[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Sep 12 15:00:00 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
39444394 by Moritz Muehlenhoff at 2022-09-12T15:57:12+02:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -364,6 +364,7 @@ CVE-2022-3173
 	RESERVED
 CVE-2022-40320 (cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffe ...)
 	- libconfuse <unfixed>
+	[bullseye] - libconfuse <no-dsa> (Minor issue)
 	NOTE: https://github.com/libconfuse/libconfuse/issues/163
 	NOTE: Fixed by: https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b
 CVE-2022-40319
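Review bot: the NOTE line directly below the added `[bullseye] - libconfuse <no-dsa> (Minor issue)` already records an upstream fix commit, yet the unstable entry stays `- libconfuse <unfixed>` with no hint of which upstream release will carry it; a short NOTE or TODO naming the expected fixed version (or stating that no release exists yet) would make the no-dsa decision easier to revisit when the sid package is updated. The placement of the bullseye annotation right under the source line matches the rest of the file.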
@@ -553,6 +554,7 @@ CVE-2022-3168
 	RESERVED
 CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...)
 	- openvswitch <unfixed>
+	[bullseye] - openvswitch <no-dsa> (Minor issue)
 	NOTE: https://arxiv.org/abs/2011.09107
 	NOTE: https://sites.google.com/view/tuple-space-explosion
 	NOTE: https://dl.acm.org/doi/10.1145/3359989.3365431
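Review bot: the three NOTEs for this entry are all research references (arXiv, the project site, the ACM paper) and none points at an upstream fix, so the added `[bullseye] - openvswitch <no-dsa> (Minor issue)` line and the `<unfixed>` sid line rest on the papers alone; a TODO recording whether upstream has or plans a mitigation for the TSS complexity issue would help the next triage pass decide when the unstable entry can be closed.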
@@ -4043,6 +4045,7 @@ CVE-2022-2997 (Session Fixation in GitHub repository snipe/snipe-it prior to 6.0
 	- snipe-it <itp> (bug #1005172)
 CVE-2022-2996 (A flaw was found in the python-scciclient when making an HTTPS connect ...)
 	- python-scciclient <unfixed> (bug #1018213)
+	[bullseye] - python-scciclient <no-dsa> (Minor issue)
 	NOTE: https://opendev.org/x/python-scciclient/commit/274dca0344b65b4ac113d3271d21c17e970a636c (0.12)
 CVE-2022-2995
 	RESERVED
@@ -11193,6 +11196,7 @@ CVE-2022-36110 (Netmaker makes networks with WireGuard. Prior to version 0.15.1,
 	TODO: check
 CVE-2022-36109 (Moby is an open-source project created by Docker to enable software co ...)
 	- docker.io <unfixed>
+	[bullseye] - docker.io <no-dsa> (Minor issue)
 	NOTE: https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
 	NOTE: https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32
 CVE-2022-36108
@@ -41481,6 +41485,7 @@ CVE-2022-0671 (A flaw was found in vscode-xml in versions prior to 0.19.0. Schem
 	NOT-FOR-US: vscode-xml
 CVE-2022-0670 (A flaw was found in Openstack manilla owning a Ceph File system "share ...)
 	- ceph 16.2.10+ds-1 (bug #1016069)
+	[bullseye] - ceph <no-dsa> (Minor issue)
 	[buster] - ceph <no-dsa> (Minor issue)
 	NOTE: https://ceph.io/en/news/blog/2022/v17-2-2-quincy-released/
 	NOTE: https://docs.ceph.com/en/latest/security/CVE-2022-0670/
@@ -43917,12 +43922,14 @@ CVE-2022-24578 (GPAC 1.0.1 is affected by a heap-based buffer overflow in SFS_Ad
 	NOTE: https://github.com/gpac/gpac/commit/b5741da08e88e8dcc8da0a7669b92405b9862850 (v2.0.0)
 CVE-2022-24577 (GPAC 1.0.1 is affected by a NULL pointer dereference in gf_utf8_wcslen ...)
 	- gpac 2.0.0+dfsg1-2
+	[bullseye] - gpac <no-dsa> (Minor issue)
 	[buster] - gpac <end-of-life> (EOL in buster LTS)
 	[stretch] - gpac <end-of-life> (No longer supported in LTS)
 	NOTE: https://huntr.dev/bounties/0758b3a2-8ff2-45fc-8543-7633d605d24e/
 	NOTE: https://github.com/gpac/gpac/commit/586e817dcd531bb3e75438390f1f753cfe6e940a (v2.0.0)
 CVE-2022-24576 (GPAC 1.0.1 is affected by Use After Free through MP4Box. ...)
 	- gpac 2.0.0+dfsg1-2
+	[bullseye] - gpac <no-dsa> (Minor issue)
 	[buster] - gpac <end-of-life> (EOL in buster LTS)
 	[stretch] - gpac <end-of-life> (No longer supported in LTS)
 	NOTE: https://github.com/gpac/gpac/issues/2061
@@ -44663,6 +44670,7 @@ CVE-2022-24303 (Pillow before 9.0.1 allows attackers to delete files because spa
 CVE-2022-24302 (In Paramiko before 2.10.1, a race condition (between creation and chmo ...)
 	{DLA-2959-1}
 	- paramiko 2.10.3-1 (bug #1008012)
+	[bullseye] - paramiko <no-dsa> (Minor issue)
 	NOTE: https://github.com/paramiko/paramiko/commit/4c491e299c9b800358b16fa4886d8d94f45abe2e (2.10.1)
 CVE-2022-24296 (Use of a Broken or Risky Cryptographic Algorithm vulnerability in Air  ...)
 	NOT-FOR-US: Mitsubishi
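Review bot: buster already carries `{DLA-2959-1}` for this CVE while bullseye is now tagged `<no-dsa> (Minor issue)`; since the referenced upstream commit (2.10.1) was small enough for LTS to ship it, spelling out in the annotation that it can be fixed via a point release would avoid the entry reading as a permanent skip for bullseye.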
@@ -79262,10 +79270,12 @@ CVE-2021-37820
 	RESERVED
 CVE-2021-37819 (PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite loop  ...)
 	- pdftk-java 3.3.2-1
-	- pdftk <unfixed>
+	[bullseye] - pdftk-java <no-dsa> (Minor issue)
+	- pdftk 2.02-5
 	NOTE: https://gitlab.com/pdftk-java/pdftk/-/merge_requests/21
 	NOTE: https://gitlab.com/pdftk-java/pdftk/-/commit/75deacdf5c46fd4eefb310c784eb9dfdc7b9fdc9 (v3.3.0)
 	NOTE: https://gitlab.com/pdftk-java/pdftk/-/commit/9b0cbb76c8434a8505f02ada02a94263dcae9247 (v3.3.0)
+	NOTE: Starting with 2.02-5 src:pdftk is just a transition package towards src:pdftk-java
 	TODO: check impact on other sources embedding lowagie/text/pdf/PdfReader.java
 CVE-2021-37818
 	RESERVED
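Review bot: the added `- pdftk 2.02-5` line marks src:pdftk as fixed in 2.02-5 on the strength of the new NOTE that it is now only a transitional package towards src:pdftk-java, but the hunk adds a `[bullseye]` annotation for pdftk-java only; if bullseye still ships a src:pdftk older than 2.02-5 with the embedded lowagie PdfReader code, that source needs its own `[bullseye] - pdftk ...` line, and if bullseye already has the transitional package, a NOTE saying so would make the omission deliberate. The existing TODO about other sources embedding lowagie/text/pdf/PdfReader.java also remains open after this change.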


=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ connman (carnil)
 --
 freecad (aron)
 --
+gdal
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y versions
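Review bot: the added `gdal` entry has no claimer in parentheses and no descriptive line, unlike `freecad (aron)` and the `linux (carnil)` block with its rationale; listing the pending CVE(s) or the reason a DSA is needed would help whoever picks it up. The `--` separator is placed consistently with the surrounding entries.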



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39444394b4dc0fee27b256ee5c13377fe1d9276a


