[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Nov 16 10:05:03 GMT 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d82dbd02 by Moritz Muehlenhoff at 2022-11-16T11:04:49+01:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -9888,6 +9888,7 @@ CVE-2022-3462 (The Highlight Focus WordPress plugin through 1.1 does not sanitis
 	NOT-FOR-US: WordPress plugin
 CVE-2022-42889 (Apache Commons Text performs variable interpolation, allowing properti ...)
 	- commons-text 1.10.0-1 (bug #1021787)
+	[bullseye] - commons-text <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/10/13/4
 	NOTE: https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/
 	NOTE: https://blogs.apache.org/security/entry/cve-2022-42889
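Review bot: the new `[bullseye] - commons-text <no-dsa> (Minor issue)` line records no rationale beyond "Minor issue", while every other triage decision in this commit adds a `NOTE:` line explaining the rating. Since the CVE text says the library performs variable interpolation and the unstable fix is tracked under bug #1021787, suggest a NOTE stating what limits exposure in bullseye (for instance, which packages, if any, pass untrusted strings into the interpolation), so the no-dsa decision can be re-checked later without re-reading the three referenced advisories.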
@@ -62120,12 +62121,12 @@ CVE-2022-0395 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelpe
 CVE-2022-0394 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...)
 	NOT-FOR-US: livehelperchat
 CVE-2022-0393 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...)
-	- vim 2:8.2.4659-1
-	[bullseye] - vim <no-dsa> (Minor issue)
+	- vim 2:8.2.4659-1 (unimportant)
 	[buster] - vim <not-affected> (The vulnerable code is not present)
 	[stretch] - vim <not-affected> (The vulnerable code is not present)
 	NOTE: https://huntr.dev/bounties/ecc8f488-01a0-477f-848f-e30b8e524bba
 	NOTE: https://github.com/vim/vim/commit/a4bc2dd7cccf5a4a9f78b58b6f35a45d17164323 (v8.2.4233)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-24069 (An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel  ...)
 	NOT-FOR-US: Insyde
 CVE-2022-24064 (This vulnerability allows remote attackers to execute arbitrary code o ...)
@@ -62728,10 +62729,10 @@ CVE-2022-21184 (An information disclosure vulnerability exists in the License re
 	NOT-FOR-US: Bachmann Visutec GmbH Atvise
 CVE-2022-0368 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...)
 	{DLA-3182-1 DLA-2947-1}
-	- vim 2:8.2.4659-1
-	[bullseye] - vim <no-dsa> (Minor issue)
+	- vim 2:8.2.4659-1 (unimportant)
 	NOTE: https://huntr.dev/bounties/bca9ce1f-400a-4bf9-9207-3f3187cb3fa9/
 	NOTE: https://github.com/vim/vim/commit/8d02ce1ed75d008c34a5c9aaa51b67cbb9d33baa (v8.2.4217)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-0367 (A heap-based buffer overflow flaw was found in libmodbus in function m ...)
 	{DLA-3098-1}
 	- libmodbus 3.1.6-2.1 (bug #1021270)
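Review bot: the `{DLA-3182-1 DLA-2947-1}` line shows CVE-2022-0368 was already fixed in buster and stretch by two advisories, so the new `unimportant` rating and `NOTE: Crash in CLI tool, no security impact` now sit beside advisories that treated the issue as worth fixing. Consider extending the NOTE to say the downgrade postdates those DLAs, so the entry does not read as self-contradictory to someone checking the history of the issue.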
@@ -63650,17 +63651,16 @@ CVE-2022-0320 (The Essential Addons for Elementor WordPress plugin before 5.0.5
 	NOT-FOR-US: WordPress plugin
 CVE-2022-0319 (Out-of-bounds Read in vim/vim prior to 8.2. ...)
 	{DLA-3182-1 DLA-2947-1}
-	- vim 2:8.2.4659-1
-	[bullseye] - vim <no-dsa> (Minor issue)
+	- vim 2:8.2.4659-1 (unimportant)
 	NOTE: https://huntr.dev/bounties/ba622fd2-e6ef-4ad9-95b4-17f87b68755b
 	NOTE: https://github.com/vim/vim/commit/05b27615481e72e3b338bb12990fb3e0c2ecc2a9 (v8.2.4154)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-0318 (Heap-based Buffer Overflow in vim/vim prior to 8.2. ...)
-	- vim 2:8.2.4659-1 (bug #1004859)
-	[bullseye] - vim <no-dsa> (Minor issue)
-	[buster] - vim <no-dsa> (Minor issue)
+	- vim 2:8.2.4659-1 (bug #1004859; unimportant)
 	[stretch] - vim <postponed> (Fix introduces a test regression)
 	NOTE: https://huntr.dev/bounties/0d10ba02-b138-4e68-a284-67f781a62d08
 	NOTE: https://github.com/vim/vim/commit/57df9e8a9f9ae1aafdde9b86b10ad907627a87dc (v8.2.4151)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-0317 (An improper input validation vulnerability in go-attestation before 0. ...)
 	NOT-FOR-US: go-attestation
 CVE-2022-0316
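Review bot: for CVE-2022-0318 the `[bullseye]` and `[buster]` `<no-dsa>` lines are dropped, but `[stretch] - vim <postponed> (Fix introduces a test regression)` is kept, which is inconsistent with the new `unimportant` rating: a postponed marker implies a fix is still intended, while the added NOTE says there is no security impact. Either drop the stretch line like the other two, or add a word on why stretch still tracks a fix. This entry is also described as a heap-based buffer overflow rather than an out-of-bounds read like the other vim entries in this commit, so "Crash in CLI tool" would benefit from a short statement of why the write is not considered exploitable.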
@@ -67546,9 +67546,10 @@ CVE-2022-0139 (Use After Free in GitHub repository radareorg/radare2 prior to 5.
 CVE-2022-0138 (MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior ...)
 	NOT-FOR-US: Airspan Networks
 CVE-2022-0137 (A heap buffer overflow in image_set_mask function of HTMLDOC before 1. ...)
-	- htmldoc 1.9.15-1
+	- htmldoc 1.9.15-1 (unimportant)
 	NOTE: https://github.com/michaelrsweet/htmldoc/issues/461
 	NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/71fe87878c9cbc3db429f5e5c70f28e4b3d96e3b (v1.9.15)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-0136 (A vulnerability was discovered in GitLab versions 10.5 to 14.5.4, 14.6 ...)
 	- gitlab <unfixed>
 CVE-2022-0135 (An out-of-bounds write issue was found in the VirGL virtual OpenGL ren ...)
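Review bot: CVE-2022-0137 is described as a heap buffer overflow in htmldoc's image_set_mask, i.e. a write triggered by the document being converted, so `NOTE: Crash in CLI tool, no security impact` is a stronger claim here than for the read-only vim issues triaged in the same commit. Consider stating in the NOTE why the overflow is judged non-exploitable rather than only "crash". Also note that, unlike the vim entries, there is no suite-specific marker on this entry, so the `unimportant` rating applies to every suite, bullseye included.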


=====================================
data/dsa-needed.txt
=====================================
@@ -26,6 +26,8 @@ heimdal (carnil)
 --
 jackson-databind (apo)
 --
+krb5
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y versions
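Review bot: the new `krb5` entry in dsa-needed.txt has neither an assignee in parentheses nor an explanatory line, whereas the neighbouring entries either name who is working on them (`heimdal (carnil)`, `jackson-databind (apo)`, `linux (carnil)`) or carry a status note. Suggest adding the owner once someone claims it and a short note with the CVE(s) driving the DSA, so the entry is actionable for whoever picks it up.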



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d82dbd02c3402cb2149ccaf630fd5e523dd377f1


