[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Sep 20 16:04:20 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b9ae6ff5 by Moritz Mühlenhoff at 2022-09-20T17:03:48+02:00
bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5240,20 +5240,23 @@ CVE-2022-38855 (Certain The MPlayer Project products are vulnerable to Buffer Ov
CVE-2022-38854
RESERVED
CVE-2022-38853 (Certain The MPlayer Project products are vulnerable to Buffer Overflow ...)
- - mplayer <unfixed>
+ - mplayer <unfixed> (unimportant)
NOTE: https://trac.mplayerhq.hu/ticket/2398
NOTE: https://git.ffmpeg.org/gitweb/mplayer.git/commit/59792bad144c11b21b27171a93a36e3fbd21eb5e (r38380)
NOTE: Followup: https://git.ffmpeg.org/gitweb/mplayer.git/commit/48ca1226397974bb2bc53de878411f88a80fe1f8 (r38392)
+ NOTE: Crash in CLI tool, no security impact
CVE-2022-38852
RESERVED
CVE-2022-38851 (Certain The MPlayer Project products are vulnerable to Out-of-bounds R ...)
- - mplayer <unfixed>
+ - mplayer <unfixed> (unimportant)
NOTE: https://trac.mplayerhq.hu/ticket/2393
NOTE: https://git.ffmpeg.org/gitweb/mplayer.git/commit/58db9292a414ebf13a2cacdb3ffa967fb9036935 (r38382)
+ NOTE: Crash in CLI tool, no security impact
CVE-2022-38850 (The MPlayer Project mencoder SVN-r38374-13.0.1 is vulnerable to Divide ...)
- - mplayer <unfixed>
+ - mplayer <unfixed> (unimportant)
NOTE: https://trac.mplayerhq.hu/ticket/2399
NOTE: https://git.ffmpeg.org/gitweb/mplayer.git/commit/d19ea1ce173e95c31b0e8acbe471ea26c292be2b (r38390)
+ NOTE: Crash in CLI tool, no security impact
CVE-2022-38849
RESERVED
CVE-2022-38848
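Review bot: the justification added for the three mplayer entries ("Crash in CLI tool, no security impact") does not match the CVE descriptions it sits under, which speak of a buffer overflow (CVE-2022-38853), an out-of-bounds read (CVE-2022-38851) and a divide error (CVE-2022-38850) in code that parses input files; for the "(unimportant)" rating to be auditable later, the NOTE should record why each is only a crash (for example what the linked upstream ticket or commit establishes about the fault), rather than the same generic sentence on all three.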
@@ -8585,6 +8588,7 @@ CVE-2022-37704
RESERVED
CVE-2022-37703 (In Amanda 3.5.1, an information leak vulnerability was found in the ca ...)
- amanda <unfixed>
+ [bullseye] - amanda <no-dsa> (Minor issue)
NOTE: https://github.com/MaherAzzouzi/CVE-2022-37703
CVE-2022-37702
RESERVED
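Review bot: CVE-2022-37703 is downgraded to no-dsa "(Minor issue)" for bullseye with only a third-party proof-of-concept repository as the NOTE reference and no upstream issue or fix commit, unlike the other entries in this commit which cite an upstream commit or release; consider adding the upstream reference (or a note that none exists yet) so the reason for the rating is on record.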
@@ -33634,6 +33638,7 @@ CVE-2022-1228 (The Opensea WordPress plugin before 1.0.3 does not sanitize and e
NOT-FOR-US: WordPress plugin
CVE-2022-1227 (A privilege escalation flaw was found in Podman. This flaw allows an a ...)
- libpod 3.4.7+ds1-1
+ [bullseye] - libpod <no-dsa> (Minor issue)
- golang-github-containers-psgo 1.7.1+ds1-1
[bullseye] - golang-github-containers-psgo <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2070368
@@ -36530,6 +36535,7 @@ CVE-2022-27650 (A flaw was found in crun where containers were incorrectly start
NOTE: https://github.com/containers/crun/commit/b847d146d496c9d7beba166fd595488e85488562 (1.4.4)
CVE-2022-27649 (A flaw was found in Podman, where containers were started incorrectly ...)
- libpod 3.4.6+ds1-1
+ [bullseye] - libpod <no-dsa> (Minor issue)
NOTE: https://github.com/containers/podman/releases/tag/v4.0.3
NOTE: https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0 (main)
NOTE: https://github.com/containers/podman/commit/7b368768c2990b9781b2b6813e1c7f91c7e6cb13 (v4.0.3)
@@ -41359,6 +41365,7 @@ CVE-2022-25871 (All versions of package querymen are vulnerable to Prototype Pol
NOT-FOR-US: Node querymen
CVE-2022-25869 (All versions of package angular are vulnerable to Cross-site Scripting ...)
- angular.js <unfixed>
+ [bullseye] - angular.js <no-dsa> (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781
CVE-2022-25867 (The package io.socket:socket.io-client before 2.0.1 are vulnerable to ...)
NOT-FOR-US: socket.io-client-java
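Review bot: the unstable line `- angular.js <unfixed>` for CVE-2022-25869 has no bug reference, while the neighbouring CVE-2022-25844 entry carries `(bug #1014779)`; if the same package bug tracks both angular.js issues, reference it here too, otherwise a separate bug should be filed and linked so the unfixed state is tracked somewhere.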
@@ -41414,6 +41421,7 @@ CVE-2022-25845 (The package com.alibaba:fastjson before 1.2.83 are vulnerable to
NOT-FOR-US: com.alibaba:fastjson
CVE-2022-25844 (The package angular after 1.7.0 are vulnerable to Regular Expression D ...)
- angular.js <unfixed> (bug #1014779)
+ [bullseye] - angular.js <no-dsa> (Minor issue)
[stretch] - angular.js <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735
CVE-2022-25843
@@ -44956,6 +44964,7 @@ CVE-2022-24730 (Argo CD is a declarative, GitOps continuous delivery tool for Ku
NOT-FOR-US: Argo CD
CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...)
- ckeditor 4.19.0+dfsg-1
+ [bullseye] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed> (bug #1015217)
[bullseye] - ckeditor3 <no-dsa> (Minor issue)
[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
@@ -44963,6 +44972,7 @@ CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed
NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh
CVE-2022-24728 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...)
- ckeditor 4.19.0+dfsg-1
+ [bullseye] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed> (bug #1015217)
[bullseye] - ckeditor3 <no-dsa> (Minor issue)
[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
@@ -45539,6 +45549,7 @@ CVE-2022-24579
RESERVED
CVE-2022-24578 (GPAC 1.0.1 is affected by a heap-based buffer overflow in SFS_AddStrin ...)
- gpac 2.0.0+dfsg1-2
+ [bullseye] - gpac <no-dsa> (Minor issue)
[buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/1691cca3-ab54-4259-856b-751be2395b11/
@@ -45568,6 +45579,7 @@ CVE-2022-24575 (GPAC 1.0.1 is affected by a stack-based buffer overflow through
NOTE: https://github.com/gpac/gpac/commit/b13e9986aa1134c764b0d84f0f66328429b9c2eb (v2.0.0)
CVE-2022-24574 (GPAC 1.0.1 is affected by a NULL pointer dereference in gf_dump_vrml_f ...)
- gpac 2.0.0+dfsg1-2
+ [bullseye] - gpac <no-dsa> (Minor issue)
[buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/a08437cc-25aa-4116-8069-816f78a2247c/
@@ -74245,6 +74257,7 @@ CVE-2021-40404 (An authentication bypass vulnerability exists in the cgiserver.c
NOT-FOR-US: Reolink
CVE-2021-40403 (An information disclosure vulnerability exists in the pick-and-place r ...)
- gerbv 2.9.2-1
+ [bullseye] - gerbv <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1417
NOTE: https://github.com/gerbv/gerbv/issues/82
NOTE: Fixed by: https://github.com/gerbv/gerbv/commit/c32c6f9c0b5d3b0ecc33de21d8532de6c2df5878 (v2.9.1-rc.1)
=====================================
data/dsa-needed.txt
=====================================
@@ -24,6 +24,8 @@ expat
--
fish (aron)
--
+gerbv
+--
gdal
--
linux (carnil)
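Review bot: the new `gerbv` entry is inserted between `fish (aron)` and `gdal`, which breaks the alphabetical order the list otherwise keeps (`gdal` sorts before `gerbv`), so it should move one slot down; also, the only gerbv change in this commit (CVE-2021-40403 in data/CVE/list) marks bullseye as `<no-dsa> (Minor issue)`, so the dsa-needed entry should name which CVE(s) the DSA is meant to cover to avoid reading as a contradiction.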
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9ae6ff53492c18b23e97b41cd9c941f84a1f1ea