[Git][security-tracker-team/security-tracker][master] 2 commits: new liblivemedia issue

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun Jul 24 19:58:44 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
11c51a2c by Moritz Muehlenhoff at 2022-07-24T20:49:29+02:00
new liblivemedia issue
waitress n/a for released suites

- - - - -
b8d25a52 by Moritz Muehlenhoff at 2022-07-24T20:58:18+02:00
new angular.js issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -14050,12 +14050,13 @@ CVE-2022-31016 (Argo CD is a declarative continuous deployment for Kubernetes. A
 	NOT-FOR-US: Argo CD
 CVE-2022-31015 (Waitress is a Web Server Gateway Interface server for Python 2 and 3.  ...)
 	- waitress <unfixed> (bug #1012315)
+	[bullseye] - waitress <not-affected> (Only affects 2.1.x)
+	[buster] - waitress <not-affected> (Only affects 2.1.x)
 	[stretch] - waitress <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw
 	NOTE: https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48 (v2.1.2)
 	NOTE: https://github.com/Pylons/waitress/issues/374
 	NOTE: https://github.com/Pylons/waitress/pull/377
-	TODO: double check, the problem seems to be introduced in version 2.1.0 only
 CVE-2022-31014 (Nextcloud server is an open source personal cloud server. Affected ver ...)
 	- nextcloud-server <itp> (bug #941708)
 CVE-2022-31013 (Chat Server is the chat server for Vartalap, an open-source messaging  ...)
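Review bot: the reason strings for the three not-affected suites in this hunk are inconsistent, which makes the triage harder to audit later: the new `[bullseye]`/`[buster]` lines say `(Only affects 2.1.x)` while the existing `[stretch]` line says `(Vulnerable code not present)`, and the TODO being removed recorded the actual finding ("introduced in version 2.1.0 only"). Consider using one justification for all three, e.g. `<not-affected> (Vulnerable code introduced in 2.1.0)`, so the reason matches the removed TODO and the v2.1.2 fix referenced in the NOTE lines; the `(v2.1.2)` annotation on the commit NOTE is the only place the fixed upstream version is recorded.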
@@ -28986,7 +28987,8 @@ CVE-2022-25872 (All versions of package fast-string-search are vulnerable to Out
 CVE-2022-25871 (All versions of package querymen are vulnerable to Prototype Pollution ...)
 	NOT-FOR-US: Node querymen
 CVE-2022-25869 (All versions of package angular are vulnerable to Cross-site Scripting ...)
-	TODO: check
+	- angular.js <unfixed>
+	NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781
 CVE-2022-25867
 	RESERVED
 CVE-2022-25866 (The package czproject/git-php before 4.0.3 are vulnerable to Command I ...)
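Review bot: the new `- angular.js <unfixed>` line carries no Debian bug reference, unlike the other `<unfixed>` entries in this change (`- waitress <unfixed> (bug #1012315)`, `- iotjs <unfixed> (bug #1015219)`), and no per-suite lines, so it is unclear whether released suites are meant to be treated as affected. The only reference added is the Snyk page; since the CVE text says "All versions of package angular are vulnerable", a NOTE pointing at an upstream issue or the specific XSS vector would help whoever later decides between `<no-dsa>` and a fix.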
@@ -46727,10 +46729,13 @@ CVE-2021-44648 (GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow
 	NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/130
 CVE-2021-44647 (Lua v5.4.3 and above are affected by SEGV by type confusion in funcnam ...)
 	- lua5.4 5.4.4-1 (bug #1004189)
+	- lua5.3 <not-affected> (Specific to 5.4)
+	- lua5.2 <not-affected> (Specific to 5.4)
+	- lua5.1 <not-affected> (Specific to 5.4)
+	- lua50 <not-affected> (Specific to 5.4)
 	NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00195.html
 	NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00204.html
 	NOTE: Fixed by: https://github.com/lua/lua/commit/1de95e97ef65632a88e08b6184bd9d1ceba7ec2f
-	TODO: check older versions if issue is present, reproducer do not crash, but needs inspection of the code yet
 CVE-2021-44646
 	RESERVED
 CVE-2021-44645
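Review bot: the removed TODO stated that the reproducer did not crash on older versions but that the code still needed inspection; the four new `<not-affected> (Specific to 5.4)` lines assert the conclusion without recording what that inspection found. A short NOTE line giving the basis (e.g. that the affected code path, per the fix commit already linked, only exists in the 5.4 series, consistent with the CVE description "Lua v5.4.3 and above") would let the next triager verify the claim instead of re-doing it.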
@@ -58257,7 +58262,6 @@ CVE-2021-41753 (A denial-of-service attack in WPA2, and WPA3-SAE authentication
 	NOT-FOR-US: D-Link
 CVE-2021-41752 (Stack overflow vulnerability in Jerryscript before commit e1ce7dd72712 ...)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4779
-	TODO: check - could be only a test artifact
 CVE-2021-41751 (Buffer overflow vulnerability in file ecma-builtin-array-prototype.c:9 ...)
 	- iotjs <unfixed> (bug #1015219)
 	[bullseye] - iotjs <no-dsa> (Minor issue)
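Review bot: dropping `TODO: check - could be only a test artifact` leaves CVE-2021-41752 with only a NOTE link and no package status line, so the entry now looks triaged but records no outcome. The adjacent CVE-2021-41751, which also concerns a JerryScript source file, is mapped to `iotjs`; if this one was concluded to be a test artifact or not relevant to a Debian package, that should be stated explicitly (for example a `- iotjs <not-affected> (...)` or `NOT-FOR-US:` line with the reason) rather than silently removing the TODO.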
@@ -59093,7 +59097,7 @@ CVE-2021-41398
 CVE-2021-41397
 	RESERVED
 CVE-2021-41396 (Live555 through 1.08 does not handle socket connections properly. A hu ...)
-	TODO: check
+	- liblivemedia <removed>
 CVE-2021-41395 (Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to contro ...)
 	NOT-FOR-US: Teleport
 CVE-2021-41394 (Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x b ...)
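Review bot: `- liblivemedia <removed>` is added with no NOTE line, so unlike the other entries touched in this change there is no upstream reference to consult, and the CVE text only says "Live555 through 1.08 does not handle socket connections properly". Please add the upstream pointer used to triage it, and, since `<removed>` only describes unstable, state whether any suite that still shipped the package needs a `[bullseye]`/`[buster]` line as the waitress and lua hunks do.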



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/446bcea1f7e283568f02db1a384a94093b388258...b8d25a52cef18cfabbdb7160f99136b18afa9679
