[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed Oct 5 21:10:39 BST 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
774a0214 by security tracker role at 2022-10-05T20:10:27+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -10622,13 +10622,13 @@ CVE-2022-38180 (In JetBrains Ktor before 2.1.0 the wrong authentication provider
 CVE-2022-38179 (JetBrains Ktor before 2.1.0 was vulnerable to the Reflect File Downloa ...)
 	NOT-FOR-US: JetBrains Ktor
 CVE-2022-38178 (By spoofing the target resolver with responses that have a malformed E ...)
-	{DSA-5235-1}
+	{DSA-5235-1 DLA-3138-1}
 	- bind9 1:9.18.7-1
 	NOTE: https://kb.isc.org/docs/cve-2022-38178
 	NOTE: Fixed by: https://gitlab.isc.org/isc-projects/bind9/-/commit/7c0028cfad2ae5fdf82c4d02d3b8b3a1e96dc6ec (v9_18_7)
 	NOTE: Fixed by: https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6c4165fbd3d (v9_16_33)
 CVE-2022-38177 (By spoofing the target resolver with responses that have a malformed E ...)
-	{DSA-5235-1}
+	{DSA-5235-1 DLA-3138-1}
 	- bind9 1:9.17.20-1
 	NOTE: https://kb.isc.org/docs/cve-2022-38177
 	NOTE: Fixed by (while refactoring): https://gitlab.isc.org/isc-projects/bind9/-/commit/d4eb6e0a57a7eeb42328ff66865fa66688603c17 (v9_17_20)
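Review bot: the DLA-3138-1 tag is added to both CVE-2022-38178 and CVE-2022-38177, but the fixed-by NOTEs still reference only the v9_18_7/v9_16_33 and v9_17_20 upstream commits; if the LTS upload the DLA covers is based on a different bind9 branch, a NOTE pointing at the backported change would make the entries self-contained for anyone re-verifying the LTS fix. The versions `1:9.18.7-1` and `1:9.17.20-1` are untouched, so the hunk is cross-reference annotation only.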
@@ -10661,7 +10661,7 @@ CVE-2022-2797 (A vulnerability classified as critical was found in SourceCodeste
 CVE-2022-2796 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...)
 	NOT-FOR-US: pimcore
 CVE-2022-2795 (By flooding the target resolver with queries exploiting this flaw an a ...)
-	{DSA-5235-1}
+	{DSA-5235-1 DLA-3138-1}
 	- bind9 1:9.18.7-1
 	NOTE: https://kb.isc.org/docs/cve-2022-2795
 	NOTE: Fixed by: https://gitlab.isc.org/isc-projects/bind9/-/commit/e2014ba9e3b4236b0384ba17abfb2c9a155412f6 (v9_18_7)
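Review bot: CVE-2022-2795 now carries the same DLA-3138-1 tag as the two bind9 entries above, so all three bind9 CVEs fixed by DSA-5235-1 in this file are cross-referenced to the DLA consistently; the one thing to confirm is that the DLA text lists all three ids, since the tracker links advisories by id and a missing one would surface as a mismatch between advisory and CVE list.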
@@ -26279,6 +26279,7 @@ CVE-2022-32213 (The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in
 	NOTE: https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a (main)
 	NOTE: https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#cve-2022-32213-bypass-via-obs-fold-mechanic-medium-cve-2022-32213
 CVE-2022-32212 (A OS Command Injection vulnerability exists in Node.js versions <14 ...)
+	{DLA-3137-1}
 	- nodejs 18.6.0+dfsg-3
 	NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dns-rebinding-in-inspect-via-invalid-ip-addresses-high-cve-2022-32212
 	NOTE: https://github.com/nodejs/node/commit/48c5aa5cab718d04473fa2761d532657c84b8131 (v14.x)
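Review bot: the imported description for CVE-2022-32212 reads "A OS Command Injection vulnerability exists" while the upstream NOTE anchor is the DNS-rebinding-in-inspect advisory; the imported text is not something to change in this hunk, but the NOTE should be treated as the authoritative description when triaging. The hunk header change from 6 to 7 lines matches the single `{DLA-3137-1}` line added.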
@@ -63011,7 +63012,7 @@ CVE-2021-44536
 CVE-2021-44535
 	RESERVED
 CVE-2022-21824 (Due to the formatting logic of the "console.table()" function it was n ...)
-	{DSA-5170-1}
+	{DSA-5170-1 DLA-3137-1}
 	- nodejs 12.22.9~dfsg-1 (bug #1004177)
 	[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#prototype-pollution-via-console-table-properties-low-cve-2022-21824
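Review bot: the `[stretch] - nodejs <end-of-life>` line is kept while DLA-3137-1 is added next to DSA-5170-1, which is coherent only if the DLA targets a suite other than stretch; worth a glance at the DLA to confirm. The fixed version `12.22.9~dfsg-1` and bug #1004177 are unchanged, so nothing else in the entry needs re-checking.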
@@ -121528,6 +121529,7 @@ CVE-2021-22942 (A possible open redirect vulnerability in the Host Authorization
 CVE-2021-22941 (Improper Access Control in Citrix ShareFile storage zones controller b ...)
 	NOT-FOR-US: Citrix
 CVE-2021-22940 (Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use aft ...)
+	{DLA-3137-1}
 	- nodejs 12.22.5~dfsg-1
 	[bullseye] - nodejs <not-affected> (Incomplete fix for CVE-2021-22930 not applied)
 	[stretch] - nodejs <not-affected> (Incomplete fix for CVE-2021-22930 not applied)
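Review bot: CVE-2021-22940 gets the DLA-3137-1 tag although both `[bullseye]` and `[stretch]` are marked `<not-affected>` with the reason "Incomplete fix for CVE-2021-22930 not applied"; the same question applies to the suite the DLA covers, and if that suite likewise never received the incomplete fix, it should get a `<not-affected>` line rather than the DLA reference. If it did ship the incomplete fix, the tag is correct and a short NOTE saying so would prevent the next reader from asking again.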
@@ -121535,6 +121537,7 @@ CVE-2021-22940 (Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a u
 	NOTE: https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b (v12.22.5)
 	NOTE: https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22940
 CVE-2021-22939 (If the Node.js https API was used incorrectly and "undefined" was in p ...)
+	{DLA-3137-1}
 	- nodejs 12.22.5~dfsg-1
 	[bullseye] - nodejs 12.22.5~dfsg-2~11u1
 	[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support)
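Review bot: no objection to this hunk; bullseye has its own fixed version `12.22.5~dfsg-2~11u1` and stretch is end-of-life, so the added DLA-3137-1 tag covers the remaining suite. The hunk header offset (+121537 against -121535) is consistent with the two lines added earlier in the file.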
@@ -121558,6 +121561,7 @@ CVE-2021-22931 (Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Rem
 	- nodejs <not-affected> (Debian builds nodejs against src:c-ares)
 	NOTE: https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#cares-upgrade-improper-handling-of-untypical-characters-in-domain-names-high-cve-2021-22931
 CVE-2021-22930 (Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use aft ...)
+	{DLA-3137-1}
 	- nodejs 12.22.4~dfsg-1
 	[bullseye] - nodejs 12.22.5~dfsg-2~11u1
 	[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support)
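Review bot: tagging CVE-2021-22930 with DLA-3137-1 alongside CVE-2021-22940 is coherent, since the CVE-2021-22940 entry describes itself as completing the incomplete fix for this id; the pair should only be tagged together if the DLA shipped both changes, which is the same check raised for the CVE-2021-22940 hunk. Fixed version `12.22.4~dfsg-1` and the suite lines are unchanged.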



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/774a02141e3524ddd74aca137be4c8a481264180


