[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Jul 8 10:24:11 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
62406382 by Moritz Muehlenhoff at 2022-07-08T11:23:00+02:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3854,10 +3854,16 @@ CVE-2022-2122
 	RESERVED
 CVE-2022-2121 (OFFIS DCMTK's (All versions prior to 3.6.7) has a NULL pointer derefer ...)
 	- dcmtk <unfixed> (bug #1014044)
+	[bullseye] - dcmtk <no-dsa> (Minor issue)
+	[buster] - dcmtk <no-dsa> (Minor issue)
 CVE-2022-2120 (OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) i ...)
 	- dcmtk <unfixed> (bug #1014044)
+	[bullseye] - dcmtk <no-dsa> (Minor issue)
+	[buster] - dcmtk <no-dsa> (Minor issue)
 CVE-2022-2119 (OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SC ...)
 	- dcmtk <unfixed> (bug #1014044)
+	[bullseye] - dcmtk <no-dsa> (Minor issue)
+	[buster] - dcmtk <no-dsa> (Minor issue)
 CVE-2022-2118
 	RESERVED
 CVE-2014-125025 (A vulnerability classified as problematic has been found in FFmpeg 2.0 ...)
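Review bot: the three dcmtk entries (CVE-2022-2121, CVE-2022-2120, CVE-2022-2119) receive identical <no-dsa> (Minor issue) markers for bullseye and buster, but none of them carries a NOTE line pointing at the upstream fix, even though each description states the issue is fixed in 3.6.7; a NOTE with the upstream fix reference on each entry would make the eventual point-release update easier to prepare. Since all three share bug #1014044 they are evidently tracked together, so one reference per entry is sufficient.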
@@ -9669,7 +9675,6 @@ CVE-2022-31627
 CVE-2022-31626 (In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x belo ...)
 	- php8.1 8.1.7-1 (bug #1014533)
 	- php7.4 <removed>
-	[bullseye] - php7.4 <postponed> (Minor issue, fix along with next security release)
 	- php7.3 <removed>
 	[buster] - php7.3 <postponed> (Minor issue, fix along with next security release)
 	- php7.0 <removed>
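Review bot: removing the [bullseye] php7.4 <postponed> line for CVE-2022-31626 turns the entry back into an open bullseye issue, which matches the php7.4 line added to data/dsa-needed.txt in this same commit; the [buster] php7.3 <postponed> line directly below is left in place, so buster stays deferred while bullseye is now queued for a DSA. If that split is intended, a short NOTE stating that bullseye is being handled via DSA would stop the entry from reading as half-triaged to the next person looking at it.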
@@ -9679,7 +9684,6 @@ CVE-2022-31626 (In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.
 CVE-2022-31625 (In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x belo ...)
 	- php8.1 8.1.7-1 (bug #1014533)
 	- php7.4 <removed>
-	[bullseye] - php7.4 <postponed> (Minor issue, fix along with next security release)
 	- php7.3 <removed>
 	[buster] - php7.3 <postponed> (Minor issue, fix along with next security release)
 	- php7.0 <removed>
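Review bot: same change as the preceding hunk, here for CVE-2022-31625: the bullseye <postponed> marker for php7.4 is dropped while the buster php7.3 <postponed> line stays, so both PHP CVEs now ride on the single php7.4 DSA that the dsa-needed.txt entry in this commit tracks; when that DSA is released, both entries need to be updated together so neither is left marked as unfixed in bullseye.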
@@ -12637,9 +12641,12 @@ CVE-2022-XXXX [RUSTSEC-2022-0022]
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0022.html
 CVE-2022-XXXX [RUSTSEC-2022-0021]
 	- rust-crossbeam-queue <unfixed>
+	[bullseye] - rust-crossbeam-queue <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0021.html
 CVE-2022-XXXX [RUSTSEC-2022-0019]
 	- rust-crossbeam-channel <unfixed>
+	[bullseye] - rust-crossbeam-channel <no-dsa> (Minor issue)
+	[buster] - rust-crossbeam-channel <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0019.html
 CVE-2022-XXXX [RUSTSEC-2022-0020]
 	- rust-crossbeam <unfixed>
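Review bot: the triage is asymmetric between the two crossbeam entries: RUSTSEC-2022-0021 (rust-crossbeam-queue) gains only a [bullseye] <no-dsa> line, whereas RUSTSEC-2022-0019 (rust-crossbeam-channel) gets both [bullseye] and [buster]; if rust-crossbeam-queue is simply not in buster that is fine, otherwise a [buster] line is missing. The RUSTSEC-2022-0020 entry for rust-crossbeam at the end of the hunk is still shown as a bare <unfixed> with no suite marker, so it is worth confirming whether it was meant to be triaged alongside the other two.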
@@ -28141,9 +28148,11 @@ CVE-2022-25256 (SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonA
 CVE-2022-25255 (In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux ...)
 	- qt6-base <unfixed>
 	- qtbase-opensource-src 5.15.2+dfsg-15
+	[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
 	[buster] - qtbase-opensource-src <ignored> (Breaks existing behaviour and upstream also skipped from 5.12 branch)
 	[stretch] - qtbase-opensource-src <not-affected> (Vulnerable code introduced later)
 	- qtbase-opensource-src-gles <unfixed>
+	[bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
 	[buster] - qtbase-opensource-src-gles <ignored> (Breaks existing behaviour and upstream also skipped from 5.12 branch)
 	NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/393113
 	NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/394914
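Review bot: the new [bullseye] lines for qtbase-opensource-src and qtbase-opensource-src-gles give "Minor issue" as the <no-dsa> rationale, while the buster lines for the same packages are <ignored> because the fix "Breaks existing behaviour" and upstream skipped the 5.12 branch; the two suites are therefore treated differently for the same CVE. If the 5.15 fix referenced by the two codereview NOTE links is considered safe enough for a bullseye point update, saying so in the bullseye rationale would make clear that the difference is deliberate rather than an oversight.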
@@ -63332,13 +63341,19 @@ CVE-2021-38579
 	RESERVED
 CVE-2021-38578 (Existing CommBuffer checks in SmmEntryPoint will not catch underflow w ...)
 	- edk2 <unfixed> (bug #1014468)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
+	[buster] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3387 (private)
 	NOTE: https://edk2.groups.io/g/devel/message/90516
 CVE-2021-38577 (Heap Overflow in BaseBmpSupportLib. ...)
 	- edk2 <unfixed> (bug #1014468)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
+	[buster] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3360 (private)
 CVE-2021-38576 (A BIOS bug in firmware for a particular PC model leaves the Platform a ...)
 	- edk2 <unfixed> (bug #1014468)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
+	[buster] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3499 (private)
 CVE-2021-38575 (NetworkPkg/IScsiDxe has remotely exploitable buffer overflows. ...)
 	- edk2 2021.08-1
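Review bot: for CVE-2021-38576 the description itself reads "A BIOS bug in firmware for a particular PC model", so the question before marking bullseye and buster <no-dsa> (Minor issue) is whether Debian's edk2 build contains the affected code at all; if it does not, <not-affected> with a reason is the more precise tag, as used for other entries in this file. The bugzilla NOTE links on all three entries (CVE-2021-38578, CVE-2021-38577, CVE-2021-38576) are marked (private), so only CVE-2021-38578, which also cites the edk2.groups.io thread, has a publicly checkable reference; a public fix reference on the other two would help whoever prepares the point update.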
@@ -74941,6 +74956,7 @@ CVE-2021-33881 (On NXP MIFARE Ultralight and NTAG cards, an attacker can interru
 	NOT-FOR-US: NXP
 CVE-2021-33880 (The aaugustin websockets library before 9.1 for Python has an Observab ...)
 	- python-websockets 9.1-1 (bug #989561)
+	[bullseye] - python-websockets <no-dsa> (Minor issue)
 	[buster] - python-websockets <not-affected> (Vulnerable code introduced in 8.0)
 	[stretch] - python-websockets <not-affected> (Vulnerable code introduced in 8.0)
 	NOTE: https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0
@@ -90418,6 +90434,8 @@ CVE-2021-28022 (Blind SQL injection in the login form in ServiceTonic Helpdesk s
 	NOT-FOR-US: ServiceTonic
 CVE-2021-28021 (Buffer overflow vulnerability in function stbi__extend_receive in stb_ ...)
 	- libstb <unfixed> (bug #1014530)
+	[bullseye] - libstb <no-dsa> (Minor issue)
+	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1108
 	NOTE: https://github.com/nothings/stb/commit/86b7570cfba845e8209c6aec2d15e487bb1d8bb4
 CVE-2021-28020


=====================================
data/dsa-needed.txt
=====================================
@@ -24,6 +24,8 @@ freecad (aron)
 --
 kicad (jmm)
 --
+kopanocore/oldstable
+--
 librecad
 --
 libpgjava (apo)
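Review bot: kopanocore/oldstable is added without an assignee or an explanatory line, whereas the neighbouring entries kicad (jmm) and libpgjava (apo) carry assignees and the nodejs/oldstable entry further down shows how a status line is written; a line naming the CVE(s) the buster update is meant to cover would help whoever picks this one up.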
@@ -40,6 +42,8 @@ netatalk
 nodejs/oldstable
   one of the upstream fixes doesn't address the security issue	
 --
+php7.4
+--
 php-horde-mime-viewer
 --
 php-horde-turba
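Review bot: php7.4 is added without an explanatory line; the two data/CVE/list hunks in this commit drop the bullseye <postponed> markers for CVE-2022-31626 and CVE-2022-31625, so a one-line note under the entry naming those two CVEs, in the style of the nodejs/oldstable entry above, would let the DSA assignee see at a glance what the update has to cover.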
@@ -62,5 +66,9 @@ unzip
   unclear information, initial report indicates writable memory corruption, but
   some identified patch is just for a NULL deref, needs more clarification
 --
+webkit2gtk (berto)
+--
+wpewebkit/stable (berto)
+--
 xen (jmm)
 --
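Review bot: webkit2gtk (berto) is added without a suite suffix while the adjacent wpewebkit/stable (berto) names stable explicitly; if webkit2gtk is meant for stable only, adding the same suffix would keep the pair consistent, and if it is meant to cover more than one suite, that should be stated as the other suffixed entries in this file (kopanocore/oldstable, nodejs/oldstable) do.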



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/624063824b83ea8f3c0915ecc510cc55702bbede
