author: Moritz Muehlenhoff <jmm@debian.org>, 2022-02-07 23:02:45 +0100
committer: Moritz Muehlenhoff <jmm@debian.org>, 2022-02-07 23:03:36 +0100
commit: cc97fae13aa2023c3003ffcc9ee0d9b14cf48437
tree: 1a0514da46e4728a0518241d6e6e57184bc65dfe /data
parent: c061d837bfe30998dd6624b8efcf3fe2bb58b38d
buster/bullseye triage
Diffstat (limited to 'data')
-rw-r--r-- data/CVE/list.2021 | 22
-rw-r--r-- data/CVE/list.2022 | 4
2 files changed, 24 insertions, 2 deletions
diff --git a/data/CVE/list.2021 b/data/CVE/list.2021
index 450f33ef69..74e4e13582 100644
--- a/data/CVE/list.2021
+++ b/data/CVE/list.2021
@@ -1514,18 +1514,26 @@ CVE-2021-46047 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the
NOTE: https://github.com/gpac/gpac/commit/dd2e8b1b9378a9679de8e7e5dcb2d7841acd5dbd
CVE-2021-46046 (A Pointer Derefernce Vulnerbility exists GPAC 1.0.1 the gf_isom_box_si ...)
- gpac <unfixed>
+ [bullseye] - gpac <no-dsa> (Minor issue)
+ [buster] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/2005
NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f
CVE-2021-46045 (GPAC 1.0.1 is affected by: Abort failed. The impact is: cause a denial ...)
- gpac <unfixed>
+ [bullseye] - gpac <no-dsa> (Minor issue)
+ [buster] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/2007
NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f
CVE-2021-46044 (A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1via ShiftMetaOf ...)
- gpac <unfixed>
+ [bullseye] - gpac <no-dsa> (Minor issue)
+ [buster] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/2006
NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f
CVE-2021-46043 (A Pointer Dereference Vulnerability exits in GPAC 1.0.1 in the gf_list ...)
- gpac <unfixed>
+ [bullseye] - gpac <no-dsa> (Minor issue)
+ [buster] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/2001
NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f
CVE-2021-46042 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the _fsee ...)
@@ -1783,6 +1791,8 @@ CVE-2021-45949 (Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer
NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
CVE-2021-45948 (Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-base ...)
- assimp 5.1.1~ds0-1
+ [bullseye] - assimp <not-affected> (Vulnerable code not present)
+ [buster] - assimp <not-affected> (Vulnerable code not present)
[stretch] - assimp <not-affected> (M3D format support not present)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/assimp/OSV-2021-775.yaml
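Review bot: the two added assimp lines give "Vulnerable code not present" as the reason, while the existing [stretch] line directly below them says "M3D format support not present". If bullseye and buster are unaffected for that same reason, reuse the stretch wording so the three suite lines agree; if the reason differs, name the missing code so the next triager does not have to recheck it.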
@@ -5758,11 +5768,13 @@ CVE-2021-44514 (OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishan
NOT-FOR-US: ManageEngine
CVE-2021-44513 (Insecure creation of temporary directories in tmate-ssh-server 2.3.0 a ...)
- tmate-ssh-server <unfixed> (bug #1001225)
+ [bullseye] - tmate-ssh-server <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596
NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388
CVE-2021-44512 (World-writable permissions on the /tmp/tmate/sessions directory in tma ...)
- tmate-ssh-server <unfixed> (bug #1001225)
+ [bullseye] - tmate-ssh-server <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596
NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388
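Review bot: CVE-2021-44513 and CVE-2021-44512 each gain a [bullseye] line but no [buster] line, although the commit message describes a buster/bullseye triage. If buster does not ship tmate-ssh-server nothing more is needed; otherwise both entries still lack a buster decision. Both also carry only "Minor issue" next to a "Fixed by:" commit and bug #1001225, so a word on why the temporary-directory and world-writable /tmp/tmate/sessions issues are minor would help.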
@@ -10576,6 +10588,7 @@ CVE-2021-42577
RESERVED
CVE-2021-42576 (The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Py ...)
- golang-github-microcosm-cc-bluemonday 1.0.16-1
+ [bullseye] - golang-github-microcosm-cc-bluemonday <no-dsa> (Minor issue)
NOTE: https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/
CVE-2021-42575 (The OWASP Java HTML Sanitizer before 20211018.1 does not properly enfo ...)
NOT-FOR-US: OWASP HTML Sanitizer
@@ -14220,6 +14233,8 @@ CVE-2021-41079 (Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1
NOTE: https://github.com/apache/tomcat/commit/b90d4fc1ff44f30e4b3aba622ba6677e3f003822 (8.5.64)
CVE-2021-3803 (nth-check is vulnerable to Inefficient Regular Expression Complexity ...)
- node-nth-check 2.0.1-1
+ [bullseye] - node-nth-check <no-dsa> (Minor issue)
+ [buster] - node-nth-check <no-dsa> (Minor issue)
[stretch] - node-nth-check <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726 (v2.0.1)
NOTE: https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0/
@@ -19992,6 +20007,8 @@ CVE-2021-38699 (TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin
NOT-FOR-US: TastyIgniter
CVE-2021-38698 (HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allow ...)
- consul <unfixed>
+ [bullseye] - consul <no-dsa> (Minor issue)
+ [buster] - consul <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026
NOTE: https://github.com/hashicorp/consul/commit/747844bad6410091f2c6e961216c0c5fc285a44d (v1.8.15)
CVE-2021-38697 (SoftVibe SARABAN for INFOMA 1.1 allows Unauthenticated unrestricted Fi ...)
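Review bot: the [bullseye] and [buster] lines added under CVE-2021-38698 give only "Minor issue", while the NOTE below them links an advisory whose title names a missing authorization check on the Txn.Apply endpoint. Put the actual rationale for treating this as minor in the parenthetical, so the no-dsa decision can be audited from the entry alone.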
@@ -20196,9 +20213,11 @@ CVE-2021-38604 (In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/
NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8
CVE-2021-38603 (PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Informati ...)
- pluxml <unfixed>
+ [buster] - pluxml <ignored> (Minor issue)
[stretch] - pluxml <no-dsa> (Minor issue)
CVE-2021-38602 (PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content ...)
- pluxml <unfixed>
+ [buster] - pluxml <ignored> (Minor issue)
[stretch] - pluxml <no-dsa> (Minor issue)
CVE-2021-38601
RESERVED
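Review bot: for CVE-2021-38603 and CVE-2021-38602 the new [buster] lines use <ignored> (Minor issue), while the [stretch] lines directly below use <no-dsa> with the same reason. The other <ignored> line visible in this patch, for node-follow-redirects, states why no fix will come ("Minor issue, too intrusive to backport"). Either add the equivalent reason here or use <no-dsa> to match stretch.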
@@ -30189,6 +30208,7 @@ CVE-2021-34432 (In Eclipse Mosquitto versions 2.07 and earlier, the server will
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=574141
CVE-2021-34431 (In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client ...)
- mosquitto 2.0.11-1
+ [bullseye] - mosquitto <no-dsa> (Minor issue)
[buster] - mosquitto <not-affected> (Vulnerable code introduced later)
[stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
NOTE: https://mosquitto.org/blog/2021/06/version-2-0-11-released/
@@ -30414,6 +30434,7 @@ CVE-2021-34338
CVE-2021-34337 [password checking timing attack in administrative REST API]
RESERVED
- mailman3 <unfixed> (bug #1004934)
+ [bullseye] - mailman3 <no-dsa> (Minor issue)
[buster] - mailman3 <no-dsa> (Minor issue; will be fixed via point release)
NOTE: Fixed by: https://gitlab.com/mailman/mailman/-/commit/e4a39488c4510fcad8851217f10e7337a196bb51 (3.3.5b1)
CVE-2021-34336
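Review bot: the added [bullseye] line for mailman3 says only "Minor issue", while the [buster] line right below it says "Minor issue; will be fixed via point release". If bullseye is meant to get the same treatment, say so in the parenthetical; as written, the two suite lines read as different plans for the same "Fixed by:" commit.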
@@ -45888,6 +45909,7 @@ CVE-2021-28167 (In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.r
NOT-FOR-US: Eclipse OpenJ9
CVE-2021-28166 (In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated clien ...)
- mosquitto 2.0.10-1 (bug #986701)
+ [bullseye] - mosquitto <no-dsa> (Minor issue)
[buster] - mosquitto <not-affected> (Vulnerable code introduced in 2.0)
[stretch] - mosquitto <not-affected> (Vulnerable code introduced in 2.0)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608
diff --git a/data/CVE/list.2022 b/data/CVE/list.2022
index 8dab43aa6b..5ea37f4f65 100644
--- a/data/CVE/list.2022
+++ b/data/CVE/list.2022
@@ -3246,11 +3246,10 @@ CVE-2022-0285 (Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore
NOT-FOR-US: pimcore
CVE-2022-0284
RESERVED
- - imagemagick <undetermined>
+ - imagemagick <not-affected> (Specific to IM7)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2045943
NOTE: https://github.com/ImageMagick/ImageMagick/issues/4729
NOTE: https://github.com/ImageMagick/ImageMagick/commit/e50f19fd73c792ebe912df8ab83aa51a243a3da7
- TODO: check if it affects ImageMagick6
CVE-2022-0283
RESERVED
CVE-2022-0282 (Code Injection in Packagist microweber/microweber prior to 1.2.11. ...)
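Review bot: in the CVE-2022-0284 entry the TODO "check if it affects ImageMagick6" is removed and the status becomes <not-affected> (Specific to IM7), but the entry does not record what was checked. A NOTE line saying how the ImageMagick6 code was ruled out, for example that the code changed by the referenced upstream commit has no counterpart there, would keep the basis for the conclusion with the entry.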
@@ -4990,6 +4989,7 @@ CVE-2022-22814
RESERVED
CVE-2022-0155 (follow-redirects is vulnerable to Exposure of Private Personal Informa ...)
- node-follow-redirects 1.14.7+~1.13.1-1
+ [bullseye] - node-follow-redirects <no-dsa> (Minor issue)
[buster] - node-follow-redirects <ignored> (Minor issue, too intrusive to backport)
NOTE: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406
NOTE: https://github.com/follow-redirects/follow-redirects/issues/183
