[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Feb 21 18:44:27 GMT 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
755f3d05 by Moritz Muehlenhoff at 2023-02-21T19:44:10+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -66583,6 +66583,7 @@ CVE-2022-29979 (Simple Client Management System 1.0 is vulnerable to SQL Injecti
 	NOT-FOR-US: Sourcecodester Simple Client Management System
 CVE-2022-29978 (There is a floating point exception error in sixel_encoder_do_resize,  ...)
 	- libsixel <unfixed> (bug #1014527)
+	[bookworm] - libsixel <no-dsa> (Minor issue)
 	[bullseye] - libsixel <no-dsa> (Minor issue)
 	[buster] - libsixel <no-dsa> (Minor issue)
 	[stretch] - libsixel <no-dsa> (Minor issue)
@@ -66590,6 +66591,7 @@ CVE-2022-29978 (There is a floating point exception error in sixel_encoder_do_re
 	NOTE: Previously also reported in https://github.com/saitoha/libsixel/issues/166
 CVE-2022-29977 (There is an assertion failure error in stbi__jpeg_huff_decode, stb_ima ...)
 	- libsixel <unfixed> (bug #1014526)
+	[bookworm] - libsixel <no-dsa> (Minor issue)
 	[bullseye] - libsixel <no-dsa> (Minor issue)
 	[buster] - libsixel <no-dsa> (Minor issue)
 	[stretch] - libsixel <no-dsa> (Minor issue)
@@ -79987,6 +79989,7 @@ CVE-2022-0684 (The WP Home Page Menu WordPress plugin before 3.1 does not saniti
 	NOT-FOR-US: WordPress plugin
 CVE-2021-46700 (In libsixel 1.8.6, sixel_encoder_output_without_macro (called from six ...)
 	- libsixel <unfixed> (bug #1014469)
+	[bookworm] - libsixel <no-dsa> (Minor issue)
 	[bullseye] - libsixel <no-dsa> (Minor issue)
 	[buster] - libsixel <no-dsa> (Minor issue)
 	[stretch] - libsixel <no-dsa> (Minor issue)
@@ -108120,12 +108123,14 @@ CVE-2021-41738 (ZeroShell 3.9.5 has a command injection vulnerability in /cgi-bi
 CVE-2021-41737
 	RESERVED
 	- faust <unfixed> (bug #1014783)
+	[bookworm] - faust <no-dsa> (Minor issue)
 	[bullseye] - faust <no-dsa> (Minor issue)
 	[buster] - faust <no-dsa> (Minor issue)
 	[stretch] - faust <postponed> (Minor issue, no patch/acknowledgment yet)
 	NOTE: https://github.com/grame-cncm/faust/issues/653
 CVE-2021-41736 (Faust v2.35.0 was discovered to contain a heap-buffer overflow in the  ...)
 	- faust <unfixed> (bug #1014783)
+	[bookworm] - faust <no-dsa> (Minor issue)
 	[bullseye] - faust <no-dsa> (Minor issue)
 	[buster] - faust <no-dsa> (Minor issue)
 	[stretch] - faust <postponed> (Minor issue, no patch/acknowledgment yet)
@@ -115981,6 +115986,7 @@ CVE-2021-38577
 	REJECTED
 CVE-2021-38576 (A BIOS bug in firmware for a particular PC model leaves the Platform a ...)
 	- edk2 <unfixed> (bug #1014468)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
 	[bullseye] - edk2 <no-dsa> (Minor issue)
 	[buster] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3499 (private)
@@ -136920,24 +136926,28 @@ CVE-2021-30473 (aom_image.c in libaom in AOMedia before 2021-04-07 frees memory
 	NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2998
 CVE-2021-30472 (A flaw was found in PoDoFo 0.9.7. A stack-based buffer overflow in Pdf ...)
 	- libpodofo <unfixed> (bug #986794)
+	[bookworm] - libpodofo <no-dsa> (Minor issue)
 	[bullseye] - libpodofo <no-dsa> (Minor issue)
 	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://sourceforge.net/p/podofo/tickets/132/
 CVE-2021-30471 (A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call in Pd ...)
 	- libpodofo <unfixed> (bug #986793)
+	[bookworm] - libpodofo <no-dsa> (Minor issue)
 	[bullseye] - libpodofo <no-dsa> (Minor issue)
 	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://sourceforge.net/p/podofo/tickets/131/
 CVE-2021-30470 (A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call among ...)
 	- libpodofo <unfixed> (bug #986792)
+	[bookworm] - libpodofo <no-dsa> (Minor issue)
 	[bullseye] - libpodofo <no-dsa> (Minor issue)
 	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://sourceforge.net/p/podofo/tickets/130/
 CVE-2021-30469 (A flaw was found in PoDoFo 0.9.7. An use-after-free in PoDoFo::PdfVecO ...)
 	- libpodofo <unfixed> (bug #986791)
+	[bookworm] - libpodofo <no-dsa> (Minor issue)
 	[bullseye] - libpodofo <no-dsa> (Minor issue)
 	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <postponed> (Minor issue; can be fixed in next update)
@@ -143459,6 +143469,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an
 	NOTE: https://github.com/golang/go/issues/44913
 CVE-2021-3420 (A flaw was found in newlib in versions prior to 4.0.0. Improper overfl ...)
 	- newlib <unfixed> (bug #984446)
+	[bookworm] - newlib <no-dsa> (Minor issue)
 	[bullseye] - newlib <no-dsa> (Minor issue)
 	[buster] - newlib <no-dsa> (Minor issue)
 	[stretch] - newlib <no-dsa> (Minor issue)
@@ -180510,6 +180521,7 @@ CVE-2020-25744 (SaferVPN before 5.0.3.3 on Windows could allow low-privileged us
 	NOT-FOR-US: SaferVPN
 CVE-2020-25743 (hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereferen ...)
 	- qemu <unfixed> (bug #970940)
+	[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
 	[buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html
@@ -180517,6 +180529,7 @@ CVE-2020-25743 (hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer der
 	NOTE: No sanctioned upstream patch as of 2022-11-08
 CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL p ...)
 	- qemu <unfixed> (bug #971390)
+	[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
 	[buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05294.html
@@ -180524,6 +180537,7 @@ CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a
 	NOTE: No sanctioned upstream patch as of 2022-11-08
 CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer d ...)
 	- qemu <unfixed> (bug #970939)
+	[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
 	[buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html
@@ -180894,6 +180908,7 @@ CVE-2020-25659 (python-cryptography 3.2 is vulnerable to Bleichenbacher timing a
 	NOTE: https://github.com/pyca/cryptography/commit/58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494 (3.2)
 CVE-2020-25658 (It was found that python-rsa is vulnerable to Bleichenbacher timing at ...)
 	- python-rsa <unfixed> (bug #974685)
+	[bookworm] - python-rsa <no-dsa> (Minor issue)
 	[bullseye] - python-rsa <no-dsa> (Minor issue)
 	[buster] - python-rsa <no-dsa> (Minor issue)
 	[stretch] - python-rsa <no-dsa> (Minor issue)
@@ -195577,6 +195592,7 @@ CVE-2020-18972 (Exposure of Sensitive Information to an Unauthorized Actor in Po
 	NOTE: Negligible security impact
 CVE-2020-18971 (Stack-based Buffer Overflow in PoDoFo v0.9.6 allows attackers to cause ...)
 	- libpodofo <unfixed> (bug #1014858)
+	[bookworm] - libpodofo <no-dsa> (Minor issue)
 	[bullseye] - libpodofo <no-dsa> (Minor issue)
 	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <postponed> (Minor issue; can be fixed in next update)
@@ -236678,7 +236694,8 @@ CVE-2019-19815 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem i
 	[stretch] - linux 4.9.184-1
 CVE-2019-19814 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...)
 	- linux <unfixed>
-	[bullseye] - linux <no-dsa> (Minor issue)
+	[bookworm] - linux <no-dsa> (Minor issue, no upstream fix available)
+	[bullseye] - linux <no-dsa> (Minor issue, no upstream fix available)
 	[buster] - linux <no-dsa> (Minor issue)
 	[stretch] - linux <ignored> (Minor issue; f2fs is not supportable)
 CVE-2019-19813 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, ...)
@@ -259584,6 +259601,7 @@ CVE-2019-14561
 CVE-2019-14560 [GetEfiGlobalVariable2() return value not checked]
 	RESERVED
 	- edk2 <unfixed> (bug #967994)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
 	[bullseye] - edk2 <no-dsa> (Minor issue)
 	[buster] - edk2 <no-dsa> (Minor issue)
 	[stretch] - edk2 <no-dsa> (Minor issue)
@@ -271989,6 +272007,7 @@ CVE-2019-10736
 	RESERVED
 CVE-2019-10735 (In Claws Mail 3.14.1, an attacker in possession of S/MIME or PGP encry ...)
 	- claws-mail <unfixed> (low; bug #926705)
+	[bookworm] - claws-mail <no-dsa> (Minor issue)
 	[bullseye] - claws-mail <no-dsa> (Minor issue)
 	[buster] - claws-mail <postponed> (Revisit when fixed upstream)
 	[stretch] - claws-mail <postponed> (Revisit when fixed upstream)
@@ -333312,6 +333331,7 @@ CVE-2018-8003 (Apache Ambari, versions 1.4.0 to 2.6.1, is susceptible to a direc
 	NOT-FOR-US: Apache Ambari
 CVE-2018-8002 (In PoDoFo 0.9.5, there exists an infinite loop vulnerability in PdfPar ...)
 	- libpodofo <unfixed> (low; bug #892557)
+	[bookworm] - libpodofo <no-dsa> (Minor issue)
 	[bullseye] - libpodofo <no-dsa> (Minor issue)
 	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/755f3d05e40df715d6066c174f4311689b5b566a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/755f3d05e40df715d6066c174f4311689b5b566a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230221/f5aba580/attachment-0001.htm>


More information about the debian-security-tracker-commits mailing list