[Git][security-tracker-team/security-tracker][master] automatic update

Sun May 29 21:10:40 BST 2022


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
786c47a5 by security tracker role at 2022-05-29T20:10:24+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,13 @@
+CVE-2022-31796 (libjpeg 1.63 has a heap-based buffer over-read in HierarchicalBitmapRe ...)
+	TODO: check
+CVE-2022-31795
+	RESERVED
+CVE-2022-31794
+	RESERVED
+CVE-2022-1933
+	RESERVED
+CVE-2022-1932
+	RESERVED
 CVE-2022-XXXX [Gracefully handle errors during early request binding]
 	- python-bottle 0.12.20-1
 	NOTE: Fixed by: https://github.com/bottlepy/bottle/commit/e140e1b54da721a660f2eb9d58a106b7b3ff2f00 (0.12.20)
@@ -7,10 +17,10 @@ CVE-2022-1930
 	RESERVED
 CVE-2022-1929
 	RESERVED
-CVE-2022-1928
-	RESERVED
-CVE-2022-1927
-	RESERVED
+CVE-2022-1928 (Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gite ...)
+	TODO: check
+CVE-2022-1927 (Buffer Over-read in GitHub repository vim/vim prior to 8.2. ...)
+	TODO: check
 CVE-2022-1926
 	RESERVED
 CVE-2022-31793
@@ -6841,7 +6851,7 @@ CVE-2022-29381
 	RESERVED
 CVE-2022-29380 (Academy-LMS v4.3 was discovered to contain a stored cross-site scripti ...)
 	NOT-FOR-US: Academy-LMS
-CVE-2022-29379 (Nginx NJS v0.7.3 was discovered to contain a stack overflow in the fun ...)
+CVE-2022-29379 (** DISPUTED ** Nginx NJS v0.7.3 was discovered to contain a stack over ...)
 	NOT-FOR-US: njs
 CVE-2022-29378
 	RESERVED
@@ -6877,7 +6887,7 @@ CVE-2022-29363 (Phpok v6.1 was discovered to contain a deserialization vulnerabi
 	NOT-FOR-US: qinggan phpok
 CVE-2022-29362 (A cross-site scripting (XSS) vulnerability in /navigation/create?Paren ...)
 	NOT-FOR-US: ZKEACMS
-CVE-2022-29361 (Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below ...)
+CVE-2022-29361 (** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v ...)
 	- python-werkzeug <unfixed> (unimportant)
 	TODO: upstream disputes this as a misfiled CVE
 	NOTE: https://github.com/pallets/werkzeug/issues/2420
@@ -7283,6 +7293,7 @@ CVE-2022-29222 (Pion DTLS is a Go implementation of Datagram Transport Layer Sec
 	NOTE: https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412 (v2.1.5)
 	NOTE: https://github.com/pion/dtls/releases/tag/v2.1.5
 CVE-2022-29221 (Smarty is a template engine for PHP, facilitating the separation of pr ...)
+	{DSA-5151-1 DLA-3033-1}
 	- smarty4 4.1.1-1 (bug #1011757)
 	- smarty3 <unfixed> (bug #1011758)
 	- smarty <removed>
@@ -19407,8 +19418,8 @@ CVE-2022-24969
 	RESERVED
 CVE-2022-24968 (In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoo ...)
 	NOT-FOR-US: Mellium
-CVE-2022-24967
-	RESERVED
+CVE-2022-24967 (Black Rainbow NIMBUS before 3.7.0 allows stored Cross-site Scripting ( ...)
+	TODO: check
 CVE-2022-24966
 	RESERVED
 CVE-2022-24965
@@ -76818,7 +76829,7 @@ CVE-2021-29456 (Authelia is an open-source authentication and authorization serv
 CVE-2021-29455 (Grassroot Platform is an application to make it faster, cheaper and ea ...)
 	NOT-FOR-US: Grassroot Platform
 CVE-2021-29454 (Smarty is a template engine for PHP, facilitating the separation of pr ...)
-	{DLA-2995-1}
+	{DSA-5151-1 DLA-2995-1}
 	- smarty4 4.1.1-1 (bug #1010375)
 	- smarty3 <unfixed>
 	NOTE: https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m
@@ -97739,7 +97750,7 @@ CVE-2021-21409 (Netty is an open-source, asynchronous event-driven network appli
 	NOTE: https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
 	NOTE: Is a followup to: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
 CVE-2021-21408 (Smarty is a template engine for PHP, facilitating the separation of pr ...)
-	{DLA-2995-1}
+	{DSA-5151-1 DLA-2995-1}
 	- smarty4 4.1.1-1 (bug #1010375)
 	- smarty3 <unfixed>
 	NOTE: https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m
@@ -112099,6 +112110,7 @@ CVE-2020-27819 (An issue was discovered in libxls before and including 1.6.1 whe
 	- r-cran-readxl <not-affected> (Embeds libxls, but not affected)
 	NOTE: https://github.com/libxls/libxls/issues/84
 CVE-2020-27818 (A flaw was found in the check_chunk_name() function of pngcheck-2.4.0. ...)
+	{DLA-3032-1}
 	- pngcheck 2.3.0-13 (bug #976350)
 	[buster] - pngcheck 2.3.0-7+deb10u1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1902011



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/786c47a5dcedfdb4cd13e02d812fc1a202aed457

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/786c47a5dcedfdb4cd13e02d812fc1a202aed457
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220529/f67805a1/attachment.htm>
