[Git][security-tracker-team/security-tracker][master] 7 commits: Triage CVE-2021-41458 in gpac for stretch LTS.
Chris Lamb (@lamby)
lamby at debian.org
Tue Jun 21 12:59:07 BST 2022
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6b11750d by Chris Lamb at 2022-06-21T12:40:56+01:00
Triage CVE-2021-41458 in gpac for stretch LTS.
- - - - -
1523942d by Chris Lamb at 2022-06-21T12:40:57+01:00
Triage CVE-2022-33903 in tor for stretch LTS.
- - - - -
1d0faf50 by Chris Lamb at 2022-06-21T12:40:57+01:00
Triage CVE-2022-24065 in cookiecutter for stretch LTS.
- - - - -
3aeff4ee by Chris Lamb at 2022-06-21T12:40:57+01:00
Triage CVE-2022-30552 & CVE-2022-30790 in u-boot for stretch LTS.
- - - - -
7e776f4e by Chris Lamb at 2022-06-21T12:40:57+01:00
Triage CVE-2022-23457 & CVE-2022-24891 in libowasp-esapi-java for stretch LTS.
- - - - -
15f28db2 by Chris Lamb at 2022-06-21T12:41:33+01:00
data/dla-needed.txt: Triage exo for stretch LTS (CVE-2022-32278)
- - - - -
640c566f by Chris Lamb at 2022-06-21T12:46:26+01:00
Triage CVE-2022-31625 & CVE-2022-31626 in php7.0 for stretch LTS.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -768,6 +768,7 @@ CVE-2022-33904
CVE-2022-33903
RESERVED
- tor 0.4.7.8-1
+ [stretch] - tor <end-of-life> (Not supported in LTS)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2099227
NOTE: https://gitlab.torproject.org/tpo/core/tor/-/issues/40626
NOTE: https://lists.torproject.org/pipermail/tor-announce/2022-June/000242.html
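Review bot: the rationale on the new stretch line, `(Not supported in LTS)`, uses different wording from the other end-of-life annotation added in this same push, `(No longer supported in LTS)` for gpac; the tracker's free-text rationales are routinely grepped, so settle on one phrasing for end-of-life markings across the push.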
@@ -6263,6 +6264,7 @@ CVE-2022-31626 (In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.
- php7.3 <removed>
[buster] - php7.3 <postponed> (Minor issue, fix along with next security release)
- php7.0 <removed>
+ [stretch] - php7.0 <postponed> (Minor issue; can be fixed in next update)
NOTE: Fixed in 7.4.30, 8.0.20, 8.1.7
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=81719
CVE-2022-31625 (In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x belo ...)
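Review bot: the new stretch line reads `(Minor issue; can be fixed in next update)` while the buster line two lines above records the same postponement as `(Minor issue, fix along with next security release)`; aligning the stretch rationale with the existing buster wording makes it clear the two suites took the same decision for the same bug. The identical change for CVE-2022-31625 in the next hunk has the same mismatch.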
@@ -6272,6 +6274,7 @@ CVE-2022-31625 (In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.
- php7.3 <removed>
[buster] - php7.3 <postponed> (Minor issue, fix along with next security release)
- php7.0 <removed>
+ [stretch] - php7.0 <postponed> (Minor issue; can be fixed in next update)
NOTE: Fixed in 7.4.30, 8.0.20, 8.1.7
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=81720
CVE-2022-31624 (MariaDB Server before 10.7 is vulnerable to Denial of Service. While e ...)
@@ -8694,6 +8697,7 @@ CVE-2022-30790 (Das U-Boot 2022.01 has a Buffer Overflow, a different issue than
- u-boot <unfixed>
[bullseye] - u-boot <no-dsa> (Minor issue)
[buster] - u-boot <no-dsa> (Minor issue)
+ [stretch] - u-boot <no-dsa> (Minor issue)
NOTE: https://research.nccgroup.com/2022/06/03/technical-advisory-multiple-vulnerabilities-in-u-boot-cve-2022-30790-cve-2022-30552/
NOTE: Fixed by: https://source.denx.de/u-boot/u-boot/-/commit/b85d130ea0cac152c21ec38ac9417b31d41b5552 (v2022.07-rc4~4)
CVE-2022-30789 (A crafted NTFS image can cause a heap-based buffer overflow in ntfs_ch ...)
@@ -9303,6 +9307,7 @@ CVE-2022-30552 (Das U-Boot 2022.01 has a Buffer Overflow. ...)
- u-boot <unfixed>
[bullseye] - u-boot <no-dsa> (Minor issue)
[buster] - u-boot <no-dsa> (Minor issue)
+ [stretch] - u-boot <no-dsa> (Minor issue)
NOTE: https://research.nccgroup.com/2022/06/03/technical-advisory-multiple-vulnerabilities-in-u-boot-cve-2022-30790-cve-2022-30552/
NOTE: Fixed by: https://source.denx.de/u-boot/u-boot/-/commit/b85d130ea0cac152c21ec38ac9417b31d41b5552 (v2022.07-rc4)
CVE-2022-30551 (OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause ...)
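Review bot: the `Fixed by:` NOTE in this hunk tags commit b85d130ea0cac152c21ec38ac9417b31d41b5552 as `(v2022.07-rc4)`, whereas the CVE-2022-30790 entry above tags the same commit as `(v2022.07-rc4~4)`; both entries cite one upstream commit, so the version annotation should be the same in both (the `~4` form, which places the commit four commits before the tag, is the more precise of the two). This is in the unchanged context rather than the `+` line, but both u-boot entries are being touched here anyway.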
@@ -22865,6 +22870,7 @@ CVE-2022-24066 (The package simple-git before 3.5.0 are vulnerable to Command In
CVE-2022-24065 (The package cookiecutter before 2.1.1 are vulnerable to Command Inject ...)
- cookiecutter <unfixed> (bug #1013279)
[buster] - cookiecutter <no-dsa> (Minor issue)
+ [stretch] - cookiecutter <no-dsa> (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281
NOTE: https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1
NOTE: https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77
@@ -25700,6 +25706,7 @@ CVE-2022-24891 (ESAPI (The OWASP Enterprise Security API) is a free, open source
- libowasp-esapi-java 2.4.0.0-1 (bug #1010339)
[bullseye] - libowasp-esapi-java <no-dsa> (Minor issue)
[buster] - libowasp-esapi-java <no-dsa> (Minor issue)
+ [stretch] - libowasp-esapi-java <no-dsa> (Minor issue)
NOTE: https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q
NOTE: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf
NOTE: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt
@@ -30663,6 +30670,7 @@ CVE-2022-23457 (ESAPI (The OWASP Enterprise Security API) is a free, open source
- libowasp-esapi-java 2.4.0.0-1 (bug #1010339)
[bullseye] - libowasp-esapi-java <no-dsa> (Minor issue)
[buster] - libowasp-esapi-java <no-dsa> (Minor issue)
+ [stretch] - libowasp-esapi-java <no-dsa> (Minor issue)
NOTE: https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/
NOTE: https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2
NOTE: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt
@@ -52491,6 +52499,7 @@ CVE-2021-41459 (There is a stack buffer overflow in MP4Box v1.0.1 at src/filters
NOTE: Fixed by: https://github.com/gpac/gpac/commit/7d4538e104f2b3ff6a65a41394795654e6972339 (v2.0.0)
CVE-2021-41458 (In GPAC MP4Box v1.1.0, there is a stack buffer overflow at src/utils/e ...)
- gpac 2.0.0+dfsg1-2
+ [stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1910
NOTE: https://github.com/gpac/gpac/commit/74695dea7278e78af3db467e586233fe8773c07e (v2.0.0)
CVE-2021-41457 (There is a stack buffer overflow in MP4Box 1.1.0 at src/filters/dmx_nh ...)
=====================================
data/dla-needed.txt
=====================================
@@ -57,6 +57,9 @@ exempi
NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis
NOTE: 20220517: is needed.
--
+exo
+ NOTE: 20220621: Programming language: C/GLib
+--
firejail
NOTE: 20220616: Programming language: C
--
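Review bot: the commit message names CVE-2022-32278 as the reason exo is added, but the new entry carries only the programming-language NOTE, so a reader of dla-needed.txt cannot see which issue the package was queued for without going back to the commit log; consider adding the CVE id to the NOTE line. The layout itself (package name, indented dated NOTE, `--` separator) matches the surrounding exempi and firejail entries.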
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5dfb8dbfc0d49c53b8f81d85533effc7b36895f4...640c566fc40da1a03cf9ee8f77d36c53ff14cce5