[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Mar 14 15:30:06 GMT 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a1b5eb28 by Moritz Muehlenhoff at 2023-03-14T16:29:52+01:00
bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -557,6 +557,7 @@ CVE-2023-1351 (A vulnerability classified as critical has been found in SourceCo
NOT-FOR-US: SourceCodester Computer Parts Sales and Inventory System
CVE-2023-1350 (A vulnerability was found in liferea. It has been rated as critical. A ...)
- liferea 1.14.1-1 (bug #1032822)
+ [bullseye] - liferea <no-dsa> (Minor issue)
NOTE: Introduced by: https://github.com/lwindolf/liferea/commit/b8288389820a3f510ef4b21684b22439c41d95a5 (v1.12.0)
NOTE: introduced by: https://github.com/lwindolf/liferea/commit/b67dbba73443ab7b36fcd3c78aa803e974c0f23e (v1.12.0)
NOTE: Fixed by: https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59 (v1.14.1)
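Review bot: the two NOTE lines for the introducing commits use different prefixes ("Introduced by:" and "introduced by:", both tagged v1.12.0); normalize them to one spelling so the check-new-issues tooling and human readers treat them as a pair. The fix commit tag (v1.14.1) matches the sid fixed version 1.14.1-1, and since the vulnerable code dates from 1.12.0 the bullseye no-dsa tag is the right marker, but the CVE text calls this "critical" while the tag says "Minor issue"; a few words in a NOTE on what the bug actually is would make the downgrade auditable later.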
@@ -1003,6 +1004,7 @@ CVE-2023-1290 (A vulnerability, which was classified as critical, has been found
CVE-2023-1289
RESERVED
- imagemagick <unfixed>
+ [bullseye] - imagemagick <no-dsa> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr
NOTE: https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4
CVE-2023-1288 (An XML External Entity injection (XXE) vulnerability in ENOVIA Live Co ...)
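Review bot: the sid line `- imagemagick <unfixed>` carries no `(bug #…)` reference, unlike every other `<unfixed>` entry touched in this commit (the intel-microcode entries all cite bug #1031334); a bullseye `<no-dsa>` decision on an entry that is still RESERVED and unfixed in unstable should at least point at the Debian bug tracking the upstream fix commit c5b23cbf2119540725e6dc81f4deb25798ead6a4 so the no-dsa can be revisited when the description lands.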
@@ -2112,6 +2114,7 @@ CVE-2023-1176
RESERVED
CVE-2023-1175 (Incorrect Calculation of Buffer Size in GitHub repository vim/vim prio ...)
- vim 2:9.0.1378-1
+ [bullseye] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/7e93fc17-92eb-4ae7-b01a-93bb460b643e
NOTE: https://github.com/vim/vim/commit/c99cbf8f289bdda5d4a77d7ec415850a520330ba (v9.0.1378)
CVE-2022-4930 (A vulnerability classified as problematic was found in nuxsmin sysPass ...)
@@ -2245,9 +2248,10 @@ CVE-2023-1172
CVE-2023-1171
RESERVED
CVE-2023-1170 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...)
- - vim 2:9.0.1378-1
+ - vim 2:9.0.1378-1 (unimportant)
NOTE: https://huntr.dev/bounties/286e0090-e654-46d2-ac60-29f81799d0a4
NOTE: https://github.com/vim/vim/commit/1c73b65229c25e3c1fd8824ba958f7cc4d604f9c (v9.0.1376)
+ NOTE: Crash in CLI tool, no security impact
CVE-2023-1169
RESERVED
CVE-2015-10089 (A vulnerability classified as problematic has been found in flame.js. ...)
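Review bot: the `(unimportant)` severity is correctly placed on the sid line, where it applies tracker-wide, so no separate bullseye line is needed, and the added NOTE ("Crash in CLI tool, no security impact") is what makes that decision auditable. CVE-2023-1175 above, same package and same triage pass, instead gets `[bullseye] - vim <no-dsa> (Minor issue)` with no rationale line; either add a comparable NOTE there or say why the two vim issues are treated differently.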
@@ -7762,6 +7766,7 @@ CVE-2023-25567 (GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that imple
NOTE: https://github.com/gssapi/gss-ntlmssp/commit/025fbb756d44ffee8f847db4222ed6aa4bd1fbe4 (v1.2.0)
CVE-2023-25566 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implement ...)
- gss-ntlmssp 1.2.0-1 (bug #1031369)
+ [bullseye] - gss-ntlmssp <not-affected> (Vulnerable code not present)
NOTE: https://github.com/gssapi/gss-ntlmssp/security/advisories/GHSA-mfm4-6g58-jw74
NOTE: https://github.com/gssapi/gss-ntlmssp/commit/8660fb16474054e692a596e9c79670cd4d3954f4 (v1.2.0)
CVE-2023-25565 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implement ...)
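Review bot: `<not-affected> (Vulnerable code not present)` is a stronger claim than no-dsa and should be backed by a NOTE naming the upstream commit or version that introduced the vulnerable code, as the liferea entry in this same commit does with its "Introduced by:" lines; the only references here are the advisory and the fix commit 8660fb16474054e692a596e9c79670cd4d3954f4 (v1.2.0), which show where it was fixed but not that the bullseye version predates the bug.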
@@ -7770,6 +7775,7 @@ CVE-2023-25565 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that imp
NOTE: https://github.com/gssapi/gss-ntlmssp/commit/c16100f60907a2de92bcb676f303b81facee0f64 (v1.2.0)
CVE-2023-25564 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implement ...)
- gss-ntlmssp 1.2.0-1 (bug #1031369)
+ [bullseye] - gss-ntlmssp <not-affected> (Vulnerable code not present)
NOTE: https://github.com/gssapi/gss-ntlmssp/security/advisories/GHSA-r85x-q5px-9xfq
NOTE: https://github.com/gssapi/gss-ntlmssp/commit/c753000eb31835c0664e528fbc99378ae0cbe950 (v1.2.0)
CVE-2023-25563 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implement ...)
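Review bot: CVE-2023-25564 gets the same `<not-affected>` bullseye line as CVE-2023-25566, but the sibling entries visible in the context, CVE-2023-25567 and CVE-2023-25565 (same advisory batch, same v1.2.0 fix commits), receive no bullseye line in this commit. If their bullseye status was already set earlier this is fine; otherwise they need the same triage, and the "Vulnerable code not present" claim needs the same introducing-version NOTE asked for above.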
@@ -48847,6 +48853,7 @@ CVE-2022-38102
RESERVED
CVE-2022-38090 (Improper isolation of shared resources in some Intel(R) Processors whe ...)
- intel-microcode <unfixed> (bug #1031334)
+ [bullseye] - intel-microcode <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00767.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214
CVE-2022-38084
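Review bot: this and the following intel-microcode entries (CVE-2022-33196, CVE-2022-33972, CVE-2022-21216) all share bug #1031334 and the microcode-20230214 release, and all get the identical `<no-dsa> (Minor issue)` text while sid is still `<unfixed>`. The free text says nothing about how bullseye will receive the 20230214 update; stating the intended path (e.g. along with the next intel-microcode upload) in the tag rationale or a NOTE would let someone later tell a deliberate deferral from a forgotten one.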
@@ -54402,6 +54409,7 @@ CVE-2022-34657
RESERVED
CVE-2022-33196 (Incorrect default permissions in some memory controller configurations ...)
- intel-microcode <unfixed> (bug #1031334)
+ [bullseye] - intel-microcode <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00738.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214
CVE-2022-32570 (Improper authentication in the Intel(R) Quartus Prime Pro and Standard ...)
@@ -58463,6 +58471,7 @@ CVE-2022-34346 (Out-of-bounds read in the Intel(R) Media SDK software before ver
NOT-FOR-US: Intel
CVE-2022-33972 (Incorrect calculation in microcode keying mechanism for some 3rd Gener ...)
- intel-microcode <unfixed> (bug #1031334)
+ [bullseye] - intel-microcode <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00730.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214
CVE-2022-33197
@@ -106282,6 +106291,7 @@ CVE-2021-3961 (snipe-it is vulnerable to Improper Neutralization of Input During
- snipe-it <itp> (bug #1005172)
CVE-2022-21216 (Insufficient granularity of access control in out-of-band management i ...)
- intel-microcode <unfixed> (bug #1031334)
+ [bullseye] - intel-microcode <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00700.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214
CVE-2022-21204 (Improper permissions for Intel(R) Quartus(R) Prime Pro Edition before ...)
@@ -106297,6 +106307,7 @@ CVE-2022-21153 (Improper access control in the Intel(R) Capital Global Summit An
CVE-2022-21151 (Processor optimization removal or modification of security-critical co ...)
{DSA-5178-1}
- intel-microcode 3.20220510.1 (bug #1010947)
+ [bullseye] - intel-microcode <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00617.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220510
CVE-2022-21138
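Review bot: this entry already carries `{DSA-5178-1}` and a sid fixed version 3.20220510.1, so adding `[bullseye] - intel-microcode <no-dsa> (Minor issue)` reads as contradicting an issued DSA unless something remains unfixed after it. The same pattern repeats below for CVE-2022-21166, CVE-2022-21127, CVE-2022-21125 and CVE-2022-21123, which reference DSA-5184-1, DSA-5178-1, DSA-5173-1 and DLA-3065-1. A NOTE saying what the 20220510 DSA did not cover (and that the remainder is what is being deferred) would resolve the apparent conflict; otherwise the bullseye line looks redundant with the DSA record.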
@@ -106725,6 +106736,7 @@ CVE-2022-21180 (Improper input validation for some Intel(R) Processors may allow
CVE-2022-21166 (Incomplete cleanup in specific special register write operations for s ...)
{DSA-5184-1 DSA-5178-1 DSA-5173-1 DLA-3065-1}
- intel-microcode 3.20220510.1
+ [bullseye] - intel-microcode <no-dsa> (Minor issue)
- linux 5.18.5-1
[bullseye] - linux 5.10.127-1
- xen 4.16.2-1
@@ -106736,12 +106748,14 @@ CVE-2022-21166 (Incomplete cleanup in specific special register write operations
CVE-2022-21127 (Incomplete cleanup in specific special register read operations for so ...)
{DSA-5178-1}
- intel-microcode 3.20220510.1
+ [bullseye] - intel-microcode <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html
NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html#SRBDS-Update
NOTE: https://xenbits.xen.org/xsa/advisory-404.html
CVE-2022-21125 (Incomplete cleanup of microarchitectural fill buffers on some Intel(R) ...)
{DSA-5184-1 DSA-5178-1 DSA-5173-1 DLA-3065-1}
- intel-microcode 3.20220510.1
+ [bullseye] - intel-microcode <no-dsa> (Minor issue)
- linux 5.18.5-1
[bullseye] - linux 5.10.127-1
- xen 4.16.2-1
@@ -106753,6 +106767,7 @@ CVE-2022-21125 (Incomplete cleanup of microarchitectural fill buffers on some In
CVE-2022-21123 (Incomplete cleanup of multi-core shared buffers for some Intel(R) Proc ...)
{DSA-5184-1 DSA-5178-1 DSA-5173-1 DLA-3065-1}
- intel-microcode 3.20220510.1
+ [bullseye] - intel-microcode <no-dsa> (Minor issue)
- linux 5.18.5-1
[bullseye] - linux 5.10.127-1
- xen 4.16.2-1
=====================================
data/dsa-needed.txt
=====================================
@@ -26,6 +26,8 @@ linux (carnil)
netatalk
open regression with MacOS, tentative patch not yet merged upstream
--
+node-sqlite3 (jmm)
+--
nodejs (aron)
--
openimageio
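Review bot: node-sqlite3 is claimed here by jmm, but none of the data/CVE/list changes in this commit touch a node-sqlite3 entry, so a reader of dsa-needed.txt cannot tell which issue(s) the DSA is for. A short status line under the package, in the style of the netatalk entry above ("open regression with MacOS, tentative patch not yet merged upstream"), would tie the claim to the tracker entry.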
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1b5eb28454db6d688b0729f059177a02c40bb4e
--
You're receiving this email because of your account on salsa.debian.org.