diff options
| author | Moritz Muehlenhoff <jmm@debian.org> | 2022-03-21 15:52:46 +0100 |
|---|---|---|
| committer | Moritz Muehlenhoff <jmm@debian.org> | 2022-03-21 15:52:46 +0100 |
| commit | 1898dd4bab64bf390a47a72c3226eadc246e83ed (patch) | |
| tree | d3667b885e22d29da074ef909f267171144d3fe5 /data | |
| parent | 90efbc73c57eb15c5c39d554732f9c315adce4e3 (diff) | |
buster/bullseye triage
Diffstat (limited to 'data')
| -rw-r--r-- | data/CVE/list | 22 | ||||
| -rw-r--r-- | data/dsa-needed.txt | 4 |
2 files changed, 25 insertions, 1 deletions
diff --git a/data/CVE/list b/data/CVE/list index 5460b74f5f..fde62fb979 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -6029,11 +6029,13 @@ CVE-2022-25052 RESERVED CVE-2022-25051 (An Off-by-one Error occurs in cmr113_decode of rtl_433 21.12 when deco ...) - rtl-433 <unfixed> (bug #1008000) + [bullseye] - rtl-433 <no-dsa> (Minor issue) NOTE: https://github.com/merbanan/rtl_433/commit/2dad7b9fc67a1d0bfbe520fbd821678b8f8cc7a8 NOTE: https://github.com/merbanan/rtl_433/issues/1960 NOTE: https://huntr.dev/bounties/78eee103-bd61-4b4f-b054-04ad996b39e7/ CVE-2022-25050 (rtl_433 21.12 was discovered to contain a stack overflow in the functi ...) - rtl-433 <unfixed> (bug #1008000) + [bullseye] - rtl-433 <no-dsa> (Minor issue) NOTE: https://github.com/merbanan/rtl_433/commit/2dad7b9fc67a1d0bfbe520fbd821678b8f8cc7a8 NOTE: https://github.com/merbanan/rtl_433/issues/1960 NOTE: https://huntr.dev/bounties/6c9cd35f-a206-4fdf-b6d1-fcd50926c2d9/ @@ -7053,6 +7055,8 @@ CVE-2022-24669 RESERVED CVE-2022-0547 (OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass ...) - openvpn 2.5.6-1 (bug #1008015) + [bullseye] - openvpn <no-dsa> (Minor issue) + [buster] - openvpn <no-dsa> (Minor issue) NOTE: https://community.openvpn.net/openvpn/wiki/CVE-2022-0547 NOTE: https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131118dbbc39a65181e7847adee (v2.4.12) NOTE: https://github.com/OpenVPN/openvpn/commit/af3e382649d96ae77cc5e42be8270f355e5cfec5 (v2.5.6) @@ -9573,6 +9577,8 @@ CVE-2022-23944 (User can access /plugin api without authentication. This issue a NOT-FOR-US: Apache ShenYu Admin CVE-2022-23943 (Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server all ...) - apache2 2.4.53-1 + [bullseye] - apache2 <no-dsa> (Minor issue) + [buster] - apache2 <no-dsa> (Minor issue) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-23943 NOTE: Fixed by: https://svn.apache.org/r1898695 NOTE: Fixed by: https://svn.apache.org/r1898772 @@ -11261,6 +11267,8 @@ CVE-2022-23438 RESERVED CVE-2022-23437 (There's a vulnerability within the Apache Xerces Java (XercesJ) XML pa ...) - libxerces2-java <unfixed> + [bullseye] - libxerces2-java <postponed> (revisit when/if fix is complete) + [buster] - libxerces2-java <postponed> (revisit when/if fix is complete) [stretch] - libxerces2-java <postponed> (revisit when/if fix is complete) NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/3 CVE-2022-0311 (Heap buffer overflow in Task Manager in Google Chrome prior to 97.0.46 ...) @@ -14191,14 +14199,20 @@ CVE-2022-22722 (A CWE-798: Use of Hard-coded Credentials vulnerability exists th NOT-FOR-US: Schneider Electric CVE-2022-22721 (If LimitXMLRequestBody is set to allow request bodies larger than 350M ...) - apache2 2.4.53-1 + [bullseye] - apache2 <no-dsa> (Minor issue) + [buster] - apache2 <no-dsa> (Minor issue) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22721 NOTE: Fixed by: https://svn.apache.org/r1898693 CVE-2022-22720 (Apache HTTP Server 2.4.52 and earlier fails to close inbound connectio ...) - apache2 2.4.53-1 + [bullseye] - apache2 <no-dsa> (Minor issue) + [buster] - apache2 <no-dsa> (Minor issue) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22720 NOTE: Fixed by: https://svn.apache.org/r1898692 CVE-2022-22719 (A carefully crafted request body can cause a read to a random memory a ...) - apache2 2.4.53-1 + [bullseye] - apache2 <no-dsa> (Minor issue) + [buster] - apache2 <no-dsa> (Minor issue) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22719 NOTE: Fixed by: https://svn.apache.org/r1898694 CVE-2022-22718 (Windows Print Spooler Elevation of Privilege Vulnerability. This CVE I ...) @@ -19627,7 +19641,6 @@ CVE-2021-44964 (Use after free in garbage collector and finalizer of lgc.c in Lu NOTE: http://lua-users.org/lists/lua-l/2021-12/msg00015.html NOTE: http://lua-users.org/lists/lua-l/2021-12/msg00030.html NOTE: https://github.com/Lua-Project/lua-5.4.4-sandbox-escape-with-new-vulnerability - TODO: check possible fix and other versions of lua CVE-2021-44963 RESERVED CVE-2021-44962 (An out-of-bounds read vulnerability exists in the GCode::extrude() fun ...) @@ -21029,6 +21042,7 @@ CVE-2021-44538 (The olm_session_describe function in Matrix libolm before 3.2.7 NOTE: Fixed by: https://gitlab.matrix.org/matrix-org/olm/-/commit/c23ce70fc66c26db5839ddb5a3b46d4c3d3abed6 (3.2.8) CVE-2021-44537 (ownCloud owncloud/client before 2.9.2 allows Resource Injection by a s ...) - owncloud-client <unfixed> + [buster] - owncloud-client <no-dsa> (Minor issue) [stretch] - owncloud-client <not-affected> (OAuth support introduced in 2.4) NOTE: https://owncloud.com/security-advisories/cve-2021-44537/ CVE-2021-44536 @@ -47171,6 +47185,8 @@ CVE-2021-35501 (PandoraFMS <=7.54 allows Stored XSS by placing a payload in t CVE-2021-3621 (A flaw was found in SSSD, where the sssctl command was vulnerable to s ...) {DLA-2758-1} - sssd 2.5.2-1 (bug #992710) + [bullseye] - sssd <no-dsa> (Minor issue) + [buster] - sssd <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975142 NOTE: https://github.com/SSSD/sssd/commit/7ab83f97e1cbefb78ece17232185bdd2985f0bbe NOTE: Introduced by https://github.com/SSSD/sssd/commit/e157b9f6cb370e1b94bcac2044d26ad66d640fba (v1.13.91) @@ -49310,6 +49326,7 @@ CVE-2021-34559 (In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 a vulnerabilit NOT-FOR-US: PEPPERL+FUCHS WirelessHART-Gateway CVE-2021-3596 (A NULL pointer dereference flaw was found in ImageMagick in versions p ...) - imagemagick 8:6.9.11.57+dfsg-1 + [buster] - imagemagick <ignored> (Minor issue) [stretch] - imagemagick <postponed> (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/2624 NOTE: https://github.com/ImageMagick/ImageMagick/commit/43dfb1894761c4929d5d5c98dc80ba4e59a0d114 @@ -52369,6 +52386,8 @@ CVE-2021-33293 (Panorama Tools libpano13 v2.9.20 was discovered to contain an ou {DLA-2957-1} [experimental] - libpano13 2.9.21~rc1+dfsg-1 - libpano13 <unfixed> (bug #1008024) + [bullseye] - libpano13 <no-dsa> (Minor issue) + [buster] - libpano13 <no-dsa> (Minor issue) NOTE: https://groups.google.com/u/1/g/hugin-ptx/c/gLtz2vweD74 NOTE: Fixed by: https://sourceforge.net/p/panotools/libpano13/ci/62aa7eed8fae5d8f247a2508a757f31000de386f/ CVE-2021-33292 @@ -76927,6 +76946,7 @@ CVE-2021-23649 RESERVED CVE-2021-23648 (The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cro ...) - node-mermaid <unfixed> + [bullseye] - node-mermaid <no-dsa> (Minor issue) NOTE: https://github.com/braintree/sanitize-url/pull/40 NOTE: src:node-mermaid provides embedded @braintree/sanitize-url CVE-2021-23647 diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index f0e9959c26..9a25291873 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -18,6 +18,8 @@ condor/oldstable -- faad2/oldstable (jmm) -- +fish/stable +-- freecad (aron) -- linux (carnil) @@ -45,3 +47,5 @@ trafficserver (jmm) unzip no details public yet -- +wordpress +-- |