[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Mar 1 16:05:56 GMT 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
527ea393 by Moritz Muehlenhoff at 2023-03-01T17:02:38+01:00
bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -22749,14 +22749,17 @@ CVE-2022-45887 (An issue was discovered in the Linux kernel through 6.0.9. drive
- linux <unfixed>
NOTE: https://lore.kernel.org/linux-media/20221115131822.6640-5-imv4bel@gmail.com/
CVE-2022-45886 (An issue was discovered in the Linux kernel through 6.0.9. drivers/med ...)
- - linux <unfixed>
+ - linux <unfixed> (unimportant)
NOTE: https://lore.kernel.org/linux-media/20221115131822.6640-3-imv4bel@gmail.com/
+ NOTE: Negligible security impact, would need physical access to "exploit"
CVE-2022-45885 (An issue was discovered in the Linux kernel through 6.0.9. drivers/med ...)
- - linux <unfixed>
+ - linux <unfixed> (unimportant)
NOTE: https://lore.kernel.org/linux-media/20221115131822.6640-2-imv4bel@gmail.com/
+ NOTE: Negligible security impact, would need physical access to "exploit"
CVE-2022-45884 (An issue was discovered in the Linux kernel through 6.0.9. drivers/med ...)
- - linux <unfixed>
+ - linux <unfixed> (unimportant)
NOTE: https://lore.kernel.org/linux-media/20221115131822.6640-4-imv4bel@gmail.com/
+ NOTE: Negligible security impact, would need physical access to "exploit"
CVE-2022-45883
REJECTED
CVE-2022-45877 (OpenHarmony-v3.1.4 and prior versions had an vulnerability. PIN code i ...)
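Review bot: CVE-2022-45887 (the first context line of this hunk, linked to patch -5 of the same lore.kernel.org series) is left at `- linux <unfixed>` with no severity tag while its three siblings from that series are downgraded to `(unimportant)` with a "physical access" rationale. If the same reasoning applies, give it the same tag and NOTE; if it is deliberately kept at the default severity, a NOTE saying why would keep the entry from being re-triaged.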
@@ -79405,10 +79408,8 @@ CVE-2022-26637
CVE-2022-26636
RESERVED
CVE-2022-26635 (PHP-Memcached v2.2.0 and below contains an improper NULL termination w ...)
- - php-memcached <unfixed> (bug #1009328)
- [bullseye] - php-memcached <no-dsa> (Minor issue)
- [buster] - php-memcached <no-dsa> (Minor issue)
- [stretch] - php-memcached <no-dsa> (Minor issue)
+ NOTE: Disputed issue, not considered a security issue by upstream:
+ NOTE: https://github.com/php-memcached-dev/php-memcached/issues/519#issuecomment-1259303434
NOTE: https://xhzeem.me/posts/Php5-memcached-Injection-Bypass/read/
NOTE: https://github.com/php-memcached-dev/php-memcached/issues/519
CVE-2022-26634 (HMA VPN v5.3.5913.0 contains an unquoted service path which allows att ...)
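Review bot: removing `- php-memcached <unfixed> (bug #1009328)` drops the only reference to the Debian bug, so the entry no longer records that a bug was filed or what should happen to it. Suggest keeping the bug number in the new NOTE, e.g. `NOTE: Disputed issue, not considered a security issue by upstream (bug #1009328):`, so the bug can be cross-referenced and closed consistently with the triage.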
@@ -86209,7 +86210,7 @@ CVE-2022-24331 (In JetBrains TeamCity before 2021.1.4, GitLab authentication imp
CVE-2022-24330 (In JetBrains TeamCity before 2021.2.1, a redirection to an external si ...)
NOT-FOR-US: JetBrains TeamCity
CVE-2022-24329 (In JetBrains Kotlin before 1.6.0, it was not possible to lock dependen ...)
- - kotlin <unfixed> (bug #1007243)
+ - kotlin <undetermined> (bug #1007243)
NOTE: https://blog.jetbrains.com/blog/2022/02/08/jetbrains-security-bulletin-q4-2021/
NOTE: https://youtrack.jetbrains.com/issue/KT-49449 (not public)
CVE-2022-24328 (In JetBrains Hub before 2021.1.13956, an unprivileged user could perfo ...)
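Review bot: the change from `<unfixed>` to `<undetermined>` carries no rationale, and the only reference NOTE is marked `(not public)`, so a later triager cannot tell whether the status means "upstream fix unknown" or "affected version range unknown". Suggest a one-line NOTE such as `NOTE: Affected code/fix cannot be verified, upstream issue is not public` next to the existing YouTrack link.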
@@ -113736,10 +113737,12 @@ CVE-2021-40649 (In Connx Version 6.2.0.1269 (20210623), a cookie can be issued b
NOT-FOR-US: Connx
CVE-2021-40648 (In man2html 1.6g, a filename can be created to overwrite the previous ...)
- man2html <unfixed> (bug #1021738)
+ [bookworm] - man2html <no-dsa> (Minor issue)
[bullseye] - man2html <no-dsa> (Minor issue)
NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933
CVE-2021-40647 (In man2html 1.6g, a specific string being read in from a file will ove ...)
- man2html <unfixed> (bug #1021738)
+ [bookworm] - man2html <no-dsa> (Minor issue)
[bullseye] - man2html <no-dsa> (Minor issue)
NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933
CVE-2021-40646
@@ -127791,6 +127794,7 @@ CVE-2021-35044
RESERVED
CVE-2021-35043 (OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using ...)
- libowasp-antisamy-java <unfixed> (bug #1014981)
+ [bookworm] - libowasp-antisamy-java <no-dsa> (Minor issue)
[bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
[buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
[stretch] - libowasp-antisamy-java <no-dsa> (Minor issue)
@@ -170346,7 +170350,7 @@ CVE-2020-29584
CVE-2020-29583 (Firmware version 4.60 of Zyxel USG devices contains an undocumented ac ...)
NOT-FOR-US: Zyxel
CVE-2020-29582 (In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for ...)
- - kotlin <unfixed> (bug #1001037)
+ - kotlin <undetermined> (bug #1001037)
NOTE: https://youtrack.jetbrains.com/issue/KT-42181 (not public)
CVE-2020-29581 (The official spiped docker images before 1.5-alpine contain a blank pa ...)
NOT-FOR-US: spiped Docker images
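Review bot: same point as for CVE-2022-24329 above: `<undetermined>` is set with no NOTE explaining why the status could not be resolved, and the only reference (KT-42181) is `(not public)`. Add a NOTE stating that the affected range and fix are unverifiable because the upstream issue is private, so the entry is not mistaken for an unfinished triage.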
@@ -305982,11 +305986,14 @@ CVE-2019-0188 (Apache Camel prior to 2.24.0 contains an XML external entity inje
NOT-FOR-US: Apache Camel
CVE-2019-0187 (Unauthenticated RCE is possible when JMeter is used in distributed mod ...)
- jakarta-jmeter <unfixed> (bug #1014709)
+ [bookworm] - jakarta-jmeter <no-dsa> (Minor issue)
[bullseye] - jakarta-jmeter <no-dsa> (Minor issue)
[buster] - jakarta-jmeter <no-dsa> (Minor issue)
[stretch] - jakarta-jmeter <no-dsa> (Minor issue)
[jessie] - jakarta-jmeter <no-dsa> (Minor issue)
NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=62743
+ NOTE: http://svn.apache.org/viewvc?rev=1841383&view=rev
+ NOTE: https://github.com/apache/jmeter/issues/4866
CVE-2019-0186 (The input fields of the Apache Pluto "Chat Room" demo portlet 3.0.0 an ...)
NOT-FOR-US: Apache Pluto "Chat Room" demo portlet
CVE-2018-19277 (securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypa ...)
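Review bot: the new `[bookworm] - jakarta-jmeter <no-dsa> (Minor issue)` line sits under a description that reads "Unauthenticated RCE is possible when JMeter is used in distributed mode", so the "Minor issue" rationale is not self-evident from the entry. A short NOTE giving the reason (for example that it only applies to the distributed/RMI mode, which is not the default deployment) would make the no-dsa decision reviewable. Separately, the added `NOTE: http://svn.apache.org/viewvc?rev=1841383&view=rev` should use `https://` like the other reference links in this file.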
@@ -356128,6 +356135,7 @@ CVE-2018-1298 (A Denial of Service vulnerability was found in Apache Qpid Broker
NOTE: https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=4b9fb37
CVE-2018-1297 (When using Distributed Test only (RMI based), Apache JMeter 2.x and 3. ...)
- jakarta-jmeter <unfixed> (low; bug #897259)
+ [bookworm] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
[bullseye] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
[buster] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
[stretch] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
@@ -356135,6 +356143,7 @@ CVE-2018-1297 (When using Distributed Test only (RMI based), Apache JMeter 2.x a
[wheezy] - jakarta-jmeter <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2018/02/11/1
NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
+ NOTE: https://github.com/apache/jmeter/issues/4677
CVE-2018-1296 (In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5 ...)
- hadoop <itp> (bug #793644)
CVE-2018-1295 (In Apache Ignite 2.3 or earlier, the serialization mechanism does not ...)
@@ -356157,6 +356166,7 @@ CVE-2018-1288 (In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.
- kafka <itp> (bug #786460)
CVE-2018-1287 (In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI ba ...)
- jakarta-jmeter <unfixed> (low; bug #1014709)
+ [bookworm] - jakarta-jmeter <no-dsa> (Minor issue)
[bullseye] - jakarta-jmeter <no-dsa> (Minor issue)
[buster] - jakarta-jmeter <no-dsa> (Minor issue)
[stretch] - jakarta-jmeter <no-dsa> (Minor issue)
@@ -356164,6 +356174,7 @@ CVE-2018-1287 (In Apache JMeter 2.X and 3.X, when using Distributed Test only (R
[wheezy] - jakarta-jmeter <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2018/02/11/2
NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
+ NOTE: https://github.com/apache/jmeter/issues/4677
CVE-2018-1286 (In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged us ...)
NOT-FOR-US: Apache OpenMeetings
CVE-2018-1285 (Apache log4net versions before 2.0.10 do not disable XML external enti ...)
@@ -367500,6 +367511,7 @@ CVE-2017-14736
RESERVED
CVE-2017-14735 (OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstr ...)
- libowasp-antisamy-java <unfixed> (bug #1014981)
+ [bookworm] - libowasp-antisamy-java <no-dsa> (Minor issue)
[bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
[buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
[stretch] - libowasp-antisamy-java <no-dsa> (Minor issue)
@@ -401234,6 +401246,7 @@ CVE-2016-10007 (SQL injection vulnerability in the "Marketing > Forms" screen
NOT-FOR-US: dotCMS
CVE-2016-10006 (In OWASP AntiSamy before 1.5.5, by submitting a specially crafted inpu ...)
- libowasp-antisamy-java <unfixed> (bug #1014981)
+ [bookworm] - libowasp-antisamy-java <no-dsa> (Minor issue)
[bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
[buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
[stretch] - libowasp-antisamy-java <no-dsa> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/527ea393d46cd968b8023b389a918365019d0074