[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Jul 15 17:07:27 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
eb904674 by Moritz Muehlenhoff at 2022-07-15T18:07:08+02:00
bugnums
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3985,7 +3985,7 @@ CVE-2022-34302
CVE-2022-34301
RESERVED
CVE-2022-34300 (In tinyexr 1.0.1, there is a heap-based buffer over-read in tinyexr::D ...)
- - tinyexr <unfixed>
+ - tinyexr <unfixed> (bug #1014980)
[bullseye] - tinyexr <no-dsa> (Minor issue)
NOTE: https://github.com/syoyo/tinyexr/issues/167
CVE-2022-34299 (There is a heap-based buffer over-read in libdwarf 0.4.0. This issue i ...)
@@ -19006,9 +19006,8 @@ CVE-2022-1290 (Stored XSS in "Name", "Group Name" & "Title" in GitHub reposi
CVE-2022-1289 (A denial of service vulnerability was found in tildearrow Furnace. It ...)
- furnace <itp> (bug #1008592)
CVE-2022-28890 (A vulnerability in the RDF/XML parser of Apache Jena allows an attacke ...)
- - apache-jena <undetermined>
+ - apache-jena <unfixed> (bug #1014982)
NOTE: https://www.openwall.com/lists/oss-security/2022/05/04/1
- TODO: check, possibly not affected as according to upstrema 4.2.x and 4.3.x doe not allow external entities, double check
CVE-2021-4226
RESERVED
CVE-2022-28889 (In Apache Druid 0.22.1 and earlier, the server did not set appropriate ...)
@@ -19593,7 +19592,7 @@ CVE-2022-1255 (The Import and export users and customers WordPress plugin before
CVE-2022-1254 (A URL redirection vulnerability in Skyhigh SWG in main releases 10.x p ...)
NOT-FOR-US: Skyhigh SWG
CVE-2022-1253 (Heap-based Buffer Overflow in GitHub repository strukturag/libde265 pr ...)
- - libde265 <unfixed>
+ - libde265 <unfixed> (bug #1014977)
[bullseye] - libde265 <no-dsa> (Minor issue)
[buster] - libde265 <no-dsa> (Minor issue)
[stretch] - libde265 <no-dsa> (Minor issue)
@@ -63107,7 +63106,7 @@ CVE-2021-39240 (An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before
NOTE: https://git.haproxy.org/?p=haproxy.git;a=commit;h=4b8852c70d8c4b7e225e24eb58258a15eb54c26e
NOTE: https://git.haproxy.org/?p=haproxy.git;a=commit;h=a495e0d94876c9d39763db319f609351907a31e8
CVE-2021-39239 (A vulnerability in XML processing in Apache Jena, in versions up to 4. ...)
- - apache-jena <undetermined>
+ - apache-jena <unfixed> (bug #1014982)
NOTE: https://lists.apache.org/thread/qpbfrdty7jt3yfm39hx4p9dp151sd6gm
CVE-2021-39238 (Certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise Pag ...)
NOT-FOR-US: HP
@@ -70154,14 +70153,14 @@ CVE-2021-36412 (A heap-based buffer overflow vulnerability exists in MP4Box in G
NOTE: https://github.com/gpac/gpac/issues/1838
NOTE: https://github.com/gpac/gpac/commit/828188475084db87cebc34208b6bd2509709845e (v2.0.0)
CVE-2021-36411 (An issue has been found in libde265 v1.0.8 due to incorrect access con ...)
- - libde265 <unfixed>
+ - libde265 <unfixed> (bug #1014977)
[bullseye] - libde265 <no-dsa> (Minor issue)
[buster] - libde265 <no-dsa> (Minor issue)
[stretch] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/302
NOTE: https://github.com/strukturag/libde265/commit/45904e5667c5bf59c67fcdc586dfba110832894c
CVE-2021-36410 (A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion. ...)
- - libde265 <unfixed>
+ - libde265 <unfixed> (bug #1014977)
[bullseye] - libde265 <no-dsa> (Minor issue)
[buster] - libde265 <no-dsa> (Minor issue)
[stretch] - libde265 <no-dsa> (Minor issue)
@@ -70170,14 +70169,14 @@ CVE-2021-36410 (A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-m
CVE-2021-3641 (Improper Link Resolution Before File Access ('Link Following') vulnera ...)
NOT-FOR-US: Bitdefender
CVE-2021-36409 (There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at ...)
- - libde265 <unfixed>
+ - libde265 <unfixed> (bug #1014977)
[bullseye] - libde265 <no-dsa> (Minor issue)
[buster] - libde265 <no-dsa> (Minor issue)
[stretch] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/300
NOTE: https://github.com/strukturag/libde265/commit/64d591a6c70737604ca3f5791736fc462cbe8a3c
CVE-2021-36408 (An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-f ...)
- - libde265 <unfixed>
+ - libde265 <unfixed> (bug #1014977)
[bullseye] - libde265 <no-dsa> (Minor issue)
[buster] - libde265 <no-dsa> (Minor issue)
[stretch] - libde265 <no-dsa> (Minor issue)
@@ -72629,7 +72628,7 @@ CVE-2021-35454
CVE-2021-35453
RESERVED
CVE-2021-35452 (An Incorrect Access Control vulnerability exists in libde265 v1.0.8 du ...)
- - libde265 <unfixed>
+ - libde265 <unfixed> (bug #1014977)
[bullseye] - libde265 <no-dsa> (Minor issue)
[buster] - libde265 <no-dsa> (Minor issue)
[stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
@@ -73529,7 +73528,7 @@ CVE-2021-35045 (Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, a
CVE-2021-35044
RESERVED
CVE-2021-35043 (OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using ...)
- - libowasp-antisamy-java <unfixed>
+ - libowasp-antisamy-java <unfixed> (bug #1014981)
[bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
[buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
[stretch] - libowasp-antisamy-java <no-dsa> (Minor issue)
@@ -77999,7 +77998,7 @@ CVE-2021-33193 (A crafted method sent through HTTP/2 will bypass validation and
NOTE: https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-33193
CVE-2021-33192 (A vulnerability in the HTML pages of Apache Jena Fuseki allows an atta ...)
- - apache-jena <undetermined>
+ - apache-jena <unfixed> (bug #1014982)
NOTE: https://lists.apache.org/thread/sq6q94q0prqwr9vdm2wptglcq1kv98k8
CVE-2021-33191 (From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements a ...)
NOT-FOR-US: Apache NiFi
@@ -129403,7 +129402,7 @@ CVE-2020-25634 (A flaw was found in Red Hat 3scale’s API docs URL, where i
NOT-FOR-US: 3scale
CVE-2020-25633 (A flaw was found in RESTEasy client in all versions of RESTEasy up to ...)
- resteasy <unfixed> (bug #970585)
- - resteasy3.0 <unfixed>
+ - resteasy3.0 <unfixed> (bug #1014983)
[bullseye] - resteasy3.0 <ignored> (Minor issue)
[buster] - resteasy3.0 <ignored> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1879042
@@ -268755,7 +268754,7 @@ CVE-2018-12689 (phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id
NOTE: Non-security issue as demostrated in https://bugs.debian.org/902186
NOTE: and disputed as security issue. Should be properly rejected by MITRE.
CVE-2018-12688 (tinyexr 0.9.5 has a segmentation fault in the wav2Decode function. ...)
- - tinyexr <unfixed>
+ - tinyexr <unfixed> (bug #1014980)
[bullseye] - tinyexr <no-dsa> (Minor issue)
NOTE: https://github.com/syoyo/tinyexr/issues/83
CVE-2018-12687 (tinyexr 0.9.5 has an assertion failure in DecodePixelData in tinyexr.h ...)
@@ -270816,7 +270815,7 @@ CVE-2018-12067 (The sell function of a smart contract implementation for Substra
CVE-2018-12065 (A Local File Inclusion vulnerability in /system/WCore/WHelper.php in C ...)
NOT-FOR-US: wityCMS
CVE-2018-12064 (tinyexr 0.9.5 has a heap-based buffer over-read via tinyexr::ReadChann ...)
- - tinyexr <undetermined>
+ - tinyexr <unfixed> (bug #1014980)
NOTE: https://github.com/ChijinZ/security_advisories/tree/master/tinyexr_7953aea
CVE-2018-12063 (The sell function of a smart contract implementation for Internet Node ...)
NOT-FOR-US: Internet Node Token
@@ -312995,7 +312994,7 @@ CVE-2017-14737 (A cryptographic cache-based side channel in the RSA implementati
CVE-2017-14736
RESERVED
CVE-2017-14735 (OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstr ...)
- - libowasp-antisamy-java <unfixed>
+ - libowasp-antisamy-java <unfixed> (bug #1014981)
[bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
[buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
[stretch] - libowasp-antisamy-java <no-dsa> (Minor issue)
@@ -346742,7 +346741,7 @@ CVE-2016-10008 (SQL injection vulnerability in the "Content Types > Content T
CVE-2016-10007 (SQL injection vulnerability in the "Marketing > Forms" screen in do ...)
NOT-FOR-US: dotCMS
CVE-2016-10006 (In OWASP AntiSamy before 1.5.5, by submitting a specially crafted inpu ...)
- - libowasp-antisamy-java <unfixed>
+ - libowasp-antisamy-java <unfixed> (bug #1014981)
[bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
[buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
[stretch] - libowasp-antisamy-java <no-dsa> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb904674080e0c29949c3bc5c9953c8df545fae9
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb904674080e0c29949c3bc5c9953c8df545fae9
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220715/a2c3cb1f/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list