[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Mar 21 14:53:23 GMT 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1898dd4b by Moritz Muehlenhoff at 2022-03-21T15:52:46+01:00
buster/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -6029,11 +6029,13 @@ CVE-2022-25052
RESERVED
CVE-2022-25051 (An Off-by-one Error occurs in cmr113_decode of rtl_433 21.12 when deco ...)
- rtl-433 <unfixed> (bug #1008000)
+ [bullseye] - rtl-433 <no-dsa> (Minor issue)
NOTE: https://github.com/merbanan/rtl_433/commit/2dad7b9fc67a1d0bfbe520fbd821678b8f8cc7a8
NOTE: https://github.com/merbanan/rtl_433/issues/1960
NOTE: https://huntr.dev/bounties/78eee103-bd61-4b4f-b054-04ad996b39e7/
CVE-2022-25050 (rtl_433 21.12 was discovered to contain a stack overflow in the functi ...)
- rtl-433 <unfixed> (bug #1008000)
+ [bullseye] - rtl-433 <no-dsa> (Minor issue)
NOTE: https://github.com/merbanan/rtl_433/commit/2dad7b9fc67a1d0bfbe520fbd821678b8f8cc7a8
NOTE: https://github.com/merbanan/rtl_433/issues/1960
NOTE: https://huntr.dev/bounties/6c9cd35f-a206-4fdf-b6d1-fcd50926c2d9/
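Review bot: Both rtl-433 entries in this hunk (CVE-2022-25051 and CVE-2022-25050) gain only a `[bullseye]` line, while most other hunks in this commit annotate buster as well. If buster carries rtl-433, add a matching `[buster] - rtl-433` line (`<no-dsa>` or `<not-affected>`) so the oldstable status is explicit. For CVE-2022-25050, which the description calls a stack overflow, a reason more specific than `(Minor issue)` would also help later triage.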
@@ -7053,6 +7055,8 @@ CVE-2022-24669
RESERVED
CVE-2022-0547 (OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass ...)
- openvpn 2.5.6-1 (bug #1008015)
+ [bullseye] - openvpn <no-dsa> (Minor issue)
+ [buster] - openvpn <no-dsa> (Minor issue)
NOTE: https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
NOTE: https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131118dbbc39a65181e7847adee (v2.4.12)
NOTE: https://github.com/OpenVPN/openvpn/commit/af3e382649d96ae77cc5e42be8270f355e5cfec5 (v2.5.6)
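Review bot: The reason on the two added openvpn lines is only `(Minor issue)`, while the CVE-2022-0547 description reads "may enable authentication bypass". Put the condition that makes it minor into the parenthesised reason, so the no-dsa decision can be understood from the list without opening the linked wiki page.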
@@ -9573,6 +9577,8 @@ CVE-2022-23944 (User can access /plugin api without authentication. This issue a
NOT-FOR-US: Apache ShenYu Admin
CVE-2022-23943 (Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server all ...)
- apache2 2.4.53-1
+ [bullseye] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 <no-dsa> (Minor issue)
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-23943
NOTE: Fixed by: https://svn.apache.org/r1898695
NOTE: Fixed by: https://svn.apache.org/r1898772
@@ -11261,6 +11267,8 @@ CVE-2022-23438
RESERVED
CVE-2022-23437 (There's a vulnerability within the Apache Xerces Java (XercesJ) XML pa ...)
- libxerces2-java <unfixed>
+ [bullseye] - libxerces2-java <postponed> (revisit when/if fix is complete)
+ [buster] - libxerces2-java <postponed> (revisit when/if fix is complete)
[stretch] - libxerces2-java <postponed> (revisit when/if fix is complete)
NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/3
CVE-2022-0311 (Heap buffer overflow in Task Manager in Google Chrome prior to 97.0.46 ...)
@@ -14191,14 +14199,20 @@ CVE-2022-22722 (A CWE-798: Use of Hard-coded Credentials vulnerability exists th
NOT-FOR-US: Schneider Electric
CVE-2022-22721 (If LimitXMLRequestBody is set to allow request bodies larger than 350M ...)
- apache2 2.4.53-1
+ [bullseye] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 <no-dsa> (Minor issue)
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22721
NOTE: Fixed by: https://svn.apache.org/r1898693
CVE-2022-22720 (Apache HTTP Server 2.4.52 and earlier fails to close inbound connectio ...)
- apache2 2.4.53-1
+ [bullseye] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 <no-dsa> (Minor issue)
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22720
NOTE: Fixed by: https://svn.apache.org/r1898692
CVE-2022-22719 (A carefully crafted request body can cause a read to a random memory a ...)
- apache2 2.4.53-1
+ [bullseye] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 <no-dsa> (Minor issue)
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22719
NOTE: Fixed by: https://svn.apache.org/r1898694
CVE-2022-22718 (Windows Print Spooler Elevation of Privilege Vulnerability. This CVE I ...)
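Review bot: All three apache2 entries in this hunk (CVE-2022-22721, CVE-2022-22720, CVE-2022-22719) get identical `<no-dsa> (Minor issue)` lines for both suites, as does CVE-2022-23943 earlier in this file, and all four are fixed in 2.4.53-1. If the intent is to pick them up together in a later stable update, say so in the reason; a bare `Minor issue` repeated on four entries of one package gives whoever prepares the next apache2 upload no hint that these are expected to be included.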
@@ -19627,7 +19641,6 @@ CVE-2021-44964 (Use after free in garbage collector and finalizer of lgc.c in Lu
NOTE: http://lua-users.org/lists/lua-l/2021-12/msg00015.html
NOTE: http://lua-users.org/lists/lua-l/2021-12/msg00030.html
NOTE: https://github.com/Lua-Project/lua-5.4.4-sandbox-escape-with-new-vulnerability
- TODO: check possible fix and other versions of lua
CVE-2021-44963
RESERVED
CVE-2021-44962 (An out-of-bounds read vulnerability exists in the GCode::extrude() fun ...)
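Review bot: The `TODO: check possible fix and other versions of lua` line under CVE-2021-44964 is dropped with nothing replacing it. If the check was done, record the outcome as a NOTE (the fixing commit, or which lua source packages are affected), since the remaining context lines only carry mailing-list and repository links. If it was not done, keep the TODO.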
@@ -21029,6 +21042,7 @@ CVE-2021-44538 (The olm_session_describe function in Matrix libolm before 3.2.7
NOTE: Fixed by: https://gitlab.matrix.org/matrix-org/olm/-/commit/c23ce70fc66c26db5839ddb5a3b46d4c3d3abed6 (3.2.8)
CVE-2021-44537 (ownCloud owncloud/client before 2.9.2 allows Resource Injection by a s ...)
- owncloud-client <unfixed>
+ [buster] - owncloud-client <no-dsa> (Minor issue)
[stretch] - owncloud-client <not-affected> (OAuth support introduced in 2.4)
NOTE: https://owncloud.com/security-advisories/cve-2021-44537/
CVE-2021-44536
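Review bot: CVE-2021-44537 now has `[buster]` and `[stretch]` lines but no `[bullseye]` line, while the unstable entry is still `<unfixed>`. If bullseye ships owncloud-client, it needs its own annotation; otherwise the entry reads as if stable had not been triaged.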
@@ -47171,6 +47185,8 @@ CVE-2021-35501 (PandoraFMS <=7.54 allows Stored XSS by placing a payload in t
CVE-2021-3621 (A flaw was found in SSSD, where the sssctl command was vulnerable to s ...)
{DLA-2758-1}
- sssd 2.5.2-1 (bug #992710)
+ [bullseye] - sssd <no-dsa> (Minor issue)
+ [buster] - sssd <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975142
NOTE: https://github.com/SSSD/sssd/commit/7ab83f97e1cbefb78ece17232185bdd2985f0bbe
NOTE: Introduced by https://github.com/SSSD/sssd/commit/e157b9f6cb370e1b94bcac2044d26ad66d640fba (v1.13.91)
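Review bot: CVE-2021-3621 carries `{DLA-2758-1}`, so it was already handled by an LTS advisory, yet the added `[bullseye]` and `[buster]` lines call it `(Minor issue)`. A reason that explains why stable and oldstable are treated differently, or that points at a planned point-release fix, would make the suites read consistently.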
@@ -49310,6 +49326,7 @@ CVE-2021-34559 (In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 a vulnerabilit
NOT-FOR-US: PEPPERL+FUCHS WirelessHART-Gateway
CVE-2021-3596 (A NULL pointer dereference flaw was found in ImageMagick in versions p ...)
- imagemagick 8:6.9.11.57+dfsg-1
+ [buster] - imagemagick <ignored> (Minor issue)
[stretch] - imagemagick <postponed> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/2624
NOTE: https://github.com/ImageMagick/ImageMagick/commit/43dfb1894761c4929d5d5c98dc80ba4e59a0d114
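Review bot: The added `[buster]` line uses `<ignored>` while the `[stretch]` line directly below it uses `<postponed>`, both with the same `(Minor issue)` reason. `<ignored>` reads as a decision not to fix at all, so the reason should say why buster will not get the fix; if the intent is only to defer it, `<no-dsa>` or `<postponed>` would match the rest of this commit.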
@@ -52369,6 +52386,8 @@ CVE-2021-33293 (Panorama Tools libpano13 v2.9.20 was discovered to contain an ou
{DLA-2957-1}
[experimental] - libpano13 2.9.21~rc1+dfsg-1
- libpano13 <unfixed> (bug #1008024)
+ [bullseye] - libpano13 <no-dsa> (Minor issue)
+ [buster] - libpano13 <no-dsa> (Minor issue)
NOTE: https://groups.google.com/u/1/g/hugin-ptx/c/gLtz2vweD74
NOTE: Fixed by: https://sourceforge.net/p/panotools/libpano13/ci/62aa7eed8fae5d8f247a2508a757f31000de386f/
CVE-2021-33292
@@ -76927,6 +76946,7 @@ CVE-2021-23649
RESERVED
CVE-2021-23648 (The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cro ...)
- node-mermaid <unfixed>
+ [bullseye] - node-mermaid <no-dsa> (Minor issue)
NOTE: https://github.com/braintree/sanitize-url/pull/40
NOTE: src:node-mermaid provides embedded @braintree/sanitize-url
CVE-2021-23647
=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ condor/oldstable
--
faad2/oldstable (jmm)
--
+fish/stable
+--
freecad (aron)
--
linux (carnil)
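Review bot: `fish/stable` is added with no note line, and no hunk in data/CVE/list in this commit touches a fish entry, so the commit does not show which issue the DSA is for. A one-line note under the entry naming the CVE would let someone else claim it without searching the list.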
@@ -45,3 +47,5 @@ trafficserver (jmm)
unzip
no details public yet
--
+wordpress
+--
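Review bot: `wordpress` is added without a suite qualifier, whereas the other entry added in this commit is `fish/stable` and nearby entries use `/oldstable`. If both suites need the update the bare name is right; if only one does, qualify it. A short note under the entry, as `unzip` has just above, would also say which issues are pending.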
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1898dd4bab64bf390a47a72c3226eadc246e83ed