[Git][security-tracker-team/security-tracker][master] bulleye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Nov 2 12:37:33 GMT 2022 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3edb5343 by Moritz Muehlenhoff at 2022-11-02T13:37:19+01:00
bulleye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5159,17 +5159,21 @@ CVE-2022-43285 (Nginx NJS v0.7.4 was discovered to contain a segmentation violat
 CVE-2022-43284 (Nginx NJS v0.7.2 to v0.7.4 was discovered to contain a segmentation vi ...)
 	NOT-FOR-US: njs
 CVE-2022-43283 (wasm2c v1.0.29 was discovered to contain an abort in CWriter::Write. ...)
-	- wabt <unfixed>
+	- wabt <unfixed> (unimportant)
 	NOTE: https://github.com/WebAssembly/wabt/issues/1985
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-43282 (wasm-interp v1.0.29 was discovered to contain an out-of-bounds read vi ...)
-	- wabt <unfixed>
+	- wabt <unfixed> (unimportant)
 	NOTE: https://github.com/WebAssembly/wabt/issues/1983
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-43281 (wasm-interp v1.0.29 was discovered to contain a heap overflow via the  ...)
-	- wabt <unfixed>
+	- wabt <unfixed> (unimportant)
 	NOTE: https://github.com/WebAssembly/wabt/issues/1981
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-43280 (wasm-interp v1.0.29 was discovered to contain an out-of-bounds read vi ...)
-	- wabt <unfixed>
+	- wabt <unfixed> (unimportant)
 	NOTE: https://github.com/WebAssembly/wabt/issues/1982
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-43279
 	RESERVED
 CVE-2022-43278
@@ -5427,9 +5431,10 @@ CVE-2022-43153
 CVE-2022-43152 (tsMuxer v2.6.16 was discovered to contain a heap overflow via the func ...)
 	NOT-FOR-US: tsMuxer
 CVE-2022-43151 (timg v1.4.4 was discovered to contain a memory leak via the function t ...)
-	- timg <unfixed>
+	- timg <unfixed> (unimportant)
 	NOTE: https://github.com/hzeller/timg/issues/92
 	NOTE: https://github.com/hzeller/timg/commit/e9667ea2c811aa9eb399b631aef9bba0d3711834
+	NOTE: Memory leak in terminal application, no security impact
 CVE-2022-43150
 	RESERVED
 CVE-2022-43149
@@ -7807,13 +7812,12 @@ CVE-2022-42253
 	RESERVED
 CVE-2022-42252 (If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10. ...)
 	- tomcat9 9.0.68-1
+	[bullseye] - tomcat9 <postponed> (Minor issue, fix along in future update)
 	[buster] - tomcat9 <no-dsa> (Minor issue, occurs when system is explicitly configured in an insecure way)
 	- tomcat8 <removed>
 	NOTE: https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq
 	NOTE: https://github.com/apache/tomcat/commit/4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77 (9.0.68)
 	NOTE: https://github.com/apache/tomcat/commit/a1c07906d8dcaf7957e5cc97f5cdbac7d18a205a (8.5.83)
-	NOTE: One could consider this security issue as expected behavior because the problem described is that
-	NOTE: a specific invalid header is accepted when tomcat is configured to accept invalid headers.
 CVE-2022-3406
 	RESERVED
 CVE-2022-3405
@@ -14724,6 +14728,7 @@ CVE-2022-39349 (The Tasks.org Android app is an open-source app for to-do lists
 	TODO: check
 CVE-2022-39348 (Twisted is an event-based framework for internet applications. Started ...)
 	- twisted <unfixed>
+	[bullseye] - twisted <no-dsa> (Minor issue)
 	NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647
 	NOTE: Introduced by: https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4
 	NOTE: Fixed by: https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b (twisted-22.10.0rc1)
@@ -28100,9 +28105,10 @@ CVE-2022-2208 (NULL Pointer Dereference in GitHub repository vim/vim prior to 8.
 	NOTE: https://github.com/vim/vim/commit/cd38bb4d83c942c4bad596835c6766cbf32e5195 (v8.2.5163)
 	NOTE: Crash in CLI tool, no security impact
 CVE-2022-2207 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...)
-	- vim 2:9.0.0135-1 (bug #1015984)
+	- vim 2:9.0.0135-1 (unimportant; bug #1015984)
 	NOTE: https://huntr.dev/bounties/05bc6051-4dc3-483b-ae56-cf23346b97b9
 	NOTE: https://github.com/vim/vim/commit/0971c7a4e537ea120a6bb2195960be8d0815e97b (v8.2.5162)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-34493
 	RESERVED
 CVE-2022-34492
@@ -29549,19 +29555,22 @@ CVE-2022-2127
 	RESERVED
 CVE-2022-2126 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...)
 	{DLA-3053-1}
-	- vim 2:9.0.0135-1 (bug #1015984)
+	- vim 2:9.0.0135-1 (unimportant; bug #1015984)
 	NOTE: https://huntr.dev/bounties/8d196d9b-3d10-41d2-9f70-8ef0d08c946e
 	NOTE: https://github.com/vim/vim/commit/156d3911952d73b03d7420dc3540215247db0fe8 (v8.2.5123)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-2125 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...)
-	- vim 2:9.0.0135-1 (bug #1015984)
+	- vim 2:9.0.0135-1 (unimportant; bug #1015984)
 	[stretch] - vim <postponed> (Minor issue)
 	NOTE: https://huntr.dev/bounties/17dab24d-beec-464d-9a72-5b6b11283705
 	NOTE: https://github.com/vim/vim/commit/0e8e938d497260dd57be67b4966cb27a5f72376f (v8.2.5122)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-2124 (Buffer Over-read in GitHub repository vim/vim prior to 8.2. ...)
 	{DLA-3053-1}
-	- vim 2:9.0.0135-1 (bug #1015984)
+	- vim 2:9.0.0135-1 (unimportant; bug #1015984)
 	NOTE: https://huntr.dev/bounties/8e9e056d-f733-4540-98b6-414bf36e0b42
 	NOTE: https://github.com/vim/vim/commit/2f074f4685897ab7212e25931eeeb0212292829f (v8.2.5120)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2021-46823 (python-ldap before 3.4.0 is vulnerable to a denial of service when lda ...)
 	- python-ldap 3.4.0-1
 	[bullseye] - python-ldap <no-dsa> (Minor issue)


=====================================
data/dsa-needed.txt
=====================================
@@ -68,5 +68,7 @@ sofia-sip
 sox
   patch needed for CVE-2021-40426, check with upstream
 --
+tiff
+--
 xen
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3edb534300d0734b6126c1c5822fc504d325cbf8

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3edb534300d0734b6126c1c5822fc504d325cbf8
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20221102/cb291ed2/attachment.htm>

More information about the debian-security-tracker-commits mailing list