+01:00
LTS: add xrdp to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1338,6 +1338,7 @@ CVE-2021-4258 (** DISPUTED ** A vulnerability was found in whohas. It has been r
 CVE-2020-36619 (A vulnerability was found in multimon-ng. It has been rated as critica ...)
 	- multimon-ng 1.2.0+dfsg-1
 	[bullseye] - multimon-ng <no-dsa> (Minor issue)
+	[buster] - multimon-ng <no-dsa> (Minor issue)
 	NOTE: https://github.com/EliasOenal/multimon-ng/commit/e5a51c508ef952e81a6da25b43034dd1ed023c07 (1.2.0)
 	NOTE: https://github.com/EliasOenal/multimon-ng/pull/160
 CVE-2020-36618 (A vulnerability classified as critical has been found in Furqan node-w ...)
@@ -1435,6 +1436,7 @@ CVE-2022-4592 (A vulnerability was found in luckyshot CRMx and classified as cri
 CVE-2021-4249 (A vulnerability was found in xml-conduit. It has been classified as pr ...)
 	- haskell-xml-conduit 1.9.1.1-1
 	[bullseye] - haskell-xml-conduit <no-dsa> (Minor issue)
+	[buster] - haskell-xml-conduit <no-dsa> (Minor issue)
 	NOTE: https://github.com/snoyberg/xml/pull/161/commits/2274b3c26fda7406337ce47cdfd862ef187694e2	
 	NOTE: https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea (xml-conduit/1.9.1.0)
 CVE-2021-4248 (A vulnerability was found in kapetan dns up to 6.1.0. It has been rate ...)
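Review bot: the new `[buster] - haskell-xml-conduit <no-dsa> (Minor issue)` line mirrors the bullseye line and is consistent with the 1.9.1.1-1 fixed version above it. One drive-by while in this entry: the existing NOTE line for the `snoyberg/xml/pull/161` commit ends in a trailing tab after the URL; stripping it would stop that line from showing up in future whitespace diffs.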
@@ -4201,6 +4203,7 @@ CVE-2022-4427 (Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG
 	- znuny 6.4.5-1
 	- otrs2 <removed>
 	[bullseye] - otrs2 <no-dsa> (Non-free not supported)
+	[buster] - otrs2 <no-dsa> (Non-free not supported)
 	NOTE: https://www.znuny.org/en/advisories/zsa-2022-07
 CVE-2022-4426
 	RESERVED
@@ -4227,15 +4230,18 @@ CVE-2021-4244 (A vulnerability classified as problematic has been found in yikes
 CVE-2021-4243 (A vulnerability was found in claviska jquery-minicolors up to 2.3.5. I ...)
 	- jquery-minicolors <unfixed> (bug #1026050)
 	[bullseye] - jquery-minicolors <no-dsa> (Minor issue)
+	[buster] - jquery-minicolors <no-dsa> (Minor issue)
 	NOTE: https://github.com/claviska/jquery-minicolors/releases/tag/2.3.6
 	NOTE: https://github.com/claviska/jquery-minicolors/commit/ef134824a7f4110ada53ea6c173111a4fa2f48f3
 CVE-2022-XXXX [The BPv6, OpenFlow, and Kafka protocol dissectors could go into an infinite loops]
 	- wireshark 4.0.2-1
 	[bullseye] - wireshark <no-dsa> (Minor issue)
+	[buster] - wireshark <postponed> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2022-09.html
 CVE-2022-XXXX [The Kafka dissector could consume excessive amounts of memory]
 	- wireshark 4.0.2-1
 	[bullseye] - wireshark <no-dsa> (Minor issue)
+	[buster] - wireshark <postponed> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2022-10.html
 CVE-2022-46908 (SQLite through 3.40.0, when relying on --safe for execution of an untr ...)
 	- sqlite3 3.40.0-2 (bug #1026293)
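Review bot: the two wireshark `CVE-2022-XXXX` entries get `[buster] - wireshark <postponed> (Minor issue)` while the bullseye line directly above each stays `<no-dsa>` with the identical reason text. `postponed` signals that a fix is still intended, so the parenthetical should say what is being waited for, the way the ffmpeg entry does with `wait until fixed in 4.3.x`; if nothing specific is awaited, the two suites should probably carry the same tag. Both entries are still placeholders (`CVE-2022-XXXX`) and will need the real identifiers once the wnpa-sec-2022-09 / -10 advisories are assigned CVEs. The jquery-minicolors addition at the top of the hunk simply mirrors bullseye and looks fine.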
@@ -5748,7 +5754,10 @@ CVE-2022-46393 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before
 	NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
 CVE-2022-46392 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 ...)
 	- mbedtls 2.28.2-1
+	[bullseye] - mbedtls <not-affected> (The vulnerable code was introduced later)
+	[buster] - mbedtls <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
+	NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/f385fcebee017973cf4137333628a78248f1f443
 CVE-2022-46391 (AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to print ...)
 	{DLA-3225-1}
 	- awstats 7.8-3 (bug #1025410)
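Review bot: the commit message says CVE-2022-46393, but the two `<not-affected>` lines and the `NOTE: Fixed by ... f385fcebee017973cf4137333628a78248f1f443` line are added under the CVE-2022-46392 entry: the hunk header only shows CVE-2022-46393 as context, and the added lines follow `CVE-2022-46392 (An issue was discovered in Mbed TLS before 2.28.2 ...)` / `- mbedtls 2.28.2-1`. Please confirm which entry was meant. If the not-affected assessment belongs to CVE-2022-46392, the commit message is wrong; if it belongs to CVE-2022-46393, the three lines need to move up into that entry. The `Fixed by` NOTE should sit beside whichever CVE that upstream commit actually resolves, since `The vulnerable code was introduced later` is only checkable against that specific commit.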
@@ -17392,6 +17401,7 @@ CVE-2022-43272 (DCMTK v3.6.7 was discovered to contain a memory leak via the T_A
 	[experimental] - dcmtk 3.6.8~git20221013.51be018-1
 	- dcmtk <unfixed>
 	[bullseye] - dcmtk <no-dsa> (Minor issue)
+	[buster] - dcmtk <no-dsa> (Minor issue)
 	NOTE: https://github.com/songxpu/bug_report/tree/master/DCMTK/memory_leak_in_3.6.7
 	NOTE: Fixed by: https://github.com/DCMTK/dcmtk/commit/c34f4e46e672ad21accf04da0dc085e43be6f5e1
 CVE-2022-43271 (Inhabit Systems Pty Ltd Move CRM version 4, build 260 was discovered t ...)
@@ -26404,6 +26414,7 @@ CVE-2022-3110 (An issue was discovered in the Linux kernel through 5.16-rc6. _rt
 CVE-2022-3109 (An issue was discovered in the FFmpeg through 3.0. vp3_decode_frame in ...)
 	- ffmpeg 7:5.1-1
 	[bullseye] - ffmpeg <postponed> (Minor issue, wait until fixed in 4.3.x)
+	[buster] - ffmpeg <postponed> (Minor issue, wait until fixed in 4.3.x)
 	NOTE: https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568 (n5.1)
 CVE-2022-3108 (An issue was discovered in the Linux kernel through 5.16-rc6. kfd_pars ...)
 	- linux 5.16.7-1
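Review bot: the new buster line copies the bullseye reason verbatim, `(Minor issue, wait until fixed in 4.3.x)`. The `4.3.x` reference describes the upstream branch bullseye tracks; if buster ships a different ffmpeg series, the parenthetical should name the branch a buster fix would actually wait on, otherwise the note misleads whoever triages buster later.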
@@ -65654,6 +65665,7 @@ CVE-2022-24440 (The package cocoapods-downloader before 1.6.0, from 1.6.2 and be
 CVE-2022-24439 (All versions of package gitpython are vulnerable to Remote Code Execut ...)
 	- python-git <unfixed>
 	[bullseye] - python-git <no-dsa> (Minor issue)
+	[buster] - python-git <no-dsa> (Minor issue)
 	NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
 	NOTE: https://github.com/gitpython-developers/GitPython/issues/1515
 CVE-2022-24438
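Review bot: the entry description reads `All versions of package gitpython are vulnerable to Remote Code Execut ...`, yet the new buster line, like the bullseye one, only says `<no-dsa> (Minor issue)`. A short clause in the parenthetical explaining why an RCE-class finding is treated as minor here (whatever the reason is; the Snyk and GitHub issue links in the NOTEs are the place to take it from) would spare the next person reopening this entry from re-deriving the assessment.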
@@ -73487,6 +73499,7 @@ CVE-2022-23528
 CVE-2022-23527 (mod_auth_openidc is an OpenID Certified™ authentication and auth ...)
 	- libapache2-mod-auth-openidc 2.4.12.2-1 (bug #1026444)
 	[bullseye] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
+	[buster] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
 	NOTE: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
 	NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8 (v2.4.12.2)
 CVE-2022-23526 (Helm is a tool for managing Charts, pre-configured Kubernetes resource ...)


=====================================
data/dla-needed.txt
=====================================
@@ -45,6 +45,10 @@ erlang
 exiv2 (Helmut Grohne)
   NOTE: 20221119: Programming language: C.
 --
+exuberant-ctags
+  NOTE: 20221225: Programming language: C.
+  NOTE: 20221225: Special attention: Needs further investigation.
+--
 firmware-nonfree (Markus Koschany)
   NOTE: 20220906: Consider to check the severity of the issues again and judge whether a correction is worth it.
   NOTE: 20221204: Coming soon in the first week of December. (apo)
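Review bot: `Special attention: Needs further investigation.` in the new exuberant-ctags entry does not say what needs investigating. Other entries in this file record the concrete doubt (for example the nodejs note `Source code not checked. It may be so that the vulnerability is not present in buster.`); naming the CVE or the open question here would let the claimant start from it instead of rediscovering it.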
@@ -99,6 +103,9 @@ lava
 libapreq2
   NOTE: 20221031: Programming language: C.
 --
+libcommons-net-java
+  NOTE: 20221225: Programming language: Java.
+--
 libde265
   NOTE: 20221107: Programming language: C++.
   NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk)
@@ -109,6 +116,13 @@ libetpan (Utkarsh)
   NOTE: 20221203: Programming language: C++.
   NOTE: 20221203: VCS: https://salsa.debian.org/lts-team/packages/libetpan.git
 --
+libitext5-java
+  NOTE: 20221225: Programming language: Java.
+--
+libjettison-java
+  NOTE: 20221225: Programming language: Java.
+  NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/libjettison-java.git
+--
 libreoffice
   NOTE: 20221012: Programming language: C++.
 --
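Review bot: within this hunk, libjettison-java gets a `VCS:` NOTE pointing at its lts-team salsa repository but libitext5-java does not, and the libcommons-net-java entry added earlier in the same file is likewise language-only. If these packages also live under `lts-team/packages/`, adding the same VCS line keeps the entries uniform; if they do not, a note saying where the packaging is maintained saves the claimant a lookup.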
@@ -151,6 +165,11 @@ netatalk (gladk)
   NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk
   NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. (gladk)
 --
+netty
+  NOTE: 20221225: Programming language: Java.
+  NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/netty.git
+  NOTE: 20221225: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/netty.html
+--
 nextcloud-desktop
   NOTE: 20221128: Programming language: C++.
   NOTE: 20221128: VCS: https://salsa.debian.org/owncloud-team/nextcloud-desktop
@@ -197,6 +216,9 @@ nodejs
   NOTE: 20221105: Source code not checked. It may be so that the vulnerability is not present in buster.
   NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/nodejs.html
 --
+nvidia-graphics-drivers
+  NOTE: 20221225: Programming language: binary blob.
+--
 php-cas
   NOTE: 20221105: Programming language: PHP.
   NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola)
@@ -289,6 +311,14 @@ xdg-utils
   NOTE: 20221120: Programming language: C.
   NOTE: 20221120: no real fix yet
 --
+xorg-server
+  NOTE: 20221225: Programming language: C.
+  NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xorg-server.git
+--
+xrdp
+  NOTE: 20221225: Programming language: C.
+  NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git
+--
 zabbix
   NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be fixed in buster too.
   NOTE: 20221209: Programming language: C.



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f81f60f927e0b7ae652594f1c540897eee39d720...174b3d71edba4b1c58f513b14b19a4bef4b0bb81


