[Git][security-tracker-team/security-tracker][master] two k8s issues, NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Nov 10 17:49:30 GMT 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
652bf02a by Moritz Muehlenhoff at 2022-11-10T18:48:56+01:00
two k8s issues, NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -8352,7 +8352,7 @@ CVE-2022-42966 (An exponential ReDoS (Regular Expression Denial of Service) can
 	NOTE: https://research.jfrog.com/vulnerabilities/cleo-redos-xray-257186/
 	NOTE: Doesn't seem to be reported upstream so far
 CVE-2022-42965 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...)
-	TODO: check
+	NOT-FOR-US: snowflake-connector-python
 CVE-2022-42964 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...)
 	- pymatgen <unfixed>
 	NOTE: https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184/
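Review bot: style nit only, the new NOT-FOR-US line for CVE-2022-42965 carries no reference, while the neighbouring JFrog-reported ReDoS entries CVE-2022-42966 and CVE-2022-42964 each keep a NOTE with the research.jfrog.com advisory URL; NFU entries do not require one, so this is optional, but a matching NOTE would keep the three sibling entries uniform.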
@@ -12467,6 +12467,9 @@ CVE-2022-3295 (Allocation of Resources Without Limits or Throttling in GitHub re
 	- rdiffweb <itp> (bug #969974)
 CVE-2022-3294
 	RESERVED
+	- kubernetes 1.20.5+really1.20.2-1
+	NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version
+	NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here
 CVE-2022-3293 (Email addresses were leaked in WebHook logs in GitLab EE affecting all ...)
 	- gitlab <not-affected> (Only affects Gitlab EE)
 CVE-2022-3292 (Use of Cache Containing Sensitive Information in GitHub repository iku ...)
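Review bot: the second added NOTE under CVE-2022-3294 has a typo, "The source package itself it still vulnerable" should read "is still vulnerable". Separately, the entry is still RESERVED with no description, so the "server components no longer built" rationale cannot be checked from the tracker alone; a NOTE with the upstream kubernetes advisory or issue URL would let a later reader verify that the fixed version 1.20.5+really1.20.2-1 is the right marker.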
@@ -15284,6 +15287,9 @@ CVE-2022-40176 (A vulnerability has been identified in Desigo PXM30-1 (All versi
 	NOT-FOR-US: Siemens
 CVE-2022-3162
 	RESERVED
+	- kubernetes 1.20.5+really1.20.2-1
+	NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version
+	NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here
 CVE-2022-3161
 	RESERVED
 CVE-2022-3160
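Review bot: the CVE-2022-3162 block is a verbatim copy of the CVE-2022-3294 one, including the "itself it still vulnerable" typo in the second NOTE (should be "is still vulnerable"); fix both in the same follow-up. As with CVE-2022-3294 the entry is RESERVED without a description, so a NOTE pointing at the upstream reference for this issue would help anyone revisiting why 1.20.5+really1.20.2-1 is recorded as the fixed version.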
@@ -15962,35 +15968,35 @@ CVE-2022-39895
 CVE-2022-39894
 	RESERVED
 CVE-2022-39893 (Sensitive information exposure vulnerability in FmmBaseModel in Galaxy ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39892 (Improper access control in Samsung Pass prior to version 4.0.05.1 allo ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39891 (Heap overflow vulnerability in parse_pce function in libsavsaudio.so i ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39890 (Improper Authorization in Samsung Billing prior to version 5.0.56.0 al ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39889 (Improper access control vulnerability in GalaxyWatch4Plugin prior to v ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39888
 	RESERVED
 CVE-2022-39887 (Improper access control vulnerability in clearAllGlobalProxy in MiscPo ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39886 (Improper access control vulnerability in IpcRxServiceModeBigDataInfo i ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39885 (Improper access control vulnerability in BootCompletedReceiver_CMCC in ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39884 (Improper access control vulnerability in IImsService prior to SMR Nov- ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39883 (Improper authorization vulnerability in StorageManagerService prior to ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39882 (Heap overflow vulnerability in sflacf_fal_bytes_peek function in libsm ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39881 (Improper input validation vulnerability for processing SIB12 PDU in Ex ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39880 (Improper input validation vulnerability in DualOutFocusViewer prior to ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39879 (Improper authorization vulnerability in?CallBGProvider prior to SMR No ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2022-39878 (Improper access control vulnerability in Samsung Checkout prior to ver ...)
 	NOT-FOR-US: Samsung
 CVE-2022-39877 (Improper access control vulnerability in ProfileSharingAccount in Grou ...)
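Review bot: not introduced by this change, but the context line for CVE-2022-39879 shows a stray "?" in the imported description ("in?CallBGProvider"), presumably a non-ASCII space mangled on import (an assumption from the visible text); worth normalising in a follow-up since it breaks grepping for the component name. The fourteen Samsung entries themselves are triaged consistently with the existing CVE-2022-39878 NOT-FOR-US line.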
@@ -17062,11 +17068,11 @@ CVE-2022-39399 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E
 	- openjdk-17 17.0.5+8-1
 	[bullseye] - openjdk-17 <postponed> (Minor issue, fix along with next CPU)
 CVE-2022-39398 (tasklists is a tasklists plugin for GLPI (Kanban). Versions prior to 2 ...)
-	TODO: check
+	NOT-FOR-US: GLPI plugin
 CVE-2022-39397
 	RESERVED
 CVE-2022-39396 (Parse Server is an open source backend that can be deployed to any inf ...)
-	TODO: check
+	NOT-FOR-US: Node parse-server
 CVE-2022-39395
 	RESERVED
 CVE-2022-39394
@@ -17087,7 +17093,7 @@ CVE-2022-39388
 CVE-2022-39387 (XWiki OIDC has various tools to manipulate OpenID Connect protocol in  ...)
 	NOT-FOR-US: XWiki
 CVE-2022-39386 (@fastify/websocket provides WebSocket support for Fastify. Any applica ...)
-	TODO: check
+	NOT-FOR-US: @fastify/websocket
 CVE-2022-39385
 	RESERVED
 CVE-2022-39384 (OpenZeppelin Contracts is a library for secure smart contract developm ...)
@@ -17138,7 +17144,7 @@ CVE-2022-39369 (phpCAS is an authentication library that allows PHP applications
 	NOTE: https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64
 	NOTE: Fixed by: https://github.com/apereo/phpCAS/commit/b759361d904a2cb2a3bcee9411fc348cfde5d163 (1.6.0)
 CVE-2022-39368 (Eclipse Californium is a Java implementation of RFC7252 - Constrained  ...)
-	TODO: check
+	NOT-FOR-US: Eclipse Californium
 CVE-2022-39367 (QTIWorks is a software suite for standards-based assessment delivery.  ...)
 	NOT-FOR-US: QTIWorks
 CVE-2022-39366 (DataHub is an open-source metadata platform. Prior to version 0.8.45,  ...)
@@ -17176,7 +17182,7 @@ CVE-2022-39351 (Dependency-Track is a Component Analysis platform that allows or
 CVE-2022-39350 (@dependencytrack/frontend is a Single Page Application (SPA) used in D ...)
 	TODO: check
 CVE-2022-39349 (The Tasks.org Android app is an open-source app for to-do lists and re ...)
-	TODO: check
+	NOT-FOR-US: Tasks.org Android app
 CVE-2022-39348 (Twisted is an event-based framework for internet applications. Started ...)
 	- twisted <unfixed> (bug #1023359)
 	[bullseye] - twisted <no-dsa> (Minor issue)
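Review bot: CVE-2022-39350 (@dependencytrack/frontend) in the context lines is still at "TODO: check" while the entries around it are triaged in this commit; if it was deliberately left for a separate look that is fine, otherwise it reads as a missed entry from the same sweep.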



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/652bf02ac028032fed4494341842326401066372
