[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Jun 29 10:46:37 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
66c973af by Moritz Muehlenhoff at 2022-06-29T11:46:14+02:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -39,7 +39,7 @@ CVE-2022-34752
 CVE-2022-34751
 	RESERVED
 CVE-2022-34750 (An issue was discovered in MediaWiki through 1.38.1. The lemma length  ...)
-	TODO: check
+	NOT-FOR-US: MediaWiki extension WikiBase
 CVE-2022-34749
 	RESERVED
 CVE-2022-34748
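Review bot: the NOT-FOR-US rationale for CVE-2022-34750 attributes the bug to the Wikibase extension, while the CVE text as shown names MediaWiki core ("An issue was discovered in MediaWiki through 1.38.1"); a NOTE with the upstream bug or advisory that pins the issue to the extension would make the triage decision verifiable later without re-reading the CVE. Minor: the extension is spelled "Wikibase" upstream, not "WikiBase".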
@@ -708,9 +708,10 @@ CVE-2022-2211 [Buffer overflow in get_keys leads to Dos]
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
 	TODO: check, upstream references, mentioned code is actually in src:guestfs-tools
 CVE-2022-2210 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...)
-	- vim <unfixed>
+	- vim <unfixed> (unimportant)
 	NOTE: https://huntr.dev/bounties/020845f8-f047-4072-af0f-3726fe1aea25
 	NOTE: https://github.com/vim/vim/commit/c101abff4c6756db4f5e740fde289decb9452efa (v8.2.5164)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-2209
 	RESERVED
 CVE-2022-2208 (NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2. ...)
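Review bot: the new NOTE for CVE-2022-2210 ("Crash in CLI tool, no security impact") gives a crash as the reason for the `(unimportant)` rating, but the CVE text classifies the bug as an out-of-bounds write; a crash alone does not justify dismissing a memory-safety write, so if the rating rests on the trust model (the bug only triggers on a file the user deliberately opens in the interactive editor) the NOTE should state that reasoning explicitly, as it is what a later triager will want to check.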
@@ -2144,6 +2145,8 @@ CVE-2021-46823 (python-ldap before 3.4.0 is vulnerable to a denial of service wh
 	NOTE: https://github.com/python-ldap/python-ldap/security/advisories/GHSA-r8wq-qrxc-hmcm
 CVE-2021-46822 (The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoa ...)
 	- libjpeg-turbo 1:2.1.1-1
+	[bullseye] - libjpeg-turbo <no-dsa> (Minor issue)
+	[buster] - libjpeg-turbo <no-dsa> (Minor issue)
 	NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2 (2.1.0)
 CVE-2017-20081 (A vulnerability, which was classified as critical, was found in Hindu  ...)
 	NOT-FOR-US: Hindu Matrimonial Script
@@ -2521,6 +2524,8 @@ CVE-2022-33880
 	RESERVED
 CVE-2022-33879 (The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in  ...)
 	- tika <unfixed>
+	[bullseye] - tika <no-dsa> (Minor issue)
+	[buster] - tika <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/06/27/5
 CVE-2022-33878
 	RESERVED
@@ -9857,9 +9862,8 @@ CVE-2022-1771 (Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.
 CVE-2019-25061 (The random_password_generator (aka RandomPasswordGenerator) gem throug ...)
 	NOT-FOR-US: bvsatyaram/random_password_generator
 CVE-2022-30973 (We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the ...)
-	- tika <unfixed>
+	- tika <not-affected> (Affected release which missed the fix was never shipped, issue tracked via CVE-2022-30126)
 	NOTE: http://www.openwall.com/lists/oss-security/2022/05/31/2
-	TODO: check how we want to handle that, because technically this is CVE is for the missing fix for CVE-2022-30126 in upstream 1.x patching specific
 CVE-2022-1770 (Improper Privilege Management in GitHub repository polonel/trudesk pri ...)
 	NOT-FOR-US: Trudesk
 CVE-2022-1769 (Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974. ...)
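Review bot: the NOTE directly beneath the new `<not-affected>` entry for CVE-2022-30973 still reads `http://www.openwall.com/...` while every other openwall reference touched in this diff (CVE-2022-33879, CVE-2022-30126, CVE-2022-28737, CVE-2022-25169) uses `https://`; worth making consistent while the entry is being edited. Also, CVE-2022-33879 in this same commit describes itself as a follow-up to the "initial fixes in CVE-2022-30126 and CVE-2022-30973", so a short cross-reference NOTE there pointing at this not-affected decision ("1.x-only issue, tracked via CVE-2022-30126") would save the next person re-deriving it from the removed TODO.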
@@ -12385,6 +12389,8 @@ CVE-2022-1554 (Path Traversal due to `send_file` call in GitHub repository clini
 	NOT-FOR-US: clinical-genomics/scout
 CVE-2022-30126 (In Apache Tika, a regular expression in our StandardsText class, used  ...)
 	- tika <unfixed>
+	[bullseye] - tika <no-dsa> (Minor issue)
+	[buster] - tika <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/05/16/3
 CVE-2022-1553 (Leaking password protected articles content due to improper access con ...)
 	NOT-FOR-US: Publify
@@ -16373,6 +16379,8 @@ CVE-2022-28738 (A double free was found in the Regexp compiler in Ruby 3.x befor
 CVE-2022-28737
 	RESERVED
 	- shim <unfixed>
+	[bullseye] - shim <no-dsa> (Fix via point update)
+	[buster] - shim <no-dsa> (Fix via point update)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
 	NOTE: https://github.com/rhboot/shim/commit/e99bdbb827a50cde019393d3ca1e89397db221a7 (15.6)
 	NOTE: https://github.com/rhboot/shim/commit/159151b6649008793d6204a34d7b9c41221fb4b0 (15.6)
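Review bot: CVE-2022-28737 now carries a package entry, two no-dsa lines and fix references but no description, because the CVE is still RESERVED; the same file handles that case with a bracketed working title (see the `CVE-2022-2211 [Buffer overflow in get_keys leads to Dos]` entry in the earlier hunk), so adding one here, taken from the linked shim 15.6 commits, would make the "Fix via point update" entries self-explanatory to readers of dsa-needed and the point-update queue.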
@@ -26604,6 +26612,8 @@ CVE-2022-25175 (Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earli
 	NOT-FOR-US: Jenkins Pipeline: Multibranch Plugin
 CVE-2022-25169 (The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may  ...)
 	- tika <unfixed>
+	[bullseye] - tika <no-dsa> (Minor issue)
+	[buster] - tika <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/05/16/4
 CVE-2022-25168
 	RESERVED
@@ -28105,6 +28115,8 @@ CVE-2022-24713 (regex is an implementation of regular expressions for the Rust l
 	- firefox-esr 91.8.0esr-1
 	- thunderbird 1:91.8.0-1
 	- rust-regex 1.5.5-1 (bug #1007176)
+	[bullseye] - rust-regex <no-dsa> (Minor issue)
+	[buster] - rust-regex <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0013.html
 	NOTE: https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
 	NOTE: https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e (1.5.5)


=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ curl
 --
 epiphany-browser
 --
+firefox-esr (jmm)
+--
 freecad (aron)
 --
 kicad (jmm)
@@ -56,6 +58,8 @@ slurm-llnl/oldstable
 sox
   patch needed for CVE-2021-40426, check with upstream
 --
+thunderbird (jmm)
+--
 unzip
   unclear information, initial report indicates writable memory corruption, but
   some identified patch is just for a NULL deref, needs more clarification



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66c973af617378ad69d31895267b22aab265ff7b
