[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Jan 26 10:56:05 GMT 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3db1fe1a by Moritz Muehlenhoff at 2022-01-26T11:55:52+01:00
buster/bullseye triage
remove node-matrix-js-sdk for CVE-2021-44538, seems unrelated
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -131,6 +131,8 @@ CVE-2022-23936
RESERVED
CVE-2022-23935 (lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ / ...)
- libimage-exiftool-perl 12.38+dfsg-1
+ [bullseye] - libimage-exiftool-perl <no-dsa> (Minor issue)
+ [buster] - libimage-exiftool-perl <no-dsa> (Minor issue)
NOTE: https://github.com/exiftool/exiftool/commit/74dbab1d2766d6422bb05b033ac6634bf8d1f582 (12.38)
CVE-2022-23934
RESERVED
@@ -3432,35 +3434,46 @@ CVE-2022-22896
RESERVED
CVE-2022-22895 (Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ...)
- iotjs <unfixed> (bug #1004298)
+ [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4850
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4882
CVE-2022-22894 (Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_ ...)
- iotjs <unfixed> (bug #1004298)
+ [bullseye] - iotjs <no-dsa> (Minor issue)
+ [buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4890
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4899
CVE-2022-22893 (Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_lo ...)
- iotjs <unfixed> (bug #1004298)
+ [bullseye] - iotjs <no-dsa> (Minor issue)
+ [buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4901
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4945
CVE-2022-22892 (There is an Assertion 'ecma_is_value_undefined (value) || ecma_is_valu ...)
- iotjs <unfixed> (bug #1004298)
+ [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4872
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4878
CVE-2022-22891 (Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via e ...)
- iotjs <unfixed> (bug #1004298)
+ [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4871
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4885
CVE-2022-22890 (There is an Assertion 'arguments_type != SCANNER_ARGUMENTS_PRESENT &am ...)
- iotjs <unfixed> (bug #1004298)
+ [bullseye] - iotjs <no-dsa> (Minor issue)
+ [buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4849
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4847
CVE-2022-22889
RESERVED
CVE-2022-22888 (Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_ ...)
- iotjs <unfixed> (bug #1004298)
+ [bullseye] - iotjs <no-dsa> (Minor issue)
+ [buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4877
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4848
CVE-2022-22887
@@ -8143,6 +8156,8 @@ CVE-2021-45341 (A buffer overflow vulnerability in CDataMoji of the jwwlib compo
NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/f3502963eaf379a429bc9da73c1224c5db649997
CVE-2021-45340 (In Libsixel prior to and including v1.10.3, a NULL pointer dereference ...)
- libsixel <unfixed> (bug #1004377)
+ [bullseye] - libsixel <no-dsa> (Minor issue)
+ [buster] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/libsixel/libsixel/issues/51
NOTE: Fixed by: https://github.com/libsixel/libsixel/pull/52
CVE-2021-45339 (Privilege escalation vulnerability in Avast Antivirus prior to 20.4 al ...)
@@ -10914,7 +10929,6 @@ CVE-2021-44538 (The olm_session_describe function in Matrix libolm before 3.2.7
- olm 3.2.8~dfsg-1 (bug #1001664)
[bullseye] - olm <no-dsa> (Minor issue)
[buster] - olm <not-affected> (Vulnerable code introduced later)
- - node-matrix-js-sdk <unfixed>
- thunderbird 1:91.4.1-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-55/#CVE-2021-44538
NOTE: https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk/
=====================================
data/dsa-needed.txt
=====================================
@@ -28,6 +28,8 @@ linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more recent v4.19.y versions.
--
+minetest
+--
ndpi/oldstable
--
nodejs (jmm)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3db1fe1ab2c140906022a463cf18046ebbdd8aca
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3db1fe1ab2c140906022a463cf18046ebbdd8aca
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220126/bb0e2764/attachment.htm>
More information about the debian-security-tracker-commits
mailing list