[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: claim node-loader-utils in dla-needed.txt
Guilhem Moulin (@guilhem)
guilhem at debian.org
Sat Dec 31 00:57:07 GMT 2022
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d072b919 by Guilhem Moulin at 2022-12-31T01:22:42+01:00
LTS: claim node-loader-utils in dla-needed.txt
- - - - -
c331f310 by Guilhem Moulin at 2022-12-31T01:35:15+01:00
Mark CVE-2022-{37599,37603} as not affecting buster.
- - - - -
cbc43eee by Guilhem Moulin at 2022-12-31T01:56:18+01:00
Reserve DLA-3252-1 for cacti
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -33637,6 +33637,7 @@ CVE-2022-37604
CVE-2022-37603 (A Regular expression denial of service (ReDoS) flaw was found in Funct ...)
- node-loader-utils 2.0.4-1
[bullseye] - node-loader-utils 2.0.0-1+deb11u1
+ [buster] - node-loader-utils <not-affected> (Vulnerable regex introduced in upstream v1.2.0)
NOTE: https://github.com/webpack/loader-utils/issues/213
NOTE: https://github.com/webpack/loader-utils/pull/225
NOTE: https://github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb (v2.0.4)
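Review bot: the rationale on the `+ [buster] - node-loader-utils <not-affected>` line names the upstream version that introduced the regex (v1.2.0) but not the buster package version it was compared against, so the verdict cannot be checked from the entry alone; consider extending the parenthetical to `(Vulnerable regex introduced in upstream v1.2.0, buster has <buster version>)` so a later reader does not have to look up the buster version to verify it.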
@@ -33652,6 +33653,7 @@ CVE-2022-37600
CVE-2022-37599 (A Regular expression denial of service (ReDoS) flaw was found in Funct ...)
- node-loader-utils 2.0.4-1
[bullseye] - node-loader-utils 2.0.0-1+deb11u1
+ [buster] - node-loader-utils <not-affected> (Vulnerable regex introduced in upstream v1.2.0)
NOTE: https://github.com/webpack/loader-utils/issues/211
NOTE: https://github.com/webpack/loader-utils/pull/225
NOTE: https://github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb (v2.0.4)
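Review bot: the `+ [buster]` not-affected line for CVE-2022-37599 carries a rationale that is byte-identical to the one for CVE-2022-37603 and likewise omits the buster version; since both entries already point at the same fixing commit (ac09944dfacd7c4497ef692894b09e63e09a5eeb, v2.0.4), a NOTE naming the upstream commit that introduced the regex in v1.2.0 would make both not-affected verdicts reproducible rather than asserted.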
@@ -67515,7 +67517,6 @@ CVE-2022-21209 (The affected product is vulnerable to an out-of-bounds read whil
CVE-2022-0730 (Under certain ldap conditions, Cacti authentication can be bypassed wi ...)
{DSA-5298-1 DLA-2965-1}
- cacti 1.2.20+ds1-1 (bug #1008693)
- [buster] - cacti <no-dsa> (Minor issue)
NOTE: https://github.com/Cacti/cacti/issues/4562
NOTE: https://github.com/Cacti/cacti/commit/1386bdbf7f845a32e24ac9415f3ebb7932e77fe7 (1.2.x)
NOTE: https://github.com/Cacti/cacti/commit/8694bf28edad723585915a97b95fbf5b1816a02b (1.2.x)
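Review bot: removing `[buster] - cacti <no-dsa> (Minor issue)` leaves the brace line `{DSA-5298-1 DLA-2965-1}` as the only buster status for CVE-2022-0730, while the new DLA-3252-1 entry in data/DLA/list also lists this CVE; when the advisory is published, add DLA-3252-1 to the braces so that CVE/list and DLA/list agree on which DLA fixes buster.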
@@ -168869,7 +168870,6 @@ CVE-2020-25707
REJECTED
CVE-2020-25706 (A cross-site scripting (XSS) vulnerability exists in templates_import. ...)
- cacti 1.2.14+ds1-1
- [buster] - cacti <no-dsa> (Minor issue)
[stretch] - cacti <not-affected> (Vulnerable code introduced in 1.0.0)
NOTE: https://github.com/Cacti/cacti/issues/3723
NOTE: https://github.com/Cacti/cacti/commit/39458efcd5286d50e6b7f905fedcdc1059354e6e
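Review bot: this entry has no `{DLA-...}` brace line at all, so after the `-  [buster] - cacti <no-dsa>` removal nothing in CVE/list records a buster status for CVE-2020-25706 until DLA-3252-1 is published; make sure the brace reference is added at release time. The `[stretch] - cacti <not-affected> (Vulnerable code introduced in 1.0.0)` line is untouched and remains consistent with a buster fix.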
@@ -174719,7 +174719,6 @@ CVE-2020-23227
CVE-2020-23226 (Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1. ...)
{DLA-2965-1}
- cacti 1.2.13+ds1-1
- [buster] - cacti <no-dsa> (Minor issues)
NOTE: https://github.com/Cacti/cacti/issues/3549
NOTE: https://github.com/Cacti/cacti/commit/8d5fbc48debddc91a66b5aed877060566c6b6232 (1.2.13)
NOTE: https://github.com/Cacti/cacti/commit/74c011ba8635902713c530ded90bc0a045ca461d (1.2.13)
@@ -210836,7 +210835,6 @@ CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext H
NOTE: https://github.com/lxc/lxc/pull/1371 for the lxc-fedora template.
CVE-2020-8813 (graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute a ...)
- cacti 1.2.10+ds1-1 (bug #951832)
- [buster] - cacti <no-dsa> (Minor issue)
[stretch] - cacti <not-affected> (Vulnerable code not present)
[jessie] - cacti <not-affected> (Vulnerable code not present)
NOTE: https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129
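Review bot: the only NOTE left on the CVE-2020-8813 entry is a third-party gist, not an upstream fix reference, whereas every other cacti entry in this patch cites the Cacti commit(s) that fixed it; since the buster fix is now going out via DLA-3252-1, a NOTE pointing at the upstream issue or commit for graph_realtime.php would document what was backported. No such reference is visible in the hunk, so I cannot propose a specific one.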
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[31 Dec 2022] DLA-3252-1 cacti - security update
+ {CVE-2020-8813 CVE-2020-23226 CVE-2020-25706 CVE-2022-0730 CVE-2022-46169}
+ [buster] - cacti 1.2.2+ds1-2+deb10u5
[29 Dec 2022] DLA-3251-1 libcommons-net-java - security update
{CVE-2021-37533}
[buster] - libcommons-net-java 3.6-1+deb10u1
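Review bot: the CVE list on the `+ {CVE-2020-8813 CVE-2020-23226 CVE-2020-25706 CVE-2022-0730 CVE-2022-46169}` line includes CVE-2022-46169, but no hunk in this patch touches that CVE's entry in data/CVE/list, whereas the other four CVEs each had their `[buster] - cacti <no-dsa>` line removed; confirm that CVE-2022-46169's entry already records buster as fixed in 1.2.2+ds1-2+deb10u5 (or carries no conflicting `[buster]` tag), otherwise the tracker will show it as both open in buster and covered by DLA-3252-1.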
=====================================
data/dla-needed.txt
=====================================
@@ -21,10 +21,6 @@ apache2
asterisk
NOTE: 20221211: Programming language: C.
--
-cacti (guilhem)
- NOTE: 20221208: Programming language: PHP.
- NOTE: 20221208: VCS: https://salsa.debian.org/cacti-team/cacti/
---
ceph (Stefano Rivera)
NOTE: 20221031: Programming language: C++.
NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system.
@@ -181,7 +177,7 @@ node-got
NOTE: 20221111: Follow fixes from bullseye 11.4 (Beuc/front-desk)
NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby).
--
-node-loader-utils
+node-loader-utils (guilhem)
NOTE: 20221111: Programming language: JavaScript.
NOTE: 20221111: upcoming bullseye PU https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798 (Beuc/front-desk)
--
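Review bot: the claim on the `+node-loader-utils (guilhem)` line adds no dated NOTE, while the neighbouring entries record every status change as `NOTE: YYYYMMDD: ...`; given that CVE-2022-37599 and CVE-2022-37603 are marked not-affected for buster in the same push, a line such as `NOTE: 20221231: CVE-2022-37599/37603 not-affected in buster; still open: <remaining CVEs>` would tell the next reader why the package stays in dla-needed.txt and what is left to fix.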
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b6b6cb037cef356e378e771e9b8e64a9b8d65036...cbc43eee8c43cb67122b3c299a48d8fc613e63d9