Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
01392162 by Moritz Muehlenhoff at 2022-09-14T17:25:06+02:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -186,6 +186,7 @@ CVE-2022-3191
        RESERVED
 CVE-2022-3190 (Infinite loop in the F5 Ethernet Trailer protocol dissector in 
Wiresha ...)
        - wireshark 3.6.8-1
+       [bullseye] - wireshark <no-dsa> (Minor issue)
        NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18307
        NOTE: https://www.wireshark.org/security/wnpa-sec-2022-06.html
 CVE-2022-3189
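Review bot: the new `[bullseye] - wireshark <no-dsa> (Minor issue)` line is consistent with the unstable fix in 3.6.8-1, but the two NOTE lines only reference the upstream issue (18307) and the wnpa-sec-2022-06 advisory, not the fixing commit; add a `NOTE: Fixed by:` line with the commit, as the virglrenderer entry in this same commit does, so a bullseye point-release backport of the dissector loop fix can be prepared later without re-deriving it from the advisory.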
@@ -1482,6 +1483,7 @@ CVE-2022-40024
        RESERVED
 CVE-2022-40023 (Sqlalchemy mako before 1.2.2 is vulnerable to Regular 
expression Denia ...)
        - mako 1.2.2+ds1-1
+       [bullseye] - mako <no-dsa> (Minor issue)
        NOTE: 
https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
 (rel_1_2_2)
        NOTE: https://github.com/sqlalchemy/mako/issues/366
 CVE-2022-40022
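Review bot: the no-dsa reason for CVE-2022-40023 is the bare "Minor issue"; for a ReDoS, what decides severity is which input the vulnerable regular expression runs over and whether that input is attacker-controlled in normal mako deployments, so state that in the parenthesis, as the wolfssl CVE-2022-38153 line in this same commit does, to keep the triage reviewable. The fix commit NOTE already carries the rel_1_2_2 tag, so a point-release backport is readily available if the assessment is revisited.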
@@ -3284,12 +3286,14 @@ CVE-2022-39178
        RESERVED
 CVE-2022-39177 (BlueZ before 5.59 allows physically proximate attackers to 
cause a den ...)
        - bluez 5.61-1
+       [bullseye] - bluez <no-dsa> (Minor issue)
        NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b
 (5.59)
        NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7a80d2096f1b7125085e21448112aa02f49f5e9a
 (5.59)
        NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0388794dc5fdb73a4ea88bcf148de0a12b4364d4
 (5.60)
        NOTE: https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968
 CVE-2022-39176 (BlueZ before 5.59 allows physically proximate attackers to 
obtain sens ...)
        - bluez 5.61-1
+       [bullseye] - bluez <no-dsa> (Minor issue)
        NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b
 (5.59)
        NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7a80d2096f1b7125085e21448112aa02f49f5e9a
 (5.59)
        NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0388794dc5fdb73a4ea88bcf148de0a12b4364d4
 (5.60)
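Review bot: CVE-2022-39176 and CVE-2022-39177 cite the same three bluez commits (two tagged 5.59, one 5.60), so a bullseye backport must carry all three together; since both entries now get an identical no-dsa "Minor issue" tag, add a NOTE that the fixes are shared (and copy the Launchpad bug 1977968 reference, which only the 39177 entry has) so the two are not handled separately later. The descriptions differ as well, denial of service versus obtaining sensitive data, both by a physically proximate attacker; if the proximity requirement is the reason the information-disclosure variant is judged minor, record that in the parenthesis.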
@@ -4488,18 +4492,22 @@ CVE-2022-2994
        RESERVED
 CVE-2022-38752 (Using snakeYAML to parse untrusted YAML files may be 
vulnerable to Den ...)
        - snakeyaml <unfixed>
+       [bullseye] - snakeyaml <no-dsa> (Minor issue)
        NOTE: 
https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081 (not 
public)
 CVE-2022-38751 (Using snakeYAML to parse untrusted YAML files may be 
vulnerable to Den ...)
        - snakeyaml <unfixed>
+       [bullseye] - snakeyaml <no-dsa> (Minor issue)
        NOTE: 
https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
 CVE-2022-38750 (Using snakeYAML to parse untrusted YAML files may be 
vulnerable to Den ...)
        - snakeyaml <unfixed>
+       [bullseye] - snakeyaml <no-dsa> (Minor issue)
        NOTE: 
https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
 CVE-2022-38749 (Using snakeYAML to parse untrusted YAML files may be 
vulnerable to Den ...)
        - snakeyaml <unfixed>
+       [bullseye] - snakeyaml <no-dsa> (Minor issue)
        NOTE: 
https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024
 CVE-2022-38748
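Review bot: the four snakeyaml entries CVE-2022-38749 through CVE-2022-38752 are all `<unfixed>` in unstable and now no-dsa in bullseye with the same reason, but none of them carries a fix reference; the NOTEs are fuzzer-found stack overflow reports (per the Bitbucket issue titles) and the oss-fuzz issue 47081 for CVE-2022-38752 is marked "(not public)", so Bitbucket issue 531 is the only usable reference for that one. A single NOTE on the group saying these are the same class of parser stack overflow and will be fixed together would avoid re-triaging each one when an upstream release lands; also, the issue 525 cited for CVE-2022-38749 is the same Bitbucket issue cited by the CVE-2022-25857 entry touched later in this commit, so a cross-reference between those two entries is warranted.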
@@ -4531,6 +4539,7 @@ CVE-2022-2990 (An incorrect handling of the supplementary 
groups in the Buildah
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121453
 CVE-2022-2989 (An incorrect handling of the supplementary groups in the Podman 
contai ...)
        - libpod <unfixed> (bug #1019591)
+       [bullseye] - libpod <no-dsa> (Minor issue)
        NOTE: 
https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121445
 CVE-2022-2988
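Review bot: the libpod entry for CVE-2022-2989 gets no-dsa while unstable is still `<unfixed>` (bug #1019591); the hunk context shows the sibling CVE-2022-2990, the same supplementary-groups handling problem in Buildah, with only its bugzilla NOTE visible, so this diff does not show whether the buildah source package received a matching bullseye tag. The two should be triaged identically, and the benthamsgaze.org write-up cited in the NOTE (an "investigation and mitigation" post) is a better basis for the parenthesis than the bare "Minor issue".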
@@ -5143,6 +5152,7 @@ CVE-2022-38529 (tinyexr commit 0647fb3 was discovered to 
contain a heap-buffer o
        NOTE: 
https://github.com/syoyo/tinyexr/commit/82984a37d1dba67000a35b083b26df5e57a2bb72
 CVE-2022-38528 (Open Asset Import Library (assimp) commit 3c253ca was 
discovered to co ...)
        - assimp <unfixed>
+       [bullseye] - assimp <no-dsa> (Minor issue)
        NOTE: https://github.com/assimp/assimp/issues/4662
 CVE-2022-38527
        RESERVED
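Review bot: the assimp entry CVE-2022-38528 is `<unfixed>` in unstable and the only reference is upstream issue 4662 with no fix commit, yet the new bullseye line already asserts "Minor issue"; a no-dsa with no fix reference and an unfixed package in sid is hard to revisit, so either state the reason (input required, reachability) in the parenthesis or hold the tag until the upstream fix is known and noted.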
@@ -6422,9 +6432,11 @@ CVE-2022-38154
        RESERVED
 CVE-2022-38153 (An issue was discovered in wolfSSL before 5.5.0 (when 
--enable-session ...)
        - wolfssl <unfixed>
+       [bullseye] - wolfssl <not-affected> (Vulnerable code not present and 
session tickets not enabled)
        NOTE: https://github.com/wolfSSL/wolfssl/pull/5476
 CVE-2022-38152 (An issue was discovered in wolfSSL before 5.5.0. When a TLS 
1.3 client ...)
        - wolfssl <unfixed>
+       [bullseye] - wolfssl <no-dsa> (Minor issue)
        NOTE: https://github.com/wolfSSL/wolfssl/pull/5468
 CVE-2022-38151
        RESERVED
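Review bot: the `<not-affected>` line for CVE-2022-38153 gives two independent reasons ("Vulnerable code not present" and "session tickets not enabled"); either alone is sufficient, and if the bullseye build disabling session tickets is the real basis, say which one was verified so it is not re-checked. By contrast the CVE-2022-38152 line for the same package and the same upstream release says only "Minor issue"; record why that one is minor (the description points at the TLS 1.3 client path) so the two wolfssl entries are assessed on the same footing.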
@@ -7266,6 +7278,7 @@ CVE-2022-37798 (Tenda AC1206 V15.03.06.23 was discovered 
to contain a stack over
        NOT-FOR-US: Tenda
 CVE-2022-37797 (In lighttpd 1.4.65, mod_wstunnel does not initialize a handler 
functio ...)
        - lighttpd 1.4.66-1
+       [bullseye] - lighttpd <no-dsa> (Minor issue)
        NOTE: https://redmine.lighttpd.net/issues/3165
        NOTE: 
https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/971773f1fae600074b46ef64f3ca1f76c227985f
 (lighttpd-1.4.66)
 CVE-2022-37796 (In Simple Online Book Store System 1.0 in /admin_book.php the 
Title, A ...)
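Review bot: for CVE-2022-37797 the fix commit is tagged lighttpd-1.4.66, matching the 1.4.66-1 unstable fix, so a bullseye backport is a single cherry-pick if a point-release fix is wanted; the "Minor issue" reason should mention whether bullseye's lighttpd actually ships the mod_wstunnel code path named in the description, since that decides whether the no-dsa tag is a severity judgement or effectively a not-affected.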
@@ -16435,6 +16448,7 @@ CVE-2022-34294 (totd 1.5.3 uses a fixed UDP source port 
in upstream queries sent
        NOT-FOR-US: totd
 CVE-2022-34293 (wolfSSL before 5.4.0 allows remote attackers to cause a denial 
of serv ...)
        - wolfssl <unfixed> (bug #1016981)
+       [bullseye] - wolfssl <no-dsa> (Minor issue)
        NOTE: http://www.openwall.com/lists/oss-security/2022/08/08/6
 CVE-2022-34292
        RESERVED
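Review bot: the only reference for CVE-2022-34293 is the oss-security post, with no upstream fix commit, while the other two wolfssl entries in this commit (CVE-2022-38153, CVE-2022-38152) cite their upstream pull requests; add the fixing PR or commit NOTE here too, since unstable is still `<unfixed>` (bug #1016981) and the bullseye no-dsa tag will need a concrete patch if the package is ever updated.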
@@ -24750,6 +24764,7 @@ CVE-2022-31198 (OpenZeppelin Contracts is a library for 
secure smart contract de
        NOT-FOR-US: OpenZeppelin
 CVE-2022-31197 (PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs 
to conn ...)
        - libpgjava 42.4.1-1 (bug #1016662)
+       [bullseye] - libpgjava <no-dsa> (Minor issue)
        NOTE: 
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2
        NOTE: 
https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637
 (REL42.4.1-rc1)
 CVE-2022-31196 (Databasir is a database metadata management platform. 
Databasir &lt;=  ...)
@@ -40210,6 +40225,7 @@ CVE-2022-25858 (The package terser before 4.8.1, from 
5.0.0 and before 5.14.2 ar
        NOTE: 
https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012
 (v4.8.1)
 CVE-2022-25857 (The package org.yaml:snakeyaml from 0 and before 1.31 are 
vulnerable t ...)
        - snakeyaml <unfixed> (bug #1019218)
+       [bullseye] - snakeyaml <no-dsa> (Minor issue)
        NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/525
        NOTE: 
https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174
        NOTE: https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360
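Review bot: this entry cites Bitbucket issue 525, the same issue referenced by CVE-2022-38749 earlier in this commit (issues/525/got-stackoverflowerror-for-many-open), yet this entry has an upstream fix commit (fc300780) and a Debian bug (#1019218) while 38749 has neither; either the two CVEs describe one bug and should cross-reference each other, or 38749 needs its own reference. The description also fixes the affected range at "from 0 and before 1.31", so once 1.31 or later reaches unstable the `<unfixed>` here must be updated and the four CVE-2022-3875x entries re-checked against that release.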
@@ -51443,6 +51459,7 @@ CVE-2022-0136 (A vulnerability was discovered in GitLab 
versions 10.5 to 14.5.4,
        - gitlab <unfixed>
 CVE-2022-0135 (An out-of-bounds write issue was found in the VirGL virtual 
OpenGL ren ...)
        - virglrenderer 0.10.0-1 (bug #1009073)
+       [bullseye] - virglrenderer <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2037790
        NOTE: 
https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654
        NOTE: Fixed by: 
https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
 (0.10.0)
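Review bot: CVE-2022-0135 is an out-of-bounds write in a virtualization renderer (VirGL), a memory-safety class where "Minor issue" alone is a thin justification; the `Fixed by:` commit is tagged 0.10.0 and matches the 0.10.0-1 unstable fix, so the backport cost is known. State the basis for no-dsa in the parenthesis (for example the deployment conditions under which the renderer is reachable) so the tag can be re-evaluated against a later exploitability assessment.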


=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ commons-configuration
 --
 connman (carnil)
 --
+fish
+--
 gdal
 --
 linux (carnil)
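Review bot: `fish` is added to dsa-needed.txt without an assignee, unlike the neighbouring `connman (carnil)` and `linux (carnil)` entries, and nothing in the data/CVE/list part of this commit touches fish, so the CVE that motivates the DSA is not recorded anywhere in this change; add the assignee and the CVE id so the entry is actionable for whoever picks it up.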



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01392162baab12680165e2171a0b98d9d0015551



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
