[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Feb 7 22:03:57 GMT 2022 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
59300f89 by Moritz Muehlenhoff at 2022-02-07T23:03:36+01:00
buster/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3913,11 +3913,10 @@ CVE-2022-0285 (Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore
 	NOT-FOR-US: pimcore
 CVE-2022-0284
 	RESERVED
-	- imagemagick <undetermined>
+	- imagemagick <not-affected> (Specific to IM7)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2045943
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/4729
 	NOTE: https://github.com/ImageMagick/ImageMagick/commit/e50f19fd73c792ebe912df8ab83aa51a243a3da7
-	TODO: check if it affects ImageMagick6
 CVE-2022-0283
 	RESERVED
 CVE-2022-0282 (Code Injection in Packagist microweber/microweber prior to 1.2.11. ...)
@@ -6249,6 +6248,7 @@ CVE-2022-22814
 	RESERVED
 CVE-2022-0155 (follow-redirects is vulnerable to Exposure of Private Personal Informa ...)
 	- node-follow-redirects 1.14.7+~1.13.1-1
+	[bullseye] - node-follow-redirects <no-dsa> (Minor issue)
 	[buster] - node-follow-redirects <ignored> (Minor issue, too intrusive to backport)
 	NOTE: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406
 	NOTE: https://github.com/follow-redirects/follow-redirects/issues/183
@@ -7954,18 +7954,26 @@ CVE-2021-46047 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the
 	NOTE: https://github.com/gpac/gpac/commit/dd2e8b1b9378a9679de8e7e5dcb2d7841acd5dbd
 CVE-2021-46046 (A Pointer Derefernce Vulnerbility exists GPAC 1.0.1 the gf_isom_box_si ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <no-dsa> (Minor issue)
+	[buster] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/issues/2005
 	NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f
 CVE-2021-46045 (GPAC 1.0.1 is affected by: Abort failed. The impact is: cause a denial ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <no-dsa> (Minor issue)
+	[buster] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/issues/2007
 	NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f
 CVE-2021-46044 (A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1via ShiftMetaOf ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <no-dsa> (Minor issue)
+	[buster] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/issues/2006
 	NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f
 CVE-2021-46043 (A Pointer Dereference Vulnerability exits in GPAC 1.0.1 in the gf_list ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <no-dsa> (Minor issue)
+	[buster] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/issues/2001
 	NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f
 CVE-2021-46042 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the _fsee ...)
@@ -8242,6 +8250,8 @@ CVE-2021-45949 (Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer
 	NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
 CVE-2021-45948 (Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-base ...)
 	- assimp 5.1.1~ds0-1
+	[bullseye] - assimp <not-affected> (Vulnerable code not present)
+	[buster] - assimp <not-affected> (Vulnerable code not present)
 	[stretch] - assimp <not-affected> (M3D format support not present)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/assimp/OSV-2021-775.yaml
@@ -13416,11 +13426,13 @@ CVE-2021-44514 (OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishan
 	NOT-FOR-US: ManageEngine
 CVE-2021-44513 (Insecure creation of temporary directories in tmate-ssh-server 2.3.0 a ...)
 	- tmate-ssh-server <unfixed> (bug #1001225)
+	[bullseye] - tmate-ssh-server <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596
 	NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388
 CVE-2021-44512 (World-writable permissions on the /tmp/tmate/sessions directory in tma ...)
 	- tmate-ssh-server <unfixed> (bug #1001225)
+	[bullseye] - tmate-ssh-server <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596
 	NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388
@@ -20619,6 +20631,7 @@ CVE-2021-42577
 	RESERVED
 CVE-2021-42576 (The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Py ...)
 	- golang-github-microcosm-cc-bluemonday 1.0.16-1
+	[bullseye] - golang-github-microcosm-cc-bluemonday <no-dsa> (Minor issue)
 	NOTE: https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/
 CVE-2021-42575 (The OWASP Java HTML Sanitizer before 20211018.1 does not properly enfo ...)
 	NOT-FOR-US: OWASP HTML Sanitizer
@@ -25521,6 +25534,8 @@ CVE-2021-41079 (Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1
 	NOTE: https://github.com/apache/tomcat/commit/b90d4fc1ff44f30e4b3aba622ba6677e3f003822 (8.5.64)
 CVE-2021-3803 (nth-check is vulnerable to Inefficient Regular Expression Complexity ...)
 	- node-nth-check 2.0.1-1
+	[bullseye] - node-nth-check <no-dsa> (Minor issue)
+	[buster] - node-nth-check <no-dsa> (Minor issue)
 	[stretch] - node-nth-check <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726 (v2.0.1)
 	NOTE: https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0/
@@ -31315,6 +31330,8 @@ CVE-2021-38699 (TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin
 	NOT-FOR-US: TastyIgniter
 CVE-2021-38698 (HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allow ...)
 	- consul <unfixed>
+	[bullseye] - consul <no-dsa> (Minor issue)
+	[buster] - consul <no-dsa> (Minor issue)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026
 	NOTE: https://github.com/hashicorp/consul/commit/747844bad6410091f2c6e961216c0c5fc285a44d (v1.8.15)
 CVE-2021-38697 (SoftVibe SARABAN for INFOMA 1.1 allows Unauthenticated unrestricted Fi ...)
@@ -31521,9 +31538,11 @@ CVE-2021-38604 (In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/
 	NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8
 CVE-2021-38603 (PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Informati ...)
 	- pluxml <unfixed>
+	[buster] - pluxml <ignored> (Minor issue)
 	[stretch] - pluxml <no-dsa> (Minor issue)
 CVE-2021-38602 (PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content ...)
 	- pluxml <unfixed>
+	[buster] - pluxml <ignored> (Minor issue)
 	[stretch] - pluxml <no-dsa> (Minor issue)
 CVE-2021-38601
 	RESERVED
@@ -41791,6 +41810,7 @@ CVE-2021-34432 (In Eclipse Mosquitto versions 2.07 and earlier, the server will
 	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=574141
 CVE-2021-34431 (In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client ...)
 	- mosquitto 2.0.11-1
+	[bullseye] - mosquitto <no-dsa> (Minor issue)
 	[buster] - mosquitto <not-affected> (Vulnerable code introduced later)
 	[stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
 	NOTE: https://mosquitto.org/blog/2021/06/version-2-0-11-released/
@@ -42018,6 +42038,7 @@ CVE-2021-34338
 CVE-2021-34337 [password checking timing attack in administrative REST API]
 	RESERVED
 	- mailman3 <unfixed> (bug #1004934)
+	[bullseye] - mailman3 <no-dsa> (Minor issue)
 	[buster] - mailman3 <no-dsa> (Minor issue; will be fixed via point release)
 	NOTE: Fixed by: https://gitlab.com/mailman/mailman/-/commit/e4a39488c4510fcad8851217f10e7337a196bb51 (3.3.5b1)
 CVE-2021-34336
@@ -57945,6 +57966,7 @@ CVE-2021-28167 (In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.r
 	NOT-FOR-US: Eclipse OpenJ9
 CVE-2021-28166 (In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated clien ...)
 	- mosquitto 2.0.10-1 (bug #986701)
+	[bullseye] - mosquitto <no-dsa> (Minor issue)
 	[buster] - mosquitto <not-affected> (Vulnerable code introduced in 2.0)
 	[stretch] - mosquitto <not-affected> (Vulnerable code introduced in 2.0)
 	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59300f8964d9728017bbd8c8f009c768d719ce3d

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59300f8964d9728017bbd8c8f009c768d719ce3d
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220207/f2fa9bfd/attachment.htm>

More information about the debian-security-tracker-commits mailing list