[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Mar 27 21:35:47 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7ce3d302 by Moritz Muehlenhoff at 2022-03-27T22:35:27+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,7 +1,7 @@
CVE-2022-27949
RESERVED
CVE-2022-27948 (Certain Tesla vehicles through 2022-03-26 allow attackers to open the ...)
- TODO: check
+ NOT-FOR-US: Tesla
CVE-2022-1110
RESERVED
CVE-2022-1109
@@ -87,7 +87,7 @@ CVE-2022-27920 (libkiwix 10.0.0 and 10.0.1 allows XSS in the built-in webserver
NOTE: https://github.com/kiwix/libkiwix/issues/728
NOTE: https://github.com/kiwix/libkiwix/pull/721
CVE-2022-27919 (Gradle Enterprise before 2022.1 allows remote code execution if the in ...)
- TODO: check
+ NOT-FOR-US: Gradle Enterprise
CVE-2022-27918
RESERVED
CVE-2022-27917
@@ -177,9 +177,9 @@ CVE-2022-27884 (Maccms v10 was discovered to contain a reflected cross-site scri
CVE-2022-27883
RESERVED
CVE-2022-27882 (slaacd in OpenBSD 6.9 and 7.0 before 2022-03-22 has an integer signedn ...)
- TODO: check
+ NOT-FOR-US: slaacd from OpenBSD
CVE-2022-27881 (engine.c in slaacd in OpenBSD 6.9 and 7.0 before 2022-02-21 has a buff ...)
- TODO: check
+ NOT-FOR-US: slaacd from OpenBSD
CVE-2022-27873
RESERVED
CVE-2022-27872
@@ -4366,11 +4366,11 @@ CVE-2022-26256
CVE-2022-26255
RESERVED
CVE-2022-26254 (WoWonder The Ultimate PHP Social Network Platform v4.0.0 was discovere ...)
- TODO: check
+ NOT-FOR-US: WoWonder
CVE-2022-26253
RESERVED
CVE-2022-26252 (aaPanel v6.8.21 was discovered to be vulnerable to directory traversal ...)
- TODO: check
+ NOT-FOR-US: aaPanel
CVE-2022-26251
RESERVED
CVE-2022-26250
@@ -4384,7 +4384,7 @@ CVE-2022-26247 (TMS v2.28.0 contains an insecure permissions vulnerability via t
CVE-2022-26246 (TMS v2.28.0 was discovered to contain a cross-site scripting (XSS) vul ...)
NOT-FOR-US: TMS
CVE-2022-26245 (Falcon-plus v0.3 was discovered to contain a SQL injection vulnerabili ...)
- TODO: check
+ NOT-FOR-US: Falcon-plus
CVE-2022-26244
RESERVED
CVE-2022-26243 (Tenda AC10-1200 v15.03.06.23_EN was discovered to contain a buffer ove ...)
@@ -4464,7 +4464,7 @@ CVE-2022-26207 (Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200
CVE-2022-26206 (Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A ...)
NOT-FOR-US: Totolink
CVE-2022-26205 (Marky commit 3686565726c65756e was discovered to contain a remote code ...)
- TODO: check
+ NOT-FOR-US: Marky
CVE-2022-26204
RESERVED
CVE-2022-26203
@@ -4478,7 +4478,7 @@ CVE-2022-26200
CVE-2022-26199
RESERVED
CVE-2022-26198 (Notable v1.8.4 does not filter text editing, allowing attackers to exe ...)
- TODO: check
+ NOT-FOR-US: Notable
CVE-2022-26197 (Joget DX 7 was discovered to contain a cross-site scripting (XSS) vuln ...)
NOT-FOR-US: Joget
CVE-2022-26196
@@ -6183,7 +6183,7 @@ CVE-2022-25576 (Anchor CMS v0.12.7 was discovered to contain a Cross-Site Reques
CVE-2022-25575 (Multiple cross-site scripting (XSS) vulnerabilities in Parking Managem ...)
NOT-FOR-US: Parking Management System
CVE-2022-25574 (A stored cross-site scripting (XSS) vulnerability in the upload functi ...)
- TODO: check
+ NOT-FOR-US: douphp
CVE-2022-25573
RESERVED
CVE-2022-25572
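Review bot: the product named in the new marker, "douphp", does not appear in the visible description of CVE-2022-25574 ("A stored cross-site scripting (XSS) vulnerability in the upload functi ..."), so the attribution rests on the full advisory rather than on anything recorded in this file; a NOTE: line with the upstream reference, in the way the libkiwix entry earlier in this diff carries its issue and pull-request URLs, would let a later triager verify the NOT-FOR-US marking without re-fetching the CVE.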
@@ -8361,9 +8361,9 @@ CVE-2022-24786
CVE-2022-24785
RESERVED
CVE-2022-24784 (Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and ...)
- TODO: check
+ NOT-FOR-US: Statamic
CVE-2022-24783 (Deno is a runtime for JavaScript and TypeScript. The versions of Deno ...)
- TODO: check
+ NOT-FOR-US: Deno
CVE-2022-24782 (Discourse is an open source discussion platform. Versions 2.8.2 and pr ...)
NOT-FOR-US: Discourse
CVE-2022-24781 (Geon is a board game based on solving questions about the Pythagorean ...)
@@ -8435,7 +8435,7 @@ CVE-2022-24761 (Waitress is a Web Server Gateway Interface server for Python 2 a
CVE-2022-24760 (Parse Server is an open source http web server backend. In versions pr ...)
TODO: check
CVE-2022-24759 (`@chainsafe/libp2p-noise` contains TypeScript implementation of noise ...)
- TODO: check
+ NOT-FOR-US: chainsafe/libp2p-noise
CVE-2022-24758
RESERVED
CVE-2022-24757 (The Jupyter Server provides the backend (i.e. the core services, APIs, ...)
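Review bot: the marker "NOT-FOR-US: chainsafe/libp2p-noise" drops the "@" scope prefix that the description uses for the npm package name (`@chainsafe/libp2p-noise`); keeping the package name verbatim makes the entry greppable against the description text. Not part of this change, but visible in the same hunk: CVE-2022-24760 (Parse Server) is still left at "TODO: check".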
@@ -8466,11 +8466,11 @@ CVE-2022-24754 (PJSIP is a free and open source multimedia communication library
NOTE: https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c47
TODO: check impact on src:asterisk and src:ring
CVE-2022-24753 (Stripe CLI is a command-line tool for the Stripe eCommerce platform. A ...)
- TODO: check
+ NOT-FOR-US: Stripe CLI
CVE-2022-24752 (SyliusGridBundle is a package of generic data grids for Symfony applic ...)
- TODO: check
+ NOT-FOR-US: SyliusGridBundle
CVE-2022-24751 (Zulip is an open source group chat application. Starting with version ...)
- TODO: check
+ - zulip-server <itp> (bug #800052)
CVE-2022-24750 (UltraVNC is a free and open source remote pc access software. A vulner ...)
NOT-FOR-US: UltraVNC
CVE-2022-24749 (Sylius is an open source eCommerce platform. In versions prior to 1.9. ...)
@@ -8547,7 +8547,7 @@ CVE-2022-24723 (URI.js is a Javascript URL mutation library. Before version 1.19
CVE-2022-24722 (VIewComponent is a framework for building view components in Ruby on R ...)
NOT-FOR-US: VIewComponent
CVE-2022-24721 (CometD is a scalable comet implementation for web messaging. In any ve ...)
- TODO: check
+ NOT-FOR-US: CometD
CVE-2022-24720 (image_processing is an image processing wrapper for libvips and ImageM ...)
- ruby-image-processing <unfixed> (bug #1007225)
NOTE: https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446
@@ -8910,7 +8910,7 @@ CVE-2022-24645
CVE-2022-24644 (ZZ Inc. KeyMouse Windows 3.08 and prior is affected by a remote code e ...)
NOT-FOR-US: KeyMouse
CVE-2022-24643 (A stored cross-site scripting (XSS) issue was discovered in the OpenEM ...)
- TODO: check
+ NOT-FOR-US: OpenEMR
CVE-2022-24642
RESERVED
CVE-2022-24641
@@ -9766,7 +9766,8 @@ CVE-2022-0476 (Denial of Service in GitHub repository radareorg/radare2 prior to
NOTE: https://huntr.dev/bounties/81ddfbda-6c9f-4b69-83ff-85b15141e35d
NOTE: https://github.com/radareorg/radare2/commit/27fe8031782d3a06c3998eaa94354867864f9f1b
CVE-2022-0475 (Malicious translator is able to inject JavaScript code in few translat ...)
- TODO: check
+ NOT-FOR-US: OTRS
+ NOTE: Only affects 7.x/8.x, so won't affect znuny fork packaged in Debian
CVE-2022-0474 (Full list of recipients from customer users in a contact field could b ...)
NOT-FOR-US: OTRS
NOTE: Only affects 8.x, so won't affect znuny fork packaged in Debian
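Review bot: the added NOTE for CVE-2022-0475 gives the affected range as 7.x/8.x with no reference, while the neighbouring CVE-2022-0474 entry records 8.x only; since the version scope is the whole justification for not tracking the znuny fork, a NOTE: line pointing at the OTRS advisory that states the affected versions would make the claim verifiable in-file, as other entries in this file do with upstream URLs.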
@@ -14705,7 +14706,7 @@ CVE-2022-22997
CVE-2022-22996
RESERVED
CVE-2022-22995 (The combination of primitives offered by SMB and AFP in their default ...)
- TODO: check
+ NOT-FOR-US: Western Digital
CVE-2022-22994 (A remote code execution vulnerability was discovered on Western Digita ...)
NOT-FOR-US: Western Digital
CVE-2022-22993 (A limited SSRF vulnerability was discovered on Western Digital My Clou ...)
@@ -17752,7 +17753,7 @@ CVE-2022-22276
CVE-2022-22275
RESERVED
CVE-2022-22274 (A Stack-based buffer overflow vulnerability in the SonicOS via HTTP re ...)
- TODO: check
+ NOT-FOR-US: Sonicwall
CVE-2022-22273 (** UNSUPPORTED WHEN ASSIGNED ** Improper neutralization of Special Ele ...)
NOT-FOR-US: Sonicwall
CVE-2022-22272 (Improper authorization in TelephonyManager prior to SMR Jan-2022 Relea ...)
@@ -21248,7 +21249,7 @@ CVE-2021-45012
CVE-2021-45011
RESERVED
CVE-2021-45010 (A path traversal vulnerability in the file upload functionality in tin ...)
- TODO: check
+ NOT-FOR-US: Tiny File Manager
CVE-2021-45009
RESERVED
CVE-2021-45008 (** DISPUTED ** Plesk CMS 18.0.37 is affected by an insecure permission ...)
@@ -21519,7 +21520,7 @@ CVE-2021-44906 (Minimist <=1.2.5 is vulnerable to Prototype Pollution via fil
NOTE: The initial fix for prototype pollution (cf. SNYK-JS-MINIMIST-559764) in setKey()
NOTE: was insufficient.
CVE-2021-44905 (Incorrect permissions in the Bluetooth Services in the Fortessa FTBTLD ...)
- TODO: check
+ NOT-FOR-US: Fortessa
CVE-2021-44904
RESERVED
CVE-2021-44903 (Micro-Star International (MSI) Center Pro <= 2.0.16.0 is vulnerable ...)
@@ -22300,7 +22301,7 @@ CVE-2021-44685 (Git-it through 4.4.0 allows OS command injection at the Branches
CVE-2021-44684 (naholyr github-todos 3.1.0 is vulnerable to command injection. The ran ...)
NOT-FOR-US: naholyr github-todos
CVE-2021-44683 (The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due t ...)
- TODO: check
+ NOT-FOR-US: DuckDuckGo browser
CVE-2021-44682 (An issue (6 of 6) was discovered in Veritas Enterprise Vault through 1 ...)
NOT-FOR-US: Veritas
CVE-2021-44681 (An issue (5 of 6) was discovered in Veritas Enterprise Vault through 1 ...)
@@ -24581,7 +24582,7 @@ CVE-2022-21719 (GLPI is a free asset and IT management software package. All GLP
- glpi <removed> (unimportant)
NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-21718 (Electron is a framework for writing cross-platform desktop application ...)
- TODO: check
+ - electron <itp> (bug #842420)
CVE-2022-21717
RESERVED
CVE-2022-21716 (Twisted is an event-based framework for internet applications, support ...)
@@ -26439,7 +26440,7 @@ CVE-2021-43638 (Amazon Amazon WorkSpaces agent is affected by Integer Overflow.
CVE-2021-43637 (Amazon WorkSpaces agent is affected by Buffer Overflow. IOCTL Handler ...)
NOT-FOR-US: Amazon
CVE-2021-43636 (Two Buffer Overflow vulnerabilities exists in T10 V2_Firmware V4.1.8cu ...)
- TODO: check
+ NOT-FOR-US: T10 V2_Firmware
CVE-2021-43635 (A Cross Site Scripting (XSS) vulnerability exists in Codex before 1.4. ...)
NOT-FOR-US: Codex
CVE-2021-43634
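Review bot: "NOT-FOR-US: T10 V2_Firmware" reuses the bare product string from the description and carries no vendor name, unlike the adjacent Amazon and Codex markers; if the vendor is known from the advisory, recording it as "NOT-FOR-US: <vendor> T10 V2_Firmware" would make the entry easier to locate when the next T10 firmware CVE lands.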
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ce3d3029da2a98a27596dd633144ae86bd8f7e2