[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Oct 5 16:03:16 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f2089065 by Moritz Muehlenhoff at 2022-10-05T17:02:42+02:00
bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -7460,11 +7460,13 @@ CVE-2022-39210 (Nextcloud android is the official Android client for the Nextclo
CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...)
- cmark-gfm <unfixed> (bug #1020588)
- python-cmarkgfm <unfixed>
- - ghostwriter <unfixed>
+ - ghostwriter <unfixed> (unimportant)
- ruby-commonmarker <unfixed>
- r-cran-commonmark <unfixed>
+ [bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
NOTE: https://github.com/github/cmark-gfm/commit/cfcaa0068bf319974fdec283416fcee5035c2d70 (0.29.0.gfm.6)
+ NOTE: For ghostwriter just a hang/crash in GUI tool, no security impact
CVE-2022-39208 (Onedev is an open source, self-hosted Git Server with CI/CD and Kanban ...)
NOT-FOR-US: Onedev
CVE-2022-39207 (Onedev is an open source, self-hosted Git Server with CI/CD and Kanban ...)
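Review bot: the bullseye triage in this hunk covers only r-cran-commonmark; cmark-gfm, python-cmarkgfm and ruby-commonmarker stay <unfixed> with no [bullseye] line, so it is not visible whether they are still awaiting a decision or are expected to get a DSA. If they are deferred on the same "Minor issue" grounds, adding the matching [bullseye] lines in the same commit would keep the four packages in step; if not, a NOTE saying why the cmark-gfm library itself is treated differently from the ghostwriter GUI case would help the next triager.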
@@ -7824,6 +7826,7 @@ CVE-2006-20001
RESERVED
CVE-2022-XXXX [wordpress 6.0.2]
- wordpress 6.0.2+dfsg1-1 (bug #1018863)
+ [bullseye] - wordpress <no-dsa> (Minor issue)
NOTE: https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
CVE-2022-39079
RESERVED
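Review bot: the new [bullseye] - wordpress <no-dsa> (Minor issue) line attaches to a placeholder entry (CVE-2022-XXXX [wordpress 6.0.2]) whose only reference is the upstream release announcement; once MITRE assigns ids for the 6.0.2 fixes, this entry will have to be split and the bullseye decision carried over to each of them, so a NOTE recording which fixes the "Minor issue" judgement is based on would make that split straightforward.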
@@ -18258,11 +18261,13 @@ CVE-2022-2321 (Improper Restriction of Excessive Authentication Attempts in GitH
CVE-2022-35230 (An authenticated user can create a link with reflected Javascript code ...)
[experimental] - zabbix 1:6.0.6+dfsg-1
- zabbix 1:6.0.7+dfsg-2 (bug #1014994)
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-21305
NOTE: Fixed in: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/3b47a97676ee9ca4e16566f1931c456459108eae (5.0.25rc1)
CVE-2022-35229 (An authenticated user can create a link with reflected Javascript code ...)
[experimental] - zabbix 1:6.0.6+dfsg-1
- zabbix 1:6.0.7+dfsg-2 (bug #1014992)
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-21306
NOTE: Fixed in: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b546c3f10ce98b0c914e5fc4114bd43042880c3c (5.0.25rc1)
CVE-2022-35228 (SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve ...)
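Review bot: both entries now carry [bullseye] - zabbix <no-dsa> (Minor issue) and both point at an upstream fix commit (5.0.25rc1 per the "Fixed in" NOTE lines); since <no-dsa> leaves the door open to a point-release update, it would be worth stating whether those two commits are intended for the next bullseye point update or whether the issues are simply left unfixed there, so the entries do not look unaddressed later.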
@@ -47753,16 +47758,19 @@ CVE-2022-24920
CVE-2022-24919 (An authenticated user can create a link with reflected Javascript code ...)
{DLA-2980-1}
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1)
CVE-2022-24918 (An authenticated user can create a link with reflected Javascript code ...)
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
[stretch] - zabbix <not-affected> (The vulnerable code was introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1)
CVE-2022-24917 (An authenticated user can create a link with reflected Javascript code ...)
{DLA-2980-1}
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1)
CVE-2022-24911
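Review bot: CVE-2022-24918 carries no {DLA-2980-1} reference while its siblings CVE-2022-24919 and CVE-2022-24917 (same ZBX-20680 ticket, same fix commit ff70e709) do; if buster was also unaffected by this one, a [buster] - zabbix <not-affected> line in the style of the existing [stretch] line would make that explicit, otherwise the missing DLA reference looks like an omission. The new [bullseye] line itself is consistent across the three entries.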
@@ -48391,6 +48399,7 @@ CVE-2022-24725 (Shescape is a shell escape package for JavaScript. An issue in v
CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference implementati ...)
- cmark-gfm 0.29.0.gfm.3-3 (bug #1006756)
- ghostwriter <unfixed> (bug #1006757)
+ [bullseye] - ghostwriter <no-dsa> (Minor issue)
- python-cmarkgfm 0.7.0-1 (bug #1006758)
- ruby-commonmarker <unfixed> (bug #1006759)
- r-cran-commonmark 1.8.0-1 (bug #1006760)
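Review bot: this hunk rates ghostwriter as <no-dsa> (Minor issue) for bullseye, whereas the CVE-2022-39209 entry in the same commit marks ghostwriter (unimportant) and adds a NOTE explaining why (hang/crash in a GUI tool, no security impact). If the same reasoning applies to CVE-2022-24724, a matching NOTE here would make the different severity choice traceable; if it does not, the NOTE should say what differs.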
@@ -49549,6 +49558,7 @@ CVE-2022-24350
CVE-2022-24349 (An authenticated user can create a link with reflected XSS payload for ...)
{DLA-2980-1}
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1)
CVE-2022-24348 (Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal ...)
@@ -54285,10 +54295,12 @@ CVE-2022-23135 (There is a directory traversal vulnerability in some home gatewa
CVE-2022-23134 (After the initial setup process, some steps of setup.php file are reac ...)
{DLA-2914-1}
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-20384
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa0fecfbcc9794bc00206630a7424575dfc944df (5.0.19rc2)
CVE-2022-23133 (An authenticated user can create a hosts group from the configuration ...)
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
[buster] - zabbix <not-affected> (Vulnerable code introduced later, and reverted with the fix)
[stretch] - zabbix <not-affected> (Vulnerable code introduced later, and reverted with the fix)
NOTE: https://support.zabbix.com/browse/ZBX-20388
@@ -54296,6 +54308,7 @@ CVE-2022-23133 (An authenticated user can create a hosts group from the configur
NOTE: Introduced by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/f3654d0173ea244a2319a093f7c4e27ad9086dc3 (4.4.0alpha3)
CVE-2022-23132 (During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability i ...)
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
[stretch] - zabbix <not-affected> (Not using RPM or DAC_OVERRIDE in Debian installs, zbx_ipc_service_init_env() not present)
NOTE: https://support.zabbix.com/browse/ZBX-20341
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/019fbd9b5cc9c455304f1a48460435ca474ba2ac (5.0.18)
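Review bot: the [stretch] rationale "Not using RPM or DAC_OVERRIDE in Debian installs" reads as applying to every Debian release, bullseye included, which would argue for [bullseye] - zabbix <not-affected> with that reason rather than <no-dsa> (Minor issue). If the difference is that zbx_ipc_service_init_env() is present in the bullseye version, a NOTE saying so would explain why bullseye is treated as affected-but-minor while stretch is not affected.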
=====================================
data/dsa-needed.txt
=====================================
@@ -42,6 +42,8 @@ rpki-client
--
ruby-image-processing
--
+ruby-nokogiri
+--
ruby-rack
--
ruby-tzinfo
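Review bot: the ruby-nokogiri addition to dsa-needed.txt is not covered by the commit message ("bullseye triage") and the new entry carries no note on which CVE entries prompt the DSA; a short note pointing at the relevant data/CVE/list entries would let whoever picks this up find the context without searching, as the other entries in this file rely on.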
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f208906503b226a8ed78815240dc67764bbd2d6b