[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Jun 17 16:16:34 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7d2c0910 by Moritz Muehlenhoff at 2022-06-17T17:16:22+02:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2032,9 +2032,10 @@ CVE-2022-32767
 CVE-2022-32979
 	RESERVED
 CVE-2022-32978 (There is an assertion failure in SingleComponentLSScan::ParseMCU in si ...)
-	- libjpeg <unfixed>
+	- libjpeg <unfixed> (unimportant)
 	NOTE: https://github.com/thorfdbg/libjpeg/issues/75
 	NOTE: https://github.com/thorfdbg/libjpeg/commit/4746b577931e926a49e50de9720a4946de3069a7
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-32977
 	RESERVED
 CVE-2022-32976
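Review bot: the new NOTE "Crash in CLI tool, no security impact" is the sole justification for downgrading libjpeg to <unfixed> (unimportant), yet the CVE description points at SingleComponentLSScan::ParseMCU, which is scan-parsing code rather than command-line glue. Suggest the NOTE also state that the Debian package is only consumed via the command-line tool (no shared-library reverse dependencies), so the downgrade does not have to be re-examined later.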
@@ -2476,11 +2477,10 @@ CVE-2022-2044
 CVE-2022-2043
 	RESERVED
 CVE-2022-2042 (Use After Free in GitHub repository vim/vim prior to 8.2. ...)
-	- vim <unfixed>
-	[bullseye] - vim <no-dsa> (Minor issue)
-	[buster] - vim <no-dsa> (Minor issue)
+	- vim <unfixed> (unimportant)
 	NOTE: https://huntr.dev/bounties/8628b4cd-4055-4059-aed4-64f7fdc10eba
 	NOTE: https://github.com/vim/vim/commit/2813f38e021c6e6581c0c88fcf107e41788bc835 (v8.2.5072)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-2041
 	RESERVED
 CVE-2022-2040
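Review bot: the replacement NOTE "Crash in CLI tool, no security impact" is weaker than the CVE description "Use After Free in GitHub repository vim/vim", and this hunk also drops the previous "[bullseye] - vim <no-dsa> (Minor issue)" and "[buster] - vim <no-dsa> (Minor issue)" lines, so the unimportant tag now covers every suite. A use-after-free is not merely a crash; suggest the NOTE record the reason it is considered non-exploitable so the move from no-dsa to unimportant is traceable.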
@@ -2974,6 +2974,8 @@ CVE-2022-32548
 	RESERVED
 CVE-2022-32547 (In ImageMagick, there is load of misaligned address for type 'double', ...)
 	- imagemagick <unfixed>
+	[bullseye] - imagemagick <ignored> (Minor issue)
+	[buster] - imagemagick <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091813
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/5033
 	NOTE: https://github.com/ImageMagick/ImageMagick/pull/5034
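Review bot: <ignored> is used for imagemagick in this hunk (and the two that follow) while the other minor issues in this commit (dlt-daemon, php-memcached, pidgin, giflib) get <no-dsa>, all with the same "(Minor issue)" reason. The description "load of misaligned address for type 'double'" reads like an undefined-behaviour sanitizer report, which would justify ignored, but the reason text should say so, e.g. "(Minor issue, UBSan finding)", so the difference from no-dsa is clearly deliberate.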
@@ -2981,6 +2983,8 @@ CVE-2022-32547 (In ImageMagick, there is load of misaligned address for type 'do
 	NOTE: https://github.com/ImageMagick/ImageMagick6/commit/dc070da861a015d3c97488fdcca6063b44d47a7b (6.9.12-45)
 CVE-2022-32546 (A vulnerability was found in ImageMagick, causing an outside the range ...)
 	- imagemagick <unfixed>
+	[bullseye] - imagemagick <ignored> (Minor issue)
+	[buster] - imagemagick <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091812
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/4985
 	NOTE: https://github.com/ImageMagick/ImageMagick/pull/4986
@@ -2988,6 +2992,8 @@ CVE-2022-32546 (A vulnerability was found in ImageMagick, causing an outside the
 	NOTE: https://github.com/ImageMagick/ImageMagick6/commit/29c8abce0da56b536542f76a9ddfebdaab5b2943 (6.9.12-44)
 CVE-2022-32545 (A vulnerability was found in ImageMagick, causing an outside the range ...)
 	- imagemagick <unfixed>
+	[bullseye] - imagemagick <ignored> (Minor issue)
+	[buster] - imagemagick <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091811
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/4962
 	NOTE: https://github.com/ImageMagick/ImageMagick/pull/4963
@@ -6449,6 +6455,8 @@ CVE-2022-31292
 	RESERVED
 CVE-2022-31291 (An issue in dlt_config_file_parser.c of dlt-daemon v2.18.8 allows atta ...)
 	- dlt-daemon <unfixed>
+	[bullseye] - dlt-daemon <no-dsa> (Minor issue)
+	[buster] - dlt-daemon <no-dsa> (Minor issue)
 	NOTE: https://github.com/COVESA/dlt-daemon/pull/376
 	NOTE: https://github.com/COVESA/dlt-daemon/commit/6a3bd901d825c7206797e36ea98e10a218f5aad2
 CVE-2022-31290
@@ -19998,6 +20006,8 @@ CVE-2022-26636
 	RESERVED
 CVE-2022-26635 (PHP-Memcached v2.2.0 and below contains an improper NULL termination w ...)
 	- php-memcached <unfixed> (bug #1009328)
+	[bullseye] - php-memcached <no-dsa> (Minor issue)
+	[buster] - php-memcached <no-dsa> (Minor issue)
 	[stretch] - php-memcached <no-dsa> (Minor issue)
 	NOTE: https://xhzeem.me/posts/Php5-memcached-Injection-Bypass/read/
 CVE-2022-26634 (HMA VPN v5.3.5913.0 contains an unquoted service path which allows att ...)
@@ -20314,6 +20324,8 @@ CVE-2022-26492
 CVE-2022-26491 (An issue was discovered in Pidgin before 2.14.9. A remote attacker who ...)
 	{DLA-3043-1}
 	- pidgin 2.14.9-1
+	[bullseye] - pidgin <no-dsa> (Minor issue)
+	[buster] - pidgin <no-dsa> (Minor issue)
 	NOTE: https://pidgin.im/about/security/advisories/cve-2022-26491/
 	NOTE: https://keep.imfreedom.org/pidgin/pidgin/rev/13cdb7956bdc
 CVE-2022-26489
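Review bot: this entry already carries {DLA-3043-1}, i.e. a fix was shipped for stretch via LTS, while bullseye and buster are now tagged <no-dsa> (Minor issue). That is not necessarily wrong, but the contrast with the DLA will raise questions; suggest a NOTE stating whether a point-release update is planned or why the issue is rated minor for these suites.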
@@ -25435,6 +25447,8 @@ CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference implem
 	- python-cmarkgfm 0.7.0-1 (bug #1006758)
 	- ruby-commonmarker <unfixed> (bug #1006759)
 	- r-cran-commonmark 1.8.0-1 (bug #1006760)
+	[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
+	[buster] - r-cran-commonmark <no-dsa> (Minor issue)
 	NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x
 	NOTE: https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.3
 	NOTE: https://github.com/github/cmark-gfm/commit/ac80f7b56522ffa158e1f0c14a611ffccacd4027 (0.29.0.gfm.3)
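Review bot: only r-cran-commonmark receives [bullseye]/[buster] <no-dsa> lines in this hunk; ruby-commonmarker stays "<unfixed> (bug #1006759)" with no per-suite entry, so if it ships in bullseye or buster it will continue to show as pending there. If that is intended (for example because it is only in unstable), a matching line or NOTE would make it explicit.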
@@ -35031,12 +35045,18 @@ CVE-2021-4187 (vim is vulnerable to Use After Free ...)
 CVE-2021-45911 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer  ...)
 	{DLA-2937-1}
 	- gif2apng <removed> (bug #1002687)
+	[bullseye] - gif2apng <no-dsa> (Minor issue)
+	[buster] - gif2apng <no-dsa> (Minor issue)
 CVE-2021-45910 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer  ...)
 	{DLA-2937-1}
 	- gif2apng <removed> (bug #1002667)
+	[bullseye] - gif2apng <no-dsa> (Minor issue)
+	[buster] - gif2apng <no-dsa> (Minor issue)
 CVE-2021-45909 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer  ...)
 	{DLA-2937-1}
 	- gif2apng <removed> (bug #1002668)
+	[bullseye] - gif2apng <no-dsa> (Minor issue)
+	[buster] - gif2apng <no-dsa> (Minor issue)
 CVE-2021-45908 (An issue was discovered in gif2apng 1.9. There is a stack-based buffer ...)
 	- gif2apng <removed> (bug #1002669; unimportant)
 	NOTE: Negligible security impact
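Review bot: the source is "<removed>" from unstable for all three heap-based buffer entries (CVE-2021-45909 to CVE-2021-45911), so the added [bullseye]/[buster] <no-dsa> (Minor issue) lines leave them unfixed in those suites unless a point-release update follows. Since the package is gone from unstable, either <ignored> with a reason, or a NOTE along the lines of the "Negligible security impact" one on CVE-2021-45908, would state the intent more clearly.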
@@ -53748,6 +53768,8 @@ CVE-2021-40634
 	RESERVED
 CVE-2021-40633 (A memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5 ...)
 	- giflib <unfixed>
+	[bullseye] - giflib <no-dsa> (Minor issue)
+	[buster] - giflib <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/giflib/bugs/157/
 CVE-2021-40632
 	RESERVED
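Review bot: the description places this memory leak in gif2rgb in util/gif2rgb.c, a command-line utility; elsewhere in this commit crashes confined to CLI tools are tagged unimportant with a NOTE ("Crash in CLI tool, no security impact") rather than per-suite no-dsa. Either approach works, but applying the same rule here would keep the triage consistent.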
@@ -53839,8 +53861,9 @@ CVE-2021-40591
 CVE-2021-40590
 	RESERVED
 CVE-2021-40589 (ZAngband zangband-data 2.7.5 is affected by an integer underflow vulne ...)
-	- zangband <unfixed>
+	- zangband <unfixed> (unimportant)
 	NOTE: https://sourceforge.net/p/zangband/bugs/671/
+	NOTE: Negligible security impact
 CVE-2021-40588
 	RESERVED
 CVE-2021-40587


=====================================
data/dsa-needed.txt
=====================================
@@ -20,7 +20,7 @@ curl
 --
 epiphany-browser
 --
-firejail
+firejail (jmm)
 --
 freecad (aron)
 --
@@ -53,7 +53,7 @@ salt
 --
 slurm-llnl/oldstable
 --
-slurm-wlm/stable
+slurm-wlm/stable (jmm)
   Maintainer proposed an update for bullseye-security
 --
 sox



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d2c09103b65a0d8bd455a44398c269ad53c0719
