[Git][security-tracker-team/security-tracker][master] mark spring-java issues as unimportant following latest upload to sid which...
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Mar 1 14:50:00 GMT 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ed3369d5 by Moritz Muehlenhoff at 2023-03-01T15:49:09+01:00
mark spring-java issues as unimportant following latest upload to sid which adds README.Debian.security
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -91460,35 +91460,29 @@ CVE-2022-22973 (VMware Workspace ONE Access and Identity Manager contain a privi
CVE-2022-22972 (VMware Workspace ONE Access, Identity Manager and vRealize Automation ...)
NOT-FOR-US: VMware
CVE-2022-22971 (In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupp ...)
- - libspring-java <unfixed>
- [buster] - libspring-java <end-of-life> (No longer supported in LTS)
- [stretch] - libspring-java <end-of-life> (No longer supported in LTS)
+ - libspring-java <unfixed> (unimportant)
NOTE: https://tanzu.vmware.com/security/cve-2022-22971
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2022-22970 (In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupp ...)
- - libspring-java <unfixed>
- [buster] - libspring-java <end-of-life> (No longer supported in LTS)
- [stretch] - libspring-java <end-of-life> (No longer supported in LTS)
+ - libspring-java <unfixed> (unimportant)
NOTE: https://tanzu.vmware.com/security/cve-2022-22970
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2022-22969 (<Issue Description> Spring Security OAuth versions 2.5.x prior t ...)
NOT-FOR-US: spring-security-oauth
CVE-2022-22968 (In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older ...)
- - libspring-java <unfixed>
- [bullseye] - libspring-java <no-dsa> (Minor issue)
- [buster] - libspring-java <no-dsa> (Minor issue)
- [stretch] - libspring-java <end-of-life> (EOL'd for stretch)
+ - libspring-java <unfixed> (unimportant)
NOTE: https://tanzu.vmware.com/security/cve-2022-22968
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2022-22967 (An issue was discovered in SaltStack Salt in versions before 3002.9, 3 ...)
- salt <unfixed> (bug #1013872)
NOTE: https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/
CVE-2022-22966 (An authenticated, high privileged malicious actor with network access ...)
NOT-FOR-US: VMware
CVE-2022-22965 (A Spring MVC or Spring WebFlux application running on JDK 9+ may be vu ...)
- - libspring-java <unfixed>
- [bullseye] - libspring-java <no-dsa> (No reverse dependencies in the archive affected)
- [buster] - libspring-java <no-dsa> (No reverse dependencies in the archive affected)
- [stretch] - libspring-java <end-of-life> (EOL'd for stretch)
+ - libspring-java <unfixed> (unimportant)
NOTE: https://bugalert.org/content/notices/2022-03-30-spring.html
NOTE: https://tanzu.vmware.com/security/cve-2022-22965
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2022-22964 (VMware Horizon Agent for Linux (prior to 22.x) contains a local privil ...)
NOT-FOR-US: VMware
CVE-2022-22963 (In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported v ...)
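Review bot: For CVE-2022-22965 the removed bullseye and buster lines carried a specific finding, "No reverse dependencies in the archive affected", and the added NOTE replaces it with the generic support statement only. Consider keeping that finding as its own NOTE line, since it records that the archive's users of libspring-java were checked for this issue, which is separate from the package being supported for building only.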
@@ -91518,11 +91512,9 @@ CVE-2022-22952 (VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x pr
CVE-2022-22951 (VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to ...)
NOT-FOR-US: VMware
CVE-2022-22950 (n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versi ...)
- - libspring-java <unfixed>
- [bullseye] - libspring-java <no-dsa> (Minor issue)
- [buster] - libspring-java <no-dsa> (Minor issue)
- [stretch] - libspring-java <end-of-life> (EOL'd for stretch)
+ - libspring-java <unfixed> (unimportant)
NOTE: https://tanzu.vmware.com/security/cve-2022-22950
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2022-22949
RESERVED
CVE-2022-22948 (The vCenter Server contains an information disclosure vulnerability du ...)
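Review bot: The added NOTE under CVE-2022-22950 points to README.Debian.security without saying which libspring-java version ships it, while the commit message says the file arrives with the latest upload to sid. Naming that version in the NOTE (the same line is repeated in the other entries of this change) would let a reader on an older suite tell whether the installed package contains the file.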
@@ -160402,11 +160394,9 @@ CVE-2021-22098 (UAA server versions prior to 75.4.0 are vulnerable to an open re
CVE-2021-22097 (In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring ...)
NOT-FOR-US: Spring AMQP
CVE-2021-22096 (In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older ...)
- - libspring-java <unfixed>
- [bullseye] - libspring-java <no-dsa> (Minor issue)
- [buster] - libspring-java <no-dsa> (Minor issue)
- [stretch] - libspring-java <ignored> (Minor issue, no known patch)
+ - libspring-java <unfixed> (unimportant)
NOTE: https://github.com/spring-projects/spring-framework/issues/27647 (patch unidentifiable)
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2021-22095 (In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring ...)
NOT-FOR-US: Spring AMQP
CVE-2021-22094
@@ -160478,11 +160468,10 @@ CVE-2021-22062
CVE-2021-22061
RESERVED
CVE-2021-22060 (In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older ...)
- - libspring-java <unfixed>
- [buster] - libspring-java <end-of-life> (No longer supported in LTS)
- [stretch] - libspring-java <end-of-life> (EOL'd for stretch)
+ - libspring-java <unfixed> (unimportant)
NOTE: follow-up to CVE-2021-22096
NOTE: https://tanzu.vmware.com/security/cve-2021-22060
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2021-22059
RESERVED
CVE-2021-22058
@@ -234151,11 +234140,10 @@ CVE-2020-5423 (CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable
CVE-2020-5422 (BOSH System Metrics Server releases prior to 0.1.0 exposed the UAA pas ...)
NOT-FOR-US: BOSH System Metrics Server
CVE-2020-5421 (In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5. ...)
- - libspring-java 4.3.30-1 (bug #973381)
- [buster] - libspring-java <no-dsa> (Minor issue)
- [stretch] - libspring-java <ignored> (Minor issue, no known patch)
+ - libspring-java 4.3.30-1 (unimportant; bug #973381)
NOTE: https://tanzu.vmware.com/security/cve-2020-5421
NOTE: https://github.com/spring-projects/spring-framework/issues/26821 (patch unidentifiable)
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2020-5420 (Cloud Foundry Routing (Gorouter) versions prior to 0.206.0 allow a mal ...)
NOT-FOR-US: Cloud Foundry
CVE-2020-5419 (RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific ...)
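Review bot: CVE-2020-5421 is the only entry in this change that carries a fixed version (4.3.30-1) instead of <unfixed>, yet the kept NOTE still says "(patch unidentifiable)" and the removed stretch line said "no known patch". With the per-suite lines gone, a short NOTE explaining how 4.3.30-1 relates to the unidentified patch would keep the entry self-explanatory.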
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed3369d564497b49fc8c55adab86ae7391ead399