[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Jul 5 12:58:53 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
87080950 by Moritz Muehlenhoff at 2022-07-05T13:58:25+02:00
buster/bullseye triage
add reference for openssl issue
- - - - -
2 changed files:
- data/CVE/list
- data/embedded-code-copies
Changes:
=====================================
data/CVE/list
=====================================
@@ -898,6 +898,7 @@ CVE-2022-2274 (The OpenSSL 3.0.4 release introduced a serious bug in the RSA imp
[buster] - openssl <not-affected> (Vulnerable code not present)
NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4d8a88c134df634ba610ff8db1eb8478ac5fd345
NOTE: https://github.com/openssl/openssl/issues/18625
+ NOTE: https://www.openssl.org/news/secadv/20220705.txt
CVE-2022-2273
RESERVED
CVE-2022-2272
@@ -13816,10 +13817,11 @@ CVE-2022-30047 (Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection v
CVE-2022-30046
RESERVED
CVE-2022-30045 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...)
- - mapcache <unfixed> (bug #1014389)
+ - mapcache <unfixed> (unimportant; bug #1014389)
- navit <unfixed> (bug #1014390)
- scilab <unfixed> (bug #1014391)
NOTE: https://sourceforge.net/p/ezxml/bugs/29/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2022-30044
RESERVED
CVE-2022-30043
@@ -80464,9 +80466,7 @@ CVE-2021-31599 (An issue was discovered in Hitachi Vantara Pentaho through 9.1 a
NOT-FOR-US: Hitachi
CVE-2021-31598 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...)
{DLA-2705-1}
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
[stretch] - mapcache <no-dsa> (Minor issue)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
@@ -80479,6 +80479,7 @@ CVE-2021-31598 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/28/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2021-31597 (The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL c ...)
- node-xmlhttprequest-ssl <unfixed>
[buster] - node-xmlhttprequest-ssl <ignored> (Minor issue, should possibly be removed from stable as well)
@@ -81114,10 +81115,7 @@ CVE-2021-31349 (The usage of an internal HTTP header created an authentication b
NOT-FOR-US: Juniper
CVE-2021-31348 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...)
{DLA-2705-1}
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -81129,12 +81127,10 @@ CVE-2021-31348 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/27/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2021-31347 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...)
{DLA-2705-1}
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -81146,6 +81142,7 @@ CVE-2021-31347 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/27/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2021-31346 (A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All ...)
NOT-FOR-US: Siemens
CVE-2021-31345 (A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All ...)
@@ -81433,10 +81430,7 @@ CVE-2021-31230
RESERVED
CVE-2021-31229 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...)
{DLA-2705-1}
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -81448,6 +81442,7 @@ CVE-2021-31229 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/26/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2021-31228 (An issue was discovered in HCC embedded InterNiche 4.0.1. This vulnera ...)
NOT-FOR-US: HCC embedded InterNiche
CVE-2021-31227 (An issue was discovered in HCC embedded InterNiche 4.0.1. A potential ...)
@@ -83551,10 +83546,7 @@ CVE-2021-30486 (SysAid 20.3.64 b14 is affected by Blind and Stacker SQL injectio
NOT-FOR-US: SysAid
CVE-2021-30485 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...)
{DLA-2705-1}
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -83566,6 +83558,7 @@ CVE-2021-30485 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/25
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2021-30484
RESERVED
CVE-2021-30483 (isomorphic-git before 1.8.2 allows Directory Traversal via a crafted r ...)
@@ -94275,10 +94268,7 @@ CVE-2021-26224 (Cross-site scripting (XSS) vulnerability in SourceCodester Fanta
CVE-2021-26223 (SQL injection vulnerability in SourceCodester CASAP Automated Enrollme ...)
NOT-FOR-US: SourceCodester CASAP Automated Enrollment System
CVE-2021-26222 (The ezxml_new function in ezXML 0.8.6 and earlier is vulnerable to OOB ...)
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -94291,11 +94281,9 @@ CVE-2021-26222 (The ezxml_new function in ezXML 0.8.6 and earlier is vulnerable
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/22/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2021-26221 (The ezxml_new function in ezXML 0.8.6 and earlier is vulnerable to OOB ...)
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -94308,11 +94296,9 @@ CVE-2021-26221 (The ezxml_new function in ezXML 0.8.6 and earlier is vulnerable
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/21/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2021-26220 (The ezxml_toxml function in ezxml 0.8.6 and earlier is vulnerable to O ...)
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -94325,6 +94311,7 @@ CVE-2021-26220 (The ezxml_toxml function in ezxml 0.8.6 and earlier is vulnerabl
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/223/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2021-26219
RESERVED
CVE-2021-26218
@@ -178744,10 +178731,7 @@ CVE-2019-20203 (The Authorized Addresses feature in the Postie plugin 1.9.40 for
CVE-2020-5179 (Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated admi ...)
NOT-FOR-US: Comtech Stampede FX-1010 7.4.3 devices
CVE-2019-20202 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -178760,11 +178744,9 @@ CVE-2019-20202 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/17/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2019-20201 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The ezxml_parse_ ...)
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -178777,11 +178759,9 @@ CVE-2019-20201 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The ezxml_
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/16/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2019-20200 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -178794,11 +178774,9 @@ CVE-2019-20200 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/19/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2019-20199 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -178811,11 +178789,9 @@ CVE-2019-20199 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/18/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2019-20198 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -178828,6 +178804,7 @@ CVE-2019-20198 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/20/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2020-5178
RESERVED
CVE-2020-5177
@@ -181908,10 +181885,7 @@ CVE-2019-20009 (An issue was discovered in GNU LibreDWG before 0.93. Crafted inp
CVE-2019-20008 (In Archery before 1.3, inserting an XSS payload into a project name (e ...)
NOT-FOR-US: Archery
CVE-2019-20007 (An issue was discovered in ezXML 0.8.2 through 0.8.6. The function ezx ...)
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -181924,11 +181898,9 @@ CVE-2019-20007 (An issue was discovered in ezXML 0.8.2 through 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/13/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2019-20006 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -181941,11 +181913,9 @@ CVE-2019-20006 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/15/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2019-20005 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- - mapcache <unfixed> (bug #989363)
- [bullseye] - mapcache <no-dsa> (Minor issue)
- [buster] - mapcache <no-dsa> (Minor issue)
- [stretch] - mapcache <no-dsa> (Minor issue)
+ - mapcache <unfixed> (unimportant; bug #989363)
- scilab <unfixed> (bug #989364)
[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
@@ -181958,6 +181928,7 @@ CVE-2019-20005 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The functi
[bullseye] - netcdf-parallel <no-dsa> (Minor issue)
[buster] - netcdf-parallel <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/ezxml/bugs/14/
+ NOTE: mapcache only uses ezxml to parse config files which are trusted
CVE-2019-20004 (An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. When the ...)
NOT-FOR-US: Intelbras
CVE-2019-20003 (Feldtech easescreen Crystal 9.0 Web-Services 9.0.1.16265 allows Stored ...)
=====================================
data/embedded-code-copies
=====================================
@@ -3495,6 +3495,7 @@ ezxml (not packaged in Debian; no ITP)
- netcdf-parallel <unfixed> (embed; bug #989361)
- navit <not-affected> (embed; bug #989362)
- mapcache <unfixed> (embed; bug #989363)
+ NOTE: mapcache only uses ezxml to parse config file, doesn't trust any trust boundary, no need to file bugs
- scilab <unfixed> (embed; bug #989364)
libstb
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/870809503daeedbaddd825dff6f1c46113aec776
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/870809503daeedbaddd825dff6f1c46113aec776
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220705/39845f9b/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list