[Git][security-tracker-team/security-tracker][master] 3 commits: Process NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon Feb 21 08:13:00 GMT 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6684b48d by Salvatore Bonaccorso at 2022-02-21T09:11:43+01:00
Process NFUs

- - - - -
ccb91d28 by Salvatore Bonaccorso at 2022-02-21T09:11:45+01:00
Add CVE-2022-23647/node-prismjs

- - - - -
bf7341d0 by Salvatore Bonaccorso at 2022-02-21T09:12:20+01:00
Add upstream issue reference for CVE-2022-23647

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -707,7 +707,7 @@ CVE-2022-XXXX [Arbitrary File Write Vulnerability ]
 CVE-2022-25299 (This affects the package cesanta/mongoose before 7.6. The unsafe handl ...)
 	TODO: check
 CVE-2022-25298 (This affects the package sprinfall/webcc before 0.3.0. It is possible  ...)
-	TODO: check
+	NOT-FOR-US: webcc
 CVE-2022-25297
 	RESERVED
 CVE-2022-25296
@@ -3505,7 +3505,7 @@ CVE-2022-0452
 	[buster] - chromium <end-of-life> (see DSA 5046)
 	[stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2022-0451 (Dart SDK contains the HTTPClient in dart:io library whcih includes aut ...)
-	TODO: check
+	NOT-FOR-US: Dart SDK
 CVE-2022-0450
 	RESERVED
 CVE-2022-0449
@@ -4901,7 +4901,7 @@ CVE-2021-4211
 CVE-2021-4210
 	RESERVED
 CVE-2022-23913 (In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker coul ...)
-	TODO: check
+	NOT-FOR-US: Apache ActiveMQ Artemis
 CVE-2022-23912
 	RESERVED
 CVE-2022-23911
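Review bot: the NOT-FOR-US line in this hunk names "Apache ActiveMQ Artemis", which differs from plain Apache ActiveMQ only by the suffix; consider adding a NOTE stating that Artemis is a separate codebase from the classic broker, so that a later search for "ActiveMQ" in data/CVE/list does not reopen the triage.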
@@ -5416,7 +5416,7 @@ CVE-2022-0338 (Improper Privilege Management in Conda loguru prior to 0.5.3. ...
 	NOTE: Document best practices for security: https://github.com/delgan/loguru/commit/ea39375e62f9b8f18e2ca798a5c0fb8c972b7eaa
 	NOTE: loguru documents security considerations and best practices to follow
 CVE-2022-23848 (In Alluxio before 2.7.3, the logserver does not validate the input str ...)
-	TODO: check
+	NOT-FOR-US: Alluxio
 CVE-2022-23847
 	RESERVED
 CVE-2022-23846
@@ -5939,13 +5939,17 @@ CVE-2022-23652
 CVE-2022-23651
 	RESERVED
 CVE-2022-23650 (Netmaker is a platform for creating and managing virtual overlay netwo ...)
-	TODO: check
+	NOT-FOR-US: Netmaker
 CVE-2022-23649 (Cosign provides container signing, verification, and storage in an OCI ...)
 	NOT-FOR-US: Cosign
 CVE-2022-23648
 	RESERVED
 CVE-2022-23647 (Prism is a syntax highlighting library. Starting with version 1.14.0 a ...)
-	TODO: check
+	- node-prismjs <unfixed>
+	NOTE: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99
+	NOTE: https://github.com/PrismJS/prism/issues/3340
+	NOTE: https://github.com/PrismJS/prism/pull/3341
+	NOTE: https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c (v1.27.0)
 CVE-2022-23646 (Next.js is a React framework. Starting with version 10.0.0 and prior t ...)
 	TODO: check
 CVE-2022-23645 (swtpm is a libtpms-based TPM emulator with socket, character device, a ...)
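Review bot: the `- node-prismjs <unfixed>` line in this hunk carries no severity tag or Debian bug reference; consider filing a bug against node-prismjs and recording it on that line, and adding a NOTE on which packaged versions are at or above 1.14.0 (the first affected version per the CVE text) and whether the fix commit recorded as v1.27.0 applies cleanly to them. Tagging the commit with its release version, as done here, is helpful for backporting.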



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9569315dc097de84a711203a7eca0412c878d199...bf7341d0ee7811756656afd9aa495f6fed839d22




