[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sun Jan 2 20:10:37 GMT 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f87924b2 by security tracker role at 2022-01-02T20:10:27+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -51,8 +51,8 @@ CVE-2021-45962
 	RESERVED
 CVE-2021-45961
 	RESERVED
-CVE-2022-0080
-	RESERVED
+CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...)
+	TODO: check
 CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) pla ...)
 	- expat <unfixed> (bug #1002994)
 	[bullseye] - expat <no-dsa> (Minor issue; can be fixed via point release)
@@ -63,7 +63,7 @@ CVE-2022-0079
 	RESERVED
 CVE-2022-0078
 	RESERVED
-CVE-2021-45959 ({fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in fmt::v8 ...)
+CVE-2021-45959 (** DISPUTED ** {fmt} 7.1.0 through 8.0.1 has a stack-based buffer over ...)
 	- fmtlib <unfixed> (unimportant)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110
 	NOTE: https://github.com/fmtlib/fmt/issues/2685
@@ -2963,6 +2963,7 @@ CVE-2021-4127
 	RESERVED
 CVE-2021-4126
 	RESERVED
+	{DSA-5034-1}
 	- thunderbird 1:91.4.1-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-55/#CVE-2021-4126
 CVE-2021-26264
@@ -4862,6 +4863,7 @@ CVE-2021-4049 (livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
 CVE-2021-44539
 	RESERVED
 CVE-2021-44538 (The olm_session_describe function in Matrix libolm before 3.2.7 is vul ...)
+	{DSA-5034-1}
 	- element-web <itp> (bug #866502)
 	- olm 3.2.8~dfsg-1 (bug #1001664)
 	[buster] - olm <not-affected> (Vulnerable code introduced later)
@@ -8504,7 +8506,7 @@ CVE-2021-43548 (Patient Information Center iX (PIC iX) Versions C.02 and C.03 re
 CVE-2021-43547
 	RESERVED
 CVE-2021-43546 (It was possible to recreate previous cursor spoofing attacks against u ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 95.0-1
 	- firefox-esr 91.4.0esr-1
 	- thunderbird 1:91.4.0-1
@@ -8512,7 +8514,7 @@ CVE-2021-43546 (It was possible to recreate previous cursor spoofing attacks aga
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43546
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43546
 CVE-2021-43545 (Using the Location API in a loop could have caused severe application  ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 95.0-1
 	- firefox-esr 91.4.0esr-1
 	- thunderbird 1:91.4.0-1
@@ -8523,7 +8525,7 @@ CVE-2021-43544 (When receiving a URL through a SEND intent, Firefox would have s
 	- firefox <not-affected> (Only affects Android)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43544
 CVE-2021-43543 (Documents loaded with the CSP sandbox directive could have escaped the ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 95.0-1
 	- firefox-esr 91.4.0esr-1
 	- thunderbird 1:91.4.0-1
@@ -8531,7 +8533,7 @@ CVE-2021-43543 (Documents loaded with the CSP sandbox directive could have escap
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43543
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43543
 CVE-2021-43542 (Using XMLHttpRequest, an attacker could have identified installed appl ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 95.0-1
 	- firefox-esr 91.4.0esr-1
 	- thunderbird 1:91.4.0-1
@@ -8539,7 +8541,7 @@ CVE-2021-43542 (Using XMLHttpRequest, an attacker could have identified installe
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43542
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43542
 CVE-2021-43541 (When invoking protocol handlers for external protocols, a supplied par ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 95.0-1
 	- firefox-esr 91.4.0esr-1
 	- thunderbird 1:91.4.0-1
@@ -8550,7 +8552,7 @@ CVE-2021-43540 (WebExtensions with the correct permissions were able to create a
 	- firefox 95.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43540
 CVE-2021-43539 (Failure to correctly record the location of live pointers across wasm  ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 95.0-1
 	- firefox-esr 91.4.0esr-1
 	- thunderbird 1:91.4.0-1
@@ -8558,7 +8560,7 @@ CVE-2021-43539 (Failure to correctly record the location of live pointers across
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43539
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43539
 CVE-2021-43538 (By misusing a race in our notification code, an attacker could have fo ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 95.0-1
 	- firefox-esr 91.4.0esr-1
 	- thunderbird 1:91.4.0-1
@@ -8566,7 +8568,7 @@ CVE-2021-43538 (By misusing a race in our notification code, an attacker could h
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43538
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43538
 CVE-2021-43537 (An incorrect type conversion of sizes from 64bit to 32bit integers all ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 95.0-1
 	- firefox-esr 91.4.0esr-1
 	- thunderbird 1:91.4.0-1
@@ -8574,7 +8576,7 @@ CVE-2021-43537 (An incorrect type conversion of sizes from 64bit to 32bit intege
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43537
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43537
 CVE-2021-43536 (Under certain circumstances, asynchronous functions could have caused  ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 95.0-1
 	- firefox-esr 91.4.0esr-1
 	- thunderbird 1:91.4.0-1
@@ -8582,7 +8584,7 @@ CVE-2021-43536 (Under certain circumstances, asynchronous functions could have c
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43536
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43536
 CVE-2021-43535 (A use-after-free could have occured when an HTTP2 session object was r ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 93.0-1
 	- firefox-esr 91.3.0esr-1
 	- thunderbird 1:91.3.0-1
@@ -8590,7 +8592,7 @@ CVE-2021-43535 (A use-after-free could have occured when an HTTP2 session object
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-43535
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-43535
 CVE-2021-43534 (Mozilla developers and community members reported memory safety bugs p ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 94.0-1
 	- firefox-esr 91.3.0esr-1
 	- thunderbird 1:91.3.0-1
@@ -8611,10 +8613,12 @@ CVE-2021-43530 (A Universal XSS vulnerability was present in Firefox for Android
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-43530
 CVE-2021-43529
 	RESERVED
+	{DSA-5034-1}
 	- thunderbird 1:91.3.0-1
 	NOTE: https://www.openwall.com/lists/oss-security/2021/12/01/6
 	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1738501
 CVE-2021-43528 (Thunderbird unexpectedly enabled JavaScript in the composition area. T ...)
+	{DSA-5034-1}
 	- thunderbird 1:91.4.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43528
 CVE-2021-43527 (NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR a ...)
@@ -22934,7 +22938,7 @@ CVE-2021-38510 (The executable file warning was not presented when downloading .
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38510
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38510
 CVE-2021-38509 (Due to an unusual sequence of attacker-controlled events, a Javascript ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 94.0-1
 	- firefox-esr 91.3.0esr-1
 	- thunderbird 1:91.3.0-1
@@ -22942,7 +22946,7 @@ CVE-2021-38509 (Due to an unusual sequence of attacker-controlled events, a Java
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38509
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38509
 CVE-2021-38508 (By displaying a form validity message in the correct location at the s ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 94.0-1
 	- firefox-esr 91.3.0esr-1
 	- thunderbird 1:91.3.0-1
@@ -22950,7 +22954,7 @@ CVE-2021-38508 (By displaying a form validity message in the correct location at
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38508
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38508
 CVE-2021-38507 (The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a conn ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 94.0-1
 	- firefox-esr 91.3.0esr-1
 	- thunderbird 1:91.3.0-1
@@ -22958,7 +22962,7 @@ CVE-2021-38507 (The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38507
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38507
 CVE-2021-38506 (Through a series of navigations, Firefox could have entered fullscreen ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 94.0-1
 	- firefox-esr 91.3.0esr-1
 	- thunderbird 1:91.3.0-1
@@ -22973,7 +22977,7 @@ CVE-2021-38505 (Microsoft introduced a new feature in Windows 10 known as Cloud
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38505
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38505
 CVE-2021-38504 (When interacting with an HTML input element's file picker dialog with  ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 94.0-1
 	- firefox-esr 91.3.0esr-1
 	- thunderbird 1:91.3.0-1
@@ -22981,7 +22985,7 @@ CVE-2021-38504 (When interacting with an HTML input element's file picker dialog
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38504
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38504
 CVE-2021-38503 (The iframe sandbox rules were not correctly applied to XSLT stylesheet ...)
-	{DSA-5026-1 DLA-2863-1}
+	{DSA-5034-1 DSA-5026-1 DLA-2863-1}
 	- firefox 94.0-1
 	- firefox-esr 91.3.0esr-1
 	- thunderbird 1:91.3.0-1
@@ -22989,6 +22993,7 @@ CVE-2021-38503 (The iframe sandbox rules were not correctly applied to XSLT styl
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38503
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38503
 CVE-2021-38502 (Thunderbird ignored the configuration to require STARTTLS security for ...)
+	{DSA-5034-1}
 	[experimental] - thunderbird 1:91.2.0-1
 	- thunderbird 1:91.2.1-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38502
@@ -23000,7 +23005,7 @@ CVE-2021-38501 (Mozilla developers reported memory safety bugs present in Firefo
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-45/#CVE-2021-38501
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38501
 CVE-2021-38500 (Mozilla developers reported memory safety bugs present in Firefox 92 a ...)
-	{DSA-4981-1 DLA-2782-1}
+	{DSA-5034-1 DSA-4981-1 DLA-2782-1}
 	- firefox 93.0-1
 	- firefox-esr 91.2.0esr-1
 	[experimental] - thunderbird 1:91.2.0-1
@@ -23028,7 +23033,7 @@ CVE-2021-38497 (Through use of reportValidity() and window.open(), a plain-text
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-45/#CVE-2021-38497
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38497
 CVE-2021-38496 (During operations on MessageTasks, a task may have been removed while  ...)
-	{DSA-4981-1 DLA-2782-1}
+	{DSA-5034-1 DSA-4981-1 DLA-2782-1}
 	- firefox 93.0-1
 	- firefox-esr 91.2.0esr-1
 	[experimental] - thunderbird 1:91.2.0-1
@@ -27334,9 +27339,9 @@ CVE-2021-36753 (sharkdp BAT before 0.18.2 executes less.exe from the current wor
 	NOT-FOR-US: sharkdp BAT
 CVE-2021-36752
 	RESERVED
-CVE-2021-36751
-	RESERVED
-CVE-2021-36750 (ENC DataVault 7.1.1W and VaultAPI v67, which is currently being used i ...)
+CVE-2021-36751 (ENC DataVault 7.1.1W uses an inappropriate encryption algorithm, such  ...)
+	TODO: check
+CVE-2021-36750 (ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, ma ...)
 	NOT-FOR-US: ENC
 CVE-2021-36749 (In the Druid ingestion system, the InputSource is used for reading dat ...)
 	- druid <itp> (bug #825797)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f87924b29140841bc80f999295f56f7eeb64b810

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f87924b29140841bc80f999295f56f7eeb64b810
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220102/2f19a055/attachment.htm>


More information about the debian-security-tracker-commits mailing list