[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Mar 1 16:43:49 GMT 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7bf7f45d by Moritz Muehlenhoff at 2023-03-01T17:41:58+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -13589,6 +13589,8 @@ CVE-2010-10003 (A vulnerability classified as critical was found in gesellix tit
 	NOT-FOR-US: gesellix titlelink
 CVE-2023-22602 (When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+,  ...)
 	- shiro <unfixed> (bug #1029039)
+	[bookworm] - shiro <no-dsa> (Minor issue)
+	[bullseye] - shiro <no-dsa> (Minor issue)
 	NOTE: https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl
 CVE-2023-22601 (InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRo ...)
 	NOT-FOR-US: InHand Networks InRouter
@@ -19254,8 +19256,11 @@ CVE-2022-47017
 CVE-2022-47016
 	REJECTED
 CVE-2022-47015 (MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of S ...)
+	- mariadb
+	[bookworm] - mariadb <postponed> (Minor issue, wait for next point release)
 	- mariadb-10.6 <unfixed>
 	- mariadb-10.5 <removed>
+	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue)
 	- mariadb-10.3 <removed>
 	NOTE: https://jira.mariadb.org/browse/MDEV-29644
 CVE-2022-47014
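Review bot: the added `- mariadb` line carries neither a fixed version nor a status marker, while the lines beside it use `<unfixed>` and `<removed>` explicitly; if mariadb in unstable is still affected it should read `- mariadb <unfixed>` (matching `- mariadb-10.6 <unfixed>`), and if it is fixed the fixing version should be given, so that the bookworm and bullseye status can be derived by version comparison instead of resting only on the `[bookworm] - mariadb <postponed>` annotation.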
@@ -39937,6 +39942,8 @@ CVE-2022-40665
 	REJECTED
 CVE-2022-40664 (Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shi ...)
 	- shiro <unfixed> (bug #1021671)
+	[bookworm] - shiro <no-dsa> (Minor issue)
+	[bullseye] - shiro <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/10/12/1
 CVE-2022-40663 (This vulnerability allows remote attackers to execute arbitrary code o ...)
 	NOT-FOR-US: NIKON
@@ -40965,6 +40972,7 @@ CVE-2022-3168
 	NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5
 CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...)
 	- openvswitch <unfixed> (bug #1021740)
+	[bookworm] - openvswitch <no-dsa> (Minor issue)
 	[bullseye] - openvswitch <no-dsa> (Minor issue)
 	[buster] - openvswitch <no-dsa> (Minor issue)
 	NOTE: https://arxiv.org/abs/2011.09107
@@ -48826,7 +48834,7 @@ CVE-2022-37396 (In JetBrains Rider before 2022.2 Trust and Open Project dialog c
 CVE-2022-37395 (A Huawei device has an input verification vulnerability. Successful ex ...)
 	NOT-FOR-US: Huawei
 CVE-2022-37394 (An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 2 ...)
-	- nova <unfixed> (bug #1016980)
+	- nova 2:26.0.0-1 (bug #1016980)
 	[bullseye] - nova <no-dsa> (Minor issue)
 	[buster] - nova <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/ossa/+bug/1981813
@@ -61792,6 +61800,7 @@ CVE-2022-32533 (** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not suffi
 	NOT-FOR-US: Apache Portals Jetspeed
 CVE-2022-32532 (Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured  ...)
 	- shiro <unfixed> (bug #1014820)
+	[bookworm] - shiro <no-dsa> (Minor issue)
 	[bullseye] - shiro <no-dsa> (Minor issue)
 	[buster] - shiro <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/06/28/2
@@ -88497,7 +88506,7 @@ CVE-2022-23838
 	RESERVED
 CVE-2022-23837 (In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the ...)
 	{DLA-2943-1}
-	- ruby-sidekiq <unfixed> (bug #1004193)
+	- ruby-sidekiq 6.4.1+dfsg-1 (bug #1004193)
 	[bullseye] - ruby-sidekiq <no-dsa> (Minor issue)
 	NOTE: https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956 (v6.4.0)
 CVE-2022-23836
@@ -112052,6 +112061,7 @@ CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification o
 	NOTE: https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884 (v0.11.8)
 CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a ...)
 	- shiro <unfixed> (bug #1014819)
+	[bookworm] - shiro <no-dsa> (Minor issue)
 	[bullseye] - shiro <no-dsa> (Minor issue)
 	[buster] - shiro <no-dsa> (Minor issue)
 	[stretch] - shiro <no-dsa> (Minor issue)
@@ -129211,6 +129221,7 @@ CVE-2021-34435 (In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension al
 	NOT-FOR-US: Eclipse Theia
 CVE-2021-34434 (In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic se ...)
 	- mosquitto <unfixed> (bug #993400)
+	[bookworm] - mosquitto <no-dsa> (Minor issue)
 	[bullseye] - mosquitto <no-dsa> (Minor issue)
 	[buster] - mosquitto <not-affected> (Vulnerable code introduced later)
 	[stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
@@ -130716,6 +130727,7 @@ CVE-2021-3576 (Execution with Unnecessary Privileges vulnerability in Bitdefende
 	NOT-FOR-US: Bitdefender
 CVE-2021-3575 (A heap-based buffer overflow was found in openjpeg in color.c:379:42 i ...)
 	- openjpeg2 <unfixed> (bug #989775)
+	[bookworm] - openjpeg2 <no-dsa> (Minor issue)
 	[bullseye] - openjpeg2 <no-dsa> (Minor issue)
 	[buster] - openjpeg2 <no-dsa> (Minor issue)
 	[stretch] - openjpeg2 <no-dsa> (Minor issue)
@@ -131487,7 +131499,7 @@ CVE-2021-33517
 	RESERVED
 CVE-2021-33516 (An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x befo ...)
 	[experimental] - gupnp 1.2.7-1
-	- gupnp <unfixed> (bug #989098)
+	- gupnp 1.4.0-2 (bug #989098)
 	[bullseye] - gupnp <no-dsa> (Minor issue)
 	[buster] - gupnp <no-dsa> (Minor issue)
 	[stretch] - gupnp <no-dsa> (Minor issue)
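Review bot: with unstable now recorded as fixed in `gupnp 1.4.0-2`, the remaining `[experimental] - gupnp 1.2.7-1` line looks stale, since that older experimental upload is superseded by the unstable version; consider dropping it so the entry does not suggest experimental still needs separate tracking.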
@@ -140646,7 +140658,7 @@ CVE-2021-30152 (An issue was discovered in MediaWiki before 1.31.13 and 1.32.x t
 	NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html
 CVE-2021-30151 (Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue n ...)
 	{DLA-2943-1}
-	- ruby-sidekiq <unfixed> (bug #987354)
+	- ruby-sidekiq 6.3.1+dfsg-1 (bug #987354)
 	[bullseye] - ruby-sidekiq <no-dsa> (Minor issue)
 	[buster] - ruby-sidekiq <no-dsa> (Minor issue)
 	NOTE: https://github.com/mperham/sidekiq/issues/4852
@@ -156455,6 +156467,7 @@ CVE-2021-23798
 	RESERVED
 CVE-2021-23797 (All versions of package http-server-node are vulnerable to Directory T ...)
 	- node-http-server <unfixed> (bug #1031301)
+	[bookworm] - node-http-server <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-HTTPSERVERNODE-1727656
 CVE-2021-23796
 	RESERVED
@@ -186892,6 +186905,7 @@ CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure w
 	NOT-FOR-US: TweetStream
 CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation allow ...)
 	- ruby-twitter-stream <unfixed> (bug #988733)
+	[bookworm] - ruby-twitter-stream <no-dsa> (Minor issue)
 	[bullseye] - ruby-twitter-stream <no-dsa> (Minor issue)
 	[buster] - ruby-twitter-stream <no-dsa> (Minor issue)
 	[stretch] - ruby-twitter-stream <no-dsa> (Minor issue)
@@ -206752,6 +206766,7 @@ CVE-2020-15354
 	REJECTED
 CVE-2013-7489 (The Beaker library through 1.11.0 for Python is affected by deserializ ...)
 	- beaker <unfixed> (bug #966197)
+	[bookworm] - beaker <no-dsa> (Minor issue)
 	[bullseye] - beaker <no-dsa> (Minor issue)
 	[buster] - beaker <no-dsa> (Minor issue)
 	[stretch] - beaker <no-dsa> (Minor issue)
@@ -220957,6 +220972,7 @@ CVE-2020-10694
 	REJECTED
 CVE-2020-10693 (A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in  ...)
 	- libhibernate-validator-java <unfixed> (bug #988946)
+	[bookworm] - libhibernate-validator-java <no-dsa> (Minor issue)
 	[bullseye] - libhibernate-validator-java <no-dsa> (Minor issue)
 	[buster] - libhibernate-validator-java <not-affected> (EL support added in 5.x)
 	[stretch] - libhibernate-validator-java <not-affected> (EL support added in 5.x)
@@ -274780,6 +274796,7 @@ CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions befo
 	NOTE: https://github.com/dojo/dojox/pull/315
 CVE-2019-10784 (phppgadmin through 7.12.1 allows sensitive actions to be performed wit ...)
 	- phppgadmin <unfixed> (bug #953945)
+	[bookworm] - phppgadmin <no-dsa> (Minor issue)
 	[bullseye] - phppgadmin <no-dsa> (Minor issue)
 	[buster] - phppgadmin <no-dsa> (Minor issue)
 	[stretch] - phppgadmin <no-dsa> (Minor issue)
@@ -276198,6 +276215,7 @@ CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to
 	[stretch] - linux 4.9.210-1
 CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml validat ...)
 	- libhibernate-validator-java <unfixed> (bug #948235)
+	[bookworm] - libhibernate-validator-java <no-dsa> (Minor issue)
 	[bullseye] - libhibernate-validator-java <no-dsa> (Minor issue)
 	[buster] - libhibernate-validator-java <not-affected> (Vulnerable code was introduced later)
 	[stretch] - libhibernate-validator-java <not-affected> (Vulnerable code was introduced later)
@@ -286133,6 +286151,7 @@ CVE-2019-6989 (TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow,
 	NOT-FOR-US: TP-Link
 CVE-2019-6988 (An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers  ...)
 	- openjpeg2 <unfixed> (low; bug #922648)
+	[bookworm] - openjpeg2 <ignored> (Minor issue)
 	[bullseye] - openjpeg2 <ignored> (Minor issue)
 	[buster] - openjpeg2 <ignored> (Minor issue)
 	[stretch] - openjpeg2 <ignored> (Minor issue)
@@ -318430,7 +318449,8 @@ CVE-2018-14629 (A denial of service vulnerability was discovered in Samba's LDAP
 	NOTE: https://www.samba.org/samba/security/CVE-2018-14629.html
 CVE-2018-14628 (An information leak vulnerability was discovered in Samba's LDAP serve ...)
 	- samba <unfixed>
-	[bullseye] - samba <no-dsa> (Minor issue)
+	[bookworm] - samba <postponed> (Minor issue, revisit when fixed upstream)
+	[bullseye] - samba <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13595
 CVE-2018-14627 (The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not h ...)
 	- wildfly <itp> (bug #752018)
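Review bot: besides the new bookworm line, this hunk reclassifies bullseye from `<no-dsa> (Minor issue)` to `<postponed> (Minor issue, revisit when fixed upstream)`, a status change not covered by the commit subject "bookworm triage"; a brief mention in the commit message, or a NOTE next to the existing bugzilla link recording that upstream has not fixed it yet, would make the reason for the change recoverable later.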
@@ -320240,6 +320260,7 @@ CVE-2018-14029 (CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.
 	NOT-FOR-US: Creatiwity wityCMS
 CVE-2018-14028 (In WordPress 4.9.7, plugins uploaded via the admin area are not verifi ...)
 	- wordpress <unfixed> (bug #906565)
+	[bookworm] - wordpress <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - wordpress <postponed> (Minor issue, revisit when fixed upstream)
 	[buster] - wordpress <postponed> (Minor issue, revisit when fixed upstream)
 	[stretch] - wordpress <postponed> (Minor issue, no sanctioned patch)
@@ -364665,6 +364686,7 @@ CVE-2017-15638 (The SuSEfirewall2 package before 3.6.312-2.13.1 in SUSE Linux En
 	NOT-FOR-US: SuSEfirewall2 in SUSE
 CVE-2012-6707 (WordPress through 4.8.2 uses a weak MD5-based password hashing algorit ...)
 	- wordpress <unfixed> (bug #880868)
+	[bookworm] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
 	[bullseye] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
 	[buster] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
 	[stretch] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
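Review bot: the new `[bookworm]` line copies the wording "can be revisited with upstream has picked a new hashing solution" from the older annotations, which reads as a slip for "once upstream has picked"; since the same text now appears four times, correcting it in all four lines in a follow-up would keep the annotations consistent and readable.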



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bf7f45df05b62e83e2ec4c35e66d75ef3774337


