[Git][security-tracker-team/security-tracker][master] Checked multiple CVEs in pjproject against asterisk and ring

Neil Williams (@codehelp) codehelp at debian.org
Fri Feb 18 11:25:10 GMT 2022



Neil Williams pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2b9223dc by Neil Williams at 2022-02-18T11:24:42+00:00
Checked multiple CVEs in pjproject against asterisk and ring

More updates to follow

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -17188,15 +17188,19 @@ CVE-2022-21724 (pgjdbc is the offical PostgreSQL JDBC Driver. A security hole wa
 	NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
 	NOTE: https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813 (REL42.3.2)
 CVE-2022-21723 (PJSIP is a free and open source multimedia communication library writt ...)
+	- asterisk <unfixed>
+	[bullseye] - asterisk <not-affected> (Vulnerable code not present)
 	- pjproject <removed>
+	- ring <unfixed>
+	[stretch] - ring <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm
 	NOTE: https://github.com/pjsip/pjproject/commit/077b465c33f0aec05a49cd2ca456f9a1b112e896
-	TODO: check, might affect in impact src:ring
 CVE-2022-21722 (PJSIP is a free and open source multimedia communication library writt ...)
+	- asterisk <unfixed>
 	- pjproject <removed>
+	- ring <unfixed>
 	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36
 	NOTE: https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a
-	TODO: check, might affect in impact src:ring
 CVE-2022-21721 (Next.js is a React framework. Starting with version 12.0.0 and prior t ...)
 	TODO: check
 CVE-2022-21720 (GLPI is a free asset and IT management software package. Prior to vers ...)
@@ -17705,11 +17709,12 @@ CVE-2021-43847 (HumHub is an open-source social network kit written in PHP. Prio
 CVE-2021-43846 (`solidus_frontend` is the cart and storefront for the Solidus e-commer ...)
 	NOT-FOR-US: solidus_frontend
 CVE-2021-43845 (PJSIP is a free and open source multimedia communication library. In v ...)
+	- asterisk <unfixed>
 	- pjproject <removed>
+	- ring <unfixed>
 	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-r374-qrwv-86hh
 	NOTE: https://github.com/pjsip/pjproject/commit/f74c1fc22b760d2a24369aa72c74c4a9ab985859
 	NOTE: https://github.com/pjsip/pjproject/pull/2924
-	TODO: check, might affect in impact src:ring
 CVE-2021-43844 (MSEdgeRedirect is a tool to redirect news, search, widgets, weather, a ...)
 	NOT-FOR-US: MSEdgeRedirect
 CVE-2021-43843 (jsx-slack is a package for building JSON objects for Slack block kit s ...)
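Review bot: Removing the "TODO: check, might affect in impact src:ring" line from CVE-2021-43845 leaves no record of why asterisk and ring are listed under a pjproject issue. A short NOTE stating how each package includes the PJSIP code, and which source version was inspected, would let the next triager repeat the check instead of redoing it from scratch.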
@@ -17806,10 +17811,11 @@ CVE-2021-43806 (Tuleap is a Libre and Open Source tool for end to end traceabili
 CVE-2021-43805 (Solidus is a free, open-source ecommerce platform built on Rails. Vers ...)
 	NOT-FOR-US: Solidus
 CVE-2021-43804 (PJSIP is a free and open source multimedia communication library writt ...)
+	- asterisk <unfixed>
 	- pjproject <removed>
+	- ring <unfixed>
 	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-3qx3-cg72-wrh9
 	NOTE: https://github.com/pjsip/pjproject/commit/8b621f192cae14456ee0b0ade52ce6c6f258af1e
-	TODO: check, might affect in impact src:ring
 CVE-2021-43803 (Next.js is a React framework. In versions of Next.js prior to 12.0.5 o ...)
 	NOT-FOR-US: next.js
 CVE-2021-43802 (Etherpad is a real-time collaborative editor. In versions prior to 1.8 ...)
@@ -20028,15 +20034,35 @@ CVE-2021-43305
 CVE-2021-43304
 	RESERVED
 CVE-2021-43303 (Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker ...)
-	TODO: check
+	- asterisk <unfixed>
+	- pjproject <removed>
+	- ring <unfixed>
+	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
+	NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
 CVE-2021-43302 (Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An ...)
-	TODO: check
+	- asterisk <unfixed>
+	- pjproject <removed>
+	- ring <unfixed>
+	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
+	NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
 CVE-2021-43301 (Stack overflow in PJSUA API when calling pjsua_playlist_create. An att ...)
-	TODO: check
+	- asterisk <unfixed>
+	- pjproject <removed>
+	- ring <unfixed>
+	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
+	NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
 CVE-2021-43300 (Stack overflow in PJSUA API when calling pjsua_recorder_create. An att ...)
-	TODO: check
+	- asterisk <unfixed>
+	- pjproject <removed>
+	- ring <unfixed>
+	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
+	NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
 CVE-2021-43299 (Stack overflow in PJSUA API when calling pjsua_player_create. An attac ...)
-	TODO: check
+	- asterisk <unfixed>
+	- pjproject <removed>
+	- ring <unfixed>
+	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
+	NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
 CVE-2021-43298 (The code that performs password matching when using 'Basic' HTTP authe ...)
 	NOT-FOR-US: GoAhead Web Server
 CVE-2021-43297 (A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 a ...)
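Review bot: CVE-2021-43299 through CVE-2021-43303 go from a bare "TODO: check" straight to asterisk <unfixed> and ring <unfixed>, yet every description names a PJSUA API call (pjsua_call_dump, pjsua_recorder_create, pjsua_playlist_create, pjsua_player_create). The entries should record whether asterisk and ring actually reach those functions; where one of them does not, a <not-affected> or <unimportant> line with the reason is more accurate than <unfixed>. All five entries also carry the same GHSA-qcvw-h34v-c7r9 advisory and d979253c commit, so a one-line NOTE saying the single commit covers all five would spare readers from comparing the entries.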
@@ -36212,10 +36238,11 @@ CVE-2021-37708 (Shopware is an open source eCommerce platform. Versions prior to
 CVE-2021-37707 (Shopware is an open source eCommerce platform. Versions prior to 6.4.3 ...)
 	NOT-FOR-US: Shopware
 CVE-2021-37706 (PJSIP is a free and open source multimedia communication library writt ...)
+	- asterisk <unfixed>
 	- pjproject <removed>
+	- ring <unfixed>
 	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984
 	NOTE: https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865
-	TODO: check, might affect in impact src:ring
 CVE-2021-37705 (OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. S ...)
 	NOT-FOR-US: OneFuzz
 CVE-2021-37704 (PhpFastCache is a high-performance backend cache system (packagist pac ...)
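Review bot: The new asterisk and ring lines for CVE-2021-37706 are unversioned <unfixed> although the fix commit 15663e3f is already referenced in the NOTE lines. Please check whether the PJSIP code shipped in the current unstable uploads already contains that commit; if it does, these lines should carry the fixed version rather than <unfixed>.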
@@ -48277,11 +48304,11 @@ CVE-2021-32686 (PJSIP is a free and open source multimedia communication library
 	[stretch] - asterisk <not-affected> (Vulnerable code not present)
 	- pjproject <removed>
 	[stretch] - pjproject <no-dsa> (Minor issue; https://people.debian.org/~abhijith/upload/CVE-2021-32686.patch)
+	- ring <unfixed>
 	NOTE: https://downloads.asterisk.org/pub/security/AST-2021-009.html
 	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr
 	NOTE: https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd
 	NOTE: https://github.com/pjsip/pjproject/pull/2716
-	TODO: check, might affect in impact src:ring
 CVE-2021-32685 (tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser ( ...)
 	NOT-FOR-US: tEnvoy
 CVE-2021-32684 (magento-scripts contains scripts and configuration used by Create Mage ...)
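Review bot: For CVE-2021-32686 ring is added as <unfixed> with no suite annotation, while the surrounding context already has "[stretch] - asterisk <not-affected> (Vulnerable code not present)" and a stretch <no-dsa> line for pjproject. The CVE-2022-21723 hunk in this same commit marks stretch ring as not-affected, so stretch ring should be checked here as well and, if the code is absent there too, given a matching [stretch] line.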



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b9223dc052155c9d0f273067ca4f89586e895db
