[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu Mar 24 14:37:34 GMT 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
05194bf6 by Moritz Muehlenhoff at 2022-03-24T15:37:04+01:00
buster/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3722,10 +3722,13 @@ CVE-2022-26355 (Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes
NOT-FOR-US: Citrix
CVE-2022-26354 (A flaw was found in the vhost-vsock device of QEMU. In case of error, ...)
- qemu <unfixed>
+ [bullseye] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063257
NOTE: https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf
CVE-2022-26353 (A flaw was found in the virtio-net device of QEMU. This flaw was inadv ...)
- qemu <unfixed>
+ [bullseye] - qemu <no-dsa> (Minor issue)
[buster] - qemu <not-affected> (Original upstream fix for CVE-2021-3748 not applied)
[stretch] - qemu <not-affected> (Original upstream fix for CVE-2021-3748 not applied)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063197
@@ -5998,8 +6001,9 @@ CVE-2022-25486 (CuppaCMS v1.0 was discovered to contain a local file inclusion v
CVE-2022-25485 (CuppaCMS v1.0 was discovered to contain a local file inclusion via the ...)
NOT-FOR-US: CuppaCMS
CVE-2022-25484 (tcpprep v4.4.1 has a reachable assertion (assert(l2len > 0)) in pac ...)
- - tcpreplay <unfixed>
+ - tcpreplay <unfixed> (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/715
+ NOTE: Crash in CLI tool, no security impact
CVE-2022-25483
RESERVED
CVE-2022-25482
@@ -13538,6 +13542,7 @@ CVE-2022-0236 (The WP Import Export WordPress plugin (both free and premium vers
CVE-2022-0235 (node-fetch is vulnerable to Exposure of Sensitive Information to an Un ...)
- node-fetch 2.6.1-7
[bullseye] - node-fetch <no-dsa> (Minor issue)
+ [buster] - node-fetch <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/
NOTE: Fixed by: https://github.com/node-fetch/node-fetch/commit/f5d3cf5e2579cb8f4c76c291871e69696aef8f80 (v3.1.1)
CVE-2022-0234 (The WOOCS WordPress plugin before 1.3.7.5 does not sanitise and escape ...)
@@ -17105,6 +17110,8 @@ CVE-2021-45959
CVE-2021-45958 (UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow ...)
{DLA-2929-1}
- ujson <unfixed> (bug #1005140)
+ [bullseye] - ujson <no-dsa> (Minor issue)
+ [buster] - ujson <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
NOTE: https://github.com/ultrajson/ultrajson/issues/501
NOTE: https://github.com/ultrajson/ultrajson/issues/502
@@ -33623,27 +33630,28 @@ CVE-2021-41500 (Incomplete string comparison vulnerability exits in cvxopt.org c
NOTE: https://github.com/cvxopt/cvxopt/issues/193
CVE-2021-41499 (Buffer Overflow Vulnerability exists in ajaxsoundstudio.com n Pyo < ...)
- python-pyo 1.0.4-1
+ [bullseye] - python-pyo <no-dsa> (Minor issue)
+ [buster] - python-pyo <no-dsa> (Minor issue)
[stretch] - python-pyo <no-dsa> (Minor issue)
NOTE: https://github.com/belangeo/pyo/issues/222
NOTE: https://github.com/belangeo/pyo/commit/e7e6d2880469b523e4c41f0da2087a6a3eec4a45 (1.0.4)
CVE-2021-41498 (Buffer overflow in ajaxsoundstudio.com Pyo < and 1.03 in the Ser ...)
- python-pyo 1.0.4-1
+ [bullseye] - python-pyo <no-dsa> (Minor issue)
+ [buster] - python-pyo <no-dsa> (Minor issue)
[stretch] - python-pyo <no-dsa> (Minor issue)
NOTE: https://github.com/belangeo/pyo/issues/221
NOTE: https://github.com/belangeo/pyo/commit/017702c73332a8560c8554a36250a6da587a2418 (1.0.4)
CVE-2021-41497 (Null pointer reference in CMS_Conservative_increment_obj in RaRe-Techn ...)
NOT-FOR-US: RaRe-Technologies bounter
CVE-2021-41496 (** DISPUTED ** Buffer overflow in the array_from_pyobj function of for ...)
- - numpy <unfixed>
- [bullseye] - numpy <no-dsa> (Minor issue)
+ - numpy <unfixed> (unimportant)
NOTE: https://github.com/numpy/numpy/issues/19000
NOTE: https://github.com/numpy/numpy/pull/20630
NOTE: https://github.com/numpy/numpy/commit/271010f1037150e95017f803f4214b8861e528f2
CVE-2021-41495 (** DISPUTED ** Null Pointer Dereference vulnerability exists in numpy. ...)
- - numpy <unfixed>
- [bullseye] - numpy <no-dsa> (Minor issue)
+ - numpy <unfixed> (unimportant)
NOTE: https://github.com/numpy/numpy/issues/19038
- TODO: check for classification/severity
CVE-2021-41494
RESERVED
CVE-2021-41493
@@ -34362,6 +34370,7 @@ CVE-2021-41185 (Mycodo is an environmental monitoring and regulation system. An
CVE-2021-41184 (jQuery-UI is the official jQuery user interface library. Prior to vers ...)
- jqueryui 1.13.0+dfsg-1
[bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1
+ [buster] - jqueryui <no-dsa> (Minor issue)
[stretch] - jqueryui <no-dsa> (Minor issue)
- otrs2 6.3.1-1
[bullseye] - otrs2 <no-dsa> (Non-free not supported)
@@ -34375,6 +34384,7 @@ CVE-2021-41183 (jQuery-UI is the official jQuery user interface library. Prior t
- drupal7 <removed>
- jqueryui 1.13.0+dfsg-1
[bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1
+ [buster] - jqueryui <no-dsa> (Minor issue)
[stretch] - jqueryui <no-dsa> (Minor issue)
- otrs2 6.3.1-1
[bullseye] - otrs2 <no-dsa> (Non-free not supported)
@@ -34390,6 +34400,7 @@ CVE-2021-41182 (jQuery-UI is the official jQuery user interface library. Prior t
- drupal7 <removed>
- jqueryui 1.13.0+dfsg-1
[bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1
+ [buster] - jqueryui <no-dsa> (Minor issue)
[stretch] - jqueryui <no-dsa> (Minor issue)
- otrs2 6.3.1-1
[bullseye] - otrs2 <no-dsa> (Non-free not supported)
@@ -78446,6 +78457,8 @@ CVE-2021-23557
RESERVED
CVE-2021-23556 (The package guake before 3.8.5 are vulnerable to Exposed Dangerous Met ...)
- guake 3.8.5-1
+ [bullseye] - guake <no-dsa> (Minor issue)
+ [buster] - guake <no-dsa> (Minor issue)
NOTE: https://github.com/Guake/guake/commit/b769b3a5fd71a107c58679d217cccc971b4196b4 (3.8.5)
NOTE: https://github.com/Guake/guake/pull/2017/commits/e3d671120bfe7ba28f50e256cc5e8a629781b888
NOTE: https://github.com/Guake/guake/issues/1796
@@ -78685,6 +78698,8 @@ CVE-2021-23451
RESERVED
CVE-2021-23450 (All versions of package dojo are vulnerable to Prototype Pollution via ...)
- dojo <unfixed>
+ [bullseye] - dojo <no-dsa> (Minor issue)
+ [buster] - dojo <no-dsa> (Minor issue)
NOTE: https://github.com/advisories/GHSA-m8gw-hjpr-rjv7
NOTE: Fixed by: https://github.com/dojo/dojo/commit/b7b8b279f3e082e9d4b54144fe831bdc77b2e0c9
CVE-2021-23449 (This affects the package vm2 before 3.9.4 via a Prototype Pollution at ...)
@@ -79215,7 +79230,7 @@ CVE-2021-23240 (selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows
NOTE: Neutralised by kernel hardening (fs.protected_symlinks = 1)
CVE-2021-23239 (The sudoedit personality of Sudo before 1.9.5 may allow a local unpriv ...)
- sudo 1.9.5-1
- [buster] - sudo <no-dsa> (Minor issue)
+ [buster] - sudo <ignored> (Minor issue)
[stretch] - sudo <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/01/11/2
NOTE: https://www.sudo.ws/repos/sudo/rev/ea19d0073c02
=====================================
data/dsa-needed.txt
=====================================
@@ -35,7 +35,7 @@ python-pysaml2 (jmm)
rpki-client/stable
new 7.6 release required libretls, which isn't in Bullseye
--
-runc
+sox
--
tiff (jmm)
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05194bf693574432243566bcd54ab12a52cf514d
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05194bf693574432243566bcd54ab12a52cf514d
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220324/d75a84f8/attachment.htm>
More information about the debian-security-tracker-commits
mailing list