[Git][security-tracker-team/security-tracker][master] new openssl issues
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Feb 7 16:37:55 GMT 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
18d017e4 by Moritz Muehlenhoff at 2023-02-07T17:37:32+01:00
new openssl issues
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4238,8 +4238,12 @@ CVE-2023-0403 (The Social Warfare plugin for WordPress is vulnerable to Cross-Si
NOT-FOR-US: Social Warfare plugin for WordPress
CVE-2023-0402 (The Social Warfare plugin for WordPress is vulnerable to authorization ...)
NOT-FOR-US: Social Warfare plugin for WordPress
-CVE-2023-0401
+CVE-2023-0401 [openssl: NULL dereference during PKCS7 data verification]
RESERVED
+ - openssl <unfixed>
+ [bullseye] - openssl <not-affected> (Only affects 3.x)
+ [buster] - openssl <not-affected> (Only affects 3.x)
+ NOTE: https://www.openssl.org/news/secadv/20230207.txt
CVE-2023-0400 (The protection bypass vulnerability in DLP for Windows 11.9.x is addre ...)
NOT-FOR-US: DLP for Windows
CVE-2023-0399
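Review bot: the `openssl <unfixed>` line carries no fixing version even though the NOTE already points at the upstream release advisory; once the 3.x upload that closes CVE-2023-0401 is known, replace `<unfixed>` with the fixing Debian version so the entry does not stay open after the fix lands. The `[bullseye]` and `[buster]` `<not-affected> (Only affects 3.x)` annotations are consistent with the bracketed description and with the other 3.x-only entries in this commit.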
@@ -5291,8 +5295,10 @@ CVE-2023-0288 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to
NOTE: Crash in CLI tool, no security impact
CVE-2023-0287 (A vulnerability was found in ityouknow favorites-web. It has been rate ...)
NOT-FOR-US: ityouknow favorites-web
-CVE-2023-0286
+CVE-2023-0286 [openssl: X.400 address type confusion in X.509 GeneralName]
RESERVED
+ - openssl <unfixed>
+ NOTE: https://www.openssl.org/news/secadv/20230207.txt
CVE-2023-0285
RESERVED
CVE-2023-0284 (Improper Input Validation of LDAP user IDs in Tribe29 Checkmk allows a ...)
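Review bot: CVE-2023-0286 has no `[bullseye]` or `[buster]` annotation, so, unlike CVE-2023-0401 above, stable and oldstable are tracked as affected by this X.400 address type confusion. That matches the `openssl (carnil)` line this commit adds to data/dsa-needed.txt, but it is worth confirming against the linked advisory that the 1.1.1 branch is listed as affected, since a missing `<not-affected>` line here looks the same as an entry that was never reviewed for older branches.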
@@ -6476,12 +6482,22 @@ CVE-2023-0219
RESERVED
CVE-2023-0218
RESERVED
-CVE-2023-0217
+CVE-2023-0217 [openssl: NULL dereference validating DSA public key]
RESERVED
-CVE-2023-0216
+ - openssl <unfixed>
+ [bullseye] - openssl <not-affected> (Only affects 3.x)
+ [buster] - openssl <not-affected> (Only affects 3.x)
+ NOTE: https://www.openssl.org/news/secadv/20230207.txt
+CVE-2023-0216 [openssl: Invalid pointer dereference in d2i_PKCS7 functions]
RESERVED
-CVE-2023-0215
+ - openssl <unfixed>
+ [bullseye] - openssl <not-affected> (Only affects 3.x)
+ [buster] - openssl <not-affected> (Only affects 3.x)
+ NOTE: https://www.openssl.org/news/secadv/20230207.txt
+CVE-2023-0215 [openssl: Use-after-free following BIO_new_NDEF]
RESERVED
+ - openssl <unfixed>
+ NOTE: https://www.openssl.org/news/secadv/20230207.txt
CVE-2023-0214 (A cross-site scripting vulnerability in Skyhigh SWG in main releases 1 ...)
NOT-FOR-US: Skyhigh SWG
CVE-2023-0213
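Review bot: of the three entries in this hunk, CVE-2023-0215 (use-after-free following BIO_new_NDEF) is the only one without the `[bullseye]` and `[buster]` `<not-affected> (Only affects 3.x)` lines that CVE-2023-0217 and CVE-2023-0216 carry. If that reflects the advisory (the issue also affecting the 1.1.1 branch) the omission is correct and the stable DSA must cover it; if not, add the same two annotations so the three entries stay consistent.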
@@ -13178,8 +13194,10 @@ CVE-2022-4452
RESERVED
CVE-2022-4451 (The Social Sharing WordPress plugin before 3.3.45 does not validate an ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4450
+CVE-2022-4450 [openssl: Double free after calling PEM_read_bio_ex]
RESERVED
+ - openssl <unfixed>
+ NOTE: https://www.openssl.org/news/secadv/20230207.txt
CVE-2022-4449 (The Page scroll to id WordPress plugin before 1.7.6 does not validate ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4448
@@ -15193,8 +15211,10 @@ CVE-2022-4306 (The Panda Pods Repeater Field WordPress plugin before 1.5.4 does
NOT-FOR-US: WordPress plugin
CVE-2022-4305 (The Login as User or Customer WordPress plugin before 3.3 lacks author ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4304
+CVE-2022-4304 [openssl: Timing Oracle in RSA Decryption]
RESERVED
+ - openssl <unfixed>
+ NOTE: https://www.openssl.org/news/secadv/20230207.txt
CVE-2022-4303 (The WP Limit Login Attempts WordPress plugin through 2.6.4 prioritizes ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4302 (The White Label CMS WordPress plugin before 2.5 unserializes user inpu ...)
@@ -16372,8 +16392,12 @@ CVE-2022-4205 (In Gitlab EE/CE before 15.6.1, 15.5.5 and 15.4.6 using a branch w
- gitlab <unfixed>
CVE-2022-4204
RESERVED
-CVE-2022-4203
+CVE-2022-4203 [openssl: X.509 Name Constraints Read Buffer Overflow]
RESERVED
+ - openssl <unfixed>
+ [bullseye] - openssl <not-affected> (Only affects 3.x)
+ [buster] - openssl <not-affected> (Only affects 3.x)
+ NOTE: https://www.openssl.org/news/secadv/20230207.txt
CVE-2022-4202 (A vulnerability, which was classified as problematic, was found in GPA ...)
- gpac <undetermined>
TODO: check details
=====================================
data/dsa-needed.txt
=====================================
@@ -43,6 +43,8 @@ php-horde-mime-viewer
--
php-horde-turba
--
+openssl (carnil)
+--
rails
--
ruby-nokogiri
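Review bot: the new `openssl (carnil)` entry does not say which of the seven CVEs in this commit the DSA is meant to cover. From data/CVE/list in the same commit, only the entries without `(Only affects 3.x)` annotations (CVE-2023-0286, CVE-2023-0215, CVE-2022-4450, CVE-2022-4304) apply to bullseye and buster; an indented NOTE line listing them under the package would make the scope of the DSA explicit for whoever picks it up.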
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18d017e414521e3c8675cd6d96708b235781cb52