[Git][security-tracker-team/security-tracker][master] 3 commits: Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Nov 3 20:30:11 GMT 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e201f029 by Salvatore Bonaccorso at 2022-11-03T21:29:50+01:00
Process some NFUs
- - - - -
165dbef7 by Salvatore Bonaccorso at 2022-11-03T21:29:52+01:00
Add new glpi CVEs
- - - - -
8984d6bb by Salvatore Bonaccorso at 2022-11-03T21:29:53+01:00
Add CVE-2022-39369/php-cas
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -35,7 +35,7 @@ CVE-2022-44648
CVE-2022-44647
RESERVED
CVE-2022-44646 (In JetBrains TeamCity version before 2022.10, no audit items were adde ...)
- TODO: check
+ NOT-FOR-US: JetBrains TeamCity
CVE-2022-44645
RESERVED
CVE-2022-44644
@@ -107,11 +107,11 @@ CVE-2022-44626
CVE-2022-44625
RESERVED
CVE-2022-44624 (In JetBrains TeamCity version before 2022.10, Password parameters coul ...)
- TODO: check
+ NOT-FOR-US: JetBrains TeamCity
CVE-2022-44623 (In JetBrains TeamCity version before 2022.10, Project Viewer could see ...)
- TODO: check
+ NOT-FOR-US: JetBrains TeamCity
CVE-2022-44622 (In JetBrains TeamCity version between 2021.2 and 2022.10 access permis ...)
- TODO: check
+ NOT-FOR-US: JetBrains TeamCity
CVE-2022-44621
RESERVED
CVE-2022-44618
@@ -4967,7 +4967,7 @@ CVE-2022-3597 (LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtif
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/413
CVE-2021-46846 (Cross Site Scripting vulnerability in Hewlett Packard Enterprise Integ ...)
- TODO: check
+ NOT-FOR-US: HPE
CVE-2020-36607
RESERVED
CVE-2016-20017 (D-Link DSL-2750B devices before 1.05 allow remote unauthenticated comm ...)
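Review bot: the `+ NOT-FOR-US: HPE` line for CVE-2021-46846 names only the vendor, while the other reclassifications in this change name the affected product (`JetBrains TeamCity`, `Emlog Pro`, `Trihedral VTScada`); the truncated description already begins a product name ("Hewlett Packard Enterprise Integ ..."), so naming that product in the tag would keep the entries consistent and easier to grep for later.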
@@ -5180,7 +5180,7 @@ CVE-2022-43374
CVE-2022-43373
RESERVED
CVE-2022-43372 (Emlog Pro v1.7.1 was discovered to contain a reflected cross-site scri ...)
- TODO: check
+ NOT-FOR-US: Emlog Pro
CVE-2022-43371
RESERVED
CVE-2022-43370
@@ -5739,7 +5739,7 @@ CVE-2022-43111
CVE-2022-43110
RESERVED
CVE-2022-43109 (D-Link DIR-823G v1.0.2 was found to contain a command injection vulner ...)
- TODO: check
+ NOT-FOR-US: D-Link
CVE-2022-43108 (Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow ...)
NOT-FOR-US: Tenda
CVE-2022-43107 (Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow ...)
@@ -6845,13 +6845,13 @@ CVE-2022-42755
CVE-2022-42754
RESERVED
CVE-2022-42753 (SalonERP version 3.0.2 allows an external attacker to steal the cookie ...)
- TODO: check
+ NOT-FOR-US: SalonERP
CVE-2022-42752
RESERVED
CVE-2022-42751 (CandidATS version 3.0.0 allows an external attacker to elevate privile ...)
- TODO: check
+ NOT-FOR-US: CandidATS
CVE-2022-42750 (CandidATS version 3.0.0 allows an external attacker to steal the cooki ...)
- TODO: check
+ NOT-FOR-US: CandidATS
CVE-2022-42749
RESERVED
CVE-2022-42748
@@ -10040,7 +10040,7 @@ CVE-2022-41437 (Billing System Project v1.0 was discovered to contain a remote c
CVE-2022-41436 (An issue in OXHOO TP50 OXH1.50 allows unauthenticated attackers to acc ...)
NOT-FOR-US: OXHOO
CVE-2022-41435 (OpenWRT LuCI version git-22.140.66206-02913be was discovered to contai ...)
- TODO: check
+ NOT-FOR-US: OpenWRT LuCI
CVE-2022-41434
RESERVED
CVE-2022-41433
@@ -10550,7 +10550,7 @@ CVE-2022-3260
CVE-2022-3259
RESERVED
CVE-2022-3258 (Incorrect Permission Assignment for Critical Resource vulnerability in ...)
- TODO: check
+ NOT-FOR-US: HYPR Workforce Access
CVE-2022-3257 (Mattermost version 7.1.x and earlier fails to sufficiently process a s ...)
- mattermost-server <itp> (bug #823556)
CVE-2022-3256 (Use After Free in GitHub repository vim/vim prior to 9.0.0530. ...)
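Review bot: the product named in `+ NOT-FOR-US: HYPR Workforce Access` does not appear in the visible description of CVE-2022-3258, which is cut off right after the CWE phrase ("Incorrect Permission Assignment for Critical Resource vulnerability in ..."), so a reader of the list cannot check the attribution from the entry itself; if the name comes from the full CVE text or a vendor advisory, a `NOTE:` line with that advisory URL, as done for the glpi entries elsewhere in this change, would make the classification verifiable.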
@@ -12339,7 +12339,7 @@ CVE-2022-40503
CVE-2022-40502
RESERVED
CVE-2022-3181 (An Improper Input Validation vulnerability exists in Trihedral VTScada ...)
- TODO: check
+ NOT-FOR-US: Trihedral VTScada
CVE-2022-3180
RESERVED
CVE-2022-3179 (Weak Password Requirements in GitHub repository ikus060/rdiffweb prior ...)
@@ -13645,9 +13645,9 @@ CVE-2022-39952
CVE-2022-39951
RESERVED
CVE-2022-39950 (An improper neutralization of input during web page generation vulnera ...)
- TODO: check
+ NOT-FOR-US: FortiGuard
CVE-2022-39949 (An improper control of a resource through its lifetime vulnerability [ ...)
- TODO: check
+ NOT-FOR-US: FortiGuard
CVE-2022-39948
RESERVED
CVE-2022-39947
@@ -13655,7 +13655,7 @@ CVE-2022-39947
CVE-2022-39946
RESERVED
CVE-2022-39945 (An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, ...)
- TODO: check
+ NOT-FOR-US: FortiGuard
CVE-2022-39944 (In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a de ...)
NOT-FOR-US: Apache Linkis
CVE-2022-39943
@@ -14899,25 +14899,38 @@ CVE-2022-39380
CVE-2022-39379 (Fluentd collects events from various data sources and writes them to f ...)
TODO: check
CVE-2022-39378 (Discourse is a platform for community discussion. Under certain condit ...)
- TODO: check
+ NOT-FOR-US: Discourse
CVE-2022-39377
RESERVED
CVE-2022-39376 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
- TODO: check
+ - glpi <removed> (unimportant)
+ NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-6rh5-m5g7-327w
+ NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-39375 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
- TODO: check
+ - glpi <removed> (unimportant)
+ NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-fxcx-93fq-8r9g
+ NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-39374
RESERVED
CVE-2022-39373 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
- TODO: check
+ - glpi <removed> (unimportant)
+ NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-cw37-q82c-w546
+ NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-39372 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
- TODO: check
+ - glpi <removed> (unimportant)
+ NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-5rj7-95qc-89h2
+ NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-39371 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
- TODO: check
+ - glpi <removed> (unimportant)
+ NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-w7wc-728f-6mm8
+ NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-39370 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
- TODO: check
+ - glpi <removed> (unimportant)
+ NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-6c2p-wgx9-vrjc
+ NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-39369 (phpCAS is an authentication library that allows PHP applications to ea ...)
- TODO: check
+ - php-cas <unfixed>
+ NOTE: https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64
CVE-2022-39368
RESERVED
CVE-2022-39367 (QTIWorks is a software suite for standards-based assessment delivery. ...)
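Review bot: the new `+ - php-cas <unfixed>` entry for CVE-2022-39369 records an affected Debian package but carries no bug reference and no severity or no-dsa decision, unlike `- php-twig 3.4.3-1 (bug #1020991)` later in this diff; please add the Debian bug (`(bug #...)`) once filed and, since `<unfixed>` records no fixed version at all, a `NOTE:` with the upstream fixed version or commit from the linked GHSA advisory so the fix can be tracked. The seven glpi entries in this hunk are consistently marked `<removed> (unimportant)` with the same authenticated-zone justification, which reads fine.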
@@ -14943,7 +14956,7 @@ CVE-2022-39358 (Metabase is data visualization software. Prior to versions 0.44.
CVE-2022-39357 (Winter is a free, open-source content management system based on the L ...)
NOT-FOR-US: Winter
CVE-2022-39356 (Discourse is a platform for community discussion. Users who receive an ...)
- TODO: check
+ NOT-FOR-US: Discourse
CVE-2022-39355 (Discourse Patreon enables syncronization between Discourse Groups and ...)
NOT-FOR-US: Discourse Patreon
CVE-2022-39354 (SputnikVM, also called evm, is a Rust implementation of Ethereum Virtu ...)
@@ -15013,7 +15026,9 @@ CVE-2022-39325
CVE-2022-39324
RESERVED
CVE-2022-39323 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
- TODO: check
+ - glpi <removed> (unimportant)
+ NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-cp6q-9p4x-8hr9
+ NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-39322 (@keystone-6/core is a core package for Keystone 6, a content managemen ...)
TODO: check
CVE-2022-39321 (GitHub Actions Runner is the application that runs a job from a GitHub ...)
@@ -15129,9 +15144,15 @@ CVE-2022-39279 (discourse-chat is a plugin for the Discourse message board which
CVE-2022-39278 (Istio is an open platform-independent service mesh that provides traff ...)
NOT-FOR-US: Istio
CVE-2022-39277 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
- TODO: check
+ - glpi <removed> (unimportant)
+ NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-rhcw-8r7g-8pwc
+ NOTE: https://huntr.dev/bounties/8e047ae1-7a7c-48e0-bee3-d1c36e52ff42/
+ NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-39276 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
- TODO: check
+ - glpi <removed> (unimportant)
+ NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-8vwg-7x42-7v6p
+ NOTE: https://huntr.dev/bounties/7a88f92b-1ee2-4ca8-9cf8-05fcf6cfe73f/
+ NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-39275 (Saleor is a headless, GraphQL commerce platform. In affected versions ...)
NOT-FOR-US: Saleor
CVE-2022-39274 (LoRaMac-node is a reference implementation and documentation of a LoRa ...)
@@ -15165,7 +15186,10 @@ CVE-2022-39264 (nheko is a desktop client for the Matrix communication applicati
CVE-2022-39263 (`@next-auth/upstash-redis-adapter` is the Upstash Redis adapter for Ne ...)
NOT-FOR-US: next-auth/upstash-redis-adapter
CVE-2022-39262 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
- TODO: check
+ - glpi <removed> (unimportant)
+ NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-4x48-q2wr-cpg4
+ NOTE: https://huntr.dev/bounties/54fc907e-6983-4c24-b249-1440aac1643c/
+ NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-39261 (Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x ...)
{DSA-5248-1 DLA-3147-1}
- php-twig 3.4.3-1 (bug #1020991)
@@ -15246,7 +15270,7 @@ CVE-2022-39243 (NuProcess is an external process execution implementation for Ja
CVE-2022-39242 (Frontier is an Ethereum compatibility layer for Substrate. Prior to co ...)
NOT-FOR-US: Frontier
CVE-2022-39241 (Discourse is a platform for community discussion. A malicious admin co ...)
- TODO: check
+ NOT-FOR-US: Discourse
CVE-2022-39240 (MyGraph is a permission management system. Versions prior to 1.0.4 are ...)
NOT-FOR-US: MyGraph
CVE-2022-39239 (netlify-ipx is an on-Demand image optimization for Netlify using ipx. ...)
@@ -15267,7 +15291,9 @@ CVE-2022-39236 (Matrix Javascript SDK is the Matrix Client-Server SDK for JavaSc
CVE-2022-39235
RESERVED
CVE-2022-39234 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
- TODO: check
+ - glpi <removed> (unimportant)
+ NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-pgcx-mc58-3gmg
+ NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-39233 (Tuleap is a Free & Open Source Suite to improve management of soft ...)
NOT-FOR-US: Tuleap
CVE-2022-39232 (Discourse is an open source discussion platform. Starting with version ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5ef6cca26880dfc0000dc811039b0ee382b87a0b...8984d6bbec7034636c0214409b03ae2332b4d672