Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f2089065 by Moritz Muehlenhoff at 2022-10-05T17:02:42+02:00
bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -7460,11 +7460,13 @@ CVE-2022-39210 (Nextcloud android is the official
Android client for the Nextclo
CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
renderin ...)
- cmark-gfm <unfixed> (bug #1020588)
- python-cmarkgfm <unfixed>
- - ghostwriter <unfixed>
+ - ghostwriter <unfixed> (unimportant)
- ruby-commonmarker <unfixed>
- r-cran-commonmark <unfixed>
+ [bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
NOTE:
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
NOTE:
https://github.com/github/cmark-gfm/commit/cfcaa0068bf319974fdec283416fcee5035c2d70
(0.29.0.gfm.6)
+ NOTE: For ghostwriter just a hang/crash in GUI tool, no security impact
CVE-2022-39208 (Onedev is an open source, self-hosted Git Server with CI/CD
and Kanban ...)
NOT-FOR-US: Onedev
CVE-2022-39207 (Onedev is an open source, self-hosted Git Server with CI/CD
and Kanban ...)
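Review bot: The bullseye triage in this hunk covers only r-cran-commonmark (`<no-dsa>`, Minor issue) and the ghostwriter severity change to `(unimportant)`; cmark-gfm, python-cmarkgfm and ruby-commonmarker still carry no `[bullseye]` line and so remain open for bullseye. If that is deliberate (a DSA or point update pending for the C library and its bindings) it is fine, otherwise the matching `[bullseye]` entries should be added in the same pass. The added NOTE explaining why ghostwriter is unimportant ("just a hang/crash in GUI tool") is the right pattern; a one-line NOTE stating why r-cran-commonmark is a minor issue would help the next person reading this entry.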
@@ -7824,6 +7826,7 @@ CVE-2006-20001
RESERVED
CVE-2022-XXXX [wordpress 6.0.2]
- wordpress 6.0.2+dfsg1-1 (bug #1018863)
+ [bullseye] - wordpress <no-dsa> (Minor issue)
NOTE:
https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
CVE-2022-39079
RESERVED
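Review bot: The `[bullseye] - wordpress <no-dsa> (Minor issue)` line is attached to a placeholder entry (`CVE-2022-XXXX [wordpress 6.0.2]`); when the real CVE ids for the 6.0.2 release are assigned this entry has to be split, and the bullseye tag must be carried over to each of them. The linked release note describes 6.0.2 as a security and maintenance release bundling several fixes, so a short NOTE recording why the set as a whole is rated minor would make the `<no-dsa>` decision reviewable later.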
@@ -18258,11 +18261,13 @@ CVE-2022-2321 (Improper Restriction of Excessive
Authentication Attempts in GitH
CVE-2022-35230 (An authenticated user can create a link with reflected
Javascript code ...)
[experimental] - zabbix 1:6.0.6+dfsg-1
- zabbix 1:6.0.7+dfsg-2 (bug #1014994)
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-21305
NOTE: Fixed in:
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/3b47a97676ee9ca4e16566f1931c456459108eae
(5.0.25rc1)
CVE-2022-35229 (An authenticated user can create a link with reflected
Javascript code ...)
[experimental] - zabbix 1:6.0.6+dfsg-1
- zabbix 1:6.0.7+dfsg-2 (bug #1014992)
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-21306
NOTE: Fixed in:
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b546c3f10ce98b0c914e5fc4114bd43042880c3c
(5.0.25rc1)
CVE-2022-35228 (SAP BusinessObjects CMC allows an unauthenticated attacker to
retrieve ...)
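Review bot: Both zabbix entries here (CVE-2022-35230, CVE-2022-35229) are tagged `[bullseye] - zabbix <no-dsa> (Minor issue)` with identical reasoning for authenticated reflected XSS, which is consistent with the other zabbix entries in this commit. The "Fixed in" NOTEs point at 5.0.25rc1 commits, so the fixes are candidates for a bullseye point update; consider recording in the NOTE whether a point-release upload is planned rather than leaving that implicit in `<no-dsa>`.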
@@ -47753,16 +47758,19 @@ CVE-2022-24920
CVE-2022-24919 (An authenticated user can create a link with reflected
Javascript code ...)
{DLA-2980-1}
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE:
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe
(5.0.21rc1)
CVE-2022-24918 (An authenticated user can create a link with reflected
Javascript code ...)
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
[stretch] - zabbix <not-affected> (The vulnerable code was introduced
later)
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE:
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe
(5.0.21rc1)
CVE-2022-24917 (An authenticated user can create a link with reflected
Javascript code ...)
{DLA-2980-1}
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE:
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe
(5.0.21rc1)
CVE-2022-24911
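Review bot: CVE-2022-24919, CVE-2022-24918 and CVE-2022-24917 all reference the same upstream ticket (ZBX-20680) and the same fix commit (5.0.21rc1), and CVE-2022-24919 and CVE-2022-24917 were already handled for stretch via DLA-2980-1. Tagging bullseye `<no-dsa> (Minor issue)` for issues that did get an LTS update is defensible (authenticated reflected XSS), but a NOTE explaining why the bullseye handling differs from the stretch handling would avoid the question being re-raised.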
@@ -48391,6 +48399,7 @@ CVE-2022-24725 (Shescape is a shell escape package for
JavaScript. An issue in v
CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference
implementati ...)
- cmark-gfm 0.29.0.gfm.3-3 (bug #1006756)
- ghostwriter <unfixed> (bug #1006757)
+ [bullseye] - ghostwriter <no-dsa> (Minor issue)
- python-cmarkgfm 0.7.0-1 (bug #1006758)
- ruby-commonmarker <unfixed> (bug #1006759)
- r-cran-commonmark 1.8.0-1 (bug #1006760)
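Review bot: ghostwriter is tagged `[bullseye] - ghostwriter <no-dsa> (Minor issue)` here for CVE-2022-24724, while the first hunk of this commit rates the same package `(unimportant)` for CVE-2022-39209 with the reasoning that a hang or crash in a GUI tool has no security impact. If that reasoning applies to this cmark-gfm issue as well, `<unimportant>` (or a NOTE) would be more consistent than `<no-dsa>`; ruby-commonmarker `<unfixed>` (bug #1006759) also still lacks a `[bullseye]` entry in this hunk.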
@@ -49549,6 +49558,7 @@ CVE-2022-24350
CVE-2022-24349 (An authenticated user can create a link with reflected XSS
payload for ...)
{DLA-2980-1}
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE:
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe
(5.0.21rc1)
CVE-2022-24348 (Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory
traversal ...)
@@ -54285,10 +54295,12 @@ CVE-2022-23135 (There is a directory traversal
vulnerability in some home gatewa
CVE-2022-23134 (After the initial setup process, some steps of setup.php file
are reac ...)
{DLA-2914-1}
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-20384
NOTE:
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa0fecfbcc9794bc00206630a7424575dfc944df
(5.0.19rc2)
CVE-2022-23133 (An authenticated user can create a hosts group from the
configuration ...)
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
[buster] - zabbix <not-affected> (Vulnerable code introduced later, and
reverted with the fix)
[stretch] - zabbix <not-affected> (Vulnerable code introduced later,
and reverted with the fix)
NOTE: https://support.zabbix.com/browse/ZBX-20388
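Review bot: CVE-2022-23134 (setup.php steps reachable after initial setup) was fixed in stretch via DLA-2914-1, so rating it `<no-dsa> (Minor issue)` for bullseye is a different call than the one made for LTS; a NOTE giving the reason (for example that the exposed setup steps do not reach anything sensitive in a completed installation) would document that decision. For CVE-2022-23133 the buster and stretch `<not-affected>` lines already explain the introduction point, so the bullseye `<no-dsa>` line reads consistently.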
@@ -54296,6 +54308,7 @@ CVE-2022-23133 (An authenticated user can create a
hosts group from the configur
NOTE: Introduced by:
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/f3654d0173ea244a2319a093f7c4e27ad9086dc3
(4.4.0alpha3)
CVE-2022-23132 (During Zabbix installation from RPM, DAC_OVERRIDE SELinux
capability i ...)
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
[stretch] - zabbix <not-affected> (Not using RPM or DAC_OVERRIDE in
Debian installs, zbx_ipc_service_init_env() not present)
NOTE: https://support.zabbix.com/browse/ZBX-20341
NOTE:
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/019fbd9b5cc9c455304f1a48460435ca474ba2ac
(5.0.18)
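Review bot: The stretch line for CVE-2022-23132 gives two reasons, and the first one ("Not using RPM or DAC_OVERRIDE in Debian installs") applies equally to bullseye, which would argue for `<not-affected>` or `<unimportant>` rather than `<no-dsa> (Minor issue)`. If bullseye is kept at `<no-dsa>` because `zbx_ipc_service_init_env()` is present there, a NOTE saying so would make the distinction between the two releases explicit.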
=====================================
data/dsa-needed.txt
=====================================
@@ -42,6 +42,8 @@ rpki-client
--
ruby-image-processing
--
+ruby-nokogiri
+--
ruby-rack
--
ruby-tzinfo
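Review bot: The new ruby-nokogiri entry is added with only the `--` separator and no annotation; the surrounding entries shown here are equally bare, so this is consistent with the file, but it would help to record which CVE ids the DSA is meant to cover and whether the maintainer has been contacted, so the queue entry can be picked up without re-deriving that from data/CVE/list.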
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f208906503b226a8ed78815240dc67764bbd2d6b
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits