[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Sep 14 16:25:29 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
01392162 by Moritz Muehlenhoff at 2022-09-14T17:25:06+02:00
bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -186,6 +186,7 @@ CVE-2022-3191
RESERVED
CVE-2022-3190 (Infinite loop in the F5 Ethernet Trailer protocol dissector in Wiresha ...)
- wireshark 3.6.8-1
+ [bullseye] - wireshark <no-dsa> (Minor issue)
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18307
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-06.html
CVE-2022-3189
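Review bot: the added bullseye line records only "Minor issue" and does not say whether the F5 Ethernet Trailer dissector code exists in the bullseye wireshark build at all. If that dissector is absent there, `<not-affected>` with a one-line reason is the more precise state, as used for wolfssl CVE-2022-38153 later in this same commit; if it is present, the entry is fine as written, since both the upstream issue and wnpa-sec-2022-06 are already linked for verification.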
@@ -1482,6 +1483,7 @@ CVE-2022-40024
RESERVED
CVE-2022-40023 (Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denia ...)
- mako 1.2.2+ds1-1
+ [bullseye] - mako <no-dsa> (Minor issue)
NOTE: https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c (rel_1_2_2)
NOTE: https://github.com/sqlalchemy/mako/issues/366
CVE-2022-40022
@@ -3284,12 +3286,14 @@ CVE-2022-39178
RESERVED
CVE-2022-39177 (BlueZ before 5.59 allows physically proximate attackers to cause a den ...)
- bluez 5.61-1
+ [bullseye] - bluez <no-dsa> (Minor issue)
NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b (5.59)
NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7a80d2096f1b7125085e21448112aa02f49f5e9a (5.59)
NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0388794dc5fdb73a4ea88bcf148de0a12b4364d4 (5.60)
NOTE: https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968
CVE-2022-39176 (BlueZ before 5.59 allows physically proximate attackers to obtain sens ...)
- bluez 5.61-1
+ [bullseye] - bluez <no-dsa> (Minor issue)
NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b (5.59)
NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7a80d2096f1b7125085e21448112aa02f49f5e9a (5.59)
NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0388794dc5fdb73a4ea88bcf148de0a12b4364d4 (5.60)
@@ -4488,18 +4492,22 @@ CVE-2022-2994
RESERVED
CVE-2022-38752 (Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...)
- snakeyaml <unfixed>
+ [bullseye] - snakeyaml <no-dsa> (Minor issue)
NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081 (not public)
CVE-2022-38751 (Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...)
- snakeyaml <unfixed>
+ [bullseye] - snakeyaml <no-dsa> (Minor issue)
NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
CVE-2022-38750 (Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...)
- snakeyaml <unfixed>
+ [bullseye] - snakeyaml <no-dsa> (Minor issue)
NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
CVE-2022-38749 (Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...)
- snakeyaml <unfixed>
+ [bullseye] - snakeyaml <no-dsa> (Minor issue)
NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024
CVE-2022-38748
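Review bot: all four snakeyaml entries (CVE-2022-38749 through CVE-2022-38752) keep `<unfixed>` in unstable while the new bullseye lines mark them `<no-dsa>`, so after this hunk no fixed version is tracked for any suite and none of the four carries a `(bug #...)` reference, unlike snakeyaml CVE-2022-25857 (`bug #1019218`) further down in this commit. Suggest adding that bug number if #1019218 covers these stack-overflow reports as well, or filing one, so the `<unfixed>` state stays actionable. Note also that the OSS-Fuzz link for CVE-2022-38752 is flagged `(not public)`, leaving the bitbucket issue as the only verifiable reference for that entry.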
@@ -4531,6 +4539,7 @@ CVE-2022-2990 (An incorrect handling of the supplementary groups in the Buildah
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121453
CVE-2022-2989 (An incorrect handling of the supplementary groups in the Podman contai ...)
- libpod <unfixed> (bug #1019591)
+ [bullseye] - libpod <no-dsa> (Minor issue)
NOTE: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121445
CVE-2022-2988
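Review bot: the sid line stays `<unfixed>` and the two NOTE lines point to a write-up and the Red Hat bug, with no upstream fix commit or fixed release recorded. A `Fixed by:` NOTE, as the virglrenderer entry in this commit has, would let the `libpod` maintainer act on bug #1019591 without re-deriving the fix; the `<no-dsa> (Minor issue)` bullseye line itself is consistent with the rest of this triage.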
@@ -5143,6 +5152,7 @@ CVE-2022-38529 (tinyexr commit 0647fb3 was discovered to contain a heap-buffer o
NOTE: https://github.com/syoyo/tinyexr/commit/82984a37d1dba67000a35b083b26df5e57a2bb72
CVE-2022-38528 (Open Asset Import Library (assimp) commit 3c253ca was discovered to co ...)
- assimp <unfixed>
+ [bullseye] - assimp <no-dsa> (Minor issue)
NOTE: https://github.com/assimp/assimp/issues/4662
CVE-2022-38527
RESERVED
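Review bot: this entry has an `<unfixed>` sid line, a single upstream issue link and no `(bug #...)` reference, whereas several other `<unfixed>` packages triaged here (libpod, wolfssl CVE-2022-34293, snakeyaml CVE-2022-25857) carry a Debian bug number. Marking bullseye `<no-dsa>` without a bug or fix reference leaves nothing tracking the eventual fix; suggest adding the Debian bug once filed, or a `Fixed by:` NOTE if upstream has committed one.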
@@ -6422,9 +6432,11 @@ CVE-2022-38154
RESERVED
CVE-2022-38153 (An issue was discovered in wolfSSL before 5.5.0 (when --enable-session ...)
- wolfssl <unfixed>
+ [bullseye] - wolfssl <not-affected> (Vulnerable code not present and session tickets not enabled)
NOTE: https://github.com/wolfSSL/wolfssl/pull/5476
CVE-2022-38152 (An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client ...)
- wolfssl <unfixed>
+ [bullseye] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/5468
CVE-2022-38151
RESERVED
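Review bot: the `<not-affected>` reason for CVE-2022-38153 combines two independent claims, "Vulnerable code not present" and "session tickets not enabled"; either alone justifies the state, but they have different implications if the bullseye package is ever rebuilt with the build option whose name is truncated in the description (`--enable-session ...`). Suggest keeping the claim that was actually verified against the bullseye source and stating the second only if it was checked too. Both CVEs are "before 5.5.0" per their descriptions and both sid lines remain `<unfixed>`, so the fixed version will need filling in for both once 5.5.0 is uploaded.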
@@ -7266,6 +7278,7 @@ CVE-2022-37798 (Tenda AC1206 V15.03.06.23 was discovered to contain a stack over
NOT-FOR-US: Tenda
CVE-2022-37797 (In lighttpd 1.4.65, mod_wstunnel does not initialize a handler functio ...)
- lighttpd 1.4.66-1
+ [bullseye] - lighttpd <no-dsa> (Minor issue)
NOTE: https://redmine.lighttpd.net/issues/3165
NOTE: https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/971773f1fae600074b46ef64f3ca1f76c227985f (lighttpd-1.4.66)
CVE-2022-37796 (In Simple Online Book Store System 1.0 in /admin_book.php the Title, A ...)
@@ -16435,6 +16448,7 @@ CVE-2022-34294 (totd 1.5.3 uses a fixed UDP source port in upstream queries sent
NOT-FOR-US: totd
CVE-2022-34293 (wolfSSL before 5.4.0 allows remote attackers to cause a denial of serv ...)
- wolfssl <unfixed> (bug #1016981)
+ [bullseye] - wolfssl <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2022/08/08/6
CVE-2022-34292
RESERVED
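Review bot: the only NOTE here is the oss-security post; no upstream commit or fixing release is referenced, unlike the other wolfssl entries in this commit, which link the upstream PRs. Since the description says "before 5.4.0" and sid is still `<unfixed>` (bug #1016981), a `Fixed by:` reference would make both the bullseye `<no-dsa>` decision and the eventual sid fix easier to verify.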
@@ -24750,6 +24764,7 @@ CVE-2022-31198 (OpenZeppelin Contracts is a library for secure smart contract de
NOT-FOR-US: OpenZeppelin
CVE-2022-31197 (PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to conn ...)
- libpgjava 42.4.1-1 (bug #1016662)
+ [bullseye] - libpgjava <no-dsa> (Minor issue)
NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2
NOTE: https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637 (REL42.4.1-rc1)
CVE-2022-31196 (Databasir is a database metadata management platform. Databasir <= ...)
@@ -40210,6 +40225,7 @@ CVE-2022-25858 (The package terser before 4.8.1, from 5.0.0 and before 5.14.2 ar
NOTE: https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012 (v4.8.1)
CVE-2022-25857 (The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable t ...)
- snakeyaml <unfixed> (bug #1019218)
+ [bullseye] - snakeyaml <no-dsa> (Minor issue)
NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/525
NOTE: https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174
NOTE: https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360
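Review bot: the first NOTE for CVE-2022-25857 links bitbucket issue 525, the same upstream issue already cited for CVE-2022-38749 in this commit (`issues/525/got-stackoverflowerror-for-many-open`). If the two CVEs describe the same stack-overflow report, one of them should say so (a NOTE cross-referencing the other CVE id) so the bullseye `<no-dsa>` triage is not applied twice to one issue; if they are distinct, this NOTE should point at the issue specific to 25857. This entry does link the upstream fix commit, which the CVE-2022-3874x entries lack.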
@@ -51443,6 +51459,7 @@ CVE-2022-0136 (A vulnerability was discovered in GitLab versions 10.5 to 14.5.4,
- gitlab <unfixed>
CVE-2022-0135 (An out-of-bounds write issue was found in the VirGL virtual OpenGL ren ...)
- virglrenderer 0.10.0-1 (bug #1009073)
+ [bullseye] - virglrenderer <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2037790
NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654
NOTE: Fixed by: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec (0.10.0)
=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ commons-configuration
--
connman (carnil)
--
+fish
+--
gdal
--
linux (carnil)
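Review bot: `fish` is added to dsa-needed.txt with no claimant and no indication of which CVE or bug triggered the DSA request. Unclaimed entries are consistent with the file's convention visible in the context (`gdal` is also unclaimed next to `connman (carnil)` and `linux (carnil)`), so the format is fine, but the data/CVE/list part of this commit touches no fish entry, so the motivating issue cannot be seen from the diff. Suggest a short note line under the entry naming the CVE id so whoever picks it up knows the scope.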
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01392162baab12680165e2171a0b98d9d0015551