[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Mar 4 20:15:48 GMT 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
26b4faa3 by Moritz Muehlenhoff at 2022-03-04T21:15:22+01:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -4792,10 +4792,11 @@ CVE-2022-0531
 CVE-2022-0530 (A flaw was found in Unzip. The vulnerability occurs during the convers ...)
 	- unzip <unfixed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2051395
-	NOTE: Crash in CLI tool, no security impact
+	NOTE: No details available yet
 CVE-2022-0529 (A flaw was found in Unzip. The vulnerability occurs during the convers ...)
 	- unzip <unfixed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2051402
+	NOTE: No details available yet
 CVE-2021-46681
 	RESERVED
 CVE-2021-46680
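Review bot: CVE-2022-0530 and CVE-2022-0529 now carry only `NOTE: No details available yet` and still no [bullseye]/[buster] status line, so nothing in this file flags them for re-triage once the two Red Hat bugzilla entries open up; a `TODO: check once details are public` line on each would keep them in the TODO queries instead of relying on the dsa-needed.txt reminder added later in this commit. The dropped `Crash in CLI tool, no security impact` assessment for CVE-2022-0530 is worth a word in the note as well, so the next triager knows it was withdrawn for lack of details rather than contradicted.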
@@ -4961,9 +4962,13 @@ CVE-2022-24615 (zip4j up to 2.9.0 can throw various uncaught exceptions while pa
 	TODO: check details
 CVE-2022-24614 (When reading a specially crafted JPEG file, metadata-extractor up to 2 ...)
 	- libmetadata-extractor-java <unfixed>
+	[bullseye] - libmetadata-extractor-java <no-dsa> (Minor issue)
+	[buster] - libmetadata-extractor-java <no-dsa> (Minor issue)
 	NOTE: https://github.com/drewnoakes/metadata-extractor/issues/561
 CVE-2022-24613 (metadata-extractor up to 2.16.0 can throw various uncaught exceptions  ...)
 	- libmetadata-extractor-java <unfixed>
+	[bullseye] - libmetadata-extractor-java <no-dsa> (Minor issue)
+	[buster] - libmetadata-extractor-java <no-dsa> (Minor issue)
 	NOTE: https://github.com/drewnoakes/metadata-extractor/issues/561
 CVE-2022-24612 (An authenticated user can upload an XML file containing an XSS via the ...)
 	NOT-FOR-US: EyesOfNetwork (EON) eonweb
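Review bot: both CVE-2022-24614 and CVE-2022-24613 keep `- libmetadata-extractor-java <unfixed>` and reference only the same upstream issue (#561), with no fixing commit or fixed upstream version recorded; the bullseye/buster no-dsa lines are placed correctly between the sid line and the NOTE, but a `NOTE:` pointing at the upstream fix, once identified, is what will let the sid entry be closed on the next upload.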
@@ -15477,6 +15482,8 @@ CVE-2021-45430
 	RESERVED
 CVE-2021-45429 (A Buffer Overflow vulnerablity exists in VirusTotal YARA git commit: 6 ...)
 	- yara <unfixed>
+	[bullseye] - yara <no-dsa> (Minor issue)
+	[buster] - yara <no-dsa> (Minor issue)
 	[stretch] - yara <no-dsa> (Minor issue)
 	NOTE: https://github.com/VirusTotal/yara/issues/1616
 	NOTE: https://github.com/VirusTotal/yara/commit/a36b497926b141624ea673111a101e9ddd7ac2eb (v4.2.0-rc1)
@@ -15659,6 +15666,8 @@ CVE-2021-45347 (An Incorrect Access Control vulnerability exists in zzcms 8.2, w
 	NOT-FOR-US: zzcms
 CVE-2021-45346 (A Memory Leak vulnerabilty exists in SQLite Project SQLite3 3.35.1 and ...)
 	- sqlite3 <unfixed> (bug #1005974)
+	[bullseye] - sqlite3 <no-dsa> (Minor issue)
+	[buster] - sqlite3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/guyinatuxedo/sqlite3_record_leaking
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2054793
 CVE-2021-45345
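Review bot: the sqlite3 entry references only a PoC repository and the Red Hat bugzilla, with no upstream SQLite check-in or fixed version, while sid stays `<unfixed> (bug #1005974)`; the bullseye/buster no-dsa lines are fine for a leak, but the upstream fix reference is needed before the sid entry can be resolved.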
@@ -17986,6 +17995,7 @@ CVE-2021-44716 (net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows un
 	- golang-1.15 1.15.15-5
 	[bullseye] - golang-1.15 1.15.15-1~deb11u2
 	- golang-1.11 <removed>
+	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	- golang-golang-x-net 1:0.0+git20211209.491a49a+dfsg-1
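Review bot: the new `[buster] - golang-1.11 <no-dsa> (Minor issue)` is placed under a sid entry that is `<removed>`, which is the expected layout, but since the flaw is in net/http in the Go standard library (per the description) every buster package built with golang-1.11 embeds its own copy, so "Minor issue" alone gives LTS little to go on; a short reason (e.g. the nature of the unbounded-growth condition) would be more useful than the bare tag, especially given that bullseye's golang-1.15 got a fixed version (1.15.15-1~deb11u2) for the same CVE.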
@@ -18166,11 +18176,13 @@ CVE-2021-44649 (Django CMS 3.7.3 does not validate the plugin_type parameter whi
 	- python-django-cms <itp> (bug #516183)
 CVE-2021-44648 (GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulner ...)
 	- gdk-pixbuf <unfixed>
+	[bullseye] - gdk-pixbuf <no-dsa> (Minor issue)
 	[buster] - gdk-pixbuf <not-affected> (Vulnerable code introduced later)
 	[stretch] - gdk-pixbuf <not-affected> (Vulnerable code introduced later)
 	NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/136
 	NOTE: https://sahildhar.github.io/blogpost/GdkPixbuf-Heap-Buffer-Overflow-in-lzw_decoder_new/
 	NOTE: Introduced by: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/b88f1ce91a610a4e491a4ad6352183791e78afac (2.39.2)
+	NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/130
 CVE-2021-44647 (Lua 5.4.4 and 5.4.2 are affected by SEGV by type confusion in funcname ...)
 	- lua5.4 5.4.4-1 (bug #1004189)
 	NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00195.html
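Review bot: the added `NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/130` does not say whether the MR is merged or which upstream version it lands in, and the sid entry remains `<unfixed>`; annotating the MR with its status (or the fixed version, once released) would let the sid line be closed and the new `[bullseye] <no-dsa>` be revisited, in the same style as the existing `Introduced by:` note that records the 2.39.2 version.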
@@ -20381,6 +20393,8 @@ CVE-2022-21709
 	RESERVED
 CVE-2022-21708 (graphql-go is a GraphQL server with a focus on ease of use. In version ...)
 	- golang-github-graph-gophers-graphql-go 1.3.0-1
+	[bullseye] - golang-github-graph-gophers-graphql-go <no-dsa> (Minor issue)
+	[buster] - golang-github-graph-gophers-graphql-go <no-dsa> (Minor issue)
 	NOTE: https://github.com/graph-gophers/graphql-go/commit/eae31ca73eb3473c544710955d1dbebc22605bfe (v1.3.0)
 	NOTE: https://github.com/graph-gophers/graphql-go/security/advisories/GHSA-mh3m-8c74-74xh
 	NOTE: https://github.com/graph-gophers/graphql-go/pull/492


=====================================
data/dsa-needed.txt
=====================================
@@ -14,9 +14,11 @@ If needed, specify the release by adding a slash after the name of the source pa
 --
 asterisk/oldstable
 --
-chromium
+containerd (jmm)
 --
-condor
+chromium (jmm)
+--
+condor/oldstable
 --
 faad2/oldstable (jmm)
 --
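Review bot: `condor` is changed to `condor/oldstable`, which drops the stable entry entirely; per the file header the slash suffix narrows the entry to one release, so confirm that no DSA is needed for stable rather than for both. Separately, the new `containerd (jmm)` entry is inserted before `chromium (jmm)`, which breaks the alphabetical order the rest of the list follows (asterisk, chromium, condor, faad2); it belongs after `condor/oldstable`.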
@@ -40,3 +42,6 @@ runc
 trafficserver (jmm)
   wait until status for CVE-2021-38161 is clarified (upstream patch got reverted)
 --
+unzip
+  no details public yet
+--
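Review bot: the new `unzip` entry has no release suffix, so it applies to stable only, while the matching CVE-2022-0530/CVE-2022-0529 entries in data/CVE/list carry no [bullseye] or [buster] lines at all; if oldstable is also affected, either an `unzip/oldstable` entry here or explicit buster lines in data/CVE/list are needed so the package is not forgotten once details become public.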



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26b4faa32466ef4b5cbfee7d696b824d3db73152




