[Git][security-tracker-team/security-tracker][master] 5 commits: Marked CVE-2022-36059 affecting node-matrix-js-sdk as no-dsa in buster with motivation minor issue.
Ola Lundqvist (@opal)
opal at debian.org
Wed Sep 7 21:06:33 BST 2022
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
dbc91343 by Ola Lundqvist at 2022-09-07T22:06:08+02:00
Marked CVE-2022-36059 affecting node-matrix-js-sdk as no-dsa in buster with motivation minor issue.
- - - - -
2b0122c6 by Ola Lundqvist at 2022-09-07T22:06:09+02:00
Marked CVE-2022-39831 CVE-2022-39832 affecting pspp as no-dsa in buster with motivation minor issue.
- - - - -
6dc29d2d by Ola Lundqvist at 2022-09-07T22:06:10+02:00
Marked CVE-2022-25304 affecting python-opcua as no-dsa in buster with motivation minor issue.
- - - - -
c87f2585 by Ola Lundqvist at 2022-09-07T22:06:12+02:00
Marked CVE-2022-0692 and CVE-2022-0687 affecting node-url-parse as no-dsa with motivation minor issue. Authentication bypass is generally a bad thing but since there are previous CVEs with the same severity classified as no-dsa there is no point in fixing the new ones without fixing the old.
- - - - -
6d62b728 by Ola Lundqvist at 2022-09-07T22:06:13+02:00
Marked CVE-2020-29260 affecting libvncserver as no-dsa with motivation minor issue.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -686,10 +686,12 @@ CVE-2022-39833
CVE-2022-39832 (An issue was discovered in PSPP 1.6.2. There is a heap-based buffer ov ...)
- pspp <unfixed>
[bullseye] - pspp <no-dsa> (Minor issue)
+ [buster] - pspp <no-dsa> (Minor issue)
NOTE: https://savannah.gnu.org/bugs/index.php?63000
CVE-2022-39831 (An issue was discovered in PSPP 1.6.2. There is a heap-based buffer ov ...)
- pspp <unfixed>
[bullseye] - pspp <no-dsa> (Minor issue)
+ [buster] - pspp <no-dsa> (Minor issue)
NOTE: https://savannah.gnu.org/bugs/?62977
CVE-2022-39830 (sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on th ...)
NOT-FOR-US: Samsung mTower
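Review bot: The two added "[buster] - pspp <no-dsa> (Minor issue)" lines, under CVE-2022-39832 and CVE-2022-39831, give only the generic reason for what both descriptions call a heap-based buffer overflow. Consider a more specific parenthetical or an extra NOTE line on each entry saying why it is minor, so the no-dsa decision can be revisited when the upstream bugs referenced in the NOTE lines are resolved.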
@@ -10498,6 +10500,7 @@ CVE-2022-36059
RESERVED
- node-matrix-js-sdk <unfixed> (bug #1018970)
[bullseye] - node-matrix-js-sdk <no-dsa> (Minor issue)
+ [buster] - node-matrix-js-sdk <no-dsa> (Minor issue)
- thunderbird 1:102.2.1-1
[bullseye] - thunderbird <not-affected> (Only affects ESR102)
[buster] - thunderbird <not-affected> (Only affects ESR102)
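Review bot: The added "[buster] - node-matrix-js-sdk <no-dsa> (Minor issue)" line sits under an entry that is still RESERVED, so the visible lines carry no description against which the "Minor issue" assessment can be checked. A short, specific reason in the parenthetical would make the triage decision reviewable from the data file alone.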
@@ -39042,6 +39045,7 @@ CVE-2022-25324 (All versions of package bignum are vulnerable to Denial of Servi
CVE-2022-25304 (All versions of package opcua; all versions of package asyncua are vul ...)
- python-opcua <unfixed>
[bullseye] - python-opcua <no-dsa> (Minor issue)
+ [buster] - python-opcua <no-dsa> (Minor issue)
NOTE: https://github.com/FreeOpcUa/python-opcua/issues/1466
NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-OPCUA-2988730
CVE-2022-25303 (The package whoogle-search before 0.7.2 are vulnerable to Cross-site S ...)
@@ -40404,6 +40408,7 @@ CVE-2022-0692 (Open Redirect on Rudloff/alltube in Packagist rudloff/alltube pri
CVE-2022-0691 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...)
- node-url-parse 1.5.9+~1.4.8-1
[bullseye] - node-url-parse 1.5.3-1+deb11u1
+ [buster] - node-url-parse <no-dsa> (Minor issue)
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4
NOTE: https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63 (1.5.9)
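Review bot: The added "[buster]" line is under CVE-2022-0691, but the commit message for this change names CVE-2022-0692, which is the Rudloff/alltube entry shown in the hunk header. The message should name CVE-2022-0691 so the log matches the data.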
@@ -40423,6 +40428,7 @@ CVE-2022-0687 (The Amelia WordPress plugin before 1.0.47 stores image blobs into
CVE-2022-0686 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...)
- node-url-parse 1.5.9+~1.4.8-1
[bullseye] - node-url-parse 1.5.3-1+deb11u1
+ [buster] - node-url-parse <no-dsa> (Minor issue)
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c
NOTE: https://github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5 (1.5.8)
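Review bot: The added "[buster] - node-url-parse <no-dsa> (Minor issue)" line under CVE-2022-0686 diverges from the bullseye line directly above it, which carries a fixed version (1.5.3-1+deb11u1), and the reason for the divergence exists only in the commit message. Recording that reason in the entry, as a more specific parenthetical or a NOTE line, would keep it with the data. The commit message also names CVE-2022-0687, the Amelia WordPress plugin entry in the hunk header, rather than CVE-2022-0686.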
@@ -128592,6 +128598,7 @@ CVE-2020-29261
RESERVED
CVE-2020-29260 (libvncclient v0.9.13 was discovered to contain a memory leak via the f ...)
- libvncserver <unfixed> (bug #1019228)
+ [buster] - libvncserver <no-dsa> (Minor issue)
NOTE: https://github.com/LibVNC/libvncserver/commit/bef41f6ec4097a8ee094f90a1b34a708fbd757ec
CVE-2020-29259 (Cross-site scripting (XSS) vulnerability in Online Examination System ...)
NOT-FOR-US: Online Examination System
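Review bot: Only a "[buster]" line is added under CVE-2020-29260; the entry has "- libvncserver <unfixed> (bug #1019228)" and no "[bullseye]" line, so bullseye is left without a release-specific annotation after this change. If the same assessment holds for bullseye, add the matching "[bullseye]" line in the same commit so the two releases are triaged together.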
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d5609e71d883ebd04b0429e2cb9d3e5d68f25cbd...6d62b7287ac651e8134f7d56aebe81b19b1590b4