[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Jan 26 12:06:45 GMT 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c8516a5c by Moritz Muehlenhoff at 2023-01-26T13:05:59+01:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -11301,6 +11301,7 @@ CVE-2022-47017
 	RESERVED
 CVE-2022-47016 (A null pointer dereference issue was discovered in function window_pan ...)
 	- tmux <unfixed>
+	[bullseye] - tmux <no-dsa> (Minor issue)
 	NOTE: https://github.com/tmux/tmux/issues/3312
 	NOTE: https://github.com/tmux/tmux/issues/3447
 	NOTE: https://github.com/tmux/tmux/commit/e86752820993a00e3d28350cbe46878ba95d9012
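Review bot: the added `[bullseye] - tmux <no-dsa> (Minor issue)` line is consistent with the severity stated, but the unstable entry above it still reads `- tmux <unfixed>` while the third NOTE points at an upstream fix commit (e86752820993a00e3d28350cbe46878ba95d9012); once that commit is in a Debian upload, the `<unfixed>` marker should be replaced with the fixed version so the entry does not keep showing as open in unstable.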
@@ -23899,10 +23900,14 @@ CVE-2022-43592 (An information disclosure vulnerability exists in the DPXOutput:
 	- openimageio <unfixed> (bug #1027143)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1651
 CVE-2022-43591 (A buffer overflow vulnerability exists in the QML QtScript Reflect API ...)
-	- qt6-declarative <unfixed>
-	- qtdeclarative-opensource-src <undetermined>
-	- qtdeclarative-opensource-src-gles <undetermined>
+	- qt6-declarative 6.4.2+dfsg~rc1-2 (unimportant)
+	- qtdeclarative-opensource-src <unfixed> (unimportant)
+	- qtdeclarative-opensource-src-gles <unfixed> (unimportant)
+	NOTE: Not considered a security issue, QML only supported from a trusted source
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1650
+	NOTE: https://www.qt.io/blog/regarding-recent-reported-security-vulnerabilities-from-cisco-talos
+	NOTE: https://bugreports.qt.io/browse/QTBUG-107619
+	NOTE: https://codereview.qt-project.org/c/qt/qtdeclarative/+/437789
 CVE-2022-43590 (A null pointer dereference vulnerability exists in the handle_ioctl_0x ...)
 	NOT-FOR-US: Callback technologies CBFS Filter
 CVE-2022-43589 (A null pointer dereference vulnerability exists in the handle_ioctl_83 ...)
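Review bot: the fixed version `6.4.2+dfsg~rc1-2` for qt6-declarative implies that the change in the last NOTE (codereview 437789) is contained in that upload, but nothing in the entry says so; a short NOTE naming the Debian changelog or upload that picked up the fix would make the version claim checkable. The `(unimportant)` rating on the two qtdeclarative-opensource-src lines is justified by the new "QML only supported from a trusted source" NOTE, so moving them from `<undetermined>` to `<unfixed>` reads correctly.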
@@ -30667,10 +30672,14 @@ CVE-2022-41141
 CVE-2022-41140
 	RESERVED
 CVE-2022-40983 (An integer overflow vulnerability exists in the QML QtScript Reflect A ...)
-	- qt6-declarative <unfixed>
-	- qtdeclarative-opensource-src <undetermined>
-	- qtdeclarative-opensource-src-gles <undetermined>
-	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1617
+	- qt6-declarative 6.4.2+dfsg~rc1-2 (unimportant)
+	- qtdeclarative-opensource-src <unfixed> (unimportant)
+	- qtdeclarative-opensource-src-gles <unfixed> (unimportant)
+	NOTE: Not considered a security issue, QML only supported from a trusted source
+	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1650
+	NOTE: https://www.qt.io/blog/regarding-recent-reported-security-vulnerabilities-from-cisco-talos
+	NOTE: https://bugreports.qt.io/browse/QTBUG-107619
+	NOTE: https://codereview.qt-project.org/c/qt/qtdeclarative/+/437921
 CVE-2022-40693
 	RESERVED
 CVE-2022-41222 (mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via ...)
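Review bot: the removed NOTE `https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1617` is replaced by TALOS-2022-1650, which is the report already cited for CVE-2022-43591 in the previous hunk; this looks like a copy-paste slip from that entry, since the codereview link (437921 here vs 437789 there) was adapted but the Talos reference was not. Restore the TALOS-2022-1617 reference for CVE-2022-40983 so the entry points at the report describing this integer overflow rather than the Reflect API buffer overflow.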
@@ -33045,6 +33054,7 @@ CVE-2022-40153
 	REJECTED
 CVE-2022-40152 (Those using Woodstox to parse XML data may be vulnerable to Denial of  ...)
 	- libwoodstox-java <unfixed>
+	[bullseye] - libwoodstox-java <no-dsa> (Minor issue)
 	NOTE: https://github.com/x-stream/xstream/issues/304
 	NOTE: https://github.com/advisories/GHSA-3f7h-mf4q-vrm4
 CVE-2022-40151 (Those using Xstream to seralize XML data may be vulnerable to Denial o ...)
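Review bot: the new `[bullseye] - libwoodstox-java <no-dsa> (Minor issue)` line leaves sid at `<unfixed>` while both NOTEs point at the xstream issue tracker and a GHSA advisory rather than at Woodstox itself; adding a NOTE with the upstream Woodstox issue or fix, or a `(bug #...)` reference as used for openimageio earlier in this file, would make clear whether a fix is available to close the `<unfixed>` state.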


=====================================
data/dsa-needed.txt
=====================================
@@ -12,10 +12,10 @@ To pick an issue, simply add your uid behind it.
 If needed, specify the release by adding a slash after the name of the source package.
 
 --
-bind9
+bind9 (jmm)
   Maintainer uploaded bullseye-security update
 --
-chromium
+chromium (jmm)
 --
 curl (jmm)
   Team asked maintainer to prepare updates
@@ -27,6 +27,8 @@ git (aron)
 jupyter-core
   Maintainer asked for availability to prepare updates
 --
+libde265
+--
 libhtml-stripscripts-perl (carnil)
 --
 linux (carnil)
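Review bot: the new `libde265` entry carries no status line, whereas neighbouring entries do (e.g. `Maintainer asked for availability to prepare updates` under jupyter-core); a one-line status or the CVE ids it covers would help whoever picks it up.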
@@ -43,7 +45,7 @@ openjdk-11 (jmm)
 --
 openjdk-17 (jmm)
 --
-php-cas (jmm)
+php-cas
 --
 php-horde-mime-viewer
 --
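Review bot: dropping `(jmm)` from php-cas returns it to the unclaimed pool without any status line; a short note on why it was handed back (waiting on the maintainer, for instance) would save the next person repeating the triage.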



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8516a5c66faf2d9238e807e4879c611e8462fdb


