[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Sep 1 14:44:49 BST 2022 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
93a402ef by Moritz Muehlenhoff at 2022-09-01T15:44:24+02:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -7076,23 +7076,26 @@ CVE-2022-2522 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to
 	NOTE: https://huntr.dev/bounties/3a2d83af-9542-4d93-8784-98b115135a22
 	NOTE: https://github.com/vim/vim/commit/5fa9f23a63651a8abdb074b4fc2ec9b1adc6b089 (v9.0.0061)
 CVE-2022-2521 (It was found in libtiff 4.4.0rc1 that there is an invalid pointer free ...)
-	- tiff <unfixed>
+	- tiff <unfixed> (unimportant)
 	NOTE: https://gitlab.com/libtiff/libtiff/-/issues/422
 	NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/378
 	NOTE: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf
 	NOTE: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-2520 (A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion f ...)
-	- tiff <unfixed>
+	- tiff <unfixed> (unimportant)
 	NOTE: https://gitlab.com/libtiff/libtiff/-/issues/424
 	NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/378
 	NOTE: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf
 	NOTE: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-2519 (There is a double free or corruption in rotateImage() at tiffcrop.c:88 ...)
-	- tiff <unfixed>
+	- tiff <unfixed> (unimportant)
 	NOTE: https://gitlab.com/libtiff/libtiff/-/issues/423
 	NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/378
 	NOTE: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf
 	NOTE: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba
+	NOTE: Crash in CLI tool, no security impact
 CVE-2022-2518
 	RESERVED
 CVE-2022-2517
@@ -7756,7 +7759,8 @@ CVE-2022-36187
 	RESERVED
 CVE-2022-36186 (A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-revUNK ...)
 	- gpac <unfixed>
-	[buster] - gpac <end-of-life> (EOL in buster LTS)
+	[bullseye] - gpac <not-affected> (Vulnerable code not present)
+	[buster] - gpac <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/gpac/gpac/issues/2223
 	NOTE: https://github.com/gpac/gpac/commit/b43f9d1a4b4e33d08edaef6d313e6ce4bdf554d3
 CVE-2022-36185
@@ -54042,6 +54046,7 @@ CVE-2021-44716 (net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows un
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	- golang-golang-x-net 1:0.0+git20211209.491a49a+dfsg-1
+	[bullseye] - golang-golang-x-net <no-dsa> (Minor issue)
 	- golang-golang-x-net-dev <removed>
 	[stretch] - golang-golang-x-net-dev <postponed> (Limited support in stretch)
 	NOTE: https://github.com/golang/go/issues/50058
@@ -100469,6 +100474,7 @@ CVE-2021-28133 (Zoom through 5.5.4 sometimes allows attackers to read private in
 	NOT-FOR-US: Zoom
 CVE-2021-3427 (The Deluge Web-UI is vulnerable to XSS through a crafted torrent file. ...)
 	- deluge <unfixed>
+	[bullseye] - deluge <no-dsa> (Minor issue)
 	NOTE: https://dev.deluge-torrent.org/ticket/3459
 	NOTE: https://dev.deluge-torrent.org/changeset/8ece03677
 	NOTE: https://dev.deluge-torrent.org/changeset/a5503c0c606


=====================================
data/dsa-needed.txt
=====================================
@@ -16,6 +16,8 @@ asterisk (apo)
 --
 chromium
 --
+connman
+--
 freecad (aron)
 --
 gdk-pixbuf (carnil)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93a402efa03e97dd44b9c75612815b4e025ae670

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93a402efa03e97dd44b9c75612815b4e025ae670
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220901/64e8bca7/attachment.htm>

More information about the debian-security-tracker-commits mailing list