[Git][security-tracker-team/security-tracker][master] 4 commits: Add CVE-2021-44118 and CVE-2021-44123 to DSA 5028-1 and DLA 2867-1

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon Jan 31 16:17:22 GMT 2022 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fe894492 by Salvatore Bonaccorso at 2022-01-31T17:13:58+01:00
Add CVE-2021-44118 and CVE-2021-44123 to DSA 5028-1 and DLA 2867-1

- - - - -
7ebaff31 by Salvatore Bonaccorso at 2022-01-31T17:14:57+01:00
Drop temporary tracking entry for spip

- - - - -
877cf516 by Salvatore Bonaccorso at 2022-01-31T17:15:27+01:00
Add blogpost reference for spip announce

- - - - -
fdfd35a2 by Salvatore Bonaccorso at 2022-01-31T17:16:59+01:00
Merge remote-tracking branch 'origin/master'

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -10004,13 +10004,6 @@ CVE-2021-23157 (WECON LeviStudioU Versions 2019-09-21 and prior are vulnerable t
 	NOT-FOR-US: WECON LeviStudioU
 CVE-2021-23138 (WECON LeviStudioU Versions 2019-09-21 and prior are vulnerable to a st ...)
 	NOT-FOR-US: WECON LeviStudioU
-CVE-2021-XXXX [several SQL injection, remote code execution, XSS issues]
-	- spip 3.2.12-1
-	[bullseye] - spip 3.2.11-3+deb11u1
-	[buster] - spip 3.2.4-1+deb10u5
-	[stretch] - spip 3.1.4-4~deb9u4+deb9u2
-	NOTE: For the collection of issues fixed in DSA 5028-1
-	NOTE: https://blog.spip.net/SPIP-4-0-1_SPIP-3-1-12.html
 CVE-2021-45379 (Glewlwyd 2.0.0, fixed in 2.6.1 is affected by an incorrect access cont ...)
 	- glewlwyd 2.6.1-1
 	[bullseye] - glewlwyd <no-dsa> (Minor issue; can be fixed via point release)
@@ -13220,11 +13213,13 @@ CVE-2021-44123 (SPIP 4.0.0 is affected by a remote command execution vulnerabili
 	- spip 3.2.12-1
 	NOTE: https://git.spip.net/spip/spip/commit/1cf91def15966406ddd0488cf9d1ecd1ae82d47a (master)
 	NOTE: https://git.spip.net/spip/spip/commit/97e2888e9c92ad4bd68e8f80079583249714fbfa (v4.0.1)
+	NOTE: https://blog.spip.net/SPIP-4-0-1_SPIP-3-1-12.html
 CVE-2021-44122 (SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerab ...)
 	{DSA-5028-1 DLA-2867-1}
 	- spip 3.2.12-1
 	NOTE: https://git.spip.net/spip/spip/commit/1b8e4f404c2441c15ca6540b9a6d8e50cff219db
 	NOTE: https://git.spip.net/spip/spip/commit/fea5b5b4507cc9c0b9e91bbfbf34fe40b0bea805 (v3.2.12)
+	NOTE: https://blog.spip.net/SPIP-4-0-1_SPIP-3-1-12.html
 CVE-2021-44121
 	REJECTED
 CVE-2021-44120 (SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability i ...)
@@ -13232,6 +13227,7 @@ CVE-2021-44120 (SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerabi
 	- spip 3.2.12-1
 	NOTE: https://git.spip.net/spip/spip/commit/d548391d799387d1e93cf1a369d385c72f7d5c81
 	NOTE: https://git.spip.net/spip/spip/commit/361cc26080d1377bc55d2cb80736e5cfaf5fd242 (v3.2.12)
+	NOTE: https://blog.spip.net/SPIP-4-0-1_SPIP-3-1-12.html
 CVE-2021-44119
 	RESERVED
 CVE-2021-44118 (SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability.  ...)
@@ -13240,7 +13236,7 @@ CVE-2021-44118 (SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerabi
 	NOTE: https://git.spip.net/spip/medias/commit/13c293fabd35e2c152379522c29432423936cbba
 	NOTE: https://git.spip.net/spip/spip/commit/1cf91def15966406ddd0488cf9d1ecd1ae82d47a
 	NOTE: https://git.spip.net/spip/spip/commit/4ccf90a6912d7fab97e1bd5619770c9236cc7357
-	TODO: check details
+	NOTE: https://blog.spip.net/SPIP-4-0-1_SPIP-3-1-12.html
 CVE-2021-44117
 	RESERVED
 CVE-2021-44116 (Cross Site Scripting (XSS) vulnerability exits in Anchor CMS <=0.12 ...)


=====================================
data/DLA/list
=====================================
@@ -119,7 +119,7 @@
 [29 Dec 2021] DLA-2857-2 postgis - regression update
 	[stretch] - postgis 2.3.1+dfsg-2+deb9u2
 [29 Dec 2021] DLA-2867-1 spip - security update
-	{CVE-2021-44120 CVE-2021-44122}
+	{CVE-2021-44118 CVE-2021-44120 CVE-2021-44122 CVE-2021-44123}
 	[stretch] - spip 3.1.4-4~deb9u4+deb9u2
 [29 Dec 2021] DLA-2866-1 uw-imap - security update
 	{CVE-2018-19518}


=====================================
data/DSA/list
=====================================
@@ -134,7 +134,7 @@
 	[buster] - sogo 4.0.7-1+deb10u2
 	[bullseye] - sogo 5.0.1-4+deb11u1
 [22 Dec 2021] DSA-5028-1 spip - security update
-	{CVE-2021-44120 CVE-2021-44122 CVE-2021-44123 CVE-2021-44118}
+	{CVE-2021-44118 CVE-2021-44120 CVE-2021-44122 CVE-2021-44123}
 	[buster] - spip 3.2.4-1+deb10u5
 	[bullseye] - spip 3.2.11-3+deb11u1
 [21 Dec 2021] DSA-5027-1 xorg-server - security update



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ad0538b7ee90fa8096bac3ccc31a61b54f4a3c9e...fdfd35a219ee0f1120a57847783b1ddcbb63b900

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ad0538b7ee90fa8096bac3ccc31a61b54f4a3c9e...fdfd35a219ee0f1120a57847783b1ddcbb63b900
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220131/a82fd36e/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list