[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-42920 and CVE-2022-34169
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Nov 5 19:45:46 GMT 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7454a0b9 by Salvatore Bonaccorso at 2022-11-05T20:45:01+01:00
Update information for CVE-2022-42920 and CVE-2022-34169
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -7616,6 +7616,16 @@ CVE-2022-42921
RESERVED
CVE-2022-42920
RESERVED
+ - bcel 6.5.0-2
+ [bullseye] - bcel 6.5.0-1+deb11u1
+ [buster] - bcel 6.2-1+deb10u1
+ NOTE: https://www.openwall.com/lists/oss-security/2022/11/04/6
+ NOTE: https://www.openwall.com/lists/oss-security/2022/11/04/8
+ NOTE: https://github.com/apache/commons-bcel/pull/147
+ NOTE: https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5
+ NOTE: Duplicate of CVE-2022-34169. But CVE-2022-34169 was assigned for Apache Xalan Java XSLT library,
+ NOTE: whereeas CVE-2022-42920 is associated with bcel itself.
+ TODO: check with the assigning CNAs which one to retain if confirmed to be handled as duplicate and move CVE-2022-34169 to Apache Xalan Java XSLT use of BCEL only.
CVE-2022-3517 (A vulnerability was found in the minimatch package. This flaw allows a ...)
- node-minimatch 3.0.5+~3.0.5-1
[bullseye] - node-minimatch <no-dsa> (Minor issue)
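Review bot: The added NOTE under CVE-2022-42920 states "Duplicate of CVE-2022-34169" as settled, while the TODO directly below it says the duplicate handling still has to be confirmed with the assigning CNAs. Word the NOTE as a possible duplicate until that is resolved. In the continuation line, "whereeas" should read "whereas". The TODO is also much longer than the NOTE lines above it and could be shortened to the action itself.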
@@ -30567,6 +30577,7 @@ CVE-2022-34169 (The Apache Xalan Java XSLT library is vulnerable to an integer t
NOTE: https://www.openwall.com/lists/oss-security/2022/07/19/5
NOTE: https://github.com/openjdk/jdk/commit/41ef2b249073450172e11163a4d05762364b1297
NOTE: Bug is most likely only in bcel which libxalan2-java depends on.
+ NOTE: https://github.com/apache/commons-bcel/pull/147
NOTE: https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5
CVE-2022-34168
RESERVED
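Review bot: The CVE-2022-34169 entry gains the pull/147 reference next to the existing NOTE "Bug is most likely only in bcel which libxalan2-java depends on", but nothing in it points to CVE-2022-42920, which the first hunk now tracks as the bcel-side identifier. Consider adding a NOTE here naming CVE-2022-42920, so the two entries cross-reference each other while the duplicate question is open.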
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7454a0b9cda2b1520e05c345db613fd754ecf791