[Git][security-tracker-team/security-tracker][master] bullseyre/buster triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Feb 4 13:25:23 GMT 2022 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7feae34c by Moritz Muehlenhoff at 2022-02-04T14:25:10+01:00
bullseyre/buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -856,6 +856,8 @@ CVE-2022-0415
 	RESERVED
 CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows attacke ...)
 	- xterm 370-2 (bug #1004689)
+	[bullseye] - xterm <no-dsa> (Minor issue)
+	[buster] - xterm <no-dsa> (Minor issue)
 	NOTE: https://twitter.com/nickblack/status/1487731459398025216
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3
@@ -1176,6 +1178,11 @@ CVE-2022-0392 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to
 CVE-2022-0391 [urllib.parse does not sanitize URLs containing ASCII newline and tabs]
 	RESERVED
 	- python3.9 3.9.7-1
+	[bullseye] - python3.9 <no-dsa> (Minor issue)
+	- python3.7 <removed>
+	[buster] - python3.7 <no-dsa> (Minor issue)
+	- python3.5 <removed>
+	- python3.4 <removed>
 	NOTE: https://bugs.python.org/issue43882
 	NOTE: Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1)
 	NOTE: Followup for 3.10.x: https://github.com/python/cpython/commit/24f1d1a8a2c4aa58a606b4b6d5fa4305a3b91705 (v3.10.0b2)
@@ -3145,11 +3152,15 @@ CVE-2022-23453
 CVE-2022-23452
 	RESERVED
 	- barbican <unfixed>
+	[bullseye] - barbican <no-dsa> (Minor issue)
+	[buster] - barbican <no-dsa> (Minor issue)
 	NOTE: https://storyboard.openstack.org/#!/story/2009297
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2025090
 CVE-2022-23451
 	RESERVED
 	- barbican <unfixed>
+	[bullseye] - barbican <no-dsa> (Minor issue)
+	[buster] - barbican <no-dsa> (Minor issue)
 	NOTE: https://storyboard.openstack.org/#!/story/2009253
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2025089
 CVE-2022-23450
@@ -4766,16 +4777,19 @@ CVE-2022-23036
 	RESERVED
 CVE-2022-23035 (Insufficient cleanup of passed-through device IRQs The management of I ...)
 	- xen <unfixed>
+	[bullseye] - xen <postponed> (Fix along with next DSA round)
 	[buster] - xen <end-of-life> (DSA 4677-1)
 	[stretch] - xen <end-of-life> (DSA 4602-1)
 	NOTE: https://xenbits.xen.org/xsa/advisory-395.html
 CVE-2022-23034 (A PV guest could DoS Xen while unmapping a grant To address XSA-380, r ...)
 	- xen <unfixed>
+	[bullseye] - xen <postponed> (Fix along with next DSA round)
 	[buster] - xen <end-of-life> (DSA 4677-1)
 	[stretch] - xen <end-of-life> (DSA 4602-1)
 	NOTE: https://xenbits.xen.org/xsa/advisory-394.html
 CVE-2022-23033 (arm: guest_physmap_remove_page not removing the p2m mappings The funct ...)
 	- xen <unfixed>
+	[bullseye] - xen <postponed> (Fix along with next DSA round)
 	[buster] - xen <not-affected> (Vulnerable code introduced later)
 	[stretch] - xen <not-affected> (Vulnerable code introduced later)
 	NOTE: https://xenbits.xen.org/xsa/advisory-393.html
@@ -14582,12 +14596,16 @@ CVE-2022-21682 (Flatpak is a Linux application sandboxing and distribution frame
 	NOTE: 1.12.4 added further changes to avoid regressions for some workflows
 CVE-2022-21681 (Marked is a markdown parser and compiler. Prior to version 4.0.10, the ...)
 	- node-marked 4.0.12+ds+~4.0.1-1
+	[bullseye] - node-marked <no-dsa> (Minor issue)
+	[buster] - node-marked <no-dsa> (Minor issue)
 	NOTE: https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
 	NOTE: https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5
 	NOTE: https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0 (4.0.10)
 	NOTE: https://github.com/markedjs/marked/releases/tag/v4.0.10
 CVE-2022-21680 (Marked is a markdown parser and compiler. Prior to version 4.0.10, the ...)
 	- node-marked 4.0.12+ds+~4.0.1-1
+	[bullseye] - node-marked <no-dsa> (Minor issue)
+	[buster] - node-marked <no-dsa> (Minor issue)
 	NOTE: https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0 (4.0.10)
 	NOTE: https://github.com/markedjs/marked/releases/tag/v4.0.10
 	NOTE: https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
@@ -17141,11 +17159,15 @@ CVE-2021-43358 (Sunnet eHRD has inadequate filtering for special characters in U
 	NOT-FOR-US: Sunnet eHRD
 CVE-2021-3928 (vim is vulnerable to Use of Uninitialized Variable ...)
 	- vim 2:8.2.3995-1
+	[bullseye] - vim <no-dsa> (Minor issue)
+	[buster] - vim <no-dsa> (Minor issue)
 	[stretch] - vim <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/29c3ebd2-d601-481c-bf96-76975369d0cd
 	NOTE: Fixed by: https://github.com/vim/vim/commit/15d9890eee53afc61eb0a03b878a19cb5672f732 (v8.2.3582)
 CVE-2021-3927 (vim is vulnerable to Heap-based Buffer Overflow ...)
 	- vim 2:8.2.3995-1
+	[bullseye] - vim <no-dsa> (Minor issue)
+	[buster] - vim <no-dsa> (Minor issue)
 	[stretch] - vim <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/9c2b2c82-48bb-4be9-ab8f-a48ea252d1b0
 	NOTE: Fixed by: https://github.com/vim/vim/commit/0b5b06cb4777d1401fdf83e7d48d287662236e7e (v8.2.3581)
@@ -36439,17 +36461,25 @@ CVE-2021-36412 (A heap-based buffer overflow vulnerability exists in MP4Box in G
 	NOTE: https://github.com/gpac/gpac/commit/828188475084db87cebc34208b6bd2509709845e
 CVE-2021-36411 (An issue has been found in libde265 v1.0.8 due to incorrect access con ...)
 	- libde265 <unfixed>
+	[bullseye] - libde265 <no-dsa> (Minor issue)
+	[buster] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/302
 CVE-2021-36410 (A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion. ...)
 	- libde265 <unfixed>
+	[bullseye] - libde265 <no-dsa> (Minor issue)
+	[buster] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/301
 CVE-2021-3641 (Improper Link Resolution Before File Access ('Link Following') vulnera ...)
 	NOT-FOR-US: Bitdefender
 CVE-2021-36409 (There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at ...)
 	- libde265 <unfixed>
+	[bullseye] - libde265 <no-dsa> (Minor issue)
+	[buster] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/300
 CVE-2021-36408 (An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-f ...)
 	- libde265 <unfixed>
+	[bullseye] - libde265 <no-dsa> (Minor issue)
+	[buster] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/299
 CVE-2021-36407
 	RESERVED
@@ -224924,6 +224954,7 @@ CVE-2018-16473 (A path traversal in takeapeek module versions <=0.2.2 allows
 	NOT-FOR-US: takeapeek
 CVE-2018-16472 (A prototype pollution attack in cached-path-relative versions <=1.0 ...)
 	- node-cached-path-relative 1.0.2-1
+	[buster] - node-cached-path-relative <no-dsa> (Minor issue)
 	NOTE: https://hackerone.com/reports/390847
 	NOTE: https://github.com/ashaffer/cached-path-relative/issues/3
 	NOTE: Fixed by: https://github.com/ashaffer/cached-path-relative/commit/a43cffec84ed0e9eceecb43b534b6937a8028fc0



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7feae34caf6072e33b2858c194e75d9f6600346c

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7feae34caf6072e33b2858c194e75d9f6600346c
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220204/7fbc8422/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list