[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Jun 7 12:18:28 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3adefba4 by Moritz Muehlenhoff at 2022-06-07T13:12:07+02:00
buster/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5478,6 +5478,8 @@ CVE-2022-1651
NOTE: https://git.kernel.org/linus/ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b (5.18-rc1)
CVE-2022-1650 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...)
- node-eventsource 2.0.2+~1.1.8-1
+ [bullseye] - node-eventsource <no-dsa> (Minor issue)
+ [buster] - node-eventsource <no-dsa> (Minor issue)
[stretch] - node-eventsource <end-of-life> (not covered by security support)
NOTE: https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e/
NOTE: https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4 (v2.0.2)
@@ -6792,11 +6794,9 @@ CVE-2022-30067 (GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Thro
CVE-2022-30066
RESERVED
CVE-2022-30065 (A use-after-free in Busybox 1.35-x's awk applet leads to denial of ser ...)
- - busybox <unfixed>
- [bullseye] - busybox <no-dsa> (Minor issue)
- [buster] - busybox <no-dsa> (Minor issue)
- [stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
+ - busybox <unfixed> (unimportant)
NOTE: https://bugs.busybox.net/show_bug.cgi?id=14781
+ NOTE: Crash in CLI tool, no security impact
CVE-2022-30064
RESERVED
CVE-2022-30063 (ftcms <=2.1 was discovered to be vulnerable to code execution attac ...)
@@ -7350,6 +7350,8 @@ CVE-2022-1516 (A NULL pointer dereference flaw was found in the Linux kernelR
NOTE: CONFIG_X25 is not set in Debian
CVE-2022-1515 (A memory leak was discovered in matio 1.5.21 and earlier in Mat_VarRea ...)
- libmatio 1.5.22-1
+ [bullseye] - libmatio <no-dsa> (Minor issue)
+ [buster] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/186
NOTE: Fixed by: https://github.com/tbeu/matio/commit/b53b62b756920f4c1509f4ee06427f66c3b5c9c4 (v1.5.22)
CVE-2022-1514 (Stored XSS via upload plugin functionality in zip format in GitHub rep ...)
@@ -7722,16 +7724,18 @@ CVE-2022-29801 (A vulnerability has been identified in Teamcenter V12.4 (All ver
NOT-FOR-US: Siemens
CVE-2022-29800
RESERVED
- - networkd-dispatcher <unfixed> (bug #1010303)
+ - networkd-dispatcher <unfixed> (unimportant; bug #1010303)
NOTE: https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
NOTE: https://gitlab.com/craftyguy/networkd-dispatcher/-/commit/074ff68f08d64a963a13e3cfc4fb3e3fb9006dfe
NOTE: https://gitlab.com/craftyguy/networkd-dispatcher/-/commit/2e226ee027bdc8022f0e10470318f89f25dc6133
+ NOTE: No security impact in Debian, see #1010303
CVE-2022-29799
RESERVED
- - networkd-dispatcher <unfixed> (bug #1010303)
+ - networkd-dispatcher <unfixed> (unimportant; bug #1010303)
NOTE: https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
NOTE: https://gitlab.com/craftyguy/networkd-dispatcher/-/commit/074ff68f08d64a963a13e3cfc4fb3e3fb9006dfe
NOTE: https://gitlab.com/craftyguy/networkd-dispatcher/-/commit/2e226ee027bdc8022f0e10470318f89f25dc6133
+ NOTE: No security impact in Debian, see #1010303
CVE-2022-29798
RESERVED
CVE-2022-29797
@@ -11578,14 +11582,17 @@ CVE-2022-28368 (Dompdf 1.2.1 allows remote code execution via a .php file in the
NOTE: https://github.com/dompdf/dompdf/commit/0e0261b7bce372b3a05b712a023f6f742a22d57e (v0.8.0)
CVE-2022-28367 (OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE ...)
- libowasp-antisamy-java <unfixed> (bug #1010154)
+ [bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
+ [buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
NOTE: https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae (v1.6.6)
NOTE: Make sure to fix the issue completely and include the commit otherwise opening CVE-2022-29577
NOTE: https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0 (v1.6.7)
CVE-2022-28366 (Certain Neko-related HTML parsers allow a denial of service via crafte ...)
- libowasp-antisamy-java <unfixed> (bug #1010154)
+ [bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
+ [buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
NOTE: https://github.com/nahsra/antisamy/releases/tag/v1.6.6
NOTE: https://github.com/nahsra/antisamy/issues/174
- TODO: check upstream for commits
CVE-2022-28365 (Reprise License Manager 14.2 is affected by an Information Disclosure ...)
NOT-FOR-US: Reprise License Manager
CVE-2022-28364 (Reprise License Manager 14.2 is affected by a reflected cross-site scr ...)
@@ -21656,6 +21663,8 @@ CVE-2022-24892 (Shopware is an open source e-commerce software platform. Startin
NOT-FOR-US: Shopware
CVE-2022-24891 (ESAPI (The OWASP Enterprise Security API) is a free, open source, web ...)
- libowasp-esapi-java 2.4.0.0-1 (bug #1010339)
+ [bullseye] - libowasp-esapi-java <no-dsa> (Minor issue)
+ [buster] - libowasp-esapi-java <no-dsa> (Minor issue)
NOTE: https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q
NOTE: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf
NOTE: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt
@@ -26611,6 +26620,8 @@ CVE-2022-23458
RESERVED
CVE-2022-23457 (ESAPI (The OWASP Enterprise Security API) is a free, open source, web ...)
- libowasp-esapi-java 2.4.0.0-1 (bug #1010339)
+ [bullseye] - libowasp-esapi-java <no-dsa> (Minor issue)
+ [buster] - libowasp-esapi-java <no-dsa> (Minor issue)
NOTE: https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/
NOTE: https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2
NOTE: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt
@@ -64384,6 +64395,8 @@ CVE-2021-35044
RESERVED
CVE-2021-35043 (OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using ...)
- libowasp-antisamy-java <unfixed>
+ [bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
+ [buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
NOTE: https://github.com/nahsra/antisamy/pull/87
CVE-2021-35042 (Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.orde ...)
- python-django <not-affected> (Vulnerable code introduced in 3.1)
@@ -303915,6 +303928,8 @@ CVE-2017-14736
RESERVED
CVE-2017-14735 (OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstr ...)
- libowasp-antisamy-java <unfixed>
+ [bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
+ [buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
NOTE: https://github.com/nahsra/antisamy/issues/10
CVE-2017-14734 (The build_msps function in libbpg.c in libbpg 0.9.7 allows remote atta ...)
NOT-FOR-US: libbpg
@@ -337657,6 +337672,8 @@ CVE-2016-10007 (SQL injection vulnerability in the "Marketing > Forms" screen
NOT-FOR-US: dotCMS
CVE-2016-10006 (In OWASP AntiSamy before 1.5.5, by submitting a specially crafted inpu ...)
- libowasp-antisamy-java <unfixed>
+ [bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
+ [buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
NOTE: https://github.com/nahsra/antisamy/issues/2
CVE-2016-10005 (Webdynpro in SAP Solman 7.1 through 7.31 allows remote attackers to ob ...)
NOT-FOR-US: SAP
=====================================
data/dsa-needed.txt
=====================================
@@ -26,6 +26,8 @@ freecad (aron)
--
kicad
--
+librecad
+--
libpgjava (apo)
--
linux (carnil)
@@ -34,8 +36,12 @@ linux (carnil)
--
ndpi/oldstable
--
+netatalk
+--
nodejs (jmm)
--
+php-horde-turba
+--
puma/oldstable
--
python-bottle (jmm)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3adefba4df86b0413321d5aa71da7da899095736
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3adefba4df86b0413321d5aa71da7da899095736
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220607/ef1bba2a/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list