[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Nov 11 15:05:59 GMT 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a89b938c by Moritz Muehlenhoff at 2022-11-11T16:05:36+01:00
bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -367,6 +367,7 @@ CVE-2022-3873 (Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/draw
NOT-FOR-US: jgraph/drawio
CVE-2022-3872 (An off-by-one read/write issue was found in the SDHCI device of QEMU. ...)
- qemu <unfixed>
+ [bullseye] - qemu <no-dsa> (Minor issue)
[buster] - qemu <postponed> (Minor issue, DoS, waiting for sanctioned patch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2140567
NOTE: patch proposal 1: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01068.html
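Review bot: the new `[bullseye] - qemu <no-dsa> (Minor issue)` line records less rationale than the buster line directly beneath it, which states "DoS, waiting for sanctioned patch"; since the NOTE lines below show the upstream fix is still only a patch proposal, consider carrying the same detail into the bullseye annotation so a later reader can tell whether the no-dsa decision should be revisited once a sanctioned patch lands.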
@@ -8623,6 +8624,7 @@ CVE-2022-42919 (Python 3.9.x and 3.10.x through 3.10.8 on Linux allows local pri
- python3.11 3.11.0-2
- python3.10 3.10.8-2
- python3.9 <unfixed>
+ [bullseye] - python3.9 <no-dsa> (Minor issue)
- python3.7 <removed>
[buster] - python3.7 <not-affected> (Vulnerable functionality backported later in 3.7.8)
NOTE: https://github.com/python/cpython/issues/97514
@@ -17202,6 +17204,7 @@ CVE-2022-39378 (Discourse is a platform for community discussion. Under certain
NOT-FOR-US: Discourse
CVE-2022-39377 (sysstat is a set of system performance tools for the Linux operating s ...)
- sysstat <unfixed> (bug #1023832)
+ [bullseye] - sysstat <no-dsa> (Minor issue)
NOTE: https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
NOTE: https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540 (v12.7.1)
CVE-2022-39376 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...)
@@ -68232,16 +68235,16 @@ CVE-2021-4194 (bookstack is vulnerable to Improper Access Control ...)
NOT-FOR-US: bookstack
CVE-2021-4193 (vim is vulnerable to Out-of-bounds Read ...)
{DLA-3182-1 DLA-2947-1}
- - vim 2:8.2.3995-1
- [bullseye] - vim <no-dsa> (Minor issue)
+ - vim 2:8.2.3995-1 (unimportant)
NOTE: https://huntr.dev/bounties/92c1940d-8154-473f-84ce-0de43b0c2eb0
NOTE: Fixed by: https://github.com/vim/vim/commit/94f3192b03ed27474db80b4d3a409e107140738b (v8.2.3950)
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-4192 (vim is vulnerable to Use After Free ...)
{DLA-3182-1 DLA-2947-1}
- - vim 2:8.2.3995-1
- [bullseye] - vim <no-dsa> (Minor issue)
+ - vim 2:8.2.3995-1 (unimportant)
NOTE: https://huntr.dev/bounties/6dd9cb2e-a940-4093-856e-59b502429f22
NOTE: Fixed by: https://github.com/vim/vim/commit/4c13e5e6763c6eb36a343a2b8235ea227202e952 (v8.2.3949)
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-4191 (An issue has been discovered in GitLab CE/EE affecting versions 13.0 t ...)
[experimental] - gitlab 14.6.5+ds1
- gitlab <unfixed>
@@ -69568,12 +69571,10 @@ CVE-2021-45476 (Yordam Library Information Document Automation product before ve
CVE-2021-45475 (Yordam Library Information Document Automation product before version ...)
NOT-FOR-US: Yordam Library Information Document Automation
CVE-2021-4166 (vim is vulnerable to Out-of-bounds Read ...)
- - vim 2:8.2.3995-1
- [bullseye] - vim <no-dsa> (Minor issue)
- [buster] - vim <no-dsa> (Minor issue)
- [stretch] - vim <no-dsa> (Minor issue)
+ - vim 2:8.2.3995-1 (unimportant)
NOTE: https://huntr.dev/bounties/229df5dd-5507-44e9-832c-c70364bdf035
NOTE: https://github.com/vim/vim/commit/6f98371532fcff911b462d51bc64f2ce8a6ae682 (v8.2.3884)
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-4165
RESERVED
CVE-2021-4164 (calibre-web is vulnerable to Cross-Site Request Forgery (CSRF) ...)
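Review bot: unlike the other vim entries in this commit, this hunk also drops the `[buster]` and `[stretch]` no-dsa lines for CVE-2021-4166 along with the bullseye one; that is the expected consequence of `(unimportant)` applying to every suite, but it is worth double-checking that nothing pending for the LTS suites relied on those lines, since this entry carries no DLA reference where the neighbouring vim entries cite DLA-3182-1/DLA-2947-1.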
@@ -71185,13 +71186,13 @@ CVE-2021-44462 (This vulnerability can be exploited by parsing maliciously craft
CVE-2021-4137
RESERVED
CVE-2021-4136 (vim is vulnerable to Heap-based Buffer Overflow ...)
- - vim 2:8.2.3995-1 (bug #1002534)
- [bullseye] - vim <no-dsa> (Minor issue)
+ - vim 2:8.2.3995-1 (bug #1002534; unimportant)
[buster] - vim <not-affected> (Vulnerable code introduced later)
[stretch] - vim <not-affected> (Vulnerable code introduced later)
NOTE: https://huntr.dev/bounties/5c6b93c1-2d27-4e98-a931-147877b8c938
NOTE: Introduced by: https://github.com/vim/vim/commit/2949cfdbe4335b9abcfeda1be4dfc52090ee1df6 (v8.2.2257)
NOTE: Fixed by: https://github.com/vim/vim/commit/605ec91e5a7330d61be313637e495fa02a6dc264 (v8.2.3847)
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-4135 (A memory leak vulnerability was found in the Linux kernel's eBPF for t ...)
{DSA-5096-1 DLA-2941-1}
- linux 5.15.15-1 (unimportant)
@@ -73239,10 +73240,10 @@ CVE-2021-44549 (Apache Sling Commons Messaging Mail provides a simple layer on t
NOT-FOR-US: Apache Sling
CVE-2021-4069 (vim is vulnerable to Use After Free ...)
{DLA-3182-1 DLA-2947-1}
- - vim 2:8.2.3995-1
- [bullseye] - vim <no-dsa> (Minor issue)
+ - vim 2:8.2.3995-1 (unimportant)
NOTE: https://huntr.dev/bounties/0efd6d23-2259-4081-9ff1-3ade26907d74/
NOTE: https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9 (v8.2.3741)
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-44548 (An Improper Input Validation vulnerability in DataImportHandler of Apa ...)
- lucene-solr <not-affected> (Issue only affects Windows)
NOTE: https://issues.apache.org/jira/browse/SOLR-15826
@@ -75008,10 +75009,10 @@ CVE-2021-3985 (kimai2 is vulnerable to Improper Neutralization of Input During W
NOT-FOR-US: kimai2
CVE-2021-3984 (vim is vulnerable to Heap-based Buffer Overflow ...)
{DLA-3182-1 DLA-2947-1}
- - vim 2:8.2.3995-1 (bug #1001896)
- [bullseye] - vim <no-dsa> (Minor issue)
+ - vim 2:8.2.3995-1 (bug #1001896; unimportant)
NOTE: https://huntr.dev/bounties/b114b5a2-18e2-49f0-b350-15994d71426a
NOTE: https://github.com/vim/vim/commit/2de9b7c7c8791da8853a9a7ca9c467867465b655 (v8.2.3625)
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-3983 (kimai2 is vulnerable to Improper Neutralization of Input During Web Pa ...)
NOT-FOR-US: kimai2
CVE-2022-21742 (Realtek USB driver has a buffer overflow vulnerability due to insuffic ...)
@@ -75246,17 +75247,16 @@ CVE-2021-43960 (** DISPUTED ** Lorensbergs Connect2 3.13.7647.20190 is affected
NOT-FOR-US: Lorensbergs Connect2
CVE-2021-3974 (vim is vulnerable to Use After Free ...)
{DLA-3182-1 DLA-2947-1}
- - vim 2:8.2.3995-1 (bug #1001897)
- [bullseye] - vim <no-dsa> (Minor issue)
+ - vim 2:8.2.3995-1 (bug #1001897; unimportant)
NOTE: https://huntr.dev/bounties/e402cb2c-8ec4-4828-a692-c95f8e0de6d4
NOTE: https://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6 (v8.2.3612)
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-3973 (vim is vulnerable to Heap-based Buffer Overflow ...)
{DLA-2947-1}
- - vim 2:8.2.3995-1 (bug #1001899)
- [bullseye] - vim <no-dsa> (Minor issue)
- [buster] - vim <no-dsa> (Minor issue)
+ - vim 2:8.2.3995-1 (unimportant; bug #1001899)
NOTE: https://huntr.dev/bounties/ce6e8609-77c6-4e17-b9fc-a2e5abed052e
NOTE: https://github.com/vim/vim/commit/615ddd5342b50a6878a907062aa471740bd9a847 (v8.2.3611)
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-3972 (A potential vulnerability by a driver used during manufacturing proces ...)
NOT-FOR-US: Lenovo
CVE-2021-3971 (A potential vulnerability by a driver used during older manufacturing ...)
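Review bot: the annotation order differs within this hunk: CVE-2021-3974 uses `(bug #1001897; unimportant)` while CVE-2021-3973 uses `(unimportant; bug #1001899)`. The other entries touched in this commit (CVE-2021-4136, CVE-2021-3984) put the bug reference first, so `- vim 2:8.2.3995-1 (bug #1001899; unimportant)` would keep the file consistent and easier to grep.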
=====================================
data/dsa-needed.txt
=====================================
@@ -27,7 +27,7 @@ linux (carnil)
netatalk
open regression with MacOS, tentative patch not yet merged upstream
--
-nginx
+nginx (jmm)
--
nodejs
--
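Review bot: `nginx (jmm)` records the assignee but no status, while the netatalk entry above carries a one-line status ("open regression with MacOS, tentative patch not yet merged upstream"); consider adding a short status line under nginx so other team members can see what the pending DSA is waiting on.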
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a89b938c049a35447c6e1ba6b0f5989ebd2e05f0