[Git][security-tracker-team/security-tracker][master] 6 commits: mark ckeditor3 as EOL in Stretch
Thorsten Alteholz (@alteholz)
alteholz at debian.org
Fri Jun 3 22:49:26 BST 2022
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e220945a by Thorsten Alteholz at 2022-06-03T23:23:04+02:00
mark ckeditor3 as EOL in Stretch
- - - - -
d9997664 by Thorsten Alteholz at 2022-06-03T23:26:39+02:00
add python-bottle
- - - - -
ede8c4a2 by Thorsten Alteholz at 2022-06-03T23:42:19+02:00
mark CVE-2022-32200 as no-dsa for Stretch
- - - - -
3072efb7 by Thorsten Alteholz at 2022-06-03T23:44:20+02:00
mark CVE-2022-1942 as no-dsa for Stretch
- - - - -
1aac2918 by Thorsten Alteholz at 2022-06-03T23:44:53+02:00
mark CVE-2022-1968 as no-dsa for Stretch
- - - - -
b2f5bfe7 by Thorsten Alteholz at 2022-06-03T23:49:09+02:00
add php-horde-turba
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -231,6 +231,7 @@ CVE-2022-1968 (Use After Free in GitHub repository vim/vim prior to 8.2. ...)
- vim <unfixed>
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
+ [stretch] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/949090e5-f4ea-4edf-bd79-cd98f0498a5b
NOTE: https://github.com/vim/vim/commit/409510c588b1eec1ae33511ae97a21eb8e110895 (v8.2.5050)
CVE-2022-1967
@@ -258,6 +259,7 @@ CVE-2022-32200 (libdwarf 0.4.0 has a heap-based buffer over-read in _dwarf_check
- dwarfutils <unfixed>
[bullseye] - dwarfutils <no-dsa> (Minor issue)
[buster] - dwarfutils <no-dsa> (Minor issue)
+ [stretch] - dwarfutils <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/davea42/libdwarf-code/commit/8151575a6ace77d005ca5bb5d71c1bfdba3f7069
NOTE: https://github.com/davea42/libdwarf-code/issues/116
NOTE: https://www.prevanders.net/dwarfbug.html#DW202205-001
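Review bot: the `- dwarfutils <unfixed>` line in this hunk carries no `(bug #...)` reference, although the NOTE lines already point at the upstream fix commit and the upstream issue; recording a Debian bug number against the unfixed entry (the way `- ckeditor <unfixed> (bug #999909)` does further down in this file) would make the no-dsa triage for stretch, buster and bullseye easier to follow up later, since "Minor issue" entries are otherwise only revisited by hand.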
@@ -1125,6 +1127,7 @@ CVE-2022-1942 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to
- vim <unfixed>
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
+ [stretch] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/67ca4d3b-9175-43c1-925c-72a7091bc071
NOTE: https://github.com/vim/vim/commit/71223e2db87c2bf3b09aecb46266b56cda26191d (v8.2.5043)
CVE-2022-1941
@@ -21490,10 +21493,12 @@ CVE-2022-24730 (Argo CD is a declarative, GitOps continuous delivery tool for Ku
CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...)
- ckeditor <unfixed>
- ckeditor3 <unfixed>
+ [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh
CVE-2022-24728 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...)
- ckeditor <unfixed>
- ckeditor3 <unfixed>
+ [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
NOTE: https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949 (4.18.0)
NOTE: MITRE's referenced patch (above) does not seem related
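Review bot: the new `[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)` lines settle ckeditor3, but in both CVE blocks of this hunk `- ckeditor <unfixed>` still has no suite annotations at all, so stretch (and buster/bullseye) users of ckeditor are left without any triage for CVE-2022-24729 and CVE-2022-24728; consider adding the matching `[stretch] - ckeditor ...` lines (no-dsa, postponed or ignored, whichever applies) in the same commit, or a NOTE explaining why ckeditor is deliberately left open here. The existing NOTE that MITRE's referenced patch "does not seem related" is worth keeping verbatim, as it tells the next triager not to treat 4.18.0 as the fixed version.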
@@ -48413,6 +48418,7 @@ CVE-2021-41165 (CKEditor4 is an open source WYSIWYG HTML editor. In affected ver
[buster] - ckeditor <no-dsa> (Minor issue)
[stretch] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed>
+ [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2 (v4.17.0)
CVE-2021-41164 (CKEditor4 is an open source WYSIWYG HTML editor. In affected versions ...)
- ckeditor <unfixed> (bug #999909)
@@ -57342,6 +57348,7 @@ CVE-2021-37695 (ckeditor is an open source WYSIWYG HTML editor with rich content
[bullseye] - ckeditor <no-dsa> (Minor issue)
[buster] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed>
+ [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
NOTE: https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
CVE-2021-37694 (@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud S ...)
@@ -66494,6 +66501,7 @@ CVE-2021-33829 (A cross-site scripting (XSS) vulnerability in the HTML Data Proc
- ckeditor 4.16.0+dfsg-2
[buster] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed>
+ [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
NOTE: https://github.com/ckeditor/ckeditor4/commit/3e426ce34f7fc7bf784624358831ef9e189bb6ed
CVE-2021-33828 (The files_antivirus component before 1.0.0 for ownCloud mishandles the ...)
@@ -86141,6 +86149,7 @@ CVE-2021-26271 (It was possible to execute a ReDoS-type attack inside CKEditor 4
[buster] - ckeditor <no-dsa> (Minor issue)
[stretch] - ckeditor <postponed> (Fix along next DLA)
- ckeditor3 <unfixed>
+ [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
CVE-2021-26270
RESERVED
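Review bot: with ckeditor3 now end-of-life in stretch, the `[stretch] - ckeditor <postponed> (Fix along next DLA)` entry two lines above the added line becomes the only remaining stretch action for CVE-2021-26271; it would help to confirm in this change that the postponed ckeditor DLA is still planned (or to change that entry to no-dsa if it is not), so the CVE does not keep showing up as pending stretch work for a package that will not get an update.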
@@ -245485,6 +245494,7 @@ CVE-2018-17960 (CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a
[stretch] - ckeditor <ignored> (Minor issue, XSS through direct copy/paste by victim, no identified patch)
[jessie] - ckeditor <ignored> (Minor issue)
- ckeditor3 <unfixed> (low)
+ [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
- fckeditor <removed>
CVE-2018-17959
RESERVED
@@ -414223,6 +414233,7 @@ CVE-2014-5191 (Cross-site scripting (XSS) vulnerability in the Preview plugin be
[wheezy] - ckeditor <not-affected> (Preview plugin not yet present)
[squeeze] - ckeditor <not-affected> (Preview plugin not yet present)
- ckeditor3 <unfixed>
+ [stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://dev.ckeditor.com/browser/CKEditor/trunk/_source/plugins/preview/preview.html?rev=7706 (v3.6.x)
NOTE: https://github.com/ckeditor/ckeditor4/commit/b685874c6bc873a76e6e95916c43840a2b7ab08a (v4.4.3)
CVE-2014-5190 (Cross-site scripting (XSS) vulnerability in captcha-secureimage/test/i ...)
=====================================
data/dla-needed.txt
=====================================
@@ -212,6 +212,9 @@ pdns
NOTE: 20220506: package builds but does not run a test suite, and I lack the
NOTE: 20220506: know-how for testing manually (enrico)
--
+php-horde-turba
+ NOTE: 20220603: Programming language: PHP.
+--
pidgin (Andreas Rönnquist)
NOTE: 20220529: Programming language: C.
--
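Review bot: the new php-horde-turba entry records only the programming language, while neighbouring entries carry a claimant (`pidgin (Andreas Rönnquist)`) or a dated status note (the pdns NOTE about the missing test suite); adding a NOTE with the CVE id(s) that prompted the addition to dla-needed.txt, or a one-line triage status, would save the person who eventually claims it from rediscovering why it is listed.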
@@ -233,6 +236,9 @@ puppet-module-puppetlabs-firewall
pyjwt
NOTE: 20220529: Programming language: Python.
--
+python-bottle
+ NOTE: 20220603: Programming language: Python.
+--
qemu (Abhijith PA)
NOTE: 20220529: Programming language: C.
NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates since 2 years,
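Review bot: the python-bottle entry lacks any pointer to the CVE(s) it is needed for; a NOTE listing the open CVE ids for the stretch package (alongside the "Programming language: Python." line, in the same dated NOTE style as the qemu entry below it) would let a claimant find the actual work without going back to data/CVE/list.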
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fe7d353bfb3a7f92d1d089a0c1f4910df2d6ca69...b2f5bfe7e1ce1e44044662c0c10654d73f68eda5