[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Oct 4 21:10:33 BST 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
479032bc by security tracker role at 2022-10-04T20:10:24+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1439,6 +1439,7 @@ CVE-2022-41768
RESERVED
CVE-2022-41767 [mediawiki: reassignEdits doesn't update results in an IP range check on Special:Contributions]
RESERVED
+ {DSA-5246-1}
- mediawiki 1:1.35.8-1
NOTE: https://phabricator.wikimedia.org/T316304
CVE-2022-41766 [mediawiki: On action=rollback the message "alreadyrolled" can leak revision deleted user name]
@@ -1449,6 +1450,7 @@ CVE-2022-41766 [mediawiki: On action=rollback the message "alreadyrolled" can le
NOTE: https://phabricator.wikimedia.org/T307278
CVE-2022-41765 [mediawiki: HTMLUserTextField exposes existence of hidden users]
RESERVED
+ {DSA-5246-1}
- mediawiki 1:1.35.8-1
NOTE: https://phabricator.wikimedia.org/T309894
CVE-2022-41764
@@ -6242,7 +6244,7 @@ CVE-2022-3101
NOT-FOR-US: tripleo-ansible
CVE-2022-3100 [access policy bypass via query string injection]
RESERVED
- {DLA-3136-1}
+ {DSA-5247-1 DLA-3136-1}
- barbican <unfixed> (bug #1021139)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2125404
NOTE: https://review.opendev.org/c/openstack/barbican/+/859852
@@ -19117,13 +19119,13 @@ CVE-2022-34914 (Webswing before 22.1.3 allows X-Forwarded-For header injection.
CVE-2022-34913 (** DISPUTED ** md2roff 1.7 has a stack-based buffer overflow via a Mar ...)
NOT-FOR-US: md2roff
CVE-2022-34912 (An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1 ...)
- {DLA-3117-1}
+ {DSA-5246-1 DLA-3117-1}
- mediawiki 1:1.35.7-1
NOTE: https://phabricator.wikimedia.org/T308473
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/807225/
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/PIPYDRSHXOYW5DB7X755QDNUV5EZWPWB/
CVE-2022-34911 (An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x ...)
- {DLA-3117-1}
+ {DSA-5246-1 DLA-3117-1}
- mediawiki 1:1.35.7-1
NOTE: https://phabricator.wikimedia.org/T308471
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/805208
@@ -29514,12 +29516,14 @@ CVE-2022-31093 (NextAuth.js is a complete open source authentication solution fo
CVE-2022-31092 (Pimcore is an Open Source Data & Experience Management Platform. P ...)
NOT-FOR-US: Pimcore
CVE-2022-31091 (Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` he ...)
+ {DSA-5246-1}
- guzzle 7.4.5-1 (bug #1014492)
- mediawiki 1:1.35.7-1
[buster] - mediawiki <not-affected> (Embedded Guzzle copy not present)
NOTE: https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
NOTE: https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82 (7.4.5)
CVE-2022-31090 (Guzzle, an extensible PHP HTTP client. `Authorization` headers on requ ...)
+ {DSA-5246-1}
- guzzle 7.4.5-1 (bug #1014492)
- mediawiki 1:1.35.7-1
[buster] - mediawiki <not-affected> (Embedded Guzzle copy not present)
@@ -29647,12 +29651,14 @@ CVE-2022-31045 (Istio is an open platform to connect, manage, and secure microse
CVE-2022-31044 (Rundeck is an open source automation service with a web console, comma ...)
NOT-FOR-US: Rundesk
CVE-2022-31043 (Guzzle is an open source PHP HTTP client. In affected versions `Author ...)
+ {DSA-5246-1}
- guzzle 7.4.4-1 (bug #1012821)
- mediawiki 1:1.35.7-1
[buster] - mediawiki <not-affected> (Embedded Guzzle copy not present)
NOTE: https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
NOTE: https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8 (7.4.4)
CVE-2022-31042 (Guzzle is an open source PHP HTTP client. In affected versions the `Co ...)
+ {DSA-5246-1}
- guzzle 7.4.4-1 (bug #1012821)
- mediawiki 1:1.35.7-1
[buster] - mediawiki <not-affected> (Embedded Guzzle copy not present)
@@ -35167,6 +35173,7 @@ CVE-2022-29250 (GLPI is a Free Asset and IT Management Software package, that pr
CVE-2022-29249 (JavaEZ is a library that adds new functions to make Java easier. A wea ...)
NOT-FOR-US: JavaEZLib/JavaEZ
CVE-2022-29248 (Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 ...)
+ {DSA-5246-1}
- guzzle 7.4.4-1 (bug #1011636)
- mediawiki 1:1.35.7-1
[buster] - mediawiki <not-affected> (Embedded Guzzle copy not present)
@@ -38205,19 +38212,19 @@ CVE-2022-28204 (A denial-of-service issue was discovered in MediaWiki 1.37.x bef
NOTE: https://phabricator.wikimedia.org/T297754
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/
CVE-2022-28203 (A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1 ...)
- {DLA-3117-1}
+ {DSA-5246-1 DLA-3117-1}
- mediawiki 1:1.35.6-1
[stretch] - mediawiki <postponed> (Fix along in next security release)
NOTE: https://phabricator.wikimedia.org/T297731
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/
CVE-2022-28202 (An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before ...)
- {DLA-3117-1}
+ {DSA-5246-1 DLA-3117-1}
- mediawiki 1:1.35.6-1
[stretch] - mediawiki <postponed> (Fix along in next security release)
NOTE: https://phabricator.wikimedia.org/T297543
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/
CVE-2022-28201 (An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36 ...)
- {DLA-3117-1}
+ {DSA-5246-1 DLA-3117-1}
- mediawiki 1:1.35.6-1
[stretch] - mediawiki <postponed> (Fix along in next security release)
NOTE: https://phabricator.wikimedia.org/T297571
@@ -61800,13 +61807,14 @@ CVE-2021-44857 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x befor
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
CVE-2021-44856 [Title blocked in AbuseFilter can be created via Special:ChangeContentModel]
RESERVED
- {DLA-3117-1}
+ {DSA-5246-1 DLA-3117-1}
- mediawiki 1:1.35.5-1
[stretch] - mediawiki <postponed> (Minor issue)
NOTE: https://phabricator.wikimedia.org/T271037
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
CVE-2021-44855 [Blind Stored XSS in VisualEditor media dialog]
RESERVED
+ {DSA-5246-1}
- mediawiki 1:1.35.5-1
[buster] - mediawiki <not-affected> (Vulnerable code not present)
[stretch] - mediawiki <not-affected> (Vulnerable code not present)
@@ -61814,6 +61822,7 @@ CVE-2021-44855 [Blind Stored XSS in VisualEditor media dialog]
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
CVE-2021-44854 [REST API incorrectly publicly caches autocomplete search results from private wikis]
RESERVED
+ {DSA-5246-1}
- mediawiki 1:1.35.5-1
[buster] - mediawiki <not-affected> (Vulnerable code not present)
[stretch] - mediawiki <not-affected> (Vulnerable code not present)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/479032bcb3334a8cb1075ce685658c62865e8a02
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/479032bcb3334a8cb1075ce685658c62865e8a02
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20221004/a4666dad/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list