[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Jul 8 13:28:41 BST 2022 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f808e6c8 by Moritz Muehlenhoff at 2022-07-08T14:27:59+02:00
buster/bullseye triage
cyclonedds/fastdds fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -18819,11 +18819,10 @@ CVE-2022-28508 (An XSS issue was discovered in browser_search_plugin.php in Mant
 CVE-2022-28507 (Dragon Path Technologies Bharti Airtel Routers Hardware BDT-121 versio ...)
 	NOT-FOR-US: Dragon Path Technologies Bharti Airtel Routers Hardware BDT-121
 CVE-2022-28506 (There is a heap-buffer-overflow in GIFLIB 5.2.1 function DumpScreen2RG ...)
-	- giflib <unfixed>
-	[bullseye] - giflib <no-dsa> (Minor issue)
-	[buster] - giflib <no-dsa> (Minor issue)
-	[stretch] - giflib <no-dsa> (Minor issue)
+	- giflib <unfixed> (unimportant)
 	NOTE: https://sourceforge.net/p/giflib/bugs/159/
+	NOTE: https://sourceforge.net/p/giflib/code/merge-requests/11/
+	NOTE: Specific to gif2rgb. Crash in CLI tool, no security impact
 CVE-2022-28505 (Jfinal_cms 5.1.0 is vulnerable to SQL Injection via com.jflyfox.system ...)
 	NOT-FOR-US: Jfinal_cms
 CVE-2022-28504
@@ -58275,11 +58274,9 @@ CVE-2021-40635 (OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch
 CVE-2021-40634
 	RESERVED
 CVE-2021-40633 (A memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5 ...)
-	- giflib <unfixed>
-	[bullseye] - giflib <no-dsa> (Minor issue)
-	[buster] - giflib <no-dsa> (Minor issue)
-	[stretch] - giflib <no-dsa> (Minor issue)
+	- giflib <unfixed> (unimportant)
 	NOTE: https://sourceforge.net/p/giflib/bugs/157/
+	NOTE: Specific to gif2rgb. Crash in CLI tool, no security impact
 CVE-2021-40632
 	RESERVED
 CVE-2021-40631
@@ -63764,19 +63761,19 @@ CVE-2021-38445 (OCI OpenDDS versions prior to 3.18.1 do not handle a length para
 CVE-2021-38444
 	RESERVED
 CVE-2021-38443 (Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid s ...)
-	- cyclonedds <undetermined>
+	- cyclonedds 0.8.1-2
+	[bullseye] - cyclonedds <no-dsa> (Minor issue)
 	NOTE: No mention of CVE upstream
 	NOTE: https://projects.eclipse.org/projects/iot.cyclonedds
 	NOTE: https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02
-	TODO: check for upstream commit
 CVE-2021-38442 (FATEK Automation WinProladder versions 3.30 and prior lacks proper val ...)
 	NOT-FOR-US: FATEK Automation
 CVE-2021-38441 (Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-w ...)
-	- cyclonedds <undetermined>
+	- cyclonedds 0.8.1-2
+	[bullseye] - cyclonedds <no-dsa> (Minor issue)
 	NOTE: No mention of CVE upstream
 	NOTE: https://projects.eclipse.org/projects/iot.cyclonedds
 	NOTE: https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02
-	TODO: check for upstream commit
 CVE-2021-38440 (FATEK Automation WinProladder versions 3.30 and prior is vulnerable to ...)
 	NOT-FOR-US: FATEK Automation
 CVE-2021-38439 (All versions of GurumDDS are vulnerable to heap-based buffer overflow, ...)
@@ -63808,10 +63805,11 @@ CVE-2021-38427 (RTI Connext DDS Professional and Connext DDS Secure Versions 4.2
 CVE-2021-38426 (FATEK Automation WinProladder versions 3.30 and prior lacks proper val ...)
 	NOT-FOR-US: FATEK Automation
 CVE-2021-38425 (eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to e ...)
-	- fastdds <unfixed>
+	- fastdds 2.6.1+ds-1
 	[bullseye] - fastdds <no-dsa> (Minor issue)
 	NOTE: https://github.com/eProsima/Fast-DDS/issues/2267
 	NOTE: https://github.com/eProsima/Fast-DDS/pull/2269
+	NOTE: https://github.com/eProsima/Fast-DDS/commit/01550cfa1b8313c4cb39529960b41f95e4820312
 	NOTE: https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02
 CVE-2021-38424 (The tag interface of Delta Electronics DIALink versions 1.2.4.0 and pr ...)
 	NOT-FOR-US: Delta Electronics DIALink



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f808e6c84e6e3672c539fa964edade80b20ca059

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f808e6c84e6e3672c539fa964edade80b20ca059
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220708/4958a4b3/attachment.htm>

More information about the debian-security-tracker-commits mailing list