[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sun Jan 2 20:10:37 GMT 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f87924b2 by security tracker role at 2022-01-02T20:10:27+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -51,8 +51,8 @@ CVE-2021-45962
RESERVED
CVE-2021-45961
RESERVED
-CVE-2022-0080
- RESERVED
+CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...)
+ TODO: check
CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) pla ...)
- expat <unfixed> (bug #1002994)
[bullseye] - expat <no-dsa> (Minor issue; can be fixed via point release)
@@ -63,7 +63,7 @@ CVE-2022-0079
RESERVED
CVE-2022-0078
RESERVED
-CVE-2021-45959 ({fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in fmt::v8 ...)
+CVE-2021-45959 (** DISPUTED ** {fmt} 7.1.0 through 8.0.1 has a stack-based buffer over ...)
- fmtlib <unfixed> (unimportant)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110
NOTE: https://github.com/fmtlib/fmt/issues/2685
@@ -2963,6 +2963,7 @@ CVE-2021-4127
RESERVED
CVE-2021-4126
RESERVED
+ {DSA-5034-1}
- thunderbird 1:91.4.1-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-55/#CVE-2021-4126
CVE-2021-26264
@@ -4862,6 +4863,7 @@ CVE-2021-4049 (livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2021-44539
RESERVED
CVE-2021-44538 (The olm_session_describe function in Matrix libolm before 3.2.7 is vul ...)
+ {DSA-5034-1}
- element-web <itp> (bug #866502)
- olm 3.2.8~dfsg-1 (bug #1001664)
[buster] - olm <not-affected> (Vulnerable code introduced later)
@@ -8504,7 +8506,7 @@ CVE-2021-43548 (Patient Information Center iX (PIC iX) Versions C.02 and C.03 re
CVE-2021-43547
RESERVED
CVE-2021-43546 (It was possible to recreate previous cursor spoofing attacks against u ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8512,7 +8514,7 @@ CVE-2021-43546 (It was possible to recreate previous cursor spoofing attacks aga
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43546
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43546
CVE-2021-43545 (Using the Location API in a loop could have caused severe application ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8523,7 +8525,7 @@ CVE-2021-43544 (When receiving a URL through a SEND intent, Firefox would have s
- firefox <not-affected> (Only affects Android)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43544
CVE-2021-43543 (Documents loaded with the CSP sandbox directive could have escaped the ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8531,7 +8533,7 @@ CVE-2021-43543 (Documents loaded with the CSP sandbox directive could have escap
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43543
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43543
CVE-2021-43542 (Using XMLHttpRequest, an attacker could have identified installed appl ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8539,7 +8541,7 @@ CVE-2021-43542 (Using XMLHttpRequest, an attacker could have identified installe
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43542
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43542
CVE-2021-43541 (When invoking protocol handlers for external protocols, a supplied par ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8550,7 +8552,7 @@ CVE-2021-43540 (WebExtensions with the correct permissions were able to create a
- firefox 95.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43540
CVE-2021-43539 (Failure to correctly record the location of live pointers across wasm ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8558,7 +8560,7 @@ CVE-2021-43539 (Failure to correctly record the location of live pointers across
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43539
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43539
CVE-2021-43538 (By misusing a race in our notification code, an attacker could have fo ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8566,7 +8568,7 @@ CVE-2021-43538 (By misusing a race in our notification code, an attacker could h
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43538
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43538
CVE-2021-43537 (An incorrect type conversion of sizes from 64bit to 32bit integers all ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8574,7 +8576,7 @@ CVE-2021-43537 (An incorrect type conversion of sizes from 64bit to 32bit intege
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43537
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43537
CVE-2021-43536 (Under certain circumstances, asynchronous functions could have caused ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8582,7 +8584,7 @@ CVE-2021-43536 (Under certain circumstances, asynchronous functions could have c
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43536
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43536
CVE-2021-43535 (A use-after-free could have occured when an HTTP2 session object was r ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 93.0-1
- firefox-esr 91.3.0esr-1
- thunderbird 1:91.3.0-1
@@ -8590,7 +8592,7 @@ CVE-2021-43535 (A use-after-free could have occured when an HTTP2 session object
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-43535
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-43535
CVE-2021-43534 (Mozilla developers and community members reported memory safety bugs p ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 94.0-1
- firefox-esr 91.3.0esr-1
- thunderbird 1:91.3.0-1
@@ -8611,10 +8613,12 @@ CVE-2021-43530 (A Universal XSS vulnerability was present in Firefox for Android
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-43530
CVE-2021-43529
RESERVED
+ {DSA-5034-1}
- thunderbird 1:91.3.0-1
NOTE: https://www.openwall.com/lists/oss-security/2021/12/01/6
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1738501
CVE-2021-43528 (Thunderbird unexpectedly enabled JavaScript in the composition area. T ...)
+ {DSA-5034-1}
- thunderbird 1:91.4.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43528
CVE-2021-43527 (NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR a ...)
@@ -22934,7 +22938,7 @@ CVE-2021-38510 (The executable file warning was not presented when downloading .
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38510
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38510
CVE-2021-38509 (Due to an unusual sequence of attacker-controlled events, a Javascript ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 94.0-1
- firefox-esr 91.3.0esr-1
- thunderbird 1:91.3.0-1
@@ -22942,7 +22946,7 @@ CVE-2021-38509 (Due to an unusual sequence of attacker-controlled events, a Java
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38509
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38509
CVE-2021-38508 (By displaying a form validity message in the correct location at the s ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 94.0-1
- firefox-esr 91.3.0esr-1
- thunderbird 1:91.3.0-1
@@ -22950,7 +22954,7 @@ CVE-2021-38508 (By displaying a form validity message in the correct location at
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38508
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38508
CVE-2021-38507 (The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a conn ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 94.0-1
- firefox-esr 91.3.0esr-1
- thunderbird 1:91.3.0-1
@@ -22958,7 +22962,7 @@ CVE-2021-38507 (The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38507
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38507
CVE-2021-38506 (Through a series of navigations, Firefox could have entered fullscreen ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 94.0-1
- firefox-esr 91.3.0esr-1
- thunderbird 1:91.3.0-1
@@ -22973,7 +22977,7 @@ CVE-2021-38505 (Microsoft introduced a new feature in Windows 10 known as Cloud
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38505
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38505
CVE-2021-38504 (When interacting with an HTML input element's file picker dialog with ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 94.0-1
- firefox-esr 91.3.0esr-1
- thunderbird 1:91.3.0-1
@@ -22981,7 +22985,7 @@ CVE-2021-38504 (When interacting with an HTML input element's file picker dialog
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38504
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38504
CVE-2021-38503 (The iframe sandbox rules were not correctly applied to XSLT stylesheet ...)
- {DSA-5026-1 DLA-2863-1}
+ {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 94.0-1
- firefox-esr 91.3.0esr-1
- thunderbird 1:91.3.0-1
@@ -22989,6 +22993,7 @@ CVE-2021-38503 (The iframe sandbox rules were not correctly applied to XSLT styl
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38503
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38503
CVE-2021-38502 (Thunderbird ignored the configuration to require STARTTLS security for ...)
+ {DSA-5034-1}
[experimental] - thunderbird 1:91.2.0-1
- thunderbird 1:91.2.1-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38502
@@ -23000,7 +23005,7 @@ CVE-2021-38501 (Mozilla developers reported memory safety bugs present in Firefo
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-45/#CVE-2021-38501
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38501
CVE-2021-38500 (Mozilla developers reported memory safety bugs present in Firefox 92 a ...)
- {DSA-4981-1 DLA-2782-1}
+ {DSA-5034-1 DSA-4981-1 DLA-2782-1}
- firefox 93.0-1
- firefox-esr 91.2.0esr-1
[experimental] - thunderbird 1:91.2.0-1
@@ -23028,7 +23033,7 @@ CVE-2021-38497 (Through use of reportValidity() and window.open(), a plain-text
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-45/#CVE-2021-38497
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38497
CVE-2021-38496 (During operations on MessageTasks, a task may have been removed while ...)
- {DSA-4981-1 DLA-2782-1}
+ {DSA-5034-1 DSA-4981-1 DLA-2782-1}
- firefox 93.0-1
- firefox-esr 91.2.0esr-1
[experimental] - thunderbird 1:91.2.0-1
@@ -27334,9 +27339,9 @@ CVE-2021-36753 (sharkdp BAT before 0.18.2 executes less.exe from the current wor
NOT-FOR-US: sharkdp BAT
CVE-2021-36752
RESERVED
-CVE-2021-36751
- RESERVED
-CVE-2021-36750 (ENC DataVault 7.1.1W and VaultAPI v67, which is currently being used i ...)
+CVE-2021-36751 (ENC DataVault 7.1.1W uses an inappropriate encryption algorithm, such ...)
+ TODO: check
+CVE-2021-36750 (ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, ma ...)
NOT-FOR-US: ENC
CVE-2021-36749 (In the Druid ingestion system, the InputSource is used for reading dat ...)
- druid <itp> (bug #825797)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f87924b29140841bc80f999295f56f7eeb64b810
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f87924b29140841bc80f999295f56f7eeb64b810
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220102/2f19a055/attachment.htm>
More information about the debian-security-tracker-commits
mailing list