[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for CVE-2021-37789/libstb

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
00168749 by Salvatore Bonaccorso at 2022-11-08T20:54:46+01:00
Add Debian bug reference for CVE-2021-37789/libstb

- - - - -
bce19224 by Salvatore Bonaccorso at 2022-11-08T21:01:18+01:00
Mark for now CVE-2022-41852 as unimportant

According to the current upstream discussion the CVE might even be
rejected completely as the issue is not to be considered a security
vulnerability by upstream.

Link: https://github.com/apache/commons-jxpath/pull/26#issuecomment-1307567283

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -10846,10 +10846,13 @@ CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in
 	NOTE: http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control
 	NOTE: https://sourceforge.net/p/hsqldb/svn/6614/
 CVE-2022-41852 (Those using JXPath to interpret untrusted XPath expressions may be vul ...)
-	- libcommons-jxpath-java <unfixed>
+	- libcommons-jxpath-java <unfixed> (unimportant)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
 	NOTE: https://github.com/apache/commons-jxpath/pull/25
 	NOTE: https://github.com/apache/commons-jxpath/pull/26
+	NOTE: https://github.com/apache/commons-jxpath/pull/26#issuecomment-1307567283
+	NOTE: JEXL is NOT expected to safely handle untrusted input, not considered a
+	NOTE: vulnerability by upstream
 CVE-2022-41851 (A vulnerability has been identified in JTTK (All versions < V11.1.1 ...)
 	NOT-FOR-US: JTTK
 CVE-2022-41836 (When an 'Attack Signature False Positive Mode' enabled security policy ...)
@@ -94492,7 +94495,7 @@ CVE-2021-37791 (MyAdmin v1.0 is affected by an incorrect access control vulnerab
 CVE-2021-37790
 	RESERVED
 CVE-2021-37789 (stb_image.h 2.27 has a heap-based buffer over in stbi__jpeg_load, lead ...)
-	- libstb <unfixed>
+	- libstb <unfixed> (bug #1023693)
 	[bullseye] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1178
 CVE-2021-37788 (A vulnerability in the web UI of Gurock TestRail v5.3.0.3603 could all ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a5a10cee15787ce0a2f1514aa40e0e84e40504ca...bce19224ade71d2bae993366f097deb6c84e5691

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a5a10cee15787ce0a2f1514aa40e0e84e40504ca...bce19224ade71d2bae993366f097deb6c84e5691
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20221108/142fee15/attachment-0001.htm>