[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Jan 17 20:10:31 GMT 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e2c38b1d by security tracker role at 2022-01-17T20:10:21+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,45 @@
+CVE-2022-23307
+ RESERVED
+CVE-2022-23306
+ RESERVED
+CVE-2022-23305
+ RESERVED
+CVE-2022-0263
+ RESERVED
+CVE-2022-0262
+ RESERVED
+CVE-2022-0261
+ RESERVED
+CVE-2022-0260
+ RESERVED
+CVE-2022-0259
+ RESERVED
+CVE-2022-0258 (pimcore is vulnerable to Improper Neutralization of Special Elements u ...)
+ TODO: check
+CVE-2022-0257 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...)
+ TODO: check
+CVE-2022-0256 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...)
+ TODO: check
+CVE-2022-0255
+ RESERVED
+CVE-2022-0254
+ RESERVED
+CVE-2022-0253 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...)
+ TODO: check
+CVE-2022-0252
+ RESERVED
+CVE-2022-0251
+ RESERVED
+CVE-2022-0250
+ RESERVED
+CVE-2022-0249
+ RESERVED
+CVE-2022-0248
+ RESERVED
+CVE-2022-0247
+ RESERVED
+CVE-2022-0246
+ RESERVED
CVE-2022-23304 (The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplica ...)
- wpa 2:2.10-1
NOTE: https://w1.fi/security/2022-1/
@@ -7,6 +49,7 @@ CVE-2022-23303 (The implementations of SAE in hostapd before 2.10 and wpa_suppli
NOTE: https://w1.fi/security/2022-1/
NOTE: Issue exists because of an incomplete fix for CVE-2019-9494
CVE-2022-0264 [bpf: Fix kernel address leakage in atomic fetch]
+ RESERVED
- linux 5.15.5-2
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
@@ -24,12 +67,12 @@ CVE-2022-22142
RESERVED
CVE-2022-21805
RESERVED
-CVE-2022-0242
- RESERVED
+CVE-2022-0242 (Unrestricted Upload of File with Dangerous Type in GitHub repository c ...)
+ TODO: check
CVE-2022-0241
RESERVED
-CVE-2022-0240
- RESERVED
+CVE-2022-0240 (mruby is vulnerable to NULL Pointer Dereference ...)
+ TODO: check
CVE-2022-0239 (corenlp is vulnerable to Improper Restriction of XML External Entity R ...)
NOT-FOR-US: corenlp
CVE-2022-0238 (phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) ...)
@@ -649,10 +692,10 @@ CVE-2022-0186
RESERVED
CVE-2022-0185
RESERVED
-CVE-2022-0184
- RESERVED
-CVE-2022-0183
- RESERVED
+CVE-2022-0184 (Insufficiently protected credentials vulnerability in 'TEPRA' PRO SR59 ...)
+ TODO: check
+CVE-2022-0183 (Missing encryption of sensitive data vulnerability in 'MIRUPASS' PW10 ...)
+ TODO: check
CVE-2020-36515
RESERVED
CVE-2022-23101
@@ -895,12 +938,12 @@ CVE-2022-21210
RESERVED
CVE-2022-21145
RESERVED
-CVE-2022-0182
- RESERVED
-CVE-2022-0181
- RESERVED
-CVE-2022-0180
- RESERVED
+CVE-2022-0182 (Stored cross-site scripting vulnerability in Quiz And Survey Master ve ...)
+ TODO: check
+CVE-2022-0181 (Reflected cross-site scripting vulnerability in Quiz And Survey Master ...)
+ TODO: check
+CVE-2022-0180 (Cross-site request forgery (CSRF) vulnerability in Quiz And Survey Mas ...)
+ TODO: check
CVE-2022-0179 (snipe-it is vulnerable to Improper Access Control ...)
NOT-FOR-US: snipe-it
CVE-2022-0178 (snipe-it is vulnerable to Improper Access Control ...)
@@ -1972,8 +2015,8 @@ CVE-2022-0133 (peertube is vulnerable to Improper Access Control ...)
- peertube <itp> (bug #950821)
CVE-2022-0132 (peertube is vulnerable to Server-Side Request Forgery (SSRF) ...)
- peertube <itp> (bug #950821)
-CVE-2022-0131
- RESERVED
+CVE-2022-0131 (Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API ...)
+ TODO: check
CVE-2021-4201
RESERVED
CVE-2022-22708
@@ -2052,11 +2095,13 @@ CVE-2021-46143 (In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3,
NOTE: https://github.com/libexpat/libexpat/pull/538
NOTE: https://github.com/libexpat/libexpat/commit/85ae9a2d7d0e9358f356b33977b842df8ebaec2b
CVE-2021-46142 (An issue was discovered in uriparser before 0.9.6. It performs invalid ...)
+ {DLA-2883-1}
- uriparser 0.9.6+dfsg-1
NOTE: https://github.com/uriparser/uriparser/issues/122
NOTE: https://github.com/uriparser/uriparser/commit/c0483990e6b5b454f7c8752b36760cfcb0d093f5 (uriparser-0.9.6)
NOTE: https://github.com/uriparser/uriparser/pull/124
CVE-2021-46141 (An issue was discovered in uriparser before 0.9.6. It performs invalid ...)
+ {DLA-2883-1}
- uriparser 0.9.6+dfsg-1
NOTE: https://github.com/uriparser/uriparser/issues/121
NOTE: https://github.com/uriparser/uriparser/commit/b1a34743bc1472e055d886e29e9b53f670eb3282 (uriparser-0.9.6)
@@ -3565,7 +3610,7 @@ CVE-2021-45947 (Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release (calle
NOT-FOR-US: wasm3
CVE-2021-45946 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Co ...)
NOT-FOR-US: wasm3
-CVE-2021-45945 (uWebSockets 19.0.0 through 20.8.0 has an out-of-bounds write in std::_ ...)
+CVE-2021-45945 (** DISPUTED ** uWebSockets 19.0.0 through 20.8.0 has an out-of-bounds ...)
NOT-FOR-US: uWebSockets
CVE-2021-45944 (Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in sampl ...)
{DSA-5038-1 DLA-2879-1}
@@ -3622,6 +3667,7 @@ CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertib
NOTE: https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81 (2.9.1)
TODO: check correctness of commit, might not affect any Debian released version
CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-o ...)
+ {DLA-2885-1}
- qtsvg-opensource-src 5.15.2-4 (bug #1002991)
[bullseye] - qtsvg-opensource-src <no-dsa> (Minor issue)
[buster] - qtsvg-opensource-src <no-dsa> (Minor issue)
@@ -4505,8 +4551,8 @@ CVE-2021-4173 (vim is vulnerable to Use After Free ...)
NOTE: Fixed by: https://github.com/vim/vim/commit/9c23f9bb5fe435b28245ba8ac65aa0ca6b902c04 (v8.2.3902)
CVE-2021-4172
RESERVED
-CVE-2021-4171
- RESERVED
+CVE-2021-4171 (calibre-web is vulnerable to Business Logic Errors ...)
+ TODO: check
CVE-2021-45679 (Certain NETGEAR devices are affected by privilege escalation. This aff ...)
NOT-FOR-US: Netgear
CVE-2021-45678 (NETGEAR RAX200 devices before 1.0.5.132 are affected by insecure code. ...)
@@ -4944,8 +4990,8 @@ CVE-2021-4166 (vim is vulnerable to Out-of-bounds Read ...)
NOTE: https://github.com/vim/vim/commit/6f98371532fcff911b462d51bc64f2ce8a6ae682 (v8.2.3884)
CVE-2021-4165
RESERVED
-CVE-2021-4164
- RESERVED
+CVE-2021-4164 (calibre-web is vulnerable to Cross-Site Request Forgery (CSRF) ...)
+ TODO: check
CVE-2021-4163
RESERVED
CVE-2021-4162 (archivy is vulnerable to Cross-Site Request Forgery (CSRF) ...)
@@ -10355,25 +10401,25 @@ CVE-2022-21666 (Useful Simple Open-Source CMS (USOC) is a content management sys
CVE-2022-21665
RESERVED
CVE-2022-21664 (WordPress is a free and open-source content management system written ...)
- {DSA-5039-1}
+ {DSA-5039-1 DLA-2884-1}
- wordpress 5.8.3+dfsg1-1 (bug #1003243)
NOTE: https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
NOTE: https://github.com/WordPress/wordpress-develop/commit/c09ccfbc547d75b392dbccc1ef0b4442ccd3c957
CVE-2022-21663 (WordPress is a free and open-source content management system written ...)
- {DSA-5039-1}
+ {DSA-5039-1 DLA-2884-1}
- wordpress 5.8.3+dfsg1-1 (bug #1003243)
NOTE: https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
NOTE: https://hackerone.com/reports/541469
CVE-2022-21662 (WordPress is a free and open-source content management system written ...)
- {DSA-5039-1}
+ {DSA-5039-1 DLA-2884-1}
- wordpress 5.8.3+dfsg1-1 (bug #1003243)
NOTE: https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
NOTE: https://hackerone.com/reports/425342
CVE-2022-21661 (WordPress is a free and open-source content management system written ...)
- {DSA-5039-1}
+ {DSA-5039-1 DLA-2884-1}
- wordpress 5.8.3+dfsg1-1 (bug #1003243)
NOTE: https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
@@ -18253,8 +18299,8 @@ CVE-2021-42010
RESERVED
CVE-2021-42009 (An authenticated Apache Traffic Control Traffic Ops user with Portal-l ...)
NOT-FOR-US: Apache Traffic Control
-CVE-2021-3862
- RESERVED
+CVE-2021-3862 (icecoder is vulnerable to Improper Neutralization of Input During Web ...)
+ TODO: check
CVE-2021-3861
RESERVED
CVE-2021-3860 (JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), is vul ...)
@@ -18344,8 +18390,8 @@ CVE-2021-41974 (Tad Book3 editing book page does not perform identity verificati
NOT-FOR-US: Tad Book3
CVE-2021-3858 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...)
NOT-FOR-US: snipe-it
-CVE-2021-3857
- RESERVED
+CVE-2021-3857 (chaskiq is vulnerable to Improper Neutralization of Input During Web P ...)
+ TODO: check
CVE-2021-41973 (In Apache MINA, a specifically crafted, malformed HTTP request may cau ...)
NOT-FOR-US: Apache MINA
CVE-2021-41972 (Apache Superset up to and including 1.3.1 allowed for database connect ...)
@@ -18577,8 +18623,8 @@ CVE-2021-41867 (An information disclosure vulnerability in OnionShare 2.3 before
TODO: check details, exact fixing commits unclear
CVE-2021-41866 (MyBB before 1.8.28 allows stored XSS because the displayed Template Na ...)
NOT-FOR-US: MyBB
-CVE-2021-3853
- RESERVED
+CVE-2021-3853 (chaskiq is vulnerable to Improper Neutralization of Input During Web P ...)
+ TODO: check
CVE-2021-3852 (growi is vulnerable to Authorization Bypass Through User-Controlled Ke ...)
TODO: check
CVE-2021-41865 (HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authe ...)
@@ -25701,8 +25747,8 @@ CVE-2021-38967 (IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local privileg
NOT-FOR-US: IBM
CVE-2021-38966 (IBM Cloud Pak for Automation 21.0.2 is vulnerable to cross-site script ...)
NOT-FOR-US: IBM
-CVE-2021-38965
- RESERVED
+CVE-2021-38965 (IBM FileNet Content Manager 5.5.4, 5.5.6, and 5.5.7 could allow a remo ...)
+ TODO: check
CVE-2021-38964
RESERVED
CVE-2021-38963
@@ -40065,8 +40111,8 @@ CVE-2021-33042
RESERVED
CVE-2021-33041 (vmd through 1.34.0 allows 'div class="markdown-body"' XSS, as demonstr ...)
NOT-FOR-US: vmd
-CVE-2021-33040
- RESERVED
+CVE-2021-33040 (managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows X ...)
+ TODO: check
CVE-2021-33039
RESERVED
CVE-2021-33038 (An issue was discovered in management/commands/hyperkitty_import.py in ...)
@@ -44937,6 +44983,7 @@ CVE-2021-31217 (In SolarWinds DameWare Mini Remote Control Server 12.0.1.200, in
CVE-2021-31216 (Siren Investigate before 11.1.1 contains a server side request forgery ...)
NOT-FOR-US: Siren Investigate
CVE-2021-31215 (SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11. ...)
+ {DLA-2886-1}
- slurm-wlm 20.11.7+really20.11.4-2 (bug #988439)
- slurm-llnl <removed>
[buster] - slurm-llnl <no-dsa> (Minor issue)
@@ -48481,6 +48528,7 @@ CVE-2021-3482 (A flaw was found in Exiv2 in versions before and including 0.27.4
NOTE: https://github.com/Exiv2/exiv2/commit/cac151ec052d44da3dc779e9e4028e581acb128a
CVE-2021-3481 [Out of bounds read in function QRadialFetchSimd from crafted svg file]
RESERVED
+ {DLA-2885-1}
- qtsvg-opensource-src 5.15.2-3 (bug #986798)
[buster] - qtsvg-opensource-src <no-dsa> (Minor issue)
- qt4-x11 <removed>
@@ -60735,20 +60783,20 @@ CVE-2021-25069
RESERVED
CVE-2021-25068
RESERVED
-CVE-2021-25067
- RESERVED
+CVE-2021-25067 (The Landing Page Builder WordPress plugin before 1.4.9.6 was affected ...)
+ TODO: check
CVE-2021-25066
RESERVED
-CVE-2021-25065
- RESERVED
+CVE-2021-25065 (The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was a ...)
+ TODO: check
CVE-2021-25064
RESERVED
CVE-2021-25063
RESERVED
CVE-2021-25062
RESERVED
-CVE-2021-25061
- RESERVED
+CVE-2021-25061 (The WP Booking System WordPress plugin before 2.0.15 was affected by a ...)
+ TODO: check
CVE-2021-25060
RESERVED
CVE-2021-25059
@@ -60777,8 +60825,8 @@ CVE-2021-25048
RESERVED
CVE-2021-25047 (The 10Web Social Photo Feed WordPress plugin before 1.4.29 was affecte ...)
NOT-FOR-US: WordPress plugin
-CVE-2021-25046
- RESERVED
+CVE-2021-25046 (The Modern Events Calendar Lite WordPress plugin before 6.2.0 alloed a ...)
+ TODO: check
CVE-2021-25045
RESERVED
CVE-2021-25044
@@ -60795,10 +60843,10 @@ CVE-2021-25039
RESERVED
CVE-2021-25038
RESERVED
-CVE-2021-25037
- RESERVED
-CVE-2021-25036
- RESERVED
+CVE-2021-25037 (The All in One SEO WordPress plugin before 4.1.5.3 is affected by an a ...)
+ TODO: check
+CVE-2021-25036 (The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Pr ...)
+ TODO: check
CVE-2021-25035
RESERVED
CVE-2021-25034
@@ -60819,10 +60867,10 @@ CVE-2021-25027 (The PowerPack Addons for Elementor WordPress plugin before 2.6.2
NOT-FOR-US: WordPress plugin
CVE-2021-25026
RESERVED
-CVE-2021-25025
- RESERVED
-CVE-2021-25024
- RESERVED
+CVE-2021-25025 (The EventCalendar WordPress plugin before 1.1.51 does not have proper ...)
+ TODO: check
+CVE-2021-25024 (The EventCalendar WordPress plugin before 1.1.51 does not escape some ...)
+ TODO: check
CVE-2021-25023 (The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress ...)
NOT-FOR-US: WordPress plugin
CVE-2021-25022 (The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.6 ...)
@@ -60859,8 +60907,8 @@ CVE-2021-25007
RESERVED
CVE-2021-25006
RESERVED
-CVE-2021-25005
- RESERVED
+CVE-2021-25005 (The SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and e ...)
+ TODO: check
CVE-2021-25004
RESERVED
CVE-2021-25003
@@ -61051,8 +61099,8 @@ CVE-2021-24911
RESERVED
CVE-2021-24910
RESERVED
-CVE-2021-24909
- RESERVED
+CVE-2021-24909 (The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not san ...)
+ TODO: check
CVE-2021-24908 (The Check & Log Email WordPress plugin before 1.0.4 does not escap ...)
NOT-FOR-US: WordPress plugin
CVE-2021-24907 (The Contact Form, Drag and Drop Form Builder for WordPress plugin befo ...)
@@ -61193,8 +61241,8 @@ CVE-2021-24840 (The Squaretype WordPress theme before 3.0.4 allows unauthenticat
NOT-FOR-US: WordPress theme
CVE-2021-24839
RESERVED
-CVE-2021-24838
- RESERVED
+CVE-2021-24838 (The AnyComment WordPress plugin through 0.2.17 has an API endpoint whi ...)
+ TODO: check
CVE-2021-24837
RESERVED
CVE-2021-24836 (The Temporary Login Without Password WordPress plugin before 1.7.1 doe ...)
@@ -85078,7 +85126,7 @@ CVE-2020-27746 (Slurm before 19.05.8 and 20.x before 20.02.6 exposes Sensitive I
NOTE: slurm-wlm/20.02.6-1 changed the source package name and included the fix
NOTE: Introduced by: https://github.com/SchedMD/slurm/commit/e3140b7f8d96ced9dc85089caa65dd7c6be396fd (slurm-17-11-0-0rc1)
CVE-2020-27745 (Slurm before 19.05.8 and 20.x before 20.02.6 has an RPC Buffer Overflo ...)
- {DSA-4841-1}
+ {DSA-4841-1 DLA-2886-1}
- slurm-wlm <not-affected> (Fixed with first upload to Debian with renamed source package)
- slurm-llnl <removed> (bug #974721)
NOTE: https://www.schedmd.com/news.php?id=240
@@ -120689,7 +120737,7 @@ CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020-
CVE-2020-12694
RESERVED
CVE-2020-12693 (Slurm 19.05.x before 19.05.7 and 20.02.x before 20.02.3, in the rare c ...)
- {DSA-4841-1}
+ {DSA-4841-1 DLA-2886-1}
- slurm-wlm <not-affected> (Fixed with first upload to Debian with renamed source package)
- slurm-llnl <removed> (bug #961406)
[jessie] - slurm-llnl <not-affected> (Message Aggregation added in 14.11)
@@ -175600,7 +175648,7 @@ CVE-2019-12839 (In OrangeHRM 4.3.1 and before, there is an input validation erro
CVE-2013-7472 (The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via t ...)
NOT-FOR-US: "Count per Day" plugin for WordPress
CVE-2019-12838 (SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL ...)
- {DSA-4572-1 DLA-2143-1}
+ {DSA-4572-1 DLA-2886-1 DLA-2143-1}
- slurm-llnl 19.05.3.2-1 (bug #931880)
NOTE: https://github.com/SchedMD/slurm/commit/afa7d743f407c60a7c8a4bd98a10be32c82988b5
NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/000025.html
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2c38b1d5666188aeecb378caa104d6c0770eb90
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2c38b1d5666188aeecb378caa104d6c0770eb90
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220117/ecc9a047/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list