Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a89b938c by Moritz Muehlenhoff at 2022-11-11T16:05:36+01:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -367,6 +367,7 @@ CVE-2022-3873 (Cross-site Scripting (XSS) - DOM in GitHub 
repository jgraph/draw
        NOT-FOR-US: jgraph/drawio
 CVE-2022-3872 (An off-by-one read/write issue was found in the SDHCI device of 
QEMU.  ...)
        - qemu <unfixed>
+       [bullseye] - qemu <no-dsa> (Minor issue)
        [buster] - qemu <postponed> (Minor issue, DoS, waiting for sanctioned 
patch)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2140567
        NOTE: patch proposal 1: 
https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01068.html
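Review bot: the new `[bullseye] - qemu <no-dsa> (Minor issue)` line uses a different state than the existing `[buster] - qemu <postponed> (Minor issue, DoS, waiting for sanctioned patch)` line directly below it, even though the same upstream patch proposal is still pending for both suites. If the intent is to ship the fix in a later point release once upstream sanctions a patch, `<postponed>` with the same rationale as buster would describe the bullseye situation more precisely; if the intent is to not fix it in bullseye at all, the buster line could be aligned instead so that the two suites don't read as being in different states for the same reason.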
@@ -8623,6 +8624,7 @@ CVE-2022-42919 (Python 3.9.x and 3.10.x through 3.10.8 on 
Linux allows local pri
        - python3.11 3.11.0-2
        - python3.10 3.10.8-2
        - python3.9 <unfixed>
+       [bullseye] - python3.9 <no-dsa> (Minor issue)
        - python3.7 <removed>
        [buster] - python3.7 <not-affected> (Vulnerable functionality 
backported later in 3.7.8)
        NOTE: https://github.com/python/cpython/issues/97514
@@ -17202,6 +17204,7 @@ CVE-2022-39378 (Discourse is a platform for community 
discussion. Under certain
        NOT-FOR-US: Discourse
 CVE-2022-39377 (sysstat is a set of system performance tools for the Linux 
operating s ...)
        - sysstat <unfixed> (bug #1023832)
+       [bullseye] - sysstat <no-dsa> (Minor issue)
        NOTE: 
https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
        NOTE: 
https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540
 (v12.7.1)
 CVE-2022-39376 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI 
is a Fre ...)
@@ -68232,16 +68235,16 @@ CVE-2021-4194 (bookstack is vulnerable to Improper 
Access Control ...)
        NOT-FOR-US: bookstack
 CVE-2021-4193 (vim is vulnerable to Out-of-bounds Read ...)
        {DLA-3182-1 DLA-2947-1}
-       - vim 2:8.2.3995-1
-       [bullseye] - vim <no-dsa> (Minor issue)
+       - vim 2:8.2.3995-1 (unimportant)
        NOTE: https://huntr.dev/bounties/92c1940d-8154-473f-84ce-0de43b0c2eb0
        NOTE: Fixed by: 
https://github.com/vim/vim/commit/94f3192b03ed27474db80b4d3a409e107140738b 
(v8.2.3950)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2021-4192 (vim is vulnerable to Use After Free ...)
        {DLA-3182-1 DLA-2947-1}
-       - vim 2:8.2.3995-1
-       [bullseye] - vim <no-dsa> (Minor issue)
+       - vim 2:8.2.3995-1 (unimportant)
        NOTE: https://huntr.dev/bounties/6dd9cb2e-a940-4093-856e-59b502429f22
        NOTE: Fixed by: 
https://github.com/vim/vim/commit/4c13e5e6763c6eb36a343a2b8235ea227202e952 
(v8.2.3949)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2021-4191 (An issue has been discovered in GitLab CE/EE affecting versions 
13.0 t ...)
        [experimental] - gitlab 14.6.5+ds1
        - gitlab <unfixed>
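Review bot: both CVE-2021-4193 and CVE-2021-4192 are downgraded to `(unimportant)` while their `{DLA-3182-1 DLA-2947-1}` reference lines stay in place, so the entries now say that an update was issued for an issue with "no security impact". That is the correct historical record (the DLAs were published and must not be dropped), but it is worth stating the reason in the new `NOTE: Crash in CLI tool, no security impact` line, e.g. that the severity was reassessed after the DLAs went out, so a later reader doesn't take the DLA references as evidence against the unimportant rating. Also, dropping the `[bullseye] - vim <no-dsa>` lines is fine only because `unimportant` on the unstable entry applies to all suites; the removed rationale "(Minor issue)" is now carried solely by the added NOTE.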
@@ -69568,12 +69571,10 @@ CVE-2021-45476 (Yordam Library Information Document 
Automation product before ve
 CVE-2021-45475 (Yordam Library Information Document Automation product before 
version  ...)
        NOT-FOR-US: Yordam Library Information Document Automation
 CVE-2021-4166 (vim is vulnerable to Out-of-bounds Read ...)
-       - vim 2:8.2.3995-1
-       [bullseye] - vim <no-dsa> (Minor issue)
-       [buster] - vim <no-dsa> (Minor issue)
-       [stretch] - vim <no-dsa> (Minor issue)
+       - vim 2:8.2.3995-1 (unimportant)
        NOTE: https://huntr.dev/bounties/229df5dd-5507-44e9-832c-c70364bdf035
        NOTE: 
https://github.com/vim/vim/commit/6f98371532fcff911b462d51bc64f2ce8a6ae682 
(v8.2.3884)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2021-4165
        RESERVED
 CVE-2021-4164 (calibre-web is vulnerable to Cross-Site Request Forgery (CSRF) 
...)
@@ -71185,13 +71186,13 @@ CVE-2021-44462 (This vulnerability can be exploited 
by parsing maliciously craft
 CVE-2021-4137
        RESERVED
 CVE-2021-4136 (vim is vulnerable to Heap-based Buffer Overflow ...)
-       - vim 2:8.2.3995-1 (bug #1002534)
-       [bullseye] - vim <no-dsa> (Minor issue)
+       - vim 2:8.2.3995-1 (bug #1002534; unimportant)
        [buster] - vim <not-affected> (Vulnerable code introduced later)
        [stretch] - vim <not-affected> (Vulnerable code introduced later)
        NOTE: https://huntr.dev/bounties/5c6b93c1-2d27-4e98-a931-147877b8c938
        NOTE: Introduced by: 
https://github.com/vim/vim/commit/2949cfdbe4335b9abcfeda1be4dfc52090ee1df6 
(v8.2.2257)
        NOTE: Fixed by: 
https://github.com/vim/vim/commit/605ec91e5a7330d61be313637e495fa02a6dc264 
(v8.2.3847)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2021-4135 (A memory leak vulnerability was found in the Linux kernel's 
eBPF for t ...)
        {DSA-5096-1 DLA-2941-1}
        - linux 5.15.15-1 (unimportant)
@@ -73239,10 +73240,10 @@ CVE-2021-44549 (Apache Sling Commons Messaging Mail 
provides a simple layer on t
        NOT-FOR-US: Apache Sling
 CVE-2021-4069 (vim is vulnerable to Use After Free ...)
        {DLA-3182-1 DLA-2947-1}
-       - vim 2:8.2.3995-1
-       [bullseye] - vim <no-dsa> (Minor issue)
+       - vim 2:8.2.3995-1 (unimportant)
        NOTE: https://huntr.dev/bounties/0efd6d23-2259-4081-9ff1-3ade26907d74/
        NOTE: 
https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9 
(v8.2.3741)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2021-44548 (An Improper Input Validation vulnerability in 
DataImportHandler of Apa ...)
        - lucene-solr <not-affected> (Issue only affects Windows)
        NOTE: https://issues.apache.org/jira/browse/SOLR-15826
@@ -75008,10 +75009,10 @@ CVE-2021-3985 (kimai2 is vulnerable to Improper 
Neutralization of Input During W
        NOT-FOR-US: kimai2
 CVE-2021-3984 (vim is vulnerable to Heap-based Buffer Overflow ...)
        {DLA-3182-1 DLA-2947-1}
-       - vim 2:8.2.3995-1 (bug #1001896)
-       [bullseye] - vim <no-dsa> (Minor issue)
+       - vim 2:8.2.3995-1 (bug #1001896; unimportant)
        NOTE: https://huntr.dev/bounties/b114b5a2-18e2-49f0-b350-15994d71426a
        NOTE: 
https://github.com/vim/vim/commit/2de9b7c7c8791da8853a9a7ca9c467867465b655 
(v8.2.3625)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2021-3983 (kimai2 is vulnerable to Improper Neutralization of Input During 
Web Pa ...)
        NOT-FOR-US: kimai2
 CVE-2022-21742 (Realtek USB driver has a buffer overflow vulnerability due to 
insuffic ...)
@@ -75246,17 +75247,16 @@ CVE-2021-43960 (** DISPUTED ** Lorensbergs Connect2 
3.13.7647.20190 is affected
        NOT-FOR-US: Lorensbergs Connect2
 CVE-2021-3974 (vim is vulnerable to Use After Free ...)
        {DLA-3182-1 DLA-2947-1}
-       - vim 2:8.2.3995-1 (bug #1001897)
-       [bullseye] - vim <no-dsa> (Minor issue)
+       - vim 2:8.2.3995-1 (bug #1001897; unimportant)
        NOTE: https://huntr.dev/bounties/e402cb2c-8ec4-4828-a692-c95f8e0de6d4
        NOTE: 
https://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6 
(v8.2.3612)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2021-3973 (vim is vulnerable to Heap-based Buffer Overflow ...)
        {DLA-2947-1}
-       - vim 2:8.2.3995-1 (bug #1001899)
-       [bullseye] - vim <no-dsa> (Minor issue)
-       [buster] - vim <no-dsa> (Minor issue)
+       - vim 2:8.2.3995-1 (unimportant; bug #1001899)
        NOTE: https://huntr.dev/bounties/ce6e8609-77c6-4e17-b9fc-a2e5abed052e
        NOTE: 
https://github.com/vim/vim/commit/615ddd5342b50a6878a907062aa471740bd9a847 
(v8.2.3611)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2021-3972 (A potential vulnerability by a driver used during manufacturing 
proces ...)
        NOT-FOR-US: Lenovo
 CVE-2021-3971 (A potential vulnerability by a driver used during older 
manufacturing  ...)
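Review bot: the ordering of the parenthesised annotations is inconsistent within this commit. CVE-2021-3973 is written as `- vim 2:8.2.3995-1 (unimportant; bug #1001899)` while CVE-2021-3974 in the same hunk (and CVE-2021-4136 and CVE-2021-3984 earlier) use `(bug #...; unimportant)`. Both forms are accepted by the tracker, but picking one ordering for all seven vim entries touched here makes the entries easier to grep and review; the `(bug #N; unimportant)` form used in the majority is the obvious choice.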


=====================================
data/dsa-needed.txt
=====================================
@@ -27,7 +27,7 @@ linux (carnil)
 netatalk
   open regression with MacOS, tentative patch not yet merged upstream
 --
-nginx
+nginx (jmm)
 --
 nodejs
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a89b938c049a35447c6e1ba6b0f5989ebd2e05f0

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits