[Git][security-tracker-team/security-tracker][master] new jodd, jupyter-notebook, jupyter-server, gitlab issue

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jun 20 13:52:50 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
36bc6443 by Moritz Muehlenhoff at 2022-06-20T14:51:57+02:00
new jodd, jupyter-notebook, jupyter-server, gitlab issue
new werkzeug non issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -10905,7 +10905,7 @@ CVE-2022-29968 (An issue was discovered in the Linux kernel through 5.17.5. io_r
 	[stretch] - linux <not-affected> (Vulnerable code introduced later)
 	NOTE: https://git.kernel.org/linus/32452a3eb8b64e01e2be717f518c0be046975b9d (5.18-rc5)
 CVE-2022-1545 (It was possible to disclose details of confidential notes created via  ...)
-	TODO: check
+	- gitlab <unfixed>
 CVE-2021-46790 (ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow i ...)
 	{DSA-5160-1}
 	- ntfs-3g 1:2022.5.17-1 (bug #1011770)
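Review bot: the new `- gitlab <unfixed>` line for CVE-2022-1545 is the only package entry added in this commit that carries no NOTE URL; the jodd and jupyter entries in the hunks below each cite the upstream issue or GHSA advisory. Adding the GitLab advisory or issue reference here would keep the entry consistent and make it easier to record the fixed version later.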
@@ -12003,7 +12003,10 @@ CVE-2022-29633 (An access control issue in Linglong v1.0 allows attackers to acc
 CVE-2022-29632 (An arbitrary file upload vulnerability in the component /course/api/up ...)
 	NOT-FOR-US: Roncoo Education
 CVE-2022-29631 (Jodd HTTP v6.0.9 was discovered to contain multiple CLRF injection vul ...)
-	TODO: check
+	- jodd <unfixed>
+	[bullseye] - jodd <no-dsa> (Minor issue)
+	[buster] - jodd <no-dsa> (Minor issue)
+	NOTE: https://github.com/oblac/jodd-http/issues/9
 CVE-2022-29630
 	RESERVED
 CVE-2022-29629
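Review bot: the NOTE for CVE-2022-29631 points at the upstream issue (oblac/jodd-http#9) rather than at a fix, and the entry stays `<unfixed>` with no fixed version recorded. Once upstream lands a fix, the commit reference should be added so the `<no-dsa> (Minor issue)` tags for bullseye and buster can be revisited against a concrete fixed version.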
@@ -12800,10 +12803,8 @@ CVE-2022-29363 (Phpok v6.1 was discovered to contain a deserialization vulnerabi
 CVE-2022-29362 (A cross-site scripting (XSS) vulnerability in /navigation/create?Paren ...)
 	NOT-FOR-US: ZKEACMS
 CVE-2022-29361 (** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v ...)
-	- python-werkzeug <unfixed> (unimportant)
-	TODO: upstream disputes this as a misfiled CVE
+	NOTE: Disputed Werkzeug issue, no security impact
 	NOTE: https://github.com/pallets/werkzeug/issues/2420
-	NOTE: Not considered a security issue upstream, negligible impact, running dev server should not be run in production
 CVE-2022-29360
 	RESERVED
 CVE-2022-29359 (A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs ...)
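Review bot: this hunk drops the `- python-werkzeug <unfixed> (unimportant)` line entirely, so CVE-2022-29361 no longer maps to any Debian source package in the tracker. If the intent (per the commit message, "new werkzeug non issue") is to record a non-issue against the package, the usual form is to keep the package line with `<not-affected>` and the reason in parentheses, for example `- python-werkzeug <not-affected> (Disputed; no security impact)`, rather than leaving only NOTE lines. The removed NOTE about the dev server not being meant for production was the concrete rationale; folding it into the new NOTE would preserve it.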
@@ -13166,13 +13167,18 @@ CVE-2022-29242 (GOST engine is a reference implementation of the Russian GOST cr
 	NOTE: https://github.com/gost-engine/engine/commit/b2b4d629f100eaee9f5942a106b1ccefe85b8808 (v3.0.1)
 	NOTE: https://github.com/gost-engine/engine/commit/c6655a0b620a3e31f085cc906f8073fe81b2fad3 (v3.0.1)
 CVE-2022-29241 (Jupyter Server provides the backend (i.e. the core services, APIs, and ...)
-	TODO: check
+	- jupyter-server <unfixed>
+	[bullseye] - jupyter-server <no-dsa> (Minor issue)
+	NOTE: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-q874-g24w-4q9g
 CVE-2022-29240
 	RESERVED
 CVE-2022-29239
 	RESERVED
 CVE-2022-29238 (Jupyter Notebook is a web-based notebook environment for interactive c ...)
-	TODO: check
+	- jupyter-notebook <unfixed>
+	[bullseye] - jupyter-notebook <no-dsa> (Minor issue)
+	[buster] - jupyter-notebook <no-dsa> (Minor issue)
+	NOTE: https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg
 CVE-2022-29237 (Opencast is a free and open source solution for automated video captur ...)
 	NOT-FOR-US: Opencast
 CVE-2022-29236 (BigBlueButton is an open source web conferencing system. Starting in v ...)
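Review bot: the two entries in this hunk are annotated asymmetrically: CVE-2022-29238 (jupyter-notebook) gets `<no-dsa>` tags for both bullseye and buster, while CVE-2022-29241 (jupyter-server) only gets a bullseye tag. If jupyter-server is not in buster that is correct, but the hunk gives no hint either way; a `[buster] - jupyter-server <not-affected>` or `<no-dsa>` line (whichever applies) would make the omission deliberate rather than a possible oversight. Both NOTE lines reference GHSA advisories without the upstream fixed version, so adding it once known would help.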



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36bc6443447b2700860025e29385b93eb5275eea


