[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Sep 13 12:31:22 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8fb35876 by Moritz Muehlenhoff at 2022-09-13T13:31:01+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -11515,9 +11515,9 @@ CVE-2022-36104
 CVE-2022-36103
 	RESERVED
 CVE-2022-36102 (Shopware is an open source e-commerce software. In affected versions i ...)
-	TODO: check
+	NOT-FOR-US: Shopware
 CVE-2022-36101 (Shopware is an open source e-commerce software. In affected versions t ...)
-	TODO: check
+	NOT-FOR-US: Shopware
 CVE-2022-36100 (XWiki Platform Applications Tag and XWiki Platform Tag UI are tag appl ...)
 	NOT-FOR-US: XWiki
 CVE-2022-36099 (XWiki Platform Wiki UI Main Wiki is software for managing subwikis on  ...)
@@ -12797,7 +12797,7 @@ CVE-2022-35574
 CVE-2022-35573
 	RESERVED
 CVE-2022-35572 (On Linksys E5350 WiFi Router with firmware version 1.0.00.037 and lowe ...)
-	TODO: check
+	NOT-FOR-US: Linksys
 CVE-2022-35571
 	RESERVED
 CVE-2022-35570
@@ -14203,37 +14203,30 @@ CVE-2022-35020 (Advancecomp v2.3 was discovered to contain a heap buffer overflo
 	- advancecomp <unfixed> (unimportant; bug #1019592)
 	NOTE: https://github.com/Cvjark/Poc/blob/main/advancecomp/CVE-2022-35020.md
 	NOTE: Crash in CLI tool, no security impact
-	TODO: check, unclear reporting to upstream
 CVE-2022-35019 (Advancecomp v2.3 was discovered to contain a segmentation fault. ...)
 	- advancecomp <unfixed> (bug #1019592)
 	[buster] - advancecomp <no-dsa> (Minor issue)
 	NOTE: https://github.com/Cvjark/Poc/blob/main/advancecomp/CVE-2022-35019.md
-	TODO: check, unclear reporting to upstream
 CVE-2022-35018 (Advancecomp v2.3 was discovered to contain a segmentation fault. ...)
 	- advancecomp <unfixed> (unimportant; bug #1019592)
 	NOTE: https://github.com/Cvjark/Poc/blob/main/advancecomp/CVE-2022-35018.md
 	NOTE: Crash in CLI tool, no security impact
-	TODO: check, unclear reporting to upstream
 CVE-2022-35017 (Advancecomp v2.3 was discovered to contain a heap buffer overflow. ...)
 	- advancecomp <unfixed> (unimportant; bug #1019592)
 	NOTE: https://github.com/Cvjark/Poc/blob/main/advancecomp/CVE-2022-35017.md
 	NOTE: Crash in CLI tool, no security impact
-	TODO: check, unclear reporting to upstream
 CVE-2022-35016 (Advancecomp v2.3 was discovered to contain a heap buffer overflow. ...)
 	- advancecomp <unfixed> (unimportant; bug #1019592)
 	NOTE: https://github.com/Cvjark/Poc/blob/main/advancecomp/CVE-2022-35016.md
 	NOTE: Crash in CLI tool, no security impact
-	TODO: check, unclear reporting to upstream
 CVE-2022-35015 (Advancecomp v2.3 was discovered to contain a heap buffer overflow via  ...)
 	- advancecomp <unfixed> (unimportant; bug #1019592)
 	NOTE: https://github.com/Cvjark/Poc/blob/main/advancecomp/CVE-2022-35015.md
 	NOTE: Crash in CLI tool, no security impact
-	TODO: check, unclear reporting to upstream
 CVE-2022-35014 (Advancecomp v2.3 contains a segmentation fault. ...)
 	- advancecomp <unfixed> (unimportant; bug #1019592)
 	NOTE: https://github.com/Cvjark/Poc/blob/main/advancecomp/CVE-2022-35014.md
 	NOTE: Crash in CLI tool, no security impact
-	TODO: check, unclear reporting to upstream
 CVE-2022-35013 (PNGDec commit 8abf6be was discovered to contain a FPE via SaveBMP at / ...)
 	NOT-FOR-US: bitbank2/PNGdec
 CVE-2022-35012 (PNGDec commit 8abf6be was discovered to contain a heap buffer overflow ...)
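Review bot: the seven removed "TODO: check, unclear reporting to upstream" lines recorded an open question about whether these advancecomp crashes were ever reported to upstream, and the hunk drops that question without a NOTE stating the outcome; if it was resolved, one NOTE line under the first entry (e.g. `NOTE: reported upstream` or `NOTE: not reported upstream, fuzzing PoC only`) would keep the reasoning in the file for the next triager. Separately, CVE-2022-35019 is the only entry of the seven that is not tagged `unimportant`, lacks the "Crash in CLI tool, no security impact" note and carries a `[buster] - advancecomp <no-dsa> (Minor issue)` line, even though CVE-2022-35018 and CVE-2022-35014 are also described as segmentation faults; if that distinction is intended, a NOTE explaining why 35019 is treated differently would make it clear it is not an oversight.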
@@ -26375,7 +26368,7 @@ CVE-2022-1699 (Uncontrolled Resource Consumption in GitHub repository causefx/or
 CVE-2022-1698 (Allowing long password leads to denial of service in GitHub repository ...)
 	NOT-FOR-US: organizr
 CVE-2022-1697 (Okta Active Directory Agent versions 3.8.0 through 3.11.0 installed th ...)
-	TODO: check
+	NOT-FOR-US: Okta
 CVE-2022-1696
 	RESERVED
 CVE-2022-1695 (The WP Simple Adsense Insertion WordPress plugin before 2.1 does not p ...)
@@ -28438,7 +28431,7 @@ CVE-2022-29909
 CVE-2022-29492
 	RESERVED
 CVE-2022-29490 (Improper Authorization vulnerability exists in the Workplace X WebUI o ...)
-	TODO: check
+	NOT-FOR-US: Workplace X
 CVE-2022-1543 (Improper handling of Length parameter in GitHub repository erudika/sco ...)
 	NOT-FOR-US: scoold
 CVE-2022-1542 (The HPB Dashboard WordPress plugin through 1.3.1 does not sanitise and ...)
@@ -38521,7 +38514,7 @@ CVE-2022-26472
 CVE-2022-26471
 	RESERVED
 CVE-2022-26470 (In aie, there is a possible out of bounds write due to an incorrect bo ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-26469 (In MtkEmail, there is a possible escalation of privilege due to fragme ...)
 	NOT-FOR-US: Mediatek
 CVE-2022-26468 (In preloader (usb), there is a possible out of bounds write due to a m ...)
@@ -39796,7 +39789,7 @@ CVE-2022-26060
 CVE-2022-26050
 	RESERVED
 CVE-2022-26049 (This affects the package com.diffplug.gradle:goomph before 3.37.2. It  ...)
-	TODO: check
+	NOT-FOR-US: com.diffplug.gradle:goomph
 CVE-2022-26048
 	RESERVED
 CVE-2022-26046
@@ -39988,7 +39981,7 @@ CVE-2022-25900 (All versions of package git-clone are vulnerable to Command Inje
 CVE-2022-25898 (The package jsrsasign before 10.5.25 are vulnerable to Improper Verifi ...)
 	NOT-FOR-US: Node jsrsasign
 CVE-2022-25897 (The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to ...)
-	TODO: check
+	NOT-FOR-US: org.eclipse.milo:sdk-server
 CVE-2022-25896 (This affects the package passport before 0.6.0. When a user logs in or ...)
 	- passportjs 0.6.0+~1.0.0-1 (bug #1014385)
 	[bullseye] - passportjs <no-dsa> (Minor issue)
@@ -40141,11 +40134,11 @@ CVE-2022-25647 (The package com.google.code.gson:gson before 2.8.9 are vulnerabl
 	NOTE: https://github.com/google/gson/commit/e6fae590cf2a758c47cd5a17f9bf3780ce62c986 (gson-parent-2.8.9)
 	NOTE: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327
 CVE-2022-25646 (All versions of package x-data-spreadsheet are vulnerable to Cross-sit ...)
-	TODO: check
+	NOT-FOR-US: Node x-data-spreadsheet
 CVE-2022-25645 (All versions of package dset are vulnerable to Prototype Pollution via ...)
 	NOT-FOR-US: Node dset
 CVE-2022-25644 (All versions of package @pendo324/get-process-by-name are vulnerable t ...)
-	TODO: check
+	NOT-FOR-US: Node @pendo324/get-process-by-name
 CVE-2022-25354 (The package set-in before 2.0.3 are vulnerable to Prototype Pollution  ...)
 	NOT-FOR-US: Node set-in
 CVE-2022-25353
@@ -40902,7 +40895,7 @@ CVE-2022-25627
 CVE-2022-25626
 	RESERVED
 CVE-2022-25625 (A malicious unauthorized PAM user can access the administration config ...)
-	TODO: check
+	NOT-FOR-US: Symantec
 CVE-2022-25624
 	RESERVED
 CVE-2022-25623 (The Symantec Management Agent is susceptible to a privilege escalation ...)
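Review bot: `NOT-FOR-US: Symantec` names only the vendor, whereas the other NOT-FOR-US tags in this diff name the product (`Proofpoint Insider Threat Management Agent for Windows`, `Elastic Endpoint Security for Windows`, `Zoho ManageEngine`); since the description refers to a PAM user and the adjacent CVE-2022-25623 concerns the Symantec Management Agent, a product-level tag such as `NOT-FOR-US: Symantec PAM` would avoid filing two different Symantec products under one label.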
@@ -41855,7 +41848,7 @@ CVE-2022-25297 (This affects the package drogonframework/drogon before 1.7.5. Th
 CVE-2022-25296 (The package bodymen from 0.0.0 are vulnerable to Prototype Pollution v ...)
 	NOT-FOR-US: Node bodymen
 CVE-2022-25295 (This affects the package github.com/gophish/gophish before 0.12.0. The ...)
-	TODO: check
+	NOT-FOR-US: gophish
 CVE-2022-25294 (Proofpoint Insider Threat Management Agent for Windows relies on an in ...)
 	NOT-FOR-US: Proofpoint Insider Threat Management Agent for Windows
 CVE-2022-25293 (A systemd stack-based buffer overflow in WatchGuard Firebox and XTM ap ...)
@@ -44967,7 +44960,7 @@ CVE-2022-24306 (Zoho ManageEngine SharePoint Manager Plus before 4329 allows acc
 CVE-2022-24305 (Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to ...)
 	NOT-FOR-US: Zoho ManageEngine
 CVE-2022-24304 (Schema in lib/schema.js in Mongoose before 6.4.6 is vulnerable to prot ...)
-	TODO: check
+	NOT-FOR-US: Mongoose
 CVE-2022-24303 (Pillow before 9.0.1 allows attackers to delete files because spaces in ...)
 	- pillow 9.0.1-1
 	[bullseye] - pillow <ignored> (Minor issue)
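Review bot: the `lib/schema.js` path in the description identifies this as the Node.js ODM, and the convention used elsewhere in this same diff is to prefix Node packages with `Node` (`NOT-FOR-US: Node jsrsasign`, `NOT-FOR-US: Node dset`, `NOT-FOR-US: Node mixme`); `NOT-FOR-US: Node mongoose` would follow that convention and also rules out confusion with the unrelated C embedded web server that shares the name.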
@@ -47566,7 +47559,7 @@ CVE-2022-23717 (PingID Windows Login prior to 2.8 is vulnerable to a denial of s
 CVE-2022-23716
 	RESERVED
 CVE-2022-23715 (A flaw was discovered in ECE before 3.4.0 that might lead to the discl ...)
-	TODO: check
+	NOT-FOR-US: Elastic Cloud Enterprise
 CVE-2022-23714 (A local privilege escalation (LPE) issue was discovered in the ransomw ...)
 	NOT-FOR-US: Elastic Endpoint Security for Windows
 CVE-2022-23713 (A cross-site-scripting (XSS) vulnerability was discovered in the Vega  ...)
@@ -58708,9 +58701,9 @@ CVE-2021-44428 (Pinkie 2.15 allows remote attackers to cause a denial of service
 CVE-2021-44427 (An unauthenticated SQL Injection vulnerability in Rosario Student Info ...)
 	NOT-FOR-US: Rosario Student Information System
 CVE-2021-44426 (An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.5 ...)
-	TODO: check
+	NOT-FOR-US: AnyDesk
 CVE-2021-44425 (An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.3 ...)
-	TODO: check
+	NOT-FOR-US: AnyDesk
 CVE-2021-44424
 	RESERVED
 CVE-2021-44423 (An out-of-bounds read vulnerability exists when reading a BMP file usi ...)
@@ -86100,7 +86093,7 @@ CVE-2021-35111 (Improper validation of tag id while RRC sending tag id to MAC ca
 CVE-2021-35110 (Possible buffer overflow to improper validation of hash segment of fil ...)
 	NOT-FOR-US: Qualcomm
 CVE-2021-35109 (Possible address manipulation from APP-NS while APP-S is configuring a ...)
-	TODO: check
+	NOT-FOR-US: Snapdragon
 CVE-2021-35108 (Improper checking of AP-S lock bit while verifying the secure resource ...)
 	NOT-FOR-US: Snapdragon
 CVE-2021-35107
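Review bot: within three adjacent entries the same vendor is tagged both `NOT-FOR-US: Qualcomm` (CVE-2021-35110) and `NOT-FOR-US: Snapdragon` (CVE-2021-35109, CVE-2021-35108); settling on one spelling, or using `Qualcomm Snapdragon` for all three, keeps a grep of the file for a vendor's entries reliable.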
@@ -102342,7 +102335,7 @@ CVE-2021-28863
 CVE-2021-28862
 	RESERVED
 CVE-2021-28861 (** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnera ...)
-	TODO: check
+	NOT-FOR-US: Disputed Python issue
 CVE-2021-28860 (In Node.js mixme, prior to v0.5.1, an attacker can add or alter proper ...)
 	NOT-FOR-US: Node mixme
 CVE-2021-28859
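Review bot: Python 3.x is packaged by Debian, so `NOT-FOR-US` is an unusual resolution for CVE-2021-28861: everywhere else in this diff the tag means the software is not in the archive. If the conclusion is that the disputed open-redirect claim does not warrant tracking, a package entry (for example `<not-affected>` or `<unimportant>`) together with a NOTE line citing why the report is disputed would record both the package mapping and the reasoning, instead of hiding it behind a tag that names no package.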
@@ -103495,7 +103488,7 @@ CVE-2021-28400
 CVE-2021-28399 (OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid us ...)
 	- orangehrm <itp> (bug #786622)
 CVE-2021-28398 (A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 ...)
-	TODO: check
+	NOT-FOR-US: GeoNetwork
 CVE-2021-28397
 	RESERVED
 CVE-2021-28396



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fb35876d8c9de5175d203028f2894fdf03be62c
