[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Dec 26 08:10:22 GMT 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
352308ae by security tracker role at 2022-12-26T08:10:12+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,27 @@
+CVE-2022-4741 (A vulnerability was found in docconv up to 1.2.0 and classified as pro ...)
+ TODO: check
+CVE-2022-4740 (A vulnerability, which was classified as problematic, has been found i ...)
+ TODO: check
+CVE-2022-4739 (A vulnerability classified as critical was found in SourceCodester Sch ...)
+ TODO: check
+CVE-2022-4738 (A vulnerability classified as problematic has been found in SourceCode ...)
+ TODO: check
+CVE-2022-4737 (A vulnerability was found in SourceCodester Blood Bank Management Syst ...)
+ TODO: check
+CVE-2022-4736 (A vulnerability was found in Venganzas del Pasado and classified as pr ...)
+ TODO: check
+CVE-2021-4280 (A vulnerability was found in styler_praat_scripts. It has been classif ...)
+ TODO: check
+CVE-2021-4279 (A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3. ...)
+ TODO: check
+CVE-2020-36632 (A vulnerability, which was classified as critical, was found in hughsk ...)
+ TODO: check
+CVE-2020-36631 (A vulnerability was found in barronwaffles dwc_network_server_emulator ...)
+ TODO: check
+CVE-2020-36630 (A vulnerability was found in FreePBX cdr 14.0. It has been classified ...)
+ TODO: check
+CVE-2019-25085 (A vulnerability was found in GNOME gvdb. It has been classified as cri ...)
+ TODO: check
CVE-2022-4735 (A vulnerability classified as problematic was found in asrashley dash- ...)
NOT-FOR-US: asrashley dash-live
CVE-2021-4278 (A vulnerability classified as problematic has been found in cronvel tr ...)
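Review bot: all twelve new entries land as "TODO: check"; the trailing context shows the previous entry from the same batch (CVE-2022-4735, asrashley dash-live) already triaged to NOT-FOR-US, so a triage pass over these is the natural follow-up. Two of them, CVE-2019-25085 (GNOME gvdb) and CVE-2020-36630 (FreePBX cdr), name a GNOME library and a FreePBX module rather than a stand-alone web application and deserve an explicit package-level verdict instead of a blanket NOT-FOR-US; for the others the stored description is truncated, so the full CVE text has to be consulted before each one is closed.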
@@ -160,35 +184,35 @@ CVE-2022-4682
RESERVED
CVE-2022-4681
RESERVED
-CVE-2022-47943 (An issue was discovered in ksmbd in the Linux kernel before 5.19.2. Th ...)
+CVE-2022-47943 (An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 ...)
- linux 5.19.6-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/ac60778b87e45576d7bfdbd6f53df902654e6f09 (6.0-rc1)
-CVE-2022-47942 (An issue was discovered in ksmbd in the Linux kernel before 5.19.2. Th ...)
+CVE-2022-47942 (An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 ...)
- linux 5.19.6-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/8f0541186e9ad1b62accc9519cc2b7a7240272a7 (6.0-rc1)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-CAN-17771/
-CVE-2022-47941 (An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs ...)
+CVE-2022-47941 (An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 ...)
- linux 5.19.6-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/aa7253c2393f6dcd6a1468b0792f6da76edad917 (6.0-rc1)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-CAN-17815/
-CVE-2022-47940 (An issue was discovered in ksmbd in the Linux kernel before 5.18.18. f ...)
+CVE-2022-47940 (An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18 ...)
- linux 5.19.6-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/158a66b245739e15858de42c0ba60fcf3de9b8e6 (5.19-rc1)
-CVE-2022-47939 (An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs ...)
+CVE-2022-47939 (An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 ...)
- linux 5.19.6-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/cf6531d98190fa2cf92a6d8bbc8af0a4740a223c (6.0-rc1)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-CAN-17816
-CVE-2022-47938 (An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs ...)
+CVE-2022-47938 (An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 ...)
- linux 5.19.6-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
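Review bot: the revised descriptions narrow the affected range to "5.15 through 5.19" (5.18 for CVE-2022-47940) while the Debian lines are left untouched: fixed in linux 5.19.6-1, bullseye and buster not-affected with "Vulnerable code not present". That is consistent with the narrowed range, but four of the visible upstream fix NOTEs are tagged 6.0-rc1 whereas the Debian fixed version is 5.19.6-1, so the fix reached 5.19.x through a stable backport, which the old "before 5.19.2" wording captured and the new wording no longer does. Adding a NOTE with the 5.19.x stable commit (or the stable release that carried it) to each of these entries would keep the 5.19.6-1 verdict traceable now that the description no longer states it.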
@@ -467,7 +491,7 @@ CVE-2021-4266 (A vulnerability classified as problematic has been found in Webde
NOT-FOR-US: Webdetails cpf
CVE-2021-4265 (A vulnerability was found in siwapp-ror. It has been rated as problema ...)
NOT-FOR-US: siwapp-ror
-CVE-2021-4264 (A vulnerability was found in LinkedIn dustjs 3.0.0 and classified as p ...)
+CVE-2021-4264 (A vulnerability was found in LinkedIn dustjs up to 2.x and classified ...)
NOT-FOR-US: dustjs
CVE-2021-4263 (A vulnerability, which was classified as problematic, has been found i ...)
NOT-FOR-US: leanote
@@ -21484,8 +21508,7 @@ CVE-2022-3355 (Cross-site Scripting (XSS) - Stored in GitHub repository inventre
NOT-FOR-US: inventree
CVE-2022-41768
RESERVED
-CVE-2022-41767 [mediawiki: reassignEdits doesn't update results in an IP range check on Special:Contributions]
- RESERVED
+CVE-2022-41767 (An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x ...)
{DSA-5246-1 DLA-3148-1}
- mediawiki 1:1.35.8-1
NOTE: https://phabricator.wikimedia.org/T316304
@@ -21494,8 +21517,7 @@ CVE-2022-41766 [mediawiki: On action=rollback the message "alreadyrolled" can le
RESERVED
- mediawiki <not-affected> (Vulnerable code not present, only affects 1.37 and later)
NOTE: https://phabricator.wikimedia.org/T307278
-CVE-2022-41765 [mediawiki: HTMLUserTextField exposes existence of hidden users]
- RESERVED
+CVE-2022-41765 (An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x ...)
{DSA-5246-1 DLA-3148-1}
- mediawiki 1:1.35.8-1
NOTE: https://phabricator.wikimedia.org/T309894
@@ -33284,20 +33306,20 @@ CVE-2022-37315 (graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recur
NOT-FOR-US: graphql-go
CVE-2022-37314
RESERVED
-CVE-2022-37313
- RESERVED
-CVE-2022-37312
- RESERVED
-CVE-2022-37311
- RESERVED
-CVE-2022-37310
- RESERVED
-CVE-2022-37309
- RESERVED
-CVE-2022-37308
- RESERVED
-CVE-2022-37307
- RESERVED
+CVE-2022-37313 (OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protecti ...)
+ TODO: check
+CVE-2022-37312 (OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via ...)
+ TODO: check
+CVE-2022-37311 (OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via ...)
+ TODO: check
+CVE-2022-37310 (OX App Suite through 7.10.6 allows XSS via a malicious capability to t ...)
+ TODO: check
+CVE-2022-37309 (OX App Suite through 7.10.6 allows XSS via script code within a contac ...)
+ TODO: check
+CVE-2022-37308 (OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail m ...)
+ TODO: check
+CVE-2022-37307 (OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, ...)
+ TODO: check
CVE-2022-37306
RESERVED
CVE-2022-37305 (The Remote Keyless Entry (RKE) receiving unit on certain Honda vehicle ...)
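Review bot: the seven OX App Suite 7.10.6 entries are left at "TODO: check", but this same patch already records the tracker's verdict for that product: CVE-2022-31468 and CVE-2022-29851 (context lines in the hunks at 49383 and 54117) are "NOT-FOR-US: OX App Suite", and the three new OX entries in those hunks (CVE-2022-31469, CVE-2022-29853, CVE-2022-29852) are in the same pending state. Unless a Debian package embeds OX components, all ten can be closed with "NOT-FOR-US: OX App Suite" in one follow-up rather than being picked up individually.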
@@ -33757,6 +33779,7 @@ CVE-2022-37157
CVE-2022-37156
RESERVED
CVE-2022-37155 (RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to ...)
+ {DSA-5190-1}
- spip 4.1.5+dfsg-1
NOTE: https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-1-5-SPIP-4-0-8-et-SPIP-3-2-16.html
NOTE: https://spawnzii.github.io/posts/2022/07/how-we-have-pwned-root-me-in-2022/
@@ -38298,6 +38321,7 @@ CVE-2022-35410 (mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows .
NOTE: https://0xacab.org/jvoisin/mat2/-/issues/174
NOTE: https://dustri.org/b/mat2-0130.html
CVE-2022-35409 (An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0 ...)
+ {DLA-3249-1}
- mbedtls 2.28.1-1
[bullseye] - mbedtls <no-dsa> (Minor issue)
NOTE: https://github.com/Mbed-TLS/mbedtls-docs/blob/5e9790353d2d9e41e85262eebe52fd90bb49f1e0/security-advisories/advisories/mbedtls-security-advisory-2022-07.md
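Review bot: the DLA-3249-1 reference is inserted above the "- mbedtls 2.28.1-1" fixed-version line while "[bullseye] - mbedtls <no-dsa> (Minor issue)" stays as it is. That is consistent (buster gets an LTS update, bullseye keeps the no-dsa verdict), but with buster now fixed through a DLA the bullseye status becomes the odd one out; if the fix is also intended for a bullseye point release nothing in this entry records it, so the bullseye plan is worth confirming when the DLA is published. The same pattern recurs for CVE-2021-44732, CVE-2021-43666 and CVE-2021-24119 in later hunks of this patch.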
@@ -49359,8 +49383,8 @@ CVE-2022-1837 (A vulnerability was found in Home Clean Services Management Syste
NOT-FOR-US: Home Clean Services Management System
CVE-2022-31470 (An XSS vulnerability in the index_mobile_changepass.hsp reset-password ...)
NOT-FOR-US: Axigen Mobile WebMail
-CVE-2022-31469
- RESERVED
+CVE-2022-31469 (OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrate ...)
+ TODO: check
CVE-2022-31468 (OX App Suite through 8.2 allows XSS via an attachment or OX Drive cont ...)
NOT-FOR-US: OX App Suite
CVE-2022-31467 (A DLL hijacking vulnerability in the installed for Quick Heal Total Se ...)
@@ -52916,8 +52940,8 @@ CVE-2022-30262 (The Emerson ControlWave 'Next Generation' RTUs through 2022-05-0
NOT-FOR-US: Emerson
CVE-2022-30261
RESERVED
-CVE-2022-30260
- RESERVED
+CVE-2022-30260 (Emerson DeltaV Distributed Control System (DCS) has insufficient verif ...)
+ TODO: check
CVE-2022-1588
REJECTED
CVE-2022-1587 (An out-of-bounds read vulnerability was discovered in the PCRE2 librar ...)
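Review bot: CVE-2022-30260 stays at "TODO: check" although the hunk header's context entry, CVE-2022-30262 (Emerson ControlWave), is already "NOT-FOR-US: Emerson"; DeltaV is the same vendor's control-system product, so the same verdict applies unless the full description turns out to name a component Debian ships.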
@@ -54093,10 +54117,10 @@ CVE-2022-29855 (Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27
NOT-FOR-US: Mitel
CVE-2022-29854 (A vulnerability in Mitel 6900 Series IP (MiNet) phones excluding 6970, ...)
NOT-FOR-US: Mitel
-CVE-2022-29853
- RESERVED
-CVE-2022-29852
- RESERVED
+CVE-2022-29853 (OX App Suite through 8.2 allows XSS via a certain complex hierarchy th ...)
+ TODO: check
+CVE-2022-29852 (OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-f ...)
+ TODO: check
CVE-2022-29851 (documentconverter in OX App Suite through 7.10.6, in a non-default con ...)
NOT-FOR-US: OX App Suite
CVE-2022-29850 (Various Lexmark products through 2022-04-27 allow an attacker who has ...)
@@ -62698,8 +62722,8 @@ CVE-2022-26971 (Barco Control Room Management Suite web application, which is pa
NOT-FOR-US: Barco Control Room Management Suite
CVE-2022-26970
RESERVED
-CVE-2022-26969
- RESERVED
+CVE-2022-26969 (In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS ...)
+ TODO: check
CVE-2022-26968
RESERVED
CVE-2022-26967 (GPAC 2.0 allows a heap-based buffer overflow in gf_base64_encode. It c ...)
@@ -62717,8 +62741,8 @@ CVE-2022-26966 (An issue was discovered in the Linux kernel before 5.16.12. driv
NOTE: https://git.kernel.org/linus/e9da0b56fe27206b49f39805f7dcda8a89379062 (5.17-rc6)
CVE-2022-26965 (In Pluck 4.7.16, an admin user can use the theme upload functionality ...)
NOT-FOR-US: Pluck CMS
-CVE-2022-26964
- RESERVED
+CVE-2022-26964 (Weak password derivation for export in Devolutions Remote Desktop Mana ...)
+ TODO: check
CVE-2022-26963
RESERVED
CVE-2022-26962
@@ -71190,16 +71214,16 @@ CVE-2022-24122 (kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when un
[stretch] - linux <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2022/01/29/1
NOTE: https://git.kernel.org/linus/f9d87929d451d3e649699d0f1d74f71f77ad38f5
-CVE-2022-24120
- RESERVED
-CVE-2022-24119
- RESERVED
-CVE-2022-24118
- RESERVED
-CVE-2022-24117
- RESERVED
-CVE-2022-24116
- RESERVED
+CVE-2022-24120 (Certain General Electric Renewable Energy products store cleartext cre ...)
+ TODO: check
+CVE-2022-24119 (Certain General Electric Renewable Energy products have a hidden featu ...)
+ TODO: check
+CVE-2022-24118 (Certain General Electric Renewable Energy products allow attackers to ...)
+ TODO: check
+CVE-2022-24117 (Certain General Electric Renewable Energy products download firmware w ...)
+ TODO: check
+CVE-2022-24116 (Certain General Electric Renewable Energy products have inadequate enc ...)
+ TODO: check
CVE-2022-24115 (Local privilege escalation due to unrestricted loading of unsigned lib ...)
NOT-FOR-US: Acronis
CVE-2022-24114 (Local privilege escalation due to race condition on application startu ...)
@@ -80001,10 +80025,10 @@ CVE-2021-45469 (In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel throug
NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=215235
CVE-2021-45468 (Imperva Web Application Firewall (WAF) before 2021-12-23 allows remote ...)
NOT-FOR-US: Imperva Web Application Firewall
-CVE-2021-45467
- RESERVED
-CVE-2021-45466
- RESERVED
+CVE-2021-45467 (In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, ...)
+ TODO: check
+CVE-2021-45466 (In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, ...)
+ TODO: check
CVE-2021-45465
RESERVED
CVE-2021-4160 (There is a carry propagation bug in the MIPS32 and MIPS64 squaring pro ...)
@@ -81605,6 +81629,7 @@ CVE-2021-4131 (livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2021-4130 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...)
- snipe-it <itp> (bug #1005172)
CVE-2021-4129 (Mozilla developers and community members Julian Hector, Randell Jesup, ...)
+ {DSA-5034-1 DSA-5026-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -82637,23 +82662,20 @@ CVE-2021-44857 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x befor
[stretch] - mediawiki <not-affected> (Vulnerable code not present)
NOTE: https://phabricator.wikimedia.org/T297322
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
-CVE-2021-44856 [Title blocked in AbuseFilter can be created via Special:ChangeContentModel]
- RESERVED
+CVE-2021-44856 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...)
{DSA-5246-1 DLA-3117-1}
- mediawiki 1:1.35.5-1
[stretch] - mediawiki <postponed> (Minor issue)
NOTE: https://phabricator.wikimedia.org/T271037
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
-CVE-2021-44855 [Blind Stored XSS in VisualEditor media dialog]
- RESERVED
+CVE-2021-44855 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...)
{DSA-5246-1}
- mediawiki 1:1.35.5-1
[buster] - mediawiki <not-affected> (Vulnerable code not present)
[stretch] - mediawiki <not-affected> (Vulnerable code not present)
NOTE: https://phabricator.wikimedia.org/T293589
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
-CVE-2021-44854 [REST API incorrectly publicly caches autocomplete search results from private wikis]
- RESERVED
+CVE-2021-44854 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...)
{DSA-5246-1}
- mediawiki 1:1.35.5-1
[buster] - mediawiki <not-affected> (Vulnerable code not present)
@@ -83056,8 +83078,7 @@ CVE-2021-4082 (pimcore is vulnerable to Cross-Site Request Forgery (CSRF) ...)
NOT-FOR-US: Pimcore
CVE-2021-4081 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...)
NOT-FOR-US: Pimcore
-CVE-2021-44758 [spnego: send_reject when no mech selected]
- RESERVED
+CVE-2021-44758 (Heimdal before 7.7.1 allows attackers to cause a NULL pointer derefere ...)
{DSA-5287-1 DLA-3206-1}
- heimdal 7.8.git20221115.a6cf945+dfsg-1 (bug #1024187)
NOTE: https://github.com/heimdal/heimdal/security/advisories/GHSA-69h9-669w-88xv
@@ -83171,6 +83192,7 @@ CVE-2021-44733 (A use-after-free exists in drivers/tee/tee_shm.c in the TEE subs
[stretch] - linux <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2030747
CVE-2021-44732 (Mbed TLS before 3.0.1 has a double free in certain out-of-memory condi ...)
+ {DLA-3249-1}
[experimental] - mbedtls 2.28.0-0.1
- mbedtls 2.28.0-0.3 (bug #1002631)
[bullseye] - mbedtls <no-dsa> (Minor issue)
@@ -87645,6 +87667,7 @@ CVE-2021-43668 (Go-Ethereum 1.10.9 nodes crash (denial of service) after receivi
CVE-2021-43667 (A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0 ...)
NOT-FOR-US: HyperLedger
CVE-2021-43666 (A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier ...)
+ {DLA-3249-1}
- mbedtls 2.28.0-1
[bullseye] - mbedtls <no-dsa> (Minor issue)
NOTE: https://github.com/ARMmbed/mbedtls/issues/5136
@@ -88523,8 +88546,8 @@ CVE-2021-43398 (** DISPUTED ** Crypto++ (aka Cryptopp) 8.6.0 and earlier contain
NOTE: https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222
CVE-2021-43397 (LiquidFiles before 3.6.3 allows remote attackers to elevate their priv ...)
NOT-FOR-US: LiquidFiles
-CVE-2021-43395
- RESERVED
+CVE-2021-43395 (An issue was discovered in illumos before f859e7171bb5db34321e45585839 ...)
+ TODO: check
CVE-2021-43394 (Unisys OS 2200 Messaging Integration Services (NTSI) 7R3B IC3 and IC4, ...)
NOT-FOR-US: Unisys
CVE-2021-43393 (STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes ...)
@@ -101038,8 +101061,8 @@ CVE-2021-39371 (An XML external entity (XXE) injection in PyWPS before 4.4.5 all
NOTE: https://github.com/geopython/pywps/pull/616
CVE-2021-39370
RESERVED
-CVE-2021-39369
- RESERVED
+CVE-2021-39369 (In Philips (formerly Carestream) Vue MyVue PACS through 12.2.x.x, the ...)
+ TODO: check
CVE-2021-39368 (Canon Oce Print Exec Workgroup 1.3.2 allows XSS via the lang parameter ...)
NOT-FOR-US: Canon Oce Print Exec Workgroup
CVE-2021-39367 (Canon Oce Print Exec Workgroup 1.3.2 allows Host header injection. ...)
@@ -101056,7 +101079,7 @@ CVE-2021-39364 (Honeywell HDZP252DI 1.00.HW02.4 and HBW2PER1 1.000.HW01.3 device
CVE-2021-39363 (Honeywell HDZP252DI 1.00.HW02.4 and HBW2PER1 1.000.HW01.3 devices allo ...)
NOT-FOR-US: Honeywell
CVE-2020-36478 (An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 L ...)
- {DLA-2826-1}
+ {DLA-3249-1 DLA-2826-1}
- mbedtls 2.16.9-0.1
NOTE: https://github.com/ARMmbed/mbedtls/issues/3629
NOTE: https://github.com/ARMmbed/mbedtls/commit/ca17ebfbc02b57e2bcb42efe64a5f2002c756ea8 (development)
@@ -101069,12 +101092,12 @@ CVE-2020-36477 (An issue was discovered in Mbed TLS before 2.24.0. The verificat
NOTE: https://github.com/ARMmbed/mbedtls/issues/3498
NOTE: https://github.com/ARMmbed/mbedtls/commit/f3e4bd8632b71dc491e52e6df87dc3e409d2b869 (development)
CVE-2020-36476 (An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 L ...)
- {DLA-2826-1}
+ {DLA-3249-1 DLA-2826-1}
- mbedtls 2.16.9-0.1
NOTE: https://github.com/ARMmbed/mbedtls/commit/a321413807927d6e295cec8677733bbde6aeec34 (development)
NOTE: https://github.com/ARMmbed/mbedtls/commit/ef73875913c66767e7a954aa0b68f42f0756d9b2 (mbedtls-2.7)
CVE-2020-36475 (An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 L ...)
- {DLA-2826-1}
+ {DLA-3249-1 DLA-2826-1}
- mbedtls 2.16.9-0.1
NOTE: https://github.com/ARMmbed/mbedtls/commit/9246d041500b96fb0694cbda1d833e420696827e
CVE-2021-39362 (An XSS issue was discovered in ReCaptcha Solver 5.7. A response from A ...)
@@ -103059,8 +103082,7 @@ CVE-2021-38562 (Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 befor
NOTE: https://github.com/bestpractical/rt/commit/70749bb66cb13dd70bd53340c371038a5f3ca57c (rt-5.0.2)
NOTE: https://github.com/bestpractical/rt/commit/d16f8cf13c2af517ee55a85e7b91a0267477189f (rt-4.4.5)
NOTE: https://github.com/bestpractical/rt/commit/d16f8cf13c2af517ee55a85e7b91a0267477189f (rt-4.2.17)
-CVE-2021-38561
- RESERVED
+CVE-2021-38561 (golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic ...)
- golang-golang-x-text 0.3.7-1
- golang-x-text <removed>
[buster] - golang-x-text <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
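Review bot: the published description for CVE-2021-38561 replaces the RESERVED placeholder, but unlike the adjacent Request Tracker entry (three NOTE lines with upstream commits) it carries no NOTE pointing at the upstream fix. The entry already records golang-golang-x-text 0.3.7-1 as fixed, golang-x-text as removed and buster as postponed, so a NOTE with the x/text fix reference would make those verdicts verifiable against upstream.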
@@ -107696,24 +107718,30 @@ CVE-2020-36427 (GNOME gThumb before 3.10.1 allows an application crash via a mal
NOTE: https://github.com/GNOME/gthumb/commit/e79b4519cc6e27388ddd3f095e97d1559cb47616
NOTE: Crash in CLI tool, no security impact
CVE-2020-36426 (An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_cr ...)
+ {DLA-3249-1}
- mbedtls 2.16.9-0.1
[stretch] - mbedtls <no-dsa> (Minor issue)
CVE-2020-36425 (An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly ...)
+ {DLA-3249-1}
- mbedtls 2.16.9-0.1
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://github.com/ARMmbed/mbedtls/issues/3340
NOTE: https://github.com/ARMmbed/mbedtls/pull/3433
CVE-2020-36424 (An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can ...)
+ {DLA-3249-1}
- mbedtls 2.16.9-0.1
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
CVE-2020-36423 (An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attack ...)
+ {DLA-3249-1}
- mbedtls 2.16.9-0.1
[stretch] - mbedtls <no-dsa> (Minor issue)
CVE-2020-36422 (An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel ...)
+ {DLA-3249-1}
- mbedtls 2.16.9-0.1
[stretch] - mbedtls <no-dsa> (Minor issue)
CVE-2020-36421 (An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a si ...)
+ {DLA-3249-1}
- mbedtls 2.16.9-0.1
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://github.com/ARMmbed/mbedtls/issues/3394
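Review bot: DLA-3249-1 is added to six Mbed TLS entries here, each with fixed version 2.16.9-0.1 and "[stretch] - mbedtls <no-dsa> (Minor issue)", but three of them (CVE-2020-36426, CVE-2020-36423, CVE-2020-36422) carry no NOTE line at all, whereas CVE-2020-36425, CVE-2020-36424 and CVE-2020-36421 reference the upstream issue, pull request or advisory. Adding the upstream reference to the three bare entries would let the DLA backport be checked against the upstream fix.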
@@ -109810,14 +109838,14 @@ CVE-2021-35956 (Stored cross-site scripting (XSS) in the embedded webserver of A
NOT-FOR-US: AKCP sensorProbe
CVE-2021-35955 (Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML fi ...)
NOT-FOR-US: Contao CMS
-CVE-2021-35954
- RESERVED
-CVE-2021-35953
- RESERVED
-CVE-2021-35952
- RESERVED
-CVE-2021-35951
- RESERVED
+CVE-2021-35954 (fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows physic ...)
+ TODO: check
+CVE-2021-35953 (fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a Remo ...)
+ TODO: check
+CVE-2021-35952 (fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a Remo ...)
+ TODO: check
+CVE-2021-35951 (fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows an Una ...)
+ TODO: check
CVE-2021-35950
RESERVED
CVE-2021-35949 (The shareinfo controller in the ownCloud Server before 10.8.0 allows a ...)
@@ -111836,8 +111864,8 @@ CVE-2021-3612 (An out-of-bounds memory write flaw was found in the Linux kernel'
NOTE: Introduced by: https://lore.kernel.org/linux-input/20210219083215.GS2087@kadam/
CVE-2021-35066 (An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.13 ...)
NOT-FOR-US: ConnectWise Automate
-CVE-2021-35065
- RESERVED
+CVE-2021-35065 (The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular ...)
+ TODO: check
CVE-2021-35064 (KramerAV VIAWare, all tested versions, allow privilege escalation thro ...)
NOT-FOR-US: KramerAV VIAWare
CVE-2021-35063 (Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion." ...)
@@ -124774,8 +124802,8 @@ CVE-2021-30136
RESERVED
CVE-2021-30135
RESERVED
-CVE-2021-30134
- RESERVED
+CVE-2021-30134 (php-mod/curl (a wrapper of the PHP cURL extension) before 2.3.2 allows ...)
+ TODO: check
CVE-2021-30133 (A cross-site scripting (XSS) vulnerability in CloverDX Server 5.9.0, C ...)
NOT-FOR-US: CloverDX
CVE-2021-30132 (Cloudera Manager 7.2.4 has Incorrect Access Control, allowing Escalati ...)
@@ -139623,7 +139651,7 @@ CVE-2021-24121
CVE-2021-24120
RESERVED
CVE-2021-24119 (In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in b ...)
- {DLA-2826-1}
+ {DLA-3249-1 DLA-2826-1}
- mbedtls 2.16.11-0.1
[bullseye] - mbedtls <no-dsa> (Minor issue)
NOTE: Fixed in 2.26.0: https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0
@@ -188525,6 +188553,7 @@ CVE-2020-16152 (The NetConfig UI administrative interface in Extreme Networks Ex
CVE-2020-16151
RESERVED
CVE-2020-16150 (A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/s ...)
+ {DLA-3249-1}
- mbedtls 2.16.9-0.1 (bug #972806)
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
@@ -204027,6 +204056,7 @@ CVE-2020-10942 (In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhos
- linux 5.5.13-1
NOTE: https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4)
CVE-2020-10941 (Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive inform ...)
+ {DLA-3249-1}
- mbedtls 2.16.5-1
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02
@@ -204070,6 +204100,7 @@ CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x throu
NOTE: Introduced around https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc
NOTE: and https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc
CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before ...)
+ {DLA-3249-1}
- mbedtls 2.16.9-0.1 (bug #963159)
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
@@ -234741,6 +234772,7 @@ CVE-2019-18224 (idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has
CVE-2019-18223 (ZOOM International Call Recording 6.3.1 suffers from multiple authenti ...)
NOT-FOR-US: ZOOM International Call Recording
CVE-2019-18222 (The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 a ...)
+ {DLA-3249-1}
- mbedtls 2.16.4-1
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12
@@ -239188,6 +239220,7 @@ CVE-2019-16912
CVE-2019-16911
RESERVED
CVE-2019-16910 (Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when dete ...)
+ {DLA-3249-1}
- mbedtls 2.16.3-1 (bug #941265)
[stretch] - mbedtls <no-dsa> (Minor issue)
- polarssl <removed>
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/352308aee612f535bf87ee18ed47bc88c0d3e5a8