authorAnton Gladky <gladk@debian.org>2022-08-16 18:28:37 +0200
committerAnton Gladky <gladk@debian.org>2022-08-16 18:28:37 +0200
commita33c360942ab7a10d9bce039ab5f154d83ed868c (patch)
tree60df73e3d5c0078dcb50f70bbfa5742cbdef9c18
parentc28bf164fff7792988c502883f4ef69dc1e62da7 (diff)
parentec45dbf532b0ccce3f239922c5e5e98dbd0b9bd1 (diff)
Merge remote-tracking branch 'origin/master' into fix_987283
-rwxr-xr-xbin/add-dsa-needed.sh2
-rwxr-xr-xbin/lts-auto-eol68
-rwxr-xr-xbin/lts-cve-triage.py2
-rwxr-xr-xbin/lts-missing-uploads2
-rw-r--r--bin/unsupported_packages.py10
-rw-r--r--conf/cvelist.el7
-rw-r--r--data/CVE/list8290
-rw-r--r--data/DLA/list15
-rw-r--r--data/DSA/list43
-rw-r--r--data/config.json2
-rw-r--r--data/dla-needed.txt92
-rw-r--r--data/dsa-needed.txt44
-rw-r--r--data/next-oldstable-point-update.txt20
-rw-r--r--data/next-point-update.txt26
-rw-r--r--data/packages/removed-packages105
-rw-r--r--doc/DLA.template6
-rw-r--r--doc/DSA.template3
-rw-r--r--doc/security-team.d.o/index8
-rw-r--r--static/distributions.json4
-rw-r--r--templates/lts-no-dsa.txt8
-rw-r--r--templates/lts-update-planned-minor.txt6
-rw-r--r--templates/lts-update-planned.txt4
22 files changed, 6369 insertions, 2398 deletions
diff --git a/bin/add-dsa-needed.sh b/bin/add-dsa-needed.sh
index 3a79b36a31..28d70af1fc 100755
--- a/bin/add-dsa-needed.sh
+++ b/bin/add-dsa-needed.sh
@@ -20,7 +20,7 @@
set -eu
-include_oldstable=true
+include_oldstable=false
turl="https://security-tracker.debian.org/tracker/status/release"
[ -f data/dsa-needed.txt ] || {
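Review bot: `include_oldstable=false` is a bare literal flip, and nothing in the hunk records why oldstable is now excluded, so the next suite transition will need the same silent edit. Making it an overridable default, `include_oldstable=${INCLUDE_OLDSTABLE:-false}`, preceded by a one-line comment stating the reason oldstable is left out, would make the intent visible to the next maintainer without changing the default behaviour. The rest of the script, including where `include_oldstable` is consumed, is outside the hunk.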
diff --git a/bin/lts-auto-eol b/bin/lts-auto-eol
deleted file mode 100755
index 3ae392d64e..0000000000
--- a/bin/lts-auto-eol
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/perl
-use File::Copy;
-my $pkg = $ARGV[0];
-shift @ARGV;
-while (my $cve = shift @ARGV) {
- &addEol($pkg, $cve);
-}
-exit;
-
-sub addEol {
- my ($pkg, $cve) = @_;
-# print "Searching for $cve\n";
- # Mode
- # d - default
- # c - cve found
- # p - pkg found
- # e - eol printed, just continue to end of file as we are done
- my $mode = "d";
- open IF, "data/CVE/list";
- open OF, ">data/CVE/list.x";
- while (my $line = <IF>) {
- if ($mode eq "e") {
- print OF $line;
- next;
- }
- if ($mode eq "d") {
- if ($line =~ /$cve\s/) {
-# print " CVE $cve found\n";
- $mode = "c";
- print OF $line;
- next;
- }
- }
- if ($mode eq "c") {
- if ($line =~ /^\s+- $pkg\s/) {
- $mode = "p";
-# print " Package $pkg found\n";
- print OF $line;
- next;
- }
- }
- if ($mode eq "p") {
- if ($line =~ /^\s+\[buster\] - $pkg\s/) {
- $mode = "e";
- print "Existing LTS line found, skipping: $line";
- print OF $line;
- next;
- }
- if ($line =~ /^\s+\[bullseye\] - $pkg\s/ ||
- $line =~ /^\s+\[bookworm\] - $pkg\s/ ||
- $line =~ /^\s+\[trixie\] - $pkg\s/) {
- # skipping through other distribution info
- print OF $line;
- next;
- }
- # End of package entry add EOL
- print "EOL $cve for $pkg added.\n";
- print OF "\t[buster] - $pkg <end-of-life> (No longer supported in LTS buster)\n";
- print OF $line;
- $mode = "e";
- next;
- }
- print OF $line;
- }
- close IF;
- close OF;
- move ("data/CVE/list.x", "data/CVE/list");
-}
diff --git a/bin/lts-cve-triage.py b/bin/lts-cve-triage.py
index 0ae205ee00..87e0a74fa9 100755
--- a/bin/lts-cve-triage.py
+++ b/bin/lts-cve-triage.py
@@ -97,7 +97,7 @@ parser.add_argument('--exclude', nargs='+', choices=[x[0] for x in LIST_NAMES],
args = parser.parse_args()
tracker = TrackerData(update_cache=not args.skip_cache_update)
-unsupported = UnsupportedPackages(debian_version=10,
+unsupported = UnsupportedPackages(codename=RELEASES['lts'],
update_cache=not args.skip_cache_update)
limited = LimitedSupportPackages(update_cache=not args.skip_cache_update)
# unsupport/limited package names can be regexps
diff --git a/bin/lts-missing-uploads b/bin/lts-missing-uploads
index eb84a234df..faa4088a38 100755
--- a/bin/lts-missing-uploads
+++ b/bin/lts-missing-uploads
@@ -28,7 +28,7 @@ from debian.debian_support import Version
class LTSMissingUploads(object):
MONTHS = 6
- SOURCES = ['http://security.debian.org/dists/stretch/updates/{}/source/Sources.gz'.format(component)
+ SOURCES = ['http://security.debian.org/dists/buster/updates/{}/source/Sources.gz'.format(component)
for component in ('main', 'contrib', 'non-free')]
re_line = re.compile(
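Review bot: The LTS suite is still a literal inside the URL on the `SOURCES` line, so this file will need another hand edit at the next LTS transition, while `bin/lts-cve-triage.py` in the same merge now takes the suite from `RELEASES['lts']`; building the URL the same way, `'http://security.debian.org/dists/{}/updates/{}/source/Sources.gz'.format(RELEASES['lts'], component)`, would keep the two in step (whether `RELEASES` is importable in this script is not visible in the hunk). The URL is also plain http; unless the downloaded `Sources.gz` is verified against a signed `Release` file elsewhere in the class, switching to https removes an in-transit tampering avenue at no cost. The `LTSMissingUploads` class continues outside the hunk.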
diff --git a/bin/unsupported_packages.py b/bin/unsupported_packages.py
index 0f68305c67..c6c6fdc82f 100644
--- a/bin/unsupported_packages.py
+++ b/bin/unsupported_packages.py
@@ -13,6 +13,9 @@
# You should have received a copy of the GNU General Public License
# along with this file. If not, see <https://www.gnu.org/licenses/>.
+import setup_paths # noqa # pylint: disable=unused-import
+
+import config
import os
import re
import requests
@@ -49,8 +52,11 @@ class UnsupportedPackages(DebSecSupport):
URL = "https://salsa.debian.org/debian/debian-security-support/raw/master/security-support-ended.deb{}"
CACHED_DATA_PATH = "~/.cache/security-support-ended.deb{}"
- def __init__(self, debian_version, update_cache=True):
- self.debian_version = debian_version
+ def __init__(self, codename, update_cache=True):
+ # codename to version number
+ dists = list(config.get_config().keys())
+ self.debian_version = dists.index(codename) + 1
+
self.url = self.URL.format(self.debian_version)
self.cache = os.path.expanduser(self.CACHED_DATA_PATH).format(
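Review bot: The new `self.debian_version = dists.index(codename) + 1` ties the Debian release number to the codename's position in the config's key order, so it is only correct if `config.get_config()` lists every release in order starting from the one numbered 1, which I cannot confirm from the hunk; the old code passed `10` explicitly, and a config that starts at a later release would silently produce the wrong number and hence the wrong `URL`/cache path. An unknown codename also surfaces as a bare `ValueError` from `list.index` that does not name the value. I would add a comment stating the assumption, `# assumes config keys are every release oldest-first, so index+1 is the Debian major version`, and an explicit guard before the lookup, `if codename not in dists: raise ValueError('unknown codename: ' + codename)`; if the config entries carry a version number themselves, reading that would be more robust still. The rest of `__init__` continues outside the hunk.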
diff --git a/conf/cvelist.el b/conf/cvelist.el
index 86bac21211..9ccb8e4aea 100644
--- a/conf/cvelist.el
+++ b/conf/cvelist.el
@@ -18,6 +18,7 @@
(setq last-nfu "")
(setq bugnum "")
(setq newsrcpkg "")
+(setq default_distro "bullseye")
; TODO: Tab completion for existing NFUs
(defun debian-cvelist-insert-not-for-us ()
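Review bot: `(setq default_distro "bullseye")` introduces a global with no `defvar`/`defcustom` declaration, so the byte-compiler reports an assignment to a free variable and the value cannot be customised per user, even though the same variable is consumed in the three later hunks of this file. It follows the existing `setq` style of the surrounding lines, but a declaration such as `(defvar default_distro "bullseye" "Suite tag inserted by the debian-cvelist-insert-* commands.")` documents the intent; the underscore name is also unusual for Emacs Lisp, where `default-distro` would be conventional, though renaming touches every use site. The TODO further down about reading the supported distros from central config still applies to this value.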
@@ -48,7 +49,7 @@
(setq srcpkg (thing-at-point 'filename))
(next-line)
(beginning-of-line)
- (insert (concat "\t[buster] - " srcpkg " <no-dsa> (" reason ")\n" )))
+ (insert (concat "\t[" default_distro "] - " srcpkg " <no-dsa> (" reason ")\n" )))
(defun debian-cvelist-insert-postponed ()
"Insert postponed comment based on the current source entry."
@@ -57,7 +58,7 @@
(setq srcpkg (thing-at-point 'filename))
(next-line)
(beginning-of-line)
- (insert (concat "\t[buster] - " srcpkg " <postponed> (" reason ")\n" )))
+ (insert (concat "\t[" default_distro "] - " srcpkg " <postponed> (" reason ")\n" )))
; TODO: Read supported distros from central config and prompt for applicable suites
(defun debian-cvelist-insert-not-affected ()
@@ -67,7 +68,7 @@
(setq srcpkg (thing-at-point 'filename))
(next-line)
(beginning-of-line)
- (insert (concat "\t[buster] - " srcpkg " <not-affected> (" reason ")\n" )))
+ (insert (concat "\t[" default_distro "] - " srcpkg " <not-affected> (" reason ")\n" )))
; TODO: Parse existing source entries for buffer tab completion
(defun debian-cvelist-insert-srcentry ()
diff --git a/data/CVE/list b/data/CVE/list
index 04191ba2e8..0c2e681153 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,3422 @@
+CVE-2022-38368 (An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x ...)
+ NOT-FOR-US: Aviatrix Gateway
+CVE-2022-38367
+ RESERVED
+CVE-2022-38366
+ RESERVED
+CVE-2022-38365
+ RESERVED
+CVE-2022-38364
+ RESERVED
+CVE-2022-38363
+ RESERVED
+CVE-2022-2829
+ RESERVED
+CVE-2022-2828
+ RESERVED
+CVE-2022-2827
+ RESERVED
+CVE-2022-2826
+ RESERVED
+CVE-2022-38362
+ RESERVED
+CVE-2022-38361
+ RESERVED
+CVE-2022-38360
+ RESERVED
+CVE-2022-38359 (Cross-site request forgery attacks can be carried out against the Eyes ...)
+ TODO: check
+CVE-2022-38358 (Improper neutralization of input during web page generation leaves the ...)
+ TODO: check
+CVE-2022-38357 (Improper neutralization of special elements leaves the Eyes of Network ...)
+ TODO: check
+CVE-2022-38354
+ RESERVED
+CVE-2022-38353
+ RESERVED
+CVE-2022-38352
+ RESERVED
+CVE-2022-38351
+ RESERVED
+CVE-2022-38350
+ RESERVED
+CVE-2022-38349
+ RESERVED
+CVE-2022-38348
+ RESERVED
+CVE-2022-38347
+ RESERVED
+CVE-2022-38346
+ RESERVED
+CVE-2022-38345
+ RESERVED
+CVE-2022-38344
+ RESERVED
+CVE-2022-38343
+ RESERVED
+CVE-2022-38342
+ RESERVED
+CVE-2022-38341
+ RESERVED
+CVE-2022-38340
+ RESERVED
+CVE-2022-38339
+ RESERVED
+CVE-2022-38338
+ RESERVED
+CVE-2022-38337
+ RESERVED
+CVE-2022-38336
+ RESERVED
+CVE-2022-38335
+ RESERVED
+CVE-2022-38334
+ RESERVED
+CVE-2022-38333
+ RESERVED
+CVE-2022-38332
+ RESERVED
+CVE-2022-38331
+ RESERVED
+CVE-2022-38330
+ RESERVED
+CVE-2022-38329
+ RESERVED
+CVE-2022-38328
+ RESERVED
+CVE-2022-38327
+ RESERVED
+CVE-2022-38326
+ RESERVED
+CVE-2022-38325
+ RESERVED
+CVE-2022-38324
+ RESERVED
+CVE-2022-38323
+ RESERVED
+CVE-2022-38322
+ RESERVED
+CVE-2022-38321
+ RESERVED
+CVE-2022-38320
+ RESERVED
+CVE-2022-38319
+ RESERVED
+CVE-2022-38318
+ RESERVED
+CVE-2022-38317
+ RESERVED
+CVE-2022-38316
+ RESERVED
+CVE-2022-38315
+ RESERVED
+CVE-2022-38314
+ RESERVED
+CVE-2022-38313
+ RESERVED
+CVE-2022-38312
+ RESERVED
+CVE-2022-38311
+ RESERVED
+CVE-2022-38310
+ RESERVED
+CVE-2022-38309
+ RESERVED
+CVE-2022-38308
+ RESERVED
+CVE-2022-38307
+ RESERVED
+CVE-2022-38306
+ RESERVED
+CVE-2022-36403
+ RESERVED
+CVE-2022-2825
+ RESERVED
+CVE-2022-2824 (Improper Access Control in GitHub repository openemr/openemr prior to ...)
+ NOT-FOR-US: OpenEMR
+CVE-2022-2823
+ RESERVED
+CVE-2022-2822 (An attacker can freely brute force username and password and can takeo ...)
+ - octoprint <itp> (bug #718591)
+CVE-2022-2821 (Missing Critical Step in Authentication in GitHub repository namelessm ...)
+ NOT-FOR-US: NamelessMC/Nameless
+CVE-2022-2820 (Improper Access Control in GitHub repository namelessmc/nameless prior ...)
+ NOT-FOR-US: NamelessMC/Nameless
+CVE-2022-2819 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...)
+ - vim <unfixed>
+ NOTE: https://huntr.dev/bounties/0a9bd71e-66b8-4eb1-9566-7dfd9b097e59
+ NOTE: https://github.com/vim/vim/commit/d1d8f6bacb489036d0fd479c9dd3c0102c988889 (v9.0.0211)
+CVE-2022-2818 (Authentication Bypass by Primary Weakness in GitHub repository cockpit ...)
+ NOT-FOR-US: Cockpit-HQ/Cockpit
+CVE-2022-38305
+ RESERVED
+CVE-2022-38304
+ RESERVED
+CVE-2022-38303
+ RESERVED
+CVE-2022-38302
+ RESERVED
+CVE-2022-38301
+ RESERVED
+CVE-2022-38300
+ RESERVED
+CVE-2022-38299
+ RESERVED
+CVE-2022-38298
+ RESERVED
+CVE-2022-38297
+ RESERVED
+CVE-2022-38296
+ RESERVED
+CVE-2022-38295
+ RESERVED
+CVE-2022-38294
+ RESERVED
+CVE-2022-38293
+ RESERVED
+CVE-2022-38292
+ RESERVED
+CVE-2022-38291
+ RESERVED
+CVE-2022-38290
+ RESERVED
+CVE-2022-38289
+ RESERVED
+CVE-2022-38288
+ RESERVED
+CVE-2022-38287
+ RESERVED
+CVE-2022-38286
+ RESERVED
+CVE-2022-38285
+ RESERVED
+CVE-2022-38284
+ RESERVED
+CVE-2022-38283
+ RESERVED
+CVE-2022-38282
+ RESERVED
+CVE-2022-38281
+ RESERVED
+CVE-2022-38280
+ RESERVED
+CVE-2022-38279
+ RESERVED
+CVE-2022-38278
+ RESERVED
+CVE-2022-38277
+ RESERVED
+CVE-2022-38276
+ RESERVED
+CVE-2022-38275
+ RESERVED
+CVE-2022-38274
+ RESERVED
+CVE-2022-38273
+ RESERVED
+CVE-2022-38272
+ RESERVED
+CVE-2022-38271
+ RESERVED
+CVE-2022-38270
+ RESERVED
+CVE-2022-38269
+ RESERVED
+CVE-2022-38268
+ RESERVED
+CVE-2022-38267
+ RESERVED
+CVE-2022-38266
+ RESERVED
+CVE-2022-38265
+ RESERVED
+CVE-2022-38264
+ RESERVED
+CVE-2022-38263
+ RESERVED
+CVE-2022-38262
+ RESERVED
+CVE-2022-38261
+ RESERVED
+CVE-2022-38260
+ RESERVED
+CVE-2022-38259
+ RESERVED
+CVE-2022-38258
+ RESERVED
+CVE-2022-38257
+ RESERVED
+CVE-2022-38256
+ RESERVED
+CVE-2022-38255
+ RESERVED
+CVE-2022-38254
+ RESERVED
+CVE-2022-38253
+ RESERVED
+CVE-2022-38252
+ RESERVED
+CVE-2022-38251
+ RESERVED
+CVE-2022-38250
+ RESERVED
+CVE-2022-38249
+ RESERVED
+CVE-2022-38248
+ RESERVED
+CVE-2022-38247
+ RESERVED
+CVE-2022-38246
+ RESERVED
+CVE-2022-38245
+ RESERVED
+CVE-2022-38244
+ RESERVED
+CVE-2022-38243
+ RESERVED
+CVE-2022-38242
+ RESERVED
+CVE-2022-38241
+ RESERVED
+CVE-2022-38240
+ RESERVED
+CVE-2022-38239
+ RESERVED
+CVE-2022-38238
+ RESERVED
+CVE-2022-38237
+ RESERVED
+CVE-2022-38236
+ RESERVED
+CVE-2022-38235
+ RESERVED
+CVE-2022-38234
+ RESERVED
+CVE-2022-38233
+ RESERVED
+CVE-2022-38232
+ RESERVED
+CVE-2022-38231
+ RESERVED
+CVE-2022-38230
+ RESERVED
+CVE-2022-38229
+ RESERVED
+CVE-2022-38228
+ RESERVED
+CVE-2022-38227
+ RESERVED
+CVE-2022-38226
+ RESERVED
+CVE-2022-38225
+ RESERVED
+CVE-2022-38224
+ RESERVED
+CVE-2022-38223 (There is an out-of-bounds write in checkType located in etc.c in w3m 0 ...)
+ - w3m <unfixed>
+ [bullseye] - w3m <no-dsa> (Minor issue)
+ [buster] - w3m <no-dsa> (Minor issue)
+ NOTE: https://github.com/tats/w3m/issues/242
+CVE-2022-38222 (There is a use-after-free issue in JBIG2Stream::close() located in JBI ...)
+ TODO: check
+CVE-2022-38221 (A buffer overflow in the FTcpListener thread in The Isle Evrima (the d ...)
+ NOT-FOR-US: The Isle Evrima
+CVE-2022-38220
+ RESERVED
+CVE-2022-38219
+ RESERVED
+CVE-2022-38218
+ RESERVED
+CVE-2022-2817 (Use After Free in GitHub repository vim/vim prior to 9.0.0212. ...)
+ - vim <unfixed>
+ NOTE: https://huntr.dev/bounties/a7b7d242-3d88-4bde-a681-6c986aff886f
+ NOTE: https://github.com/vim/vim/commit/249e1b903a9c0460d618f6dcc59aeb8c03b24b20 (v9.0.0213)
+CVE-2022-2816 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0211. ...)
+ - vim <unfixed>
+ NOTE: https://huntr.dev/bounties/e2a83037-fcf9-4218-b2b9-b7507dacde58
+ NOTE: https://github.com/vim/vim/commit/dbdd16b62560413abcc3c8e893cc3010ccf31666 (v9.0.0212)
+CVE-2022-38217
+ RESERVED
+CVE-2022-2815
+ RESERVED
+CVE-2022-2814 (A vulnerability has been found in SourceCodester Simple and Nice Shopp ...)
+ NOT-FOR-US: SourceCodester Simple and Nice Shopping Cart Script
+CVE-2022-2813 (A vulnerability, which was classified as problematic, was found in Sou ...)
+ NOT-FOR-US: SourceCodester
+CVE-2022-2812 (A vulnerability classified as critical was found in SourceCodester Gue ...)
+ NOT-FOR-US: SourceCodester
+CVE-2022-2811 (A vulnerability classified as problematic has been found in SourceCode ...)
+ NOT-FOR-US: SourceCodester
+CVE-2022-2810
+ RESERVED
+CVE-2022-38216 (An integer overflow exists in Mapbox's closed source gl-native library ...)
+ TODO: check
+CVE-2022-38215
+ RESERVED
+CVE-2022-38214
+ RESERVED
+CVE-2022-38213
+ RESERVED
+CVE-2022-38212
+ RESERVED
+CVE-2022-38211
+ RESERVED
+CVE-2022-38210
+ RESERVED
+CVE-2022-38209
+ RESERVED
+CVE-2022-38208
+ RESERVED
+CVE-2022-38207
+ RESERVED
+CVE-2022-38206
+ RESERVED
+CVE-2022-38205
+ RESERVED
+CVE-2022-38204
+ RESERVED
+CVE-2022-38203
+ RESERVED
+CVE-2022-38202
+ RESERVED
+CVE-2022-38201
+ RESERVED
+CVE-2022-38200
+ RESERVED
+CVE-2022-38199
+ RESERVED
+CVE-2022-38198
+ RESERVED
+CVE-2022-38197
+ RESERVED
+CVE-2022-38196
+ RESERVED
+CVE-2022-38195
+ RESERVED
+CVE-2022-38194
+ RESERVED
+CVE-2022-38193
+ RESERVED
+CVE-2022-38192
+ RESERVED
+CVE-2022-38191 (There is an HTML injection issue in Esri Portal for ArcGIS versions 10 ...)
+ NOT-FOR-US: Esri Portal for ArcGIS
+CVE-2022-38190 (A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for A ...)
+ NOT-FOR-US: Esri Portal for ArcGIS
+CVE-2022-38189
+ RESERVED
+CVE-2022-38188 (There is a reflected XSS vulnerability in Esri Portal for ArcGIS versi ...)
+ NOT-FOR-US: Esri Portal for ArcGIS
+CVE-2022-38187 (Prior to version 10.9.0, the sharing/rest/content/features/analyze end ...)
+ NOT-FOR-US: Esri Portal for ArcGIS
+CVE-2022-38186 (There is a reflected XSS vulnerability in Esri Portal for ArcGIS versi ...)
+ NOT-FOR-US: Esri Portal for ArcGIS
+CVE-2022-38185
+ RESERVED
+CVE-2022-38184
+ RESERVED
+CVE-2022-38183 (In Gitea before 1.16.9, it was possible for users to add existing issu ...)
+ - gitea <removed>
+CVE-2022-38182
+ RESERVED
+CVE-2022-38181
+ RESERVED
+CVE-2022-2809
+ RESERVED
+CVE-2022-38180 (In JetBrains Ktor before 2.1.0 the wrong authentication provider could ...)
+ NOT-FOR-US: JetBrains Ktor
+CVE-2022-38179 (JetBrains Ktor before 2.1.0 was vulnerable to the Reflect File Downloa ...)
+ NOT-FOR-US: JetBrains Ktor
+CVE-2022-38178
+ RESERVED
+CVE-2022-38177
+ RESERVED
+CVE-2022-2808
+ RESERVED
+CVE-2022-2807
+ RESERVED
+CVE-2022-2806
+ RESERVED
+CVE-2022-2805
+ RESERVED
+CVE-2022-2804 (A vulnerability was found in SourceCodester Zoo Management System. It ...)
+ NOT-FOR-US: SourceCodester Zoo Management System
+CVE-2022-2803 (A vulnerability was found in SourceCodester Zoo Management System and ...)
+ NOT-FOR-US: SourceCodester Zoo Management System
+CVE-2022-2802 (A vulnerability has been found in SourceCodester Gas Agency Management ...)
+ NOT-FOR-US: SourceCodester Gas Agency Management System
+CVE-2022-2801 (A vulnerability, which was classified as critical, was found in Source ...)
+ NOT-FOR-US: SourceCodester Automated Beer Parlour Billing System
+CVE-2022-2800 (A vulnerability, which was classified as problematic, has been found i ...)
+ NOT-FOR-US: SourceCodester Gym Management System
+CVE-2022-2799
+ RESERVED
+CVE-2022-2798
+ RESERVED
+CVE-2022-2797 (A vulnerability classified as critical was found in SourceCodester Stu ...)
+ NOT-FOR-US: SourceCodester Student Information System
+CVE-2022-2796
+ RESERVED
+CVE-2022-2795
+ RESERVED
+CVE-2022-38176
+ RESERVED
+CVE-2022-38175
+ RESERVED
+CVE-2022-38174
+ RESERVED
+CVE-2022-38173
+ RESERVED
+CVE-2022-38172
+ RESERVED
+CVE-2022-38171
+ RESERVED
+CVE-2022-2794
+ RESERVED
+CVE-2022-2793
+ RESERVED
+CVE-2022-2792
+ RESERVED
+CVE-2022-2791
+ RESERVED
+CVE-2022-2790
+ RESERVED
+CVE-2022-2789
+ RESERVED
+CVE-2022-2788
+ RESERVED
+CVE-2022-2787
+ RESERVED
+ - schroot 1.6.12-2
+ NOTE: https://codeberg.org/shelter/reschroot/commit/6f7166a285e1e97aea390be633591f9791b29a6d
+CVE-2022-38170
+ RESERVED
+CVE-2022-38082
+ RESERVED
+CVE-2022-2786
+ RESERVED
+CVE-2022-2785
+ RESERVED
+CVE-2022-2784
+ RESERVED
+CVE-2022-2783
+ RESERVED
+CVE-2022-2782
+ RESERVED
+CVE-2022-2781
+ RESERVED
+CVE-2022-2780
+ RESERVED
+CVE-2022-2779 (A vulnerability classified as critical was found in SourceCodester Gas ...)
+ NOT-FOR-US: SourceCodester Gas Agency Management System
+CVE-2022-2778
+ RESERVED
+CVE-2022-2777 (Cross-site Scripting (XSS) - Stored in GitHub repository microweber/mi ...)
+ NOT-FOR-US: microweber
+CVE-2022-2776 (A vulnerability classified as problematic has been found in SourceCode ...)
+ NOT-FOR-US: SourceCodester Gym Management System
+CVE-2022-2775
+ RESERVED
+CVE-2022-2774 (A vulnerability was found in SourceCodester Library Management System. ...)
+ NOT-FOR-US: SourceCodester Library Management System
+CVE-2022-2773 (A vulnerability was found in SourceCodester Apartment Visitor Manageme ...)
+ NOT-FOR-US: SourceCodester Apartment Visitor Management System
+CVE-2022-2772 (A vulnerability was found in SourceCodester Apartment Visitor Manageme ...)
+ NOT-FOR-US: SourceCodester Apartment Visitor Management System
+CVE-2022-2771 (A vulnerability has been found in SourceCodester Simple Online Book St ...)
+ NOT-FOR-US: SourceCodester Simple Online Book Store System
+CVE-2022-2770 (A vulnerability, which was classified as critical, was found in Source ...)
+ NOT-FOR-US: SourceCodester Simple Online Book Store System
+CVE-2022-2769 (A vulnerability, which was classified as problematic, has been found i ...)
+ NOT-FOR-US: SourceCodester Company Website CMS
+CVE-2022-2768 (A vulnerability classified as problematic was found in SourceCodester ...)
+ NOT-FOR-US: SourceCodester Library Management System
+CVE-2022-2767 (A vulnerability classified as problematic has been found in SourceCode ...)
+ NOT-FOR-US: SourceCodester Online Admission System
+CVE-2022-2766 (A vulnerability was found in SourceCodester Loan Management System. It ...)
+ NOT-FOR-US: SourceCodester Loan Management System
+CVE-2022-2765 (A vulnerability was found in SourceCodester Company Website CMS 1.0. I ...)
+ NOT-FOR-US: SourceCodester Company Website CMS
+CVE-2022-2764
+ RESERVED
+CVE-2022-2763
+ RESERVED
+CVE-2022-2762
+ RESERVED
+CVE-2022-2761
+ RESERVED
+CVE-2022-2760
+ RESERVED
+CVE-2022-38169
+ RESERVED
+CVE-2022-38168
+ RESERVED
+CVE-2022-38167
+ RESERVED
+CVE-2022-38166
+ RESERVED
+CVE-2022-38165
+ RESERVED
+CVE-2022-38164
+ RESERVED
+CVE-2022-38163
+ RESERVED
+CVE-2022-38162
+ RESERVED
+CVE-2022-38161 (The Gumstix Overo SBC on the VSKS board through 2022-08-09, as used on ...)
+ NOT-FOR-US: Gumstix Overo SBC
+CVE-2022-38160
+ RESERVED
+CVE-2022-38159
+ RESERVED
+CVE-2022-38158
+ RESERVED
+CVE-2022-38157
+ RESERVED
+CVE-2022-38156
+ RESERVED
+CVE-2022-38155 (TEE_Malloc in Samsung mTower through 0.3.0 allows a trusted applicatio ...)
+ NOT-FOR-US: Samsung mTower
+CVE-2022-38154
+ RESERVED
+CVE-2022-38153
+ RESERVED
+CVE-2022-38152
+ RESERVED
+CVE-2022-38151
+ RESERVED
+CVE-2022-38149
+ RESERVED
+CVE-2022-38148
+ RESERVED
+CVE-2022-38147
+ RESERVED
+CVE-2022-38146
+ RESERVED
+CVE-2022-38145
+ RESERVED
+CVE-2022-38133 (In JetBrains TeamCity before 2022.04.3 the private SSH key could be wr ...)
+ NOT-FOR-US: JetBrains TeamCity
+CVE-2022-38132
+ RESERVED
+CVE-2022-38131
+ RESERVED
+CVE-2022-38130 (The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip ...)
+ NOT-FOR-US: Keysight Sensor Management Server
+CVE-2022-38129 (A path traversal vulnerability exists in the com.keysight.tentacle.lic ...)
+ NOT-FOR-US: Keysight Sensor Management Server
+CVE-2022-38128
+ RESERVED
+CVE-2022-38127
+ RESERVED
+CVE-2022-38126
+ RESERVED
+CVE-2022-38125
+ RESERVED
+CVE-2022-38124
+ RESERVED
+CVE-2022-38123
+ RESERVED
+CVE-2022-38122
+ RESERVED
+CVE-2022-38121
+ RESERVED
+CVE-2022-38120
+ RESERVED
+CVE-2022-38119
+ RESERVED
+CVE-2022-38118
+ RESERVED
+CVE-2022-38117
+ RESERVED
+CVE-2022-38116
+ RESERVED
+CVE-2022-38103
+ RESERVED
+CVE-2022-38092
+ RESERVED
+CVE-2022-38087
+ RESERVED
+CVE-2022-38076
+ RESERVED
+CVE-2022-38060
+ RESERVED
+CVE-2022-38056
+ RESERVED
+CVE-2022-37336
+ RESERVED
+CVE-2022-37329
+ RESERVED
+CVE-2022-36406
+ RESERVED
+CVE-2022-36351
+ RESERVED
+CVE-2022-33893
+ RESERVED
+CVE-2022-2759
+ RESERVED
+CVE-2022-2758
+ RESERVED
+CVE-2022-2757
+ RESERVED
+CVE-2022-2756 (Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavi ...)
+ NOT-FOR-US: Kareadita/Kavita
+CVE-2022-2755
+ RESERVED
+CVE-2022-2754
+ RESERVED
+CVE-2022-2753
+ RESERVED
+CVE-2022-2752
+ RESERVED
+CVE-2022-2751 (A vulnerability was found in SourceCodester Company Website CMS and cl ...)
+ NOT-FOR-US: SourceCodester Company Website CMS
+CVE-2022-2750 (A vulnerability, which was classified as critical, was found in Source ...)
+ NOT-FOR-US: SourceCodester Company Website CMS
+CVE-2022-2749 (A vulnerability was found in SourceCodester Gym Management System. It ...)
+ NOT-FOR-US: SourceCodester Gym Management System
+CVE-2022-2748 (A vulnerability was found in SourceCodester Simple Online Book Store S ...)
+ NOT-FOR-US: SourceCodester Simple Online Book Store System
+CVE-2022-2747 (A vulnerability was found in SourceCodester Simple Online Book Store a ...)
+ NOT-FOR-US: SourceCodester Simple Online Book Store System
+CVE-2022-2746 (A vulnerability has been found in SourceCodester Simple Online Book St ...)
+ NOT-FOR-US: SourceCodester Simple Online Book Store System
+CVE-2022-2745 (A vulnerability, which was classified as critical, was found in Source ...)
+ NOT-FOR-US: SourceCodester Gym Management System
+CVE-2022-2744 (A vulnerability, which was classified as critical, has been found in S ...)
+ NOT-FOR-US: SourceCodester Gym Management System
+CVE-2022-38150 (In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cau ...)
+ - varnish 7.1.1-1
+ [bullseye] - varnish <not-affected> (Vulnerable code not present)
+ [buster] - varnish <not-affected> (Vulnerable code not present)
+ NOTE: https://varnish-cache.org/security/VSV00009.html
+ NOTE: Introduced by: https://github.com/varnishcache/varnish-cache/commit/f4dffe593b04a33f07423db3f9dc69eb428b2e85 (varnish-7.0.0)
+ NOTE: Fixed by: https://github.com/varnishcache/varnish-cache/commit/c5fd097e5cce8b461c6443af02b3448baef2491d (master)
+ NOTE: Fixed by: https://github.com/varnishcache/varnish-cache/commit/19544fdc6649bd294f25314d9f609b4979b1fe48 (varnish-7.1.1)
+CVE-2022-38115
+ RESERVED
+CVE-2022-38114
+ RESERVED
+CVE-2022-38113
+ RESERVED
+CVE-2022-38112
+ RESERVED
+CVE-2022-38111
+ RESERVED
+CVE-2022-38110
+ RESERVED
+CVE-2022-38109
+ RESERVED
+CVE-2022-38108
+ RESERVED
+CVE-2022-38107
+ RESERVED
+CVE-2022-38106
+ RESERVED
+CVE-2022-38093
+ RESERVED
+CVE-2022-38070
+ RESERVED
+CVE-2022-38068
+ RESERVED
+CVE-2022-38067
+ RESERVED
+CVE-2022-38062
+ RESERVED
+CVE-2022-38061
+ RESERVED
+CVE-2022-38059
+ RESERVED
+CVE-2022-38058
+ RESERVED
+CVE-2022-38054
+ RESERVED
+CVE-2022-37412
+ RESERVED
+CVE-2022-37411
+ RESERVED
+CVE-2022-37407
+ RESERVED
+CVE-2022-37405
+ RESERVED
+CVE-2022-37404
+ RESERVED
+CVE-2022-37403
+ RESERVED
+CVE-2022-37402
+ RESERVED
+CVE-2022-37344
+ RESERVED
+CVE-2022-37339
+ RESERVED
+CVE-2022-37338
+ RESERVED
+CVE-2022-37335
+ RESERVED
+CVE-2022-37330
+ RESERVED
+CVE-2022-37328
+ RESERVED
+CVE-2022-36798
+ RESERVED
+CVE-2022-36796
+ RESERVED
+CVE-2022-36793
+ RESERVED
+CVE-2022-36791
+ RESERVED
+CVE-2022-36428
+ RESERVED
+CVE-2022-36427
+ RESERVED
+CVE-2022-36425
+ RESERVED
+CVE-2022-36422
+ RESERVED
+CVE-2022-36405
+ RESERVED
+CVE-2022-36394
+ RESERVED
+CVE-2022-36390
+ RESERVED
+CVE-2022-36387
+ RESERVED
+CVE-2022-36383
+ RESERVED
+CVE-2022-36376
+ RESERVED
+CVE-2022-36373
+ RESERVED
+CVE-2022-36365
+ RESERVED
+CVE-2022-36358
+ RESERVED
+CVE-2022-36355
+ RESERVED
+CVE-2022-36352
+ RESERVED
+CVE-2022-36347
+ RESERVED
+CVE-2022-36345
+ RESERVED
+CVE-2022-35726
+ RESERVED
+CVE-2022-35725
+ RESERVED
+CVE-2022-35277
+ RESERVED
+CVE-2022-35275
+ RESERVED
+CVE-2022-35242
+ RESERVED
+CVE-2022-35235
+ RESERVED
+CVE-2022-31474
+ RESERVED
+CVE-2022-29476
+ RESERVED
+CVE-2022-2743
+ RESERVED
+CVE-2022-2742
+ RESERVED
+CVE-2022-2741
+ RESERVED
+CVE-2022-2740 (A vulnerability was found in SourceCodester Company Website CMS. It ha ...)
+ NOT-FOR-US: SourceCodester Company Website CMS
+CVE-2022-2739
+ RESERVED
+CVE-2022-2738
+ RESERVED
+CVE-2022-2737
+ RESERVED
+CVE-2022-2736 (A vulnerability was found in SourceCodester Company Website CMS. It ha ...)
+ NOT-FOR-US: SourceCodester Company Website CMS
+CVE-2022-2735
+ RESERVED
+CVE-2022-2734 (Improper Restriction of Rendered UI Layers or Frames in GitHub reposit ...)
+ NOT-FOR-US: OpenEMR
+CVE-2022-2733 (Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/op ...)
+ NOT-FOR-US: OpenEMR
+CVE-2022-2732 (Improper Privilege Management in GitHub repository openemr/openemr pri ...)
+ NOT-FOR-US: OpenEMR
+CVE-2022-2731 (Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/op ...)
+ NOT-FOR-US: OpenEMR
+CVE-2022-2730 (Authorization Bypass Through User-Controlled Key in GitHub repository ...)
+ NOT-FOR-US: OpenEMR
+CVE-2022-2729 (Cross-site Scripting (XSS) - DOM in GitHub repository openemr/openemr ...)
+ NOT-FOR-US: OpenEMR
+CVE-2022-2728 (A vulnerability was found in SourceCodester Gym Management System. It ...)
+ NOT-FOR-US: SourceCodester Gym Management System
+CVE-2022-2727 (A vulnerability was found in SourceCodester Gym Management System. It ...)
+ NOT-FOR-US: SourceCodester Gym Management System
+CVE-2022-2726 (A vulnerability classified as critical has been found in SEMCMS. This ...)
+ NOT-FOR-US: SEMCMS
+CVE-2022-38053
+ RESERVED
+CVE-2022-38052
+ RESERVED
+CVE-2022-38051
+ RESERVED
+CVE-2022-38050
+ RESERVED
+CVE-2022-38049
+ RESERVED
+CVE-2022-38048
+ RESERVED
+CVE-2022-38047
+ RESERVED
+CVE-2022-38046
+ RESERVED
+CVE-2022-38045
+ RESERVED
+CVE-2022-38044
+ RESERVED
+CVE-2022-38043
+ RESERVED
+CVE-2022-38042
+ RESERVED
+CVE-2022-38041
+ RESERVED
+CVE-2022-38040
+ RESERVED
+CVE-2022-38039
+ RESERVED
+CVE-2022-38038
+ RESERVED
+CVE-2022-38037
+ RESERVED
+CVE-2022-38036
+ RESERVED
+CVE-2022-38035
+ RESERVED
+CVE-2022-38034
+ RESERVED
+CVE-2022-38033
+ RESERVED
+CVE-2022-38032
+ RESERVED
+CVE-2022-38031
+ RESERVED
+CVE-2022-38030
+ RESERVED
+CVE-2022-38029
+ RESERVED
+CVE-2022-38028
+ RESERVED
+CVE-2022-38027
+ RESERVED
+CVE-2022-38026
+ RESERVED
+CVE-2022-38025
+ RESERVED
+CVE-2022-38024
+ RESERVED
+CVE-2022-38023
+ RESERVED
+CVE-2022-38022
+ RESERVED
+CVE-2022-38021
+ RESERVED
+CVE-2022-38020
+ RESERVED
+CVE-2022-38019
+ RESERVED
+CVE-2022-38018
+ RESERVED
+CVE-2022-38017
+ RESERVED
+CVE-2022-38016
+ RESERVED
+CVE-2022-38015
+ RESERVED
+CVE-2022-38014
+ RESERVED
+CVE-2022-38013
+ RESERVED
+CVE-2022-38012
+ RESERVED
+CVE-2022-38011
+ RESERVED
+CVE-2022-38010
+ RESERVED
+CVE-2022-38009
+ RESERVED
+CVE-2022-38008
+ RESERVED
+CVE-2022-38007
+ RESERVED
+CVE-2022-38006
+ RESERVED
+CVE-2022-38005
+ RESERVED
+CVE-2022-38004
+ RESERVED
+CVE-2022-38003
+ RESERVED
+CVE-2022-38002
+ RESERVED
+CVE-2022-38001
+ RESERVED
+CVE-2022-38000
+ RESERVED
+CVE-2022-37999
+ RESERVED
+CVE-2022-37998
+ RESERVED
+CVE-2022-37997
+ RESERVED
+CVE-2022-37996
+ RESERVED
+CVE-2022-37995
+ RESERVED
+CVE-2022-37994
+ RESERVED
+CVE-2022-37993
+ RESERVED
+CVE-2022-37992
+ RESERVED
+CVE-2022-37991
+ RESERVED
+CVE-2022-37990
+ RESERVED
+CVE-2022-37989
+ RESERVED
+CVE-2022-37988
+ RESERVED
+CVE-2022-37987
+ RESERVED
+CVE-2022-37986
+ RESERVED
+CVE-2022-37985
+ RESERVED
+CVE-2022-37984
+ RESERVED
+CVE-2022-37983
+ RESERVED
+CVE-2022-37982
+ RESERVED
+CVE-2022-37981
+ RESERVED
+CVE-2022-37980
+ RESERVED
+CVE-2022-37979
+ RESERVED
+CVE-2022-37978
+ RESERVED
+CVE-2022-37977
+ RESERVED
+CVE-2022-37976
+ RESERVED
+CVE-2022-37975
+ RESERVED
+CVE-2022-37974
+ RESERVED
+CVE-2022-37973
+ RESERVED
+CVE-2022-37972
+ RESERVED
+CVE-2022-37971
+ RESERVED
+CVE-2022-37970
+ RESERVED
+CVE-2022-37969
+ RESERVED
+CVE-2022-37968
+ RESERVED
+CVE-2022-37967
+ RESERVED
+CVE-2022-37966
+ RESERVED
+CVE-2022-37965
+ RESERVED
+CVE-2022-37964
+ RESERVED
+CVE-2022-37963
+ RESERVED
+CVE-2022-37962
+ RESERVED
+CVE-2022-37961
+ RESERVED
+CVE-2022-37960
+ RESERVED
+CVE-2022-37959
+ RESERVED
+CVE-2022-37958
+ RESERVED
+CVE-2022-37957
+ RESERVED
+CVE-2022-37956
+ RESERVED
+CVE-2022-37955
+ RESERVED
+CVE-2022-37954
+ RESERVED
+CVE-2022-37953
+ RESERVED
+CVE-2022-37952
+ RESERVED
+CVE-2022-37951
+ RESERVED
+CVE-2022-37950
+ RESERVED
+CVE-2022-37949
+ RESERVED
+CVE-2022-37948
+ RESERVED
+CVE-2022-37947
+ RESERVED
+CVE-2022-37946
+ RESERVED
+CVE-2022-37945
+ RESERVED
+CVE-2022-37944
+ RESERVED
+CVE-2022-37943
+ RESERVED
+CVE-2022-37942
+ RESERVED
+CVE-2022-37941
+ RESERVED
+CVE-2022-37940
+ RESERVED
+CVE-2022-37939
+ RESERVED
+CVE-2022-37938
+ RESERVED
+CVE-2022-37937
+ RESERVED
+CVE-2022-37936
+ RESERVED
+CVE-2022-37935
+ RESERVED
+CVE-2022-37934
+ RESERVED
+CVE-2022-37933
+ RESERVED
+CVE-2022-37932
+ RESERVED
+CVE-2022-37931
+ RESERVED
+CVE-2022-37930
+ RESERVED
+CVE-2022-37929
+ RESERVED
+CVE-2022-37928
+ RESERVED
+CVE-2022-37927
+ RESERVED
+CVE-2022-37926
+ RESERVED
+CVE-2022-37925
+ RESERVED
+CVE-2022-37924
+ RESERVED
+CVE-2022-37923
+ RESERVED
+CVE-2022-37922
+ RESERVED
+CVE-2022-37921
+ RESERVED
+CVE-2022-37920
+ RESERVED
+CVE-2022-37919
+ RESERVED
+CVE-2022-37918
+ RESERVED
+CVE-2022-37917
+ RESERVED
+CVE-2022-37916
+ RESERVED
+CVE-2022-37915
+ RESERVED
+CVE-2022-37914
+ RESERVED
+CVE-2022-37913
+ RESERVED
+CVE-2022-37912
+ RESERVED
+CVE-2022-37911
+ RESERVED
+CVE-2022-37910
+ RESERVED
+CVE-2022-37909
+ RESERVED
+CVE-2022-37908
+ RESERVED
+CVE-2022-37907
+ RESERVED
+CVE-2022-37906
+ RESERVED
+CVE-2022-37905
+ RESERVED
+CVE-2022-37904
+ RESERVED
+CVE-2022-37903
+ RESERVED
+CVE-2022-37902
+ RESERVED
+CVE-2022-37901
+ RESERVED
+CVE-2022-37900
+ RESERVED
+CVE-2022-37899
+ RESERVED
+CVE-2022-37898
+ RESERVED
+CVE-2022-37897
+ RESERVED
+CVE-2022-37896
+ RESERVED
+CVE-2022-37895
+ RESERVED
+CVE-2022-37894
+ RESERVED
+CVE-2022-37893
+ RESERVED
+CVE-2022-37892
+ RESERVED
+CVE-2022-37891
+ RESERVED
+CVE-2022-37890
+ RESERVED
+CVE-2022-37889
+ RESERVED
+CVE-2022-37888
+ RESERVED
+CVE-2022-37887
+ RESERVED
+CVE-2022-37886
+ RESERVED
+CVE-2022-37885
+ RESERVED
+CVE-2022-37884
+ RESERVED
+CVE-2022-37883
+ RESERVED
+CVE-2022-37882
+ RESERVED
+CVE-2022-37881
+ RESERVED
+CVE-2022-37880
+ RESERVED
+CVE-2022-37879
+ RESERVED
+CVE-2022-37878
+ RESERVED
+CVE-2022-37877
+ RESERVED
+CVE-2022-2725 (A vulnerability was found in SourceCodester Company Website CMS. It ha ...)
+ NOT-FOR-US: SourceCodester Company Website CMS
+CVE-2022-2724 (A vulnerability was found in SourceCodester Employee Management System ...)
+ NOT-FOR-US: SourceCodester Employee Management System
+CVE-2022-2723 (A vulnerability was found in SourceCodester Employee Management System ...)
+ NOT-FOR-US: SourceCodester Employee Management System
+CVE-2022-2722 (A vulnerability was found in SourceCodester Simple Student Information ...)
+ NOT-FOR-US: SourceCodester Simple Student Information System
+CVE-2022-2721
+ RESERVED
+CVE-2022-2720
+ RESERVED
+CVE-2021-46833
+ RESERVED
+CVE-2021-46832
+ RESERVED
+CVE-2022-37876
+ RESERVED
+CVE-2022-37875
+ RESERVED
+CVE-2022-37874
+ RESERVED
+CVE-2022-37873
+ RESERVED
+CVE-2022-37872
+ RESERVED
+CVE-2022-37871
+ RESERVED
+CVE-2022-37870
+ RESERVED
+CVE-2022-37869
+ RESERVED
+CVE-2022-37868
+ RESERVED
+CVE-2022-37867
+ RESERVED
+CVE-2022-37866
+ RESERVED
+CVE-2022-37865
+ RESERVED
+CVE-2022-37864
+ RESERVED
+CVE-2022-35733
+ RESERVED
+CVE-2022-2719 (In ImageMagick, a crafted file could trigger an assertion failure when ...)
+ - imagemagick <not-affected> (Specific to IM7)
+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2116537
+ NOTE: https://github.com/ImageMagick/ImageMagick/commit/716496e6df0add89e9679d6da9c0afca814cfe49
+CVE-2022-2718
+ RESERVED
+CVE-2022-2717
+ RESERVED
+CVE-2022-2716
+ RESERVED
+CVE-2022-2715 (A vulnerability has been found in SourceCodester Employee Management S ...)
+ NOT-FOR-US: SourceCodester Employee Management System
+CVE-2022-2714
+ RESERVED
+CVE-2022-2713 (Insufficient Session Expiration in GitHub repository cockpit-hq/cockpi ...)
+ NOT-FOR-US: Cockpit-HQ/Cockpit
+CVE-2022-2712
+ RESERVED
+CVE-2022-2711
+ RESERVED
+CVE-2022-2710
+ RESERVED
+CVE-2022-2709
+ RESERVED
+CVE-2022-37863
+ RESERVED
+CVE-2022-37862
+ RESERVED
+CVE-2022-37861
+ RESERVED
+CVE-2022-37860
+ RESERVED
+CVE-2022-37859
+ RESERVED
+CVE-2022-37858
+ RESERVED
+CVE-2022-37857
+ RESERVED
+CVE-2022-37856
+ RESERVED
+CVE-2022-37855
+ RESERVED
+CVE-2022-37854
+ RESERVED
+CVE-2022-37853
+ RESERVED
+CVE-2022-37852
+ RESERVED
+CVE-2022-37851
+ RESERVED
+CVE-2022-37850
+ RESERVED
+CVE-2022-37849
+ RESERVED
+CVE-2022-37848
+ RESERVED
+CVE-2022-37847
+ RESERVED
+CVE-2022-37846
+ RESERVED
+CVE-2022-37845
+ RESERVED
+CVE-2022-37844
+ RESERVED
+CVE-2022-37843
+ RESERVED
+CVE-2022-37842
+ RESERVED
+CVE-2022-37841
+ RESERVED
+CVE-2022-37840
+ RESERVED
+CVE-2022-37839
+ RESERVED
+CVE-2022-37838
+ RESERVED
+CVE-2022-37837
+ RESERVED
+CVE-2022-37836
+ RESERVED
+CVE-2022-37835
+ RESERVED
+CVE-2022-37834
+ RESERVED
+CVE-2022-37833
+ RESERVED
+CVE-2022-37832
+ RESERVED
+CVE-2022-37831
+ RESERVED
+CVE-2022-37830
+ RESERVED
+CVE-2022-37829
+ RESERVED
+CVE-2022-37828
+ RESERVED
+CVE-2022-37827
+ RESERVED
+CVE-2022-37826
+ RESERVED
+CVE-2022-37825
+ RESERVED
+CVE-2022-37824
+ RESERVED
+CVE-2022-37823
+ RESERVED
+CVE-2022-37822
+ RESERVED
+CVE-2022-37821
+ RESERVED
+CVE-2022-37820
+ RESERVED
+CVE-2022-37819
+ RESERVED
+CVE-2022-37818
+ RESERVED
+CVE-2022-37817
+ RESERVED
+CVE-2022-37816
+ RESERVED
+CVE-2022-37815
+ RESERVED
+CVE-2022-37814
+ RESERVED
+CVE-2022-37813
+ RESERVED
+CVE-2022-37812
+ RESERVED
+CVE-2022-37811
+ RESERVED
+CVE-2022-37810
+ RESERVED
+CVE-2022-37809
+ RESERVED
+CVE-2022-37808
+ RESERVED
+CVE-2022-37807
+ RESERVED
+CVE-2022-37806
+ RESERVED
+CVE-2022-37805
+ RESERVED
+CVE-2022-37804
+ RESERVED
+CVE-2022-37803
+ RESERVED
+CVE-2022-37802
+ RESERVED
+CVE-2022-37801
+ RESERVED
+CVE-2022-37800
+ RESERVED
+CVE-2022-37799
+ RESERVED
+CVE-2022-37798
+ RESERVED
+CVE-2022-37797
+ RESERVED
+CVE-2022-37796
+ RESERVED
+CVE-2022-37795
+ RESERVED
+CVE-2022-37794
+ RESERVED
+CVE-2022-37793
+ RESERVED
+CVE-2022-37792
+ RESERVED
+CVE-2022-37791
+ RESERVED
+CVE-2022-37790
+ RESERVED
+CVE-2022-37789
+ RESERVED
+CVE-2022-37788
+ RESERVED
+CVE-2022-37787
+ RESERVED
+CVE-2022-37786
+ RESERVED
+CVE-2022-37785
+ RESERVED
+CVE-2022-37784
+ RESERVED
+CVE-2022-37783
+ RESERVED
+CVE-2022-37782
+ RESERVED
+CVE-2022-37781
+ RESERVED
+CVE-2022-37780
+ RESERVED
+CVE-2022-37779
+ RESERVED
+CVE-2022-37778
+ RESERVED
+CVE-2022-37777
+ RESERVED
+CVE-2022-37776
+ RESERVED
+CVE-2022-37775
+ RESERVED
+CVE-2022-37774
+ RESERVED
+CVE-2022-37773
+ RESERVED
+CVE-2022-37772
+ RESERVED
+CVE-2022-37771
+ RESERVED
+CVE-2022-37770
+ RESERVED
+CVE-2022-37769
+ RESERVED
+CVE-2022-37768
+ RESERVED
+CVE-2022-37767
+ RESERVED
+CVE-2022-37766
+ RESERVED
+CVE-2022-37765
+ RESERVED
+CVE-2022-37764
+ RESERVED
+CVE-2022-37763
+ RESERVED
+CVE-2022-37762
+ RESERVED
+CVE-2022-37761
+ RESERVED
+CVE-2022-37760
+ RESERVED
+CVE-2022-37759
+ RESERVED
+CVE-2022-37758
+ RESERVED
+CVE-2022-37757
+ RESERVED
+CVE-2022-37756
+ RESERVED
+CVE-2022-37755
+ RESERVED
+CVE-2022-37754
+ RESERVED
+CVE-2022-37753
+ RESERVED
+CVE-2022-37752
+ RESERVED
+CVE-2022-37751
+ RESERVED
+CVE-2022-37750
+ RESERVED
+CVE-2022-37749
+ RESERVED
+CVE-2022-37748
+ RESERVED
+CVE-2022-37747
+ RESERVED
+CVE-2022-37746
+ RESERVED
+CVE-2022-37745
+ RESERVED
+CVE-2022-37744
+ RESERVED
+CVE-2022-37743
+ RESERVED
+CVE-2022-37742
+ RESERVED
+CVE-2022-37741
+ RESERVED
+CVE-2022-37740
+ RESERVED
+CVE-2022-37739
+ RESERVED
+CVE-2022-37738
+ RESERVED
+CVE-2022-37737
+ RESERVED
+CVE-2022-37736
+ RESERVED
+CVE-2022-37735
+ RESERVED
+CVE-2022-37734
+ RESERVED
+CVE-2022-37733
+ RESERVED
+CVE-2022-37732
+ RESERVED
+CVE-2022-37731
+ RESERVED
+CVE-2022-37730
+ RESERVED
+CVE-2022-37729
+ RESERVED
+CVE-2022-37728
+ RESERVED
+CVE-2022-37727
+ RESERVED
+CVE-2022-37726
+ RESERVED
+CVE-2022-37725
+ RESERVED
+CVE-2022-37724
+ RESERVED
+CVE-2022-37723
+ RESERVED
+CVE-2022-37722
+ RESERVED
+CVE-2022-37721
+ RESERVED
+CVE-2022-37720
+ RESERVED
+CVE-2022-37719
+ RESERVED
+CVE-2022-37718
+ RESERVED
+CVE-2022-37717
+ RESERVED
+CVE-2022-37716
+ RESERVED
+CVE-2022-37715
+ RESERVED
+CVE-2022-37714
+ RESERVED
+CVE-2022-37713
+ RESERVED
+CVE-2022-37712
+ RESERVED
+CVE-2022-37711
+ RESERVED
+CVE-2022-37710
+ RESERVED
+CVE-2022-37709
+ RESERVED
+CVE-2022-37708
+ RESERVED
+CVE-2022-37707
+ RESERVED
+CVE-2022-37706
+ RESERVED
+CVE-2022-37705
+ RESERVED
+CVE-2022-37704
+ RESERVED
+CVE-2022-37703
+ RESERVED
+CVE-2022-37702
+ RESERVED
+CVE-2022-37701
+ RESERVED
+CVE-2022-37700
+ RESERVED
+CVE-2022-37699
+ RESERVED
+CVE-2022-37698
+ RESERVED
+CVE-2022-37697
+ RESERVED
+CVE-2022-37696
+ RESERVED
+CVE-2022-37695
+ RESERVED
+CVE-2022-37694
+ RESERVED
+CVE-2022-37693
+ RESERVED
+CVE-2022-37692
+ RESERVED
+CVE-2022-37691
+ RESERVED
+CVE-2022-37690
+ RESERVED
+CVE-2022-37689
+ RESERVED
+CVE-2022-37688
+ RESERVED
+CVE-2022-37687
+ RESERVED
+CVE-2022-37686
+ RESERVED
+CVE-2022-37685
+ RESERVED
+CVE-2022-37684
+ RESERVED
+CVE-2022-37683
+ RESERVED
+CVE-2022-37682
+ RESERVED
+CVE-2022-37681
+ RESERVED
+CVE-2022-37680
+ RESERVED
+CVE-2022-37679
+ RESERVED
+CVE-2022-37678
+ RESERVED
+CVE-2022-37677
+ RESERVED
+CVE-2022-37676
+ RESERVED
+CVE-2022-37675
+ RESERVED
+CVE-2022-37674
+ RESERVED
+CVE-2022-37673
+ RESERVED
+CVE-2022-37672
+ RESERVED
+CVE-2022-37671
+ RESERVED
+CVE-2022-37670
+ RESERVED
+CVE-2022-37669
+ RESERVED
+CVE-2022-37668
+ RESERVED
+CVE-2022-37667
+ RESERVED
+CVE-2022-37666
+ RESERVED
+CVE-2022-37665
+ RESERVED
+CVE-2022-37664
+ RESERVED
+CVE-2022-37663
+ RESERVED
+CVE-2022-37662
+ RESERVED
+CVE-2022-37661
+ RESERVED
+CVE-2022-37660
+ RESERVED
+CVE-2022-37659
+ RESERVED
+CVE-2022-37658
+ RESERVED
+CVE-2022-37657
+ RESERVED
+CVE-2022-37656
+ RESERVED
+CVE-2022-37655
+ RESERVED
+CVE-2022-37654
+ RESERVED
+CVE-2022-37653
+ RESERVED
+CVE-2022-37652
+ RESERVED
+CVE-2022-37651
+ RESERVED
+CVE-2022-37650
+ RESERVED
+CVE-2022-37649
+ RESERVED
+CVE-2022-37648
+ RESERVED
+CVE-2022-37647
+ RESERVED
+CVE-2022-37646
+ RESERVED
+CVE-2022-37645
+ RESERVED
+CVE-2022-37644
+ RESERVED
+CVE-2022-37643
+ RESERVED
+CVE-2022-37642
+ RESERVED
+CVE-2022-37641
+ RESERVED
+CVE-2022-37640
+ RESERVED
+CVE-2022-37639
+ RESERVED
+CVE-2022-37638
+ RESERVED
+CVE-2022-37637
+ RESERVED
+CVE-2022-37636
+ RESERVED
+CVE-2022-37635
+ RESERVED
+CVE-2022-37634
+ RESERVED
+CVE-2022-37633
+ RESERVED
+CVE-2022-37632
+ RESERVED
+CVE-2022-37631
+ RESERVED
+CVE-2022-37630
+ RESERVED
+CVE-2022-37629
+ RESERVED
+CVE-2022-37628
+ RESERVED
+CVE-2022-37627
+ RESERVED
+CVE-2022-37626
+ RESERVED
+CVE-2022-37625
+ RESERVED
+CVE-2022-37624
+ RESERVED
+CVE-2022-37623
+ RESERVED
+CVE-2022-37622
+ RESERVED
+CVE-2022-37621
+ RESERVED
+CVE-2022-37620
+ RESERVED
+CVE-2022-37619
+ RESERVED
+CVE-2022-37618
+ RESERVED
+CVE-2022-37617
+ RESERVED
+CVE-2022-37616
+ RESERVED
+CVE-2022-37615
+ RESERVED
+CVE-2022-37614
+ RESERVED
+CVE-2022-37613
+ RESERVED
+CVE-2022-37612
+ RESERVED
+CVE-2022-37611
+ RESERVED
+CVE-2022-37610
+ RESERVED
+CVE-2022-37609
+ RESERVED
+CVE-2022-37608
+ RESERVED
+CVE-2022-37607
+ RESERVED
+CVE-2022-37606
+ RESERVED
+CVE-2022-37605
+ RESERVED
+CVE-2022-37604
+ RESERVED
+CVE-2022-37603
+ RESERVED
+CVE-2022-37602
+ RESERVED
+CVE-2022-37601
+ RESERVED
+CVE-2022-37600
+ RESERVED
+CVE-2022-37599
+ RESERVED
+CVE-2022-37598
+ RESERVED
+CVE-2022-37597
+ RESERVED
+CVE-2022-37596
+ RESERVED
+CVE-2022-37595
+ RESERVED
+CVE-2022-37594
+ RESERVED
+CVE-2022-37593
+ RESERVED
+CVE-2022-37592
+ RESERVED
+CVE-2022-37591
+ RESERVED
+CVE-2022-37590
+ RESERVED
+CVE-2022-37589
+ RESERVED
+CVE-2022-37588
+ RESERVED
+CVE-2022-37587
+ RESERVED
+CVE-2022-37586
+ RESERVED
+CVE-2022-37585
+ RESERVED
+CVE-2022-37584
+ RESERVED
+CVE-2022-37583
+ RESERVED
+CVE-2022-37582
+ RESERVED
+CVE-2022-37581
+ RESERVED
+CVE-2022-37580
+ RESERVED
+CVE-2022-37579
+ RESERVED
+CVE-2022-37578
+ RESERVED
+CVE-2022-37577
+ RESERVED
+CVE-2022-37576
+ RESERVED
+CVE-2022-37575
+ RESERVED
+CVE-2022-37574
+ RESERVED
+CVE-2022-37573
+ RESERVED
+CVE-2022-37572
+ RESERVED
+CVE-2022-37571
+ RESERVED
+CVE-2022-37570
+ RESERVED
+CVE-2022-37569
+ RESERVED
+CVE-2022-37568
+ RESERVED
+CVE-2022-37567
+ RESERVED
+CVE-2022-37566
+ RESERVED
+CVE-2022-37565
+ RESERVED
+CVE-2022-37564
+ RESERVED
+CVE-2022-37563
+ RESERVED
+CVE-2022-37562
+ RESERVED
+CVE-2022-37561
+ RESERVED
+CVE-2022-37560
+ RESERVED
+CVE-2022-37559
+ RESERVED
+CVE-2022-37558
+ RESERVED
+CVE-2022-37557
+ RESERVED
+CVE-2022-37556
+ RESERVED
+CVE-2022-37555
+ RESERVED
+CVE-2022-37554
+ RESERVED
+CVE-2022-37553
+ RESERVED
+CVE-2022-37552
+ RESERVED
+CVE-2022-37551
+ RESERVED
+CVE-2022-37550
+ RESERVED
+CVE-2022-37549
+ RESERVED
+CVE-2022-37548
+ RESERVED
+CVE-2022-37547
+ RESERVED
+CVE-2022-37546
+ RESERVED
+CVE-2022-37545
+ RESERVED
+CVE-2022-37544
+ RESERVED
+CVE-2022-37543
+ RESERVED
+CVE-2022-37542
+ RESERVED
+CVE-2022-37541
+ RESERVED
+CVE-2022-37540
+ RESERVED
+CVE-2022-37539
+ RESERVED
+CVE-2022-37538
+ RESERVED
+CVE-2022-37537
+ RESERVED
+CVE-2022-37536
+ RESERVED
+CVE-2022-37535
+ RESERVED
+CVE-2022-37534
+ RESERVED
+CVE-2022-37533
+ RESERVED
+CVE-2022-37532
+ RESERVED
+CVE-2022-37531
+ RESERVED
+CVE-2022-37530
+ RESERVED
+CVE-2022-37529
+ RESERVED
+CVE-2022-37528
+ RESERVED
+CVE-2022-37527
+ RESERVED
+CVE-2022-37526
+ RESERVED
+CVE-2022-37525
+ RESERVED
+CVE-2022-37524
+ RESERVED
+CVE-2022-37523
+ RESERVED
+CVE-2022-37522
+ RESERVED
+CVE-2022-37521
+ RESERVED
+CVE-2022-37520
+ RESERVED
+CVE-2022-37519
+ RESERVED
+CVE-2022-37518
+ RESERVED
+CVE-2022-37517
+ RESERVED
+CVE-2022-37516
+ RESERVED
+CVE-2022-37515
+ RESERVED
+CVE-2022-37514
+ RESERVED
+CVE-2022-37513
+ RESERVED
+CVE-2022-37512
+ RESERVED
+CVE-2022-37511
+ RESERVED
+CVE-2022-37510
+ RESERVED
+CVE-2022-37509
+ RESERVED
+CVE-2022-37508
+ RESERVED
+CVE-2022-37507
+ RESERVED
+CVE-2022-37506
+ RESERVED
+CVE-2022-37505
+ RESERVED
+CVE-2022-37504
+ RESERVED
+CVE-2022-37503
+ RESERVED
+CVE-2022-37502
+ RESERVED
+CVE-2022-37501
+ RESERVED
+CVE-2022-37500
+ RESERVED
+CVE-2022-37499
+ RESERVED
+CVE-2022-37498
+ RESERVED
+CVE-2022-37497
+ RESERVED
+CVE-2022-37496
+ RESERVED
+CVE-2022-37495
+ RESERVED
+CVE-2022-37494
+ RESERVED
+CVE-2022-37493
+ RESERVED
+CVE-2022-37492
+ RESERVED
+CVE-2022-37491
+ RESERVED
+CVE-2022-37490
+ RESERVED
+CVE-2022-37489
+ RESERVED
+CVE-2022-37488
+ RESERVED
+CVE-2022-37487
+ RESERVED
+CVE-2022-37486
+ RESERVED
+CVE-2022-37485
+ RESERVED
+CVE-2022-37484
+ RESERVED
+CVE-2022-37483
+ RESERVED
+CVE-2022-37482
+ RESERVED
+CVE-2022-37481
+ RESERVED
+CVE-2022-37480
+ RESERVED
+CVE-2022-37479
+ RESERVED
+CVE-2022-37478
+ RESERVED
+CVE-2022-37477
+ RESERVED
+CVE-2022-37476
+ RESERVED
+CVE-2022-37475
+ RESERVED
+CVE-2022-37474
+ RESERVED
+CVE-2022-37473
+ RESERVED
+CVE-2022-37472
+ RESERVED
+CVE-2022-37471
+ RESERVED
+CVE-2022-37470
+ RESERVED
+CVE-2022-37469
+ RESERVED
+CVE-2022-37468
+ RESERVED
+CVE-2022-37467
+ RESERVED
+CVE-2022-37466
+ RESERVED
+CVE-2022-37465
+ RESERVED
+CVE-2022-37464
+ RESERVED
+CVE-2022-37463
+ RESERVED
+CVE-2022-37462
+ RESERVED
+CVE-2022-37461
+ RESERVED
+CVE-2022-37460
+ RESERVED
+CVE-2022-37459
+ RESERVED
+CVE-2022-37458
+ RESERVED
+CVE-2022-37457
+ RESERVED
+CVE-2022-37456
+ RESERVED
+CVE-2022-37455
+ RESERVED
+CVE-2022-37454
+ RESERVED
+CVE-2022-37453
+ RESERVED
+CVE-2022-2708 (A vulnerability, which was classified as critical, was found in Source ...)
+ NOT-FOR-US: SourceCodester Gym Management System
+CVE-2022-2707 (A vulnerability classified as critical was found in SourceCodester Onl ...)
+ NOT-FOR-US: SourceCodester Online Class and Exam Scheduling System
+CVE-2022-2706 (A vulnerability classified as critical has been found in SourceCodeste ...)
+ NOT-FOR-US: SourceCodester Online Class and Exam Scheduling System
+CVE-2022-2705 (A vulnerability was found in SourceCodester Simple Student Information ...)
+ NOT-FOR-US: SourceCodester Simple Student Information System
+CVE-2022-2704 (A vulnerability was found in SourceCodester Simple E-Learning System. ...)
+ NOT-FOR-US: SourceCodester Simple E-Learning System
+CVE-2022-2703 (A vulnerability was found in SourceCodester Gym Management System. It ...)
+ NOT-FOR-US: SourceCodester Gym Management System
+CVE-2022-2702 (A vulnerability was found in SourceCodester Company Website CMS and cl ...)
+ NOT-FOR-US: SourceCodester Company Website CMS
+CVE-2022-2701 (A vulnerability classified as problematic was found in SourceCodester ...)
+ NOT-FOR-US: SourceCodester Simple E-Learning System
+CVE-2022-2700 (A vulnerability classified as critical has been found in SourceCodeste ...)
+ NOT-FOR-US: SourceCodester Gym Management System
+CVE-2022-2699 (A vulnerability was found in SourceCodester Simple E-Learning System. ...)
+ NOT-FOR-US: SourceCodester Simple E-Learning System
+CVE-2022-2698 (A vulnerability was found in SourceCodester Simple E-Learning System. ...)
+ NOT-FOR-US: SourceCodester Simple E-Learning System
+CVE-2022-2697 (A vulnerability was found in SourceCodester Simple E-Learning System. ...)
+ NOT-FOR-US: SourceCodester Simple E-Learning System
+CVE-2022-2696
+ RESERVED
+CVE-2022-2695
+ RESERVED
+CVE-2022-2694 (A vulnerability was found in SourceCodester Company Website CMS and cl ...)
+ NOT-FOR-US: SourceCodester Company Website CMS
+CVE-2022-2693 (A vulnerability has been found in SourceCodester Electronic Medical Re ...)
+ NOT-FOR-US: SourceCodester Electronic Medical Records System
+CVE-2022-2692 (A vulnerability, which was classified as problematic, was found in Sou ...)
+ NOT-FOR-US: SourceCodester Wedding Hall Booking System
+CVE-2022-2691 (A vulnerability, which was classified as problematic, has been found i ...)
+ NOT-FOR-US: SourceCodester Wedding Hall Booking System
+CVE-2022-2690 (A vulnerability classified as problematic was found in SourceCodester ...)
+ NOT-FOR-US: SourceCodester Wedding Hall Booking System
+CVE-2022-2689 (A vulnerability classified as problematic has been found in SourceCode ...)
+ NOT-FOR-US: SourceCodester Wedding Hall Booking System
+CVE-2022-2688 (A vulnerability was found in SourceCodester Expense Management System. ...)
+ NOT-FOR-US: SourceCodester Expense Management System
+CVE-2022-37452 (Exim before 4.95 has a heap-based buffer overflow for the alias list i ...)
+ - exim4 4.94.2-5
+ NOTE: https://www.openwall.com/lists/oss-security/2022/08/06/8
+ NOTE: https://github.com/ivd38/exim_overflow
+ NOTE: https://github.com/Exim/exim/commit/d4bc023436e4cce7c23c5f8bb5199e178b4cc743 (exim-4.95-RC0)
+CVE-2022-37451 (Exim before 4.96 has an invalid free in pam_converse in auths/call_pam ...)
+ - exim4 4.95-4
+ [bullseye] - exim4 <not-affected> (Vulnerable code not present)
+ [buster] - exim4 <not-affected> (Vulnerable code not present)
+ NOTE: https://github.com/ivd38/exim_invalid_free
+ NOTE: https://github.com/Exim/exim/commit/51be321b27825c01829dffd90f11bfff256f7e42 (exim-4.96-RC0)
+ NOTE: Introduced in https://github.com/Exim/exim/commit/1e30b0199daf7a7a882458251a3dc10d45d4c7d1 (exim-4.95-RC0)
+CVE-2022-37450 (Go Ethereum (aka geth) through 1.10.21 allows attackers to increase re ...)
+ - golang-github-go-ethereum <itp> (bug #890541)
+CVE-2022-37449
+ REJECTED
+CVE-2022-37448
+ REJECTED
+CVE-2022-37447
+ REJECTED
+CVE-2022-37446
+ REJECTED
+CVE-2022-37445
+ REJECTED
+CVE-2022-37444
+ REJECTED
+CVE-2022-37443
+ REJECTED
+CVE-2022-37442
+ REJECTED
+CVE-2022-37441
+ REJECTED
+CVE-2022-37440
+ REJECTED
+CVE-2022-2687 (A vulnerability, which was classified as critical, was found in Source ...)
+ NOT-FOR-US: SourceCodester Gym Management System
+CVE-2022-2686 (A vulnerability, which was classified as problematic, was found in ore ...)
+ NOT-FOR-US: oretnom23 Fast Food Ordering System
+CVE-2022-2685 (A vulnerability was found in SourceCodester Interview Management Syste ...)
+ NOT-FOR-US: SourceCodester Interview Management System
+CVE-2022-2684 (A vulnerability has been found in SourceCodester Apartment Visitor Man ...)
+ NOT-FOR-US: SourceCodester Apartment Visitor Management System
+CVE-2022-2683 (A vulnerability, which was classified as problematic, was found in Sou ...)
+ NOT-FOR-US: SourceCodester Simple Food Ordering System
+CVE-2022-2682 (A vulnerability, which was classified as problematic, has been found i ...)
+ NOT-FOR-US: SourceCodester Alphaware Simple E-Commerce System
+CVE-2022-2681 (A vulnerability classified as problematic was found in SourceCodester ...)
+ NOT-FOR-US: Online Student Admission System
+CVE-2022-2680 (A vulnerability classified as critical has been found in SourceCodeste ...)
+ NOT-FOR-US: SourceCodester Church Management System
+CVE-2022-2679 (A vulnerability was found in SourceCodester Interview Management Syste ...)
+ NOT-FOR-US: SourceCodester Interview Management System
+CVE-2022-2678 (A vulnerability was found in SourceCodester Alphaware Simple E-Commerc ...)
+ NOT-FOR-US: SourceCodester Alphaware Simple E-Commerce System
+CVE-2022-2677 (A vulnerability was found in SourceCodester Apartment Visitor Manageme ...)
+ NOT-FOR-US: SourceCodester Apartment Visitor Management System
+CVE-2022-2676 (A vulnerability was found in SourceCodester Electronic Medical Records ...)
+ NOT-FOR-US: SourceCodester Electronic Medical Records System
+CVE-2022-37439
+ RESERVED
+CVE-2022-37438
+ RESERVED
+CVE-2022-37437
+ RESERVED
+CVE-2022-37436
+ RESERVED
+CVE-2022-37435
+ RESERVED
+CVE-2022-37433
+ RESERVED
+CVE-2022-37432
+ RESERVED
+CVE-2022-2675 (Using off-the-shelf commodity hardware, the Unitree Go 1 robotics plat ...)
+ NOT-FOR-US: Unitree Go 1 robotics platform
+CVE-2022-2674 (A vulnerability was found in SourceCodester Best Fee Management System ...)
+ NOT-FOR-US: SourceCodester
+CVE-2022-2673 (A vulnerability was found in Rigatur Online Booking and Hotel Manageme ...)
+ NOT-FOR-US: Rigatur Online Booking and Hotel Management System
+CVE-2022-2672 (A vulnerability was found in SourceCodester Garage Management System. ...)
+ NOT-FOR-US: SourceCodester
+CVE-2022-2671 (A vulnerability was found in SourceCodester Garage Management System a ...)
+ NOT-FOR-US: SourceCodester
+CVE-2022-2670
+ RESERVED
+CVE-2022-2669
+ RESERVED
+CVE-2022-2668 (An issue was discovered in Keycloak that allows arbitrary Javascript t ...)
+ NOT-FOR-US: Keycloak
+CVE-2022-37434 (zlib through 1.2.12 has a heap-based buffer over-read or buffer overfl ...)
+ - zlib <unfixed> (bug #1016710)
+ NOTE: https://github.com/ivd38/zlib_overflow
+ NOTE: https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
+ NOTE: https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
+CVE-2022-37431 (** DISPUTED ** A Reflected Cross-site scripting (XSS) issue was discov ...)
+ NOT-FOR-US: dotCMS
+CVE-2022-37430
+ RESERVED
+CVE-2022-37429
+ RESERVED
+CVE-2022-37428
+ RESERVED
+CVE-2022-37427
+ RESERVED
+CVE-2022-37426
+ RESERVED
+CVE-2022-37425
+ RESERVED
+CVE-2022-37424
+ RESERVED
+CVE-2022-37423 (Neo4j APOC (Awesome Procedures on Cypher) before 4.3.0.7 and 4.x befor ...)
+ NOT-FOR-US: Neo4j APOC (Awesome Procedures on Cypher)
+CVE-2022-37422
+ RESERVED
+CVE-2022-37421
+ RESERVED
+CVE-2022-37420
+ RESERVED
+CVE-2022-37419
+ RESERVED
+CVE-2022-37418
+ RESERVED
+CVE-2022-37417
+ RESERVED
+CVE-2022-37416 (Ittiam libmpeg2 before 2022-07-27 uses memcpy with overlapping memory ...)
+ NOT-FOR-US: Android
+CVE-2022-37415 (The Uniwill SparkIO.sys driver 1.0 is vulnerable to a stack-based buff ...)
+ NOT-FOR-US: Uniwill SparkIO.sys driver
+CVE-2022-37414
+ RESERVED
+CVE-2022-37413
+ RESERVED
+CVE-2022-37401 (Apache OpenOffice supports the storage of passwords for web connection ...)
+ NOT-FOR-US: Apache OpenOffice
+CVE-2022-37400 (Apache OpenOffice supports the storage of passwords for web connection ...)
+ NOT-FOR-US: Apache OpenOffice
+CVE-2022-37399
+ RESERVED
+CVE-2022-37398 (A stack-based buffer overflow vulnerability was found inside ADM when ...)
+ NOT-FOR-US: ASUSTOR Data Master (ADM)
+CVE-2022-36350
+ RESERVED
+CVE-2022-2667 (A vulnerability was found in SourceCodester Loan Management System and ...)
+ NOT-FOR-US: SourceCodester
+CVE-2022-2666
+ RESERVED
+CVE-2022-2665 (A vulnerability classified as critical was found in SourceCodester Sim ...)
+ NOT-FOR-US: SourceCodester
+CVE-2022-2664 (A vulnerability classified as critical has been found in Private Cloud ...)
+ NOT-FOR-US: Private Cloud Management Platform
+CVE-2020-36591
+ RESERVED
+CVE-2020-36590
+ RESERVED
+CVE-2020-36589
+ RESERVED
+CVE-2020-36588
+ RESERVED
+CVE-2020-36587
+ RESERVED
+CVE-2020-36586
+ RESERVED
+CVE-2020-36585
+ RESERVED
+CVE-2020-36584
+ RESERVED
+CVE-2020-36583
+ RESERVED
+CVE-2020-36582
+ RESERVED
+CVE-2020-36581
+ RESERVED
+CVE-2020-36580
+ RESERVED
+CVE-2020-36579
+ RESERVED
+CVE-2020-36578
+ RESERVED
+CVE-2020-36577
+ RESERVED
+CVE-2020-36576
+ RESERVED
+CVE-2020-36575
+ RESERVED
+CVE-2020-36574
+ RESERVED
+CVE-2020-36573
+ RESERVED
+CVE-2020-36572
+ RESERVED
+CVE-2020-36571
+ RESERVED
+CVE-2020-36570
+ RESERVED
+CVE-2022-2663
+ RESERVED
+CVE-2022-2662
+ RESERVED
+CVE-2022-2661
+ RESERVED
+CVE-2022-2660
+ RESERVED
+CVE-2022-2659
+ RESERVED
+CVE-2022-2658
+ RESERVED
+CVE-2022-2657
+ RESERVED
+CVE-2022-2656 (A vulnerability classified as critical has been found in SourceCodeste ...)
+ NOT-FOR-US: SourceCodester Multi Language Hotel Management Software
+CVE-2022-2655
+ RESERVED
+CVE-2022-2654
+ RESERVED
+CVE-2022-2653 (With this vulnerability an attacker can read many sensitive files like ...)
+ NOT-FOR-US: plankanban/planka
+CVE-2022-2652 (Depending on the way the format strings in the card label are crafted ...)
+ - v4l2loopback 0.12.7-1 (bug #1016685)
+ NOTE: https://huntr.dev/bounties/1b055da5-7a9e-4409-99d7-030280d242d5
+ NOTE: https://github.com/umlaeute/v4l2loopback/commit/e4cd225557486c420f6a34411f98c575effd43dd (main)
+ NOTE: https://github.com/umlaeute/v4l2loopback/commit/64a216af4c09c9ba9326057d7e78994271827eff (v0.12.6)
+CVE-2022-2651 (Authentication Bypass by Primary Weakness in GitHub repository bookwyr ...)
+ NOT-FOR-US: BookWyrm
+CVE-2022-2650
+ RESERVED
+CVE-2022-2649
+ RESERVED
+CVE-2022-2648 (A vulnerability was found in SourceCodester Multi Language Hotel Manag ...)
+ NOT-FOR-US: SourceCodester Multi Language Hotel Management Software
+CVE-2022-2647 (A vulnerability was found in jeecg-boot. It has been declared as criti ...)
+ NOT-FOR-US: Jeecg-boot
+CVE-2022-37397 (An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based ...)
+ NOT-FOR-US: YugabyteDB
+CVE-2022-37345
+ RESERVED
+CVE-2022-37334
+ RESERVED
+CVE-2022-37327
+ RESERVED
+CVE-2022-36789
+ RESERVED
+CVE-2022-36391
+ RESERVED
+CVE-2022-36339
+ RESERVED
+CVE-2022-35400
+ RESERVED
+CVE-2022-35276
+ RESERVED
+CVE-2022-34152
+ RESERVED
+CVE-2022-32766
+ RESERVED
+CVE-2022-2646 (A vulnerability, which was classified as problematic, was found in Sou ...)
+ NOT-FOR-US: SourceCodester Online Admission System
+CVE-2022-2645 (A vulnerability has been found in SourceCodester Garage Management Sys ...)
+ NOT-FOR-US: SourceCodester Garage Management System
+CVE-2022-2644 (A vulnerability was found in SourceCodester Online Admission System an ...)
+ NOT-FOR-US: SourceCodester Online Admission System
+CVE-2022-2643 (A vulnerability has been found in SourceCodester Online Admission Syst ...)
+ NOT-FOR-US: SourceCodester Online Admission System
+CVE-2022-2642
+ RESERVED
+CVE-2022-2641
+ RESERVED
+CVE-2022-2640
+ RESERVED
+CVE-2022-37396 (In JetBrains Rider before 2022.2 Trust and Open Project dialog could b ...)
+ NOT-FOR-US: JetBrains
+CVE-2022-37395
+ RESERVED
+CVE-2022-37394 (An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 2 ...)
+ - nova <unfixed> (bug #1016980)
+ [bullseye] - nova <no-dsa> (Minor issue)
+ [buster] - nova <no-dsa> (Minor issue)
+ NOTE: https://bugs.launchpad.net/ossa/+bug/1981813
+ NOTE: https://review.opendev.org/c/openstack/nova/+/849985
+ NOTE: https://review.opendev.org/c/openstack/nova/+/850003
+CVE-2022-2639
+ RESERVED
+ - linux 5.17.6-1
+ [bullseye] - linux 5.10.113-1
+ [buster] - linux 4.19.249-1
+ NOTE: https://git.kernel.org/linus/cefa91b2332d7009bc0be5d951d6cbbf349f90f8 (5.18-rc4)
+CVE-2022-2638
+ RESERVED
+CVE-2022-2637
+ RESERVED
+CVE-2022-2636 (Improper Input Validation in GitHub repository hestiacp/hestiacp prior ...)
+ NOT-FOR-US: Hestia Control Panel
+CVE-2022-2635
+ RESERVED
+CVE-2022-37393
+ RESERVED
+CVE-2022-2634 (An attacker may be able to execute malicious actions due to the lack o ...)
+ NOT-FOR-US: Digi ConnectPort X2D
+CVE-2022-37392
+ RESERVED
+CVE-2022-37391
+ RESERVED
+CVE-2022-37390
+ RESERVED
+CVE-2022-37389
+ RESERVED
+CVE-2022-37388
+ RESERVED
+CVE-2022-37387
+ RESERVED
+CVE-2022-37386
+ RESERVED
+CVE-2022-37385
+ RESERVED
+CVE-2022-37384
+ RESERVED
+CVE-2022-37383
+ RESERVED
+CVE-2022-37382
+ RESERVED
+CVE-2022-37381
+ RESERVED
+CVE-2022-37380
+ RESERVED
+CVE-2022-37379
+ RESERVED
+CVE-2022-37378
+ RESERVED
+CVE-2022-37377
+ RESERVED
+CVE-2022-37376
+ RESERVED
+CVE-2022-37375
+ RESERVED
+CVE-2022-37374
+ RESERVED
+CVE-2022-37373
+ RESERVED
+CVE-2022-37372
+ RESERVED
+CVE-2022-37371
+ RESERVED
+CVE-2022-37370
+ RESERVED
+CVE-2022-37369
+ RESERVED
+CVE-2022-37368
+ RESERVED
+CVE-2022-37367
+ RESERVED
+CVE-2022-37366
+ RESERVED
+CVE-2022-37365
+ RESERVED
+CVE-2022-37364
+ RESERVED
+CVE-2022-37363
+ RESERVED
+CVE-2022-37362
+ RESERVED
+CVE-2022-37361
+ RESERVED
+CVE-2022-37360
+ RESERVED
+CVE-2022-37359
+ RESERVED
+CVE-2022-37358
+ RESERVED
+CVE-2022-37357
+ RESERVED
+CVE-2022-37356
+ RESERVED
+CVE-2022-37355
+ RESERVED
+CVE-2022-37354
+ RESERVED
+CVE-2022-37353
+ RESERVED
+CVE-2022-37352
+ RESERVED
+CVE-2022-37351
+ RESERVED
+CVE-2022-37350
+ RESERVED
+CVE-2022-37349
+ RESERVED
+CVE-2022-2633
+ RESERVED
+CVE-2022-2632
+ RESERVED
+CVE-2022-2631 (Improper Access Control in GitHub repository tooljet/tooljet prior to ...)
+ NOT-FOR-US: ToolJet
+CVE-2022-2630
+ RESERVED
+CVE-2022-2629
+ RESERVED
+CVE-2022-2628
+ RESERVED
+CVE-2022-2627
+ RESERVED
+CVE-2022-2626 (Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp ...)
+ NOT-FOR-US: Hestia Control Panel
+CVE-2022-37348
+ RESERVED
+CVE-2022-37347
+ RESERVED
+CVE-2022-37341
+ RESERVED
+CVE-2022-37340
+ RESERVED
+CVE-2022-37326
+ RESERVED
+CVE-2022-37325
+ RESERVED
+CVE-2022-37324
+ RESERVED
+CVE-2022-37323
+ RESERVED
+CVE-2022-37322
+ RESERVED
+CVE-2022-37321
+ RESERVED
+CVE-2022-37320
+ RESERVED
+CVE-2022-37319
+ RESERVED
+CVE-2022-37318
+ RESERVED
+CVE-2022-37317
+ RESERVED
+CVE-2022-37316
+ RESERVED
+CVE-2022-37315 (graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion i ...)
+ NOT-FOR-US: graphql-go
+CVE-2022-37314
+ RESERVED
+CVE-2022-37313
+ RESERVED
+CVE-2022-37312
+ RESERVED
+CVE-2022-37311
+ RESERVED
+CVE-2022-37310
+ RESERVED
+CVE-2022-37309
+ RESERVED
+CVE-2022-37308
+ RESERVED
+CVE-2022-37307
+ RESERVED
+CVE-2022-37306
+ RESERVED
+CVE-2022-37305
+ RESERVED
+CVE-2022-36426
+ RESERVED
+CVE-2022-36397
+ RESERVED
+CVE-2022-36369
+ RESERVED
+CVE-2022-36353
+ RESERVED
+CVE-2022-36348
+ RESERVED
+CVE-2022-36291
+ RESERVED
+CVE-2022-36281
+ RESERVED
+CVE-2022-33940
+ RESERVED
+CVE-2022-2625 [extension scripts replace objects not owned by the extension]
+ RESERVED
+ {DLA-3072-1}
+ - postgresql-14 14.5-1
+ - postgresql-13 <removed>
+ [bullseye] - postgresql-13 <postponed> (Minor issue, fix along in next update)
+ - postgresql-11 <removed>
+ NOTE: https://www.postgresql.org/support/security/CVE-2022-2625/
+CVE-2022-2624 (Heap buffer overflow in PDF in Google Chrome prior to 104.0.5112.79 al ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2623 (Use after free in Offline in Google Chrome on Android prior to 104.0.5 ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2622 (Insufficient validation of untrusted input in Safe Browsing in Google ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2621 (Use after free in Extensions in Google Chrome prior to 104.0.5112.79 a ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2620 (Use after free in WebUI in Google Chrome on Chrome OS prior to 104.0.5 ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2619 (Insufficient validation of untrusted input in Settings in Google Chrom ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2618 (Insufficient validation of untrusted input in Internals in Google Chro ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2617 (Use after free in Extensions API in Google Chrome prior to 104.0.5112. ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2616 (Inappropriate implementation in Extensions API in Google Chrome prior ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2615 (Insufficient policy enforcement in Cookies in Google Chrome prior to 1 ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2614 (Use after free in Sign-In Flow in Google Chrome prior to 104.0.5112.79 ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2613 (Use after free in Input in Google Chrome on Chrome OS prior to 104.0.5 ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2612 (Side-channel information leakage in Keyboard input in Google Chrome pr ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2611 (Inappropriate implementation in Fullscreen API in Google Chrome on And ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2610 (Insufficient policy enforcement in Background Fetch in Google Chrome p ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2609 (Use after free in Nearby Share in Google Chrome on Chrome OS prior to ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2608 (Use after free in Overview Mode in Google Chrome on Chrome OS prior to ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2607 (Use after free in Tab Strip in Google Chrome on Chrome OS prior to 104 ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2606 (Use after free in Managed devices API in Google Chrome prior to 104.0. ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2605 (Out of bounds read in Dawn in Google Chrome prior to 104.0.5112.79 all ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2604 (Use after free in Safe Browsing in Google Chrome prior to 104.0.5112.7 ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2603 (Use after free in Omnibox in Google Chrome prior to 104.0.5112.79 allo ...)
+ {DSA-5201-1}
+ - chromium 104.0.5112.79-1
+ [buster] - chromium <end-of-life> (see DSA 5046)
+CVE-2022-2602
+ RESERVED
+CVE-2021-46831
+ RESERVED
+CVE-2022-37304
+ RESERVED
+CVE-2022-37303
+ RESERVED
+CVE-2022-37302
+ RESERVED
+CVE-2022-37301
+ RESERVED
+CVE-2022-37300
+ RESERVED
+CVE-2022-2601
+ RESERVED
+CVE-2022-2600
+ RESERVED
+CVE-2022-2599
+ RESERVED
+CVE-2022-2598 (Undefined Behavior for Input to API in GitHub repository vim/vim prior ...)
+ - vim 2:9.0.0135-1
+ NOTE: https://huntr.dev/bounties/2f08363a-47a2-422d-a7de-ce96a89ad08e/
+ NOTE: https://github.com/vim/vim/commit/4e677b9c40ccbc5f090971b31dc2fe07bf05541d (v9.0.0101)
+CVE-2022-2597
+ RESERVED
+CVE-2022-2596 (Denial of Service in GitHub repository node-fetch/node-fetch prior to ...)
+ - node-fetch <not-affected> (Vulnerable code not present)
+ NOTE: https://huntr.dev/bounties/a7e6a136-0a4b-46c4-ad20-802f1dd60bf7/
+ NOTE: Introduced in: https://github.com/node-fetch/node-fetch/commit/2d80b0bb3fb746ff77cfe604f21ef9e47352ece0 (v3.1.0)
+ NOTE: https://github.com/node-fetch/node-fetch/commit/28802387292baee467e042e168d92597b5bbbe3d (v3.2.10)
+CVE-2022-2595 (Improper Authorization in GitHub repository kromitgmbh/titra prior to ...)
+ NOT-FOR-US: Titra
+CVE-2022-2594
+ RESERVED
+CVE-2022-2593
+ RESERVED
+CVE-2022-37299
+ RESERVED
+CVE-2022-37298
+ RESERVED
+CVE-2022-37297
+ RESERVED
+CVE-2022-37296
+ RESERVED
+CVE-2022-37295
+ RESERVED
+CVE-2022-37294
+ RESERVED
+CVE-2022-37293
+ RESERVED
+CVE-2022-37292
+ RESERVED
+CVE-2022-37291
+ RESERVED
+CVE-2022-37290
+ RESERVED
+CVE-2022-37289
+ RESERVED
+CVE-2022-37288
+ RESERVED
+CVE-2022-37287
+ RESERVED
+CVE-2022-37286
+ RESERVED
+CVE-2022-37285
+ RESERVED
+CVE-2022-37284
+ RESERVED
+CVE-2022-37283
+ RESERVED
+CVE-2022-37282
+ RESERVED
+CVE-2022-37281
+ RESERVED
+CVE-2022-37280
+ RESERVED
+CVE-2022-37279
+ RESERVED
+CVE-2022-37278
+ RESERVED
+CVE-2022-37277
+ RESERVED
+CVE-2022-37276
+ RESERVED
+CVE-2022-37275
+ RESERVED
+CVE-2022-37274
+ RESERVED
+CVE-2022-37273
+ RESERVED
+CVE-2022-37272
+ RESERVED
+CVE-2022-37271
+ RESERVED
+CVE-2022-37270
+ RESERVED
+CVE-2022-37269
+ RESERVED
+CVE-2022-37268
+ RESERVED
+CVE-2022-37267
+ RESERVED
+CVE-2022-37266
+ RESERVED
+CVE-2022-37265
+ RESERVED
+CVE-2022-37264
+ RESERVED
+CVE-2022-37263
+ RESERVED
+CVE-2022-37262
+ RESERVED
+CVE-2022-37261
+ RESERVED
+CVE-2022-37260
+ RESERVED
+CVE-2022-37259
+ RESERVED
+CVE-2022-37258
+ RESERVED
+CVE-2022-37257
+ RESERVED
+CVE-2022-37256
+ RESERVED
+CVE-2022-37255
+ RESERVED
+CVE-2022-37254
+ RESERVED
+CVE-2022-37253
+ RESERVED
+CVE-2022-37252
+ RESERVED
+CVE-2022-37251
+ RESERVED
+CVE-2022-37250
+ RESERVED
+CVE-2022-37249
+ RESERVED
+CVE-2022-37248
+ RESERVED
+CVE-2022-37247
+ RESERVED
+CVE-2022-37246
+ RESERVED
+CVE-2022-37245
+ RESERVED
+CVE-2022-37244
+ RESERVED
+CVE-2022-37243
+ RESERVED
+CVE-2022-37242
+ RESERVED
+CVE-2022-37241
+ RESERVED
+CVE-2022-37240
+ RESERVED
+CVE-2022-37239
+ RESERVED
+CVE-2022-37238
+ RESERVED
+CVE-2022-37237
+ RESERVED
+CVE-2022-37236
+ RESERVED
+CVE-2022-37235
+ RESERVED
+CVE-2022-37234
+ RESERVED
+CVE-2022-37233
+ RESERVED
+CVE-2022-37232
+ RESERVED
+CVE-2022-37231
+ RESERVED
+CVE-2022-37230
+ RESERVED
+CVE-2022-37229
+ RESERVED
+CVE-2022-37228
+ RESERVED
+CVE-2022-37227
+ RESERVED
+CVE-2022-37226
+ RESERVED
+CVE-2022-37225
+ RESERVED
+CVE-2022-37224
+ RESERVED
+CVE-2022-37223
+ RESERVED
+CVE-2022-37222
+ RESERVED
+CVE-2022-37221
+ RESERVED
+CVE-2022-37220
+ RESERVED
+CVE-2022-37219
+ RESERVED
+CVE-2022-37218
+ RESERVED
+CVE-2022-37217
+ RESERVED
+CVE-2022-37216
+ RESERVED
+CVE-2022-37215
+ RESERVED
+CVE-2022-37214
+ RESERVED
+CVE-2022-37213
+ RESERVED
+CVE-2022-37212
+ RESERVED
+CVE-2022-37211
+ RESERVED
+CVE-2022-37210
+ RESERVED
+CVE-2022-37209
+ RESERVED
+CVE-2022-37208
+ RESERVED
+CVE-2022-37207
+ RESERVED
+CVE-2022-37206
+ RESERVED
+CVE-2022-37205
+ RESERVED
+CVE-2022-37204
+ RESERVED
+CVE-2022-37203
+ RESERVED
+CVE-2022-37202
+ RESERVED
+CVE-2022-37201
+ RESERVED
+CVE-2022-37200
+ RESERVED
+CVE-2022-37199
+ RESERVED
+CVE-2022-37198
+ RESERVED
+CVE-2022-37197
+ RESERVED
+CVE-2022-37196
+ RESERVED
+CVE-2022-37195
+ RESERVED
+CVE-2022-37194
+ RESERVED
+CVE-2022-37193
+ RESERVED
+CVE-2022-37192
+ RESERVED
+CVE-2022-37191
+ RESERVED
+CVE-2022-37190
+ RESERVED
+CVE-2022-37189
+ RESERVED
+CVE-2022-37188
+ RESERVED
+CVE-2022-37187
+ RESERVED
+CVE-2022-37186
+ RESERVED
+CVE-2022-37185
+ RESERVED
+CVE-2022-37184
+ RESERVED
+CVE-2022-37183
+ RESERVED
+CVE-2022-37182
+ RESERVED
+CVE-2022-37181
+ RESERVED
+CVE-2022-37180
+ RESERVED
+CVE-2022-37179
+ RESERVED
+CVE-2022-37178
+ RESERVED
+CVE-2022-37177
+ RESERVED
+CVE-2022-37176
+ RESERVED
+CVE-2022-37175
+ RESERVED
+CVE-2022-37174
+ RESERVED
+CVE-2022-37173
+ RESERVED
+CVE-2022-37172
+ RESERVED
+CVE-2022-37171
+ RESERVED
+CVE-2022-37170
+ RESERVED
+CVE-2022-37169
+ RESERVED
+CVE-2022-37168
+ RESERVED
+CVE-2022-37167
+ RESERVED
+CVE-2022-37166
+ RESERVED
+CVE-2022-37165
+ RESERVED
+CVE-2022-37164
+ RESERVED
+CVE-2022-37163
+ RESERVED
+CVE-2022-37162
+ RESERVED
+CVE-2022-37161
+ RESERVED
+CVE-2022-37160
+ RESERVED
+CVE-2022-37159
+ RESERVED
+CVE-2022-37158
+ RESERVED
+CVE-2022-37157
+ RESERVED
+CVE-2022-37156
+ RESERVED
+CVE-2022-37155
+ RESERVED
+CVE-2022-37154
+ RESERVED
+CVE-2022-37153
+ RESERVED
+CVE-2022-37152
+ RESERVED
+CVE-2022-37151
+ RESERVED
+CVE-2022-37150
+ RESERVED
+CVE-2022-37149
+ RESERVED
+CVE-2022-37148
+ RESERVED
+CVE-2022-37147
+ RESERVED
+CVE-2022-37146
+ RESERVED
+CVE-2022-37145
+ RESERVED
+CVE-2022-37144
+ RESERVED
+CVE-2022-37143
+ RESERVED
+CVE-2022-37142
+ RESERVED
+CVE-2022-37141
+ RESERVED
+CVE-2022-37140
+ RESERVED
+CVE-2022-37139
+ RESERVED
+CVE-2022-37138
+ RESERVED
+CVE-2022-37137
+ RESERVED
+CVE-2022-37136
+ RESERVED
+CVE-2022-37135
+ RESERVED
+CVE-2022-37134
+ RESERVED
+CVE-2022-37133
+ RESERVED
+CVE-2022-37132
+ RESERVED
+CVE-2022-37131
+ RESERVED
+CVE-2022-37130
+ RESERVED
+CVE-2022-37129
+ RESERVED
+CVE-2022-37128
+ RESERVED
+CVE-2022-37127
+ RESERVED
+CVE-2022-37126
+ RESERVED
+CVE-2022-37125
+ RESERVED
+CVE-2022-37124
+ RESERVED
+CVE-2022-37123
+ RESERVED
+CVE-2022-37122
+ RESERVED
+CVE-2022-37121
+ RESERVED
+CVE-2022-37120
+ RESERVED
+CVE-2022-37119
+ RESERVED
+CVE-2022-37118
+ RESERVED
+CVE-2022-37117
+ RESERVED
+CVE-2022-37116
+ RESERVED
+CVE-2022-37115
+ RESERVED
+CVE-2022-37114
+ RESERVED
+CVE-2022-37113
+ RESERVED
+CVE-2022-37112
+ RESERVED
+CVE-2022-37111
+ RESERVED
+CVE-2022-37110
+ RESERVED
+CVE-2022-37109
+ RESERVED
+CVE-2022-37108
+ RESERVED
+CVE-2022-37107
+ RESERVED
+CVE-2022-37106
+ RESERVED
+CVE-2022-37105
+ RESERVED
+CVE-2022-37104
+ RESERVED
+CVE-2022-37103
+ RESERVED
+CVE-2022-37102
+ RESERVED
+CVE-2022-37101
+ RESERVED
+CVE-2022-37100
+ RESERVED
+CVE-2022-37099
+ RESERVED
+CVE-2022-37098
+ RESERVED
+CVE-2022-37097
+ RESERVED
+CVE-2022-37096
+ RESERVED
+CVE-2022-37095
+ RESERVED
+CVE-2022-37094
+ RESERVED
+CVE-2022-37093
+ RESERVED
+CVE-2022-37092
+ RESERVED
+CVE-2022-37091
+ RESERVED
+CVE-2022-37090
+ RESERVED
+CVE-2022-37089
+ RESERVED
+CVE-2022-37088
+ RESERVED
+CVE-2022-37087
+ RESERVED
+CVE-2022-37086
+ RESERVED
+CVE-2022-37085
+ RESERVED
+CVE-2022-37084
+ RESERVED
+CVE-2022-37083
+ RESERVED
+CVE-2022-37082
+ RESERVED
+CVE-2022-37081
+ RESERVED
+CVE-2022-37080
+ RESERVED
+CVE-2022-37079
+ RESERVED
+CVE-2022-37078
+ RESERVED
+CVE-2022-37077
+ RESERVED
+CVE-2022-37076
+ RESERVED
+CVE-2022-37075
+ RESERVED
+CVE-2022-37074
+ RESERVED
+CVE-2022-37073
+ RESERVED
+CVE-2022-37072
+ RESERVED
+CVE-2022-37071
+ RESERVED
+CVE-2022-37070
+ RESERVED
+CVE-2022-37069
+ RESERVED
+CVE-2022-37068
+ RESERVED
+CVE-2022-37067
+ RESERVED
+CVE-2022-37066
+ RESERVED
+CVE-2022-37065
+ RESERVED
+CVE-2022-37064
+ RESERVED
+CVE-2022-37063
+ RESERVED
+CVE-2022-37062
+ RESERVED
+CVE-2022-37061
+ RESERVED
+CVE-2022-37060
+ RESERVED
+CVE-2022-37059
+ RESERVED
+CVE-2022-37058
+ RESERVED
+CVE-2022-37057
+ RESERVED
+CVE-2022-37056
+ RESERVED
+CVE-2022-37055
+ RESERVED
+CVE-2022-37054
+ RESERVED
+CVE-2022-37053
+ RESERVED
+CVE-2022-37052
+ RESERVED
+CVE-2022-37051
+ RESERVED
+CVE-2022-37050
+ RESERVED
+CVE-2022-37049
+ RESERVED
+CVE-2022-37048
+ RESERVED
+CVE-2022-37047
+ RESERVED
+CVE-2022-37046
+ RESERVED
+CVE-2022-37045
+ RESERVED
+CVE-2022-37044 (In Zimbra Collaboration Suite (ZCS) 8.8.15, the URL at /h/search?actio ...)
+ NOT-FOR-US: Zimbra
+CVE-2022-37043 (An issue was discovered in the webmail component in Zimbra Collaborati ...)
+ NOT-FOR-US: Zimbra
+CVE-2022-37042 (Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functio ...)
+ NOT-FOR-US: Zimbra
+CVE-2022-37041 (An issue was discovered in ProxyServlet.java in the /proxy servlet in ...)
+ NOT-FOR-US: Zimbra
+CVE-2022-2592
+ RESERVED
+CVE-2022-2591 (A vulnerability classified as critical has been found in TEM FLEX-1085 ...)
+ NOT-FOR-US: TEM
+CVE-2022-37040
+ RESERVED
+CVE-2022-37039
+ RESERVED
+CVE-2022-37038
+ RESERVED
+CVE-2022-2590
+ RESERVED
+ - linux 5.18.16-1
+ [bullseye] - linux <not-affected> (Vulnerable code introduced later)
+ [buster] - linux <not-affected> (Vulnerable code introduced later)
+ NOTE: https://lore.kernel.org/linux-mm/20220808073232.8808-1-david@redhat.com/
+ NOTE: https://lore.kernel.org/all/b314c287-5fc2-9f61-53f6-33282a2bed92@redhat.com/
+ NOTE: https://www.openwall.com/lists/oss-security/2022/08/08/1
+CVE-2022-2589 (Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/ ...)
+ - fava <unfixed> (bug #1016971)
+ [bullseye] - fava <no-dsa> (Minor issue)
+ [buster] - fava <no-dsa> (Minor issue)
+ NOTE: https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08/
+ NOTE: https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539 (v1.22.3)
+CVE-2022-37037
+ RESERVED
+CVE-2022-37036
+ RESERVED
+CVE-2022-37035 (An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_ ...)
+ - frr <unfixed> (bug #1016978)
+ [bullseye] - frr <no-dsa> (Minor issue)
+ NOTE: https://github.com/FRRouting/frr/issues/11698
+CVE-2022-37034
+ RESERVED
+CVE-2022-37033
+ RESERVED
+CVE-2022-37032
+ RESERVED
+CVE-2022-37031
+ RESERVED
+CVE-2022-37030 (Weak permissions on the configuration file in the PAM module in Grommu ...)
+ NOT-FOR-US: Gromox
+CVE-2022-37029
+ RESERVED
+CVE-2022-37028
+ RESERVED
+CVE-2022-37027
+ RESERVED
+CVE-2022-37026
+ RESERVED
+CVE-2022-37025
+ RESERVED
+CVE-2022-37024 (Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Co ...)
+ NOT-FOR-US: Zoho ManageEngine
+CVE-2022-2588
+ RESERVED
+ {DSA-5207-1}
+ - linux 5.18.16-1
+ NOTE: https://lore.kernel.org/netdev/20220809170518.164662-1-cascardo@canonical.com/T/#u
+ NOTE: https://www.openwall.com/lists/oss-security/2022/08/09/6
+CVE-2022-2587 (Out of bounds write in Chrome OS Audio Server in Google Chrome on Chro ...)
+ - chromium <not-affected> (Chrome on Chrome OS)
+CVE-2022-2586
+ RESERVED
+ {DSA-5207-1}
+ - linux 5.18.16-1
+ NOTE: https://lore.kernel.org/netfilter-devel/20220809170148.164591-1-cascardo@canonical.com/T/#t
+ NOTE: https://www.openwall.com/lists/oss-security/2022/08/09/5
+CVE-2022-2585
+ RESERVED
+ {DSA-5207-1}
+ - linux 5.18.16-1
+ [buster] - linux <not-affected> (Vulnerable code introduced later)
+ NOTE: https://lore.kernel.org/lkml/20220809170751.164716-1-cascardo@canonical.com/T/#u
+ NOTE: https://www.openwall.com/lists/oss-security/2022/08/09/7
+CVE-2022-2584
+ RESERVED
+CVE-2022-2583
+ RESERVED
+CVE-2022-2582
+ RESERVED
+CVE-2021-4239
+ RESERVED
+CVE-2021-4238
+ RESERVED
+CVE-2021-4237
+ RESERVED
+CVE-2021-4236
+ RESERVED
+CVE-2021-4235
+ RESERVED
+CVE-2020-36569
+ RESERVED
+CVE-2020-36568
+ RESERVED
+CVE-2020-36567
+ RESERVED
+CVE-2020-36566
+ RESERVED
+CVE-2020-36565
+ RESERVED
+CVE-2020-36564
+ RESERVED
+CVE-2020-36563
+ RESERVED
+CVE-2019-25075
+ RESERVED
+CVE-2019-25074
+ RESERVED
+CVE-2019-25073
+ RESERVED
+CVE-2016-15005
+ RESERVED
+CVE-2022-37023
+ RESERVED
+CVE-2022-37022
+ RESERVED
+CVE-2022-37021
+ RESERVED
+CVE-2022-2581 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104. ...)
+ - vim 2:9.0.0135-1 (unimportant)
+ NOTE: https://huntr.dev/bounties/0bedbae2-82ae-46ae-aa68-1c28b309b60b/
+ NOTE: https://github.com/vim/vim/commit/f50940531dd57135fe60aa393ac9d3281f352d88 (v9.0.0105)
+ NOTE: Crash in CLI tool, no security impact
+CVE-2022-2580 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...)
+ - vim 2:9.0.0135-1
+ NOTE: https://huntr.dev/bounties/c5f2f1d4-0441-4881-b19c-055acaa16249/
+ NOTE: https://github.com/vim/vim/commit/1e56bda9048a9625bce6e660938c834c5c15b07d (v9.0.0104)
+CVE-2022-2579 (A vulnerability, which was classified as problematic, was found in Sou ...)
+ NOT-FOR-US: SourceCodester
+CVE-2022-2578 (A vulnerability, which was classified as critical, has been found in S ...)
+ NOT-FOR-US: SourceCodester
+CVE-2022-2577 (A vulnerability classified as critical was found in SourceCodester Gar ...)
+ NOT-FOR-US: SourceCodester
+CVE-2022-2576 (In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS r ...)
+ NOT-FOR-US: Eclipse Californium
+CVE-2022-2575
+ RESERVED
+CVE-2022-2574
+ RESERVED
+CVE-2022-2573
+ RESERVED
+CVE-2020-36562
+ RESERVED
+CVE-2020-36561
+ RESERVED
+CVE-2020-36560
+ RESERVED
+CVE-2020-36559
+ RESERVED
+CVE-2019-25072
+ RESERVED
+CVE-2018-25046
+ RESERVED
+CVE-2017-20146
+ RESERVED
+CVE-2015-10004
+ RESERVED
+CVE-2014-125026
+ RESERVED
+CVE-2013-10005
+ RESERVED
CVE-2022-37020
RESERVED
CVE-2022-37019
@@ -14,8 +3433,10 @@ CVE-2022-37014
RESERVED
CVE-2022-2572
RESERVED
-CVE-2022-2571
- RESERVED
+CVE-2022-2571 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...)
+ - vim 2:9.0.0135-1
+ NOTE: https://huntr.dev/bounties/2e5a1dc4-2dfb-4e5f-8c70-e1ede21f3571/
+ NOTE: https://github.com/vim/vim/commit/a6f9e300161f4cb54713da22f65b261595e8e614 (v9.0.0102)
CVE-2022-2570
RESERVED
CVE-2022-37013
@@ -42,22 +3463,22 @@ CVE-2022-2564 (Prototype Pollution in GitHub repository automattic/mongoose prio
NOT-FOR-US: Mongoose
CVE-2022-2563
RESERVED
-CVE-2022-37008
- RESERVED
-CVE-2022-37007
- RESERVED
-CVE-2022-37006
- RESERVED
-CVE-2022-37005
- RESERVED
-CVE-2022-37004
- RESERVED
-CVE-2022-37003
- RESERVED
-CVE-2022-37002
- RESERVED
-CVE-2022-37001
- RESERVED
+CVE-2022-37008 (The recovery module has a vulnerability of bypassing the verification ...)
+ NOT-FOR-US: Huawei
+CVE-2022-37007 (The chinadrm module has an out-of-bounds read vulnerability. Successfu ...)
+ NOT-FOR-US: Huawei
+CVE-2022-37006 (Permission control vulnerability in the network module. Successful exp ...)
+ NOT-FOR-US: Huawei
+CVE-2022-37005 (The Settings application has an argument injection vulnerability. Succ ...)
+ NOT-FOR-US: Huawei
+CVE-2022-37004 (The Settings application has a vulnerability of bypassing the out-of-b ...)
+ NOT-FOR-US: Huawei
+CVE-2022-37003 (The AOD module has a vulnerability in permission assignment. Successfu ...)
+ NOT-FOR-US: Huawei
+CVE-2022-37002 (The SystemUI module has a privilege escalation vulnerability. Successf ...)
+ NOT-FOR-US: Huawei
+CVE-2022-37001 (The diag-router module has a vulnerability in intercepting excessive l ...)
+ NOT-FOR-US: Huawei
CVE-2022-37000 (An issue was discovered in Veritas NetBackup 8.1.x through 8.1.2, 8.2, ...)
NOT-FOR-US: Veritas
CVE-2022-36999 (An issue was discovered in Veritas NetBackup 8.1.x through 8.1.2, 8.2, ...)
@@ -122,10 +3543,10 @@ CVE-2022-36970
RESERVED
CVE-2022-36969
RESERVED
-CVE-2022-36968
- RESERVED
-CVE-2022-36967
- RESERVED
+CVE-2022-36968 (In Progress WS_FTP Server prior to version 8.7.3, forms within the adm ...)
+ NOT-FOR-US: Progress WS_FTP Server
+CVE-2022-36967 (In Progress WS_FTP Server prior to version 8.7.3, multiple reflected c ...)
+ NOT-FOR-US: Progress WS_FTP Server
CVE-2022-36966
RESERVED
CVE-2022-36965
@@ -167,8 +3588,10 @@ CVE-2022-36948 (In Veritas NetBackup OpsCenter, a DOM XSS attack can occur. This
CVE-2022-36947
RESERVED
CVE-2022-36946 (nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel th ...)
- - linux <unfixed>
+ {DSA-5207-1}
+ - linux 5.18.16-1
NOTE: https://marc.info/?l=netfilter-devel&m=165883202007292&w=2
+ NOTE: Fixed by: https://git.kernel.org/linus/99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164
CVE-2022-36945
RESERVED
CVE-2022-36944
@@ -247,8 +3670,8 @@ CVE-2022-36925
RESERVED
CVE-2022-36924
RESERVED
-CVE-2022-36923
- RESERVED
+CVE-2022-36923 (Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Co ...)
+ NOT-FOR-US: Zoho ManageEngine
CVE-2022-2556
RESERVED
CVE-2022-2555
@@ -256,7 +3679,8 @@ CVE-2022-2555
CVE-2022-2554
RESERVED
CVE-2022-2553 (The authfile directive in the booth config file is ignored, preventing ...)
- - booth <unfixed>
+ {DSA-5194-1}
+ - booth 1.0-268-gdce51f9-1
NOTE: https://github.com/ClusterLabs/booth/issues/114
CVE-2022-2552
RESERVED
@@ -357,7 +3781,8 @@ CVE-2022-36881 (Jenkins Git client Plugin 3.11.0 and earlier does not perform SS
CVE-2022-36880 (The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows ...)
NOT-FOR-US: Webmin module
CVE-2022-36879 (An issue was discovered in the Linux kernel through 5.18.14. xfrm_expa ...)
- - linux <unfixed>
+ {DSA-5207-1}
+ - linux 5.18.16-1
NOTE: https://git.kernel.org/linus/f85daf0e725358be78dfd208dea5fd665d8cb901 (v5.19-rc8)
CVE-2022-36878
RESERVED
@@ -435,30 +3860,30 @@ CVE-2022-36842
RESERVED
CVE-2022-36841
RESERVED
-CVE-2022-36840
- RESERVED
-CVE-2022-36839
- RESERVED
-CVE-2022-36838
- RESERVED
-CVE-2022-36837
- RESERVED
-CVE-2022-36836
- RESERVED
-CVE-2022-36835
- RESERVED
-CVE-2022-36834
- RESERVED
-CVE-2022-36833
- RESERVED
-CVE-2022-36832
- RESERVED
-CVE-2022-36831
- RESERVED
-CVE-2022-36830
- RESERVED
-CVE-2022-36829
- RESERVED
+CVE-2022-36840 (DLL hijacking vulnerability in Samsung Update Setup prior to version 2 ...)
+ NOT-FOR-US: Samsung
+CVE-2022-36839 (SQL injection vulnerability via IAPService in Samsung Checkout prior t ...)
+ NOT-FOR-US: Samsung
+CVE-2022-36838 (Implicit Intent hijacking vulnerability in Galaxy Wearable prior to ve ...)
+ NOT-FOR-US: Samsung
+CVE-2022-36837 (Intent redirection vulnerability using implicit intent in Samsung emai ...)
+ NOT-FOR-US: Samsung
+CVE-2022-36836 (Unprotected provider vulnerability in Charm by Samsung prior to versio ...)
+ NOT-FOR-US: Samsung
+CVE-2022-36835 (Implicit Intent hijacking vulnerability in Samsung Internet Browser pr ...)
+ NOT-FOR-US: Samsung
+CVE-2022-36834 (Exposure of Sensitive Information vulnerability in Game Launcher prior ...)
+ NOT-FOR-US: Samsung
+CVE-2022-36833 (Improper Privilege Management vulnerability in Game Optimizing Service ...)
+ NOT-FOR-US: Samsung
+CVE-2022-36832 (Improper access control vulnerability in WebApp in Cameralyzer prior t ...)
+ NOT-FOR-US: Samsung
+CVE-2022-36831 (Path traversal vulnerability in UriFileUtils of Samsung Notes prior to ...)
+ NOT-FOR-US: Samsung
+CVE-2022-36830 (PendingIntent hijacking vulnerability in cancelAlarmManager in Charm b ...)
+ NOT-FOR-US: Samsung
+CVE-2022-36829 (PendingIntent hijacking vulnerability in releaseAlarm in Charm by Sams ...)
+ NOT-FOR-US: Samsung
CVE-2022-36828
RESERVED
CVE-2022-36827
@@ -513,12 +3938,12 @@ CVE-2022-36803
RESERVED
CVE-2022-36802
RESERVED
-CVE-2022-36801
- RESERVED
-CVE-2022-36800
- RESERVED
-CVE-2022-36799
- RESERVED
+CVE-2022-36801 (Affected versions of Atlassian Jira Server and Data Center allow anony ...)
+ NOT-FOR-US: Atlassian
+CVE-2022-36800 (Affected versions of Atlassian Jira Service Management Server and Data ...)
+ NOT-FOR-US: Atlassian
+CVE-2022-36799 (This issue exists to document that a security improvement in the way t ...)
+ NOT-FOR-US: Atlassian
CVE-2022-35401
RESERVED
CVE-2022-2548
@@ -579,8 +4004,7 @@ CVE-2022-2541
RESERVED
CVE-2022-2540
RESERVED
-CVE-2022-2539
- RESERVED
+CVE-2022-2539 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
- gitlab <unfixed>
CVE-2022-2538
RESERVED
@@ -623,8 +4047,8 @@ CVE-2022-36752 (png2webp v1.0.4 was discovered to contain an out-of-bounds write
NOT-FOR-US: png2webp
CVE-2022-36751
RESERVED
-CVE-2022-36750
- RESERVED
+CVE-2022-36750 (Clinic's Patient Management System v1.0 is vulnerable to SQL injection ...)
+ NOT-FOR-US: Clinic's Patient Management System
CVE-2022-36749
RESERVED
CVE-2022-36748
@@ -1071,14 +4495,14 @@ CVE-2022-36528
RESERVED
CVE-2022-36527
RESERVED
-CVE-2022-36526
- RESERVED
-CVE-2022-36525
- RESERVED
-CVE-2022-36524
- RESERVED
-CVE-2022-36523
- RESERVED
+CVE-2022-36526 (D-Link GO-RT-AC750 GORTAC750_revA_v101b03 &amp; GO-RT-AC750_revB_FWv20 ...)
+ NOT-FOR-US: D-Link
+CVE-2022-36525 (D-Link Go-RT-AC750 GORTAC750_revA_v101b03 &amp; GO-RT-AC750_revB_FWv20 ...)
+ NOT-FOR-US: D-Link
+CVE-2022-36524 (D-Link GO-RT-AC750 GORTAC750_revA_v101b03 &amp; GO-RT-AC750_revB_FWv20 ...)
+ NOT-FOR-US: D-Link
+CVE-2022-36523 (D-Link Go-RT-AC750 GORTAC750_revA_v101b03 &amp; GO-RT-AC750_revB_FWv20 ...)
+ NOT-FOR-US: D-Link
CVE-2022-36522
RESERVED
CVE-2022-36521
@@ -1229,8 +4653,8 @@ CVE-2022-36449
RESERVED
CVE-2022-36448
RESERVED
-CVE-2022-36447
- RESERVED
+CVE-2022-36447 (An inflation issue was discovered in Chia Network CAT1 Standard 1.0.0. ...)
+ NOT-FOR-US: Chia Network CAT1 Standard
CVE-2022-36446 (software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a U ...)
- webmin <removed>
CVE-2022-36445
@@ -1249,17 +4673,15 @@ CVE-2022-2537
RESERVED
CVE-2022-2536
RESERVED
-CVE-2022-2535
- RESERVED
-CVE-2022-2534
- RESERVED
+CVE-2022-2535 (The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not e ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2534 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
- gitlab <unfixed>
CVE-2022-2533
RESERVED
CVE-2022-2532
RESERVED
-CVE-2022-2531
- RESERVED
+CVE-2022-2531 (An issue has been discovered in GitLab EE affecting all versions start ...)
- gitlab <not-affected> (Specific to EE)
CVE-2022-2530
RESERVED
@@ -1291,9 +4713,10 @@ CVE-2022-2527
RESERVED
CVE-2021-46829 (GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buf ...)
- gdk-pixbuf 2.42.8+dfsg-1
+ [buster] - gdk-pixbuf <not-affected> (Vulnerable code not present; GIF animation support added later)
NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190
NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121
- NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/5398f04d772f7f8baf5265715696ed88db0f0512
+ NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/6976bdc8ee9dd2c2954f91066f7b0f643769a379 (2.42.8)
NOTE: https://www.openwall.com/lists/oss-security/2022/07/23/1
NOTE: http://www.openwall.com/lists/oss-security/2022/07/25/1
CVE-2022-2526
@@ -1327,7 +4750,11 @@ CVE-2022-34859
CVE-2022-33963
RESERVED
CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/ ...)
- NOT-FOR-US: Fava
+ - fava <unfixed> (bug #1016971)
+ [bullseye] - fava <no-dsa> (Minor issue)
+ [buster] - fava <no-dsa> (Minor issue)
+ NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f
+ NOTE: https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b (v1.22.2)
CVE-2022-36381
RESERVED
CVE-2022-36293
@@ -1350,8 +4777,8 @@ CVE-2022-36410
RESERVED
CVE-2022-36409
RESERVED
-CVE-2022-36408 (PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.7 allows remote attacke ...)
- NOT-FOR-US: PrestaShop
+CVE-2022-36408
+ REJECTED
CVE-2022-36398
RESERVED
CVE-2022-36396
@@ -1375,9 +4802,9 @@ CVE-2022-34147
CVE-2022-31137 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
NOT-FOR-US: Roxy-WI
CVE-2022-2522 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...)
- - vim <unfixed> (bug #1016068)
+ - vim 2:9.0.0135-1 (bug #1016068)
NOTE: https://huntr.dev/bounties/3a2d83af-9542-4d93-8784-98b115135a22
- NOTE: https://github.com/vim/vim/commit/5fa9f23a63651a8abdb074b4fc2ec9b1adc6b089
+ NOTE: https://github.com/vim/vim/commit/5fa9f23a63651a8abdb074b4fc2ec9b1adc6b089 (v9.0.0061)
CVE-2022-2521
RESERVED
CVE-2022-2520
@@ -1393,7 +4820,6 @@ CVE-2022-2516
CVE-2018-25045 (Django REST framework (aka django-rest-framework) before 3.9.1 allows ...)
{DSA-5186-1}
- djangorestframework 3.10.2-1
- [buster] - djangorestframework 3.9.0-1+deb10u1
NOTE: https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8 (3.9.1)
CVE-2022-36407
RESERVED
@@ -1403,8 +4829,8 @@ CVE-2022-36386
RESERVED
CVE-2022-36379
RESERVED
-CVE-2022-36378
- RESERVED
+CVE-2022-36378 (Authenticated (author or higher user role) Stored Cross-Site Scripting ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-36375 (Authenticated (high role user) WordPress Options Change vulnerability ...)
NOT-FOR-US: WordPress plugin
CVE-2022-36371
@@ -1415,20 +4841,20 @@ CVE-2022-36346
RESERVED
CVE-2022-36344
RESERVED
-CVE-2022-36343
- RESERVED
+CVE-2022-36343 (Authenticated (author or higher user role) Stored Cross-Site Scripting ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-36341
RESERVED
-CVE-2022-36296
- RESERVED
+CVE-2022-36296 (Broken Authentication vulnerability in JumpDEMAND Inc. ActiveDEMAND pl ...)
+ NOT-FOR-US: JumpDEMAND
CVE-2022-36292
RESERVED
CVE-2022-36288
RESERVED
CVE-2022-36285
RESERVED
-CVE-2022-36284
- RESERVED
+CVE-2022-36284 (Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerc ...)
+ NOT-FOR-US: WooCommerce addon
CVE-2022-36282
RESERVED
CVE-2022-35882 (Authenticated (author or higher user role) Stored Cross-Site Scripting ...)
@@ -1447,26 +4873,29 @@ CVE-2022-34648
RESERVED
CVE-2022-34344
RESERVED
-CVE-2022-34154
- RESERVED
+CVE-2022-34154 (Authenticated (author or higher user role) Arbitrary File Upload vulne ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-33970 (Authenticated WordPress Options Change vulnerability in Biplob018 Shor ...)
NOT-FOR-US: WordPress plugin
CVE-2022-33969 (Authenticated WordPress Options Change vulnerability in Biplob Adhikar ...)
NOT-FOR-US: WordPress plugin
CVE-2022-33943 (Authenticated (contributor or higher user role) Cross-Site Scripting ( ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-33201
- RESERVED
+CVE-2022-33201 (Cross-Site Request Forgery (CSRF) vulnerability in MailerLite &#8211; ...)
+ NOT-FOR-US: MailerLite
CVE-2022-33142
RESERVED
CVE-2022-2515
RESERVED
CVE-2022-2514 (The time and filter parameters in Fava prior to v1.22 are vulnerable t ...)
- NOT-FOR-US: Fava
+ - fava <unfixed> (bug #1016971)
+ [bullseye] - fava <no-dsa> (Minor issue)
+ [buster] - fava <no-dsa> (Minor issue)
+ NOTE: https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
+ NOTE: https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711 (v1.22)
CVE-2022-2513
RESERVED
-CVE-2022-2512
- RESERVED
+CVE-2022-2512 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
- gitlab <unfixed>
CVE-2022-2511 (Cross-site Scripting (XSS) vulnerability in the "commonuserinterface" ...)
NOT-FOR-US: BlueSpice
@@ -1494,8 +4923,12 @@ CVE-2022-32570
RESERVED
CVE-2022-32232
RESERVED
-CVE-2022-2509
- RESERVED
+CVE-2022-2509 (A vulnerability found in gnutls. This security flaw happens because of ...)
+ {DSA-5203-1 DLA-3070-1}
+ - gnutls28 3.7.7-1
+ NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2022-07-07
+ NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1383 (restricted)
+ NOTE: https://gitlab.com/gnutls/gnutls/-/commit/ce37f9eb265dbe9b6d597f5767449e8ee95848e2
CVE-2022-2508
RESERVED
CVE-2022-2507
@@ -1516,24 +4949,31 @@ CVE-2022-2505
RESERVED
- firefox 103.0-1
- thunderbird 1:102.1.0-1
+ [bullseye] - thunderbird <not-affected> (Only affects 102 ESR)
+ [buster] - thunderbird <not-affected> (Only affects 102 ESR)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-30/#CVE-2022-2505
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-32/#CVE-2022-2505
CVE-2022-2504
RESERVED
-CVE-2022-2503
- RESERVED
+CVE-2022-2503 (Dm-verity is used for extending root-of-trust to root filesystems. Loa ...)
+ TODO: check
CVE-2022-2502
RESERVED
-CVE-2022-36359
- RESERVED
+CVE-2022-36359 (An issue was discovered in the HTTP FileResponse class in Django 3.2 b ...)
+ - python-django 3:3.2.15-1
+ [buster] - python-django <not-affected> (Vulnerable code introduced in 2.1)
+ NOTE: https://www.openwall.com/lists/oss-security/2022/08/03/1
+ NOTE: https://github.com/django/django/commit/bd062445cffd3f6cc6dcd20d13e2abed818fa173 (main)
+ NOTE: https://github.com/django/django/commit/b3e4494d759202a3b6bf247fd34455bf13be5b80 (3.2.15)
+ NOTE: Introduced by: https://github.com/django/django/commit/a177f854c34718e473bcd0a2dc6c4fd935c8e327
CVE-2022-36342
RESERVED
CVE-2022-36338
RESERVED
CVE-2022-36337
RESERVED
-CVE-2022-36336
- RESERVED
+CVE-2022-36336 (A link following vulnerability in the scanning function of Trend Micro ...)
+ NOT-FOR-US: Trend Micro
CVE-2022-36297
RESERVED
CVE-2022-36286
@@ -1552,28 +4992,25 @@ CVE-2022-29494
RESERVED
CVE-2022-29493
RESERVED
-CVE-2022-2501
- RESERVED
+CVE-2022-2501 (An improper access control issue in GitLab EE affecting all versions f ...)
- gitlab <not-affected> (Specific to EE)
-CVE-2022-2500
- RESERVED
+CVE-2022-2500 (A cross-site scripting issue has been discovered in GitLab CE/EE affec ...)
- gitlab <unfixed>
-CVE-2022-2499
- RESERVED
+CVE-2022-2499 (An issue has been discovered in GitLab EE affecting all versions start ...)
- gitlab <not-affected> (Specific to EE)
-CVE-2022-2498
- RESERVED
+CVE-2022-2498 (An issue in pipeline subscriptions in GitLab EE affecting all versions ...)
- gitlab <unfixed>
-CVE-2022-2497
- RESERVED
+CVE-2022-2497 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
- gitlab <unfixed>
CVE-2022-2496
RESERVED
CVE-2020-36558 (A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX ...)
- - linux 5.6.7-1
+ - linux 5.5.13-1
+ [buster] - linux 4.19.118-1
NOTE: https://git.kernel.org/linus/6cd1ed50efd88261298577cd92a14f2768eddeeb (v5.6-rc3)
CVE-2020-36557 (A race condition in the Linux kernel before 5.6.2 between the VT_DISAL ...)
- - linux 5.7.6-1
+ - linux 5.5.17-1
+ [buster] - linux 4.19.118-1
NOTE: https://git.kernel.org/linus/ca4463bf8438b403596edd0ec961ca0d4fbe0220 (v5.7-rc1)
CVE-2022-36335
RESERVED
@@ -1595,12 +5032,12 @@ CVE-2022-36327
RESERVED
CVE-2022-36326
RESERVED
-CVE-2022-36325
- RESERVED
-CVE-2022-36324
- RESERVED
-CVE-2022-36323
- RESERVED
+CVE-2022-36325 (A vulnerability has been identified in SCALANCE M-800 / S615 (All vers ...)
+ NOT-FOR-US: Siemens
+CVE-2022-36324 (A vulnerability has been identified in SCALANCE M-800 / S615 (All vers ...)
+ NOT-FOR-US: Siemens
+CVE-2022-36323 (A vulnerability has been identified in SCALANCE M-800 / S615 (All vers ...)
+ NOT-FOR-US: Siemens
CVE-2022-36322 (In JetBrains TeamCity before 2022.04.2 build parameter injection was p ...)
NOT-FOR-US: JetBrains TeamCity
CVE-2022-36321 (In JetBrains TeamCity before 2022.04.2 the private SSH key could be wr ...)
@@ -1611,7 +5048,7 @@ CVE-2022-36320
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-30/#CVE-2022-36320
CVE-2022-36319
RESERVED
- {DSA-5193-1}
+ {DSA-5195-1 DSA-5193-1}
- firefox 103.0-1
- firefox-esr 91.12.0esr-1
- thunderbird 1:102.1.0-1
@@ -1620,7 +5057,7 @@ CVE-2022-36319
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-32/#CVE-2022-36319
CVE-2022-36318
RESERVED
- {DSA-5193-1}
+ {DSA-5195-1 DSA-5193-1}
- firefox 103.0-1
- firefox-esr 91.12.0esr-1
- thunderbird 1:102.1.0-1
@@ -1668,23 +5105,24 @@ CVE-2022-2487 (A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and
CVE-2022-2486 (A vulnerability, which was classified as critical, was found in WAVLIN ...)
NOT-FOR-US: WAVLINK
CVE-2021-46828 (In libtirpc before 1.3.3rc1, remote attackers could exhaust the file d ...)
- - libtirpc <unfixed> (bug #1015873)
- NOTE: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed
- NOTE: Introduced by http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=b2c9430f46c4ac848957fb8adaac176a3f6ac03f (libtirpc-0-3-3-rc3)
-CVE-2022-36312
- RESERVED
-CVE-2022-36311
- RESERVED
-CVE-2022-36310
- RESERVED
-CVE-2022-36309
- RESERVED
-CVE-2022-36308
- RESERVED
-CVE-2022-36307
- RESERVED
-CVE-2022-36306
- RESERVED
+ {DSA-5200-1 DLA-3071-1}
+ - libtirpc 1.3.2-2.1 (bug #1015873)
+ NOTE: Fixed by: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed (libtirpc-1-3-3-rc1)
+ NOTE: Introduced by: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=b2c9430f46c4ac848957fb8adaac176a3f6ac03f (libtirpc-0-3-3-rc3)
+CVE-2022-36312 (Airspan AirVelocity 1500 software version 15.18.00.2511 lacks CSRF pro ...)
+ NOT-FOR-US: Airspan AirVelocity 1500 software
+CVE-2022-36311 (Airspan AirVelocity 1500 prior to software version 15.18.00.2511 is vu ...)
+ NOT-FOR-US: Airspan AirVelocity 1500 software
+CVE-2022-36310 (Airspan AirVelocity 1500 software prior to version 15.18.00.2511 had N ...)
+ NOT-FOR-US: Airspan AirVelocity 1500 software
+CVE-2022-36309 (Airspan AirVelocity 1500 software versions prior to 15.18.00.2511 have ...)
+ NOT-FOR-US: Airspan AirVelocity 1500 software
+CVE-2022-36308 (Airspan AirVelocity 1500 web management UI displays SNMP credentials i ...)
+ NOT-FOR-US: Airspan AirVelocity 1500
+CVE-2022-36307 (The AirVelocity 1500 prints SNMP credentials on its physically accessi ...)
+ NOT-FOR-US: Airspan AirVelocity 1500
+CVE-2022-36306 (An authenticated attacker can enumerate and download sensitive files, ...)
+ NOT-FOR-US: Airspan AirVelocity 1500
CVE-2022-36294
RESERVED
CVE-2022-36290
@@ -1739,20 +5177,20 @@ CVE-2022-36304 (Vesta v1.0.0-5 was discovered to contain a cross-site scripting
NOT-FOR-US: Vesta
CVE-2022-36303 (Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) ...)
NOT-FOR-US: Vesta
-CVE-2022-36302
- RESERVED
-CVE-2022-36301
- RESERVED
+CVE-2022-36302 (File path manipulation vulnerability in BF-OS version 3.00 up to and i ...)
+ NOT-FOR-US: BF-OS
+CVE-2022-36301 (BF-OS version 3.x up to and including 3.83 do not enforce strong passw ...)
+ NOT-FOR-US: BF-OS
CVE-2022-36300
RESERVED
CVE-2022-30706 (Open redirect vulnerability in Booked versions prior to 3.3 allows a r ...)
NOT-FOR-US: Booked
CVE-2022-2476 (A null pointer dereference bug was found in wavpack-5.4.0 The results ...)
- - wavpack <unfixed> (bug #1015790)
+ - wavpack 5.5.0-1 (bug #1015790)
[bullseye] - wavpack <no-dsa> (Minor issue)
[buster] - wavpack <no-dsa> (Minor issue)
NOTE: https://github.com/dbry/WavPack/issues/121
- NOTE: https://github.com/dbry/WavPack/commit/25b4a2725d8568212e7cf89ca05ca29d128af7ac
+ NOTE: https://github.com/dbry/WavPack/commit/25b4a2725d8568212e7cf89ca05ca29d128af7ac (5.5.0)
CVE-2022-2475
RESERVED
CVE-2022-2474
@@ -1777,48 +5215,48 @@ CVE-2022-2467 (A vulnerability has been found in SourceCodester Garage Managemen
NOT-FOR-US: SourceCodester Garage Management
CVE-2016-15004 (A vulnerability was found in InfiniteWP Client Plugin 1.5.1.3/1.6.0. I ...)
NOT-FOR-US: InfiniteWP
-CVE-2022-35735
- RESERVED
-CVE-2022-35728
- RESERVED
-CVE-2022-35272
- RESERVED
-CVE-2022-35245
- RESERVED
-CVE-2022-35243
- RESERVED
-CVE-2022-35241
- RESERVED
-CVE-2022-35240
- RESERVED
-CVE-2022-35236
- RESERVED
-CVE-2022-34865
- RESERVED
-CVE-2022-34862
- RESERVED
-CVE-2022-34851
- RESERVED
-CVE-2022-34844
- RESERVED
-CVE-2022-34655
- RESERVED
-CVE-2022-34651
- RESERVED
-CVE-2022-33968
- RESERVED
-CVE-2022-33962
- RESERVED
-CVE-2022-33947
- RESERVED
-CVE-2022-33203
- RESERVED
-CVE-2022-32455
- RESERVED
-CVE-2022-31473
- RESERVED
-CVE-2022-30535
- RESERVED
+CVE-2022-35735 (In BIG-IP Versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14. ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-35728 (In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15. ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-35272 (In BIG-IP Versions 17.0.x before 17.0.0.1 and 16.1.x before 16.1.3.1, ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-35245 (In BIG-IP Versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, and ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-35243 (In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.5.1, 14.1. ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-35241 (In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Insta ...)
+ NOT-FOR-US: F5
+CVE-2022-35240 (In BIG-IP Versions 16.1.x before 16.1.2.2, 15.1.x before 15.1.6.1, and ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-35236 (In BIG-IP Versions 16.1.x before 16.1.2.2, 15.1.x before 15.1.6.1, and ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-34865 (In BIG-IP Versions 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and a ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-34862 (In BIG-IP Versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14. ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-34851 (In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15. ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-34844 (In BIG-IP Versions 16.1.x before 16.1.3.1 and 15.1.x before 15.1.6.1, ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-34655 (In BIG-IP Versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.6.1, and ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-34651 (In BIG-IP Versions 16.1.x before 16.1.3.1 and 15.1.x before 15.1.6.1, ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-33968 (In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15. ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-33962 (In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15. ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-33947 (In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1. ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-33203 (In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, and 1 ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-32455 (In BIG-IP Versions 16.1.x before 16.1.2.2, 15.1.x before 15.1.6.1, 14. ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-31473 (In BIG-IP Versions 16.1.x before 16.1.1 and 15.1.x before 15.1.4, when ...)
+ NOT-FOR-US: F5 BIG-IP
+CVE-2022-30535 (In versions 2.x before 2.3.0 and all versions of 1.x, An attacker auth ...)
+ NOT-FOR-US: F5
CVE-2022-2466
RESERVED
CVE-2022-2465
@@ -1835,17 +5273,15 @@ CVE-2022-36277
RESERVED
CVE-2022-36276
RESERVED
-CVE-2022-2460
- RESERVED
-CVE-2022-2459
- RESERVED
+CVE-2022-2460 (The WPDating WordPress plugin through 7.1.9 does not properly escape u ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2459 (An issue has been discovered in GitLab EE affecting all versions befor ...)
- gitlab <not-affected> (Specific to EE)
-CVE-2022-2458
- RESERVED
-CVE-2022-2457
- RESERVED
-CVE-2022-2456
- RESERVED
+CVE-2022-2458 (XML external entity injection(XXE) is a vulnerability that allows an a ...)
+ NOT-FOR-US: Red Hat Process Automation Manager
+CVE-2022-2457 (A flaw was found in Red Hat Process Automation Manager 7 where an atta ...)
+ NOT-FOR-US: Red Hat Process Automation Manager
+CVE-2022-2456 (An issue has been discovered in GitLab CE/EE affecting all versions be ...)
- gitlab <unfixed>
CVE-2022-36275
RESERVED
@@ -1857,24 +5293,24 @@ CVE-2022-36272
RESERVED
CVE-2022-36271
RESERVED
-CVE-2022-36270
- RESERVED
+CVE-2022-36270 (Clinic's Patient Management System v1.0 has arbitrary code execution v ...)
+ NOT-FOR-US: Clinic's Patient Management System
CVE-2022-36269
RESERVED
CVE-2022-36268
RESERVED
-CVE-2022-36267
- RESERVED
-CVE-2022-36266
- RESERVED
-CVE-2022-36265
- RESERVED
-CVE-2022-36264
- RESERVED
+CVE-2022-36267 (In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a Una ...)
+ NOT-FOR-US: Airspan AirSpot
+CVE-2022-36266 (In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a sto ...)
+ NOT-FOR-US: Airspan AirSpot
+CVE-2022-36265 (In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a Hid ...)
+ NOT-FOR-US: Airspan AirSpot
+CVE-2022-36264 (In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists an Un ...)
+ NOT-FOR-US: Airspan AirSpot
CVE-2022-36263
RESERVED
-CVE-2022-36262
- RESERVED
+CVE-2022-36262 (An issue was discovered in taocms 3.0.2. in the website settings that ...)
+ NOT-FOR-US: taocms
CVE-2022-36261
RESERVED
CVE-2022-36260
@@ -2003,8 +5439,8 @@ CVE-2022-36199
RESERVED
CVE-2022-36198
RESERVED
-CVE-2022-36197
- RESERVED
+CVE-2022-36197 (BigTree CMS 4.4.16 was discovered to contain an arbitrary file upload ...)
+ NOT-FOR-US: BigTree CMS
CVE-2022-36196
RESERVED
CVE-2022-36195
@@ -2139,7 +5575,7 @@ CVE-2022-36131 (The Better PDF Exporter add-on 10.0.0 for Atlassian Jira is pron
NOT-FOR-US: Atlassian addon
CVE-2022-36130
RESERVED
-CVE-2022-36129 (HashiCorp Vault and Vault Enterprise through 2022-07-17 have Incorrect ...)
+CVE-2022-36129 (HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clu ...)
NOT-FOR-US: HashiCorp Vault
CVE-2022-2455
RESERVED
@@ -2187,12 +5623,16 @@ CVE-2016-15003 (A vulnerability has been found in FileZilla Client 3.17.0.0 and
- filezilla <not-affected> (Installer not relevant to Debian)
CVE-2015-10003 (A vulnerability, which was classified as problematic, was found in Fil ...)
NOT-FOR-US: FileZilla server
-CVE-2022-36125
- RESERVED
-CVE-2022-36124
- RESERVED
-CVE-2022-36123
- RESERVED
+CVE-2022-36125 (It is possible to crash (panic) an application by providing a corrupte ...)
+ NOT-FOR-US: Apache Avro
+CVE-2022-36124 (It is possible for a Reader to consume memory beyond the allowed const ...)
+ NOT-FOR-US: Apache Avro
+CVE-2022-36123 (The Linux kernel before 5.18.13 lacks a certain clear operation for th ...)
+ - linux 5.18.14-1
+ [bullseye] - linux <not-affected> (Vulnerability introduced later)
+ [buster] - linux <not-affected> (Vulnerability introduced later)
+ NOTE: https://github.com/sickcodes/security/blob/master/advisories/SICK-2022-128.md
+ NOTE: https://sick.codes/sick-2022-128
CVE-2022-36122
RESERVED
CVE-2022-36121
@@ -2417,16 +5857,16 @@ CVE-2022-36012
RESERVED
CVE-2022-36011
RESERVED
-CVE-2022-36010
- RESERVED
+CVE-2022-36010 (This library allows strings to be parsed as functions and stored as a ...)
+ TODO: check
CVE-2022-36009
RESERVED
CVE-2022-36008
RESERVED
-CVE-2022-36007
- RESERVED
-CVE-2022-36006
- RESERVED
+CVE-2022-36007 (Venice is a Clojure inspired sandboxed Lisp dialect with excellent Jav ...)
+ NOT-FOR-US: Venice
+CVE-2022-36006 (Arvados is an open source platform for managing, processing, and shari ...)
+ NOT-FOR-US: Arvados
CVE-2022-36005
RESERVED
CVE-2022-36004
@@ -2477,12 +5917,12 @@ CVE-2022-35982
RESERVED
CVE-2022-35981
RESERVED
-CVE-2022-35980
- RESERVED
+CVE-2022-35980 (OpenSearch Security is a plugin for OpenSearch that offers encryption, ...)
+ NOT-FOR-US: OpenSearch Security plugin for OpenSearch
CVE-2022-35979
RESERVED
-CVE-2022-35978
- RESERVED
+CVE-2022-35978 (Minetest is a free open-source voxel game engine with easy modding and ...)
+ TODO: check
CVE-2022-35977
RESERVED
CVE-2022-35976
@@ -2515,34 +5955,38 @@ CVE-2022-35963
RESERVED
CVE-2022-35962
RESERVED
-CVE-2022-35961
- RESERVED
+CVE-2022-35961 (OpenZeppelin Contracts is a library for secure smart contract developm ...)
+ NOT-FOR-US: OpenZeppelin
CVE-2022-35960
RESERVED
CVE-2022-35959
RESERVED
-CVE-2022-35958
- RESERVED
+CVE-2022-35958 (Discourse is a 100% open source discussion platform. A malicious user ...)
+ NOT-FOR-US: Discourse
CVE-2022-35957
RESERVED
-CVE-2022-35956
- RESERVED
+CVE-2022-35956 (This Rails gem adds two methods to the ActiveRecord::Base class that a ...)
+ TODO: check
CVE-2022-35955
RESERVED
-CVE-2022-35954
- RESERVED
-CVE-2022-35953
- RESERVED
+CVE-2022-35954 (The GitHub Actions ToolKit provides a set of packages to make creating ...)
+ NOT-FOR-US: GitHub Actions ToolKit
+CVE-2022-35953 (BookWyrm is a social network for tracking your reading, talking about ...)
+ NOT-FOR-US: BookWyrm
CVE-2022-35952
RESERVED
CVE-2022-35951
RESERVED
CVE-2022-35950
RESERVED
-CVE-2022-35949
- RESERVED
-CVE-2022-35948
- RESERVED
+CVE-2022-35949 (undici is an HTTP/1.1 client, written from scratch for Node.js.`undici ...)
+ - node-undici 5.8.2+dfsg1+~cs18.9.18.1-1
+ NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3
+ NOTE: https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895 (v5.8.2)
+CVE-2022-35948 (undici is an HTTP/1.1 client, written from scratch for Node.js.`=&lt; ...)
+ - node-undici 5.8.2+dfsg1+~cs18.9.18.1-1
+ NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3
+ NOTE: https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80 (v5.8.2)
CVE-2022-35947
RESERVED
CVE-2022-35946
@@ -2551,10 +5995,10 @@ CVE-2022-35945
RESERVED
CVE-2022-35944
RESERVED
-CVE-2022-35943
- RESERVED
-CVE-2022-35942
- RESERVED
+CVE-2022-35943 (Shield is an authentication and authorization framework for CodeIgnite ...)
+ - codeigniter <itp> (bug #471583)
+CVE-2022-35942 (Improper input validation on the `contains` LoopBack filter may allow ...)
+ NOT-FOR-US: PostgreSQL connector for LoopBack
CVE-2022-35941
RESERVED
CVE-2022-35940
@@ -2565,50 +6009,50 @@ CVE-2022-35938
RESERVED
CVE-2022-35937
RESERVED
-CVE-2022-35936
- RESERVED
+CVE-2022-35936 (Ethermint is an Ethereum library. In Ethermint running versions before ...)
+ NOT-FOR-US: Ethermint
CVE-2022-35935
RESERVED
CVE-2022-35934
RESERVED
CVE-2022-35933
RESERVED
-CVE-2022-35932
- RESERVED
+CVE-2022-35932 (Nextcloud Talk is a video and audio conferencing app for Nextcloud. Pr ...)
+ NOT-FOR-US: Nextcloud Talk
CVE-2022-35931
RESERVED
-CVE-2022-35930
- RESERVED
-CVE-2022-35929
- RESERVED
-CVE-2022-35928
- RESERVED
-CVE-2022-35927
- RESERVED
-CVE-2022-35926
- RESERVED
-CVE-2022-35925
- RESERVED
-CVE-2022-35924
- RESERVED
-CVE-2022-35923
- RESERVED
-CVE-2022-35922
- RESERVED
-CVE-2022-35921
- RESERVED
-CVE-2022-35920
- RESERVED
-CVE-2022-35919
- RESERVED
-CVE-2022-35918
- RESERVED
-CVE-2022-35917
- RESERVED
-CVE-2022-35916
- RESERVED
-CVE-2022-35915
- RESERVED
+CVE-2022-35930 (PolicyController is a utility used to enforce supply chain policy in K ...)
+ NOT-FOR-US: sigstore/policy-controller
+CVE-2022-35929 (cosign is a container signing and verification utility. In versions pr ...)
+ NOT-FOR-US: Cosign
+CVE-2022-35928 (AES Crypt is a file encryption software for multiple platforms. AES Cr ...)
+ NOT-FOR-US: AES Crypt
+CVE-2022-35927 (Contiki-NG is an open-source, cross-platform operating system for IoT ...)
+ NOT-FOR-US: Contiki-NG
+CVE-2022-35926 (Contiki-NG is an open-source, cross-platform operating system for IoT ...)
+ NOT-FOR-US: Contiki-NG
+CVE-2022-35925 (BookWyrm is a social network for tracking reading. Versions prior to 0 ...)
+ NOT-FOR-US: BookWyrm
+CVE-2022-35924 (NextAuth.js is a complete open source authentication solution for Next ...)
+ NOT-FOR-US: Node NextAuth.js
+CVE-2022-35923 (v8n is a javascript validation library. Versions of v8n prior to 1.5.1 ...)
+ NOT-FOR-US: Node v8n
+CVE-2022-35922 (Rust-WebSocket is a WebSocket (RFC6455) library written in Rust. In ve ...)
+ NOT-FOR-US: Rust crate websocket
+CVE-2022-35921 (fof/byobu is a private discussions extension for Flarum forum. Affecte ...)
+ NOT-FOR-US: Sanicfof/byobu (different from src:byobu)
+CVE-2022-35920 (Sanic is an opensource python web server/framework. Affected versions ...)
+ NOT-FOR-US: Sanic
+CVE-2022-35919 (MinIO is a High Performance Object Storage released under GNU Affero G ...)
+ NOT-FOR-US: MinIO
+CVE-2022-35918 (Streamlit is a data oriented application development framework for pyt ...)
+ NOT-FOR-US: Streamlit
+CVE-2022-35917 (Solana Pay is a protocol and set of reference implementations that ena ...)
+ NOT-FOR-US: Solana Pay
+CVE-2022-35916 (OpenZeppelin Contracts is a library for secure smart contract developm ...)
+ NOT-FOR-US: OpenZeppelin
+CVE-2022-35915 (OpenZeppelin Contracts is a library for secure smart contract developm ...)
+ NOT-FOR-US: OpenZeppelin
CVE-2022-35914
RESERVED
CVE-2022-35913
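Review bot: The NOT-FOR-US annotation for CVE-2022-35921 reads `NOT-FOR-US: Sanicfof/byobu (different from src:byobu)`, which does not match the project named in its own description (fof/byobu); the `Sanic` prefix looks like it was carried over from the following CVE-2022-35920 entry, whose annotation is `NOT-FOR-US: Sanic`. Suggest `NOT-FOR-US: fof/byobu (different from src:byobu)` so the disambiguation against src:byobu still reads correctly. The rest of this hunk's new entries are consistent with their descriptions.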
@@ -2731,14 +6175,14 @@ CVE-2022-2428
RESERVED
CVE-2022-2427
RESERVED
-CVE-2022-2426
- RESERVED
-CVE-2022-2425
- RESERVED
-CVE-2022-2424
- RESERVED
-CVE-2022-2423
- RESERVED
+CVE-2022-2426 (The Thinkific Uploader WordPress plugin through 1.0.0 does not sanitis ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2425 (The WP DS Blog Map WordPress plugin through 3.1.3 does not sanitise an ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2424 (The Google Maps Anywhere WordPress plugin through 1.2.6.3 does not san ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2423 (The DW Promobar WordPress plugin through 1.0.4 does not sanitise and e ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2422
RESERVED
CVE-2022-2421
@@ -2749,8 +6193,7 @@ CVE-2022-2419 (A vulnerability was found in URVE Web Manager. It has been declar
NOT-FOR-US: URVE Web Manager
CVE-2022-2418 (A vulnerability was found in URVE Web Manager. It has been classified ...)
NOT-FOR-US: URVE Web Manager
-CVE-2022-2417
- RESERVED
+CVE-2022-2417 (Insufficient validation in GitLab CE/EE affecting all versions from 12 ...)
- gitlab <unfixed>
CVE-2022-2416
RESERVED
@@ -2770,30 +6213,30 @@ CVE-2022-35869 (This vulnerability allows remote attackers to bypass authenticat
NOT-FOR-US: Ignition
CVE-2022-35868
RESERVED
-CVE-2022-35867
- RESERVED
-CVE-2022-35866
- RESERVED
-CVE-2022-35865
- RESERVED
-CVE-2022-35864
- RESERVED
-CVE-2022-2414
- RESERVED
+CVE-2022-35867 (This vulnerability allows local attackers to escalate privileges on af ...)
+ NOT-FOR-US: xhyve
+CVE-2022-35866 (This vulnerability allows remote attackers to bypass authentication on ...)
+ NOT-FOR-US: Vinchin Backup and Recovery
+CVE-2022-35865 (This vulnerability allows remote attackers to execute arbitrary code o ...)
+ NOT-FOR-US: BMC Track-It!
+CVE-2022-35864 (This vulnerability allows remote attackers to disclose sensitive infor ...)
+ NOT-FOR-US: BMC Track-It!
+CVE-2022-2414 (Access to external entities when parsing XML documents can lead to XML ...)
- dogtag-pki <unfixed> (bug #1014957)
+ [bullseye] - dogtag-pki <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2104676
NOTE: https://github.com/dogtagpki/pki/pull/4021
NOTE: https://github.com/dogtagpki/pki/commit/4e893243d72ad766558c10c907841f5f9c047055
CVE-2022-2413
RESERVED
-CVE-2022-2412
- RESERVED
-CVE-2022-2411
- RESERVED
-CVE-2022-2410
- RESERVED
-CVE-2022-2409
- RESERVED
+CVE-2022-2412 (The Better Tag Cloud WordPress plugin through 0.99.5 does not sanitise ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2411 (The Auto More Tag WordPress plugin through 4.0.0 does not sanitise and ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2410 (The mTouch Quiz WordPress plugin through 3.1.3 does not sanitise and e ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2409 (The Rough Chart WordPress plugin through 1.0.0 does not properly escap ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2408 (The Guest account feature in Mattermost version 6.7.0 and earlier fail ...)
- mattermost-server <itp> (bug #823556)
CVE-2022-2407
@@ -2812,13 +6255,13 @@ CVE-2022-35863
CVE-2022-35862
RESERVED
CVE-2022-35861 (pyenv 1.2.24 through 2.3.2 allows local users to gain privileges via a ...)
- NOT-FOR-US: pyenv
+ - pyenv <itp> (bug #978149)
CVE-2022-35860
RESERVED
CVE-2022-35859
RESERVED
-CVE-2022-35858
- RESERVED
+CVE-2022-35858 (The TEE_PopulateTransientObject and __utee_from_attr functions in Sams ...)
+ NOT-FOR-US: Samsung mTower
CVE-2022-35857 (kvf-admin through 2022-02-12 allows remote attackers to execute arbitr ...)
NOT-FOR-US: kvf-admin
CVE-2022-35856
@@ -2879,142 +6322,142 @@ CVE-2022-35829
RESERVED
CVE-2022-35828
RESERVED
-CVE-2022-35827
- RESERVED
-CVE-2022-35826
- RESERVED
-CVE-2022-35825
- RESERVED
-CVE-2022-35824
- RESERVED
+CVE-2022-35827 (Visual Studio Remote Code Execution Vulnerability. This CVE ID is uniq ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35826 (Visual Studio Remote Code Execution Vulnerability. This CVE ID is uniq ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35825 (Visual Studio Remote Code Execution Vulnerability. This CVE ID is uniq ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35824 (Azure Site Recovery Remote Code Execution Vulnerability. This CVE ID i ...)
+ NOT-FOR-US: Microsoft
CVE-2022-35823
RESERVED
-CVE-2022-35822
- RESERVED
-CVE-2022-35821
- RESERVED
-CVE-2022-35820
- RESERVED
-CVE-2022-35819
- RESERVED
-CVE-2022-35818
- RESERVED
-CVE-2022-35817
- RESERVED
-CVE-2022-35816
- RESERVED
-CVE-2022-35815
- RESERVED
-CVE-2022-35814
- RESERVED
-CVE-2022-35813
- RESERVED
-CVE-2022-35812
- RESERVED
-CVE-2022-35811
- RESERVED
-CVE-2022-35810
- RESERVED
-CVE-2022-35809
- RESERVED
-CVE-2022-35808
- RESERVED
-CVE-2022-35807
- RESERVED
-CVE-2022-35806
- RESERVED
+CVE-2022-35822 (Windows Defender Credential Guard Security Feature Bypass Vulnerabilit ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35821 (Azure Sphere Information Disclosure Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35820 (Windows Bluetooth Driver Elevation of Privilege Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35819 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35818 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35817 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35816 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35815 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35814 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35813 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35812 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35811 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35810 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35809 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35808 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35807 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35806 (Azure RTOS GUIX Studio Remote Code Execution Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
CVE-2022-35805
RESERVED
-CVE-2022-35804
- RESERVED
+CVE-2022-35804 (SMB Client and Server Remote Code Execution Vulnerability. ...)
+ NOT-FOR-US: Microsoft
CVE-2022-35803
RESERVED
-CVE-2022-35802
- RESERVED
-CVE-2022-35801
- RESERVED
-CVE-2022-35800
- RESERVED
-CVE-2022-35799
- RESERVED
+CVE-2022-35802 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35801 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35800 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35799 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
CVE-2022-35798
RESERVED
-CVE-2022-35797
- RESERVED
-CVE-2022-35796
- RESERVED
-CVE-2022-35795
- RESERVED
-CVE-2022-35794
- RESERVED
-CVE-2022-35793
- RESERVED
-CVE-2022-35792
- RESERVED
-CVE-2022-35791
- RESERVED
-CVE-2022-35790
- RESERVED
-CVE-2022-35789
- RESERVED
-CVE-2022-35788
- RESERVED
-CVE-2022-35787
- RESERVED
-CVE-2022-35786
- RESERVED
-CVE-2022-35785
- RESERVED
-CVE-2022-35784
- RESERVED
-CVE-2022-35783
- RESERVED
-CVE-2022-35782
- RESERVED
-CVE-2022-35781
- RESERVED
-CVE-2022-35780
- RESERVED
-CVE-2022-35779
- RESERVED
+CVE-2022-35797 (Windows Hello Security Feature Bypass Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35796 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35795 (Windows Error Reporting Service Elevation of Privilege Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35794 (Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35793 (Windows Print Spooler Elevation of Privilege Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35792 (Storage Spaces Direct Elevation of Privilege Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35791 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35790 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35789 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35788 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35787 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35786 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35785 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35784 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35783 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35782 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35781 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35780 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35779 (Azure RTOS GUIX Studio Remote Code Execution Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
CVE-2022-35778
RESERVED
-CVE-2022-35777
- RESERVED
-CVE-2022-35776
- RESERVED
-CVE-2022-35775
- RESERVED
-CVE-2022-35774
- RESERVED
-CVE-2022-35773
- RESERVED
-CVE-2022-35772
- RESERVED
-CVE-2022-35771
- RESERVED
+CVE-2022-35777 (Visual Studio Remote Code Execution Vulnerability. This CVE ID is uniq ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35776 (Azure Site Recovery Denial of Service Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35775 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35774 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35773 (Azure RTOS GUIX Studio Remote Code Execution Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35772 (Azure Site Recovery Remote Code Execution Vulnerability. This CVE ID i ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35771 (Windows Defender Credential Guard Elevation of Privilege Vulnerability ...)
+ NOT-FOR-US: Microsoft
CVE-2022-35770
RESERVED
-CVE-2022-35769
- RESERVED
-CVE-2022-35768
- RESERVED
-CVE-2022-35767
- RESERVED
-CVE-2022-35766
- RESERVED
-CVE-2022-35765
- RESERVED
-CVE-2022-35764
- RESERVED
-CVE-2022-35763
- RESERVED
-CVE-2022-35762
- RESERVED
-CVE-2022-35761
- RESERVED
-CVE-2022-35760
- RESERVED
+CVE-2022-35769 (Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35768 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35767 (Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35766 (Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35765 (Storage Spaces Direct Elevation of Privilege Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35764 (Storage Spaces Direct Elevation of Privilege Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35763 (Storage Spaces Direct Elevation of Privilege Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35762 (Storage Spaces Direct Elevation of Privilege Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35761 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-35760 (Microsoft ATA Port Driver Elevation of Privilege Vulnerability. ...)
+ NOT-FOR-US: Microsoft
CVE-2022-35759
RESERVED
CVE-2022-35758
@@ -3060,12 +6503,13 @@ CVE-2022-2400 (External Control of File Name or Path in GitHub repository dompdf
NOTE: https://huntr.dev/bounties/a6da5e5e-86be-499a-a3c3-2950f749202a
NOTE: https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a
CVE-2022-2399 (Use after free in WebGPU in Google Chrome prior to 100.0.4896.88 allow ...)
+ {DSA-5120-1}
- chromium 100.0.4896.88-1
[buster] - chromium <end-of-life> (see DSA 5046)
CVE-2022-35741 (Apache CloudStack version 4.5.0 and later has a SAML 2.0 authenticatio ...)
NOT-FOR-US: Apache CloudStack
-CVE-2022-2398
- RESERVED
+CVE-2022-2398 (The WordPress Comments Fields WordPress plugin before 4.1 does not esc ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2397
RESERVED
CVE-2022-2396 (A vulnerability classified as problematic was found in SourceCodester ...)
@@ -3076,14 +6520,14 @@ CVE-2022-35739
RESERVED
CVE-2022-35738
RESERVED
-CVE-2022-35737
- RESERVED
- - sqlite3 3.39.2-1
+CVE-2022-35737 (SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-b ...)
+ - sqlite3 3.39.2-1 (unimportant)
NOTE: https://sqlite.org/forum/forumpost/3607259d3c
+ NOTE: Debian sqlite3 packages not compiled with -DSQLITE_ENABLE_STAT4
CVE-2022-35736
RESERVED
-CVE-2022-35724
- RESERVED
+CVE-2022-35724 (It is possible to provide data to be read that leads the reader to loo ...)
+ NOT-FOR-US: Apache Avro
CVE-2022-35723
RESERVED
CVE-2022-35722
@@ -3098,10 +6542,10 @@ CVE-2022-35718
RESERVED
CVE-2022-35717
RESERVED
-CVE-2022-35716
- RESERVED
-CVE-2022-35715
- RESERVED
+CVE-2022-35716 (IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7 ...)
+ NOT-FOR-US: IBM
+CVE-2022-35715 (IBM InfoSphere Information Server 11.7 could allow a remote attacker t ...)
+ NOT-FOR-US: IBM
CVE-2022-35714
RESERVED
CVE-2022-34861
@@ -3122,8 +6566,8 @@ CVE-2022-29870
RESERVED
CVE-2022-27170
RESERVED
-CVE-2022-2395
- RESERVED
+CVE-2022-2395 (The weForms WordPress plugin before 1.6.14 does not sanitise and escap ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2394 (Puppet Bolt prior to version 3.24.0 will print sensitive parameters wh ...)
NOT-FOR-US: Puppet Bolt
CVE-2021-46827 (An issue was discovered in Oxygen XML WebHelp before 22.1 build 202108 ...)
@@ -3160,8 +6604,8 @@ CVE-2022-35699
RESERVED
CVE-2022-35698
RESERVED
-CVE-2022-35697
- RESERVED
+CVE-2022-35697 (Adobe Experience Manager Core Components version 2.20.6 (and earlier) ...)
+ NOT-FOR-US: Adobe
CVE-2022-35696
RESERVED
CVE-2022-35695
@@ -3198,34 +6642,34 @@ CVE-2022-35680
RESERVED
CVE-2022-35679
RESERVED
-CVE-2022-35678
- RESERVED
-CVE-2022-35677
- RESERVED
-CVE-2022-35676
- RESERVED
-CVE-2022-35675
- RESERVED
-CVE-2022-35674
- RESERVED
-CVE-2022-35673
- RESERVED
+CVE-2022-35678 (Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 ...)
+ NOT-FOR-US: Adobe
+CVE-2022-35677 (Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update ...)
+ NOT-FOR-US: Adobe
+CVE-2022-35676 (Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update ...)
+ NOT-FOR-US: Adobe
+CVE-2022-35675 (Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update ...)
+ NOT-FOR-US: Adobe
+CVE-2022-35674 (Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update ...)
+ NOT-FOR-US: Adobe
+CVE-2022-35673 (Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update ...)
+ NOT-FOR-US: Adobe
CVE-2022-35672 (Adobe Acrobat Reader version 22.001.20085 (and earlier), 20.005.30314 ...)
NOT-FOR-US: Adobe
-CVE-2022-35671
- RESERVED
-CVE-2022-35670
- RESERVED
+CVE-2022-35671 (Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 ...)
+ NOT-FOR-US: Adobe
+CVE-2022-35670 (Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 ...)
+ NOT-FOR-US: Adobe
CVE-2022-35669 (Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 (and ...)
NOT-FOR-US: Adobe
-CVE-2022-35668
- RESERVED
-CVE-2022-35667
- RESERVED
-CVE-2022-35666
- RESERVED
-CVE-2022-35665
- RESERVED
+CVE-2022-35668 (Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 ...)
+ NOT-FOR-US: Adobe
+CVE-2022-35667 (Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 ...)
+ NOT-FOR-US: Adobe
+CVE-2022-35666 (Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 ...)
+ NOT-FOR-US: Adobe
+CVE-2022-35665 (Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 ...)
+ NOT-FOR-US: Adobe
CVE-2022-35664
RESERVED
CVE-2022-35663
@@ -3271,18 +6715,18 @@ CVE-2022-2393 (A flaw was found in pki-core, which could allow a user to get a c
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2101046
CVE-2022-2392
RESERVED
-CVE-2022-2391
- RESERVED
-CVE-2022-2390
- RESERVED
+CVE-2022-2391 (The Inspiro PRO WordPress plugin does not sanitize the portfolio slide ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2390 (Apps developed with Google Play Services SDK incorrectly had the mutab ...)
+ NOT-FOR-US: Apps developed with Google Play Services SDK
CVE-2022-2389
RESERVED
CVE-2022-2388
RESERVED
CVE-2022-2387
RESERVED
-CVE-2022-2386
- RESERVED
+CVE-2022-2386 (The Crowdsignal Dashboard WordPress plugin before 3.0.8 does not sanit ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-35648 (Nautilus treadmills T616 S/N 100672PRO21140001 through 100672PRO211719 ...)
NOT-FOR-US: Nautilus treadmills
CVE-2022-35647
@@ -3293,8 +6737,8 @@ CVE-2022-35645
RESERVED
CVE-2022-35644
RESERVED
-CVE-2022-35643
- RESERVED
+CVE-2022-35643 (IBM PowerVM VIOS 3.1 could allow a remote attacker to tamper with syst ...)
+ NOT-FOR-US: IBM
CVE-2022-35642
RESERVED
CVE-2022-35641
@@ -3315,37 +6759,37 @@ CVE-2022-35634
RESERVED
CVE-2022-35633
RESERVED
-CVE-2022-35632
- RESERVED
-CVE-2022-35631
- RESERVED
-CVE-2022-35630
- RESERVED
-CVE-2022-35629
- RESERVED
+CVE-2022-35632 (The Velociraptor GUI contains an editor suggestion feature that can di ...)
+ NOT-FOR-US: Rapid7 Velociraptor
+CVE-2022-35631 (On MacOS and Linux, it may be possible to perform a symlink attack by ...)
+ NOT-FOR-US: Rapid7 Velociraptor
+CVE-2022-35630 (A cross-site scripting (XSS) issue in generating a collection report m ...)
+ NOT-FOR-US: Rapid7 Velociraptor
+CVE-2022-35629 (Due to a bug in the handling of the communication between the client a ...)
+ NOT-FOR-US: Rapid7 Velociraptor
CVE-2022-35628 (A SQL injection issue was discovered in the lux extension before 17.6. ...)
NOT-FOR-US: TYPO3 extension
CVE-2022-35627
RESERVED
CVE-2022-2385 (A security issue was discovered in aws-iam-authenticator where an allo ...)
NOT-FOR-US: Kubernetes aws-iam-authenticator
-CVE-2022-2384
- RESERVED
+CVE-2022-2384 (The Digital Publications by Supsystic WordPress plugin before 1.7.4 do ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2383
RESERVED
CVE-2022-2382
RESERVED
-CVE-2022-2381
- RESERVED
+CVE-2022-2381 (The E Unlocked - Student Result WordPress plugin through 1.0.4 is lack ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2380 (The Linux kernel was found vulnerable out of bounds memory access in t ...)
- linux 5.17.3-1
[bullseye] - linux 5.10.113-1
[buster] - linux 4.19.249-1
NOTE: https://git.kernel.org/linus/bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8 (5.18-rc1)
-CVE-2022-2379
- RESERVED
-CVE-2022-2378
- RESERVED
+CVE-2022-2379 (The Easy Student Results WordPress plugin through 2.2.8 lacks authoris ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2378 (The Easy Student Results WordPress plugin through 2.2.8 does not sanit ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2377
RESERVED
CVE-2022-2376
@@ -3356,34 +6800,34 @@ CVE-2022-2374
RESERVED
CVE-2022-2373
RESERVED
-CVE-2022-2372
- RESERVED
-CVE-2022-2371
- RESERVED
-CVE-2022-2370
- RESERVED
-CVE-2022-2369
- RESERVED
+CVE-2022-2372 (The YaySMTP WordPress plugin before 2.2.2 does not sanitise and escape ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2371 (The YaySMTP WordPress plugin before 2.2.1 does not have proper authori ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2370 (The YaySMTP WordPress plugin before 2.2.1 does not have capability che ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2369 (The YaySMTP WordPress plugin before 2.2.1 does not have capability che ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2368 (Business Logic Errors in GitHub repository microweber/microweber prior ...)
NOT-FOR-US: microweber
-CVE-2022-2367
- RESERVED
+CVE-2022-2367 (The WSM Downloader WordPress plugin through 1.4.0 allows only specific ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-35626
RESERVED
CVE-2022-35625
RESERVED
-CVE-2022-35624
- RESERVED
-CVE-2022-35623
- RESERVED
+CVE-2022-35624 (In Nordic nRF5 SDK for Mesh 5.0, a heap overflow vulnerability can be ...)
+ NOT-FOR-US: Nordic nRF5 SDK for Mesh
+CVE-2022-35623 (In Nordic nRF5 SDK for Mesh 5.0, a heap overflow vulnerability can be ...)
+ NOT-FOR-US: Nordic nRF5 SDK for Mesh
CVE-2022-35622
RESERVED
CVE-2022-35621
RESERVED
-CVE-2022-35620
- RESERVED
-CVE-2022-35619
- RESERVED
+CVE-2022-35620 (D-LINK DIR-818LW A1:DIR818L_FW105b01 was discovered to contain a remot ...)
+ NOT-FOR-US: D-LINK
+CVE-2022-35619 (D-LINK DIR-818LW A1:DIR818L_FW105b01 was discovered to contain a remot ...)
+ NOT-FOR-US: D-LINK
CVE-2022-35618
RESERVED
CVE-2022-35617
@@ -3440,18 +6884,18 @@ CVE-2022-35592
RESERVED
CVE-2022-35591
RESERVED
-CVE-2022-35590
- RESERVED
-CVE-2022-35589
- RESERVED
+CVE-2022-35590 (A cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows ...)
+ NOT-FOR-US: ForkCMS
+CVE-2022-35589 (A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows re ...)
+ NOT-FOR-US: ForkCMS
CVE-2022-35588
RESERVED
-CVE-2022-35587
- RESERVED
+CVE-2022-35587 (A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows re ...)
+ NOT-FOR-US: ForkCMS
CVE-2022-35586
RESERVED
-CVE-2022-35585
- RESERVED
+CVE-2022-35585 (A stored cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 ...)
+ NOT-FOR-US: ForkCMS
CVE-2022-35584
RESERVED
CVE-2022-35583
@@ -3498,20 +6942,20 @@ CVE-2022-35563
RESERVED
CVE-2022-35562
RESERVED
-CVE-2022-35561
- RESERVED
-CVE-2022-35560
- RESERVED
-CVE-2022-35559
- RESERVED
-CVE-2022-35558
- RESERVED
-CVE-2022-35557
- RESERVED
+CVE-2022-35561 (A stack overflow vulnerability exists in /goform/WifiMacFilterSet in T ...)
+ NOT-FOR-US: Tenda
+CVE-2022-35560 (A stack overflow vulnerability exists in /goform/wifiSSIDset in Tenda ...)
+ NOT-FOR-US: Tenda
+CVE-2022-35559 (A stack overflow vulnerability exists in /goform/setAutoPing in Tenda ...)
+ NOT-FOR-US: Tenda
+CVE-2022-35558 (A stack overflow vulnerability exists in /goform/WifiMacFilterGet in T ...)
+ NOT-FOR-US: Tenda
+CVE-2022-35557 (A stack overflow vulnerability exists in /goform/wifiSSIDget in Tenda ...)
+ NOT-FOR-US: Tenda
CVE-2022-35556
RESERVED
-CVE-2022-35555
- RESERVED
+CVE-2022-35555 (A command injection vulnerability exists in /goform/exeCommand in Tend ...)
+ NOT-FOR-US: Tenda
CVE-2022-35554
RESERVED
CVE-2022-35553
@@ -3544,18 +6988,18 @@ CVE-2022-35540
RESERVED
CVE-2022-35539
RESERVED
-CVE-2022-35538
- RESERVED
-CVE-2022-35537
- RESERVED
-CVE-2022-35536
- RESERVED
-CVE-2022-35535
- RESERVED
-CVE-2022-35534
- RESERVED
-CVE-2022-35533
- RESERVED
+CVE-2022-35538 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35537 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35536 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 qos.cgi has no fi ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35535 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35534 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35533 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 qos.cgi has no fi ...)
+ NOT-FOR-US: WAVLINK
CVE-2022-35532
RESERVED
CVE-2022-35531
@@ -3568,26 +7012,26 @@ CVE-2022-35528
RESERVED
CVE-2022-35527
RESERVED
-CVE-2022-35526
- RESERVED
-CVE-2022-35525
- RESERVED
-CVE-2022-35524
- RESERVED
-CVE-2022-35523
- RESERVED
-CVE-2022-35522
- RESERVED
-CVE-2022-35521
- RESERVED
-CVE-2022-35520
- RESERVED
-CVE-2022-35519
- RESERVED
-CVE-2022-35518
- RESERVED
-CVE-2022-35517
- RESERVED
+CVE-2022-35526 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 login.cgi has no ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35525 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no fi ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35524 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no fi ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35523 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 firewall.cgi has ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35522 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no fi ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35521 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 firewall.cgi has ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35520 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 api.cgi has no fi ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35519 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 firewall.cgi has ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35518 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 nas.cgi has no fi ...)
+ NOT-FOR-US: WAVLINK
+CVE-2022-35517 (WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no fi ...)
+ NOT-FOR-US: WAVLINK
CVE-2022-35516
RESERVED
CVE-2022-35515
@@ -3602,16 +7046,16 @@ CVE-2022-35511
RESERVED
CVE-2022-35510
RESERVED
-CVE-2022-35509
- RESERVED
+CVE-2022-35509 (An issue was discovered in EyouCMS 1.5.8. There is a Storage XSS vulne ...)
+ NOT-FOR-US: Eyoucms
CVE-2022-35508
RESERVED
CVE-2022-35507
RESERVED
-CVE-2022-35506
- RESERVED
-CVE-2022-35505
- RESERVED
+CVE-2022-35506 (TripleCross v0.1.0 was discovered to contain a stack overflow which oc ...)
+ NOT-FOR-US: TripleCross
+CVE-2022-35505 (A segmentation fault in TripleCross v0.1.0 occurs when sending a contr ...)
+ NOT-FOR-US: TripleCross
CVE-2022-35504
RESERVED
CVE-2022-35503
@@ -3634,20 +7078,20 @@ CVE-2022-35495
RESERVED
CVE-2022-35494
RESERVED
-CVE-2022-35493
- RESERVED
+CVE-2022-35493 (A Cross-site scripting (XSS) vulnerability in json search parse and th ...)
+ NOT-FOR-US: eShop - Multipurpose Ecommerce Store Website
CVE-2022-35492
RESERVED
-CVE-2022-35491
- RESERVED
-CVE-2022-35490
- RESERVED
-CVE-2022-35489
- RESERVED
-CVE-2022-35488
- RESERVED
-CVE-2022-35487
- RESERVED
+CVE-2022-35491 (TOTOLINK A3002RU V3.0.0-B20220304.1804 has a hardcoded password for ro ...)
+ NOT-FOR-US: TOTOLINK
+CVE-2022-35490 (Zammad 5.2.0 is vulnerable to privilege escalation. Zammad has a preve ...)
+ - zammad <itp> (bug #841355)
+CVE-2022-35489 (In Zammad 5.2.0, customers who have secondary organizations assigned w ...)
+ - zammad <itp> (bug #841355)
+CVE-2022-35488 (In Zammad 5.2.0, an attacker could manipulate the rate limiting in the ...)
+ - zammad <itp> (bug #841355)
+CVE-2022-35487 (Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not cor ...)
+ - zammad <itp> (bug #841355)
CVE-2022-35486
RESERVED
CVE-2022-35485
@@ -3768,18 +7212,18 @@ CVE-2022-35428
RESERVED
CVE-2022-35427
RESERVED
-CVE-2022-35426
- RESERVED
+CVE-2022-35426 (UCMS 1.6 is vulnerable to arbitrary file upload via ucms/sadmin/file P ...)
+ NOT-FOR-US: UCMS
CVE-2022-35425
RESERVED
CVE-2022-35424
RESERVED
CVE-2022-35423
RESERVED
-CVE-2022-35422
- RESERVED
-CVE-2022-35421
- RESERVED
+CVE-2022-35422 (Web Based Quiz System v1.0 was discovered to contain a SQL injection v ...)
+ NOT-FOR-US: Web Based Quiz System
+CVE-2022-35421 (Online Tours And Travels Management System v1.0 was discovered to cont ...)
+ NOT-FOR-US: Online Tours And Travels Management System
CVE-2022-35420
RESERVED
CVE-2022-35419
@@ -3794,6 +7238,7 @@ CVE-2022-35415
RESERVED
CVE-2022-35414 (softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized r ...)
- qemu <unfixed> (bug #1014958)
+ [bullseye] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1065
NOTE: https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c
NOTE: https://sick.codes/sick-2022-113
@@ -3819,14 +7264,14 @@ CVE-2022-2359
RESERVED
CVE-2022-2358
RESERVED
-CVE-2022-2357
- RESERVED
-CVE-2022-2356
- RESERVED
-CVE-2022-2355
- RESERVED
-CVE-2022-2354
- RESERVED
+CVE-2022-2357 (The WSM Downloader WordPress plugin through 1.4.0 allows any visitor t ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2356 (The Frontend File Manager &amp; Sharing WordPress plugin before 1.1.3 ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2355 (The Easy Username Updater WordPress plugin before 1.0.5 does not imple ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2354 (The WP-DBManager WordPress plugin before 2.80.8 does not prevent admin ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-35411 (rpc.py through 0.6.0 allows Remote Code Execution because an unpickle ...)
NOT-FOR-US: rpc.py
CVE-2022-35410 (mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ dir ...)
@@ -3876,6 +7321,7 @@ CVE-2022-2348
CVE-2022-2347 [Unchecked Download Size and Direction in U-Boot USB DFU]
RESERVED
- u-boot <unfixed> (bug #1014959)
+ [bullseye] - u-boot <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/07/08/2
CVE-2022-35399
REJECTED
@@ -4082,12 +7528,12 @@ CVE-2022-33939
CVE-2022-2346
RESERVED
CVE-2022-2345 (Use After Free in GitHub repository vim/vim prior to 9.0.0046. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/1eed7009-db6d-487b-bc41-8f2fd260483f
NOTE: https://github.com/vim/vim/commit/32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea (v9.0.0047)
NOTE: Crash in CLI tool, no security impact
CVE-2022-2344 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/4a095ed9-3125-464a-b656-c31b437e1996
NOTE: https://github.com/vim/vim/commit/baefde14550231f6468ac2ed2ed495bc381c0c92 (v9.0.0046)
NOTE: Crash in CLI tool, no security impact
@@ -4098,7 +7544,7 @@ CVE-2020-36555
CVE-2020-36554
RESERVED
CVE-2022-2343 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/2ecb4345-2fc7-4e7f-adb0-83a20bb458f5
NOTE: https://github.com/vim/vim/commit/caea66442d86e7bbba3bf3dc202c3c0d549b9853 (v9.0.0045)
NOTE: Crash in CLI tool, no security impact
@@ -4120,14 +7566,14 @@ CVE-2022-35295
RESERVED
CVE-2022-35294
RESERVED
-CVE-2022-35293
- RESERVED
+CVE-2022-35293 (Due to insecure session management, SAP Enable Now allows an unauthent ...)
+ NOT-FOR-US: SAP
CVE-2022-35292
RESERVED
CVE-2022-35291 (Due to misconfigured application endpoints, SAP SuccessFactors attachm ...)
NOT-FOR-US: SAP
-CVE-2022-35290
- RESERVED
+CVE-2022-35290 (Under certain conditions SAP Authenticator for Android allows an attac ...)
+ NOT-FOR-US: SAP
CVE-2022-35289
RESERVED
CVE-2022-35288 (IBM Security Verify Information Queue 10.0.2 could allow a user to obt ...)
@@ -4146,8 +7592,8 @@ CVE-2022-35282
RESERVED
CVE-2022-35281
RESERVED
-CVE-2022-35280
- RESERVED
+CVE-2022-35280 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 does not req ...)
+ NOT-FOR-US: IBM
CVE-2022-35279
RESERVED
CVE-2022-35278
@@ -4240,15 +7686,16 @@ CVE-2022-2330
RESERVED
CVE-2022-2329
RESERVED
-CVE-2022-2328
- RESERVED
+CVE-2022-2328 (The Flexi Quote Rotator WordPress plugin through 0.9.4 does not saniti ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2327 (io_uring use work_flags to determine which identity need to grab from ...)
- - linux <unfixed>
-CVE-2022-2326
- RESERVED
+ - linux 5.14.6-1
+ [bullseye] - linux 5.10.127-1
+ [buster] - linux <not-affected> (Vulnerable code introduced later)
+CVE-2022-2326 (An issue has been discovered in GitLab CE/EE affecting all versions be ...)
- gitlab <unfixed>
-CVE-2022-35234
- RESERVED
+CVE-2022-35234 (Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out- ...)
+ NOT-FOR-US: Trend Micro
CVE-2022-35233
RESERVED
CVE-2022-35232
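Review bot: The CVE-2022-2327 entry gains fixed-version lines for unstable and bullseye plus a `<not-affected>` line for buster, but no `NOTE:` with the upstream fix reference, unlike the neighbouring kernel entry CVE-2022-2380 which cites the resolving commit. Without it the `Vulnerable code introduced later` justification for buster cannot be re-verified from the entry itself. Add a `NOTE:` line pointing at the upstream/stable commit that resolves the io_uring identity issue and, as the `Introduced by:` notes elsewhere in this file do, the commit that introduced it.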
@@ -4257,22 +7704,24 @@ CVE-2022-35231
RESERVED
CVE-2022-33896
RESERVED
-CVE-2022-2325
- RESERVED
-CVE-2022-2324
- RESERVED
-CVE-2022-2323
- RESERVED
+CVE-2022-2325 (The Invitation Based Registrations WordPress plugin through 2.2.84 doe ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2324 (Improperly Implemented Security Check vulnerability in the SonicWall H ...)
+ NOT-FOR-US: SonicWall
+CVE-2022-2323 (Improper neutralization of special elements used in a user input allow ...)
+ NOT-FOR-US: SonicWall
CVE-2022-2322
RESERVED
CVE-2022-2321 (Improper Restriction of Excessive Authentication Attempts in GitHub re ...)
NOT-FOR-US: Nakama
CVE-2022-35230 (An authenticated user can create a link with reflected Javascript code ...)
- - zabbix <unfixed> (bug #1014994)
+ [experimental] - zabbix 1:6.0.6+dfsg-1
+ - zabbix 1:6.0.7+dfsg-2 (bug #1014994)
NOTE: https://support.zabbix.com/browse/ZBX-21305
NOTE: Fixed in: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/3b47a97676ee9ca4e16566f1931c456459108eae (5.0.25rc1)
CVE-2022-35229 (An authenticated user can create a link with reflected Javascript code ...)
- - zabbix <unfixed> (bug #1014992)
+ [experimental] - zabbix 1:6.0.6+dfsg-1
+ - zabbix 1:6.0.7+dfsg-2 (bug #1014992)
NOTE: https://support.zabbix.com/browse/ZBX-21306
NOTE: Fixed in: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b546c3f10ce98b0c914e5fc4114bd43042880c3c (5.0.25rc1)
CVE-2022-35228 (SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve ...)
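Review bot: CVE-2022-35230 and CVE-2022-35229 now carry unstable and experimental fixed versions, but no `[bullseye]` or `[buster]` line, even though the existing NOTEs record the upstream fix in 5.0.25rc1. If a supported release ships a 5.0.x zabbix below that version, the tracker will keep showing it as unfixed with no triage decision; add a line such as `[bullseye] - zabbix <no-dsa> (Minor issue)` or a fixed version once decided. Both descriptions read as authenticated reflected XSS, which looks like a no-dsa candidate, but that is the triager's call.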
@@ -4285,43 +7734,47 @@ CVE-2022-35225 (SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.3
NOT-FOR-US: SAP
CVE-2022-35224 (SAP Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7 ...)
NOT-FOR-US: SAP
-CVE-2022-35223
- RESERVED
-CVE-2022-35222
- RESERVED
-CVE-2022-35221
- RESERVED
-CVE-2022-35220
- RESERVED
-CVE-2022-35219
- RESERVED
-CVE-2022-35218
- RESERVED
-CVE-2022-35217
- RESERVED
-CVE-2022-35216
- RESERVED
+CVE-2022-35223 (EasyUse MailHunter Ultimate&#8217;s cookie deserialization function ha ...)
+ NOT-FOR-US: EasyUse MailHunter Ultimate
+CVE-2022-35222 (HiCOS Citizen verification component has a stack-based buffer overflow ...)
+ NOT-FOR-US: HiCOS Citizen verification component
+CVE-2022-35221 (Teamplus Pro community discussion has an &#8216;allocation of resource ...)
+ NOT-FOR-US: Teamplus Pro community discussion
+CVE-2022-35220 (Teamplus Pro community discussion function has an &#8216;allocation of ...)
+ NOT-FOR-US: Teamplus Pro community discussion
+CVE-2022-35219 (The NHI card&#8217;s web service component has a stack-based buffer ov ...)
+ NOT-FOR-US: The NHI card
+CVE-2022-35218 (The NHI card&#8217;s web service component has a heap-based buffer ove ...)
+ NOT-FOR-US: The NHI card
+CVE-2022-35217 (The NHI card&#8217;s web service component has a stack-based buffer ov ...)
+ NOT-FOR-US: NHI card
+CVE-2022-35216 (OMICARD EDM&#8217;s mail image relay function has a path traversal vul ...)
+ NOT-FOR-US: OMICARD EDM
CVE-2022-2320 [ZDI-CAN-16070: X.Org Server ProcXkbSetDeviceInfo Out-Of-Bounds Access]
RESERVED
+ {DSA-5199-1 DLA-3068-1}
- xorg-server 2:21.1.4-1 (bug #1014903)
+ - xwayland 2:22.1.3-1
NOTE: Introduced by: https://github.com/freedesktop/xorg-xserver/commit/c06e27b2f6fd9f7b9f827623a48876a225264132 (xorg-server-1.5.99.1)
NOTE: Fixed by: https://github.com/freedesktop/xorg-xserver/commit/dd8caf39e9e15d8f302e54045dd08d8ebf1025dc
NOTE: Required for fixes: https://github.com/freedesktop/xorg-xserver/commit/f1070c01d616c5f21f939d5ebc533738779451ac
NOTE: https://www.openwall.com/lists/oss-security/2022/07/12/1
CVE-2022-2319 [ZDI-CAN-16062: X.Org Server ProcXkbSetGeometry Out-Of-Bounds Access]
RESERVED
+ {DSA-5199-1 DLA-3068-1}
- xorg-server 2:21.1.4-1 (bug #1014903)
+ - xwayland 2:22.1.3-1
NOTE: Fixed by: https://github.com/freedesktop/xorg-xserver/commit/6907b6ea2b4ce949cb07271f5b678d5966d9df42
NOTE: Required for fixes: https://github.com/freedesktop/xorg-xserver/commit/f1070c01d616c5f21f939d5ebc533738779451ac
NOTE: https://www.openwall.com/lists/oss-security/2022/07/12/1
-CVE-2022-2317
- RESERVED
+CVE-2022-2317 (The Simple Membership WordPress plugin before 4.1.3 allows user to cha ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2316 (HTML injection vulnerability in secure messages of Devolutions Server ...)
NOT-FOR-US: Devolutions Server
CVE-2022-2315
RESERVED
-CVE-2022-2314
- RESERVED
+CVE-2022-2314 (The VR Calendar WordPress plugin through 2.2.2 lets any user execute a ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2313 (A DLL hijacking vulnerability in the MA Smart Installer for Windows pr ...)
NOT-FOR-US: MA Smart Installer for Windows
CVE-2022-2312
@@ -4447,18 +7900,18 @@ CVE-2022-35165
RESERVED
CVE-2022-35164
RESERVED
-CVE-2022-35163
- RESERVED
-CVE-2022-35162
- RESERVED
-CVE-2022-35161
- RESERVED
+CVE-2022-35163 (Complete Online Job Search System v1.0 was discovered to contain a cro ...)
+ NOT-FOR-US: Complete Online Job Search System
+CVE-2022-35162 (Complete Online Job Search System v1.0 was discovered to contain a cro ...)
+ NOT-FOR-US: Complete Online Job Search System
+CVE-2022-35161 (GVRET Stable Release as of Aug 15, 2015 was discovered to contain a bu ...)
+ NOT-FOR-US: GVRET
CVE-2022-35160
RESERVED
CVE-2022-35159
RESERVED
-CVE-2022-35158
- RESERVED
+CVE-2022-35158 (A vulnerability in the lua parser of TscanCode tsclua v2.15.01 allows ...)
+ NOT-FOR-US: TScanCode
CVE-2022-35157
RESERVED
CVE-2022-35156
@@ -4485,12 +7938,12 @@ CVE-2022-35146
RESERVED
CVE-2022-35145
RESERVED
-CVE-2022-35144
- RESERVED
-CVE-2022-35143
- RESERVED
-CVE-2022-35142
- RESERVED
+CVE-2022-35144 (Renato v0.17.0 was discovered to contain a cross-site scripting (XSS) ...)
+ NOT-FOR-US: gilbitron/Renato
+CVE-2022-35143 (Renato v0.17.0 employs weak password complexity requirements, allowing ...)
+ NOT-FOR-US: gilbitron/Renato
+CVE-2022-35142 (An issue in Renato v0.17.0 allows attackers to cause a Denial of Servi ...)
+ NOT-FOR-US: gilbitron/Renato
CVE-2022-35141
RESERVED
CVE-2022-35140
@@ -4537,8 +7990,8 @@ CVE-2022-35120
RESERVED
CVE-2022-35119
RESERVED
-CVE-2022-35118
- RESERVED
+CVE-2022-35118 (PyroCMS v3.9 was discovered to contain multiple cross-site scripting ( ...)
+ NOT-FOR-US: PyroCMS
CVE-2022-35117
RESERVED
CVE-2022-35116
@@ -4787,10 +8240,10 @@ CVE-2022-34995
RESERVED
CVE-2022-34994
RESERVED
-CVE-2022-34993
- RESERVED
-CVE-2022-34992
- RESERVED
+CVE-2022-34993 (Totolink A3600R_Firmware V4.1.2cu.5182_B20201102 contains a hard code ...)
+ NOT-FOR-US: Totolink
+CVE-2022-34992 (Luadec v0.9.9 was discovered to contain a heap-buffer overflow via the ...)
+ NOT-FOR-US: viruscamp/luadec
CVE-2022-34991 (Paymoney v3.3 was discovered to contain multiple reflected cross-site ...)
NOT-FOR-US: Paymoney
CVE-2022-34990
@@ -4825,22 +8278,22 @@ CVE-2022-34976
RESERVED
CVE-2022-34975
RESERVED
-CVE-2022-34974
- RESERVED
-CVE-2022-34973
- RESERVED
+CVE-2022-34974 (D-Link DIR810LA1_FW102B22 was discovered to contain a command injectio ...)
+ NOT-FOR-US: D-Link
+CVE-2022-34973 (D-Link DIR820LA1_FW106B02 was discovered to contain a buffer overflow ...)
+ NOT-FOR-US: D-Link
CVE-2022-34972 (So Filter Shop v3.x was discovered to contain multiple blind SQL injec ...)
NOT-FOR-US: So Filter Shop
CVE-2022-34971 (An arbitrary file upload vulnerability in the Advertising Management m ...)
NOT-FOR-US: Feehi CMS
-CVE-2022-34970
- RESERVED
-CVE-2022-34969
- RESERVED
-CVE-2022-34968
- RESERVED
-CVE-2022-34967
- RESERVED
+CVE-2022-34970 (Crow before 1.0+4 has a heap-based buffer overflow via the function qs ...)
+ NOT-FOR-US: CrowCpp
+CVE-2022-34969 (PingCAP TiDB v6.1.0 was discovered to contain a NULL pointer dereferen ...)
+ NOT-FOR-US: pingcap/tidb
+CVE-2022-34968 (An issue in the fetch_step function in Percona Server for MySQL v8.0.2 ...)
+ NOT-FOR-US: Percona Server for MySQL v8
+CVE-2022-34967 (The assertion `stmt-&gt;Dbc-&gt;FirstStmt' failed in MonetDB Database ...)
+ NOT-FOR-US: MonetDB
CVE-2022-34966 (OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered ...)
NOT-FOR-US: OpenTeknik
CVE-2022-34965 (OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered ...)
@@ -4861,34 +8314,34 @@ CVE-2022-34958
RESERVED
CVE-2022-34957
RESERVED
-CVE-2022-34956
- RESERVED
-CVE-2022-34955
- RESERVED
-CVE-2022-34954
- RESERVED
-CVE-2022-34953
- RESERVED
-CVE-2022-34952
- RESERVED
-CVE-2022-34951
- RESERVED
-CVE-2022-34950
- RESERVED
-CVE-2022-34949
- RESERVED
-CVE-2022-34948
- RESERVED
-CVE-2022-34947
- RESERVED
-CVE-2022-34946
- RESERVED
-CVE-2022-34945
- RESERVED
+CVE-2022-34956 (Pligg CMS v2.0.2 was discovered to contain a time-based SQL injection ...)
+ NOT-FOR-US: Pligg CMS
+CVE-2022-34955 (Pligg CMS v2.0.2 was discovered to contain a time-based SQL injection ...)
+ NOT-FOR-US: Pligg CMS
+CVE-2022-34954 (Pharmacy Management System v1.0 was discovered to contain a SQL inject ...)
+ NOT-FOR-US: Pharmacy Management System
+CVE-2022-34953 (Pharmacy Management System v1.0 was discovered to contain a SQL inject ...)
+ NOT-FOR-US: Pharmacy Management System
+CVE-2022-34952 (Pharmacy Management System v1.0 was discovered to contain a SQL inject ...)
+ NOT-FOR-US: Pharmacy Management System
+CVE-2022-34951 (Pharmacy Management System v1.0 was discovered to contain a SQL inject ...)
+ NOT-FOR-US: Pharmacy Management System
+CVE-2022-34950 (Pharmacy Management System v1.0 was discovered to contain a SQL inject ...)
+ NOT-FOR-US: Pharmacy Management System
+CVE-2022-34949 (Pharmacy Management System v1.0 was discovered to contain multiple SQL ...)
+ NOT-FOR-US: Pharmacy Management System
+CVE-2022-34948 (Pharmacy Management System v1.0 was discovered to contain a SQL inject ...)
+ NOT-FOR-US: Pharmacy Management System
+CVE-2022-34947 (Pharmacy Management System v1.0 was discovered to contain a SQL inject ...)
+ NOT-FOR-US: Pharmacy Management System
+CVE-2022-34946 (Pharmacy Management System v1.0 was discovered to contain a SQL inject ...)
+ NOT-FOR-US: Pharmacy Management System
+CVE-2022-34945 (Pharmacy Management System v1.0 was discovered to contain a SQL inject ...)
+ NOT-FOR-US: Pharmacy Management System
CVE-2022-34944
RESERVED
CVE-2022-34943
- RESERVED
+ REJECTED
CVE-2022-34942
RESERVED
CVE-2022-34941
@@ -4899,8 +8352,8 @@ CVE-2022-34939
RESERVED
CVE-2022-34938
RESERVED
-CVE-2022-34937
- RESERVED
+CVE-2022-34937 (Yuba u5cms v8.3.5 was discovered to contain a Cross-Site Request Forge ...)
+ NOT-FOR-US: Yuba u5cms
CVE-2022-34936
RESERVED
CVE-2022-34935
@@ -4917,16 +8370,19 @@ CVE-2022-34930
RESERVED
CVE-2022-34929
RESERVED
-CVE-2022-34928
- RESERVED
-CVE-2022-34927
- RESERVED
+CVE-2022-34928 (JFinal CMS v5.1.0 was discovered to contain a SQL injection vulnerabil ...)
+ NOT-FOR-US: JFinal CMS
+CVE-2022-34927 (MilkyTracker v1.03.00 was discovered to contain a stack overflow via t ...)
+ - milkytracker <unfixed> (unimportant; bug #1016578)
+ NOTE: https://github.com/milkytracker/MilkyTracker/commit/3a5474f9102cbdc10fbd9e7b1b2c8d3f3f45d91b
+ NOTE: https://github.com/milkytracker/MilkyTracker/issues/275
+ NOTE: Crash in GUI tool, no security impact
CVE-2022-34926
RESERVED
CVE-2022-34925
RESERVED
-CVE-2022-34924
- RESERVED
+CVE-2022-34924 (Lanling OA Landray Office Automation (OA) internal patch number #13338 ...)
+ NOT-FOR-US: Lanling OA Landray Office Automation
CVE-2022-34923
RESERVED
CVE-2022-34922
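Review bot: The new milkytracker entry rates a stack overflow in a file loader as `(unimportant)` with the NOTE `Crash in GUI tool, no security impact`, but a stack overflow reached by opening a crafted module file can be a stack-buffer write rather than stack exhaustion, and the entry does not say which. If the linked upstream issue and fix commit show only a recursion/exhaustion crash, make the note say so: `NOTE: Stack exhaustion (crash only) when loading a crafted module file; no controlled write`. If it is a bounds write into a stack buffer, the `unimportant` rating needs a stronger justification than "crash", since the input is attacker-supplied.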
@@ -4943,8 +8399,7 @@ CVE-2022-34918 (An issue was discovered in the Linux kernel through 5.18.9. A ty
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2022/07/02/3
NOTE: https://www.randorisec.fr/crack-linux-firewall/
-CVE-2022-2307
- RESERVED
+CVE-2022-2307 (A lack of cascading deletes in GitLab CE/EE affecting all versions sta ...)
- gitlab <unfixed>
CVE-2022-34917
RESERVED
@@ -4952,16 +8407,15 @@ CVE-2022-34916
RESERVED
CVE-2022-2306 (Old session tokens can be used to authenticate to the application and ...)
NOT-FOR-US: Nakama
-CVE-2022-2305
- RESERVED
+CVE-2022-2305 (The WordPress Popup WordPress plugin through 1.9.3.8 does not sanitise ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2304 (Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. ...)
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/eb7402f3-025a-402f-97a7-c38700d9548a/
NOTE: https://github.com/vim/vim/commit/54e5fed6d27b747ff152cdb6edfb72ff60e70939 (v9.0.0035)
-CVE-2022-2303
- RESERVED
+CVE-2022-2303 (An issue has been discovered in GitLab CE/EE affecting all versions be ...)
- gitlab <unfixed>
CVE-2022-2302 (Multiple Lenze products of the cabinet series skip the password verifi ...)
NOT-FOR-US: Lenze
@@ -4994,6 +8448,10 @@ CVE-2022-2294 (Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.50
- chromium 103.0.5060.114-1
[buster] - chromium <end-of-life> (see DSA 5046)
[stretch] - chromium <end-of-life> (see DSA 4562)
+ - webkit2gtk 2.36.6-1 (unimportant)
+ - wpewebkit 2.36.6-1 (unimportant)
+ NOTE: https://www.openwall.com/lists/oss-security/2022/07/28/2
+ NOTE: Debian WebKitGTK and WPE WebKit binary packages are built without LibWebRTC
CVE-2022-2293 (A vulnerability classified as problematic was found in SourceCodester ...)
NOT-FOR-US: Simple Sales Management System
CVE-2022-2292 (A vulnerability classified as problematic has been found in SourceCode ...)
@@ -5023,12 +8481,12 @@ CVE-2022-34911 (An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1
CVE-2022-2290 (Cross-site Scripting (XSS) - Reflected in GitHub repository zadam/tril ...)
NOT-FOR-US: Trilium Notes
CVE-2022-2289 (Use After Free in GitHub repository vim/vim prior to 9.0. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/7447d2ea-db5b-4883-adf4-1eaf7deace64/
NOTE: https://github.com/vim/vim/commit/c5274dd12224421f2430b30c53b881b9403d649e (v9.0.0026)
NOTE: Crash in CLI tool, no security impact
CVE-2022-2288 (Out-of-bounds Write in GitHub repository vim/vim prior to 9.0. ...)
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
NOTE: https://huntr.dev/bounties/a71bdcb7-4e9b-4650-ab6a-fe8e3e9852ad/
NOTE: https://github.com/vim/vim/commit/c6fdb15d423df22e1776844811d082322475e48a (v9.0.0025)
CVE-2022-34910
@@ -5066,12 +8524,12 @@ CVE-2022-32581
CVE-2022-30531
RESERVED
CVE-2022-2287 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/654aa069-3a9d-45d3-9a52-c1cf3490c284/
NOTE: https://github.com/vim/vim/commit/5e59ea54c0c37c2f84770f068d95280069828774 (v9.0.0021)
NOTE: Crash in CLI tool, no security impact
CVE-2022-2286 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/fe7681fb-2318-436b-8e65-daf66cd597d8/
NOTE: https://github.com/vim/vim/commit/f12129f1714f7d2301935bb21d896609bdac221c (v9.0.0020)
CVE-2022-34902 (This vulnerability allows local attackers to escalate privileges on af ...)
@@ -5093,13 +8551,13 @@ CVE-2022-34895
CVE-2022-34894 (In JetBrains Hub before 2022.2.14799, insufficient access control allo ...)
NOT-FOR-US: JetBrains Hub
CVE-2022-2285 (Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9 ...)
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/64574b28-1779-458d-a221-06c434042736/
NOTE: https://github.com/vim/vim/commit/27efc62f5d86afcb2ecb7565587fe8dea4b036fe (v9.0.0018)
CVE-2022-2284 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/571d25ce-8d53-4fa0-b620-27f2a8a14874/
NOTE: https://github.com/vim/vim/commit/3d51ce18ab1be4f9f6061568a4e7fabf00b21794 (v9.0.0017)
NOTE: Crash in CLI tool, no security impact
@@ -5115,8 +8573,8 @@ CVE-2022-2279 (NULL Pointer Dereference in GitHub repository bfabiszewski/libmob
- libmobi 0.11+dfsg-1
NOTE: https://huntr.dev/bounties/68c249e2-779d-4871-b7e3-851f03aca2de/
NOTE: https://github.com/bfabiszewski/libmobi/commit/c0699c8693c47f14a2e57dec7292e862ac7adf9c (v0.11)
-CVE-2022-2278
- RESERVED
+CVE-2022-2278 (The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2277
RESERVED
CVE-2021-4234 (OpenVPN Access Server 2.10 and prior versions are susceptible to resen ...)
@@ -5169,10 +8627,10 @@ CVE-2022-34874 (This vulnerability allows remote attackers to disclose sensitive
NOT-FOR-US: Foxit
CVE-2022-34873 (This vulnerability allows remote attackers to disclose sensitive infor ...)
NOT-FOR-US: Foxit
-CVE-2022-34872
- RESERVED
-CVE-2022-34871
- RESERVED
+CVE-2022-34872 (This vulnerability allows remote attackers to disclose sensitive infor ...)
+ - centreon-web <itp> (bug #913903)
+CVE-2022-34871 (This vulnerability allows remote attackers to escalate privileges on a ...)
+ - centreon-web <itp> (bug #913903)
CVE-2022-34870
RESERVED
CVE-2022-34858
@@ -5252,16 +8710,16 @@ CVE-2022-2274 (The OpenSSL 3.0.4 release introduced a serious bug in the RSA imp
NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4d8a88c134df634ba610ff8db1eb8478ac5fd345
NOTE: https://github.com/openssl/openssl/issues/18625
NOTE: https://www.openssl.org/news/secadv/20220705.txt
-CVE-2022-2273
- RESERVED
-CVE-2022-2272
- RESERVED
+CVE-2022-2273 (The Simple Membership WordPress plugin before 4.1.3 does not properly ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2272 (This vulnerability allows remote attackers to bypass authentication on ...)
+ NOT-FOR-US: Sante PACS Server
CVE-2022-2271
RESERVED
CVE-2022-2270 (An issue has been discovered in GitLab affecting all versions starting ...)
- gitlab <unfixed>
-CVE-2022-2269
- RESERVED
+CVE-2022-2269 (The Website File Changes Monitor WordPress plugin before 1.8.3 does no ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2268 (The Import any XML or CSV File to WordPress plugin before 3.6.8 accept ...)
NOT-FOR-US: WordPress plugin
CVE-2022-2267
@@ -5271,7 +8729,7 @@ CVE-2022-2266
CVE-2022-2265
RESERVED
CVE-2022-2264 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/2241c773-02c9-4708-b63e-54aef99afa6c/
NOTE: Fixed by: https://github.com/vim/vim/commit/d25f003342aca9889067f2e839963dfeccf1fe05 (v9.0.0011)
NOTE: Crash in CLI tool, no security impact
@@ -5281,14 +8739,14 @@ CVE-2022-2262 (A vulnerability has been found in Online Hotel Booking System 1.0
NOT-FOR-US: Online Hotel Booking System
CVE-2022-2261
RESERVED
-CVE-2022-2260
- RESERVED
+CVE-2022-2260 (The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-34835 (In Das U-Boot through 2022.07-rc5, an integer signedness error and res ...)
- - u-boot <unfixed> (bug #1014529)
+ - u-boot 2022.07+dfsg-1 (bug #1014529)
[bullseye] - u-boot <no-dsa> (Minor issue)
[buster] - u-boot <no-dsa> (Minor issue)
NOTE: https://lists.denx.de/pipermail/u-boot/2022-June/486113.html
- NOTE: https://source.denx.de/u-boot/u-boot/-/commit/8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409
+ NOTE: https://source.denx.de/u-boot/u-boot/-/commit/8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 (v2022.07-rc6)
CVE-2022-34834
RESERVED
CVE-2022-34833
@@ -5320,17 +8778,18 @@ CVE-2022-2259
CVE-2022-2258
RESERVED
CVE-2022-2257 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/ca581f80-03ba-472a-b820-78f7fd05fe89
NOTE: https://github.com/vim/vim/commit/083692d598139228e101b8c521aaef7bcf256e9a (v9.0.0009)
NOTE: Crash in CLI tool, no security impact
CVE-2022-2256
RESERVED
-CVE-2022-2255
+ NOT-FOR-US: Keycloak
+CVE-2022-2255 [Trusted Proxy Headers Removing Bypass]
RESERVED
- - mod-wsgi <unfixed>
+ - mod-wsgi 4.9.0-1.1 (bug #1016476)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100563
- NOTE: https://github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751
+ NOTE: https://github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751 (4.9.3)
NOTE: WSGITrustedProxies and vulnerable code introduced in https://github.com/GrahamDumpleton/mod_wsgi/commit/543fc33c23b4cb5e623d574b7efbf85c8dedb396 (4.4.10)
CVE-2022-34821 (A vulnerability has been identified in SIMATIC CP 1242-7 V2 (All versi ...)
NOT-FOR-US: Siemens
@@ -5436,10 +8895,10 @@ CVE-2022-34771
RESERVED
CVE-2022-34770
RESERVED
-CVE-2022-34769
- RESERVED
-CVE-2022-34768
- RESERVED
+CVE-2022-34769 (Michlol - rashim web interface Insecure direct object references (IDOR ...)
+ NOT-FOR-US: Michlol
+CVE-2022-34768 (Supersmart.me - Walk Through Performing unauthorized actions on other ...)
+ NOT-FOR-US: Supersmart.me
CVE-2022-34767 (Web page which "wizardpwd.asp" ALLNET Router model WR0500AC is prone t ...)
NOT-FOR-US: ALLNET
CVE-2022-34766
@@ -5459,11 +8918,11 @@ CVE-2021-46826
CVE-2021-46825 (Symantec Advanced Secure Gateway (ASG) and ProxySG are susceptible to ...)
NOT-FOR-US: Symantec
CVE-2022-33967 (squashfs filesystem implementation of U-Boot versions from v2020.10-rc ...)
- - u-boot <unfixed>
+ - u-boot 2022.07+dfsg-1
[bullseye] - u-boot <no-dsa> (Minor issue)
[buster] - u-boot <no-dsa> (Minor issue)
NOTE: https://lists.denx.de/pipermail/u-boot/2022-June/487467.html
- NOTE: https://source.denx.de/u-boot/u-boot/-/commit/7f7fb9937c6cb49dd35153bd6708872b390b0a44
+ NOTE: https://source.denx.de/u-boot/u-boot/-/commit/7f7fb9937c6cb49dd35153bd6708872b390b0a44 (v2022.07-rc6)
CVE-2022-2249
RESERVED
CVE-2022-2248
@@ -5505,8 +8964,10 @@ CVE-2022-34751
CVE-2022-34750 (An issue was discovered in MediaWiki through 1.38.1. The lemma length ...)
NOT-FOR-US: MediaWiki extension WikiBase
CVE-2022-34749 (In mistune through 2.0.2, support of inline markup is implemented by u ...)
- - mistune <unfixed> (bug #1016089)
- NOTE: https://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2
+ - mistune 2.0.3-1 (bug #1016089)
+ [bullseye] - mistune <no-dsa> (Minor issue)
+ [buster] - mistune <no-dsa> (Minor issue)
+ NOTE: https://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2 (v2.0.3)
CVE-2022-34748 (A vulnerability has been identified in Simcenter Femap (All versions & ...)
NOT-FOR-US: Siemens
CVE-2022-34747
@@ -5531,16 +8992,16 @@ CVE-2022-34736 (The frame scheduling module has a null pointer dereference vulne
NOT-FOR-US: Huawei
CVE-2022-34735 (The frame scheduling module has a null pointer dereference vulnerabili ...)
NOT-FOR-US: Huawei
-CVE-2022-2245
- RESERVED
+CVE-2022-2245 (The Counter Box WordPress plugin before 1.2.1 is lacking CSRF check wh ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2244 (An improper authorization vulnerability in GitLab EE/CE affecting all ...)
- gitlab <unfixed>
CVE-2022-2243 (An access control vulnerability in GitLab EE/CE affecting all versions ...)
- gitlab <unfixed>
-CVE-2022-2242
- RESERVED
-CVE-2022-2241
- RESERVED
+CVE-2022-2242 (The KUKA SystemSoftware V/KSS in versions prior to 8.6.5 is prone to i ...)
+ NOT-FOR-US: Kuka
+CVE-2022-2241 (The Featured Image from URL (FIFU) WordPress plugin before 4.0.0 does ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2240 (The Request a Quote WordPress plugin through 2.3.7 does not validate u ...)
NOT-FOR-US: WordPress plugin
CVE-2022-2239 (The Request a Quote WordPress plugin through 2.3.7 does not sanitise a ...)
@@ -5591,7 +9052,7 @@ CVE-2022-2233
CVE-2022-2232
RESERVED
CVE-2022-2231 (NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/8dae6ab4-7a7a-4716-a65c-9b090fa057b5
NOTE: https://github.com/vim/vim/commit/79481367a457951aabd9501b510fd7e3eb29c3d8 (v8.2.5169)
NOTE: Crash in CLI tool, no security impact
@@ -5650,72 +9111,72 @@ CVE-2022-34719
RESERVED
CVE-2022-34718
RESERVED
-CVE-2022-34717
- RESERVED
-CVE-2022-34716
- RESERVED
-CVE-2022-34715
- RESERVED
-CVE-2022-34714
- RESERVED
-CVE-2022-34713
- RESERVED
-CVE-2022-34712
- RESERVED
-CVE-2022-34711
- RESERVED
-CVE-2022-34710
- RESERVED
-CVE-2022-34709
- RESERVED
-CVE-2022-34708
- RESERVED
-CVE-2022-34707
- RESERVED
-CVE-2022-34706
- RESERVED
-CVE-2022-34705
- RESERVED
-CVE-2022-34704
- RESERVED
-CVE-2022-34703
- RESERVED
-CVE-2022-34702
- RESERVED
-CVE-2022-34701
- RESERVED
+CVE-2022-34717 (Microsoft Office Remote Code Execution Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34716 (.NET Spoofing Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34715 (Windows Network File System Remote Code Execution Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34714 (Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34713 (Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34712 (Windows Defender Credential Guard Information Disclosure Vulnerability ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34711 (Windows Defender Credential Guard Elevation of Privilege Vulnerability ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34710 (Windows Defender Credential Guard Information Disclosure Vulnerability ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34709 (Windows Defender Credential Guard Security Feature Bypass Vulnerabilit ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34708 (Windows Kernel Information Disclosure Vulnerability. This CVE ID is un ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34707 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34706 (Windows Local Security Authority (LSA) Elevation of Privilege Vulnerab ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34705 (Windows Defender Credential Guard Elevation of Privilege Vulnerability ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34704 (Windows Defender Credential Guard Information Disclosure Vulnerability ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34703 (Windows Partition Management Driver Elevation of Privilege Vulnerabili ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34702 (Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34701 (Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vuln ...)
+ NOT-FOR-US: Microsoft
CVE-2022-34700
RESERVED
-CVE-2022-34699
- RESERVED
+CVE-2022-34699 (Windows Win32k Elevation of Privilege Vulnerability. ...)
+ NOT-FOR-US: Microsoft
CVE-2022-34698
RESERVED
CVE-2022-34697
RESERVED
-CVE-2022-34696
- RESERVED
+CVE-2022-34696 (Windows Hyper-V Remote Code Execution Vulnerability. ...)
+ NOT-FOR-US: Microsoft
CVE-2022-34695
RESERVED
CVE-2022-34694
RESERVED
CVE-2022-34693
RESERVED
-CVE-2022-34692
- RESERVED
-CVE-2022-34691
- RESERVED
-CVE-2022-34690
- RESERVED
+CVE-2022-34692 (Microsoft Exchange Information Disclosure Vulnerability. This CVE ID i ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34691 (Active Directory Domain Services Elevation of Privilege Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34690 (Windows Fax Service Elevation of Privilege Vulnerability. ...)
+ NOT-FOR-US: Microsoft
CVE-2022-34689
RESERVED
CVE-2022-34688
RESERVED
-CVE-2022-34687
- RESERVED
-CVE-2022-34686
- RESERVED
-CVE-2022-34685
- RESERVED
+CVE-2022-34687 (Azure RTOS GUIX Studio Remote Code Execution Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34686 (Azure RTOS GUIX Studio Information Disclosure Vulnerability. This CVE ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-34685 (Azure RTOS GUIX Studio Information Disclosure Vulnerability. This CVE ...)
+ NOT-FOR-US: Microsoft
CVE-2022-34684
RESERVED
CVE-2022-34683
@@ -5762,10 +9223,10 @@ CVE-2022-34663 (A vulnerability has been identified in RUGGEDCOM ROS M2100 (All
NOT-FOR-US: Siemens
CVE-2022-34662
RESERVED
-CVE-2022-34661
- RESERVED
-CVE-2022-34660
- RESERVED
+CVE-2022-34661 (A vulnerability has been identified in Teamcenter V12.4 (All versions ...)
+ NOT-FOR-US: Siemens
+CVE-2022-34660 (A vulnerability has been identified in Teamcenter V12.4 (All versions ...)
+ NOT-FOR-US: Siemens
CVE-2022-2225 (By using warp-cli subcommands (disable-ethernet, disable-wifi), it was ...)
NOT-FOR-US: Cloudflare Warp
CVE-2022-2224 (The WordPress plugin Gallery for Social Photo is vulnerable to Cross-S ...)
@@ -5787,8 +9248,8 @@ CVE-2022-2217 (Cross-site Scripting (XSS) - Generic in GitHub repository ionicab
NOT-FOR-US: Node parse-url
CVE-2022-2216 (Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/pa ...)
NOT-FOR-US: Node parse-url
-CVE-2022-2215
- RESERVED
+CVE-2022-2215 (The GiveWP WordPress plugin before 2.21.3 does not properly sanitise a ...)
+ NOT-FOR-US: WordPress plugin
CVE-2020-36553 (Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Resta ...)
NOT-FOR-US: Multi Restaurant Table Reservation System
CVE-2020-36552 (Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Resta ...)
@@ -5823,8 +9284,8 @@ CVE-2017-20110 (A vulnerability, which was classified as problematic, has been f
NOT-FOR-US: Teleopti WFM
CVE-2017-20109 (A vulnerability classified as problematic was found in Teleopti WFM up ...)
NOT-FOR-US: Teleopti WFM
-CVE-2022-34659
- RESERVED
+CVE-2022-34659 (A vulnerability has been identified in Simcenter STAR-CCM+ (All versio ...)
+ NOT-FOR-US: Siemens
CVE-2022-34647
RESERVED
CVE-2022-34646
@@ -5897,8 +9358,8 @@ CVE-2022-34627
RESERVED
CVE-2022-34626
RESERVED
-CVE-2022-34625
- RESERVED
+CVE-2022-34625 (Mealie1.0.0beta3 was discovered to contain a Server-Side Template Inje ...)
+ NOT-FOR-US: hay-kot/mealie
CVE-2022-34624
RESERVED
CVE-2022-34623
@@ -5909,10 +9370,10 @@ CVE-2022-34621
RESERVED
CVE-2022-34620
RESERVED
-CVE-2022-34619
- RESERVED
-CVE-2022-34618
- RESERVED
+CVE-2022-34619 (A stored cross-site scripting (XSS) vulnerability in Mealie v0.5.5 all ...)
+ NOT-FOR-US: hay-kot/mealie
+CVE-2022-34618 (A stored cross-site scripting (XSS) vulnerability in Mealie 1.0.0beta3 ...)
+ NOT-FOR-US: hay-kot/mealie
CVE-2022-34617
RESERVED
CVE-2022-34616
@@ -5921,8 +9382,8 @@ CVE-2022-34615
RESERVED
CVE-2022-34614
RESERVED
-CVE-2022-34613
- RESERVED
+CVE-2022-34613 (Mealie 1.0.0beta3 contains an arbitrary file upload vulnerability whic ...)
+ NOT-FOR-US: hay-kot/mealie
CVE-2022-34612 (Rizin v0.4.0 and below was discovered to contain an integer overflow v ...)
NOT-FOR-US: Rizin
CVE-2022-34611 (A cross-site scripting (XSS) vulnerability in /index.php/?p=report of ...)
@@ -6012,13 +9473,13 @@ CVE-2022-34570 (WAVLINK WN579 X3 M79X3.V5030.191012/M79X3.V5030.191012 contains
CVE-2022-34569
RESERVED
CVE-2022-34568 (SDL v1.2 was discovered to contain a use-after-free via the XFree func ...)
- - libsdl1.2 <unfixed>
+ - libsdl1.2 1.2.15+dfsg2-8 (bug #1016352)
[bullseye] - libsdl1.2 <no-dsa> (Minor issue)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
NOTE: https://github.com/libsdl-org/SDL-1.2/issues/863
NOTE: https://github.com/libsdl-org/SDL-1.2/commit/d7e00208738a0bc6af302723fe64908ac35b777b
-CVE-2022-34567
- RESERVED
+CVE-2022-34567 (An issue in \Roaming\Mango\Plugins of University of Texas Multi-image ...)
+ NOT-FOR-US: Mango
CVE-2022-34566
RESERVED
CVE-2022-34565
@@ -6089,18 +9550,21 @@ CVE-2022-34533
RESERVED
CVE-2022-34532
RESERVED
-CVE-2022-34531
- RESERVED
-CVE-2022-34530
- RESERVED
+CVE-2022-34531 (DedeCMS v5.7.95 was discovered to contain a remote code execution (RCE ...)
+ NOT-FOR-US: DedeCMS
+CVE-2022-34530 (An issue in the login and reset password functionality of Backdrop CMS ...)
+ NOT-FOR-US: Backdrop CMS
CVE-2022-34529 (WASM3 v0.5.0 was discovered to contain a segmentation fault via the co ...)
NOT-FOR-US: WASM3
-CVE-2022-34528
- RESERVED
-CVE-2022-34527
- RESERVED
-CVE-2022-34526
- RESERVED
+CVE-2022-34528 (D-Link DSL-3782 v1.03 and below was discovered to contain a stack over ...)
+ NOT-FOR-US: D-Link
+CVE-2022-34527 (D-Link DSL-3782 v1.03 and below was discovered to contain a command in ...)
+ NOT-FOR-US: D-Link
+CVE-2022-34526 (A stack overflow was discovered in the _TIFFVGetField function of Tiff ...)
+ - tiff 4.4.0-4
+ [bullseye] - tiff <no-dsa> (Minor issue)
+ NOTE: https://gitlab.com/libtiff/libtiff/-/issues/433
+ NOTE: https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990
CVE-2022-34525
RESERVED
CVE-2022-34524
@@ -6112,7 +9576,7 @@ CVE-2022-34522
CVE-2022-34521
RESERVED
CVE-2022-34520 (Radare2 v5.7.2 was discovered to contain a NULL pointer dereference vi ...)
- - radare2 <unfixed>
+ - radare2 <unfixed> (bug #1016979)
NOTE: https://github.com/radareorg/radare2/issues/20354
NOTE: https://github.com/radareorg/radare2/commit/fc285cecb8469f0262db0170bf6dd7c01d9b8ed5 (5.7.4)
CVE-2022-34519
@@ -6148,12 +9612,14 @@ CVE-2022-34505
CVE-2022-34504
RESERVED
CVE-2022-34503 (QPDF v8.4.2 was discovered to contain a heap buffer overflow via the f ...)
- - qpdf <unfixed> (unimportant)
+ - qpdf 9.0.0-1 (unimportant)
+ NOTE: https://github.com/qpdf/qpdf/issues/701
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1201830#c5
NOTE: Negligible security impact
CVE-2022-34502 (Radare2 v5.7.0 was discovered to contain a heap buffer overflow via th ...)
- - radare2 <unfixed>
+ - radare2 <unfixed> (bug #1016979)
NOTE: https://github.com/radareorg/radare2/issues/20336
- NOTE: https://github.com/radareorg/radare2/commit/b4ca66f5d4363d68a6379e5706353b3bde5104a4
+ NOTE: https://github.com/radareorg/radare2/commit/b4ca66f5d4363d68a6379e5706353b3bde5104a4 (5.7.2)
CVE-2022-34501 (The bin-collection package in PyPI before v0.1 included a code executi ...)
NOT-FOR-US: bin-collection
CVE-2022-34500 (The bin-collect package in PyPI before v0.1 included a code execution ...)
@@ -6164,8 +9630,8 @@ CVE-2022-34498
RESERVED
CVE-2022-34497
RESERVED
-CVE-2022-34496
- RESERVED
+CVE-2022-34496 (Hiby R3 PRO firmware v1.5 to v1.7 was discovered to contain a file upl ...)
+ NOT-FOR-US: Hiby R3 PRO firmware
CVE-2022-34495 (rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel be ...)
- linux 5.18.5-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
@@ -6190,19 +9656,19 @@ CVE-2022-2211 (A vulnerability was found in libguestfs. This issue occurs while
NOTE: https://github.com/libguestfs/libguestfs-common/commit/35467027f657de76aca34b48a6f23e9608b23a57
NOTE: Documentation: https://github.com/libguestfs/libguestfs/commit/99844660b48ed809e37378262c65d63df6ce4a53
CVE-2022-2210 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/020845f8-f047-4072-af0f-3726fe1aea25
NOTE: https://github.com/vim/vim/commit/c101abff4c6756db4f5e740fde289decb9452efa (v8.2.5164)
NOTE: Crash in CLI tool, no security impact
CVE-2022-2209
REJECTED
CVE-2022-2208 (NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.516 ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/7bfe3d5b-568f-4c34-908f-a39909638cc1
NOTE: https://github.com/vim/vim/commit/cd38bb4d83c942c4bad596835c6766cbf32e5195 (v8.2.5163)
NOTE: Crash in CLI tool, no security impact
CVE-2022-2207 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
NOTE: https://huntr.dev/bounties/05bc6051-4dc3-483b-ae56-cf23346b97b9
NOTE: https://github.com/vim/vim/commit/0971c7a4e537ea120a6bb2195960be8d0815e97b (v8.2.5162)
CVE-2022-34493
@@ -6214,7 +9680,7 @@ CVE-2022-34491
CVE-2022-34490
RESERVED
CVE-2022-2206 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/01d01e74-55d0-4d9e-878e-79ba599be668
NOTE: https://github.com/vim/vim/commit/e178af5a586ea023622d460779fdcabbbfac0908 (v8.2.5160)
NOTE: Crash in CLI tool, no security impact
@@ -6381,7 +9847,7 @@ CVE-2022-34467 (A vulnerability has been identified in Mendix Excel Importer Mod
NOT-FOR-US: Siemens
CVE-2022-34466 (A vulnerability has been identified in Mendix Applications using Mendi ...)
NOT-FOR-US: Siemens
-CVE-2022-34465 (A vulnerability has been identified in Parasolid V33.1 (All versions), ...)
+CVE-2022-34465 (A vulnerability has been identified in Parasolid V33.1 (All versions & ...)
NOT-FOR-US: Siemens
CVE-2022-34464 (A vulnerability has been identified in SICAM GridEdge Essential ARM (A ...)
NOT-FOR-US: Siemens
@@ -6593,8 +10059,8 @@ CVE-2022-34367 (Dell EMC Data Protection Central versions 19.1, 19.2, 19.3, 19.4
NOT-FOR-US: Dell
CVE-2022-34366
RESERVED
-CVE-2022-34365
- RESERVED
+CVE-2022-34365 (WMS 3.7 contains a Path Traversal Vulnerability in Device API. An atta ...)
+ NOT-FOR-US: Dell
CVE-2022-34364
RESERVED
CVE-2022-34363
@@ -6669,8 +10135,8 @@ CVE-2022-34340
RESERVED
CVE-2022-34339
RESERVED
-CVE-2022-34338
- RESERVED
+CVE-2022-34338 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could disclo ...)
+ NOT-FOR-US: IBM
CVE-2022-34337
RESERVED
CVE-2022-34336
@@ -6695,20 +10161,20 @@ CVE-2022-32284 (Use of insufficiently random values vulnerability exists in Vnet
NOT-FOR-US: YOKOGAWA
CVE-2022-2185 (A critical issue has been discovered in GitLab affecting all versions ...)
- gitlab <unfixed>
-CVE-2022-2184
- RESERVED
+CVE-2022-2184 (The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2183 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/d74ca3f9-380d-4c0a-b61c-11113cc98975
NOTE: https://github.com/vim/vim/commit/8eba2bd291b347e3008aa9e565652d51ad638cfa (v8.2.5151)
NOTE: Crash in CLI tool, no security impact
CVE-2022-2182 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/238d8650-3beb-4831-a8f7-6f0b597a6fb8
NOTE: https://github.com/vim/vim/commit/f7c7c3fad6d2135d558f3b36d0d1a943118aeb5e (v8.2.5150)
NOTE: Crash in CLI tool, no security impact
-CVE-2022-2181
- RESERVED
+CVE-2022-2181 (The Advanced WordPress Reset WordPress plugin before 1.6 does not esca ...)
+ NOT-FOR-US: WordPress plugin
CVE-2021-46824 (Cross Site Scripting (XSS) vulnerability in sourcecodester School File ...)
NOT-FOR-US: sourcecodester School File Management System
CVE-2022-34327
@@ -6751,12 +10217,12 @@ CVE-2022-34309
RESERVED
CVE-2022-34308
RESERVED
-CVE-2022-34307
- RESERVED
+CVE-2022-34307 (IBM CICS TX 11.1 does not set the secure attribute on authorization to ...)
+ NOT-FOR-US: IBM
CVE-2022-34306 (IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTTP header in ...)
NOT-FOR-US: IBM
CVE-2022-34305 (In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 ...)
- - tomcat9 <unfixed> (unimportant)
+ - tomcat9 9.0.65-1 (unimportant)
- tomcat8 <removed> (unimportant)
NOTE: https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k
NOTE: https://github.com/apache/tomcat/commit/8b60af90b99945379c2d1003277e0cabc6776bac (9.0.65)
@@ -6790,10 +10256,11 @@ CVE-2022-34296 (In Zalando Skipper before 0.13.218, a query predicate could be b
NOT-FOR-US: Zalando Skipper
CVE-2022-34295 (totd before 1.5.3 does not properly randomize mesg IDs. ...)
NOT-FOR-US: totd
-CVE-2022-34294
- RESERVED
-CVE-2022-34293
- RESERVED
+CVE-2022-34294 (totd 1.5.3 uses a fixed UDP source port in upstream queries sent to DN ...)
+ NOT-FOR-US: totd
+CVE-2022-34293 (wolfSSL before 5.4.0 allows remote attackers to cause a denial of serv ...)
+ - wolfssl <unfixed> (bug #1016981)
+ NOTE: http://www.openwall.com/lists/oss-security/2022/08/08/6
CVE-2022-34292
RESERVED
CVE-2022-34291 (A vulnerability has been identified in PADS Standard/Plus Viewer (All ...)
@@ -6838,8 +10305,8 @@ CVE-2022-34272 (A vulnerability has been identified in PADS Standard/Plus Viewer
NOT-FOR-US: Siemens
CVE-2022-34271
RESERVED
-CVE-2022-2180
- RESERVED
+CVE-2022-2180 (The GREYD.SUITE WordPress theme does not properly validate uploaded cu ...)
+ NOT-FOR-US: WordPress theme
CVE-2022-2179 (The X-Frame-Options header in Rockwell Automation MicroLogix 1100/1400 ...)
NOT-FOR-US: Rockwell
CVE-2022-2178
@@ -6849,7 +10316,7 @@ CVE-2022-2177
CVE-2022-2176
RESERVED
CVE-2022-2175 (Buffer Over-read in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/7f0481c2-8b57-4324-b47c-795d1ea67e55
NOTE: https://github.com/vim/vim/commit/6046aded8da002b08d380db29de2ba0268b6616e (v8.2.5148)
NOTE: Crash in CLI tool, no security impact
@@ -6859,10 +10326,10 @@ CVE-2022-2173 (The Advanced Database Cleaner WordPress plugin before 3.1.1 does
NOT-FOR-US: WordPress plugin
CVE-2022-2172
RESERVED
-CVE-2022-2171
- RESERVED
-CVE-2022-2170
- RESERVED
+CVE-2022-2171 (The Progressive License WordPress plugin through 1.1.0 is lacking any ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-2170 (The Microsoft Advertising Universal Event Tracking (UET) WordPress plu ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2169 (The Loading Page with Loading Screen WordPress plugin before 1.0.83 do ...)
NOT-FOR-US: WordPress plugin
CVE-2022-2168 (The Download Manager WordPress plugin before 3.2.44 does not escape a ...)
@@ -6886,16 +10353,16 @@ CVE-2022-34265 (An issue was discovered in Django 3.2 before 3.2.14 and 4.0 befo
NOTE: https://github.com/django/django/commit/54eb8a374d5d98594b264e8ec22337819b37443c (main)
NOTE: https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492 (4.0.6)
NOTE: https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e (3.2.14)
-CVE-2022-34264
- RESERVED
-CVE-2022-34263
- RESERVED
-CVE-2022-34262
- RESERVED
-CVE-2022-34261
- RESERVED
-CVE-2022-34260
- RESERVED
+CVE-2022-34264 (Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update ...)
+ NOT-FOR-US: Adobe
+CVE-2022-34263 (Adobe Illustrator versions 26.3.1 (and earlier) and 25.4.6 (and earlie ...)
+ NOT-FOR-US: Adobe
+CVE-2022-34262 (Adobe Illustrator versions 26.3.1 (and earlier) and 25.4.6 (and earlie ...)
+ NOT-FOR-US: Adobe
+CVE-2022-34261 (Adobe Illustrator versions 26.3.1 (and earlier) and 25.4.6 (and earlie ...)
+ NOT-FOR-US: Adobe
+CVE-2022-34260 (Adobe Illustrator versions 26.3.1 (and earlier) and 25.4.6 (and earlie ...)
+ NOT-FOR-US: Adobe
CVE-2022-34259
RESERVED
CVE-2022-34258
@@ -6944,8 +10411,8 @@ CVE-2022-34237 (Adobe Acrobat Reader versions 22.001.20142 (and earlier), 20.005
NOT-FOR-US: Adobe
CVE-2022-34236 (Adobe Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 ...)
NOT-FOR-US: Adobe
-CVE-2022-34235
- RESERVED
+CVE-2022-34235 (Adobe Premiere Elements version 2020v20 (and earlier) is affected by a ...)
+ NOT-FOR-US: Adobe
CVE-2022-34234 (Adobe Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 ...)
NOT-FOR-US: Adobe
CVE-2022-34233 (Adobe Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 ...)
@@ -7154,8 +10621,8 @@ CVE-2022-2153
NOTE: https://git.kernel.org/linus/7ec37d1cbe17d8189d9562178d8b29167fe1c31a (5.18-rc1)
NOTE: https://git.kernel.org/linus/00b5f37189d24ac3ed46cb7f11742094778c46ce (5.18-rc1)
NOTE: https://git.kernel.org/linus/b1e34d325397a33d97d845e312d7cf2a8b646b44 (5.18-rc1)
-CVE-2022-2152
- RESERVED
+CVE-2022-2152 (The Duplicate Page and Post Plugin WordPress plugin through 2.7 does n ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2151 (The Best Contact Management Software WordPress plugin through 3.7.3 do ...)
NOT-FOR-US: WordPress plugin
CVE-2022-2150
@@ -7178,20 +10645,20 @@ CVE-2022-34166 (IBM CICS TX Standard and Advanced 11.1 is vulnerable to cross-si
NOT-FOR-US: IBM
CVE-2022-34165
RESERVED
-CVE-2022-34164
- RESERVED
-CVE-2022-34163
- RESERVED
-CVE-2022-34162
- RESERVED
-CVE-2022-34161
- RESERVED
+CVE-2022-34164 (IBM CICS TX 11.1 could allow a local user to impersonate another legit ...)
+ NOT-FOR-US: IBM
+CVE-2022-34163 (IBM CICS TX 11.1 is vulnerable to HTTP header injection, caused by imp ...)
+ NOT-FOR-US: IBM
+CVE-2022-34162 (IBM CICS TX 11.1 could allow a remote attacker to hijack the clicking ...)
+ NOT-FOR-US: IBM
+CVE-2022-34161 (IBM CICS TX 11.1 is vulnerable to cross-site request forgery which cou ...)
+ NOT-FOR-US: IBM
CVE-2022-34160 (IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTML injection ...)
NOT-FOR-US: IBM
CVE-2022-34159
RESERVED
-CVE-2022-34158
- RESERVED
+CVE-2022-34158 (A carefully crafted invocation on the Image plugin could trigger an CS ...)
+ - jspwiki <removed>
CVE-2022-2143 (The affected product is vulnerable to two instances of command injecti ...)
NOT-FOR-US: iView
CVE-2022-2142 (The affected product is vulnerable to a SQL injection with high attack ...)
@@ -7287,7 +10754,7 @@ CVE-2022-34117
RESERVED
CVE-2022-34116
RESERVED
-CVE-2022-34115 (Dataease v1.11.1 was discovered to contain a SQL injection vulnerabili ...)
+CVE-2022-34115 (DataEase v1.11.1 was discovered to contain a arbitrary file write vuln ...)
NOT-FOR-US: Dataease
CVE-2022-34114 (Dataease v1.11.1 was discovered to contain a SQL injection vulnerabili ...)
NOT-FOR-US: Dataease
@@ -7448,16 +10915,16 @@ CVE-2022-34037 (An out-of-bounds read in the rewrite function at /modules/caddyh
CVE-2022-34036
RESERVED
CVE-2022-34035 (HTMLDoc v1.9.12 and below was discovered to contain a heap overflow vi ...)
- - htmldoc <unfixed> (unimportant)
+ - htmldoc 1.9.12-1 (unimportant)
NOTE: https://github.com/michaelrsweet/htmldoc/issues/426
- NOTE: https://github.com/michaelrsweet/htmldoc/commit/ee778252faebb721afba5a081dd6ad7eaf20eef3
+ NOTE: https://github.com/michaelrsweet/htmldoc/commit/ee778252faebb721afba5a081dd6ad7eaf20eef3 (v1.9.12)
NOTE: Crash in CLI tool, no security impact
CVE-2022-34034
RESERVED
CVE-2022-34033 (HTMLDoc v1.9.15 was discovered to contain a heap overflow via (write_h ...)
- - htmldoc <unfixed> (unimportant)
+ - htmldoc 1.9.12-1 (unimportant)
NOTE: https://github.com/michaelrsweet/htmldoc/issues/425
- NOTE: https://github.com/michaelrsweet/htmldoc/commit/a0014be47d614220db111b360fb6170ef6f3937e
+ NOTE: https://github.com/michaelrsweet/htmldoc/commit/a0014be47d614220db111b360fb6170ef6f3937e (v1.9.12)
CVE-2022-34032 (Nginx NJS v0.7.5 was discovered to contain a segmentation violation in ...)
NOT-FOR-US: njs
CVE-2022-34031 (Nginx NJS v0.7.5 was discovered to contain a segmentation violation vi ...)
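Review bot: The `(v1.9.12)` tags added to the two htmldoc fix commits (CVE-2022-34035 and CVE-2022-34033) sit next to CVE descriptions that state `v1.9.12 and below` and `v1.9.15` as affected, so on the new side each entry reads as fixed in a release its own description calls vulnerable, and the Debian fixed version `1.9.12-1` rests on that tag. If the tag is right (the commits predate the 1.9.12 release and the CVE texts are inaccurate), a one-line note such as `NOTE: Version ranges in the CVE descriptions are inaccurate, fix commits are contained in v1.9.12` would stop the next triager from re-opening both entries. If it is not, the fixed version should be the Debian upload that actually contains the commits rather than 1.9.12-1. Both entries are complete within this hunk.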
@@ -7537,8 +11004,8 @@ CVE-2022-33996 (Incorrect permission management in Devolutions Server before 202
NOT-FOR-US: Devolutions Server
CVE-2022-33995 (A path traversal issue in entry attachments in Devolutions Remote Desk ...)
NOT-FOR-US: Devolutions
-CVE-2022-33994
- RESERVED
+CVE-2022-33994 (The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by ...)
+ NOT-FOR-US: Gutenberg plugin for WordPress
CVE-2017-20091 (A vulnerability was found in File Manager Plugin 3.0.1. It has been cl ...)
NOT-FOR-US: WordPress plugin
CVE-2017-20090 (A vulnerability was found in Global Content Blocks Plugin 2.1.5. It ha ...)
@@ -7559,18 +11026,18 @@ CVE-2017-20083 (A vulnerability, which was classified as critical, was found in
NOT-FOR-US: JUNG Smart Visu Server
CVE-2017-20082 (A vulnerability, which was classified as problematic, has been found i ...)
NOT-FOR-US: JUNG Smart Visu Server
-CVE-2022-33993
- RESERVED
-CVE-2022-33992
- RESERVED
-CVE-2022-33991
- RESERVED
-CVE-2022-33990
- RESERVED
-CVE-2022-33989
- RESERVED
-CVE-2022-33988
- RESERVED
+CVE-2022-33993 (Misinterpretation of special domain name characters in DNRD (aka Domai ...)
+ NOT-FOR-US: dnrd
+CVE-2022-33992 (DNRD (aka Domain Name Relay Daemon) 2.20.3 forwards and caches DNS que ...)
+ NOT-FOR-US: dnrd
+CVE-2022-33991 (dproxy-nexgen (aka dproxy nexgen) forwards and caches DNS queries with ...)
+ NOT-FOR-US: dproxy
+CVE-2022-33990 (Misinterpretation of special domain name characters in dproxy-nexgen ( ...)
+ NOT-FOR-US: dproxy
+CVE-2022-33989 (dproxy-nexgen (aka dproxy nexgen) uses a static UDP source port (selec ...)
+ NOT-FOR-US: dproxy
+CVE-2022-33988 (dproxy-nexgen (aka dproxy nexgen) re-uses the DNS transaction id (TXID ...)
+ NOT-FOR-US: dproxy
CVE-2022-33987 (The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allow ...)
- node-got 11.8.3+~cs58.7.37-3 (bug #1013264)
[bullseye] - node-got 11.8.1+~cs53.13.17-3+deb11u1
@@ -7617,7 +11084,7 @@ CVE-2022-33980 (Apache Commons Configuration performs variable interpolation, al
- commons-configuration2 2.8.0-1 (bug #1014960)
NOTE: https://www.openwall.com/lists/oss-security/2022/07/06/5
CVE-2022-2129 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[stretch] - vim <postponed> (Minor issue)
NOTE: https://huntr.dev/bounties/3aaf06e7-9ae1-454d-b8ca-8709c98e5352
NOTE: https://github.com/vim/vim/commit/d6211a52ab9f53b82f884561ed43d2fe4d24ff7d (v8.2.5126)
@@ -7627,17 +11094,17 @@ CVE-2022-2127
RESERVED
CVE-2022-2126 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...)
{DLA-3053-1}
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
NOTE: https://huntr.dev/bounties/8d196d9b-3d10-41d2-9f70-8ef0d08c946e
NOTE: https://github.com/vim/vim/commit/156d3911952d73b03d7420dc3540215247db0fe8 (v8.2.5123)
CVE-2022-2125 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[stretch] - vim <postponed> (Minor issue)
NOTE: https://huntr.dev/bounties/17dab24d-beec-464d-9a72-5b6b11283705
NOTE: https://github.com/vim/vim/commit/0e8e938d497260dd57be67b4966cb27a5f72376f (v8.2.5122)
CVE-2022-2124 (Buffer Over-read in GitHub repository vim/vim prior to 8.2. ...)
{DLA-3053-1}
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
NOTE: https://huntr.dev/bounties/8e9e056d-f733-4540-98b6-414bf36e0b42
NOTE: https://github.com/vim/vim/commit/2f074f4685897ab7212e25931eeeb0212292829f (v8.2.5120)
CVE-2021-46823 (python-ldap before 3.4.0 is vulnerable to a denial of service when lda ...)
@@ -7709,8 +11176,8 @@ CVE-2022-33957
RESERVED
CVE-2022-33956
RESERVED
-CVE-2022-33955
- RESERVED
+CVE-2022-33955 (IBM CICS TX 11.1 could allow allow an attacker with physical access to ...)
+ NOT-FOR-US: IBM
CVE-2022-33954
RESERVED
CVE-2022-33953 (IBM Robotic Process Automation 21.0.1 and 21.0.2 could allow a user wi ...)
@@ -7784,9 +11251,12 @@ CVE-2022-26084
CVE-2022-2123 (The WP Opt-in WordPress plugin through 1.4.1 is vulnerable to CSRF whi ...)
NOT-FOR-US: WordPress plugin
CVE-2022-2122 (DOS / potential heap overwrite in qtdemux using zlib decompression. In ...)
- - gst-plugins-good1.0 <unfixed>
+ {DSA-5204-1 DLA-3069-1}
+ - gst-plugins-good1.0 1.20.3-1
+ NOTE: https://gstreamer.freedesktop.org/security/sa-2022-0003.html
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774
+ NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/92b5eb1da30fda054daf2f3d30bb4b806910b234 (1.20.3)
CVE-2022-2121 (OFFIS DCMTK's (All versions prior to 3.6.7) has a NULL pointer derefer ...)
- dcmtk <unfixed> (bug #1014044)
[bullseye] - dcmtk <no-dsa> (Minor issue)
@@ -7885,22 +11355,22 @@ CVE-2022-33933
RESERVED
CVE-2022-33932
RESERVED
-CVE-2022-33931
- RESERVED
-CVE-2022-33930
- RESERVED
-CVE-2022-33929
- RESERVED
-CVE-2022-33928
- RESERVED
-CVE-2022-33927
- RESERVED
-CVE-2022-33926
- RESERVED
-CVE-2022-33925
- RESERVED
-CVE-2022-33924
- RESERVED
+CVE-2022-33931 (Dell Wyse Management Suite 3.6.1 and below contains an Improper Access ...)
+ NOT-FOR-US: Dell Wyse Management Suite
+CVE-2022-33930 (Dell Wyse Management Suite 3.6.1 and below contains Information Disclo ...)
+ NOT-FOR-US: Dell Wyse Management Suite
+CVE-2022-33929 (Dell Wyse Management Suite 3.6.1 and below contains a Reflected Cross- ...)
+ NOT-FOR-US: Dell Wyse Management Suite
+CVE-2022-33928 (Dell Wyse Management Suite 3.6.1 and below contains an Plain-text Pass ...)
+ NOT-FOR-US: Dell Wyse Management Suite
+CVE-2022-33927 (Dell Wyse Management Suite 3.6.1 and below contains a Session Fixation ...)
+ NOT-FOR-US: Dell Wyse Management Suite
+CVE-2022-33926 (Dell Wyse Management Suite 3.6.1 and below contains an improper access ...)
+ NOT-FOR-US: Dell Wyse Management Suite
+CVE-2022-33925 (Dell Wyse Management Suite 3.6.1 and below contains an Improper Access ...)
+ NOT-FOR-US: Dell Wyse Management Suite
+CVE-2022-33924 (Dell Wyse Management Suite 3.6.1 and below contains an Improper Access ...)
+ NOT-FOR-US: Dell Wyse Management Suite
CVE-2022-33923 (Dell PowerStore, versions prior to 3.0.0.0, contains an OS Command Inj ...)
NOT-FOR-US: Dell
CVE-2022-33922
@@ -7913,12 +11383,12 @@ CVE-2022-33919
RESERVED
CVE-2022-33918
RESERVED
-CVE-2022-33917
- RESERVED
+CVE-2022-33917 (An issue was discovered in the Arm Mali GPU Kernel Driver (Valhall r29 ...)
+ NOT-FOR-US: ARM Mali
CVE-2022-2117 (The GiveWP plugin for WordPress is vulnerable to Sensitive Information ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-2116
- RESERVED
+CVE-2022-2116 (The Contact Form DB WordPress plugin before 1.8.0 does not sanitise an ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2115 (The Popup Anything WordPress plugin before 2.1.7 does not sanitise and ...)
NOT-FOR-US: WordPress plugin
CVE-2022-2114 (The Data Tables Generator by Supsystic WordPress plugin before 1.10.20 ...)
@@ -7988,8 +11458,8 @@ CVE-2022-33883
RESERVED
CVE-2022-33882
RESERVED
-CVE-2022-33881
- RESERVED
+CVE-2022-33881 (Parsing a maliciously crafted PRT file can force Autodesk AutoCAD 2023 ...)
+ NOT-FOR-US: Autodesk
CVE-2022-33311
RESERVED
CVE-2022-33151
@@ -8298,8 +11768,7 @@ CVE-2022-2097 (AES OCB mode for 32-bit x86 platforms using the AES-NI assembly o
NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=919925673d6c9cfed3c1085497f5dfbbed5fc431 (OpenSSL_1_1_1q)
CVE-2022-2096
RESERVED
-CVE-2022-2095
- RESERVED
+CVE-2022-2095 (An improper access control check in GitLab CE/EE affecting all version ...)
- gitlab <unfixed>
CVE-2022-2094
RESERVED
@@ -8341,8 +11810,10 @@ CVE-2022-33746
RESERVED
CVE-2022-33745 (insufficient TLB flush for x86 PV guests in shadow mode For migration ...)
- xen <unfixed>
+ [bullseye] - xen <postponed> (Minor issue, include in next security round)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-408.html
+ NOTE: All versions of Xen with the XSA-401 fixes applied are vulnerable
CVE-2022-33744 (Arm guests can cause Dom0 DoS via PV devices When mapping pages of gue ...)
{DSA-5191-1}
- linux 5.18.14-1
@@ -8393,48 +11864,48 @@ CVE-2022-2086 (A vulnerability, which was classified as critical, has been found
NOT-FOR-US: SourceCodester Bank Management System
CVE-2022-33735
RESERVED
-CVE-2022-33734
- RESERVED
-CVE-2022-33733
- RESERVED
-CVE-2022-33732
- RESERVED
-CVE-2022-33731
- RESERVED
-CVE-2022-33730
- RESERVED
-CVE-2022-33729
- RESERVED
-CVE-2022-33728
- RESERVED
-CVE-2022-33727
- RESERVED
-CVE-2022-33726
- RESERVED
-CVE-2022-33725
- RESERVED
-CVE-2022-33724
- RESERVED
-CVE-2022-33723
- RESERVED
-CVE-2022-33722
- RESERVED
-CVE-2022-33721
- RESERVED
-CVE-2022-33720
- RESERVED
-CVE-2022-33719
- RESERVED
-CVE-2022-33718
- RESERVED
-CVE-2022-33717
- RESERVED
-CVE-2022-33716
- RESERVED
-CVE-2022-33715
- RESERVED
-CVE-2022-33714
- RESERVED
+CVE-2022-33734 (Sensitive information exposure in onCharacteristicChanged in Charm by ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33733 (Sensitive information exposure in onCharacteristicRead in Charm by Sam ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33732 (Improper access control vulnerability in Samsung Dex for PC prior to S ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33731 (Improper access control vulnerability in DesktopSystemUI prior to SMR ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33730 (Heap-based buffer overflow vulnerability in Samsung Dex for PC prior t ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33729 (Improper restriction of broadcasting Intent in ConfirmConnectActivity ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33728 (Exposure of sensitive information in Bluetooth prior to SMR Aug-2022 R ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33727 (A vulnerable code in onCreate of SecDevicePickerDialog prior to SMR Au ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33726 (Unprotected dynamic receiver in Samsung Galaxy Friends prior to SMR Au ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33725 (A vulnerability using PendingIntent in Knox VPN prior to SMR Aug-2022 ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33724 (Exposure of Sensitive Information in Samsung Dialer application?prior ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33723 (A vulnerable code in onCreate of BluetoothScanDialog prior to SMR Aug- ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33722 (Implicit Intent hijacking vulnerability in Smart View prior to SMR Aug ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33721 (A vulnerability using PendingIntent in DeX for PC prior to SMR Aug-202 ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33720 (Improper authentication vulnerability in AppLock prior to SMR Aug-2022 ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33719 (Improper input validation in baseband prior to SMR Aug-2022 Release 1 ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33718 (An improper access control vulnerability in Wi-Fi Service prior to SMR ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33717 (A missing input validation before memory read in SEM TA prior to SMR A ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33716 (An absence of variable initialization in ICCC TA prior to SMR Aug-2022 ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33715 (Improper access control and path traversal vulnerability in LauncherPr ...)
+ NOT-FOR-US: Samsung
+CVE-2022-33714 (Improper access control vulnerability in SemWifiApBroadcastReceiver pr ...)
+ NOT-FOR-US: Samsung
CVE-2022-33713 (Implicit Intent hijacking vulnerability in Samsung Cloud prior to vers ...)
NOT-FOR-US: Samsung
CVE-2022-33712 (Intent redirection vulnerability using implict intent in Camera prior ...)
@@ -8521,8 +11992,8 @@ CVE-2022-33672 (Azure Site Recovery Elevation of Privilege Vulnerability. This C
NOT-FOR-US: Microsoft
CVE-2022-33671 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
NOT-FOR-US: Microsoft
-CVE-2022-33670
- RESERVED
+CVE-2022-33670 (Windows Partition Management Driver Elevation of Privilege Vulnerabili ...)
+ NOT-FOR-US: Microsoft
CVE-2022-33669 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
NOT-FOR-US: Microsoft
CVE-2022-33668 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
@@ -8563,14 +12034,14 @@ CVE-2022-33651 (Azure Site Recovery Elevation of Privilege Vulnerability. This C
NOT-FOR-US: Microsoft
CVE-2022-33650 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
NOT-FOR-US: Microsoft
-CVE-2022-33649
- RESERVED
-CVE-2022-33648
- RESERVED
+CVE-2022-33649 (Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability. ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-33648 (Microsoft Excel Remote Code Execution Vulnerability. ...)
+ NOT-FOR-US: Microsoft
CVE-2022-33647
RESERVED
-CVE-2022-33646
- RESERVED
+CVE-2022-33646 (Azure Batch Node Agent Elevation of Privilege Vulnerability. ...)
+ NOT-FOR-US: Microsoft
CVE-2022-33645
RESERVED
CVE-2022-33644 (Xbox Live Save Service Elevation of Privilege Vulnerability. ...)
@@ -8581,16 +12052,16 @@ CVE-2022-33642 (Azure Site Recovery Elevation of Privilege Vulnerability. This C
NOT-FOR-US: Microsoft
CVE-2022-33641 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
NOT-FOR-US: Microsoft
-CVE-2022-33640
- RESERVED
+CVE-2022-33640 (System Center Operations Manager: Open Management Infrastructure (OMI) ...)
+ NOT-FOR-US: Microsoft
CVE-2022-33639 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. ...)
NOT-FOR-US: Microsoft
CVE-2022-33638 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. ...)
NOT-FOR-US: Microsoft
CVE-2022-33637 (Microsoft Defender for Endpoint Tampering Vulnerability. ...)
NOT-FOR-US: Microsoft
-CVE-2022-33636
- RESERVED
+CVE-2022-33636 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. ...)
+ NOT-FOR-US: Microsoft
CVE-2022-33635
RESERVED
CVE-2022-33634
@@ -8599,8 +12070,8 @@ CVE-2022-33633 (Skype for Business and Lync Remote Code Execution Vulnerability.
NOT-FOR-US: Skype for Business and Lync
CVE-2022-33632 (Microsoft Office Security Feature Bypass Vulnerability. ...)
NOT-FOR-US: Microsoft
-CVE-2022-33631
- RESERVED
+CVE-2022-33631 (Microsoft Excel Security Feature Bypass Vulnerability. ...)
+ NOT-FOR-US: Microsoft
CVE-2022-33630
RESERVED
CVE-2022-33629
@@ -9559,8 +13030,8 @@ CVE-2022-33171 (** DISPUTED ** The findOne function in TypeORM before 0.3.0 can
NOT-FOR-US: TypeORM
CVE-2022-33170
RESERVED
-CVE-2022-33169
- RESERVED
+CVE-2022-33169 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerabl ...)
+ NOT-FOR-US: IBM
CVE-2022-33168
RESERVED
CVE-2022-33167
@@ -9581,8 +13052,8 @@ CVE-2022-33160
RESERVED
CVE-2022-33159
RESERVED
-CVE-2022-33158
- RESERVED
+CVE-2022-33158 (Trend Micro VPN Proxy Pro version 5.2.1026 and below contains a vulner ...)
+ NOT-FOR-US: Trend Micro
CVE-2022-33157 (The libconnect extension before 7.0.8 and 8.x before 8.1.0 for TYPO3 a ...)
NOT-FOR-US: TYPO3 extension
CVE-2022-33156 (The matomo_integration (aka Matomo Integration) extension before 1.3.2 ...)
@@ -9930,7 +13401,7 @@ CVE-2022-32992 (Online Tours And Travels Management System v1.0 was discovered t
CVE-2022-32991 (Web Based Quiz System v1.0 was discovered to contain a SQL injection v ...)
NOT-FOR-US: Web Based Quiz System
CVE-2022-32990 (An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allow ...)
- - gimp <unfixed> (unimportant)
+ - gimp 2.10.32-1 (unimportant)
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/8230
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/24c962b95e5c740dff7a87a1f0ccdbf6c0a8c21e (master)
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/a842869247eb2cae2b40476b5d93f88d8b01aa27 (master)
@@ -10097,12 +13568,12 @@ CVE-2022-32967
RESERVED
CVE-2022-32966
RESERVED
-CVE-2022-32965
- RESERVED
-CVE-2022-32964
- RESERVED
-CVE-2022-32963
- RESERVED
+CVE-2022-32965 (OMICARD EDM has a hard-coded machine key. An unauthenticated remote at ...)
+ NOT-FOR-US: OMICARD EDM
+CVE-2022-32964 (OMICARD EDM&#8217;s API function has insufficient validation for user ...)
+ NOT-FOR-US: OMICARD EDM
+CVE-2022-32963 (OMICARD EDM&#8217;s mail file relay function has a path traversal vuln ...)
+ NOT-FOR-US: OMICARD EDM
CVE-2022-32962 (HiCOS&#8217; client-side citizen certificate component has a double fr ...)
NOT-FOR-US: HICOS
CVE-2022-32961 (HICOS&#8217; client-side citizen digital certificate component has a s ...)
@@ -10117,10 +13588,10 @@ CVE-2022-32588
RESERVED
CVE-2022-32281
RESERVED
-CVE-2022-2053
- RESERVED
- - undertow <unfixed>
+CVE-2022-2053 (When a POST request comes through AJP and the request exceeds the max- ...)
+ - undertow 2.2.18-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2095862
+ NOTE: https://github.com/undertow-io/undertow/commit/10ad8964162162ce6d441e951cb9efcdaa585916
CVE-2022-2052
RESERVED
CVE-2022-2051
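Review bot: The new fix reference for CVE-2022-2053 (`NOTE: https://github.com/undertow-io/undertow/commit/10ad8964162162ce6d441e951cb9efcdaa585916`) carries no release tag, unlike the surrounding entries that mark each commit with the version it landed in (`(v8.2.5126)`, `(1.20.3)`), so a reader cannot tell whether `undertow 2.2.18-1` was chosen because that upstream release contains this commit. Append the upstream release to the NOTE, e.g. `... (2.2.18.Final)` if that is where it landed, confirming against the Red Hat bug linked above. No `[bullseye]`/`[buster]` triage line is given, so stable's status is left at the default and should be revisited.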
@@ -10409,8 +13880,11 @@ CVE-2022-32818
RESERVED
CVE-2022-32817
RESERVED
-CVE-2022-32816
+CVE-2022-32816 [A UI spoofing issue was addressed with improved UI handling]
RESERVED
+ - webkit2gtk 2.36.6-1
+ - wpewebkit 2.36.6-1
+ NOTE: https://www.openwall.com/lists/oss-security/2022/07/28/2
CVE-2022-32815
RESERVED
CVE-2022-32814
@@ -10457,8 +13931,11 @@ CVE-2022-32794
RESERVED
CVE-2022-32793
RESERVED
-CVE-2022-32792
+CVE-2022-32792 [An out-of-bounds write issue was addressed with improved input validation]
RESERVED
+ - webkit2gtk 2.36.6-1
+ - wpewebkit 2.36.6-1
+ NOTE: https://www.openwall.com/lists/oss-security/2022/07/28/2
CVE-2022-32791
RESERVED
CVE-2022-32790
@@ -10506,13 +13983,17 @@ CVE-2022-26842
CVE-2022-2049
RESERVED
CVE-2022-2048 (In Eclipse Jetty HTTP/2 server implementation, when encountering an in ...)
+ {DSA-5198-1}
- jetty9 9.4.48-1
NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
+ NOTE: https://github.com/eclipse/jetty.project/issues/7935
CVE-2022-2047 (In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, a ...)
+ {DSA-5198-1}
- jetty9 9.4.48-1
NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
-CVE-2022-2046
- RESERVED
+ NOTE: https://github.com/eclipse/jetty.project/pull/8146
+CVE-2022-2046 (The Directorist WordPress plugin before 7.2.3 allows administrators to ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-2045
RESERVED
CVE-2022-2044
@@ -10520,7 +14001,7 @@ CVE-2022-2044
CVE-2022-2043
RESERVED
CVE-2022-2042 (Use After Free in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/8628b4cd-4055-4059-aed4-64f7fdc10eba
NOTE: https://github.com/vim/vim/commit/2813f38e021c6e6581c0c88fcf107e41788bc835 (v8.2.5072)
NOTE: Crash in CLI tool, no security impact
@@ -10558,32 +14039,38 @@ CVE-2022-32752
RESERVED
CVE-2022-32751
RESERVED
-CVE-2022-32750
- RESERVED
+CVE-2022-32750 (IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0 ...)
+ NOT-FOR-US: IBM
CVE-2022-32749
RESERVED
CVE-2022-32748
RESERVED
CVE-2022-32747
RESERVED
-CVE-2022-32746
+CVE-2022-32746 [Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request]
RESERVED
- - samba <unfixed>
+ {DSA-5205-1}
+ - samba 2:4.16.4+dfsg-1 (bug #1016449)
+ [buster] - samba <no-dsa> (Minor issue; affects Samba as AD DC)
NOTE: https://www.samba.org/samba/security/CVE-2022-32746.html
-CVE-2022-32745
+CVE-2022-32745 [Samba AD users can crash the server process with an LDAP add or modify request]
RESERVED
- - samba <unfixed>
+ {DSA-5205-1}
+ - samba 2:4.16.4+dfsg-1 (bug #1016449)
[buster] - samba <not-affected> (Only affects 4.13 and later)
NOTE: https://www.samba.org/samba/security/CVE-2022-32745.html
-CVE-2022-32744
+CVE-2022-32744 [Samba AD users can forge password change requests for any user]
RESERVED
- - samba <unfixed>
+ {DSA-5205-1}
+ - samba 2:4.16.4+dfsg-1 (bug #1016449)
+ [buster] - samba <no-dsa> (Minor issue; affects Samba as AD DC)
NOTE: https://www.samba.org/samba/security/CVE-2022-32744.html
CVE-2022-32743
RESERVED
-CVE-2022-32742
+CVE-2022-32742 [Server memory information leak via SMB1]
RESERVED
- - samba <unfixed>
+ {DSA-5205-1}
+ - samba 2:4.16.4+dfsg-1 (bug #1016449)
NOTE: https://www.samba.org/samba/security/CVE-2022-32742.html
CVE-2022-32741 (Attacker is able to determine if the provided username exists (and it' ...)
NOT-FOR-US: OTRS
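Review bot: CVE-2022-32742 is the only Samba entry in this hunk with no `[buster]` triage line: the two AD DC issues are marked `<no-dsa> (Minor issue; affects Samba as AD DC)` and CVE-2022-32745 `<not-affected>`, while the SMB1 entry lists only the DSA and the unstable fix. Since its bracketed title describes a server memory information leak via SMB1, which is not limited to AD DC deployments, buster's status should be stated explicitly rather than left to the default, e.g. `[buster] - samba <no-dsa> (...)` with the reasoning, or a DLA reference once one exists.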
@@ -10598,8 +14085,8 @@ CVE-2022-32573
RESERVED
CVE-2022-30605
RESERVED
-CVE-2022-29886
- RESERVED
+CVE-2022-29886 (An integer overflow vulnerability exists in the way ESTsoft Alyac 2.5. ...)
+ NOT-FOR-US: ESTsoft Alyac
CVE-2022-29517
RESERVED
CVE-2022-29511
@@ -10996,8 +14483,8 @@ CVE-2022-28666 (Broken Access Control vulnerability in YIKES Inc. Custom Product
NOT-FOR-US: WordPress plugin
CVE-2022-28612 (Improper Access Control vulnerability leading to multiple Authenticate ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-25649
- RESERVED
+CVE-2022-25649 (Multiple Improper Access Control vulnerabilities in StoreApps Affiliat ...)
+ NOT-FOR-US: WooCommerce addon
CVE-2022-2035 (A reflected cross-site scripting (XSS) vulnerability exists in the pla ...)
NOT-FOR-US: SCORM Engine
CVE-2022-2034
@@ -11006,9 +14493,11 @@ CVE-2022-2033
RESERVED
CVE-2022-2032 (In Pandora FMS v7.0NG.761 and below, in the file manager section, the ...)
NOT-FOR-US: Pandora FMS
-CVE-2022-2031
+CVE-2022-2031 [Samba AD users can bypass certain restrictions associated with changing passwords]
RESERVED
- - samba <unfixed>
+ {DSA-5205-1}
+ - samba 2:4.16.4+dfsg-1 (bug #1016449)
+ [buster] - samba <no-dsa> (Minor issue; affects Samba as AD DC)
NOTE: https://www.samba.org/samba/security/CVE-2022-2031.html
CVE-2022-2030 (A directory traversal vulnerability caused by specific character seque ...)
NOT-FOR-US: Zyxel
@@ -11027,7 +14516,7 @@ CVE-2017-20051 (A vulnerability was found in InnoSetup Installer. It has been de
CVE-2022-32548
RESERVED
CVE-2022-32547 (In ImageMagick, there is load of misaligned address for type 'double', ...)
- - imagemagick <unfixed>
+ - imagemagick <unfixed> (bug #1016442)
[bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
[stretch] - imagemagick <no-dsa> (Minor issue)
@@ -11037,7 +14526,7 @@ CVE-2022-32547 (In ImageMagick, there is load of misaligned address for type 'do
NOTE: https://github.com/ImageMagick/ImageMagick/commit/eac8ce4d873f28bb6a46aa3a662fb196b49b95d0 (7.1.0-30)
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/dc070da861a015d3c97488fdcca6063b44d47a7b (6.9.12-45)
CVE-2022-32546 (A vulnerability was found in ImageMagick, causing an outside the range ...)
- - imagemagick <unfixed>
+ - imagemagick <unfixed> (bug #1016442)
[bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
[stretch] - imagemagick <no-dsa> (Minor issue)
@@ -11047,7 +14536,7 @@ CVE-2022-32546 (A vulnerability was found in ImageMagick, causing an outside the
NOTE: https://github.com/ImageMagick/ImageMagick/commit/f221ea0fa3171f0f4fdf74ac9d81b203b9534c23 (7.1.0-29)
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/29c8abce0da56b536542f76a9ddfebdaab5b2943 (6.9.12-44)
CVE-2022-32545 (A vulnerability was found in ImageMagick, causing an outside the range ...)
- - imagemagick <unfixed>
+ - imagemagick <unfixed> (bug #1016442)
[bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
[stretch] - imagemagick <no-dsa> (Minor issue)
@@ -11056,8 +14545,8 @@ CVE-2022-32545 (A vulnerability was found in ImageMagick, causing an outside the
NOTE: https://github.com/ImageMagick/ImageMagick/pull/4963
NOTE: https://github.com/ImageMagick/ImageMagick/commit/9c9a84cec4ab28ee0b57c2b9266d6fbe68183512 (7.1.0-28)
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/450949ed017f009b399c937cf362f0058eacc5fa (6.9.12-43)
-CVE-2022-32543
- RESERVED
+CVE-2022-32543 (An integer overflow vulnerability exists in the way ESTsoft Alyac 2.5. ...)
+ NOT-FOR-US: ESTsoft Alyac
CVE-2022-32542
RESERVED
CVE-2022-32541
@@ -11314,7 +14803,7 @@ CVE-2022-30532 (In affected versions of Octopus Deploy, there is no logging of c
CVE-2022-29890 (In affected versions of Octopus Server the help sidebar can be customi ...)
NOT-FOR-US: Octopus Server
CVE-2022-2000 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
[stretch] - vim <no-dsa> (Minor issue)
@@ -11396,8 +14885,8 @@ CVE-2022-32431
RESERVED
CVE-2022-32430 (An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers ...)
NOT-FOR-US: Lin CMS
-CVE-2022-32429
- RESERVED
+CVE-2022-32429 (An authentication-bypass issue in the component http://MYDEVICEIP/cgi- ...)
+ NOT-FOR-US: Mega System Technologies Inc MSNSwitch
CVE-2022-32428
RESERVED
CVE-2022-32427
@@ -11667,18 +15156,25 @@ CVE-2022-32300 (YoudianCMS v9.5.0 was discovered to contain a SQL injection vuln
CVE-2022-32299 (YoudianCMS v9.5.0 was discovered to contain a SQL injection vulnerabil ...)
NOT-FOR-US: YoudianCMS
CVE-2022-32298 (Toybox v0.8.7 was discovered to contain a NULL pointer dereference via ...)
- - toybox <unfixed>
+ - toybox <not-affected> (Vulnerable code not uploaded yet)
NOTE: https://github.com/landley/toybox/issues/346
+ NOTE: Introduced by: https://github.com/landley/toybox/commit/a9d0e2386f5f494bb9b4e9d56f6b95b40d7579d4 (0.8.7)
+ NOTE: Fixed by: https://github.com/landley/toybox/commit/6d4847934fc0fe47a3254ce6c0396d197a780cf4
CVE-2022-32297 (Piwigo v12.2.0 was discovered to contain SQL injection vulnerability v ...)
- piwigo <removed>
CVE-2022-32295 (On Ampere Altra and AltraMax devices before SRP 1.09, the Altra refere ...)
NOT-FOR-US: Ampere devices
CVE-2022-32294 (Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-l ...)
NOT-FOR-US: Zimbra
-CVE-2022-32293
- RESERVED
-CVE-2022-32292
- RESERVED
+CVE-2022-32293 (In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HT ...)
+ - connman <unfixed> (bug #1016976)
+ NOTE: https://lore.kernel.org/connman/20220801080043.4861-1-wagi@monom.org/
+ NOTE: https://lore.kernel.org/connman/20220801080043.4861-3-wagi@monom.org/
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1200190
+CVE-2022-32292 (In ConnMan through 1.41, remote attackers able to send HTTP requests t ...)
+ - connman <unfixed> (bug #1016976)
+ NOTE: https://lore.kernel.org/connman/20220801080043.4861-5-wagi@monom.org/
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1200189
CVE-2022-32291 (In Real Player through 20.1.0.312, attackers can execute arbitrary cod ...)
NOT-FOR-US: Real Player
CVE-2022-32290 (The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorre ...)
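Review bot: The `<not-affected> (Vulnerable code not uploaded yet)` marker for CVE-2022-32298 in toybox will become wrong as soon as toybox 0.8.7 or later is uploaded, since the hunk itself records the introducing commit as landing in 0.8.7, yet the fix commit `6d4847934fc0fe47a3254ce6c0396d197a780cf4` carries no release tag. Tag the `Fixed by:` NOTE with the first upstream release that contains it once known, so a future upload of 0.8.7 is not silently treated as safe, and consider a short reminder such as `NOTE: Recheck on next toybox upload`. The two ConnMan entries are `<unfixed>` with no `[bullseye]`/`[buster]` line; that is an acceptable open default, but the WISPR issue is a network-side MITM and the stable triage is worth adding.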
@@ -11838,8 +15334,8 @@ CVE-2022-31472 (Browse restriction bypass vulnerability in Cabinet of Cybozu Gar
NOT-FOR-US: Cybozu
CVE-2022-29521
RESERVED
-CVE-2022-29465
- RESERVED
+CVE-2022-29465 (An out-of-bounds write vulnerability exists in the PSD Header processi ...)
+ NOT-FOR-US: Accusoft ImageGear
CVE-2022-25958
RESERVED
CVE-2022-1993 (Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. ...)
@@ -11916,8 +15412,8 @@ CVE-2022-32247 (SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.3
NOT-FOR-US: SAP
CVE-2022-32246 (SAP Busines Objects Business Intelligence Platform (Visual Difference ...)
NOT-FOR-US: SAP
-CVE-2022-32245
- RESERVED
+CVE-2022-32245 (SAP BusinessObjects Business Intelligence Platform (Open Document) - v ...)
+ NOT-FOR-US: SAP
CVE-2022-32244
RESERVED
CVE-2022-32243 (When a user opens manipulated Scalable Vector Graphics (.svg, svg.x3d) ...)
@@ -11988,6 +15484,10 @@ CVE-2022-32224
RESERVED
- rails <unfixed> (bug #1016140)
NOTE: https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
+ NOTE: Fixed by: https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a (main)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/8ce4bd1be83c08c30c34af4d0f1a726066128176 (v6.1.6.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/d28f278788b599c0a9f6e3ea437c6642eb56f16c (v6.0.5.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/6576aa7bbcf52ebd39853363e29f92b4dd53b6f1 (v5.2.8.1)
CVE-2022-32223 (Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under ce ...)
- nodejs <not-affected> (Only affects Windows)
NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dll-hijacking-on-windows-high-cve-2022-32223
@@ -12041,11 +15541,13 @@ CVE-2022-32209 (# Possible XSS Vulnerability in Rails::Html::SanitizerThere is a
NOTE: https://discuss.rubyonrails.org/t/cve-2022-32209-possible-xss-vulnerability-in-rails-sanitizer/80800
NOTE: https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d (v1.4.3)
CVE-2022-32208 (When curl &lt; 7.84.0 does FTP transfers secured by krb5, it handles m ...)
+ {DSA-5197-1}
- curl 7.84.0-1
NOTE: https://curl.se/docs/CVE-2022-32208.html
NOTE: Introduced by: https://github.com/curl/curl/commit/54967d2a3ab5559631407f7b7f67ef48c2dda6dd (curl-7_16_4)
NOTE: Fixed by: https://github.com/curl/curl/commit/6ecdf5136b52af747e7bda08db9a748256b1cd09 (curl-7_84_0)
CVE-2022-32207 (When curl &lt; 7.84.0 saves cookies, alt-svc and hsts data to local fi ...)
+ {DSA-5197-1}
- curl 7.84.0-1
[buster] - curl <not-affected> (Vulnerable code introduced later)
[stretch] - curl <not-affected> (Vulnerable code introduced later)
@@ -12053,11 +15555,13 @@ CVE-2022-32207 (When curl &lt; 7.84.0 saves cookies, alt-svc and hsts data to lo
NOTE: Introduced by: https://github.com/curl/curl/commit/b834890a3fa3f525cd8ef4e99554cdb4558d7e1b (curl-7_69_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f (curl-7_84_0)
CVE-2022-32206 (curl &lt; 7.84.0 supports "chained" HTTP compression algorithms, meani ...)
+ {DSA-5197-1}
- curl 7.84.0-1
NOTE: https://curl.se/docs/CVE-2022-32206.html
NOTE: Introduced by: https://github.com/curl/curl/commit/dbcced8e32b50c068ac297106f0502ee200a1ebd (curl-7_57_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/3a09fbb7f264c67c438d01a30669ce325aa508e2 (curl-7_84_0)
CVE-2022-32205 (A malicious server can serve excessive amounts of `Set-Cookie:` header ...)
+ {DSA-5197-1}
- curl 7.84.0-1
[buster] - curl <not-affected> (Vulnerable code introduced later)
[stretch] - curl <not-affected> (Vulnerable code introduced later)
@@ -12086,8 +15590,7 @@ CVE-2022-1974
- linux 5.17.11-1
NOTE: https://www.openwall.com/lists/oss-security/2022/06/05/1
NOTE: https://git.kernel.org/linus/da5c0f119203ad9728920456a0f52a6d850c01cd (5.18-rc6)
-CVE-2022-1973 [fs/ntfs3: Fix invalid free in log_replay]
- RESERVED
+CVE-2022-1973 (A use-after-free flaw was found in the Linux kernel in log_replay in f ...)
- linux 5.18.5-1 (unimportant)
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
@@ -12114,7 +15617,7 @@ CVE-2022-1969 (The Mobile browser color select plugin for WordPress is vulnerabl
NOT-FOR-US: Mobile browser color select plugin for WordPress
CVE-2022-1968 (Use After Free in GitHub repository vim/vim prior to 8.2. ...)
{DLA-3053-1}
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/949090e5-f4ea-4edf-bd79-cd98f0498a5b
@@ -12165,8 +15668,17 @@ CVE-2022-32191
RESERVED
CVE-2022-32190
RESERVED
-CVE-2022-32189
- RESERVED
+CVE-2022-32189 (A too-short encoded message can cause a panic in Float.GobDecode and R ...)
+ - golang-1.19 1.19-1
+ - golang-1.18 1.18.5-1
+ - golang-1.17 1.17.13-1
+ - golang-1.15 <removed>
+ - golang-1.11 <removed>
+ NOTE: https://go.dev/issue/53871
+ NOTE: https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU
+ NOTE: https://github.com/golang/go/commit/055113ef364337607e3e72ed7d48df67fde6fc66 (master, go1.19)
+ NOTE: https://github.com/golang/go/commit/9240558e4f342fc6e98fec22de17c04b45089349 (go1.18.5)
+ NOTE: https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102 (go1.17.13)
CVE-2022-32188
RESERVED
CVE-2022-32187
@@ -12251,11 +15763,10 @@ CVE-2022-32150
RESERVED
CVE-2022-32149
RESERVED
-CVE-2022-32148
- RESERVED
+CVE-2022-32148 (Improper exposure of client IP addresses in net/http before Go 1.17.12 ...)
- golang-1.19 1.19~rc1-1
- golang-1.18 1.18.4-1
- - golang-1.17 <unfixed>
+ - golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
NOTE: https://github.com/golang/go/issues/53423
@@ -12290,11 +15801,10 @@ CVE-2022-30997 (Use of hard-coded credentials vulnerability exists in STARDOM FC
NOT-FOR-US: Yokogawa Electric Corporation
CVE-2022-29519 (Cleartext transmission of sensitive information vulnerability exists i ...)
NOT-FOR-US: Yokogawa Electric Corporation
-CVE-2022-1962
- RESERVED
+CVE-2022-1962 (Uncontrolled recursion in the Parse functions in go/parser before Go 1 ...)
- golang-1.19 1.19~rc2-1
- golang-1.18 1.18.4-1
- - golang-1.17 <unfixed>
+ - golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
NOTE: https://go.dev/issue/53616
@@ -12323,10 +15833,10 @@ CVE-2022-1952 (The Free Booking Plugin for Hotels, Restaurant and Car Rental Wor
NOT-FOR-US: WordPress plugin
CVE-2022-1951 (The core plugin for kitestudio WordPress plugin before 2.3.1 does not ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1950
- RESERVED
+CVE-2022-1950 (The Youzify WordPress plugin before 1.2.0 does not sanitise and escape ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-1949 (An access control bypass vulnerability found in 389-ds-base. That mish ...)
- - 389-ds-base <unfixed>
+ - 389-ds-base <unfixed> (bug #1016446)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091781
NOTE: https://github.com/389ds/389-ds-base/issues/5170
CVE-2022-32135
@@ -13064,7 +16574,7 @@ CVE-2022-1943 (A flaw out of bounds memory write in the Linux kernel UDF file sy
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2086412
NOTE: Fixed by: https://git.kernel.org/linus/c1ad35dd0548ce947d97aaf92f7f2f9a202951cf (5.18-rc7)
CVE-2022-1942 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
[stretch] - vim <no-dsa> (Minor issue)
@@ -13077,9 +16587,9 @@ CVE-2022-1940 (A Stored Cross-Site Scripting vulnerability in Jira integration i
NOTE: https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
CVE-2022-1939 (The Allow svg files WordPress plugin before 1.1 does not properly vali ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1938 (The Awin Data Feed WordPress plugin through 1.6 does not sanitise and ...)
+CVE-2022-1938 (The Awin Data Feed WordPress plugin before 1.8 does not sanitise and e ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1937 (The Awin Data Feed WordPress plugin through 1.6 does not sanitise and ...)
+CVE-2022-1937 (The Awin Data Feed WordPress plugin before 1.8 does not sanitise and e ...)
NOT-FOR-US: WordPress plugin
CVE-2022-XXXX [Sanitizing and other XSS protections]
- spip 4.1.2+dfsg-1
@@ -13150,14 +16660,14 @@ CVE-2022-1929 (An exponential ReDoS (Regular Expression Denial of Service) can b
CVE-2022-1928 (Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gite ...)
- gitea <removed>
CVE-2022-1927 (Buffer Over-read in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/945107ef-0b27-41c7-a03c-db99def0e777
NOTE: https://github.com/vim/vim/commit/4d97a565ae8be0d4debba04ebd2ac3e75a0c8010 (v8.2.5037)
NOTE: Crash in CLI tool, no security impact
CVE-2022-1926 (Integer Overflow or Wraparound in GitHub repository polonel/trudesk pr ...)
NOT-FOR-US: Trudesk
-CVE-2022-31793
- RESERVED
+CVE-2022-31793 (do_request in request.c in muhttpd before 1.1.7 allows remote attacker ...)
+ NOT-FOR-US: Arris
CVE-2022-31792
RESERVED
CVE-2022-31791
@@ -13188,20 +16698,26 @@ CVE-2022-31782 (ftbench.c in FreeType Demo Programs through 2.12.1 has a heap-ba
NOTE: Only impact the ftbench in freetype2-demos
CVE-2022-31781 (Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expressio ...)
NOT-FOR-US: Apache Tapestry
-CVE-2022-31780
- RESERVED
-CVE-2022-31779
- RESERVED
-CVE-2022-31778
- RESERVED
+CVE-2022-31780 (Improper Input Validation vulnerability in HTTP/2 frame handling of Ap ...)
+ {DSA-5206-1}
+ - trafficserver 9.1.3+ds-1
+ NOTE: https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
+CVE-2022-31779 (Improper Input Validation vulnerability in HTTP/2 header parsing of Ap ...)
+ {DSA-5206-1}
+ - trafficserver 9.1.3+ds-1
+ NOTE: https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
+CVE-2022-31778 (Improper Input Validation vulnerability in handling the Transfer-Encod ...)
+ {DSA-5206-1}
+ - trafficserver 9.1.3+ds-1
+ NOTE: https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
CVE-2022-31777
RESERVED
-CVE-2022-31776
- RESERVED
-CVE-2022-31775
- RESERVED
-CVE-2022-31774
- RESERVED
+CVE-2022-31776 (IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0 ...)
+ NOT-FOR-US: IBM
+CVE-2022-31775 (IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0 ...)
+ NOT-FOR-US: IBM
+CVE-2022-31774 (IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0 ...)
+ NOT-FOR-US: IBM
CVE-2022-31773
RESERVED
CVE-2022-31772
@@ -13223,29 +16739,47 @@ CVE-2022-31765
CVE-2022-31764
RESERVED
CVE-2022-1925 (DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decom ...)
- - gst-plugins-good1.0 <unfixed>
+ {DSA-5204-1 DLA-3069-1}
+ - gst-plugins-good1.0 1.20.3-1
+ NOTE: https://gstreamer.freedesktop.org/security/sa-2022-0002.html
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
+ NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fafb028196c78062892261d4e042e646ef8e518b (1.20.3)
CVE-2022-1924 (DOS / potential heap overwrite in mkv demuxing using lzo decompression ...)
- - gst-plugins-good1.0 <unfixed>
+ {DSA-5204-1 DLA-3069-1}
+ - gst-plugins-good1.0 1.20.3-1
+ NOTE: https://gstreamer.freedesktop.org/security/sa-2022-0002.html
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
+ NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fafb028196c78062892261d4e042e646ef8e518b (1.20.3)
CVE-2022-1923 (DOS / potential heap overwrite in mkv demuxing using bzip decompressio ...)
- - gst-plugins-good1.0 <unfixed>
+ {DSA-5204-1 DLA-3069-1}
+ - gst-plugins-good1.0 1.20.3-1
+ NOTE: https://gstreamer.freedesktop.org/security/sa-2022-0002.html
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
+ NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fafb028196c78062892261d4e042e646ef8e518b (1.20.3)
CVE-2022-1922 (DOS / potential heap overwrite in mkv demuxing using zlib decompressio ...)
- - gst-plugins-good1.0 <unfixed>
+ {DSA-5204-1 DLA-3069-1}
+ - gst-plugins-good1.0 1.20.3-1
+ NOTE: https://gstreamer.freedesktop.org/security/sa-2022-0002.html
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
+ NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fafb028196c78062892261d4e042e646ef8e518b (1.20.3)
CVE-2022-1921 (Integer overflow in avidemux element in gst_avi_demux_invert function ...)
- - gst-plugins-good1.0 <unfixed>
+ {DSA-5204-1 DLA-3069-1}
+ - gst-plugins-good1.0 1.20.3-1
+ NOTE: https://gstreamer.freedesktop.org/security/sa-2022-0001.html
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0
+ NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0d9ce6c9412006c7bf2aefd1992e7d6ba16e93b7 (1.20.3)
CVE-2022-1920 (Integer overflow in matroskademux element in gst_matroska_demux_add_wv ...)
- - gst-plugins-good1.0 <unfixed>
+ {DSA-5204-1 DLA-3069-1}
+ - gst-plugins-good1.0 1.20.3-1
+ NOTE: https://gstreamer.freedesktop.org/security/sa-2022-0004.html
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/cf887f1b8e228bff6e19829e6d03995d70ad739d
+ NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370 (1.20.3)
CVE-2022-1919 (Use after free in Codecs in Google Chrome prior to 101.0.4951.41 allow ...)
- firefox 101.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-20/#CVE-2022-1919
@@ -13277,8 +16811,8 @@ CVE-2022-1907 (Buffer Over-read in GitHub repository bfabiszewski/libmobi prior
- libmobi 0.11+dfsg-1 (bug #1011971)
NOTE: https://huntr.dev/bounties/4eb0fa3e-4480-4fb5-8ec0-fbcd71de6012
NOTE: https://github.com/bfabiszewski/libmobi/commit/1e0378e6f9e4ae415cedc9eb10850888897c5dba (v0.11)
-CVE-2022-1906
- RESERVED
+CVE-2022-1906 (The Copyright Proof WordPress plugin through 4.16 does not sanitise an ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-1905 (The Events Made Easy WordPress plugin before 2.2.81 does not properly ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1904 (The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does ...)
@@ -13444,13 +16978,13 @@ CVE-2022-1899 (Out-of-bounds Read in GitHub repository radareorg/radare2 prior t
NOTE: https://github.com/radareorg/radare2/commit/193f4fe01d7f626e2ea937450f2e0c4604420e9d
CVE-2022-1898 (Use After Free in GitHub repository vim/vim prior to 8.2. ...)
{DLA-3053-1}
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/45aad635-c2f1-47ca-a4f9-db5b25979cea
NOTE: https://github.com/vim/vim/commit/e2fa213cf571041dbd04ab0329303ffdc980678a (v8.2.5024)
CVE-2022-1897 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
[stretch] - vim <postponed> (Minor issue)
@@ -13580,14 +17114,14 @@ CVE-2022-31677
RESERVED
CVE-2022-31676
RESERVED
-CVE-2022-31675
- RESERVED
-CVE-2022-31674
- RESERVED
-CVE-2022-31673
- RESERVED
-CVE-2022-31672
- RESERVED
+CVE-2022-31675 (VMware vRealize Operations contains an authentication bypass vulnerabi ...)
+ NOT-FOR-US: VMware
+CVE-2022-31674 (VMware vRealize Operations contains an information disclosure vulnerab ...)
+ NOT-FOR-US: VMware
+CVE-2022-31673 (VMware vRealize Operations contains an information disclosure vulnerab ...)
+ NOT-FOR-US: VMware
+CVE-2022-31672 (VMware vRealize Operations contains a privilege escalation vulnerabili ...)
+ NOT-FOR-US: VMware
CVE-2022-31671
RESERVED
CVE-2022-31670
@@ -13600,26 +17134,26 @@ CVE-2022-31667
RESERVED
CVE-2022-31666
RESERVED
-CVE-2022-31665
- RESERVED
-CVE-2022-31664
- RESERVED
-CVE-2022-31663
- RESERVED
-CVE-2022-31662
- RESERVED
-CVE-2022-31661
- RESERVED
-CVE-2022-31660
- RESERVED
-CVE-2022-31659
- RESERVED
-CVE-2022-31658
- RESERVED
-CVE-2022-31657
- RESERVED
-CVE-2022-31656
- RESERVED
+CVE-2022-31665 (VMware Workspace ONE Access, Identity Manager and vRealize Automation ...)
+ NOT-FOR-US: VMware
+CVE-2022-31664 (VMware Workspace ONE Access, Identity Manager and vRealize Automation ...)
+ NOT-FOR-US: VMware
+CVE-2022-31663 (VMware Workspace ONE Access, Identity Manager and vRealize Automation ...)
+ NOT-FOR-US: VMware
+CVE-2022-31662 (VMware Workspace ONE Access, Identity Manager, Connectors and vRealize ...)
+ NOT-FOR-US: VMware
+CVE-2022-31661 (VMware Workspace ONE Access, Identity Manager and vRealize Automation ...)
+ NOT-FOR-US: VMware
+CVE-2022-31660 (VMware Workspace ONE Access, Identity Manager and vRealize Automation ...)
+ NOT-FOR-US: VMware
+CVE-2022-31659 (VMware Workspace ONE Access and Identity Manager contain a remote code ...)
+ NOT-FOR-US: VMware
+CVE-2022-31658 (VMware Workspace ONE Access, Identity Manager and vRealize Automation ...)
+ NOT-FOR-US: VMware
+CVE-2022-31657 (VMware Workspace ONE Access and Identity Manager contain a URL injecti ...)
+ NOT-FOR-US: VMware
+CVE-2022-31656 (VMware Workspace ONE Access, Identity Manager and vRealize Automation ...)
+ NOT-FOR-US: VMware
CVE-2022-31655 (VMware vRealize Log Insight in versions prior to 8.8.2 contain a store ...)
NOT-FOR-US: VMware
CVE-2022-31654 (VMware vRealize Log Insight in versions prior to 8.8.2 contain a store ...)
@@ -13685,7 +17219,7 @@ CVE-2022-31629
CVE-2022-31628
RESERVED
CVE-2022-31627 (In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as fi ...)
- - php8.1 <unfixed>
+ - php8.1 <unfixed> (bug #1016972)
- php7.4 <not-affected> (Only affects 8.1 and later)
- php7.3 <not-affected> (Only affects 8.1 and later)
NOTE: Fixed in 8.1.8
@@ -13776,7 +17310,7 @@ CVE-2022-31619 (A vulnerability has been identified in Teamcenter V12.4 (All ver
CVE-2022-1887
RESERVED
CVE-2022-1886 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/fa0ad526-b608-45b3-9ebc-f2b607834d6a
NOTE: https://github.com/vim/vim/commit/2a585c85013be22f59f184d49612074fd9b115d7 (v8.2.5016)
NOTE: Crash in CLI tool, no security impact
@@ -13804,16 +17338,34 @@ CVE-2022-1878
RESERVED
CVE-2022-1877
RESERVED
-CVE-2022-31618
- RESERVED
+CVE-2022-31618 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...)
+ NOT-FOR-US: NVIDIA
CVE-2022-31617
RESERVED
CVE-2022-31616
RESERVED
CVE-2022-31615
RESERVED
-CVE-2022-31614
- RESERVED
+ - nvidia-graphics-drivers 470.141.03-1 (bug #1016614)
+ [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1016615)
+ [buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
+ [bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1016619)
+ [bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
+ NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
+ - nvidia-graphics-drivers-tesla-470 470.141.03-1 (bug #1016620)
+ [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-510 510.85.02-1 (bug #1016621)
+CVE-2022-31614 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...)
+ NOT-FOR-US: NVIDIA
CVE-2022-31613
RESERVED
CVE-2022-31612
@@ -13822,12 +17374,48 @@ CVE-2022-31611
RESERVED
CVE-2022-31610
RESERVED
-CVE-2022-31609
- RESERVED
+CVE-2022-31609 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...)
+ NOT-FOR-US: NVIDIA
CVE-2022-31608
RESERVED
+ - nvidia-graphics-drivers 470.141.03-1 (bug #1016614)
+ [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1016615)
+ [buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
+ [bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1016619)
+ [bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
+ NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
+ - nvidia-graphics-drivers-tesla-470 470.141.03-1 (bug #1016620)
+ [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-510 510.85.02-1 (bug #1016621)
CVE-2022-31607
RESERVED
+ - nvidia-graphics-drivers 470.141.03-1 (bug #1016614)
+ [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1016615)
+ [buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
+ [bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1016619)
+ [bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
+ NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
+ - nvidia-graphics-drivers-tesla-470 470.141.03-1 (bug #1016620)
+ [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ - nvidia-graphics-drivers-tesla-510 510.85.02-1 (bug #1016621)
CVE-2022-31606
RESERVED
CVE-2022-31605 (NVFLARE, versions prior to 2.1.2, contains a vulnerability in its util ...)
@@ -13972,7 +17560,7 @@ CVE-2022-1852 (A NULL pointer dereference flaw was found in the Linux kernel&#82
NOTE: https://git.kernel.org/linus/fee060cd52d69c114b62d1a2948ea9648b5131f9
CVE-2022-1851 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...)
{DLA-3053-1}
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/f8af901a-9a46-440d-942a-8f815b59394d
@@ -14560,8 +18148,8 @@ CVE-2022-31323
RESERVED
CVE-2022-31322
RESERVED
-CVE-2022-31321
- RESERVED
+CVE-2022-31321 (The foldername parameter in Bolt 5.1.7 was discovered to have incorrec ...)
+ NOT-FOR-US: Bolt CMS
CVE-2022-31320
RESERVED
CVE-2022-31319
@@ -14648,8 +18236,8 @@ CVE-2022-31281
RESERVED
CVE-2022-31280
RESERVED
-CVE-2022-31279 (Laravel 9.1.8, when processing attacker-controlled data for deserializ ...)
- NOT-FOR-US: Laravel
+CVE-2022-31279
+ REJECTED
CVE-2022-31278
RESERVED
CVE-2022-31277 (Xiaomi Lamp 1 v2.0.4_0066 was discovered to be vulnerable to replay at ...)
@@ -14878,8 +18466,8 @@ CVE-2022-1801 (The Very Simple Contact Form WordPress plugin before 11.6 exposes
NOT-FOR-US: WordPress plugin
CVE-2022-1800 (The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1799
- RESERVED
+CVE-2022-1799 (Incorrect signature trust exists within Google Play services SDK play- ...)
+ NOT-FOR-US: Google Play
CVE-2022-1798
RESERVED
CVE-2022-31215 (In certain Goverlan products, the Windows Firewall is temporarily turn ...)
@@ -14932,58 +18520,61 @@ CVE-2022-31199
RESERVED
CVE-2022-1797 (A malformed Class 3 common industrial protocol message with a cached c ...)
NOT-FOR-US: Rockwell Automation
-CVE-2022-31198
- RESERVED
-CVE-2022-31197
- RESERVED
+CVE-2022-31198 (OpenZeppelin Contracts is a library for secure smart contract developm ...)
+ NOT-FOR-US: OpenZeppelin
+CVE-2022-31197 (PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to conn ...)
+ - libpgjava 42.4.1-1 (bug #1016662)
+ NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2
+ NOTE: https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637 (REL42.4.1-rc1)
CVE-2022-31196
RESERVED
-CVE-2022-31195
- RESERVED
-CVE-2022-31194
- RESERVED
-CVE-2022-31193
- RESERVED
-CVE-2022-31192
- RESERVED
-CVE-2022-31191
- RESERVED
-CVE-2022-31190
- RESERVED
-CVE-2022-31189
- RESERVED
-CVE-2022-31188
- RESERVED
+CVE-2022-31195 (DSpace open source software is a repository application which provides ...)
+ NOT-FOR-US: DSpace
+CVE-2022-31194 (DSpace open source software is a repository application which provides ...)
+ NOT-FOR-US: DSpace
+CVE-2022-31193 (DSpace open source software is a repository application which provides ...)
+ NOT-FOR-US: DSpace
+CVE-2022-31192 (DSpace open source software is a repository application which provides ...)
+ NOT-FOR-US: DSpace
+CVE-2022-31191 (DSpace open source software is a repository application which provides ...)
+ NOT-FOR-US: DSpace
+CVE-2022-31190 (DSpace open source software is a repository application which provides ...)
+ NOT-FOR-US: DSpace
+CVE-2022-31189 (DSpace open source software is a repository application which provides ...)
+ NOT-FOR-US: DSpace
+CVE-2022-31188 (CVAT is an opensource interactive video and image annotation tool for ...)
+ NOT-FOR-US: cvat-ai/cvat
CVE-2022-31187
RESERVED
-CVE-2022-31186
- RESERVED
-CVE-2022-31185
- RESERVED
-CVE-2022-31184
- RESERVED
-CVE-2022-31183
- RESERVED
-CVE-2022-31182
- RESERVED
-CVE-2022-31181
- RESERVED
-CVE-2022-31180
- RESERVED
-CVE-2022-31179
- RESERVED
-CVE-2022-31178
- RESERVED
-CVE-2022-31177
- RESERVED
+CVE-2022-31186 (NextAuth.js is a complete open source authentication solution for Next ...)
+ NOT-FOR-US: NextAuth.js
+CVE-2022-31185 (mprweb is a hosting platform for the makedeb Package Repository. Email ...)
+ NOT-FOR-US: makedeb/mprweb
+CVE-2022-31184 (Discourse is the an open source discussion platform. In affected versi ...)
+ NOT-FOR-US: Discourse
+CVE-2022-31183 (fs2 is a compositional, streaming I/O library for Scala. When establis ...)
+ NOT-FOR-US: typelevel/fs2
+CVE-2022-31182 (Discourse is the an open source discussion platform. In affected versi ...)
+ NOT-FOR-US: Discourse
+CVE-2022-31181 (PrestaShop is an Open Source e-commerce platform. In versions from 1.6 ...)
+ NOT-FOR-US: PrestaShop
+CVE-2022-31180 (Shescape is a simple shell escape package for JavaScript. Affected ver ...)
+ NOT-FOR-US: Node shescape
+CVE-2022-31179 (Shescape is a simple shell escape package for JavaScript. Versions pri ...)
+ NOT-FOR-US: Node shescape
+CVE-2022-31178 (eLabFTW is an electronic lab notebook manager for research teams. A vu ...)
+ NOT-FOR-US: eLabFTW
+CVE-2022-31177 (Flask-AppBuilder is an application development framework built on top ...)
+ - flask-appbuilder <not-affected> (Fixed with initial upload to Debian)
+ NOTE: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-vgfc
CVE-2022-31176
RESERVED
-CVE-2022-31175
- RESERVED
+CVE-2022-31175 (CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vu ...)
+ NOT-FOR-US: ckeditor5-{markdown-gfm,html-support,html-embed} CKEditor 5 packages
CVE-2022-31174
RESERVED
-CVE-2022-31173
- RESERVED
+CVE-2022-31173 (Juniper is a GraphQL server library for Rust. Affected versions of Jun ...)
+ NOT-FOR-US: graphql-rust/juniper
CVE-2022-31172 (OpenZeppelin Contracts is a library for smart contract development. Ve ...)
NOT-FOR-US: OpenZeppelin Contracts
CVE-2022-31171
@@ -15005,15 +18596,18 @@ CVE-2022-31164 (Tovy is a a staff management system for Roblox groups. A vulnera
CVE-2022-31163 (TZInfo is a Ruby library that provides access to time zone data and al ...)
- ruby-tzinfo 2.0.4-2
NOTE: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
- NOTE: https://github.com/tzinfo/tzinfo/commit/b98c32efd61289fe6f00a50ab8061e95962ea983
+ NOTE: https://github.com/tzinfo/tzinfo/commit/9eddbb5c0e682736f61d0dd803b6031a5db9eadf (v0.3.61)
+ NOTE: https://github.com/tzinfo/tzinfo/commit/9905ca93abf7bf3e387bd592406e403cd18334c7 (v1.2.10)
CVE-2022-31162 (Slack Morphism is an async client library for Rust. Prior to 0.41.0, i ...)
NOT-FOR-US: Slack Morphism
CVE-2022-31161 (Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived ...)
NOT-FOR-US: Roxy-WI
CVE-2022-31160 (jQuery UI is a curated set of user interface interactions, effects, wi ...)
- jqueryui 1.13.2+dfsg-1 (bug #1015982)
+ [bullseye] - jqueryui <no-dsa> (Minor issue)
+ [buster] - jqueryui <no-dsa> (Minor issue)
NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
- NOTE: https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9
+ NOTE: https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9 (1.13.2)
CVE-2022-31159 (The AWS SDK for Java enables Java developers to work with Amazon Web S ...)
NOT-FOR-US: AWS SDK for Java
CVE-2022-31158 (LTI 1.3 Tool Library is a library used for building IMS-certified LTI ...)
@@ -15023,10 +18617,10 @@ CVE-2022-31157 (LTI 1.3 Tool Library is a library used for building IMS-certifie
CVE-2022-31156 (Gradle is a build tool. Dependency verification is a security feature ...)
- gradle <not-affected> (Vulnerable node not yet uploaded; introduced in 6.2)
NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j
-CVE-2022-31155
- RESERVED
-CVE-2022-31154
- RESERVED
+CVE-2022-31155 (Sourcegraph is an opensource code search and navigation engine. In Sou ...)
+ NOT-FOR-US: Sourcegraph
+CVE-2022-31154 (Sourcegraph is an opensource code search and navigation engine. It is ...)
+ NOT-FOR-US: Sourcegraph
CVE-2022-31153 (OpenZeppelin Contracts for Cairo is a library for contract development ...)
NOT-FOR-US: OpenZeppelin Contracts
CVE-2022-31152
@@ -15043,8 +18637,8 @@ CVE-2022-31150 (undici is an HTTP/1.1 client, written from scratch for Node.js.
NOTE: https://github.com/nodejs/undici/releases/tag/v5.8.0
CVE-2022-31149
RESERVED
-CVE-2022-31148
- RESERVED
+CVE-2022-31148 (Shopware is an open source e-commerce software. In versions from 5.7.0 ...)
+ NOT-FOR-US: Shopware
CVE-2022-31147 (The jQuery Validation Plugin (jquery-validation) provides drop-in vali ...)
NOT-FOR-US: jquery-validation
CVE-2022-31146 (Wasmtime is a standalone runtime for WebAssembly. There is a bug in th ...)
@@ -15077,8 +18671,8 @@ CVE-2022-31134 (Zulip is an open-source team collaboration tool. Zulip Server ve
NOT-FOR-US: Zulip
CVE-2022-31133 (HumHub is an Open Source Enterprise Social Network. Affected versions ...)
NOT-FOR-US: HumHub
-CVE-2022-31132
- RESERVED
+CVE-2022-31132 (Nextcloud Mail is an email application for the nextcloud personal clou ...)
+ NOT-FOR-US: Nextcloud Mail
CVE-2022-31131 (Nextcloud mail is a Mail app for the Nextcloud home server product. Ve ...)
NOT-FOR-US: Nextcloud Mail app
CVE-2022-31130
@@ -15090,8 +18684,8 @@ CVE-2022-31129 (moment is a JavaScript date library for parsing, validating, man
NOTE: https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 (2.29.4)
NOTE: https://github.com/moment/moment/pull/6015#issuecomment-1152961973
NOTE: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
-CVE-2022-31128
- RESERVED
+CVE-2022-31128 (Tuleap is a Free &amp; Open Source Suite to improve management of soft ...)
+ NOT-FOR-US: Tuleap
CVE-2022-31127 (NextAuth.js is a complete open source authentication solution for Next ...)
NOT-FOR-US: NextAuth.js
CVE-2022-31126 (Roxy-wi is an open source web interface for managing Haproxy, Nginx, A ...)
@@ -15106,12 +18700,12 @@ CVE-2022-31122
RESERVED
CVE-2022-31121 (Hyperledger Fabric is a permissioned distributed ledger framework. In ...)
NOT-FOR-US: Hyperledger Fabric
-CVE-2022-31120
- RESERVED
-CVE-2022-31119
- RESERVED
-CVE-2022-31118
- RESERVED
+CVE-2022-31120 (Nextcloud server is an open source personal cloud solution. The audit ...)
+ - nextcloud-server <itp> (bug #941708)
+CVE-2022-31119 (Nextcloud Mail is an email application for the nextcloud personal clou ...)
+ NOT-FOR-US: Nextcloud Mail
+CVE-2022-31118 (Nextcloud server is an open source personal cloud solution. In affecte ...)
+ - nextcloud-server <itp> (bug #941708)
CVE-2022-31117 (UltraJSON is a fast JSON encoder and decoder written in pure C with bi ...)
- ujson 5.4.0-1
[bullseye] - ujson <no-dsa> (Minor issue)
@@ -15136,8 +18730,8 @@ CVE-2022-31111 (Frontier is Substrate's Ethereum compatibility layer. In affecte
NOT-FOR-US: Frontier
CVE-2022-31110 (RSSHub is an open source, extensible RSS feed generator. In commits pr ...)
NOT-FOR-US: RSSHub
-CVE-2022-31109
- RESERVED
+CVE-2022-31109 (laminas-diactoros is a PHP package containing implementations of the P ...)
+ NOT-FOR-US: laminas-diactoros
CVE-2022-31108 (Mermaid is a JavaScript based diagramming and charting tool that uses ...)
- node-mermaid <unfixed> (bug #1014540)
[bullseye] - node-mermaid <no-dsa> (Minor issue)
@@ -15222,7 +18816,7 @@ CVE-2022-31082 (GLPI is a Free Asset and IT Management Software package, Data ce
- glpi <removed> (unimportant)
NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-31081 (HTTP::Daemon is a simple http server class written in perl. Versions p ...)
- - libhttp-daemon-perl <unfixed> (bug #1014808)
+ - libhttp-daemon-perl 6.14-1.1 (bug #1014808)
[bullseye] - libhttp-daemon-perl <no-dsa> (Minor issue)
[buster] - libhttp-daemon-perl <no-dsa> (Minor issue)
NOTE: https://github.com/libwww-perl/HTTP-Daemon/security/advisories/GHSA-cg8c-pxmv-w7cf
@@ -15349,10 +18943,11 @@ CVE-2022-31033 (The Mechanize library is used for automating interaction with we
CVE-2022-31032 (Tuleap is a Free &amp; Open Source Suite to improve management of soft ...)
NOT-FOR-US: Tuleap
CVE-2022-31031 (PJSIP is a free and open source multimedia communication library writt ...)
+ - asterisk <unfixed> (bug #1017004)
- pjproject <removed>
+ - ring <unfixed> (bug #1017005)
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj
NOTE: https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202
- TODO: check impact for src:asterisk and src:ring and update entry
CVE-2022-31030 (containerd is an open source container runtime. A bug was found in the ...)
{DSA-5162-1}
- containerd 1.6.6~ds1-1
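Review bot: The two added entries `- asterisk <unfixed> (bug #1017004)` and `- ring <unfixed> (bug #1017005)` do not record why those packages fall under a PJSIP advisory, and with the `TODO: check impact for src:asterisk and src:ring` line removed the entry no longer says anything about that relationship. Presumably both ship an embedded copy of pjproject, but that is inferred, not stated, and the tracker's `<removed>` marking on pjproject itself gives no hint that other packages carry the code. A one-line note next to the advisory link, e.g. `NOTE: asterisk and ring embed a copy of pjproject`, would keep the entry self-explanatory for whoever later sets the bullseye/buster status, which the new entries currently leave unannotated.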
@@ -15419,17 +19014,17 @@ CVE-2022-31005 (Vapor is an HTTP web framework for Swift. Users of Vapor prior t
CVE-2022-31004 (CVEProject/cve-services is an open source project used to operate the ...)
NOT-FOR-US: CVEProject/cve-services
CVE-2022-31003 (Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Age ...)
- - sofia-sip <unfixed>
+ - sofia-sip 1.12.11+20110422.1+1e14eea~dfsg-3 (bug #1016974)
[stretch] - sofia-sip <postponed> (Minor issue)
NOTE: https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8w5j-6g2j-pxcp
NOTE: https://github.com/freeswitch/sofia-sip/commit/907f2ac0ee504c93ebfefd676b4632a3575908c9 (v1.13.8)
CVE-2022-31002 (Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Age ...)
- - sofia-sip <unfixed>
+ - sofia-sip 1.12.11+20110422.1+1e14eea~dfsg-3 (bug #1016974)
[stretch] - sofia-sip <postponed> (Minor issue)
NOTE: https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-g3x6-p824-x6hm
NOTE: https://github.com/freeswitch/sofia-sip/commit/51841eb53679434a386fb2dcbca925dcc48d58ba (v1.13.8)
CVE-2022-31001 (Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Age ...)
- - sofia-sip <unfixed>
+ - sofia-sip 1.12.11+20110422.1+1e14eea~dfsg-3 (bug #1016974)
[stretch] - sofia-sip <postponed> (Minor issue)
NOTE: https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-79jq-hh82-cv9g
NOTE: https://github.com/freeswitch/sofia-sip/commit/a99804b336d0e16d26ab7119d56184d2d7110a36 (v1.13.8)
@@ -15480,12 +19075,13 @@ CVE-2022-30977
CVE-2022-29496 (A stack-based buffer overflow vulnerability exists in the BlynkConsole ...)
NOT-FOR-US: BlynkConsole
CVE-2022-1796 (Use After Free in GitHub repository vim/vim prior to 8.2.4979. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/f6739b58-49f9-4056-a843-bf76bbc1253e
NOTE: https://github.com/vim/vim/commit/28d032cc688ccfda18c5bbcab8b50aba6e18cde5 (v8.2.4979)
NOTE: Crash in CLI tool, no security impact
CVE-2022-1795 (Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. ...)
- - gpac <unfixed>
+ - gpac <unfixed> (bug #1016443)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/9c312763-41a6-4fc7-827b-269eb86efcbc
NOTE: https://github.com/gpac/gpac/commit/c535bad50d5812d27ee5b22b54371bddec411514
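Review bot: The CVE-2022-1795 entry gains a buster EOL line but still has no bullseye line, so this use-after-free stays listed as unfixed in bullseye with no decision recorded, unlike other gpac entries in this same commit (CVE-2022-29537, CVE-2022-29340) which carry an explicit `[bullseye] - gpac <no-dsa>` / `<ignored>` status. If bullseye's gpac is affected and the usual assessment applies, add `[bullseye] - gpac <no-dsa> (Minor issue)`; if it is not affected, a `<not-affected>` line with the reason is more useful than silence. The same gap appears in the CVE-2022-30976 and CVE-2022-1441 entries touched by this commit.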
@@ -15517,7 +19113,7 @@ CVE-2022-1786 (A use-after-free flaw was found in the Linux kernel&#8217;s io_ur
NOTE: https://www.openwall.com/lists/oss-security/2022/05/24/4
NOTE: https://www.openwall.com/lists/oss-security/2022/05/28/1
CVE-2022-1785 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977. ...)
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
[stretch] - vim <no-dsa> (Minor issue)
@@ -15543,7 +19139,8 @@ CVE-2022-1777 (The Filr WordPress plugin before 1.2.2.1 does not have authorisat
CVE-2022-1776 (The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress p ...)
NOT-FOR-US: WordPress plugin
CVE-2022-30976 (GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcsl ...)
- - gpac <unfixed>
+ - gpac <unfixed> (bug #1016443)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2179
NOTE: https://github.com/gpac/gpac/commit/915e2cba715f36b7cc29e28888117831ca143d78
@@ -15568,7 +19165,7 @@ CVE-2022-1773 (The WP Athletics WordPress plugin through 1.1.7 does not sanitise
CVE-2022-1772 (The Google Places Reviews WordPress plugin before 2.0.0 does not prope ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1771 (Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/faa74175-5317-4b71-a363-dfc39094ecbb
NOTE: https://github.com/vim/vim/commit/51f0bfb88a3554ca2dde777d78a59880d1ee37a8 (v8.2.4975)
NOTE: Crash in CLI tool, no security impact
@@ -15580,7 +19177,7 @@ CVE-2022-30973 (We failed to apply the fix for CVE-2022-30126 to the 1.x branch
CVE-2022-1770 (Improper Privilege Management in GitHub repository polonel/trudesk pri ...)
NOT-FOR-US: Trudesk
CVE-2022-1769 (Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974. ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/522076b2-96cb-4df6-a504-e6e2f64c171c
NOTE: https://github.com/vim/vim/commit/4748c4bd64610cf943a431d215bb1aad51f8d0b4 (v8.2.4974)
NOTE: Crash in CLI tool, no security impact
@@ -15606,7 +19203,7 @@ CVE-2022-1759 (The RB Internal Links WordPress plugin through 2.0.16 does not ha
NOT-FOR-US: WordPress plugin
CVE-2022-1758 (The Genki Pre-Publish Reminder WordPress plugin through 1.4.1 does not ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1757 (The Pagebar WordPress plugin through 2.65 does not have CSRF check in ...)
+CVE-2022-1757 (The pagebar WordPress plugin before 2.70 does not have CSRF check in p ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1756 (The Newsletter WordPress plugin before 7.4.5 does not sanitize and esc ...)
NOT-FOR-US: WordPress plugin
@@ -15836,7 +19433,7 @@ CVE-2022-1736
NOTE: Not treated as a security issue in Debian, whether to start the daemon or not is ultimately
NOTE: up to the local admin
CVE-2022-1735 (Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969 ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/c9f85608-ff11-48e4-933d-53d1759d44d9
NOTE: https://github.com/vim/vim/commit/7ce5b2b590256ce53d6af28c1d203fb3bc1d2d97 (v8.2.4969)
NOTE: Crash in CLI tool, no security impact
@@ -15847,7 +19444,7 @@ CVE-2022-1734 (A flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in d
NOTE: https://git.kernel.org/linus/d270453a0d9ec10bb8a802a142fb1b3601a83098 (5.18-rc6)
NOTE: Support for Marvell NFC devices (CONFIG_NFC_MRVL) not enabled
CVE-2022-1733 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4 ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/6ff03b27-472b-4bef-a2bf-410fae65ff0a
NOTE: https://github.com/vim/vim/commit/60ae0e71490c97f2871a6344aca61cacf220f813 (v8.2.4968)
NOTE: Crash in CLI tool, no security impact
@@ -15874,7 +19471,7 @@ CVE-2022-1726 (Bootstrap Tables XSS vulnerability with Table Export plug-in when
NOTE: https://github.com/wenzhixin/bootstrap-table/commit/66ef886d5d325777c8727274c9e018f9c17bc0b9 (1.20.2)
NOTE: NOTE: Only supported for trusted users/behind auth, see README.debian.security
CVE-2022-1725 (NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.495 ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/4363cf07-233e-4d0a-a1d5-c731a400525c
NOTE: https://github.com/vim/vim/commit/b62dc5e7825bc195efe3041d5b3a9f1528359e1c (v8.2.4959)
NOTE: Negligible security impact; crash in CLI tool
@@ -15888,7 +19485,7 @@ CVE-2022-1721 (Path Traversal in WellKnownServlet in GitHub repository jgraph/dr
NOT-FOR-US: jgraph/drawio
CVE-2022-1720 (Buffer Over-read in function grab_file_name in GitHub repository vim/v ...)
{DLA-3053-1}
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/5ccfb386-7eb9-46e5-98e5-243ea4b358a8
@@ -16187,12 +19784,12 @@ CVE-2022-30793
RESERVED
CVE-2022-30790 (Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2 ...)
[experimental] - u-boot 2022.07~rc4+dfsg-1
- - u-boot <unfixed> (bug #1014470)
+ - u-boot 2022.07+dfsg-1 (bug #1014470)
[bullseye] - u-boot <no-dsa> (Minor issue)
[buster] - u-boot <no-dsa> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
NOTE: https://research.nccgroup.com/2022/06/03/technical-advisory-multiple-vulnerabilities-in-u-boot-cve-2022-30790-cve-2022-30552/
- NOTE: Fixed by: https://source.denx.de/u-boot/u-boot/-/commit/b85d130ea0cac152c21ec38ac9417b31d41b5552 (v2022.07-rc4~4)
+ NOTE: Fixed by: https://source.denx.de/u-boot/u-boot/-/commit/b85d130ea0cac152c21ec38ac9417b31d41b5552 (v2022.07-rc4)
CVE-2022-30789 (A crafted NTFS image can cause a heap-based buffer overflow in ntfs_ch ...)
{DSA-5160-1 DLA-3055-1}
- ntfs-3g 1:2022.5.17-1 (bug #1011770)
@@ -16265,10 +19862,10 @@ CVE-2022-30780 (Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause
NOTE: https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service
NOTE: https://redmine.lighttpd.net/issues/3059
NOTE: Fixed by: https://github.com/lighttpd/lighttpd1.4/commit/b03b86f47b0d5a553137f081fadc482b4af1372d (lighttpd-1.4.59)
-CVE-2022-30779 (Laravel 9.1.8, when processing attacker-controlled data for deserializ ...)
- NOT-FOR-US: Disputed Laravel issue
-CVE-2022-30778 (Laravel 9.1.8, when processing attacker-controlled data for deserializ ...)
- NOT-FOR-US: Disputed Laravel issue
+CVE-2022-30779
+ REJECTED
+CVE-2022-30778
+ REJECTED
CVE-2022-30777 (Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php from param ...)
NOT-FOR-US: Parallels H-Sphere
CVE-2022-30776 (atmail 6.5.0 allows XSS via the index.php/admin/index/ error parameter ...)
@@ -16291,7 +19888,7 @@ CVE-2022-30768
RESERVED
CVE-2022-30767 (nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and throu ...)
[experimental] - u-boot 2022.07~rc4+dfsg-1
- - u-boot <unfixed> (bug #1014471)
+ - u-boot 2022.07+dfsg-1 (bug #1014471)
[bullseye] - u-boot <ignored> (Minor issue)
[buster] - u-boot <not-affected> (Incorrect fix for CVE-2019-14196 not applied)
[stretch] - u-boot <not-affected> (Incorrect fix for CVE-2019-14196 not applied)
@@ -16330,10 +19927,16 @@ CVE-2022-30701 (An uncontrolled search path element vulnerability in Trend Micro
NOT-FOR-US: Trend Micro
CVE-2022-30700 (An incorrect permission assignment vulnerability in Trend Micro Apex O ...)
NOT-FOR-US: Trend Micro
-CVE-2022-30699
- RESERVED
-CVE-2022-30698
- RESERVED
+CVE-2022-30699 (NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable ...)
+ - unbound 1.16.2-1 (bug #1016493)
+ [bullseye] - unbound <no-dsa> (Minor issue)
+ NOTE: https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt
+ NOTE: https://github.com/NLnetLabs/unbound/commit/f6753a0f1018133df552347a199e0362fc1dac68 (release-1.16.2)
+CVE-2022-30698 (NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable t ...)
+ - unbound 1.16.2-1 (bug #1016493)
+ [bullseye] - unbound <no-dsa> (Minor issue)
+ NOTE: https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt
+ NOTE: https://github.com/NLnetLabs/unbound/commit/f6753a0f1018133df552347a199e0362fc1dac68 (release-1.16.2)
CVE-2022-30697 (Local privilege escalation due to insecure folder permissions. The fol ...)
NOT-FOR-US: Acronis
CVE-2022-30696 (Local privilege escalation due to a DLL hijacking vulnerability. The f ...)
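Review bot: Both unbound entries (CVE-2022-30698 and CVE-2022-30699) mark bullseye `<no-dsa> (Minor issue)` but say nothing about buster, which is still covered by LTS at this point, so the buster resolver is left without a triage decision. If the same assessment holds there, add `[buster] - unbound <no-dsa> (Minor issue)` to both entries; otherwise the package should go into dla-needed. The `(Minor issue)` rationale is also bare; a short reason, in the style the rsync entry in this commit uses (`(Minor issue; ...)`), would let a later reader judge whether the decision still stands, especially since both CVEs are fixed by the single upstream commit cited and could be handled together.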
@@ -16499,11 +20102,10 @@ CVE-2022-30637
RESERVED
CVE-2022-30636
RESERVED
-CVE-2022-30635
- RESERVED
+CVE-2022-30635 (Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.1 ...)
- golang-1.19 1.19~rc2-1
- golang-1.18 1.18.4-1
- - golang-1.17 <unfixed>
+ - golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
NOTE: https://go.dev/issue/53615
@@ -16521,52 +20123,47 @@ CVE-2022-30634 (Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.
NOTE: https://go.dev/issue/52561
NOTE: https://github.com/golang/go/commit/32dedaa69e22f1a058ae90b9484fd4c3b46fbcbf (go1.18.3)
NOTE: https://github.com/golang/go/commit/2be03d789de905a4b050ff5f3a51b724e1b09494 (go1.17.11)
-CVE-2022-30633
- RESERVED
+CVE-2022-30633 (Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 ...)
- golang-1.19 1.19~rc2-1
- golang-1.18 1.18.4-1
- - golang-1.17 <unfixed>
+ - golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
NOTE: https://go.dev/issue/53611
NOTE: https://github.com/golang/go/commit/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08 (go1.19rc2)
NOTE: https://github.com/golang/go/commit/2924ced71d16297320e8ff18829c2038e6ad8d9b (go1.18.4)
NOTE: https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827 (go1.17.12)
-CVE-2022-30632
- RESERVED
+CVE-2022-30632 (Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and ...)
- golang-1.19 1.19~rc2-1
- golang-1.18 1.18.4-1
- - golang-1.17 <unfixed>
+ - golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
NOTE: https://go.dev/issue/53416
NOTE: https://github.com/golang/go/commit/ac68c6c683409f98250d34ad282b9e1b0c9095ef (go1.19rc2)
NOTE: https://github.com/golang/go/commit/5ebd862b1714dad1544bd10a24c47cdb53ad7f46 (go1.18.4)
NOTE: https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df (go1.17.12)
-CVE-2022-30631
- RESERVED
+CVE-2022-30631 (Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17. ...)
- golang-1.19 1.19~rc2-1
- golang-1.18 1.18.4-1
- - golang-1.17 <unfixed>
+ - golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
NOTE: https://go.dev/issue/53168
NOTE: https://github.com/golang/go/commit/b2b8872c876201eac2d0707276c6999ff3eb185e (go1.19rc2)
NOTE: https://github.com/golang/go/commit/8e27a8ac4c001c27713810b75925aa3794049c48 (go1.18.4)
NOTE: https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3 (go1.17.12)
-CVE-2022-30630
- RESERVED
+CVE-2022-30630 (Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18. ...)
- golang-1.19 1.19~rc2-1
- golang-1.18 1.18.4-1
- - golang-1.17 <unfixed>
+ - golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
NOTE: https://go.dev/issue/53415
NOTE: https://github.com/golang/go/commit/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59 (go1.19rc2)
NOTE: https://github.com/golang/go/commit/315e80d293b684ac2902819e58f618f1b5a14d49 (go1.18.4)
NOTE: https://github.com/golang/go/commit/8c1d8c836270615cfb5b229932269048ef59ac07 (go1.17.12)
-CVE-2022-30629
- RESERVED
+CVE-2022-30629 (Non-random values for ticket_age_add in session tickets in crypto/tls ...)
- golang-1.18 1.18.3-1
- golang-1.17 1.17.11-1
- golang-1.15 <removed>
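Review bot: The four Go entries in this hunk (CVE-2022-30633, CVE-2022-30632, CVE-2022-30631, CVE-2022-30630) now record fixes for golang-1.19/1.18/1.17 but carry no bullseye or buster line; the `<removed>` markers on golang-1.15 and golang-1.11 describe unstable only and say nothing about the copies of those source packages that the stable releases still ship, if that is still the case. Because the descriptions read `before Go 1.17.12`, those older branches presumably are affected, so each entry needs an explicit decision such as `[bullseye] - golang-1.15 <no-dsa> (Minor issue)` and `[buster] - golang-1.11 <no-dsa> (Minor issue)`, or a `<not-affected>` line with the reason. For these uncontrolled-recursion issues a no-dsa decision is probably right, but it should be recorded rather than implied by the removal marker.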
@@ -16611,19 +20208,18 @@ CVE-2022-28704 (Improper access control vulnerability in Rakuten Casa version AP
NOT-FOR-US: Rakuten Casa
CVE-2022-26834 (Improper access control vulnerability in Rakuten Casa version AP_F_V1_ ...)
NOT-FOR-US: Rakuten Casa
-CVE-2022-1705
- RESERVED
+CVE-2022-1705 (Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 cli ...)
- golang-1.19 1.19~rc1-1
- golang-1.18 1.18.4-1
- - golang-1.17 <unfixed>
+ - golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
NOTE: https://go.dev/issue/53188
NOTE: https://github.com/golang/go/commit/e5017a93fcde94f09836200bca55324af037ee5f (go1.19rc1)
NOTE: https://github.com/golang/go/commit/222ee24a0046ae61679f4d97967e3b4058a3b90e (go1.18.4)
NOTE: https://github.com/golang/go/commit/d13431c37ab62f9755f705731536ff74e7165b08 (go1.17.12)
-CVE-2022-1704
- RESERVED
+CVE-2022-1704 (Due to an XML external entity reference, the software parses XML in th ...)
+ NOT-FOR-US: Ignition
CVE-2022-1703 (Improper neutralization of special elements in the SonicWall SSL-VPN S ...)
NOT-FOR-US: SonicWall
CVE-2022-1702 (SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier ver ...)
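Review bot: CVE-2022-1705 concerns acceptance of invalid Transfer-Encoding headers in net/http's HTTP/1 client, which is the request-smuggling class of bug, yet the entry records only the unstable/experimental fixes and no decision for bullseye or buster; the `<removed>` lines for golang-1.15 and golang-1.11 describe unstable alone. Each release that still ships one of those sources needs a status line, e.g. `[bullseye] - golang-1.15 <no-dsa> (Minor issue)` if that is the assessment, or a dsa-needed/dla-needed entry if it is not. Since Go binaries are normally statically linked, any eventual stable fix also implies rebuilding affected reverse dependencies, which is worth noting in the rationale when the decision is taken.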
@@ -16632,8 +20228,8 @@ CVE-2022-1701 (SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlie
NOT-FOR-US: SonicWall
CVE-2022-1700
RESERVED
-CVE-2022-30616
- RESERVED
+CVE-2022-30616 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow ...)
+ NOT-FOR-US: IBM
CVE-2022-30615
RESERVED
CVE-2022-30614
@@ -16765,8 +20361,7 @@ CVE-2022-30582
RESERVED
CVE-2022-30581
RESERVED
-CVE-2022-30580
- RESERVED
+CVE-2022-30580 (Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 ...)
- golang-1.18 <not-affected> (Only affects Go on Windows)
- golang-1.17 <not-affected> (Only affects Go on Windows)
- golang-1.15 <not-affected> (Only affects Go on Windows)
@@ -16784,14 +20379,14 @@ CVE-2022-30576
RESERVED
CVE-2022-30575
RESERVED
-CVE-2022-30574
- RESERVED
-CVE-2022-30573
- RESERVED
-CVE-2022-30572
- RESERVED
-CVE-2022-30571
- RESERVED
+CVE-2022-30574 (The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community ...)
+ NOT-FOR-US: TIBCO
+CVE-2022-30573 (The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community ...)
+ NOT-FOR-US: TIBCO
+CVE-2022-30572 (The iWay Service Manager Console component of TIBCO Software Inc.'s TI ...)
+ NOT-FOR-US: TIBCO
+CVE-2022-30571 (The iWay Service Manager Console component of TIBCO Software Inc.'s TI ...)
+ NOT-FOR-US: TIBCO
CVE-2022-30570 (The Column Based Security component of TIBCO Software Inc.'s TIBCO Dat ...)
NOT-FOR-US: TIBCO
CVE-2022-30569
@@ -16856,7 +20451,7 @@ CVE-2022-30553
RESERVED
CVE-2022-30552 (Das U-Boot 2022.01 has a Buffer Overflow. ...)
[experimental] - u-boot 2022.07~rc4+dfsg-1
- - u-boot <unfixed> (bug #1014470)
+ - u-boot 2022.07+dfsg-1 (bug #1014470)
[bullseye] - u-boot <no-dsa> (Minor issue)
[buster] - u-boot <no-dsa> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
@@ -16865,7 +20460,9 @@ CVE-2022-30552 (Das U-Boot 2022.01 has a Buffer Overflow. ...)
CVE-2022-30551 (OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause ...)
NOT-FOR-US: OPC UA Legacy Java Stack
CVE-2022-30550 (An issue was discovered in the auth component in Dovecot 2.2 and 2.3 b ...)
- - dovecot <unfixed>
+ - dovecot 1:2.3.19.1+dfsg1-2 (bug #1016351)
+ [bullseye] - dovecot <no-dsa> (Minor issue)
+ [buster] - dovecot <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/07/06/9
NOTE: https://github.com/dovecot/core/commit/7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904
NOTE: https://github.com/dovecot/core/commit/a1022072e2ce36f853873d910287f466165b184b
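Review bot: The two no-dsa lines added for CVE-2022-30550 justify the decision with a bare `(Minor issue)`, which tells a later reader nothing about why a flaw in the auth component of a network-facing mail daemon was judged not to need a DSA; compare the rsync entry in this commit, whose rationale names the precondition (`(Minor issue; for untrusted remote sending hosts additional protective measures can be taken)`). Record the concrete precondition from the upstream advisory linked in the oss-security NOTE in both lines, e.g. `[bullseye] - dovecot <no-dsa> (Minor issue; requires a specific passdb configuration, see upstream advisory)` if that is what the advisory states. The two upstream commit NOTEs also lack the release tag used elsewhere in the file (`(vX.Y.Z)`), so the entry does not say which Dovecot release first contains the fix.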
@@ -16877,7 +20474,7 @@ CVE-2022-1676
CVE-2022-1675
RESERVED
CVE-2022-1674 (NULL Pointer Dereference in function vim_regexec_string at regexp.c:27 ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/a74ba4a4-7a39-4a22-bde3-d2f8ee07b385
NOTE: https://github.com/vim/vim/commit/a59f2dfd0cf9ee1a584d3de5b7c2d47648e79060 (v8.2.4938)
NOTE: Negligible security impact; crash in CLI tool
@@ -16928,8 +20525,13 @@ CVE-2022-26844
RESERVED
CVE-2022-26374
RESERVED
-CVE-2022-26373
+CVE-2022-26373 [Post-Barrier Return Stack Buffer Predictions (PBRSB)]
RESERVED
+ {DSA-5207-1}
+ - linux 5.18.16-1
+ NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00706.html
+ NOTE: https://git.kernel.org/linus/2b1299322016731d56807aa49254a5ea3080b6b3
+ NOTE: https://git.kernel.org/linus/ba6e31af2be96c4d0536f2152ed6f7b6c11bca47
CVE-2022-26344
RESERVED
CVE-2022-25976
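Review bot: The two git.kernel.org NOTE links added for CVE-2022-26373 carry no release tag, whereas neighbouring kernel entries such as CVE-2022-1734 record the mainline release the commit landed in (`(5.18-rc6)`); without it a reader cannot tell from the entry whether the 5.18.16-1 upload carries a stable backport or a mainline merge. Append the mainline tag to both NOTE lines in the `(vX.Y-rcN)` form used elsewhere in the file. Buster has no line here either; if the LTS kernel is being handled through dla-needed that is fine, but otherwise a `[buster] - linux ...` status is missing.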
@@ -17089,7 +20691,7 @@ CVE-2022-1631 (Users Account Pre-Takeover or Users Account Takeover. in GitHub r
CVE-2022-1630 (The WP-EMail WordPress plugin before 2.69.0 does not protect its log d ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1629 (Buffer Over-read in function find_next_quote in GitHub repository vim/ ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/e26d08d4-1886-41f0-9af4-f3e1bf3d52ee
NOTE: https://github.com/vim/vim/commit/53a70289c2712808e6d4e88927e03cac01b470dd (v8.2.4925)
NOTE: Crash in CLI tool, no security impact
@@ -17487,7 +21089,7 @@ CVE-2022-1622 (LibTIFF master branch has an out-of-bounds read in LZWDecode in l
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/410
CVE-2022-1621 (Heap buffer overflow in vim_strncpy find_word in GitHub repository vim ...)
{DLA-3011-1}
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb
@@ -17500,13 +21102,13 @@ CVE-2018-25033 (ADMesh through 0.98.4 has a heap-based buffer over-read in stl_u
NOTE: https://github.com/admesh/admesh/issues/28
NOTE: https://github.com/admesh/admesh/commit/e84d8353f1347e1f26f0a95770d92ba14e6ede38
CVE-2022-1620 (NULL Pointer Dereference in function vim_regexec_string at regexp.c:27 ...)
- - vim <unfixed> (unimportant)
+ - vim 2:9.0.0135-1 (unimportant)
NOTE: https://huntr.dev/bounties/7a4c59f3-fcc0-4496-995d-5ca6acd2da51
NOTE: https://github.com/vim/vim/commit/8e4b76da1d7e987d43ca960dfbc372d1c617466f (v8.2.4901)
NOTE: Crash in CLI tool, no security impact
CVE-2022-1619 (Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub r ...)
{DLA-3011-1}
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/b3200483-624e-4c76-a070-e246f62a7450
@@ -17546,24 +21148,27 @@ CVE-2022-30325 (An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devi
NOT-FOR-US: TRENDnet
CVE-2022-30324 (HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were im ...)
- nomad <not-affected> (In Debian Nomad doesn't bundle go-getter, but build depends a shared deb)
-CVE-2022-30323 (HashiCorp go-getter through 2.0.2 does not safely perform downloads (i ...)
+CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 panicked when processing password-pro ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+ [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
-CVE-2022-30322 (HashiCorp go-getter through 2.0.2 does not safely perform downloads (i ...)
+CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustio ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+ [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
-CVE-2022-30321 (HashiCorp go-getter through 2.0.2 does not safely perform downloads (i ...)
+CVE-2022-30321 (go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go- ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+ [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
CVE-2022-1616 (Use after free in append_command in GitHub repository vim/vim prior to ...)
{DLA-3011-1}
- - vim <unfixed> (bug #1015984)
+ - vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/40f1d75f-fb2f-4281-b585-a41017f217e2
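Review bot: The three go-getter entries (CVE-2022-30321, CVE-2022-30322, CVE-2022-30323) now carry `[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)`, but unstable is still `<unfixed>` with the upstream fix tagged `(v1.6.0)` already cited, and the rationale does not say why a library whose descriptions mention arbitrary host access and resource exhaustion is minor; a reason such as the affected code paths only being reachable through consumers that pass untrusted URLs should be recorded. Since Go packages are statically linked, a stable fix would also require rebuilding the library's reverse dependencies (the nomad entry just above notes it build-depends on this package), which is worth stating in the no-dsa note so the decision is not revisited from scratch. Buster has no line at all for any of the three CVEs.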
@@ -17664,8 +21269,8 @@ CVE-2022-1602
RESERVED
CVE-2022-1601
RESERVED
-CVE-2022-1600
- RESERVED
+CVE-2022-1600 (The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visit ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-1599 (The Admin Management Xtended WordPress plugin before 2.4.5 does not ha ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1598 (The WPQA Builder WordPress plugin before 5.4 which is a companion to t ...)
@@ -17712,8 +21317,8 @@ CVE-2022-30287 (Horde Groupware Webmail Edition through 5.2.22 allows a reflecti
NOTE: Fixed by: https://github.com/horde/turba/commit/3bccab322af4ae96d5925f0ce9f9af0978af924b (v4.2.26)
CVE-2022-30286 (pyscriptjs (aka PyScript Demonstrator) in PyScript through 2022-05-04 ...)
NOT-FOR-US: pyscriptjs
-CVE-2022-30285
- RESERVED
+CVE-2022-30285 (In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash ...)
+ NOT-FOR-US: Quest KACE System Management Appliance
CVE-2022-30284 (** DISPUTED ** In the python-libnmap package through 0.7.2 for Python, ...)
NOTE: Bogus python-libnmap issue
CVE-2022-30283
@@ -17779,8 +21384,8 @@ CVE-2022-1586 (An out-of-bounds read vulnerability was discovered in the PCRE2 l
[stretch] - pcre2 <no-dsa> (Minor issue)
NOTE: https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a (pcre2-10.40)
NOTE: https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc388f89095b184ba6d99422cfc676c (pcre2-10.40)
-CVE-2022-1585
- RESERVED
+CVE-2022-1585 (The Project Source Code Download WordPress plugin through 1.0.0 does n ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-30259
RESERVED
CVE-2022-30258
@@ -17979,14 +21584,14 @@ CVE-2022-30199
RESERVED
CVE-2022-30198
RESERVED
-CVE-2022-30197
- RESERVED
+CVE-2022-30197 (Windows Kernel Information Disclosure Vulnerability. This CVE ID is un ...)
+ NOT-FOR-US: Microsoft
CVE-2022-30196
RESERVED
CVE-2022-30195
RESERVED
-CVE-2022-30194
- RESERVED
+CVE-2022-30194 (Windows WebBrowser Control Remote Code Execution Vulnerability. ...)
+ NOT-FOR-US: Microsoft
CVE-2022-30193 (AV1 Video Extension Remote Code Execution Vulnerability. This CVE ID i ...)
NOT-FOR-US: Microsoft
CVE-2022-30192 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. ...)
@@ -18021,10 +21626,10 @@ CVE-2022-30178 (Azure RTOS GUIX Studio Remote Code Execution Vulnerability. This
NOT-FOR-US: Microsoft
CVE-2022-30177 (Azure RTOS GUIX Studio Remote Code Execution Vulnerability. This CVE I ...)
NOT-FOR-US: Microsoft
-CVE-2022-30176
- RESERVED
-CVE-2022-30175
- RESERVED
+CVE-2022-30176 (Azure RTOS GUIX Studio Remote Code Execution Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-30175 (Azure RTOS GUIX Studio Remote Code Execution Vulnerability. This CVE I ...)
+ NOT-FOR-US: Microsoft
CVE-2022-30174 (Microsoft Office Remote Code Execution Vulnerability. ...)
NOT-FOR-US: Microsoft
CVE-2022-30173 (Microsoft Excel Remote Code Execution Vulnerability. ...)
@@ -18085,8 +21690,8 @@ CVE-2022-30146 (Windows Lightweight Directory Access Protocol (LDAP) Remote Code
NOT-FOR-US: Microsoft
CVE-2022-30145 (Windows Encrypting File System (EFS) Remote Code Execution Vulnerabili ...)
NOT-FOR-US: Microsoft
-CVE-2022-30144
- RESERVED
+CVE-2022-30144 (Windows Bluetooth Service Remote Code Execution Vulnerability. ...)
+ NOT-FOR-US: Microsoft
CVE-2022-30143 (Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execu ...)
NOT-FOR-US: Microsoft
CVE-2022-30142 (Windows File History Remote Code Execution Vulnerability. ...)
@@ -18105,10 +21710,10 @@ CVE-2022-30136 (Windows Network File System Remote Code Execution Vulnerability.
NOT-FOR-US: Microsoft
CVE-2022-30135 (Windows Media Center Elevation of Privilege Vulnerability. ...)
NOT-FOR-US: Microsoft
-CVE-2022-30134
- RESERVED
-CVE-2022-30133
- RESERVED
+CVE-2022-30134 (Microsoft Exchange Information Disclosure Vulnerability. This CVE ID i ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-30133 (Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerabil ...)
+ NOT-FOR-US: Microsoft
CVE-2022-30132 (Windows Container Manager Service Elevation of Privilege Vulnerability ...)
NOT-FOR-US: Microsoft
CVE-2022-30131 (Windows Container Isolation FS Filter Driver Elevation of Privilege Vu ...)
@@ -18133,8 +21738,8 @@ CVE-2022-1563
RESERVED
CVE-2022-1562 (The Enable SVG WordPress plugin before 1.4.0 does not sanitise uploade ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1561
- RESERVED
+CVE-2022-1561 (Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions ...)
+ NOT-FOR-US: Lura Project
CVE-2022-1560 (The Amministrazione Aperta WordPress plugin before 3.8 does not valida ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1559 (The Clipr WordPress plugin through 1.2.3 does not sanitise and escape ...)
@@ -18278,8 +21883,8 @@ CVE-2022-30085
RESERVED
CVE-2022-30084
RESERVED
-CVE-2022-30083
- RESERVED
+CVE-2022-30083 (EllieGrid Android Application version 3.4.1 is vulnerable to Code Inje ...)
+ NOT-FOR-US: EllieGrid Android Application
CVE-2022-30082
RESERVED
CVE-2022-30081
@@ -18311,7 +21916,7 @@ CVE-2022-30069
CVE-2022-30068
RESERVED
CVE-2022-30067 (GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Through a ...)
- - gimp <unfixed> (unimportant)
+ - gimp 2.10.32-1 (unimportant)
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/8120
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/4f99f1fcfd892ead19831b5adcd38a99d71214b6 (master)
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/8cd6d05232795ac31076013db1c6be3dc67e8e09 (gimp-2-10)
@@ -18786,12 +22391,13 @@ CVE-2022-29902
CVE-2022-1526 (A vulnerability, which was classified as problematic, was found in Eml ...)
NOT-FOR-US: Emlog Pro
CVE-2022-29901 (Intel microprocessor generations 6 to 8 are affected by a new Spectre ...)
+ {DSA-5207-1}
- linux 5.18.14-1
NOTE: https://comsec.ethz.ch/research/microarch/retbleed/
NOTE: https://comsec.ethz.ch/wp-content/files/retbleed_sec22.pdf
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html
-CVE-2022-29900 (AMD microprocessor families 15h to 18h are affected by a new Spectre v ...)
- {DSA-5184-1}
+CVE-2022-29900 (Mis-trained branch predictions for return instructions may allow arbit ...)
+ {DSA-5207-1 DSA-5184-1}
- linux 5.18.14-1
- xen <unfixed>
[buster] - xen <end-of-life> (DSA 4677-1)
@@ -19217,10 +22823,10 @@ CVE-2022-1470 (The Ultimate WooCommerce CSV Importer WordPress plugin through 2.
NOT-FOR-US: WordPress plugin
CVE-2022-1469 (The FiboSearch WordPress plugin before 1.17.0 does not sanitise and es ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-29808
- RESERVED
-CVE-2022-29807
- RESERVED
+CVE-2022-29808 (In Quest KACE Systems Management Appliance (SMA) through 12.0, predict ...)
+ NOT-FOR-US: Quest KACE System Management Appliance
+CVE-2022-29807 (A SQL injection vulnerability exists within Quest KACE Systems Managem ...)
+ NOT-FOR-US: Quest KACE System Management Appliance
CVE-2022-29806 (ZoneMinder before 1.36.13 allows remote code execution via an invalid ...)
- zoneminder 1.36.13+dfsg1-1 (unimportant)
NOTE: https://forums.zoneminder.com/viewtopic.php?t=31638
@@ -19228,8 +22834,7 @@ CVE-2022-29806 (ZoneMinder before 1.36.13 allows remote code execution via an in
NOTE: Only supported for trusted users/behind auth, see README.debian.security
CVE-2022-29805
RESERVED
-CVE-2022-29804
- RESERVED
+CVE-2022-29804 (Incorrect conversion of certain invalid paths to valid, absolute paths ...)
- golang-1.18 <not-affected> (Only affects Go on Windows)
- golang-1.17 <not-affected> (Only affects Go on Windows)
- golang-1.15 <not-affected> (Only affects Go on Windows)
@@ -19759,7 +23364,8 @@ CVE-2022-29594 (eG Agent before 7.2 has weak file permissions that enable escala
CVE-2022-29593 (relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1. ...)
NOT-FOR-US: Dingtian
CVE-2022-1441 (MP4Box is a component of GPAC-2.0.0, which is a widely-used third-part ...)
- - gpac <unfixed>
+ - gpac <unfixed> (bug #1016443)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2175
NOTE: https://github.com/gpac/gpac/commit/3dbe11b37d65c8472faf0654410068e5500b3adb
@@ -19833,6 +23439,7 @@ CVE-2022-29582 (In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after
[stretch] - linux <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2022/04/22/4
NOTE: https://git.kernel.org/linus/e677edbcabee849bfdd43f1602bccbecf736a646
+ NOTE: https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring/
CVE-2022-29578 (Meridian Cooperative Utility Software versions 22.02 and 22.03 allows ...)
NOT-FOR-US: Meridian Cooperative Utility Software
CVE-2022-29577 (OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE ...)
@@ -19950,7 +23557,7 @@ CVE-2022-29539 (resi-calltrace in RESI Gemini-Net 4.2 is affected by OS Command
CVE-2022-29538 (RESI Gemini-Net Web 4.2 is affected by Improper Access Control in auth ...)
NOT-FOR-US: RESI Gemini-Net
CVE-2022-29537 (gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has a hea ...)
- - gpac <unfixed>
+ - gpac <unfixed> (bug #1016443)
[bullseye] - gpac <no-dsa> (Minor issue)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
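Review bot: The buster line for CVE-2022-29537 still reads `[buster] - gpac <no-dsa> (Minor issue)` while this same commit marks gpac `<end-of-life> (EOL in buster LTS)` under CVE-2022-1795, CVE-2022-30976 and CVE-2022-1441, so the package's buster support status is contradictory within a single change. If gpac is no longer supported in buster LTS, change this line (and the sibling CVE-2022-29340 and CVE-2022-29339 entries, which say `<ignored>`) to `[buster] - gpac <end-of-life> (EOL in buster LTS)`; if it is still supported, the EOL lines added elsewhere are the ones that are wrong. Adding only the bug reference here leaves the inconsistency in place.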
@@ -20078,7 +23685,7 @@ CVE-2022-1393 (The WP Subtitle WordPress plugin before 3.4.1 adds a subtitle fie
NOT-FOR-US: WordPress plugin
CVE-2022-1392 (The Videos sync PDF WordPress plugin through 1.7.4 does not validate t ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1391 (The Cab fare calculator WordPress plugin through 1.0.3 does not valida ...)
+CVE-2022-1391 (The Cab fare calculator WordPress plugin before 1.0.4 does not validat ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1390 (The Admin Word Count Column WordPress plugin through 2.2 does not vali ...)
NOT-FOR-US: WordPress plugin
@@ -20487,14 +24094,14 @@ CVE-2022-29342
CVE-2022-29341
RESERVED
CVE-2022-29340 (GPAC 2.1-DEV-rev87-g053aae8-master. has a Null Pointer Dereference vul ...)
- - gpac <unfixed>
+ - gpac <unfixed> (bug #1016443)
[bullseye] - gpac <ignored> (Minor issue)
[buster] - gpac <ignored> (Minor issue)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/commit/37592ad86c6ca934d34740012213e467acc4a3b0
NOTE: https://github.com/gpac/gpac/issues/2163
CVE-2022-29339 (In GPAC 2.1-DEV-rev87-g053aae8-master, function BS_ReadByte() in utils ...)
- - gpac <unfixed>
+ - gpac <unfixed> (bug #1016443)
[bullseye] - gpac <ignored> (Minor issue)
[buster] - gpac <ignored> (Minor issue)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
@@ -20806,7 +24413,7 @@ CVE-2022-29244 (npm pack ignores root-level .gitignore and .npmignore file exclu
CVE-2022-29243 (Nextcloud Server is the file server software for Nextcloud, a self-hos ...)
- nextcloud-server <itp> (bug #941708)
CVE-2022-29242 (GOST engine is a reference implementation of the Russian GOST crypto a ...)
- - libengine-gost-openssl1.1 <unfixed> (bug #1012512)
+ - libengine-gost-openssl1.1 <removed> (bug #1012512)
[bullseye] - libengine-gost-openssl1.1 <no-dsa> (Minor issue)
[buster] - libengine-gost-openssl1.1 <no-dsa> (Minor issue)
- libengine-gost-openssl <not-affected> (Fixed with initial upload to the archive)
@@ -21058,7 +24665,7 @@ CVE-2022-1334 (The WP YouTube Live WordPress plugin before 1.8.3 does not valida
CVE-2022-1333 (Mattermost Playbooks plugin v1.24.0 and earlier fails to properly chec ...)
NOT-FOR-US: Mattermost Playbooks plugin
CVE-2015-20107 (In Python (aka CPython) through 3.10.4, the mailcap module does not ad ...)
- - python3.10 <unfixed>
+ - python3.10 3.10.6-1
- python3.9 <unfixed>
[bullseye] - python3.9 <no-dsa> (Minor issue)
- python3.7 <removed>
@@ -21088,9 +24695,15 @@ CVE-2022-29155 (In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL inje
NOTE: https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134 (master)
NOTE: https://git.openldap.org/openldap/openldap/-/commit/40f3ae4f5c9a8baf75b237220f62c436a571d66e (OPENLDAP_REL_ENG_2_5_12)
NOTE: back-sql backend to slapd is enabled but considered experimental upstream.
-CVE-2022-29154
- RESERVED
-CVE-2022-29153 (HashiCorp Consul and Consul Enterprise through 2022-04-12 allow SSRF. ...)
+CVE-2022-29154 (An issue was discovered in rsync before 3.2.5 that allows malicious re ...)
+ - rsync <unfixed> (bug #1016543)
+ [bullseye] - rsync <no-dsa> (Minor issue; for untrusted remote sending hosts additional protective measures can be taken)
+ NOTE: https://www.openwall.com/lists/oss-security/2022/08/02/1
+ NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=b7231c7d02cfb65d291af74ff66e7d8c507ee871 (v3.2.5pre1)
+ NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=7e5424b806e8eea053016268ad186276e9083b77 (v3.2.5pre1)
+ NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=3d7015afa223494e3318495c2f5de9cb49229da9 (v3.2.5pre1)
+ NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=2f7c583143bc6e80902139c23d9d7283f88fbc6a (v3.2.5pre1)
+CVE-2022-29153 (HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11. ...)
- consul <unfixed> (bug #1015218)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
CVE-2022-29152 (The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an ...)
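Review bot: The added `[bullseye] - rsync <no-dsa> (Minor issue; for untrusted remote sending hosts additional protective measures can be taken)` line does not say what those measures are, while the (truncated) description appears to describe a malicious remote side writing files on the connecting peer, which is hard to call minor for a tool routinely pointed at third-party servers. Either name the mitigation in the parenthetical (the client option or deployment constraint that blocks the write) or reconsider the classification. The sid line is `<unfixed>` although all four NOTE commits are tagged v3.2.5pre1; a line such as `NOTE: Fixed upstream in 3.2.5` would make the target obvious to whoever picks up bug #1016543.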
@@ -21217,8 +24830,8 @@ CVE-2022-29092 (Dell SupportAssist Client Consumer versions (3.11.0 and versions
NOT-FOR-US: Dell SupportAssist
CVE-2022-29091 (Dell Unity, Dell UnityVSA, and Dell UnityXT versions prior to 5.2.0.0. ...)
NOT-FOR-US: Dell
-CVE-2022-29090
- RESERVED
+CVE-2022-29090 (Dell Wyse Management Suite 3.6.1 and below contains a Sensitive Data E ...)
+ NOT-FOR-US: Dell Wyse Management Suite
CVE-2022-29089
RESERVED
CVE-2022-29088
@@ -21231,8 +24844,8 @@ CVE-2022-29085 (Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5
NOT-FOR-US: Dell
CVE-2022-29084 (Dell Unity, Dell UnityVSA, and Dell Unity XT versions before 5.2.0.0.5 ...)
NOT-FOR-US: Dell
-CVE-2022-29083
- RESERVED
+CVE-2022-29083 (Prior Dell BIOS versions contain an Improper Authentication vulnerabil ...)
+ NOT-FOR-US: Dell
CVE-2022-29082 (Dell EMC NetWorker versions 19.1.x, 19.1.0.x, 19.1.1.x, 19.2.x, 19.2.0 ...)
NOT-FOR-US: EMC
CVE-2022-1332 (One of the API in Mattermost version 6.4.1 and earlier fails to proper ...)
@@ -21254,16 +24867,16 @@ CVE-2022-1328 (Buffer Overflow in uudecoder in Mutt affecting all versions start
NOTE: https://gitlab.com/muttmua/mutt/-/issues/404
NOTE: https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5
NOTE: https://gitlab.com/neomutt/neomutt/-/commit/ee7cb4e461c1cdf0ac14817b03687d5908b85f84
-CVE-2022-1327 (The Image Gallery - Grid Gallery WordPress plugin through 1.1.1 does n ...)
+CVE-2022-1327 (The Image Gallery WordPress plugin before 1.1.6 does not sanitize and ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1326 (The Form - Contact Form WordPress plugin through 1.2.0 does not saniti ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1325
RESERVED
-CVE-2022-1324
- RESERVED
-CVE-2022-1323
- RESERVED
+CVE-2022-1324 (The Event Timeline WordPress plugin through 1.1.5 does not sanitize an ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2022-1323 (The Discy WordPress theme before 5.0 lacks authorization checks then p ...)
+ NOT-FOR-US: WordPress theme
CVE-2022-1322
RESERVED
CVE-2022-1321 (The miniOrange's Google Authenticator WordPress plugin before 5.5.6 do ...)
@@ -21295,8 +24908,8 @@ CVE-2022-29073
RESERVED
CVE-2022-29072 (** DISPUTED ** 7-Zip through 21.07 on Windows allows privilege escalat ...)
NOT-FOR-US: 7-Zip on Windows
-CVE-2022-29071
- RESERVED
+CVE-2022-29071 (This advisory documents an internally found vulnerability in the on pr ...)
+ NOT-FOR-US: Arista
CVE-2022-29070
RESERVED
CVE-2022-29069
@@ -21313,7 +24926,7 @@ CVE-2022-29064
RESERVED
CVE-2022-1319
RESERVED
- - undertow <unfixed>
+ - undertow 2.2.17-1 (bug #1016448)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2073890
CVE-2022-1318 (Hills ComNav version 3002-19 suffers from a weak communication channel ...)
NOT-FOR-US: Hills ComNav
@@ -21478,8 +25091,8 @@ CVE-2022-1295 (Prototype Pollution in GitHub repository alvarotrigo/fullpage.js
NOT-FOR-US: fullpage.js
CVE-2022-1294 (The IMDB info box WordPress plugin through 2.0 does not sanitize and e ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1293
- RESERVED
+CVE-2022-1293 (The embedded neutralization of Script-Related HTML Tag, was by-passed ...)
+ NOT-FOR-US: Ercom citadel
CVE-2022-1292 (The c_rehash script does not properly sanitise shell metacharacters to ...)
{DSA-5139-1 DLA-3008-1}
- openssl 1.1.1o-1
@@ -21834,10 +25447,10 @@ CVE-2022-28883
RESERVED
CVE-2022-28882
RESERVED
-CVE-2022-28881
- RESERVED
-CVE-2022-28880
- RESERVED
+CVE-2022-28881 (A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atl ...)
+ NOT-FOR-US: F-Secure
+CVE-2022-28880 (A Denial-of-Service vulnerability was discovered in the F-Secure Atlan ...)
+ NOT-FOR-US: F-Secure
CVE-2022-28879 (A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atl ...)
NOT-FOR-US: F-Secure
CVE-2022-28878 (A Denial-of-Service vulnerability was discovered in the F-Secure Atlan ...)
@@ -22004,7 +25617,7 @@ CVE-2022-28801
RESERVED
CVE-2022-28800
RESERVED
-CVE-2022-28799 (The TikTok application before 27.7.3 for Android allows account takeov ...)
+CVE-2022-28799 (The TikTok application before 23.7.3 for Android allows account takeov ...)
NOT-FOR-US: TikTok Android app
CVE-2022-28798
RESERVED
@@ -22088,20 +25701,20 @@ CVE-2022-28758
RESERVED
CVE-2022-28757
RESERVED
-CVE-2022-28756
- RESERVED
-CVE-2022-28755
- RESERVED
-CVE-2022-28754
- RESERVED
-CVE-2022-28753
- RESERVED
+CVE-2022-28756 (The Zoom Client for Meetings for macOS (Standard and for IT Admin) sta ...)
+ NOT-FOR-US: Zoom
+CVE-2022-28755 (The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Wind ...)
+ NOT-FOR-US: Zoom
+CVE-2022-28754 (Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 ...)
+ NOT-FOR-US: Zoom
+CVE-2022-28753 (Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 ...)
+ NOT-FOR-US: Zoom
CVE-2022-28752
RESERVED
CVE-2022-28751
RESERVED
-CVE-2022-28750
- RESERVED
+CVE-2022-28750 (Zoom On-Premise Meeting Connector Zone Controller (ZC) before version ...)
+ NOT-FOR-US: Zoom
CVE-2022-28749 (Zooms On-Premise Meeting Connector MMR before version 4.8.113.20220526 ...)
NOT-FOR-US: Zoom
CVE-2022-28748
@@ -22124,7 +25737,7 @@ CVE-2022-28740
RESERVED
CVE-2022-28739 (There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, ...)
- ruby3.0 3.0.4-1 (bug #1009956)
- - ruby2.7 <unfixed> (bug #1009957)
+ - ruby2.7 <removed> (bug #1009957)
[bullseye] - ruby2.7 <postponed> (Minor issue, fix with next Ruby security release)
- ruby2.5 <removed>
[buster] - ruby2.5 <postponed> (Minor issue, fix with next Ruby security release)
@@ -22183,12 +25796,12 @@ CVE-2022-28733
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
-CVE-2022-28732
- RESERVED
-CVE-2022-28731
- RESERVED
-CVE-2022-28730
- RESERVED
+CVE-2022-28732 (A carefully crafted request on WeblogPlugin could trigger an XSS vulne ...)
+ - jspwiki <removed>
+CVE-2022-28731 (A carefully crafted request on UserPreferences.jsp could trigger an CS ...)
+ - jspwiki <removed>
+CVE-2022-28730 (A carefully crafted request on AJAXPreview.jsp could trigger an XSS vu ...)
+ - jspwiki <removed>
CVE-2022-28729
RESERVED
CVE-2022-28728
@@ -22227,8 +25840,8 @@ CVE-2022-28686
RESERVED
CVE-2022-28685
RESERVED
-CVE-2022-28684
- RESERVED
+CVE-2022-28684 (This vulnerability allows remote attackers to execute arbitrary code o ...)
+ NOT-FOR-US: DevExpress
CVE-2022-28683 (This vulnerability allows remote attackers to execute arbitrary code o ...)
NOT-FOR-US: Foxit
CVE-2022-28682 (This vulnerability allows remote attackers to execute arbitrary code o ...)
@@ -22259,14 +25872,14 @@ CVE-2022-28670 (This vulnerability allows remote attackers to disclose sensitive
NOT-FOR-US: Foxit
CVE-2022-28669 (This vulnerability allows remote attackers to execute arbitrary code o ...)
NOT-FOR-US: Foxit
-CVE-2022-28668
- RESERVED
+CVE-2022-28668 (This vulnerability allows remote attackers to execute arbitrary code o ...)
+ NOT-FOR-US: Sante DICOM Viewer
CVE-2022-28667
RESERVED
-CVE-2022-28665
- RESERVED
-CVE-2022-28664
- RESERVED
+CVE-2022-28665 (A memory corruption vulnerability exists in the httpd unescape functio ...)
+ NOT-FOR-US: FreshTomato
+CVE-2022-28664 (A memory corruption vulnerability exists in the httpd unescape functio ...)
+ NOT-FOR-US: FreshTomato
CVE-2022-28611
RESERVED
CVE-2022-28126
@@ -22281,8 +25894,8 @@ CVE-2022-27639
RESERVED
CVE-2022-27638
RESERVED
-CVE-2022-27631
- RESERVED
+CVE-2022-27631 (A memory corruption vulnerability exists in the httpd unescape functio ...)
+ NOT-FOR-US: DD-WRT
CVE-2022-27499
RESERVED
CVE-2022-27234
@@ -22307,8 +25920,8 @@ CVE-2022-26509
RESERVED
CVE-2022-26508
RESERVED
-CVE-2022-26376
- RESERVED
+CVE-2022-26376 (A memory corruption vulnerability exists in the httpd unescape functio ...)
+ NOT-FOR-US: Asuswrt
CVE-2022-26369
RESERVED
CVE-2022-26367
@@ -22342,8 +25955,8 @@ CVE-2022-1279 (A vulnerability in the encryption implementation of EBICS message
NOT-FOR-US: ebics-java
CVE-2022-1278
RESERVED
-CVE-2022-1277
- RESERVED
+CVE-2022-1277 (Inavitas Solar Log product has an unauthenticated SQL Injection vulner ...)
+ NOT-FOR-US: Inavitas Solar Log
CVE-2022-1276 (Out-of-bounds Read in mrb_get_args in GitHub repository mruby/mruby pr ...)
- mruby <not-affected> (Vulnerable code introduced later)
NOTE: https://huntr.dev/bounties/6ea041d1-e2aa-472c-bf3e-da5fa8726c25
@@ -22358,7 +25971,7 @@ CVE-2022-1272
RESERVED
CVE-2022-1270
RESERVED
-CVE-2022-1269 (The Fast Flow WordPress plugin before 1.2.11 does not sanitise and esc ...)
+CVE-2022-1269 (The Fast Flow WordPress plugin before 1.2.12 does not sanitise and esc ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1268 (The Donate Extra WordPress plugin through 2.02 does not sanitise and e ...)
NOT-FOR-US: WordPress plugin
@@ -22536,28 +26149,28 @@ CVE-2022-28638
RESERVED
CVE-2022-28637
RESERVED
-CVE-2022-28636
- RESERVED
-CVE-2022-28635
- RESERVED
-CVE-2022-28634
- RESERVED
-CVE-2022-28633
- RESERVED
-CVE-2022-28632
- RESERVED
-CVE-2022-28631
- RESERVED
-CVE-2022-28630
- RESERVED
-CVE-2022-28629
- RESERVED
-CVE-2022-28628
- RESERVED
-CVE-2022-28627
- RESERVED
-CVE-2022-28626
- RESERVED
+CVE-2022-28636 (A potential local arbitrary code execution and a local denial of servi ...)
+ NOT-FOR-US: HPE
+CVE-2022-28635 (A potential local arbitrary code execution and a local denial of servi ...)
+ NOT-FOR-US: HPE
+CVE-2022-28634 (A local arbitrary code execution vulnerability was discovered in HPE I ...)
+ NOT-FOR-US: HPE
+CVE-2022-28633 (A local disclosure of sensitive information and a local unauthorized d ...)
+ NOT-FOR-US: HPE
+CVE-2022-28632 (A potential arbitrary code execution and a denial of service (DoS) vul ...)
+ NOT-FOR-US: HPE
+CVE-2022-28631 (A potential arbitrary code execution and a denial of service (DoS) vul ...)
+ NOT-FOR-US: HPE
+CVE-2022-28630 (A local arbitrary code execution vulnerability was discovered in HPE I ...)
+ NOT-FOR-US: HPE
+CVE-2022-28629 (A local arbitrary code execution vulnerability was discovered in HPE I ...)
+ NOT-FOR-US: HPE
+CVE-2022-28628 (A local arbitrary code execution vulnerability was discovered in HPE I ...)
+ NOT-FOR-US: HPE
+CVE-2022-28627 (A local arbitrary code execution vulnerability was discovered in HPE I ...)
+ NOT-FOR-US: HPE
+CVE-2022-28626 (A local arbitrary code execution vulnerability was discovered in HPE I ...)
+ NOT-FOR-US: HPE
CVE-2022-28625
RESERVED
CVE-2022-28624 (A potential security vulnerability has been identified in certain HPE ...)
@@ -22609,6 +26222,7 @@ CVE-2022-1228 (The Opensea WordPress plugin before 1.0.3 does not sanitize and e
CVE-2022-1227 (A privilege escalation flaw was found in Podman. This flaw allows an a ...)
- libpod 3.4.7+ds1-1
- golang-github-containers-psgo 1.7.1+ds1-1
+ [bullseye] - golang-github-containers-psgo <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2070368
NOTE: https://github.com/containers/psgo/pull/92
NOTE: https://github.com/containers/psgo/commit/d9467da9f563a9de1ece79dcae86b37b1db75443 (v1.7.2)
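Review bot: The new `[bullseye] - golang-github-containers-psgo <no-dsa> (Minor issue)` line triages only one of the two sources listed for this CVE; libpod, directly above it with a sid fix of 3.4.7+ds1-1, gets no bullseye state in this hunk. If the bullseye libpod is affected (the NOTE links point at the psgo fix, so libpod presumably carries the same code through its dependency, but that cannot be confirmed from here), add a matching `[bullseye] - libpod <no-dsa> (Minor issue)` so both sources carry an explicit decision rather than an implicit one.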
@@ -22621,7 +26235,8 @@ CVE-2022-1224 (Improper Authorization in GitHub repository phpipam/phpipam prior
CVE-2022-1223 (Improper Access Control in GitHub repository phpipam/phpipam prior to ...)
- phpipam <itp> (bug #731713)
CVE-2022-1222 (Inf loop in GitHub repository gpac/gpac prior to 2.1.0-DEV. ...)
- - gpac <unfixed>
+ - gpac <unfixed> (bug #1016443)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/f8cb85b8-7ff3-47f1-a9a6-7080eb371a3d
NOTE: https://github.com/gpac/gpac/commit/7f060bbb72966cae80d6fee338d0b07fa3fc06e1
@@ -23513,8 +27128,8 @@ CVE-2022-1192 (The Turn off all comments WordPress plugin through 1.0 does not s
NOT-FOR-US: WordPress plugin
CVE-2021-46779
RESERVED
-CVE-2021-46778
- RESERVED
+CVE-2021-46778 (Execution unit scheduler contention may lead to a side channel vulnera ...)
+ NOT-FOR-US: AMD
CVE-2021-46777
RESERVED
CVE-2021-46776
@@ -23721,10 +27336,9 @@ CVE-2022-1185 (A denial of service vulnerability when rendering RDoc files in Gi
- gitlab <unfixed>
CVE-2022-1184
RESERVED
- {DSA-5173-1}
- - linux 5.18.5-1
- [bullseye] - linux 5.10.127-1
+ - linux <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2070205
+ NOTE: https://git.kernel.org/linus/65f8ea4cd57dbd46ea13b41dc8bac03176b04233
CVE-2022-1183 (On vulnerable configurations, the named daemon may, in some circumstan ...)
- bind9 1:9.18.3-1
[bullseye] - bind9 <not-affected> (Vulnerable code not present)
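Review bot: The new side turns a fixed entry (`{DSA-5173-1}`, `- linux 5.18.5-1`, `[bullseye] - linux 5.10.127-1`) into `- linux <unfixed>` without recording why the earlier fix no longer counts; as written it reads like an accidental revert. If the commit in the added NOTE is a follow-up because the first fix was incomplete, say so next to it, e.g. `NOTE: Fix shipped in 5.18.5-1/DSA-5173-1 was incomplete, full fix is the commit below`. Dropping the `[bullseye]` line also leaves bullseye with no explicit state; confirm the tracker's derived status for bullseye is what is intended, and keep the DSA reference if the advisory did ship a partial fix.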
@@ -23752,7 +27366,7 @@ CVE-2022-1174 (A potential DoS vulnerability was discovered in Gitlab CE/EE vers
CVE-2022-1173 (stored xss in GitHub repository getgrav/grav prior to 1.7.33. ...)
NOT-FOR-US: Grav CMS
CVE-2022-1172 (Null Pointer Dereference Caused Segmentation Fault in GitHub repositor ...)
- - gpac <unfixed>
+ - gpac <unfixed> (bug #1016443)
[bullseye] - gpac <ignored> (Minor issue)
[buster] - gpac <ignored> (Minor issue)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
@@ -24009,8 +27623,7 @@ CVE-2022-28161 (An information exposure through log file vulnerability in Brocad
NOT-FOR-US: Brocade SANnav
CVE-2022-1159 (Rockwell Automation Studio 5000 Logix Designer (all versions) are vuln ...)
NOT-FOR-US: Rockwell Automation
-CVE-2022-1158
- RESERVED
+CVE-2022-1158 (A flaw was found in KVM. When updating a guest's page table entry, vm_ ...)
{DSA-5127-1}
- linux 5.17.3-1
[buster] - linux <not-affected> (Vulnerable code not present)
@@ -24098,15 +27711,16 @@ CVE-2022-28133 (Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier do
NOT-FOR-US: Jenkins plugin
CVE-2022-28132
RESERVED
-CVE-2022-28131
- RESERVED
+CVE-2022-28131 (Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17. ...)
- golang-1.18 1.18.4-1
- golang-1.15 <removed>
- golang-1.11 <removed>
CVE-2022-28130
RESERVED
-CVE-2022-28129
- RESERVED
+CVE-2022-28129 (Improper Input Validation vulnerability in HTTP/1.1 header parsing of ...)
+ {DSA-5206-1}
+ - trafficserver 9.1.3+ds-1
+ NOTE: https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
CVE-2022-1148 (Improper authorization in GitLab Pages included with GitLab CE/EE affe ...)
- gitlab <unfixed>
CVE-2022-1147
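Review bot: The added description for CVE-2022-28131 states encoding/xml is affected before Go 1.17.12, but the entry still lists only golang-1.18, golang-1.15 and golang-1.11; golang-1.17 is tracked as a source package elsewhere in this file (CVE-2022-27536 carries a `- golang-1.17` line), so it needs a line here, `- golang-1.17 <unfixed>` or the fixed Debian revision. golang-1.15 is marked `<removed>` with no `[bullseye]` annotation; if bullseye still ships it, add the usual `[bullseye] - golang-1.15 <...>` triage line as the other entries in this file do. The trafficserver part of the hunk is consistent (DSA reference plus sid version).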
@@ -24665,8 +28279,8 @@ CVE-2022-27946 (NETGEAR R8500 1.0.2.158 devices allow remote authenticated users
NOT-FOR-US: NETGEAR
CVE-2022-27945 (NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to ex ...)
NOT-FOR-US: NETGEAR
-CVE-2022-27944
- RESERVED
+CVE-2022-27944 (Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow an e ...)
+ NOT-FOR-US: Foxit PDF Reader
CVE-2022-27943 (libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in ...)
- gcc-12 <unfixed> (unimportant)
NOTE: Negligible security impact
@@ -24835,8 +28449,8 @@ CVE-2022-27882 (slaacd in OpenBSD 6.9 and 7.0 before 2022-03-22 has an integer s
NOT-FOR-US: slaacd from OpenBSD
CVE-2022-27881 (engine.c in slaacd in OpenBSD 6.9 and 7.0 before 2022-02-21 has a buff ...)
NOT-FOR-US: slaacd from OpenBSD
-CVE-2022-27873
- RESERVED
+CVE-2022-27873 (An attacker can force the victim&#8217;s device to perform arbitrary H ...)
+ NOT-FOR-US: Autodesk
CVE-2022-27872 (A maliciously crafted PDF file may be used to dereference a pointer fo ...)
NOT-FOR-US: Autodesk
CVE-2022-27871 (Autodesk AutoCAD product suite, Revit, Design Review and Navisworks re ...)
@@ -24849,12 +28463,12 @@ CVE-2022-27868 (A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be u
NOT-FOR-US: Autodesk
CVE-2022-27867 (A maliciously crafted JT file in Autodesk AutoCAD 2022, 2021, 2020, 20 ...)
NOT-FOR-US: Autodesk
-CVE-2022-27866
- RESERVED
-CVE-2022-27865
- RESERVED
-CVE-2022-27864
- RESERVED
+CVE-2022-27866 (A maliciously crafted TIFF file when consumed through DesignReview.exe ...)
+ NOT-FOR-US: Autodesk
+CVE-2022-27865 (A maliciously crafted TGA or PCX file may be used to write beyond the ...)
+ NOT-FOR-US: Autodesk
+CVE-2022-27864 (A Double Free vulnerability allows remote attackers to execute arbitra ...)
+ NOT-FOR-US: Autodesk
CVE-2022-27186
RESERVED
CVE-2022-27177 (A Python format string issue leading to information disclosure and pot ...)
@@ -25126,27 +28740,29 @@ CVE-2022-27784 (Adobe After Effects versions 22.2.1 (and earlier) and 18.4.5 (an
NOT-FOR-US: Adobe
CVE-2022-27783 (Adobe After Effects versions 22.2.1 (and earlier) and 18.4.5 (and earl ...)
NOT-FOR-US: Adobe
-CVE-2022-27660
- RESERVED
-CVE-2022-27633
- RESERVED
-CVE-2022-27630
- RESERVED
-CVE-2022-27185
- RESERVED
-CVE-2022-27178
- RESERVED
-CVE-2022-26346
- RESERVED
+CVE-2022-27660 (A denial of service vulnerability exists in the confctl_set_guest_wlan ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-27633 (An information disclosure vulnerability exists in the confctl_get_gues ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wifi
+CVE-2022-27630 (An information disclosure vulnerability exists in the confctl_get_mast ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-27185 (A denial of service vulnerability exists in the confctl_set_master_wla ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wifi
+CVE-2022-27178 (A denial of service vulnerability exists in the confctl_set_wan_cfg fu ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-26346 (A denial of service vulnerability exists in the ucloud_del_node functi ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
CVE-2022-1060
RESERVED
CVE-2022-27782 (libcurl would reuse a previously created connection even when a TLS or ...)
+ {DSA-5197-1}
- curl 7.83.1-1
NOTE: https://www.openwall.com/lists/oss-security/2022/05/11/5
NOTE: https://curl.se/docs/CVE-2022-27782.html
NOTE: Fixed by: https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c (curl-7_83_1)
NOTE: Fixed by: https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5 (curl-7_83_1)
CVE-2022-27781 (libcurl provides the `CURLOPT_CERTINFO` option to allow applications t ...)
+ {DSA-5197-1}
- curl 7.83.1-1
NOTE: https://www.openwall.com/lists/oss-security/2022/05/11/4
NOTE: https://curl.se/docs/CVE-2022-27781.html
@@ -25179,7 +28795,7 @@ CVE-2022-27778 (A use of incorrectly resolved name vulnerability fixed in 7.83.1
NOTE: https://curl.se/docs/CVE-2022-27778.html
NOTE: Fixed by: https://github.com/curl/curl/commit/8c7ee9083d0d719d0a77ab20d9cc2ae84eeea7f3 (curl-7_83_1)
CVE-2022-27777 (A XSS Vulnerability in Action View tag helpers &gt;= 5.2.0 and &lt; 5. ...)
- - rails <unfixed>
+ - rails <unfixed> (bug #1016982)
NOTE: https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
NOTE: Fixed by: https://github.com/rails/rails/commit/123f42a573f7fcbf391885c135ca809f21615180 (v6.1.5.1)
NOTE: Regression fix: https://github.com/rails/rails/commit/7c2da9e51c5c02643f30d83aaad3ed5062adcad8 (6.1.6)
@@ -25188,10 +28804,12 @@ CVE-2022-27777 (A XSS Vulnerability in Action View tag helpers &gt;= 5.2.0 and &
NOTE: Fixed by: https://github.com/rails/rails/commit/1278c0f0b4a18ea199f92b666b8b94954a74c20b (v5.2.7.1)
NOTE: Regression fix: https://github.com/rails/rails/commit/a1b8a9b5e5a905d0aeabf532e3f6b74116d5cce6 (v5.2.8)
CVE-2022-27776 (A insufficiently protected credentials vulnerability in fixed in curl ...)
+ {DSA-5197-1}
- curl 7.83.0-1 (bug #1010252)
NOTE: https://curl.se/docs/CVE-2022-27776.html
NOTE: Fixed by: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258 (curl-7_83_0)
CVE-2022-27775 (An information disclosure vulnerability exists in curl 7.65.0 to 7.82. ...)
+ {DSA-5197-1}
- curl 7.83.0-1 (bug #1010253)
[buster] - curl <not-affected> (Vulnerable code introduced later)
[stretch] - curl <not-affected> (Vulnerable code introduced later)
@@ -25199,6 +28817,7 @@ CVE-2022-27775 (An information disclosure vulnerability exists in curl 7.65.0 to
NOTE: Introduced by: https://github.com/curl/curl/commit/2d0e9b40d3237b1450cbbfbcb996da244d964898 (curl-7_65_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705 (curl-7_83_0)
CVE-2022-27774 (An insufficiently protected credentials vulnerability exists in curl 4 ...)
+ {DSA-5197-1}
- curl 7.83.0-1 (bug #1010254)
NOTE: https://curl.se/docs/CVE-2022-27774.html
NOTE: Fixed by: https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79 (curl-7_83_0)
@@ -25478,7 +29097,8 @@ CVE-2022-27651 (A flaw was found in buildah where containers were incorrectly st
NOTE: https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b (v1.25.1)
NOTE: https://github.com/containers/buildah/security/advisories/GHSA-c3g4-w6cv-6v7h
CVE-2022-27650 (A flaw was found in crun where containers were incorrectly started wit ...)
- - crun <unfixed> (bug #1009881)
+ - crun 1.5+dfsg-1 (bug #1009881)
+ [bullseye] - crun <no-dsa> (Minor issue)
NOTE: https://github.com/containers/crun/commit/b847d146d496c9d7beba166fd595488e85488562 (1.4.4)
CVE-2022-27649 (A flaw was found in Podman, where containers were started incorrectly ...)
- libpod 3.4.6+ds1-1
@@ -25570,18 +29190,18 @@ CVE-2022-27623
RESERVED
CVE-2022-27622
RESERVED
-CVE-2022-27621
- RESERVED
-CVE-2022-27620
- RESERVED
-CVE-2022-27619
- RESERVED
-CVE-2022-27618
- RESERVED
-CVE-2022-27617
- RESERVED
-CVE-2022-27616
- RESERVED
+CVE-2022-27621 (Improper limitation of a pathname to a restricted directory ('Path Tra ...)
+ NOT-FOR-US: Synology DiskStation Manager
+CVE-2022-27620 (Improper limitation of a pathname to a restricted directory ('Path Tra ...)
+ NOT-FOR-US: Synology DiskStation Manager
+CVE-2022-27619 (Cleartext transmission of sensitive information vulnerability in authe ...)
+ NOT-FOR-US: Synology Note Station Client
+CVE-2022-27618 (Improper limitation of a pathname to a restricted directory ('Path Tra ...)
+ NOT-FOR-US: Synology DiskStation Manager
+CVE-2022-27617 (Improper limitation of a pathname to a restricted directory ('Path Tra ...)
+ NOT-FOR-US: Synology DiskStation Manager
+CVE-2022-27616 (Improper neutralization of special elements used in an OS command ('OS ...)
+ NOT-FOR-US: Synology DiskStation Manager
CVE-2022-27615 (Improper limitation of a pathname to a restricted directory ('Path Tra ...)
NOT-FOR-US: Synology
CVE-2022-27614 (Exposure of sensitive information to an unauthorized actor vulnerabili ...)
@@ -25710,8 +29330,8 @@ CVE-2022-27553
RESERVED
CVE-2022-27552
RESERVED
-CVE-2022-27551
- RESERVED
+CVE-2022-27551 (HCL Launch could allow an authenticated user to obtain sensitive infor ...)
+ NOT-FOR-US: HCL
CVE-2022-27550
RESERVED
CVE-2022-27549 (HCL Launch may store certain data for recurring activities in a plain ...)
@@ -25745,8 +29365,8 @@ CVE-2022-27536 (Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can
- golang-1.17 <not-affected> (MacOS-specific)
NOTE: https://groups.google.com/g/golang-announce/c/oecdBNLOml8
NOTE: https://go.dev/issue/51759
-CVE-2022-27535
- RESERVED
+CVE-2022-27535 (Kaspersky VPN Secure Connection for Windows version up to 21.5 was vul ...)
+ NOT-FOR-US: Kaspersky VPN Secure Connection for Windows
CVE-2022-27534 (Kaspersky Anti-Virus products for home and Kaspersky Endpoint Security ...)
NOT-FOR-US: Kaspersky
CVE-2022-27533
@@ -25861,8 +29481,8 @@ CVE-2022-27486
RESERVED
CVE-2022-27485
RESERVED
-CVE-2022-27484
- RESERVED
+CVE-2022-27484 (A unverified password change in Fortinet FortiADC version 6.2.0 throug ...)
+ NOT-FOR-US: FortiGuard
CVE-2022-27483 (A improper neutralization of special elements used in an os command (' ...)
NOT-FOR-US: Fortinet
CVE-2022-27482
@@ -26047,7 +29667,7 @@ CVE-2022-27421 (Chamilo LMS v1.11.13 lacks validation on the user modification f
CVE-2022-27420 (Hospital Management System v1.0 was discovered to contain a SQL inject ...)
NOT-FOR-US: Hospital Management System
CVE-2022-27419 (rtl_433 21.12 was discovered to contain a stack overflow in the functi ...)
- [experimental] - rtl-433 21.12+git20220718+ds-2
+ [experimental] - rtl-433 21.12+git20220718+ds-1
- rtl-433 21.12+git20220718+ds-2 (bug #1009788)
[bullseye] - rtl-433 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/merbanan/rtl_433/issues/2012
@@ -26245,7 +29865,7 @@ CVE-2022-27361
RESERVED
CVE-2022-27360 (SpringBlade v3.2.0 and below was discovered to contain a SQL injection ...)
NOT-FOR-US: SpringBlade
-CVE-2022-27359 (Foxit PDF Reader v11.2.1.53537 was discovered to contain a NULL pointe ...)
+CVE-2022-27359 (Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a th ...)
NOT-FOR-US: Foxit PDF Reader
CVE-2022-27358
RESERVED
@@ -26473,7 +30093,8 @@ CVE-2022-1037 (The EXMAGE WordPress plugin before 1.0.7 does to ensure that imag
CVE-2022-1036 (Able to create an account with long password leads to memory corruptio ...)
NOT-FOR-US: microweber
CVE-2022-1035 (Segmentation Fault caused by MP4Box -lsr in GitHub repository gpac/gpa ...)
- - gpac <unfixed>
+ - gpac <unfixed> (bug #1016443)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/851942a4-1d64-4553-8fdc-9fccd167864b
NOTE: https://github.com/gpac/gpac/commit/3718d583c6ade191dc7979c64f48c001ca6f0243
@@ -26493,8 +30114,8 @@ CVE-2022-27257 (A PHP Local File Inclusion vulneraility in the default Redbasic
NOT-FOR-US: Redbasic theme for Hubzilla
CVE-2022-27256 (A PHP Local File inclusion vulnerability in the Redbasic theme for Hub ...)
NOT-FOR-US: Redbasic theme for Hubzilla
-CVE-2022-27255
- RESERVED
+CVE-2022-27255 (In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function th ...)
+ NOT-FOR-US: Realtek eCos RSDK
CVE-2022-27254 (The remote keyless system on Honda Civic 2018 vehicles sends the same ...)
NOT-FOR-US: Honda
CVE-2022-27253
@@ -26608,8 +30229,7 @@ CVE-2022-1014 (The WP Contacts Manager WordPress plugin through 2.2.4 fails to p
NOT-FOR-US: WordPress plugin
CVE-2022-1013 (The Personal Dictionary WordPress plugin before 1.3.4 fails to properl ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1012
- RESERVED
+CVE-2022-1012 (A memory leak problem was found in the TCP source port generation algo ...)
{DSA-5173-1 DSA-5161-1 DLA-3065-1}
- linux 5.17.11-1
[bullseye] - linux 5.10.127-1
@@ -26921,8 +30541,8 @@ CVE-2022-27169 (An information disclosure vulnerability exists in the OAS Engine
NOT-FOR-US: Open Automation Software
CVE-2022-27167 (Privilege escalation vulnerability in Windows products of ESET, spol. ...)
NOT-FOR-US: ESET
-CVE-2022-27166
- RESERVED
+CVE-2022-27166 (A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS ...)
+ - jspwiki <removed>
CVE-2022-26511 (WPS Presentation 11.8.0.5745 insecurely load d3dx9_41.dll when opening ...)
NOT-FOR-US: WPS Presentation
CVE-2022-26510 (A firmware update vulnerability exists in the iburn firmware checks fu ...)
@@ -27033,21 +30653,25 @@ CVE-2022-27149
REJECTED
CVE-2022-27148 (GPAC mp4box 1.1.0-DEV-rev1663-g881c6a94a-master is vulnerable to Integ ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2067
NOTE: https://github.com/gpac/gpac/commit/0cd19f4db70615d707e0e6202933c2ea0c1d36df (v2.0.0)
CVE-2022-27147 (GPAC mp4box 1.1.0-DEV-rev1727-g8be34973d-master has a use-after-free v ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2109
NOTE: https://github.com/gpac/gpac/commit/9723dd0955894f2cb7be13b94cf7a47f2754b893 (v2.0.0)
CVE-2022-27146 (GPAC mp4box 1.1.0-DEV-rev1759-geb2d1e6dd-has a heap-buffer-overflow vu ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2120
NOTE: https://github.com/gpac/gpac/commit/f0a41d178a2dc5ac185506d9fa0b0a58356b16f7 (v2.0.0)
CVE-2022-27145 (GPAC mp4box 1.1.0-DEV-rev1727-g8be34973d-master has a stack-overflow v ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/commit/d7daa8aeb6df4b6c3ec102622e1599279310a19e (v2.0.0)
NOTE: https://github.com/gpac/gpac/issues/2108
@@ -27437,8 +31061,8 @@ CVE-2021-46709 (phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRow
[buster] - phpliteadmin 1.9.7.1-2+deb10u1
NOTE: https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability
NOTE: https://bitbucket.org/phpliteadmin/public/pull-requests/16/fix-an-xss-vulnerability-with-the-newrows
-CVE-2022-26979
- RESERVED
+CVE-2022-26979 (Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a NU ...)
+ NOT-FOR-US: Foxit PDF Reader
CVE-2022-26978 (Barco Control Room Management Suite web application, which is part of ...)
NOT-FOR-US: Barco Control Room Management Suite
CVE-2022-26977 (Barco Control Room Management Suite web application, which is part of ...)
@@ -27518,8 +31142,9 @@ CVE-2022-0936 (Cross-site Scripting (XSS) - Stored in GitHub repository autolab/
NOT-FOR-US: Autolab
CVE-2022-26946
RESERVED
-CVE-2022-26945 (HashiCorp go-getter before 2.0.2 allows Command Injection. ...)
+CVE-2022-26945 (go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless r ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+ [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
@@ -27765,7 +31390,7 @@ CVE-2022-0920 (The Salon booking system Free and Pro WordPress plugins before 7.
CVE-2022-0919 (The Salon booking system Free and pro WordPress plugins before 7.6.3 d ...)
NOT-FOR-US: WordPress plugin
CVE-2022-0918 (A vulnerability was discovered in the 389 Directory Server that allows ...)
- - 389-ds-base <unfixed>
+ - 389-ds-base <unfixed> (bug #1016445)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2055815
NOTE: https://github.com/389ds/389-ds-base/issues/5242
NOTE: https://github.com/389ds/389-ds-base/commit/caad47ab207d7c5d61521ec4d33091db559c315a (master)
@@ -27902,8 +31527,8 @@ CVE-2022-26425
RESERVED
CVE-2022-26421
RESERVED
-CVE-2022-26342
- RESERVED
+CVE-2022-26342 (A buffer overflow vulnerability exists in the confsrv ucloud_set_node_ ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
CVE-2022-26076
RESERVED
CVE-2022-26062
@@ -27912,10 +31537,10 @@ CVE-2022-26052
RESERVED
CVE-2022-26032
RESERVED
-CVE-2022-26009
- RESERVED
-CVE-2022-25996
- RESERVED
+CVE-2022-26009 (A stack-based buffer overflow vulnerability exists in the confsrv uclo ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-25996 (A stack-based buffer overflow vulnerability exists in the confsrv addT ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
CVE-2022-25987
RESERVED
CVE-2022-25915 (Improper access control vulnerability in ELECOM LAN routers (WRC-1167G ...)
@@ -28517,7 +32142,7 @@ CVE-2022-26564 (HotelDruid Hotel Management Software v3.0.3 contains a cross-sit
CVE-2022-26563
RESERVED
CVE-2022-26562 (An issue in provider/libserver/ECKrbAuth.cpp of Kopano-Core v11.0.2.51 ...)
- - kopanocore <unfixed>
+ - kopanocore <unfixed> (bug #1016973)
CVE-2022-26561
RESERVED
CVE-2022-26560
@@ -28810,46 +32435,46 @@ CVE-2022-26447
RESERVED
CVE-2022-26446
RESERVED
-CVE-2022-26445
- RESERVED
-CVE-2022-26444
- RESERVED
-CVE-2022-26443
- RESERVED
-CVE-2022-26442
- RESERVED
-CVE-2022-26441
- RESERVED
-CVE-2022-26440
- RESERVED
-CVE-2022-26439
- RESERVED
-CVE-2022-26438
- RESERVED
-CVE-2022-26437
- RESERVED
-CVE-2022-26436
- RESERVED
-CVE-2022-26435
- RESERVED
-CVE-2022-26434
- RESERVED
-CVE-2022-26433
- RESERVED
-CVE-2022-26432
- RESERVED
-CVE-2022-26431
- RESERVED
-CVE-2022-26430
- RESERVED
-CVE-2022-26429
- RESERVED
-CVE-2022-26428
- RESERVED
-CVE-2022-26427
- RESERVED
-CVE-2022-26426
- RESERVED
+CVE-2022-26445 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ NOT-FOR-US: MediaTek
+CVE-2022-26444 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ NOT-FOR-US: MediaTek
+CVE-2022-26443 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ NOT-FOR-US: MediaTek
+CVE-2022-26442 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ NOT-FOR-US: MediaTek
+CVE-2022-26441 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ NOT-FOR-US: MediaTek
+CVE-2022-26440 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ NOT-FOR-US: MediaTek
+CVE-2022-26439 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ NOT-FOR-US: MediaTek
+CVE-2022-26438 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ NOT-FOR-US: MediaTek
+CVE-2022-26437 (In httpclient, there is a possible out of bounds write due to uninitia ...)
+ NOT-FOR-US: MediaTek
+CVE-2022-26436 (In emi mpu, there is a possible out of bounds read due to a missing bo ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-26435 (In mailbox, there is a possible out of bounds write due to type confus ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-26434 (In mailbox, there is a possible out of bounds write due to a missing b ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-26433 (In mailbox, there is a possible out of bounds write due to type confus ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-26432 (In mailbox, there is a possible out of bounds write due to a missing b ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-26431 (In mailbox, there is a possible out of bounds write due to a missing b ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-26430 (In mailbox, there is a possible out of bounds write due to type confus ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-26429 (In cta, there is a possible way to write permission usage records of a ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-26428 (In video codec, there is a possible memory corruption due to a race co ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-26427 (In camera isp, there is a possible out of bounds write due to a missin ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-26426 (In camera isp, there is a possible out of bounds write due to a missin ...)
+ NOT-FOR-US: MediaTek driver for Android
CVE-2022-26418
RESERVED
CVE-2022-26416
@@ -29332,12 +32957,12 @@ CVE-2022-26312
RESERVED
CVE-2022-26311 (Couchbase Operator 2.2.x before 2.2.3 exposes Sensitive Information to ...)
NOT-FOR-US: Couchbase Operator
-CVE-2022-26310
- RESERVED
-CVE-2022-26309
- RESERVED
-CVE-2022-26308
- RESERVED
+CVE-2022-26310 (Pandora FMS v7.0NG.760 and below allows an improper authorization in U ...)
+ NOT-FOR-US: Pandora FMS
+CVE-2022-26309 (Pandora FMS v7.0NG.759 allows Cross-Site Request Forgery in Bulk opera ...)
+ NOT-FOR-US: Pandora FMS
+CVE-2022-26308 (Pandora FMS v7.0NG.760 and below allows an improper access control in ...)
+ NOT-FOR-US: Pandora FMS
CVE-2022-26307 (LibreOffice supports the storage of passwords for web connections in t ...)
- libreoffice 1:7.3.3~rc1-2
[bullseye] - libreoffice <no-dsa> (Minor issue)
@@ -30122,8 +33747,8 @@ CVE-2022-25975
RESERVED
CVE-2022-25974
RESERVED
-CVE-2022-25973
- RESERVED
+CVE-2022-25973 (All versions of package mc-kill-port are vulnerable to Arbitrary Comma ...)
+ NOT-FOR-US: Node mc-kill-port
CVE-2022-25971
RESERVED
CVE-2022-25970
@@ -30216,8 +33841,8 @@ CVE-2022-25910
RESERVED
CVE-2022-25908
RESERVED
-CVE-2022-25907
- RESERVED
+CVE-2022-25907 (The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Poll ...)
+ NOT-FOR-US: voodoocreation/ts-deepmerge
CVE-2022-25906
RESERVED
CVE-2022-25904
@@ -30290,8 +33915,8 @@ CVE-2022-25871 (All versions of package querymen are vulnerable to Prototype Pol
CVE-2022-25869 (All versions of package angular are vulnerable to Cross-site Scripting ...)
- angular.js <unfixed>
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781
-CVE-2022-25867
- RESERVED
+CVE-2022-25867 (The package io.socket:socket.io-client before 2.0.1 are vulnerable to ...)
+ NOT-FOR-US: socket.io-client-java
CVE-2022-25866 (The package czproject/git-php before 4.0.3 are vulnerable to Command I ...)
NOT-FOR-US: git-php
CVE-2022-25865 (The package workspace-tools before 0.18.4 are vulnerable to Command In ...)
@@ -30308,9 +33933,10 @@ CVE-2022-25859
RESERVED
CVE-2022-25858 (The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vuln ...)
- node-terser 4.8.1-1
+ [bullseye] - node-terser <no-dsa> (Minor issue)
NOTE: https://snyk.io/vuln/SNYK-JS-TERSER-2806366
- NOTE: https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b
- NOTE: https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012
+ NOTE: https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b (v5.14.2)
+ NOTE: https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012 (v4.8.1)
CVE-2022-25857
RESERVED
CVE-2022-25856 (The package github.com/argoproj/argo-events/sensors/artifacts before 1 ...)
@@ -30424,8 +34050,8 @@ CVE-2022-25171
RESERVED
CVE-2022-24913
RESERVED
-CVE-2022-24912
- RESERVED
+CVE-2022-24912 (The package github.com/runatlantis/atlantis/server/controllers/events ...)
+ NOT-FOR-US: github.com/runatlantis/atlantis
CVE-2022-24909
RESERVED
CVE-2022-24441
@@ -30545,8 +34171,8 @@ CVE-2022-21189 (The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.
NOT-FOR-US: dexie
CVE-2022-21187 (The package libvcs before 0.11.1 are vulnerable to Command Injection v ...)
NOT-FOR-US: libvcs
-CVE-2022-21186
- RESERVED
+CVE-2022-21186 (The package @acrontum/filesystem-template before 0.0.2 are vulnerable ...)
+ NOT-FOR-US: acrontum/filesystem-template
CVE-2022-21169
RESERVED
CVE-2022-21167 (All versions of package masuit.tools.core are vulnerable to Arbitrary ...)
@@ -30726,8 +34352,8 @@ CVE-2022-25795 (A maliciously crafted PDF file can be used to dereference for a
NOT-FOR-US: Autodesk
CVE-2022-25794 (An Out-Of-Bounds Read Vulnerability in Autodesk FBX Review version 1.5 ...)
NOT-FOR-US: Autodesk
-CVE-2022-25793
- RESERVED
+CVE-2022-25793 (A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, ...)
+ NOT-FOR-US: Autodesk
CVE-2022-25792 (A maliciously crafted DXF file in Autodesk AutoCAD 2022, 2021, 2020, 2 ...)
NOT-FOR-US: Autodesk
CVE-2022-25791 (A Memory Corruption vulnerability for DWF and DWFX files in Autodesk A ...)
@@ -30778,8 +34404,10 @@ CVE-2022-25769
RESERVED
CVE-2022-25768
RESERVED
-CVE-2022-25763
- RESERVED
+CVE-2022-25763 (Improper Input Validation vulnerability in HTTP/2 request validation o ...)
+ {DSA-5206-1}
+ - trafficserver 9.1.3+ds-1
+ NOTE: https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
CVE-2022-21182 (A privilege escalation vulnerability exists in the router configuratio ...)
NOT-FOR-US: InHand Networks InRouter302
CVE-2022-0734 (A cross-site scripting vulnerability was identified in the CGI program ...)
@@ -31041,6 +34669,8 @@ CVE-2022-21209 (The affected product is vulnerable to an out-of-bounds read whil
CVE-2022-0730 (Under certain ldap conditions, Cacti authentication can be bypassed wi ...)
{DLA-2965-1}
- cacti 1.2.20+ds1-1 (bug #1008693)
+ [bullseye] - cacti <no-dsa> (Minor issue)
+ [buster] - cacti <no-dsa> (Minor issue)
NOTE: https://github.com/Cacti/cacti/issues/4562
NOTE: https://github.com/Cacti/cacti/commit/1386bdbf7f845a32e24ac9415f3ebb7932e77fe7 (1.2.x)
NOTE: https://github.com/Cacti/cacti/commit/8694bf28edad723585915a97b95fbf5b1816a02b (1.2.x)
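Review bot: CVE-2022-0730 is already fixed in stretch via `{DLA-2965-1}`, yet the two added lines mark bullseye and buster `<no-dsa> (Minor issue)`, so the newer LTS release is left with an authentication bypass that was judged worth a DLA in the older one. If that is deliberate (for example a fix planned through a point update), the parenthetical reason should say so instead of "Minor issue"; otherwise the buster line likely wants a DLA rather than no-dsa. I cannot tell from this hunk which outcome is intended, so this is a consistency check rather than a definite error.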
@@ -31725,7 +35355,7 @@ CVE-2022-25375 (An issue was discovered in drivers/usb/gadget/function/rndis.c i
NOTE: https://github.com/szymonh/rndis-co
NOTE: https://www.openwall.com/lists/oss-security/2022/02/21/1
NOTE: https://git.kernel.org/linus/38ea1eac7d88072bbffb630e2b3db83ca649b826 (5.17-rc4)
-CVE-2022-25374 (HashiCorp Terraform Enterprise before 202202-1 inserts Sensitive Infor ...)
+CVE-2022-25374 (HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v2 ...)
NOT-FOR-US: HashiCorp Terraform Enterprise
CVE-2022-25373 (Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in ...)
NOT-FOR-US: Zoho ManageEngine
@@ -32025,6 +35655,7 @@ CVE-2022-0671 (A flaw was found in vscode-xml in versions prior to 0.19.0. Schem
CVE-2022-0670 (A flaw was found in Openstack manilla owning a Ceph File system "share ...)
- ceph 16.2.10+ds-1 (bug #1016069)
NOTE: https://ceph.io/en/news/blog/2022/v17-2-2-quincy-released/
+ NOTE: https://docs.ceph.com/en/latest/security/CVE-2022-0670/
CVE-2022-0669
RESERVED
{DSA-5130-1}
@@ -32065,9 +35696,8 @@ CVE-2022-0657 (The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress p
CVE-2022-0656 (The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not v ...)
NOT-FOR-US: WordPress plugin
CVE-2022-26520 (** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the ...)
+ {DSA-5196-1}
- libpgjava 42.3.3-1
- [bullseye] - libpgjava <no-dsa> (Requires control over connection properties)
- [buster] - libpgjava <no-dsa> (Requires control over connection properties)
[stretch] - libpgjava <no-dsa> (Requires control over connection properties)
NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8
NOTE: https://github.com/pgjdbc/pgjdbc/commit/f6d47034a4ce292e1a659fa00963f6f713117064 (REL42.3.3-rc1)
@@ -32407,8 +36037,8 @@ CVE-2022-25169 (The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.
[bullseye] - tika <no-dsa> (Minor issue)
[buster] - tika <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/05/16/4
-CVE-2022-25168
- RESERVED
+CVE-2022-25168 (Apache Hadoop's FileUtil.unTar(File, File) API does not escape the inp ...)
+ - hadoop <itp> (bug #793644)
CVE-2022-25167 (Apache Flume versions 1.4.0 through 1.9.0 are vulnerable to a remote c ...)
NOT-FOR-US: Apache Flume
CVE-2022-24435 (Cross-site scripting vulnerability in phpUploader v1.2 and earlier all ...)
@@ -32622,8 +36252,8 @@ CVE-2022-0600 (The Conference Scheduler WordPress plugin before 2.4.3 does not s
NOT-FOR-US: WordPress plugin
CVE-2022-0599 (The Mapping Multiple URLs Redirect Same Page WordPress plugin through ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-0598
- RESERVED
+CVE-2022-0598 (The Login with phone number WordPress plugin before 1.3.8 does not san ...)
+ NOT-FOR-US: WordPress plugin
CVE-2022-0597 (Open Redirect in Packagist microweber/microweber prior to 1.2.11. ...)
NOT-FOR-US: microweber
CVE-2022-0596 (Business Logic Errors in Packagist microweber/microweber prior to 1.2. ...)
@@ -33184,14 +36814,14 @@ CVE-2022-24953 (The Crypt_GPG extension before 1.6.7 for PHP does not prevent ad
- php-crypt-gpg 1.6.7-1 (bug #1005921)
[bullseye] - php-crypt-gpg 1.6.4-2+deb11u1
NOTE: https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04 (v1.6.7)
-CVE-2022-24952
- RESERVED
-CVE-2022-24951
- RESERVED
-CVE-2022-24950
- RESERVED
-CVE-2022-24949
- RESERVED
+CVE-2022-24952 (Several denial of service vulnerabilities exist in Eternal Terminal pr ...)
+ - eternal-terminal <itp> (bug #861635)
+CVE-2022-24951 (A race condition exists in Eternal Terminal prior to version 6.2.0 whi ...)
+ - eternal-terminal <itp> (bug #861635)
+CVE-2022-24950 (A race condition exists in Eternal Terminal prior to version 6.2.0 tha ...)
+ - eternal-terminal <itp> (bug #861635)
+CVE-2022-24949 (A privilege escalation to root exists in Eternal Terminal prior to ver ...)
+ - eternal-terminal <itp> (bug #861635)
CVE-2022-24948 (A carefully crafted user preferences for submission could trigger an X ...)
- jspwiki <removed>
CVE-2022-24947 (Apache JSPWiki user preferences form is vulnerable to CSRF attacks, wh ...)
@@ -33264,17 +36894,17 @@ CVE-2022-24920
RESERVED
CVE-2022-24919 (An authenticated user can create a link with reflected Javascript code ...)
{DLA-2980-1}
- - zabbix <unfixed>
+ - zabbix 1:6.0.7+dfsg-2
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1)
CVE-2022-24918 (An authenticated user can create a link with reflected Javascript code ...)
- - zabbix <unfixed>
+ - zabbix 1:6.0.7+dfsg-2
[stretch] - zabbix <not-affected> (The vulnerable code was introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1)
CVE-2022-24917 (An authenticated user can create a link with reflected Javascript code ...)
{DLA-2980-1}
- - zabbix <unfixed>
+ - zabbix 1:6.0.7+dfsg-2
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1)
CVE-2022-24911
@@ -33543,28 +37173,40 @@ CVE-2022-24811 (Combodi iTop is a web based IT Service Management tool. Prior to
NOT-FOR-US: Combodi
CVE-2022-24810 [A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference]
RESERVED
- - net-snmp <unfixed> (bug #1016139)
+ - net-snmp 5.9.3+dfsg-1 (bug #1016139)
NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937 (v5.9.2.pre1)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 (v5.9.2.pre1)
CVE-2022-24809 [A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference]
RESERVED
- - net-snmp <unfixed> (bug #1016139)
+ - net-snmp 5.9.3+dfsg-1 (bug #1016139)
NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937 (v5.9.2.pre1)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 (v5.9.2.pre1)
CVE-2022-24808 [A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference]
RESERVED
- - net-snmp <unfixed> (bug #1016139)
+ - net-snmp 5.9.3+dfsg-1 (bug #1016139)
NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937 (v5.9.2.pre1)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 (v5.9.2.pre1)
CVE-2022-24807 [A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access]
RESERVED
- - net-snmp <unfixed> (bug #1016139)
+ - net-snmp 5.9.3+dfsg-1 (bug #1016139)
NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937 (v5.9.2.pre1)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 (v5.9.2.pre1)
CVE-2022-24806 [Improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously]
RESERVED
- - net-snmp <unfixed> (bug #1016139)
+ - net-snmp 5.9.3+dfsg-1 (bug #1016139)
NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937 (v5.9.2.pre1)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 (v5.9.2.pre1)
CVE-2022-24805 [A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause an out-of-bounds memory access]
RESERVED
- - net-snmp <unfixed> (bug #1016139)
+ - net-snmp 5.9.3+dfsg-1 (bug #1016139)
NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937 (v5.9.2.pre1)
+ NOTE: https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 (v5.9.2.pre1)
CVE-2022-24804 (Discourse is an open source platform for community discussion. In stab ...)
NOT-FOR-US: Discourse
CVE-2022-24803 (Asciidoctor-include-ext is Asciidoctor&#8217;s standard include proces ...)
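Review bot: The newly added commit NOTEs on CVE-2022-24805 through CVE-2022-24810 are tagged `(v5.9.2.pre1)`, while the retained NOTE on each of the same entries still says `(fixed in 5.9.3)`; the two annotations disagree about the first upstream release carrying the fix, which is exactly what a triager needs when deciding whether a 5.9.2-based package is affected. If both commits really predate 5.9.2.pre1 the CHANGES note should be reworded, and if 5.9.3 is the first release that ships them the commit tags should read `(v5.9.3)`. Confirm against the upstream tags rather than leaving both claims side by side on six entries.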
@@ -33604,7 +37246,7 @@ CVE-2022-24794 (Express OpenID Connect is an Express JS middleware implementing
NOT-FOR-US: Express OpenID Connect
CVE-2022-24793 (PJSIP is a free and open source multimedia communication library writt ...)
{DLA-3036-1}
- - asterisk <unfixed> (bug #1014976)
+ - asterisk 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1 (bug #1014976)
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
- ring <unfixed> (bug #1014998)
@@ -33612,7 +37254,7 @@ CVE-2022-24793 (PJSIP is a free and open source multimedia communication library
NOTE: https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a
CVE-2022-24792 (PJSIP is a free and open source multimedia communication library writt ...)
{DLA-3036-1}
- - asterisk <unfixed> (bug #1014976)
+ - asterisk 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1 (bug #1014976)
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
- ring <unfixed> (unimportant)
@@ -33637,7 +37279,7 @@ CVE-2022-24788 (Vyper is a pythonic Smart Contract Language for the ethereum vir
CVE-2022-24787 (Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual M ...)
NOT-FOR-US: Vyper
CVE-2022-24786 (PJSIP is a free and open source multimedia communication library writt ...)
- - asterisk <unfixed> (bug #1014976)
+ - asterisk 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1 (bug #1014976)
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
[stretch] - pjproject <not-affected> (Vulnerable code not present)
@@ -33670,6 +37312,8 @@ CVE-2022-24777 (grpc-swift is the Swift language implementation of gRPC, a remot
NOT-FOR-US: grpc-swift
CVE-2022-24776 (Flask-AppBuilder is an application development framework, built on top ...)
- flask-appbuilder <not-affected> (Fixed before initial upload to archive)
+ NOTE: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-2ccw-7px8-vmpf
+ NOTE: https://github.com/dpgaspar/Flask-AppBuilder/pull/1804
CVE-2022-24775 (guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8 ...)
- php-guzzlehttp-psr7 1.8.5-1 (bug #1008236)
[bullseye] - php-guzzlehttp-psr7 1.7.0-1+deb11u1
@@ -33728,7 +37372,7 @@ CVE-2022-24765 (Git for Windows is a fork of Git containing Windows-specific pat
NOTE: https://github.blog/2022-04-12-git-security-vulnerability-announced/
CVE-2022-24764 (PJSIP is a free and open source multimedia communication library writt ...)
{DLA-2962-1}
- - asterisk <unfixed> (bug #1014976)
+ - asterisk 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1 (bug #1014976)
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <unfixed>
- ring <unfixed> (bug #1014998)
@@ -33736,7 +37380,7 @@ CVE-2022-24764 (PJSIP is a free and open source multimedia communication library
NOTE: https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00
CVE-2022-24763 (PJSIP is a free and open source multimedia communication library writt ...)
{DLA-3036-1}
- - asterisk <unfixed> (bug #1014976)
+ - asterisk 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1 (bug #1014976)
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
- ring <unfixed> (bug #1014998)
@@ -33856,11 +37500,13 @@ CVE-2022-24730 (Argo CD is a declarative, GitOps continuous delivery tool for Ku
CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...)
- ckeditor 4.19.0+dfsg-1
- ckeditor3 <unfixed> (bug #1015217)
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh
CVE-2022-24728 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...)
- ckeditor 4.19.0+dfsg-1
- ckeditor3 <unfixed> (bug #1015217)
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
NOTE: https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949 (4.18.0)
@@ -34043,17 +37689,17 @@ CVE-2022-24689 (An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5.
NOT-FOR-US: DSK DSKNet
CVE-2022-24688 (An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The T ...)
NOT-FOR-US: DSK DSKNet
-CVE-2022-24687 (HashiCorp Consul and Consul Enterprise 1.8.0 through 1.9.14, 1.10.7, a ...)
+CVE-2022-24687 (HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, a ...)
- consul <unfixed> (bug #1006487)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingress-gateway-panic-can-shutdown-servers/
CVE-2022-24686 (HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and ...)
- nomad <unfixed>
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559
-CVE-2022-24685 (HashiCorp Nomad and Nomad Enterprise 1.x before 1.0.17, 1.1.x before 1 ...)
+CVE-2022-24685 (HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow i ...)
- nomad <unfixed>
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/35561
NOTE: https://github.com/hashicorp/nomad/issues/12038
-CVE-2022-24684 (HashiCorp Nomad and Nomad Enterprise before 1.0.17, 1.1.x before 1.1.1 ...)
+CVE-2022-24684 (HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and ...)
- nomad <unfixed>
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/35562
NOTE: https://github.com/hashicorp/nomad/issues/12039
@@ -34173,27 +37819,29 @@ CVE-2022-0532 (An incorrect sysctls validation vulnerability was found in CRI-O
CVE-2022-0531 (The Migration, Backup, Staging WordPress plugin before 0.9.70 does not ...)
NOT-FOR-US: WordPress plugin
CVE-2022-0530 (A flaw was found in Unzip. The vulnerability occurs during the convers ...)
- - unzip <unfixed> (bug #1010355)
+ {DSA-5202-1}
+ - unzip 6.0-27 (bug #1010355)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2051395
NOTE: https://github.com/ByteHackr/unzip_poc
NOTE: Unclear status, checking with upstream
CVE-2022-0529 (A flaw was found in Unzip. The vulnerability occurs during the convers ...)
- - unzip <unfixed> (bug #1010355)
+ {DSA-5202-1}
+ - unzip 6.0-27 (bug #1010355)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2051402
NOTE: https://github.com/ByteHackr/unzip_poc
NOTE: Unclear status, checking with upstream
-CVE-2021-46681
- RESERVED
-CVE-2021-46680
- RESERVED
-CVE-2021-46679
- RESERVED
-CVE-2021-46678
- RESERVED
-CVE-2021-46677
- RESERVED
-CVE-2021-46676
- RESERVED
+CVE-2021-46681 (A XSS vulnerability exist in Pandora FMS version 756 and below, that a ...)
+ NOT-FOR-US: Pandora FMS
+CVE-2021-46680 (A XSS vulnerability exist in Pandora FMS version 756 and below, that a ...)
+ NOT-FOR-US: Pandora FMS
+CVE-2021-46679 (A XSS vulnerability exist in Pandora FMS version 756 and below, that a ...)
+ NOT-FOR-US: Pandora FMS
+CVE-2021-46678 (A XSS vulnerability exist in Pandora FMS version 756 and below, that a ...)
+ NOT-FOR-US: Pandora FMS
+CVE-2021-46677 (A XSS vulnerability exist in Pandora FMS version 756 and below, that a ...)
+ NOT-FOR-US: Pandora FMS
+CVE-2021-46676 (A XSS vulnerability exist in Pandora FMS version 756 and below, that a ...)
+ NOT-FOR-US: Pandora FMS
CVE-2022-24668 (A program using swift-nio-http2 is vulnerable to a denial of service a ...)
NOT-FOR-US: swift-nio-http2
CVE-2022-24667 (A program using swift-nio-http2 is vulnerable to a denial of service a ...)
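Review bot: Both CVE-2022-0530 and CVE-2022-0529 now carry `{DSA-5202-1}` and a fix in `unzip 6.0-27`, but the line `NOTE: Unclear status, checking with upstream` is kept on each entry and now contradicts the advisory reference. A reader cannot tell whether the status question was resolved or the DSA went out despite the doubt. Either drop the stale NOTE or replace it with the actual outcome of the upstream check, so the entry does not read as both "fixed and advised" and "unclear".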
@@ -34263,8 +37911,8 @@ CVE-2022-24656 (HexoEditor 1.1.8 is affected by Cross Site Scripting (XSS). By p
NOT-FOR-US: HexoEditor
CVE-2022-24655 (A stack overflow vulnerability exists in the upnpd service in Netgear ...)
NOT-FOR-US: Netgear
-CVE-2022-24654
- RESERVED
+CVE-2022-24654 (Authenticated stored cross-site scripting (XSS) vulnerability in "Fiel ...)
+ NOT-FOR-US: Intelbras ATA 200
CVE-2022-24653
RESERVED
CVE-2022-24652 (sentcms 4.0.x allows remote attackers to cause arbitrary file uploads ...)
@@ -34432,28 +38080,33 @@ CVE-2022-24579
RESERVED
CVE-2022-24578 (GPAC 1.0.1 is affected by a heap-based buffer overflow in SFS_AddStrin ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/1691cca3-ab54-4259-856b-751be2395b11/
NOTE: https://github.com/gpac/gpac/commit/b5741da08e88e8dcc8da0a7669b92405b9862850 (v2.0.0)
CVE-2022-24577 (GPAC 1.0.1 is affected by a NULL pointer dereference in gf_utf8_wcslen ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/0758b3a2-8ff2-45fc-8543-7633d605d24e/
NOTE: https://github.com/gpac/gpac/commit/586e817dcd531bb3e75438390f1f753cfe6e940a (v2.0.0)
CVE-2022-24576 (GPAC 1.0.1 is affected by Use After Free through MP4Box. ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2061
NOTE: https://huntr.dev/bounties/011ac07c-6139-4f43-b745-424143e60ac7/
NOTE: https://github.com/gpac/gpac/commit/96699aabae042f8f55cf8a85fa5758e3db752bae (v2.0.0)
CVE-2022-24575 (GPAC 1.0.1 is affected by a stack-based buffer overflow through MP4Box ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2058
NOTE: https://huntr.dev/bounties/1d9bf402-f756-4583-9a1d-436722609c1e/
NOTE: https://github.com/gpac/gpac/commit/b13e9986aa1134c764b0d84f0f66328429b9c2eb (v2.0.0)
CVE-2022-24574 (GPAC 1.0.1 is affected by a NULL pointer dereference in gf_dump_vrml_f ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/a08437cc-25aa-4116-8069-816f78a2247c/
NOTE: https://github.com/gpac/gpac/issues/2055
@@ -34572,8 +38225,8 @@ CVE-2022-24518 (Azure Site Recovery Elevation of Privilege Vulnerability. This C
NOT-FOR-US: Microsoft
CVE-2022-24517 (Azure Site Recovery Remote Code Execution Vulnerability. This CVE ID i ...)
NOT-FOR-US: Microsoft
-CVE-2022-24516
- RESERVED
+CVE-2022-24516 (Microsoft Exchange Server Elevation of Privilege Vulnerability. This C ...)
+ NOT-FOR-US: Microsoft
CVE-2022-24515 (Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID ...)
NOT-FOR-US: Microsoft
CVE-2022-24514
@@ -34650,8 +38303,8 @@ CVE-2022-24479 (Connected User Experiences and Telemetry Elevation of Privilege
NOT-FOR-US: Microsoft
CVE-2022-24478
RESERVED
-CVE-2022-24477
- RESERVED
+CVE-2022-24477 (Microsoft Exchange Server Elevation of Privilege Vulnerability. This C ...)
+ NOT-FOR-US: Microsoft
CVE-2022-24476
RESERVED
CVE-2022-24475 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. ...)
@@ -34894,6 +38547,9 @@ CVE-2022-21795
RESERVED
CVE-2022-21233
RESERVED
+ - intel-microcode <unfixed>
+ NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html
+ NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220809
CVE-2022-21128 (Insufficient control flow management in the Intel(R) Advisor software ...)
NOT-FOR-US: Intel
CVE-2022-0492 (A vulnerability was found in the Linux kernel&#8217;s cgroup_release_a ...)
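Review bot: The new `- intel-microcode <unfixed>` line for CVE-2022-21233 has no `(bug #…)` reference, unlike the other unfixed entries this change touches (389-ds-base, kopanocore), and the CVE remains `RESERVED` with no bracketed summary, so the entry offers a triager nothing beyond the advisory URL. Consider recording the Debian bug once filed and adding a one-line bracketed description, e.g. `CVE-2022-21233 [summary taken from INTEL-SA-00657]`, as other RESERVED entries in this file do. No per-release lines are given either, so the bullseye/buster status is currently only implicit.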
@@ -35018,7 +38674,7 @@ CVE-2022-24350
RESERVED
CVE-2022-24349 (An authenticated user can create a link with reflected XSS payload for ...)
{DLA-2980-1}
- - zabbix <unfixed>
+ - zabbix 1:6.0.7+dfsg-2
NOTE: https://support.zabbix.com/browse/ZBX-20680
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1)
CVE-2022-24348 (Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal ...)
@@ -36215,56 +39871,56 @@ CVE-2022-24031 (An issue was discovered in NvmExpressDxe in Insyde InsydeH2O wit
NOT-FOR-US: Insyde
CVE-2022-24030 (An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel ...)
NOT-FOR-US: Insyde
-CVE-2022-24029
- RESERVED
-CVE-2022-24028
- RESERVED
-CVE-2022-24027
- RESERVED
-CVE-2022-24026
- RESERVED
-CVE-2022-24025
- RESERVED
-CVE-2022-24024
- RESERVED
-CVE-2022-24023
- RESERVED
-CVE-2022-24022
- RESERVED
-CVE-2022-24021
- RESERVED
-CVE-2022-24020
- RESERVED
-CVE-2022-24019
- RESERVED
-CVE-2022-24018
- RESERVED
-CVE-2022-24017
- RESERVED
-CVE-2022-24016
- RESERVED
-CVE-2022-24015
- RESERVED
-CVE-2022-24014
- RESERVED
-CVE-2022-24013
- RESERVED
-CVE-2022-24012
- RESERVED
-CVE-2022-24011
- RESERVED
-CVE-2022-24010
- RESERVED
-CVE-2022-24009
- RESERVED
-CVE-2022-24008
- RESERVED
-CVE-2022-24007
- RESERVED
-CVE-2022-24006
- RESERVED
-CVE-2022-24005
- RESERVED
+CVE-2022-24029 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24028 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24027 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24026 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24025 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24024 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24023 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24022 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24021 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24020 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24019 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24018 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24017 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24016 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24015 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24014 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24013 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24012 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24011 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24010 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24009 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24008 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24007 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24006 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-24005 (A buffer overflow vulnerability exists in the GetValue functionality o ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
CVE-2022-0387 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...)
NOT-FOR-US: livehelperchat
CVE-2022-0386 (A post-auth SQL injection vulnerability in the Mail Manager potentiall ...)
@@ -36525,8 +40181,8 @@ CVE-2022-23975 (Cross-Site Request Forgery (CSRF) in Access Demo Importer &lt;=
NOT-FOR-US: Access Demo Importer
CVE-2022-23974 (In 0.9.3 or older versions of Apache Pinot segment upload path allowed ...)
NOT-FOR-US: Apache Pinot
-CVE-2022-23103
- RESERVED
+CVE-2022-23103 (A stack-based buffer overflow vulnerability exists in the confsrv conf ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
CVE-2022-0383 (The WP Review Slider WordPress plugin before 11.0 does not sanitise an ...)
NOT-FOR-US: WordPress plugin
CVE-2022-0382 (An information leak flaw was found due to uninitialized memory in the ...)
@@ -36774,20 +40430,20 @@ CVE-2022-23925 (Potential vulnerabilities have been identified in the system BIO
NOT-FOR-US: HP
CVE-2022-23924 (Potential vulnerabilities have been identified in the system BIOS of c ...)
NOT-FOR-US: HP
-CVE-2022-23919
- RESERVED
-CVE-2022-23918
- RESERVED
-CVE-2022-23399
- RESERVED
-CVE-2022-22144
- RESERVED
-CVE-2022-22140
- RESERVED
-CVE-2022-21201
- RESERVED
-CVE-2022-21178
- RESERVED
+CVE-2022-23919 (A stack-based buffer overflow vulnerability exists in the confsrv set_ ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-23918 (A stack-based buffer overflow vulnerability exists in the confsrv set_ ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-23399 (A stack-based buffer overflow vulnerability exists in the confsrv set_ ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-22144 (A hard-coded password vulnerability exists in the libcommonprod.so pro ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-22140 (An os command injection vulnerability exists in the confsrv ucloud_add ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-21201 (A stack-based buffer overflow vulnerability exists in the confers uclo ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
+CVE-2022-21178 (An os command injection vulnerability exists in the confsrv ucloud_add ...)
+ NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
CVE-2022-0355 (Exposure of Sensitive Information to an Unauthorized Actor in NPM simp ...)
NOT-FOR-US: simple-get nodejs module
CVE-2022-0354 (A vulnerability was reported in Lenovo System Update that could allow ...)
@@ -37294,9 +40950,9 @@ CVE-2022-0340
RESERVED
CVE-2021-4209
RESERVED
+ {DLA-3070-1}
- gnutls28 3.7.3-2
[bullseye] - gnutls28 3.7.1-5+deb11u1
- [buster] - gnutls28 <no-dsa> (Minor issue)
[stretch] - gnutls28 <postponed> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044156
NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1306
@@ -37725,8 +41381,8 @@ CVE-2022-23735
RESERVED
CVE-2022-23734
RESERVED
-CVE-2022-23733
- RESERVED
+CVE-2022-23733 (A stored XSS vulnerability was identified in GitHub Enterprise Server ...)
+ NOT-FOR-US: Github Enterprise Server
CVE-2022-23732 (A path traversal vulnerability was identified in GitHub Enterprise Ser ...)
NOT-FOR-US: Github Enterprise Server
CVE-2022-23731 (V8 javascript engine (heap vulnerability) can cause privilege escalati ...)
@@ -38390,8 +42046,8 @@ CVE-2022-23444
RESERVED
CVE-2022-23443 (An improper access control in Fortinet FortiSOAR before 7.2.0 allows u ...)
NOT-FOR-US: FortiGuard
-CVE-2022-23442
- RESERVED
+CVE-2022-23442 (An improper access control vulnerability [CWE-284] in FortiOS versions ...)
+ NOT-FOR-US: FortiGuard
CVE-2022-23441 (A use of hard-coded cryptographic key vulnerability [CWE-321] in Forti ...)
NOT-FOR-US: Fortinet
CVE-2022-23440 (A use of hard-coded cryptographic key vulnerability [CWE-321] in the r ...)
@@ -38401,7 +42057,7 @@ CVE-2022-23439
CVE-2022-23438 (An improper neutralization of input during web page generation ('Cross ...)
NOT-FOR-US: Fortinet
CVE-2022-23437 (There's a vulnerability within the Apache Xerces Java (XercesJ) XML pa ...)
- - libxerces2-java <unfixed>
+ - libxerces2-java <unfixed> (bug #1016975)
[bullseye] - libxerces2-java <postponed> (revisit when/if fix is complete)
[buster] - libxerces2-java <postponed> (revisit when/if fix is complete)
[stretch] - libxerces2-java <postponed> (revisit when/if fix is complete)
@@ -38940,13 +42596,13 @@ CVE-2021-46350 (There is an Assertion 'ecma_is_value_object (value)' failed at j
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4953
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4936
CVE-2021-46349 (There is an Assertion 'type == ECMA_OBJECT_TYPE_GENERAL || type == ECM ...)
- - iotjs <unfixed> (bug #1004288)
+ - iotjs <removed> (bug #1004288)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4954
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4937
CVE-2021-46348 (There is an Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' fa ...)
- - iotjs <unfixed> (bug #1004288)
+ - iotjs <removed> (bug #1004288)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4961
@@ -38956,7 +42612,7 @@ CVE-2021-46347 (There is an Assertion 'ecma_object_check_class_name_is_object (o
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4954
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4938
CVE-2021-46346 (There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustme ...)
- - iotjs <unfixed> (bug #1004288)
+ - iotjs <removed> (bug #1004288)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4955
@@ -38980,7 +42636,7 @@ CVE-2021-46342 (There is an Assertion 'ecma_is_lexical_environment (obj_p) || !e
CVE-2021-46341
RESERVED
CVE-2021-46340 (There is an Assertion 'context_p-&gt;stack_top_uint8 == SCAN_STACK_TRY ...)
- - iotjs <unfixed> (bug #1004288)
+ - iotjs <removed> (bug #1004288)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4964
@@ -38989,7 +42645,7 @@ CVE-2021-46339 (There is an Assertion 'lit_is_valid_cesu8_string (string_p, stri
NOTE: Not considered a security issue by iotjs project
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4935
CVE-2021-46338 (There is an Assertion 'ecma_is_lexical_environment (object_p)' failed ...)
- - iotjs <unfixed> (bug #1004288)
+ - iotjs <removed> (bug #1004288)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4943
@@ -39328,8 +42984,8 @@ CVE-2022-23240
RESERVED
CVE-2022-23239
RESERVED
-CVE-2022-23238
- RESERVED
+CVE-2022-23238 (Linux deployments of StorageGRID (formerly StorageGRID Webscale) versi ...)
+ NOT-FOR-US: StorageGRID (formerly StorageGRID Webscale)
CVE-2022-23237 (E-Series SANtricity OS Controller Software 11.x versions through 11.70 ...)
NOT-FOR-US: E-Series SANtricity OS Controller Software
CVE-2022-23236 (E-Series SANtricity OS Controller Software versions 11.40 through 11.7 ...)
@@ -39398,8 +43054,8 @@ CVE-2022-0229 (The miniOrange's Google Authenticator WordPress plugin before 5.5
NOT-FOR-US: WordPress plugin
CVE-2022-0228 (The Popup Builder WordPress plugin before 4.0.7 does not validate and ...)
NOT-FOR-US: WordPress plugin
-CVE-2021-46304
- RESERVED
+CVE-2021-46304 (A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O ...)
+ NOT-FOR-US: Siemens
CVE-2022-23222 (kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local ...)
{DSA-5050-1}
- linux 5.15.15-1
@@ -39752,17 +43408,17 @@ CVE-2022-23135 (There is a directory traversal vulnerability in some home gatewa
NOT-FOR-US: ZTE
CVE-2022-23134 (After the initial setup process, some steps of setup.php file are reac ...)
{DLA-2914-1}
- - zabbix <unfixed>
+ - zabbix 1:6.0.7+dfsg-2
NOTE: https://support.zabbix.com/browse/ZBX-20384
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa0fecfbcc9794bc00206630a7424575dfc944df (5.0.19rc2)
CVE-2022-23133 (An authenticated user can create a hosts group from the configuration ...)
- - zabbix <unfixed>
+ - zabbix 1:6.0.7+dfsg-2
[stretch] - zabbix <not-affected> (Vulnerable code introduced later, and reverted with the fix)
NOTE: https://support.zabbix.com/browse/ZBX-20388
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/74b8716a73c324e6cdbdda1de434e7872740a908 (5.0.19rc1)
NOTE: Introduced by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/f3654d0173ea244a2319a093f7c4e27ad9086dc3 (4.4.0alpha3)
CVE-2022-23132 (During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability i ...)
- - zabbix <unfixed>
+ - zabbix 1:6.0.7+dfsg-2
[stretch] - zabbix <not-affected> (Not using RPM or DAC_OVERRIDE in Debian installs, zbx_ipc_service_init_env() not present)
NOTE: https://support.zabbix.com/browse/ZBX-20341
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/019fbd9b5cc9c455304f1a48460435ca474ba2ac (5.0.18)
@@ -40176,14 +43832,14 @@ CVE-2022-23006
RESERVED
CVE-2022-23005
RESERVED
-CVE-2022-23004
- RESERVED
-CVE-2022-23003
- RESERVED
-CVE-2022-23002
- RESERVED
-CVE-2022-23001
- RESERVED
+CVE-2022-23004 (When computing a shared secret or point multiplication on the NIST P-2 ...)
+ NOT-FOR-US: Western Digital
+CVE-2022-23003 (When computing a shared secret or point multiplication on the NIST P-2 ...)
+ NOT-FOR-US: Western Digital
+CVE-2022-23002 (When compressing or decompressing a point on the NIST P-256 elliptic c ...)
+ NOT-FOR-US: Western Digital
+CVE-2022-23001 (When compressing or decompressing elliptic curve points using the Swee ...)
+ NOT-FOR-US: Western Digital
CVE-2022-23000 (The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a ...)
NOT-FOR-US: Western Digital
CVE-2022-22999 (Western Digital My Cloud devices are vulnerable to a cross side script ...)
@@ -40234,8 +43890,8 @@ CVE-2021-4204 [eBPF Improper Input Validation Vulnerability]
[buster] - linux <not-affected> (Vulnerable code introduced later)
[stretch] - linux <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2022/01/11/4
-CVE-2022-22983
- RESERVED
+CVE-2022-22983 (VMware Workstation (16.x prior to 16.2.4) contains an unprotected stor ...)
+ NOT-FOR-US: VMware
CVE-2022-22982 (The vCenter Server contains a server-side request forgery (SSRF) vulne ...)
NOT-FOR-US: VMWare
CVE-2022-22981
@@ -40260,10 +43916,12 @@ CVE-2022-22972 (VMware Workspace ONE Access, Identity Manager and vRealize Autom
NOT-FOR-US: VMware
CVE-2022-22971 (In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupp ...)
- libspring-java <unfixed>
+ [buster] - libspring-java <end-of-life> (No longer supported in LTS)
[stretch] - libspring-java <end-of-life> (No longer supported in LTS)
NOTE: https://tanzu.vmware.com/security/cve-2022-22971
CVE-2022-22970 (In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupp ...)
- libspring-java <unfixed>
+ [buster] - libspring-java <end-of-life> (No longer supported in LTS)
[stretch] - libspring-java <end-of-life> (No longer supported in LTS)
NOTE: https://tanzu.vmware.com/security/cve-2022-22970
CVE-2022-22969 (&lt;Issue Description&gt; Spring Security OAuth versions 2.5.x prior t ...)
@@ -40445,37 +44103,37 @@ CVE-2022-22897
CVE-2022-22896
RESERVED
CVE-2022-22895 (Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ...)
- - iotjs <unfixed> (bug #1004298)
+ - iotjs <removed> (bug #1004298)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4850
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4882
CVE-2022-22894 (Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_ ...)
- - iotjs <unfixed> (bug #1004298)
+ - iotjs <removed> (bug #1004298)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4890
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4899
CVE-2022-22893 (Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_lo ...)
- - iotjs <unfixed> (bug #1004298)
+ - iotjs <removed> (bug #1004298)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4901
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4945
CVE-2022-22892 (There is an Assertion 'ecma_is_value_undefined (value) || ecma_is_valu ...)
- - iotjs <unfixed> (bug #1004298)
+ - iotjs <removed> (bug #1004298)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4872
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4878
CVE-2022-22891 (Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via e ...)
- - iotjs <unfixed> (bug #1004298)
+ - iotjs <removed> (bug #1004298)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4871
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4885
CVE-2022-22890 (There is an Assertion 'arguments_type != SCANNER_ARGUMENTS_PRESENT &am ...)
- - iotjs <unfixed> (bug #1004298)
+ - iotjs <removed> (bug #1004298)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4849
@@ -40483,7 +44141,7 @@ CVE-2022-22890 (There is an Assertion 'arguments_type != SCANNER_ARGUMENTS_PRESE
CVE-2022-22889
RESERVED
CVE-2022-22888 (Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_ ...)
- - iotjs <unfixed> (bug #1004298)
+ - iotjs <removed> (bug #1004298)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4877
@@ -40858,7 +44516,7 @@ CVE-2021-46172
CVE-2021-46171 (Modex v2.11 was discovered to contain a NULL pointer dereference in se ...)
NOT-FOR-US: Modex
CVE-2021-46170 (An issue was discovered in JerryScript commit a6ab5e9. There is an Use ...)
- - iotjs <unfixed> (bug #1015219)
+ - iotjs <removed> (bug #1015219)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4917
@@ -41873,6 +45531,7 @@ CVE-2022-22577 (An XSS Vulnerability in Action Pack &gt;= 5.2.0 and &lt; 5.2.0 t
NOTE: https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508 (v6.0.4.8)
NOTE: https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809 (v5.2.7.1)
CVE-2022-22576 (An improper authentication vulnerability exists in curl 7.33.0 to and ...)
+ {DSA-5197-1}
- curl 7.83.0-1 (bug #1010295)
NOTE: https://curl.se/docs/CVE-2022-22576.html
NOTE: Fixed by: https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 (curl-7_83_0)
@@ -42202,8 +45861,8 @@ CVE-2022-22507
RESERVED
CVE-2022-22506
RESERVED
-CVE-2022-22505
- RESERVED
+CVE-2022-22505 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 contains a v ...)
+ NOT-FOR-US: IBM
CVE-2022-22504
RESERVED
CVE-2022-22503
@@ -42232,8 +45891,8 @@ CVE-2022-22492
RESERVED
CVE-2022-22491
RESERVED
-CVE-2022-22490
- RESERVED
+CVE-2022-22490 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow ...)
+ NOT-FOR-US: IBM
CVE-2022-22489
RESERVED
CVE-2022-22488
@@ -42390,8 +46049,8 @@ CVE-2022-22413 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vul
NOT-FOR-US: IBM
CVE-2022-22412 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow ...)
NOT-FOR-US: IBM
-CVE-2022-22411
- RESERVED
+CVE-2022-22411 (IBM Spectrum Scale Data Access Services (DAS) 5.1.3.1 could allow an a ...)
+ NOT-FOR-US: IBM
CVE-2022-22410 (IBM Watson Query with Cloud Pak for Data as a Service could allow an a ...)
NOT-FOR-US: IBM
CVE-2022-22409
@@ -42474,8 +46133,8 @@ CVE-2022-22371
RESERVED
CVE-2022-22370 (IBM Security Verify Access 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 ...)
NOT-FOR-US: IBM
-CVE-2022-22369
- RESERVED
+CVE-2022-22369 (IBM Workload Scheduler 9.4 and 9.5 could allow a local user to overwri ...)
+ NOT-FOR-US: IBM
CVE-2022-22368 (IBM Spectrum Scale 5.1.0 through 5.1.3.0 uses weaker than expected cry ...)
NOT-FOR-US: IBM
CVE-2022-22367 (IBM UrbanCode Deploy (UCD) 6.2.7.15, 7.0.5.10, 7.1.2.6, and 7.2.2.1 co ...)
@@ -42544,8 +46203,8 @@ CVE-2022-22336 (IBM Sterling External Authentication Server and IBM Sterling Sec
NOT-FOR-US: IBM
CVE-2022-22335
RESERVED
-CVE-2022-22334
- RESERVED
+CVE-2022-22334 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow ...)
+ NOT-FOR-US: IBM
CVE-2022-22333 (IBM Sterling Secure Proxy 6.0.3.0, 6.0.2.0, and 3.4.3.2 and IBM Sterli ...)
NOT-FOR-US: IBM
CVE-2022-22332 (IBM Sterling Partner Engagement Manager 6.2.0 could allow an attacker ...)
@@ -42560,8 +46219,8 @@ CVE-2022-22328 (IBM SterlingPartner Engagement Manager 6.2.0 could allow a malic
NOT-FOR-US: IBM
CVE-2022-22327 (IBM UrbanCode Deploy (UCD) 7.0.5, 7.1.0, 7.1.1, and 7.1.2 uses weaker ...)
NOT-FOR-US: IBM
-CVE-2022-22326
- RESERVED
+CVE-2022-22326 (IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0 ...)
+ NOT-FOR-US: IBM
CVE-2022-22325 (IBM MQ (IBM MQ for HPE NonStop 8.1.0) can inadvertently disclose sensi ...)
NOT-FOR-US: IBM
CVE-2022-22324
@@ -42618,8 +46277,8 @@ CVE-2022-22301 (An improper neutralization of special elements used in an OS Com
NOT-FOR-US: FortiGuard
CVE-2022-22300 (A improper handling of insufficient permissions or privileges in Forti ...)
NOT-FOR-US: FortiGuard
-CVE-2022-22299
- RESERVED
+CVE-2022-22299 (A format string vulnerability [CWE-134] in the command line interprete ...)
+ NOT-FOR-US: FortiNet
CVE-2022-22298
RESERVED
CVE-2022-22297
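Review bot: The added line `+ NOT-FOR-US: FortiNet` spells the vendor differently from the neighbouring context lines in the same hunk (`NOT-FOR-US: FortiGuard`) and from the `NOT-FOR-US: Fortinet` already used for CVE-2022-23438 and CVE-2022-23441 elsewhere in this diff; since this field is what tooling and grep searches key on when listing vendor-specific entries, a single canonical spelling such as `NOT-FOR-US: Fortinet` would keep those lookups complete. The same point applies to the CVE-2022-22280 hunk, where the new line reads `NOT-FOR-US: Sonicwall` while the CVE-2022-22282 and CVE-2022-22281 lines just above use `SonicWall` (the file appears to carry both spellings already, judging by the CVE-2022-22279 context line).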
@@ -42640,6 +46299,8 @@ CVE-2022-0085 (Server-Side Request Forgery (SSRF) in GitHub repository dompdf/do
CVE-2022-0084
RESERVED
- jboss-xnio <unfixed> (bug #1013280)
+ [bullseye] - jboss-xnio <no-dsa> (Minor issue)
+ [buster] - jboss-xnio <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2064226
CVE-2021-46129
RESERVED
@@ -43330,8 +46991,8 @@ CVE-2022-22282 (SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earli
NOT-FOR-US: SonicWall
CVE-2022-22281 (A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender W ...)
NOT-FOR-US: SonicWall
-CVE-2022-22280
- RESERVED
+CVE-2022-22280 (Improper Neutralization of Special Elements used in an SQL Command lea ...)
+ NOT-FOR-US: Sonicwall
CVE-2022-22279 (** UNSUPPORTED WHEN ASSIGNED ** A post-authentication arbitrary file r ...)
NOT-FOR-US: Sonicwall
CVE-2022-22278 (A vulnerability in SonicOS CFS (Content filtering service) returns a l ...)
@@ -43495,8 +47156,8 @@ CVE-2022-0030
RESERVED
CVE-2022-0029
RESERVED
-CVE-2022-0028
- RESERVED
+CVE-2022-0028 (A PAN-OS URL filtering policy misconfiguration could allow a network-b ...)
+ NOT-FOR-US: Palo Alto Networks
CVE-2022-0027 (An improper authorization vulnerability in Palo Alto Network Cortex XS ...)
NOT-FOR-US: Palo Alto Networks software
CVE-2022-0026 (A local privilege escalation (PE) vulnerability exists in Palo Alto Ne ...)
@@ -43803,6 +47464,7 @@ CVE-2021-45832 (A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.
NOTE: Negligible security impact, malicous scientific data has more issues than a crash...
CVE-2021-45831 (A Null Pointer Dereference vulnerability exitgs in GPAC 1.0.1 in MP4Bo ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1990
NOTE: https://github.com/gpac/gpac/commit/4613a35362e15a6df90453bd632d083645e5a765 (v2.0.0)
@@ -45610,11 +49272,13 @@ CVE-2021-45293 (A Denial of Service vulnerability exists in Binaryen 103 due to
NOTE: Crash in CLI tool, no security impact
CVE-2021-45292 (The gf_isom_hint_rtp_read function in GPAC 1.0.1 allows attackers to c ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1958
NOTE: https://github.com/gpac/gpac/commit/3dafcb5e71e9ffebb50238784dcad8b105da81f6 (v2.0.0)
CVE-2021-45291 (The gf_dump_setup function in GPAC 1.0.1 allows malicoius users to cau ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1955
NOTE: https://github.com/gpac/gpac/commit/a07c64979af592aad56bc175157b7397e43fa9cc (v2.0.0)
@@ -45626,11 +49290,13 @@ CVE-2021-45290 (A Denial of Service vulnerability exits in Binaryen 103 due to a
NOTE: Crash in CLI tool, no security impact
CVE-2021-45289 (A vulnerability exists in GPAC 1.0.1 due to an omission of security-re ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1972
NOTE: https://github.com/gpac/gpac/commit/5e1f084e0c6ad2736c9913715c4abb57c554209d (v2.0.0)
CVE-2021-45288 (A Double Free vulnerability exists in filedump.c in GPAC 1.0.1, which ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1956
NOTE: https://github.com/gpac/gpac/commit/9bbce9634cba1128aa4b96d590be578ae3ce80b3 (v2.0.0)
@@ -45676,11 +49342,13 @@ CVE-2021-45268 (** DISPUTED ** A Cross Site Request Forgery (CSRF) vulnerability
NOT-FOR-US: Backdrop CMS
CVE-2021-45267 (An invalid memory address dereference vulnerability exists in gpac 1.1 ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1965
NOTE: https://github.com/gpac/gpac/commit/29f31f431b18278b94c659452562e8a027436487 (v2.0.0)
CVE-2021-45266 (A null pointer dereference vulnerability exists in gpac 1.1.0 via the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1985
NOTE: https://github.com/gpac/gpac/commit/76b9e3f578a056fee07a4b317f5b36a83d01810e (v2.0.0)
@@ -45690,11 +49358,13 @@ CVE-2021-45264
RESERVED
CVE-2021-45263 (An invalid free vulnerability exists in gpac 1.1.0 via the gf_svg_dele ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1975
NOTE: https://github.com/gpac/gpac/commit/b232648da3b111a0efe500501ee8ca8f32b616e9 (v2.0.0)
CVE-2021-45262 (An invalid free vulnerability exists in gpac 1.1.0 via the gf_sg_comma ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1980
NOTE: https://github.com/gpac/gpac/commit/ef86a8eba3b166b885dec219066dd3a47501e03a (v2.0.0)
@@ -45941,10 +49611,10 @@ CVE-2022-21982
RESERVED
CVE-2022-21981 (Windows Common Log File System Driver Elevation of Privilege Vulnerabi ...)
NOT-FOR-US: Microsoft
-CVE-2022-21980
- RESERVED
-CVE-2022-21979
- RESERVED
+CVE-2022-21980 (Microsoft Exchange Server Elevation of Privilege Vulnerability. This C ...)
+ NOT-FOR-US: Microsoft
+CVE-2022-21979 (Microsoft Exchange Information Disclosure Vulnerability. This CVE ID i ...)
+ NOT-FOR-US: Microsoft
CVE-2022-21978 (Microsoft Exchange Server Elevation of Privilege Vulnerability. ...)
NOT-FOR-US: Microsoft
CVE-2022-21977 (Media Foundation Information Disclosure Vulnerability. This CVE ID is ...)
@@ -47098,53 +50768,63 @@ CVE-2021-44928
RESERVED
CVE-2021-44927 (A null pointer dereference vulnerability exists in gpac 1.1.0 in the g ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1960
NOTE: https://github.com/gpac/gpac/commit/eaea647cc7dec7b452c17e72f4ce46be35348c92 (v2.0.0)
CVE-2021-44926 (A null pointer dereference vulnerability exists in gpac 1.1.0-DEV in t ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1961
NOTE: https://github.com/gpac/gpac/commit/f73da86bf32992f62b9ff2b9c9e853e3c97edf8e (v2.0.0)
CVE-2021-44925 (A null pointer dereference vulnerability exists in gpac 1.1.0 in the g ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1967
NOTE: https://github.com/gpac/gpac/commit/a5a8dbcdd95666f763fe59ab65154ae9271a18f2 (v2.0.0)
CVE-2021-44924 (An infinite loop vulnerability exists in gpac 1.1.0 in the gf_log func ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1959
NOTE: https://github.com/gpac/gpac/commit/e2acb1511d1e69115141ea3080afd1cce6a15497 (v2.0.0)
CVE-2021-44923 (A null pointer dereference vulnerability exists in gpac 1.1.0 in the g ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1962
NOTE: https://github.com/gpac/gpac/commit/8a3c021109d26894c3cb85c9d7cda5780a3a2229 (v2.0.0)
CVE-2021-44922 (A null pointer dereference vulnerability exists in gpac 1.1.0 in the B ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1969
NOTE: https://github.com/gpac/gpac/issues/1968
NOTE: https://github.com/gpac/gpac/commit/75474199cf7187868fa4be4e76377db3c659ee9a (v2.0.0)
CVE-2021-44921 (A null pointer dereference vulnerability exists in gpac 1.1.0 in the g ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1964
NOTE: https://github.com/gpac/gpac/commit/5b4a6417a90223f1ef6c0b41b055716f7bfbbca2 (v2.0.0)
CVE-2021-44920 (An invalid memory address dereference vulnerability exists in gpac 1.1 ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1957
NOTE: https://github.com/gpac/gpac/commit/339fe399e7c8eab748bab76e9e6a9da7e117eeb4 (v2.0.0)
CVE-2021-44919 (A Null Pointer Dereference vulnerability exists in the gf_sg_vrml_mf_a ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1963
NOTE: https://github.com/gpac/gpac/issues/1962
NOTE: https://github.com/gpac/gpac/commit/8a3c021109d26894c3cb85c9d7cda5780a3a2229 (v2.0.0)
CVE-2021-44918 (A Null Pointer Dereference vulnerability exists in gpac 1.1.0 in the g ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1968
NOTE: https://github.com/gpac/gpac/commit/75474199cf7187868fa4be4e76377db3c659ee9a (v2.0.0)
@@ -47828,8 +51508,8 @@ CVE-2021-44722
RESERVED
CVE-2021-44721
RESERVED
-CVE-2021-44720
- RESERVED
+CVE-2021-44720 (In Ivanti Pulse Secure Pulse Connect Secure (PCS) before 9.1R12, the a ...)
+ NOT-FOR-US: Ivanti
CVE-2021-44719 (Docker Desktop 4.3.0 has Incorrect Access Control. ...)
NOT-FOR-US: Docker Desktop on MacOS
CVE-2021-44718
@@ -48044,8 +51724,11 @@ CVE-2021-44648 (GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow
NOTE: https://sahildhar.github.io/blogpost/GdkPixbuf-Heap-Buffer-Overflow-in-lzw_decoder_new/
NOTE: Introduced by: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/b88f1ce91a610a4e491a4ad6352183791e78afac (2.39.2)
NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/130
+ NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/19ebba03117aefc9d0312f675f3a210ffdcc4907 (2.42.9)
+ NOTE: Tests: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/449441210921c8ed417b0c4d5edbccd2d57e23f8
CVE-2021-44647 (Lua v5.4.3 and above are affected by SEGV by type confusion in funcnam ...)
- lua5.4 5.4.4-1 (bug #1004189)
+ [bullseye] - lua5.4 <no-dsa> (Minor issue)
- lua5.3 <not-affected> (Specific to 5.4)
- lua5.2 <not-affected> (Specific to 5.4)
- lua5.1 <not-affected> (Specific to 5.4)
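Review bot: The two added NOTE lines for CVE-2021-44648 record the upstream fix (`Fixed by: .../commit/19ebba03117aefc9d0312f675f3a210ffdcc4907 (2.42.9)`), but the hunk does not touch the gdk-pixbuf package status line of that entry, which lies above the hunk start; if that line still marks the issue as unfixed, the Debian version carrying the upstream fix should be recorded alongside the note so the tracker's status does not lag the evidence it cites. The CVE-2021-44648 entry begins outside the hunk, so whether the status line was updated in an earlier commit cannot be confirmed from this diff alone.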
@@ -49277,16 +52960,16 @@ CVE-2021-44232 (SAF-T Framework Transaction SAFTN_G allows an attacker to exploi
NOT-FOR-US: SAP
CVE-2021-44231 (Internally used text extraction reports allow an attacker to inject co ...)
NOT-FOR-US: SAP
-CVE-2022-21792
- RESERVED
-CVE-2022-21791
- RESERVED
-CVE-2022-21790
- RESERVED
-CVE-2022-21789
- RESERVED
-CVE-2022-21788
- RESERVED
+CVE-2022-21792 (In camera isp, there is a possible out of bounds write due to a missin ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-21791 (In camera isp, there is a possible out of bounds read due to a missing ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-21790 (In camera isp, there is a possible out of bounds read due to a missing ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-21789 (In audio ipi, there is a possible memory corruption due to a race cond ...)
+ NOT-FOR-US: MediaTek driver for Android
+CVE-2022-21788 (In scp, there is a possible undefined behavior due to incorrect error ...)
+ NOT-FOR-US: MediaTek driver for Android
CVE-2022-21787 (In audio DSP, there is a possible out of bounds write due to a missing ...)
NOT-FOR-US: MediaTek driver for Android
CVE-2022-21786 (In audio DSP, there is a possible memory corruption due to improper ca ...)
@@ -50059,7 +53742,9 @@ CVE-2021-3979 [ceph: Ceph volume does not honour osd_dmcrypt_key_size]
[buster] - ceph <no-dsa> (Minor issue)
[stretch] - ceph <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/01/11/5
- NOTE: https://github.com/ceph/ceph/commit/47c33179f9a15ae95cc1579a421be89378602656
+ NOTE: https://tracker.ceph.com/issues/54006
+ NOTE: https://github.com/ceph/ceph/commit/47c33179f9a15ae95cc1579a421be89378602656 (main)
+ NOTE: https://github.com/ceph/ceph/commit/f69339e00f582ec64b843ff58b66817975fca0d7 (v16.2.8)
CVE-2021-44034
RESERVED
CVE-2021-44033 (In Ionic Identity Vault before 5.0.5, the protection mechanism for inv ...)
@@ -50302,7 +53987,7 @@ CVE-2022-21726 (Tensorflow is an Open Source Machine Learning Framework. The imp
CVE-2022-21725 (Tensorflow is an Open Source Machine Learning Framework. The estimator ...)
- tensorflow <itp> (bug #804612)
CVE-2022-21724 (pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was foun ...)
- {DLA-3018-1}
+ {DSA-5196-1 DLA-3018-1}
- libpgjava 42.3.2-1
NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
NOTE: https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813 (REL42.3.2)
@@ -51199,7 +54884,7 @@ CVE-2022-21571 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virt
CVE-2022-21570 (Vulnerability in the Oracle Coherence product of Oracle Fusion Middlew ...)
NOT-FOR-US: Oracle
CVE-2022-21569 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21568 (Vulnerability in the Oracle iReceivables product of Oracle E-Business ...)
NOT-FOR-US: Oracle
CVE-2022-21567 (Vulnerability in the Oracle Workflow product of Oracle E-Business Suit ...)
@@ -51225,13 +54910,13 @@ CVE-2022-21558 (Vulnerability in the Oracle Crystal Ball product of Oracle Const
CVE-2022-21557 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...)
NOT-FOR-US: Oracle
CVE-2022-21556 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21555 (Vulnerability in the MySQL Shell for VS Code product of Oracle MySQL ( ...)
NOT-FOR-US: MySQL Shell for VS Code
CVE-2022-21554 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...)
- virtualbox 6.1.36-dfsg-1
CVE-2022-21553 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21552 (Vulnerability in the Oracle WebCenter Content product of Oracle Fusion ...)
NOT-FOR-US: Oracle
CVE-2022-21551 (Vulnerability in Oracle GoldenGate (component: Oracle GoldenGate). The ...)
@@ -51244,7 +54929,7 @@ CVE-2022-21549 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E
CVE-2022-21548 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...)
NOT-FOR-US: Oracle
CVE-2022-21547 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21546
RESERVED
CVE-2022-21545 (Vulnerability in the Oracle iRecruitment product of Oracle E-Business ...)
@@ -51266,41 +54951,41 @@ CVE-2022-21540 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E
- openjdk-11 11.0.16+8-1
- openjdk-17 17.0.4+8-1
CVE-2022-21539 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21538 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21537 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21536 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...)
NOT-FOR-US: Oracle
CVE-2022-21535 (Vulnerability in the MySQL Shell product of Oracle MySQL (component: S ...)
NOT-FOR-US: MySQL Shell
CVE-2022-21534 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21533 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...)
NOT-FOR-US: Oracle
CVE-2022-21532 (Vulnerability in the JD Edwards EnterpriseOne Orchestrator product of ...)
NOT-FOR-US: Oracle
CVE-2022-21531 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21530 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21529 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21528 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21527 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21526 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21525 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21524 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...)
NOT-FOR-US: Oracle
CVE-2022-21523 (Vulnerability in the Oracle BI Publisher product of Oracle Fusion Midd ...)
NOT-FOR-US: Oracle
CVE-2022-21522 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21521 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...)
NOT-FOR-US: Oracle
CVE-2022-21520 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...)
@@ -51310,12 +54995,12 @@ CVE-2022-21519 (Vulnerability in the MySQL Cluster product of Oracle MySQL (comp
CVE-2022-21518 (Vulnerability in the Oracle Health Sciences Data Management Workbench ...)
NOT-FOR-US: Oracle
CVE-2022-21517 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21516 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...)
NOT-FOR-US: Oracle
CVE-2022-21515 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mysql-5.7 <removed>
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21514 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...)
NOT-FOR-US: Oracle
CVE-2022-21513 (Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracl ...)
@@ -51327,7 +55012,7 @@ CVE-2022-21511 (Vulnerability in the Oracle Database - Enterprise Edition Recove
CVE-2022-21510 (Vulnerability in the Oracle Database - Enterprise Edition Sharding com ...)
NOT-FOR-US: Oracle
CVE-2022-21509 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21508 (Vulnerability in Oracle Essbase (component: Security and Provisioning) ...)
NOT-FOR-US: Oracle
CVE-2022-21507
@@ -51336,7 +55021,9 @@ CVE-2022-21506
RESERVED
CVE-2022-21505
RESERVED
- - linux <unfixed>
+ - linux 5.18.16-1
+ [bullseye] - linux 5.10.136-1
+ [buster] - linux <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2022/07/19/4
NOTE: https://git.kernel.org/linus/543ce63b664e2c2f9533d089a4664b559c3e6b5b (v5.19-rc8)
CVE-2022-21504 (The code in UEK6 U3 was missing an appropiate file descriptor count to ...)
@@ -51452,7 +55139,7 @@ CVE-2022-21457 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
CVE-2022-21456 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...)
NOT-FOR-US: Oracle
CVE-2022-21455 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-8.0 <unfixed> (bug #1015789)
+ - mysql-8.0 8.0.30-1 (bug #1015789)
CVE-2022-21454 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mysql-5.7 <removed>
- mysql-8.0 8.0.29-1
@@ -52795,8 +56482,8 @@ CVE-2021-43505 (Multiple Cross Site Scripting (XSS) vulnerabilities exist in Sso
NOT-FOR-US: Sourcecodester Simple Client Management System
CVE-2021-43504
RESERVED
-CVE-2021-43503 (A Remote Code Execution (RCE) vulnerability exists in h laravel 5.8.38 ...)
- NOTE: Disputed Laravel issue
+CVE-2021-43503
+ REJECTED
CVE-2021-43502
RESERVED
CVE-2021-43501
@@ -52898,7 +56585,7 @@ CVE-2021-43455 (An Unquoted Service Path vulnerability exists in FreeLAN 2.2 via
CVE-2021-43454 (An Unquoted Service Path vulnerability exists in AnyTXT Searcher 1.2.3 ...)
NOT-FOR-US: AnyTXT Searcher for Windows
CVE-2021-43453 (A Heap-based Buffer Overflow vulnerability exists in JerryScript 2.4.0 ...)
- - iotjs <unfixed> (bug #1015219)
+ - iotjs <removed> (bug #1015219)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4808
@@ -53846,8 +57533,8 @@ CVE-2022-20916 (A vulnerability in the web-based management interface of Cisco I
NOT-FOR-US: Cisco
CVE-2022-20915
RESERVED
-CVE-2022-20914
- RESERVED
+CVE-2022-20914 (A vulnerability in the External RESTful Services (ERS) API of Cisco Id ...)
+ NOT-FOR-US: Cisco
CVE-2022-20913 (A vulnerability in Cisco Nexus Dashboard could allow an authenticated, ...)
NOT-FOR-US: Cisco
CVE-2022-20912 (Multiple vulnerabilities in the web-based management interface of Cisc ...)
@@ -53936,14 +57623,14 @@ CVE-2022-20871
RESERVED
CVE-2022-20870
RESERVED
-CVE-2022-20869
- RESERVED
+CVE-2022-20869 (A vulnerability in the web-based management interface of Cisco BroadWo ...)
+ NOT-FOR-US: Cisco
CVE-2022-20868
RESERVED
CVE-2022-20867
RESERVED
-CVE-2022-20866
- RESERVED
+CVE-2022-20866 (A vulnerability in the handling of RSA keys on devices running Cisco A ...)
+ NOT-FOR-US: Cisco
CVE-2022-20865
RESERVED
CVE-2022-20864
@@ -53970,8 +57657,8 @@ CVE-2022-20854
RESERVED
CVE-2022-20853
RESERVED
-CVE-2022-20852
- RESERVED
+CVE-2022-20852 (Multiple vulnerabilities in the web interface of Cisco Webex Meetings ...)
+ NOT-FOR-US: Cisco
CVE-2022-20851
RESERVED
CVE-2022-20850
@@ -53990,10 +57677,10 @@ CVE-2022-20844
RESERVED
CVE-2022-20843
RESERVED
-CVE-2022-20842
- RESERVED
-CVE-2022-20841
- RESERVED
+CVE-2022-20842 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...)
+ NOT-FOR-US: Cisco
+CVE-2022-20841 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...)
+ NOT-FOR-US: Cisco
CVE-2022-20840
RESERVED
CVE-2022-20839
@@ -54020,8 +57707,8 @@ CVE-2022-20829 (A vulnerability in the packaging of Cisco Adaptive Security Devi
NOT-FOR-US: Cisco
CVE-2022-20828 (A vulnerability in the CLI parser of Cisco FirePOWER Software for Adap ...)
NOT-FOR-US: Cisco
-CVE-2022-20827
- RESERVED
+CVE-2022-20827 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...)
+ NOT-FOR-US: Cisco
CVE-2022-20826
RESERVED
CVE-2022-20825 (A vulnerability in the web-based management interface of Cisco Small B ...)
@@ -54034,16 +57721,16 @@ CVE-2022-20822
RESERVED
CVE-2022-20821 (A vulnerability in the health check RPM of Cisco IOS XR Software could ...)
NOT-FOR-US: Cisco
-CVE-2022-20820
- RESERVED
+CVE-2022-20820 (Multiple vulnerabilities in the web interface of Cisco Webex Meetings ...)
+ NOT-FOR-US: Cisco
CVE-2022-20819 (A vulnerability in the web-based management interface of Cisco Identit ...)
NOT-FOR-US: Cisco
CVE-2022-20818
RESERVED
CVE-2022-20817 (A vulnerability in Cisco Unified IP Phones could allow an unauthentica ...)
NOT-FOR-US: Cisco
-CVE-2022-20816
- RESERVED
+CVE-2022-20816 (A vulnerability in the web-based management interface of Cisco Unified ...)
+ NOT-FOR-US: Cisco
CVE-2022-20815 (A vulnerability in the web-based management interface of Cisco Unified ...)
NOT-FOR-US: Cisco
CVE-2022-20814
@@ -54096,8 +57783,7 @@ CVE-2022-20794 (Multiple vulnerabilities in the web engine of Cisco TelePresence
NOT-FOR-US: Cisco
CVE-2022-20793
RESERVED
-CVE-2022-20792
- RESERVED
+CVE-2022-20792 (A vulnerability in the regex module used by the signature database loa ...)
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
[bullseye] - clamav 0.103.6+dfsg-0+deb11u1
@@ -54271,8 +57957,8 @@ CVE-2022-20715 (A vulnerability in the remote access SSL VPN features of Cisco A
NOT-FOR-US: Cisco
CVE-2022-20714 (A vulnerability in the data plane microcode of Lightspeed-Plus line ca ...)
NOT-FOR-US: Cisco
-CVE-2022-20713
- RESERVED
+CVE-2022-20713 (A vulnerability in the Clientless SSL VPN (WebVPN) component of Cisco ...)
+ NOT-FOR-US: Cisco
CVE-2022-20712 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...)
NOT-FOR-US: Cisco Small Business RV Series Routers
CVE-2022-20711 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...)
@@ -54621,9 +58307,9 @@ CVE-2021-43181 (In JetBrains Hub before 2021.1.13690, stored XSS is possible. ..
CVE-2021-43180 (In JetBrains Hub before 2021.1.13690, information disclosure via avata ...)
NOT-FOR-US: JetBrains Hub
CVE-2021-43179
- RESERVED
+ REJECTED
CVE-2021-43178
- RESERVED
+ REJECTED
CVE-2021-43177 (As a result of an incomplete fix for CVE-2015-7225, in versions of dev ...)
- ruby-devise-two-factor 4.0.2-1 (bug #1009636)
NOTE: https://github.com/tinfoil/devise-two-factor/security/advisories/GHSA-jm35-h8q2-73mp
@@ -55415,7 +59101,7 @@ CVE-2021-42865
CVE-2021-42864
RESERVED
CVE-2021-42863 (A buffer overflow in ecma_builtin_typedarray_prototype_filter() in Jer ...)
- - iotjs <unfixed> (bug #1015219)
+ - iotjs <removed> (bug #1015219)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4793
@@ -55707,10 +59393,10 @@ CVE-2021-42753 (An improper limitation of a pathname to a restricted directory (
NOT-FOR-US: FortiGuard
CVE-2021-42752 (A improper neutralization of input during web page generation ('cross- ...)
NOT-FOR-US: FortiGuard
-CVE-2021-42751
- RESERVED
-CVE-2021-42750
- RESERVED
+CVE-2021-42751 (A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoa ...)
+ NOT-FOR-US: ThingsBoard
+CVE-2021-42750 (A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoa ...)
+ NOT-FOR-US: ThingsBoard
CVE-2021-42749 (In Beaver Themer, attackers can bypass conditional logic controls (for ...)
NOT-FOR-US: Beaver
CVE-2021-42748 (In Beaver Builder through 2.5.0.3, attackers can bypass the visibility ...)
@@ -56737,24 +60423,24 @@ CVE-2022-20410
RESERVED
CVE-2022-20409
RESERVED
-CVE-2022-20408
- RESERVED
-CVE-2022-20407
- RESERVED
-CVE-2022-20406
- RESERVED
-CVE-2022-20405
- RESERVED
-CVE-2022-20404
- RESERVED
-CVE-2022-20403
- RESERVED
-CVE-2022-20402
- RESERVED
-CVE-2022-20401
- RESERVED
-CVE-2022-20400
- RESERVED
+CVE-2022-20408 (Product: AndroidVersions: Android kernelAndroid ID: A-204782372Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20407 (Product: AndroidVersions: Android kernelAndroid ID: A-210916981Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20406 (Product: AndroidVersions: Android kernelAndroid ID: A-184676385Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20405 (Product: AndroidVersions: Android kernelAndroid ID: A-216363416Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20404 (Product: AndroidVersions: Android kernelAndroid ID: A-205714161Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20403 (Product: AndroidVersions: Android kernelAndroid ID: A-207975764Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20402 (Product: AndroidVersions: Android kernelAndroid ID: A-218701042Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20401 (In SAEMM_RetrievEPLMNList of SAEMM_ContextManagement.c, there is a pos ...)
+ NOT-FOR-US: Android
+CVE-2022-20400 (In cd_CodeMsg of cd_codec.c, there is a possible out of bounds write d ...)
+ NOT-FOR-US: Android
CVE-2022-20399
RESERVED
CVE-2022-20398
@@ -56785,302 +60471,307 @@ CVE-2022-20386
RESERVED
CVE-2022-20385
RESERVED
-CVE-2022-20384
- RESERVED
-CVE-2022-20383
- RESERVED
-CVE-2022-20382
- RESERVED
-CVE-2022-20381
- RESERVED
-CVE-2022-20380
- RESERVED
-CVE-2022-20379
- RESERVED
-CVE-2022-20378
- RESERVED
-CVE-2022-20377
- RESERVED
-CVE-2022-20376
- RESERVED
-CVE-2022-20375
- RESERVED
-CVE-2022-20374
- RESERVED
-CVE-2022-20373
- RESERVED
-CVE-2022-20372
- RESERVED
-CVE-2022-20371
- RESERVED
-CVE-2022-20370
- RESERVED
-CVE-2022-20369
- RESERVED
-CVE-2022-20368
- RESERVED
-CVE-2022-20367
- RESERVED
-CVE-2022-20366
- RESERVED
-CVE-2022-20365
- RESERVED
+CVE-2022-20384 (Product: AndroidVersions: Android kernelAndroid ID: A-211727306Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20383 (In AllocateInternalBuffers of g3aa_buffer_allocator.cc, there is a pos ...)
+ NOT-FOR-US: Android
+CVE-2022-20382 (In (TBD) of (TBD), there is a possible out of bounds write due to kern ...)
+ NOT-FOR-US: Android
+CVE-2022-20381 (Product: AndroidVersions: Android kernelAndroid ID: A-188935887Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20380 (Product: AndroidVersions: Android kernelAndroid ID: A-212625740Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20379 (In lwis_buffer_alloc of lwis_buffer.c, there is a possible arbitrary c ...)
+ NOT-FOR-US: Android
+CVE-2022-20378 (Product: AndroidVersions: Android kernelAndroid ID: A-234657153Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20377 (In TBD of keymaster_ipc.cpp, there is a possible to force gatekeeper, ...)
+ NOT-FOR-US: Android
+CVE-2022-20376 (In trusty_log_seq_start of trusty-log.c, there is a possible use after ...)
+ NOT-FOR-US: Android
+CVE-2022-20375 (In LteRrcNrProAsnDecode of LteRrcNr_Codec.c, there is a possible out o ...)
+ NOT-FOR-US: Android
+CVE-2022-20374 (On specific devices, there is a possible bypass of configuration integ ...)
+ NOT-FOR-US: Android
+CVE-2022-20373 (In st21nfc_loc_set_polaritymode of fc/st21nfc.c, there is a possible u ...)
+ NOT-FOR-US: Android
+CVE-2022-20372 (In exynos5_i2c_irq of (TBD), there is a possible out of bounds write d ...)
+ NOT-FOR-US: Android
+CVE-2022-20371 (In dm_bow_dtr and related functions of dm-bow.c, there is a possible u ...)
+ NOT-FOR-US: Android
+CVE-2022-20370 (Product: AndroidVersions: Android kernelAndroid ID: A-215730643Referen ...)
+ NOT-FOR-US: Android
+CVE-2022-20369 (In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bou ...)
+ - linux 5.17.3-1
+ [bullseye] - linux 5.10.113-1
+ NOTE: https://git.kernel.org/linus/8310ca94075e784bbb06593cd6c068ee6b6e4ca6 (5.18-rc1)
+CVE-2022-20368 (Product: AndroidVersions: Android kernelAndroid ID: A-224546354Referen ...)
+ - linux 5.16.18-1
+ [bullseye] - linux 5.10.113-1
+ [buster] - linux 4.19.249-1
+ NOTE: https://git.kernel.org/linus/c700525fcc06b05adfea78039de02628af79e07a (5.17)
+CVE-2022-20367 (In construct_transaction of lwis_ioctl.c, there is a possible out of b ...)
+ NOT-FOR-US: Android
+CVE-2022-20366 (In ioctl_dpm_clk_update of lwis_ioctl.c, there is a possible out of bo ...)
+ NOT-FOR-US: Android
+CVE-2022-20365 (Product: AndroidVersions: Android kernelAndroid ID: A-229632566Referen ...)
+ NOT-FOR-US: Android
CVE-2022-20364
RESERVED
CVE-2022-20363
RESERVED
-CVE-2022-20362
- RESERVED
-CVE-2022-20361
- RESERVED
-CVE-2022-20360
- RESERVED
+CVE-2022-20362 (In Bluetooth, there is a possible out of bounds write due to an intege ...)
+ NOT-FOR-US: Android
+CVE-2022-20361 (In btif_dm_auth_cmpl_evt of btif_dm.cc, there is a possible vulnerabil ...)
+ NOT-FOR-US: Android
+CVE-2022-20360 (In setChecked of SecureNfcPreferenceController.java, there is a missin ...)
+ NOT-FOR-US: Android
CVE-2022-20359
- RESERVED
-CVE-2022-20358
- RESERVED
-CVE-2022-20357
- RESERVED
-CVE-2022-20356
- RESERVED
-CVE-2022-20355
- RESERVED
-CVE-2022-20354
- RESERVED
-CVE-2022-20353
- RESERVED
-CVE-2022-20352
- RESERVED
+ REJECTED
+CVE-2022-20358 (In startSync of AbstractThreadedSyncAdapter.java, there is a possible ...)
+ NOT-FOR-US: Android
+CVE-2022-20357 (In writeToParcel of SurfaceControl.cpp, there is a possible informatio ...)
+ NOT-FOR-US: Android
+CVE-2022-20356 (In shouldAllowFgsWhileInUsePermissionLocked of ActiveServices.java, th ...)
+ NOT-FOR-US: Android
+CVE-2022-20355 (In get of PacProxyService.java, there is a possible system service cra ...)
+ NOT-FOR-US: Android
+CVE-2022-20354 (In onDefaultNetworkChanged of Vpn.java, there is a possible way to dis ...)
+ NOT-FOR-US: Android
+CVE-2022-20353 (In onSaveRingtone of DefaultRingtonePreference.java, there is a possib ...)
+ NOT-FOR-US: Android
+CVE-2022-20352 (In addProviderRequestListener of LocationManagerService.java, there is ...)
+ NOT-FOR-US: Android
CVE-2022-20351
RESERVED
-CVE-2022-20350
- RESERVED
-CVE-2022-20349
- RESERVED
-CVE-2022-20348
- RESERVED
-CVE-2022-20347
- RESERVED
-CVE-2022-20346
- RESERVED
-CVE-2022-20345
- RESERVED
-CVE-2022-20344
- RESERVED
+CVE-2022-20350 (In onCreate of NotificationAccessConfirmationActivity.java, there is a ...)
+ NOT-FOR-US: Android
+CVE-2022-20349 (In WifiScanningPreferenceController and BluetoothScanningPreferenceCon ...)
+ NOT-FOR-US: Android
+CVE-2022-20348 (In updateState of LocationServicesWifiScanningPreferenceController.jav ...)
+ NOT-FOR-US: Android
+CVE-2022-20347 (In onAttach of ConnectedDeviceDashboardFragment.java, there is a possi ...)
+ NOT-FOR-US: Android
+CVE-2022-20346 (In updateAudioTrackInfoFromESDS_MPEG4Audio of MPEG4Extractor.cpp, ther ...)
+ NOT-FOR-US: Android
+CVE-2022-20345 (In l2cble_process_sig_cmd of l2c_ble.cc, there is a possible out of bo ...)
+ NOT-FOR-US: Android
+CVE-2022-20344 (In stealReceiveChannel of EventThread.cpp, there is a possible way to ...)
+ NOT-FOR-US: Android
CVE-2022-20343
RESERVED
-CVE-2022-20342
- RESERVED
-CVE-2022-20341
- RESERVED
-CVE-2022-20340
- RESERVED
-CVE-2022-20339
- RESERVED
-CVE-2022-20338
- RESERVED
+CVE-2022-20342 (In WiFi, there is a possible disclosure of WiFi password to the end us ...)
+ NOT-FOR-US: Android
+CVE-2022-20341 (In ConnectivityService, there is a possible bypass of network permissi ...)
+ NOT-FOR-US: Android
+CVE-2022-20340 (In SELinux policy, there is a possible way of inferring which websites ...)
+ NOT-FOR-US: Android
+CVE-2022-20339 (In Android, there is a possible access of network neighbor table infor ...)
+ NOT-FOR-US: Android
+CVE-2022-20338 (In Core Utilities, there is a possible way to craft a malformed Uri ob ...)
+ NOT-FOR-US: Android
CVE-2022-20337
RESERVED
-CVE-2022-20336
- RESERVED
-CVE-2022-20335
- RESERVED
-CVE-2022-20334
- RESERVED
-CVE-2022-20333
- RESERVED
-CVE-2022-20332
- RESERVED
-CVE-2022-20331
- RESERVED
-CVE-2022-20330
- RESERVED
-CVE-2022-20329
- RESERVED
-CVE-2022-20328
- RESERVED
-CVE-2022-20327
- RESERVED
-CVE-2022-20326
- RESERVED
-CVE-2022-20325
- RESERVED
-CVE-2022-20324
- RESERVED
-CVE-2022-20323
- RESERVED
-CVE-2022-20322
- RESERVED
-CVE-2022-20321
- RESERVED
-CVE-2022-20320
- RESERVED
-CVE-2022-20319
- RESERVED
-CVE-2022-20318
- RESERVED
-CVE-2022-20317
- RESERVED
-CVE-2022-20316
- RESERVED
-CVE-2022-20315
- RESERVED
-CVE-2022-20314
- RESERVED
-CVE-2022-20313
- RESERVED
-CVE-2022-20312
- RESERVED
-CVE-2022-20311
- RESERVED
-CVE-2022-20310
- RESERVED
-CVE-2022-20309
- RESERVED
-CVE-2022-20308
- RESERVED
-CVE-2022-20307
- RESERVED
-CVE-2022-20306
- RESERVED
-CVE-2022-20305
- RESERVED
-CVE-2022-20304
- RESERVED
-CVE-2022-20303
- RESERVED
-CVE-2022-20302
- RESERVED
-CVE-2022-20301
- RESERVED
-CVE-2022-20300
- RESERVED
-CVE-2022-20299
- RESERVED
-CVE-2022-20298
- RESERVED
-CVE-2022-20297
- RESERVED
-CVE-2022-20296
- RESERVED
-CVE-2022-20295
- RESERVED
-CVE-2022-20294
- RESERVED
-CVE-2022-20293
- RESERVED
-CVE-2022-20292
- RESERVED
-CVE-2022-20291
- RESERVED
-CVE-2022-20290
- RESERVED
-CVE-2022-20289
- RESERVED
-CVE-2022-20288
- RESERVED
-CVE-2022-20287
- RESERVED
-CVE-2022-20286
- RESERVED
-CVE-2022-20285
- RESERVED
-CVE-2022-20284
- RESERVED
-CVE-2022-20283
- RESERVED
-CVE-2022-20282
- RESERVED
-CVE-2022-20281
- RESERVED
-CVE-2022-20280
- RESERVED
-CVE-2022-20279
- RESERVED
-CVE-2022-20278
- RESERVED
-CVE-2022-20277
- RESERVED
-CVE-2022-20276
- RESERVED
-CVE-2022-20275
- RESERVED
-CVE-2022-20274
- RESERVED
-CVE-2022-20273
- RESERVED
-CVE-2022-20272
- RESERVED
-CVE-2022-20271
- RESERVED
-CVE-2022-20270
- RESERVED
-CVE-2022-20269
- RESERVED
-CVE-2022-20268
- RESERVED
-CVE-2022-20267
- RESERVED
-CVE-2022-20266
- RESERVED
-CVE-2022-20265
- RESERVED
+CVE-2022-20336 (In Settings, there is a possible installed application disclosure due ...)
+ NOT-FOR-US: Android
+CVE-2022-20335 (In Wifi Slice, there is a possible way to adjust Wi-Fi settings even w ...)
+ NOT-FOR-US: Android
+CVE-2022-20334 (In Bluetooth, there are possible process crashes due to dereferencing ...)
+ NOT-FOR-US: Android
+CVE-2022-20333 (In Bluetooth, there is a possible crash due to a missing null check. T ...)
+ NOT-FOR-US: Android
+CVE-2022-20332 (In PackageManager, there is a possible way to determine whether an app ...)
+ NOT-FOR-US: Android
+CVE-2022-20331 (In the Framework, there is a possible way to enable a work profile wit ...)
+ NOT-FOR-US: Android
+CVE-2022-20330 (In Bluetooth, there is a possible way to connect or disconnect bluetoo ...)
+ NOT-FOR-US: Android
+CVE-2022-20329 (In Wifi, there is a possible way to enable Wifi without permissions du ...)
+ NOT-FOR-US: Android
+CVE-2022-20328 (In PackageManager, there is a possible way to determine whether an app ...)
+ NOT-FOR-US: Android
+CVE-2022-20327 (In Wi-Fi, there is a possible way to retrieve the WiFi SSID without lo ...)
+ NOT-FOR-US: Android
+CVE-2022-20326 (In Telephony, there is a possible disclosure of SIM identifiers due to ...)
+ NOT-FOR-US: Android
+CVE-2022-20325 (In Media, there is a possible code execution due to a use after free. ...)
+ NOT-FOR-US: Android
+CVE-2022-20324 (In Framework, there is a possible way to determine whether an app is i ...)
+ NOT-FOR-US: Android
+CVE-2022-20323 (In PackageManager, there is a possible package installation disclosure ...)
+ NOT-FOR-US: Android
+CVE-2022-20322 (In PackageManager, there is a possible installed package disclosure du ...)
+ NOT-FOR-US: Android
+CVE-2022-20321 (In Settings, there is a possible way for an application without permis ...)
+ NOT-FOR-US: Android
+CVE-2022-20320 (In ActivityManager, there is a possible way to determine whether an ap ...)
+ NOT-FOR-US: Android
+CVE-2022-20319 (In DreamServices, there is a possible way to launch arbitrary protecte ...)
+ NOT-FOR-US: Android
+CVE-2022-20318 (In PackageInstaller, there is a possible way to determine whether an a ...)
+ NOT-FOR-US: Android
+CVE-2022-20317 (In SystemUI, there is a possible way to unexpectedly enable the extern ...)
+ NOT-FOR-US: Android
+CVE-2022-20316 (In ContentResolver, there is a possible way to determine whether an ap ...)
+ NOT-FOR-US: Android
+CVE-2022-20315 (In ActivityManager, there is a possible disclosure of installed packag ...)
+ NOT-FOR-US: Android
+CVE-2022-20314 (In KeyChain, there is a possible spoof keychain chooser activity reque ...)
+ NOT-FOR-US: Android
+CVE-2022-20313 (In Bluetooth, there is a possible out of bounds write due to a missing ...)
+ NOT-FOR-US: Android
+CVE-2022-20312 (In WifiP2pManager, there is a possible toobtain WiFi P2P MAC address w ...)
+ NOT-FOR-US: Android
+CVE-2022-20311 (In Telecomm, there is a possible disclosure of registered self managed ...)
+ NOT-FOR-US: Android
+CVE-2022-20310 (In Telecomm, there is a possible disclosure of registered self managed ...)
+ NOT-FOR-US: Android
+CVE-2022-20309 (In PackageInstaller, there is a possible way to determine whether an a ...)
+ NOT-FOR-US: Android
+CVE-2022-20308 (In hostapd, there is a possible insecure configuration due to an insec ...)
+ NOT-FOR-US: Android (treating this android specific even hostapd mentioned, insecure configuration on Android)
+CVE-2022-20307 (In AlarmManagerService, there is a possible way to determine whether a ...)
+ NOT-FOR-US: Android
+CVE-2022-20306 (In Camera Provider HAL, there is a possible memory corruption due to a ...)
+ NOT-FOR-US: Android
+CVE-2022-20305 (In ContentService, there is a possible disclosure of available account ...)
+ NOT-FOR-US: Android
+CVE-2022-20304 (In Content, there is a possible way to determinate the user's account ...)
+ NOT-FOR-US: Android
+CVE-2022-20303 (In ContentService, there is a possible way to determine if an account ...)
+ NOT-FOR-US: Android
+CVE-2022-20302 (In Settings, there is a possible way to bypass factory reset protectio ...)
+ NOT-FOR-US: Android
+CVE-2022-20301 (In Content, there is a possible way to check if an account exists on t ...)
+ NOT-FOR-US: Android
+CVE-2022-20300 (In Content, there is a possible way to check if the given account exis ...)
+ NOT-FOR-US: Android
+CVE-2022-20299 (In ContentService, there is a possible way to check if the given accou ...)
+ NOT-FOR-US: Android
+CVE-2022-20298 (In ContentService, there is a possible way to check if an account exis ...)
+ NOT-FOR-US: Android
+CVE-2022-20297 (In Settings, there is a possible way to bypass factory reset protectio ...)
+ NOT-FOR-US: Android
+CVE-2022-20296 (In ContentService, there is a possible way to check if an account exis ...)
+ NOT-FOR-US: Android
+CVE-2022-20295 (In ContentService, there is a possible way to check if an account exis ...)
+ NOT-FOR-US: Android
+CVE-2022-20294 (In Content, there is a possible way to learn about an account present ...)
+ NOT-FOR-US: Android
+CVE-2022-20293 (In LauncherApps, there is a possible way to determine whether an app i ...)
+ NOT-FOR-US: Android
+CVE-2022-20292 (In Settings, there is a possible way to bypass factory reset protectio ...)
+ NOT-FOR-US: Android
+CVE-2022-20291 (In AppOpsService, there is a possible way to determine whether an app ...)
+ NOT-FOR-US: Android
+CVE-2022-20290 (In Midi, there is a possible way to learn about private midi devices d ...)
+ NOT-FOR-US: Android
+CVE-2022-20289 (In PackageInstaller, there is a possible way to determine whether an a ...)
+ NOT-FOR-US: Android
+CVE-2022-20288 (In AppSearchManagerService, there is a possible way to determine wheth ...)
+ NOT-FOR-US: Android
+CVE-2022-20287 (In AppSearchManagerService, there is a possible way to determine wheth ...)
+ NOT-FOR-US: Android
+CVE-2022-20286 (In Connectivity, there is a possible bypass the restriction of startin ...)
+ NOT-FOR-US: Android
+CVE-2022-20285 (In PackageManager, there is a possible way to determine whether an app ...)
+ NOT-FOR-US: Android
+CVE-2022-20284 (In Telephony, there is a possible information disclosure due to a miss ...)
+ NOT-FOR-US: Android
+CVE-2022-20283 (In Bluetooth, there is a possible out of bounds write due to an intege ...)
+ NOT-FOR-US: Android
+CVE-2022-20282 (In AppWidget, there is a possible way to start an activity from the ba ...)
+ NOT-FOR-US: Android
+CVE-2022-20281 (In Core, there is a possible way to start an activity from the backgro ...)
+ NOT-FOR-US: Android
+CVE-2022-20280 (In MMSProvider, there is a possible read of protected data due to impr ...)
+ NOT-FOR-US: Android
+CVE-2022-20279 (In DevicePolicyManager, there is a possible way to determine whether a ...)
+ NOT-FOR-US: Android
+CVE-2022-20278 (In Accounts, there is a possible way to write sensitive information to ...)
+ NOT-FOR-US: Android
+CVE-2022-20277 (In DevicePolicyManager, there is a possible way to determine whether a ...)
+ NOT-FOR-US: Android
+CVE-2022-20276 (In DevicePolicyManager, there is a possible way to determine whether a ...)
+ NOT-FOR-US: Android
+CVE-2022-20275 (In DevicePolicyManager, there is a possible way to determine whether a ...)
+ NOT-FOR-US: Android
+CVE-2022-20274 (In Keyguard, there is a missing permission check. This could lead to l ...)
+ NOT-FOR-US: Android
+CVE-2022-20273 (In Bluetooth, there is a possible out of bounds read due to a heap buf ...)
+ NOT-FOR-US: Android
+CVE-2022-20272 (In PermissionController, there is a possible misunderstanding about th ...)
+ NOT-FOR-US: Android
+CVE-2022-20271 (In PermissionController, there is a possible way to grant some permiss ...)
+ NOT-FOR-US: Android
+CVE-2022-20270 (In Content, there is a possible way to learn gmail account name on the ...)
+ NOT-FOR-US: Android
+CVE-2022-20269 (In Bluetooth, there is a possible out of bounds write due to an incorr ...)
+ NOT-FOR-US: Android
+CVE-2022-20268 (In RestrictionsManager, there is a possible way to send a broadcast th ...)
+ NOT-FOR-US: Android
+CVE-2022-20267 (In bluetooth, there is a possible way to enable or disable bluetooth c ...)
+ NOT-FOR-US: Android
+CVE-2022-20266 (In Companion, there is a possible way to keep a service running with e ...)
+ NOT-FOR-US: Android
+CVE-2022-20265 (In Settings, there is a possible way to bypass factory reset permissio ...)
+ NOT-FOR-US: Android
CVE-2022-20264
RESERVED
-CVE-2022-20263
- RESERVED
-CVE-2022-20262
- RESERVED
-CVE-2022-20261
- RESERVED
-CVE-2022-20260
- RESERVED
-CVE-2022-20259
- RESERVED
-CVE-2022-20258
- RESERVED
-CVE-2022-20257
- RESERVED
-CVE-2022-20256
- RESERVED
-CVE-2022-20255
- RESERVED
-CVE-2022-20254
- RESERVED
-CVE-2022-20253
- RESERVED
-CVE-2022-20252
- RESERVED
-CVE-2022-20251
- RESERVED
-CVE-2022-20250
- RESERVED
-CVE-2022-20249
- RESERVED
-CVE-2022-20248
- RESERVED
-CVE-2022-20247
- RESERVED
-CVE-2022-20246
- RESERVED
-CVE-2022-20245
- RESERVED
-CVE-2022-20244
- RESERVED
-CVE-2022-20243
- RESERVED
-CVE-2022-20242
- RESERVED
-CVE-2022-20241
- RESERVED
+CVE-2022-20263 (In ActivityManager, there is a way to read process state for other use ...)
+ NOT-FOR-US: Android
+CVE-2022-20262 (In ActivityManager, there is a possible way to check another process's ...)
+ NOT-FOR-US: Android
+CVE-2022-20261 (In LocationManager, there is a possible way to get location informatio ...)
+ NOT-FOR-US: Android
+CVE-2022-20260 (In the Phone app, there is a possible crash loop due to resource exhau ...)
+ NOT-FOR-US: Android
+CVE-2022-20259 (In Telephony, there is a possible leak of ICCID and EID due to a missi ...)
+ NOT-FOR-US: Android
+CVE-2022-20258 (In Bluetooth, there is a possible way to bypass compiler exploit mitig ...)
+ NOT-FOR-US: Android
+CVE-2022-20257 (In Bluetooth, there is a possible way to pair a display only device wi ...)
+ NOT-FOR-US: Android
+CVE-2022-20256 (In the Audio HAL, there is a possible out of bounds write due to a rac ...)
+ NOT-FOR-US: Android
+CVE-2022-20255 (In SettingsProvider, there is a possible way to read or change the def ...)
+ NOT-FOR-US: Android
+CVE-2022-20254 (In Wi-Fi, there is a permissions bypass. This could lead to local esca ...)
+ NOT-FOR-US: Android
+CVE-2022-20253 (In Bluetooth, there is a possible cleanup failure due to an uncaught e ...)
+ NOT-FOR-US: Android
+CVE-2022-20252 (In PackageManager, there is a possible way to determine whether an app ...)
+ NOT-FOR-US: Android
+CVE-2022-20251 (In LocaleManager, there is a possible way to determine whether an app ...)
+ NOT-FOR-US: Android
+CVE-2022-20250 (In Messaging, there is a possible way to attach files to a message wit ...)
+ NOT-FOR-US: Android
+CVE-2022-20249 (In LocaleManager, there is a possible way to determine whether an app ...)
+ NOT-FOR-US: Android
+CVE-2022-20248 (In Settings, there is a possible way to connect to an open network byp ...)
+ NOT-FOR-US: Android
+CVE-2022-20247 (In Media, there is a possible out of bounds read due to a heap buffer ...)
+ NOT-FOR-US: Android
+CVE-2022-20246 (In WindowManager, there is a possible bypass of the restrictions for s ...)
+ NOT-FOR-US: Android
+CVE-2022-20245 (In WindowManager, there is a possible method to create a recording of ...)
+ NOT-FOR-US: Android
+CVE-2022-20244 (In Bluetooth, there is a possible out of bounds write due to a missing ...)
+ NOT-FOR-US: Android
+CVE-2022-20243 (In Core Utilities, there is a possible log information disclosure. Thi ...)
+ NOT-FOR-US: Android
+CVE-2022-20242 (In Telephony, there is a possible way to determine whether an app is i ...)
+ NOT-FOR-US: Android
+CVE-2022-20241 (In Messaging, there is a possible way to attach a private file to an S ...)
+ NOT-FOR-US: Android
CVE-2022-20240
RESERVED
-CVE-2022-20239
- RESERVED
+CVE-2022-20239 ('remap_pfn_range' here may map out of size kernel memory (for example, ...)
+ NOT-FOR-US: Unisoc
CVE-2022-20238 ('remap_pfn_range' here may map out of size kernel memory (for example, ...)
NOT-FOR-US: Unisoc
-CVE-2022-20237
- RESERVED
+CVE-2022-20237 (In BuildDevIDResponse of miscdatabuilder.cpp, there is a possible out ...)
+ NOT-FOR-US: Android
CVE-2022-20236 (A drm driver have oob problem, could cause the system crash or EOPProd ...)
NOT-FOR-US: Unisoc
CVE-2022-20235
@@ -57194,8 +60885,8 @@ CVE-2022-20182 (In handle_ramdump of pixel_loader.c, there is a possible way to
NOT-FOR-US: Google Pixel
CVE-2022-20181 (Product: AndroidVersions: Android kernelAndroid ID: A-210936609Referen ...)
NOT-FOR-US: Google Pixel
-CVE-2022-20180
- RESERVED
+CVE-2022-20180 (In several functions of mali_gralloc_reference.cpp, there is a possibl ...)
+ NOT-FOR-US: Android
CVE-2022-20179 (Product: AndroidVersions: Android kernelAndroid ID: A-211683760Referen ...)
NOT-FOR-US: Google Pixel
CVE-2022-20178 (In ioctl_dpm_qos_update and ioctl_event_control_set of (TBD), there is ...)
@@ -57242,8 +60933,9 @@ CVE-2022-20160 (Product: AndroidVersions: Android kernelAndroid ID: A-210083655R
NOT-FOR-US: Google Pixel
CVE-2022-20159 (In asn1_ec_pkey_parse of acropora/crypto/asn1_common.c, there is a pos ...)
NOT-FOR-US: Google Pixel
-CVE-2022-20158
- RESERVED
+CVE-2022-20158 (In bdi_put and bdi_unregister of backing-dev.c, there is a possible me ...)
+ - linux <unfixed>
+ NOTE: https://source.android.com/security/bulletin/pixel/2022-08-01
CVE-2022-20157
RESERVED
CVE-2022-20156 (In unflatten of GraphicBuffer.cpp, there is a possible arbitrary code ...)
@@ -58884,8 +62576,9 @@ CVE-2021-3860 (JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), i
NOT-FOR-US: JFrog Artifactory
CVE-2021-3859
RESERVED
- - undertow <unfixed> (bug #1015983)
+ - undertow 2.2.16-1 (bug #1015983)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2010378
+ NOTE: https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2
CVE-2021-42008 (The decode_data function in drivers/net/hamradio/6pack.c in the Linux ...)
{DLA-2843-1 DLA-2785-1}
- linux 5.14.6-1
@@ -59013,7 +62706,7 @@ CVE-2021-41961
CVE-2021-41960
RESERVED
CVE-2021-41959 (JerryScript Git version 14ff5bf does not sufficiently track and releas ...)
- - iotjs <unfixed> (bug #1015219)
+ - iotjs <removed> (bug #1015219)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4781
@@ -59047,6 +62740,7 @@ CVE-2021-41946 (In FiberHome VDSL2 Modem HG150-Ub_V3.0, a stored cross-site scri
NOT-FOR-US: FiberHome VDSL2 Modem
CVE-2021-41945 (Encode OSS httpx &lt; 0.23.0 is affected by improper input validation ...)
- httpx 0.23.0-1 (bug #1010336)
+ [bullseye] - httpx <no-dsa> (Minor issue)
NOTE: https://gist.github.com/lebr0nli/4edb76bbd3b5ff993cf44f2fbce5e571
NOTE: https://github.com/encode/httpx/discussions/1831
NOTE: https://github.com/encode/httpx/issues/2184
@@ -59582,7 +63276,7 @@ CVE-2021-41753 (A denial-of-service attack in WPA2, and WPA3-SAE authentication
CVE-2021-41752 (Stack overflow vulnerability in Jerryscript before commit e1ce7dd72712 ...)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4779
CVE-2021-41751 (Buffer overflow vulnerability in file ecma-builtin-array-prototype.c:9 ...)
- - iotjs <unfixed> (bug #1015219)
+ - iotjs <removed> (bug #1015219)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4797
@@ -59751,12 +63445,12 @@ CVE-2021-41685
CVE-2021-41684
RESERVED
CVE-2021-41683 (There is a stack-overflow at ecma-helpers.c:326 in ecma_get_lex_env_ty ...)
- - iotjs <unfixed> (bug #1015219)
+ - iotjs <removed> (bug #1015219)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4745
CVE-2021-41682 (There is a heap-use-after-free at ecma-helpers-string.c:1940 in ecma_c ...)
- - iotjs <unfixed> (bug #1015219)
+ - iotjs <removed> (bug #1015219)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4747
@@ -59901,8 +63595,8 @@ CVE-2021-41617 (sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-def
NOTE: https://www.openwall.com/lists/oss-security/2021/09/26/1
NOTE: https://github.com/openssh/openssh-portable/commit/f3cbe43e28fe71427d41cfe3a17125b972710455
NOTE: https://github.com/openssh/openssh-portable/commit/bf944e3794eff5413f2df1ef37cddf96918c6bde
-CVE-2021-41615
- RESERVED
+CVE-2021-41615 (websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy bec ...)
+ NOT-FOR-US: GoAhead Web Server
CVE-2021-41614
RESERVED
CVE-2021-41613
@@ -60052,7 +63746,9 @@ CVE-2021-41557 (Sofico Miles RIA 2020.2 Build 127964T is affected by Stored Cros
NOT-FOR-US: Sofico
CVE-2021-41556 (sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an ou ...)
- squirrel3 <unfixed> (bug #1016212)
- NOTE: https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98
+ [bullseye] - squirrel3 <no-dsa> (Minor issue)
+ [buster] - squirrel3 <no-dsa> (Minor issue)
+ NOTE: https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98 (v3.2)
NOTE: https://blog.sonarsource.com/squirrel-vm-sandbox-escape/
CVE-2021-41555 (** UNSUPPORTED WHEN ASSIGNED ** In ARCHIBUS Web Central 21.3.3.815 (a ...)
NOT-FOR-US: ARCHIBUS Web Central
@@ -60292,6 +63988,7 @@ CVE-2021-41459 (There is a stack buffer overflow in MP4Box v1.0.1 at src/filters
NOTE: Fixed by: https://github.com/gpac/gpac/commit/7d4538e104f2b3ff6a65a41394795654e6972339 (v2.0.0)
CVE-2021-41458 (In GPAC MP4Box v1.1.0, there is a stack buffer overflow at src/utils/e ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1910
NOTE: https://github.com/gpac/gpac/commit/74695dea7278e78af3db467e586233fe8773c07e (v2.0.0)
@@ -60427,6 +64124,7 @@ CVE-2021-41397
RESERVED
CVE-2021-41396 (Live555 through 1.08 does not handle socket connections properly. A hu ...)
- liblivemedia <removed>
+ [buster] - liblivemedia <ignored> (Minor issue)
CVE-2021-41395 (Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to contro ...)
NOT-FOR-US: Teleport
CVE-2021-41394 (Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x b ...)
@@ -60750,7 +64448,6 @@ CVE-2021-41266 (Minio console is a graphical user interface for the for MinIO op
CVE-2021-41265 (Flask-AppBuilder is a development framework built on top of Flask. Ver ...)
- flask-appbuilder <not-affected> (Fixed before initial upload to archive)
NOTE: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-m3rf-7m4w-r66q
- NOTE: https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v3.3.4
NOTE: https://github.com/dpgaspar/Flask-AppBuilder/commit/eba517aab121afa3f3f2edb011ec6bc4efd61fbc (3.3.4)
CVE-2021-41264 (OpenZeppelin Contracts is a library for smart contract development. In ...)
NOT-FOR-US: OpenZeppelin Contracts
@@ -61013,6 +64710,7 @@ CVE-2021-41165 (CKEditor4 is an open source WYSIWYG HTML editor. In affected ver
[buster] - ckeditor <no-dsa> (Minor issue)
[stretch] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed> (bug #1015217)
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2 (v4.17.0)
CVE-2021-41164 (CKEditor4 is an open source WYSIWYG HTML editor. In affected versions ...)
@@ -61384,6 +65082,7 @@ CVE-2021-41040 (In Eclipse Wakaama, ever since its inception until 2021-01-14, t
NOT-FOR-US: Eclipse Wakaama
CVE-2021-41039 (In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client conn ...)
- mosquitto <unfixed> (bug #1001028)
+ [bullseye] - mosquitto <no-dsa> (Minor issue)
[buster] - mosquitto <not-affected> (Vulnerable code introduced later)
[stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314
@@ -61600,12 +65299,14 @@ CVE-2021-40945
RESERVED
CVE-2021-40944 (In GPAC MP4Box 1.1.0, there is a Null pointer reference in the functio ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/1906
NOTE: https://github.com/gpac/gpac/commit/44fdc3d972c31c56efe73e1a3b63438d46087652 (v2.0.0)
CVE-2021-40943 (In Bento4 1.6.0-638, there is a null pointer reference in the function ...)
NOT-FOR-US: Bento4
CVE-2021-40942 (In GPAC MP4Box v1.1.0, there is a heap-buffer-overflow in the function ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/1908
NOTE: https://github.com/gpac/gpac/commit/da37ec8582266983d0ec4b7550ec907401ec441e (v2.0.0)
CVE-2021-40941 (In Bento4 1.6.0-638, there is an allocator is out of memory in the fun ...)
@@ -62415,18 +66116,22 @@ CVE-2021-40610 (Emlog Pro v 1.0.4 cross-site scripting (XSS) in Emlog Pro backgr
NOT-FOR-US: emlog
CVE-2021-40609 (The GetHintFormat function in GPAC 1.0.1 allows attackers to cause a d ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/1894
NOTE: https://github.com/gpac/gpac/commit/86c1566f040b2b84c72afcb6cbd444c5aff56cfe (v2.0.0)
CVE-2021-40608 (The gf_hinter_track_finalize function in GPAC 1.0.1 allows attackers t ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/1883
NOTE: https://github.com/gpac/gpac/commit/b09c75dc2d4bf68ac447daa71e72365aa30231a9 (v2.0.0)
CVE-2021-40607 (The schm_box_size function in GPAC 1.0.1 allows attackers to cause a d ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/1879
NOTE: https://github.com/gpac/gpac/commit/f19668964bf422cf5a63e4dbe1d3c6c75edadcbb (v2.0.0)
CVE-2021-40606 (The gf_bs_write_data function in GPAC 1.0.1 allows attackers to cause ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/1885
NOTE: https://github.com/gpac/gpac/commit/f5a038e6893019ee471b6a57490cf7a495673816 (v2.0.0)
CVE-2021-40605
@@ -62457,6 +66162,7 @@ CVE-2021-40593
RESERVED
CVE-2021-40592 (GPAC version before commit 71460d72ec07df766dab0a4d52687529f3efcf0a (v ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/commit/71460d72ec07df766dab0a4d52687529f3efcf0a (v2.0.0)
NOTE: https://github.com/gpac/gpac/issues/1876
@@ -62494,76 +66200,91 @@ CVE-2021-40577 (A Stored Cross Site Scripting (XSS) vulnerability exists in Sour
NOT-FOR-US: Sourcecodester
CVE-2021-40576 (The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnera ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1904
NOTE: https://github.com/gpac/gpac/commit/ad18ece95fa064efc0995c4ab2c985f77fb166ec (v2.0.0)
CVE-2021-40575 (The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnera ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1905
NOTE: https://github.com/gpac/gpac/commit/5f2c2a16d30229b6241f02fa28e3d6b810d64858 (v2.0.0)
CVE-2021-40574 (The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1897
NOTE: https://github.com/gpac/gpac/commit/30ac5e5236b790accd1f25347eebf2dc8c6c1bcb (v2.0.0)
CVE-2021-40573 (The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1891
NOTE: https://github.com/gpac/gpac/commit/b03c9f252526bb42fbd1b87b9f5e339c3cf2390a (v2.0.0)
CVE-2021-40572 (The binary MP4Box in Gpac 1.0.1 has a double-free bug in the av1dmx_fi ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1893
NOTE: https://github.com/gpac/gpac/commit/7bb1b4a4dd23c885f9db9f577dfe79ecc5433109 (v2.0.0)
CVE-2021-40571 (The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1895
NOTE: https://github.com/gpac/gpac/commit/a69b567b8c95c72f9560c873c5ab348be058f340 (v2.0.0)
CVE-2021-40570 (The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1899
NOTE: https://github.com/gpac/gpac/commit/04dbf08bff4d61948bab80c3f9096ecc60c7f302 (v2.0.0)
CVE-2021-40569 (The binary MP4Box in Gpac through 1.0.1 has a double-free vulnerabilit ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1890
NOTE: https://github.com/gpac/gpac/commit/b03c9f252526bb42fbd1b87b9f5e339c3cf2390a (v2.0.0)
CVE-2021-40568 (A buffer overflow vulnerability exists in Gpac through 1.0.1 via a mal ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1900
NOTE: https://github.com/gpac/gpac/commit/f1ae01d745200a258cdf62622f71754c37cb6c30 (v2.0.0)
CVE-2021-40567 (Segmentation fault vulnerability exists in Gpac through 1.0.1 via the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1889
NOTE: https://github.com/gpac/gpac/commit/f5a038e6893019ee471b6a57490cf7a495673816 (v2.0.0)
CVE-2021-40566 (A Segmentation fault casued by heap use after free vulnerability exist ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1887
NOTE: https://github.com/gpac/gpac/commit/96047e0e6166407c40cc19f4e94fb35cd7624391 (v2.0.0)
CVE-2021-40565 (A Segmentation fault caused by a null pointer dereference vulnerabilit ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1902
NOTE: https://github.com/gpac/gpac/commit/893fb99b606eebfae46cde151846a980e689039b (v2.0.0)
CVE-2021-40564 (A Segmentation fault caused by null pointer dereference vulnerability ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1898
NOTE: https://github.com/gpac/gpac/commit/cf6771c857eb9a290e2c19ddacfdd3ed98b27618 (v2.0.0)
CVE-2021-40563 (A Segmentation fault exists casued by null pointer dereference exists ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1892
NOTE: https://github.com/gpac/gpac/commit/5ce0c906ed8599d218036b18b78e8126a496f137 (v2.0.0)
CVE-2021-40562 (A Segmentation fault caused by a floating point exception exists in Gp ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1901
NOTE: https://github.com/gpac/gpac/commit/5dd71c7201a3e5cf40732d585bfb21c906c171d3 (v2.0.0)
@@ -62573,6 +66294,7 @@ CVE-2021-40560
RESERVED
CVE-2021-40559 (A null pointer deference vulnerability exists in gpac through 1.0.1 vi ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1886
NOTE: https://github.com/gpac/gpac/commit/70607fc71a671cf48a05e013a4e411429373dce7 (v2.0.0)
@@ -62686,7 +66408,8 @@ CVE-2021-3774 (Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 vers
CVE-2021-3773 (A flaw in netfilter could allow a network-connected attacker to infer ...)
NOTE: https://www.openwall.com/lists/oss-security/2021/09/08/3
NOTE: https://breakpointingbad.com/2021/09/08/Port-Shadows-via-Network-Alchemy.html
- TODO: fill in tracking details
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189897
+ NOTE: No code changes necessary/needed, firewall rules are reponsibility of local admin
CVE-2021-3772 (A flaw was found in the Linux SCTP stack. A blind attacker may be able ...)
{DSA-5096-1 DLA-2941-1}
- linux 5.14.16-1
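Review bot: The CVE-2021-3773 entry drops the `TODO: fill in tracking details` line but, as far as the visible lines show, still has no package state line, so the conclusion recorded in the new NOTEs is not expressed in the format the rest of the file uses. If the decision is that no kernel change is needed, a line such as `- linux <not-affected> (Mitigation is local firewall configuration)` would record that explicitly rather than leaving the entry with notes only. The second new NOTE also has a typo, `reponsibility` for `responsibility`; since these NOTEs are the rationale later triagers will search for, `NOTE: No code changes necessary, firewall rules are the responsibility of the local admin` reads more cleanly.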
@@ -63935,8 +67658,8 @@ CVE-2021-40042 (There is a release of invalid pointer vulnerability in some Huaw
NOT-FOR-US: Huawei
CVE-2021-40041 (There is a Cross-Site Scripting(XSS) vulnerability in HUAWEI WS318n pr ...)
NOT-FOR-US: Huawei
-CVE-2021-40040
- RESERVED
+CVE-2021-40040 (Vulnerability of writing data to an arbitrary address in the HW_KEYMAS ...)
+ NOT-FOR-US: Huawei
CVE-2021-40039 (There is a Null pointer dereference vulnerability in the camera module ...)
NOT-FOR-US: Huawei
CVE-2021-40038 (There is a Double free vulnerability in the AOD module in smartphones. ...)
@@ -63947,16 +67670,16 @@ CVE-2021-40036 (The bone voice ID TA has a memory overwrite vulnerability. Succe
NOT-FOR-US: Huawei
CVE-2021-40035 (There is a Buffer overflow vulnerability due to a boundary error with ...)
NOT-FOR-US: Huawei
-CVE-2021-40034
- RESERVED
+CVE-2021-40034 (The video framework has the memory overwriting vulnerability caused by ...)
+ NOT-FOR-US: Huawei
CVE-2021-40033 (There is an information exposure vulnerability on several Huawei Produ ...)
NOT-FOR-US: Huawei
CVE-2021-40032 (The bone voice ID TA has a vulnerability in information management,Suc ...)
NOT-FOR-US: Huawei
CVE-2021-40031 (There is a Null pointer dereference vulnerability in the camera module ...)
NOT-FOR-US: Huawei
-CVE-2021-40030
- RESERVED
+CVE-2021-40030 (The My HUAWEI app has a defect in the design. Successful exploitation ...)
+ NOT-FOR-US: Huawei
CVE-2021-40029 (There is a Buffer overflow vulnerability due to a boundary error with ...)
NOT-FOR-US: Huawei
CVE-2021-40028 (The eID module has an out-of-bounds memory write vulnerability,Success ...)
@@ -64691,8 +68414,8 @@ CVE-2021-39698 (In aio_poll_complete_work of aio.c, there is a possible memory c
NOTE: https://source.android.com/security/bulletin/2022-03-01
CVE-2021-39697 (In checkFileUriDestination of DownloadProvider.java, there is a possib ...)
NOT-FOR-US: Android
-CVE-2021-39696
- RESERVED
+CVE-2021-39696 (In Task.java, there is a possible escalation of privilege due to a con ...)
+ NOT-FOR-US: Android
CVE-2021-39695 (In createOrUpdate of BasePermission.java, there is a possible permissi ...)
NOT-FOR-US: Android
CVE-2021-39694 (In parse of RoleParser.java, there is a possible way for default apps ...)
@@ -67501,7 +71224,7 @@ CVE-2021-3700 (A use-after-free vulnerability was found in usbredir in versions
NOTE: https://gitlab.freedesktop.org/spice/usbredir/-/commit/03c519ff5831ba75120e00ebebbf1d5a1f7220ab (usbredir-0.11.0)
CVE-2021-38562 (Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4. ...)
{DLA-3057-1}
- - request-tracker5 <unfixed> (bug #995167)
+ - request-tracker5 5.0.3+dfsg-1 (bug #995167)
- request-tracker4 4.4.4+dfsg-3 (bug #995175)
[bullseye] - request-tracker4 4.4.4+dfsg-2+deb11u1
[buster] - request-tracker4 4.4.3-2+deb10u1
@@ -69999,6 +73722,7 @@ CVE-2021-37695 (ckeditor is an open source WYSIWYG HTML editor with rich content
[bullseye] - ckeditor <no-dsa> (Minor issue)
[buster] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed> (bug #1015217)
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
NOTE: https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
@@ -70896,9 +74620,8 @@ CVE-2021-37300
RESERVED
CVE-2021-37299
RESERVED
-CVE-2021-37298 (Laravel v5.1 was discovered to contain a deserialization vulnerability ...)
- - php-laravel-framework <unfixed> (bug #1014830)
- NOTE: https://github.com/Stakcery/happywd/issues/1
+CVE-2021-37298
+ REJECTED
CVE-2021-37297
RESERVED
CVE-2021-37296
@@ -71250,8 +74973,10 @@ CVE-2021-37159 (hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel
[bullseye] - linux 5.10.70-1
[buster] - linux 4.19.208-1
NOTE: https://www.spinics.net/lists/linux-usb/msg202228.html
-CVE-2021-37150
- RESERVED
+CVE-2021-37150 (Improper Input Validation vulnerability in header parsing of Apache Tr ...)
+ {DSA-5206-1}
+ - trafficserver 9.1.3+ds-1
+ NOTE: https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
CVE-2021-37149 (Improper Input Validation vulnerability in header parsing of Apache Tr ...)
{DSA-5153-1}
- trafficserver 9.1.1+ds-1
@@ -71911,8 +75636,8 @@ CVE-2021-36863
RESERVED
CVE-2021-36862
RESERVED
-CVE-2021-36861
- RESERVED
+CVE-2021-36861 (Cross-Site Request Forgery (CSRF) vulnerability in Rich Reviews by Sta ...)
+ NOT-FOR-US: WordPress plugin
CVE-2021-36860
RESERVED
CVE-2021-36859
@@ -72965,6 +76690,7 @@ CVE-2021-36418
RESERVED
CVE-2021-36417 (A heap-based buffer overflow vulnerability exists in GPAC v1.0.1 in th ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1846
NOTE: https://github.com/gpac/gpac/commit/737e1f39da80e02912953269966d89afd196ad30 (v2.0.0)
@@ -72974,6 +76700,7 @@ CVE-2021-36415
RESERVED
CVE-2021-36414 (A heab-based buffer overflow vulnerability exists in MP4Box in GPAC 1. ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1840
NOTE: https://github.com/gpac/gpac/commit/6007c7145eb0fcd29fe05b6e5983a065b42c6b21 (v2.0.0)
@@ -72981,6 +76708,7 @@ CVE-2021-36413
RESERVED
CVE-2021-36412 (A heap-based buffer overflow vulnerability exists in MP4Box in GPAC 1. ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1838
NOTE: https://github.com/gpac/gpac/commit/828188475084db87cebc34208b6bd2509709845e (v2.0.0)
@@ -74283,7 +78011,7 @@ CVE-2021-3630 (An out-of-bounds write vulnerability was found in DjVuLibre in DJ
NOTE: https://sourceforge.net/p/djvu/bugs/302/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/7b0ef20690e08f1fe124aebbf42f6310e2f40f81/
CVE-2021-3629 (A flaw was found in Undertow. A potential security issue in flow contr ...)
- - undertow <unfixed>
+ - undertow 2.2.12-1 (bug #1016448)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1977362
NOTE: Make sure to also address followup tracked as CVE-2022-1259:
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2072339
@@ -77152,12 +80880,7 @@ CVE-2021-34688 (iDrive RemotePC before 7.6.48 on Windows allows information disc
CVE-2021-34687 (iDrive RemotePC before 7.6.48 on Windows allows information disclosure ...)
NOT-FOR-US: iDrive RemotePC
CVE-2021-3601
- RESERVED
- - openssl1.0 <removed>
- [stretch] - openssl1.0 <ignored> (Minor issue, upstream does not want to change the behavior in this old version)
- - openssl 1.1.0b-2
- NOTE: Only affects 1.0.2
- NOTE: https://github.com/openssl/openssl/issues/5236
+ REJECTED
CVE-2021-34686
RESERVED
CVE-2021-34685 (UploadService in Hitachi Vantara Pentaho Business Analytics through 9. ...)
@@ -77202,7 +80925,7 @@ CVE-2021-3598 (There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionalit
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/e2667ae1a3ff8a9fce730e61129868b326abb3f5 (2.5)
NOTE: Introduced by https://github.com/AcademySoftwareFoundation/openexr/commit/9f011ae9ce9b1ca03521ff76e7659d34ee830344 (v2.0.0)
CVE-2021-3597 (A flaw was found in undertow. The HTTP2SourceChannel fails to write th ...)
- - undertow <unfixed> (bug #989861)
+ - undertow 2.2.10-1 (bug #989861)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1970930
CVE-2021-34674
RESERVED
@@ -77772,6 +81495,7 @@ CVE-2021-34435 (In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension al
NOT-FOR-US: Eclipse Theia
CVE-2021-34434 (In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic se ...)
- mosquitto <unfixed> (bug #993400)
+ [bullseye] - mosquitto <no-dsa> (Minor issue)
[buster] - mosquitto <not-affected> (Vulnerable code introduced later)
[stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575324
@@ -79170,6 +82894,7 @@ CVE-2021-33829 (A cross-site scripting (XSS) vulnerability in the HTML Data Proc
- ckeditor 4.16.0+dfsg-2
[buster] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed> (bug #1015217)
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
NOTE: https://github.com/ckeditor/ckeditor4/commit/3e426ce34f7fc7bf784624358831ef9e189bb6ed
@@ -79638,11 +83363,14 @@ CVE-2021-33657 (There is a heap overflow problem in video/SDL_pixels.c in SDL (S
NOTE: https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9 (release-2.0.20)
CVE-2021-33656 (When setting font with malicous data by ioctl cmd PIO_FONT,kernel will ...)
- linux 5.14.6-1
+ [bullseye] - linux 5.10.127-1
NOTE: https://git.kernel.org/linus/ff2047fb755d4415ec3c70ac799889371151796d (v5.12-rc1)
CVE-2021-33655 (When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO, ...)
{DSA-5191-1}
- linux 5.18.14-1
- NOTE: https://git.kernel.org/linus/086ff84617185393a0bbf25830c4f36412a7d3f4 (5.19-rc7)
+ NOTE: https://git.kernel.org/linus/65a01e601dbba8b7a51a2677811f70f783766682 (5.19-rc7)
+ NOTE: https://git.kernel.org/linus/e64242caef18b4a5840b0e7a9bff37abd4f4f933 (5.19-rc7)
+ NOTE: https://git.kernel.org/linus/6c11df58fd1ac0aefcb3b227f72769272b939e56 (5.19-rc7)
CVE-2021-33654 (When performing the initialization operation of the Split operator, if ...)
NOT-FOR-US: Mindspore deep learning
CVE-2021-33653 (When performing the derivation shape operation of the SpaceToBatch ope ...)
@@ -79659,14 +83387,14 @@ CVE-2021-33648 (When performing the inference shape operation of Affine, Concat,
NOT-FOR-US: Mindspore deep learning
CVE-2021-33647 (When performing the inference shape operation of the Tile operator, if ...)
NOT-FOR-US: Mindspore deep learning
-CVE-2021-33646
- RESERVED
-CVE-2021-33645
- RESERVED
-CVE-2021-33644
- RESERVED
-CVE-2021-33643
- RESERVED
+CVE-2021-33646 (The th_read() function doesn&#8217;t free a variable t-&gt;th_buf.gnu_ ...)
+ NOT-FOR-US: Huawei OpenEuler OS
+CVE-2021-33645 (The th_read() function doesn&#8217;t free a variable t-&gt;th_buf.gnu_ ...)
+ NOT-FOR-US: Huawei OpenEuler OS
+CVE-2021-33644 (An attacker who submits a crafted tar file with size in header struct ...)
+ NOT-FOR-US: Huawei OpenEuler OS
+CVE-2021-33643 (An attacker who submits a crafted tar file with size in header struct ...)
+ NOT-FOR-US: Huawei OpenEuler OS
CVE-2021-33642
RESERVED
CVE-2021-33641
@@ -80151,7 +83879,7 @@ CVE-2021-33465 (An issue was discovered in yasm version 1.3.0. There is a NULL p
NOTE: https://github.com/yasm/yasm/issues/173
NOTE: Crash in CLI tool, no security impact
CVE-2021-33464 (An issue was discovered in yasm version 1.3.0. There is a heap-buffer- ...)
- - yasm <unfixed>
+ - yasm <unfixed> (bug #1016353)
[bullseye] - yasm <no-dsa> (Minor issue)
[buster] - yasm <no-dsa> (Minor issue)
NOTE: https://github.com/yasm/yasm/issues/164
@@ -80695,10 +84423,19 @@ CVE-2021-33238
RESERVED
CVE-2021-33237
RESERVED
-CVE-2021-33236
- RESERVED
-CVE-2021-33235
- RESERVED
+CVE-2021-33236 (Buffer Overflow vulnerability in write_header in htmldoc through 1.9.1 ...)
+ - htmldoc 1.9.12-1 (unimportant)
+ NOTE: https://github.com/michaelrsweet/htmldoc/issues/425
+ NOTE: https://github.com/michaelrsweet/htmldoc/commit/a0014be47d614220db111b360fb6170ef6f3937e (v1.9.12)
+ NOTE: Crash in CLI tool, no security impact
+ NOTE: Duplicate CVE of CVE-2022-34033
+ TODO: clarify duplicate assignment with assigning CNA
+CVE-2021-33235 (Buffer overflow vulnerability in write_node in htmldoc through 1.9.11 ...)
+ - htmldoc 1.9.12-1 (unimportant)
+ NOTE: https://github.com/michaelrsweet/htmldoc/issues/426
+ NOTE: https://github.com/michaelrsweet/htmldoc/commit/ee778252faebb721afba5a081dd6ad7eaf20eef3 (v1.9.12)
+ NOTE: Duplicate assignment of CVE-2022-34035
+ TODO: clarify duplicate assignment with assigning CNA
CVE-2021-33234
RESERVED
CVE-2021-33233
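Review bot: The new CVE-2021-33235 entry marks htmldoc as `(unimportant)` but, unlike the sibling CVE-2021-33236 entry a few lines above, carries no NOTE justifying that severity. If the same reasoning applies, adding `NOTE: Crash in CLI tool, no security impact` keeps the two entries consistent and lets a later triager see why the issue was downgraded. The two duplicate-assignment NOTEs are also phrased differently (`Duplicate CVE of CVE-2022-34033` versus `Duplicate assignment of CVE-2022-34035`); using one wording for both makes them easier to grep when the CNA question is resolved.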
@@ -81924,8 +85661,8 @@ CVE-2021-32773 (Racket is a general-purpose programming language and an ecosyste
NOTE: https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
CVE-2021-32772 (Poddycast is a podcast app made with Electron. Prior to version 0.8.1, ...)
NOT-FOR-US: Poddycast
-CVE-2021-32771
- RESERVED
+CVE-2021-32771 (Contiki-NG is an open-source, cross-platform operating system for IoT ...)
+ NOT-FOR-US: Contiki-NG
CVE-2021-32770 (Gatsby is a framework for building websites. The gatsby-source-wordpre ...)
NOT-FOR-US: Gatsby
CVE-2021-32769 (Micronaut is a JVM-based, full stack Java framework designed for build ...)
@@ -83238,6 +86975,7 @@ CVE-2021-32272 (An issue was discovered in faad2 before 2.10.0. A heap-buffer-ov
NOTE: https://github.com/knik0/faad2/commit/1b71a6ba963d131375f5e489b3b25e36f19f3f24 (2_10_0)
CVE-2021-32271 (An issue was discovered in gpac through 20200801. A stack-buffer-overf ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/commit/71f1d75eaf71f47944ddbd9356fb498ca252b19a (v1.0.1)
NOTE: https://github.com/gpac/gpac/issues/1575
@@ -83255,6 +86993,7 @@ CVE-2021-32269 (An issue was discovered in gpac through 20200801. A NULL pointer
NOTE: https://github.com/gpac/gpac/commit/fc4d8f594acfd97fc750403cca734671bb623afc (v1.0.1)
CVE-2021-32268 (Buffer overflow vulnerability in function gf_fprintf in os_file.c in g ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1587
NOTE: https://github.com/gpac/gpac/commit/388ecce75d05e11fc8496aa4857b91245007d26e (v1.0.1)
@@ -83934,7 +87673,7 @@ CVE-2021-32027 (A flaw was found in postgresql in versions before 13.3, before 1
- postgresql-9.6 <removed>
NOTE: https://www.postgresql.org/about/news/postgresql-133-127-1112-1017-and-9622-released-2210/
NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=467395bfdf33f1ccf67ca388ffdcc927271544cb (REL_13_3)
-CVE-2018-25014 (A flaw was found in libwebp in versions before 1.0.1. An unitialized v ...)
+CVE-2018-25014 (A use of uninitialized value was found in libwebp in versions before 1 ...)
{DSA-4930-1 DLA-2677-1}
- libwebp 0.6.1-2.1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9496
@@ -87476,26 +91215,26 @@ CVE-2020-36322 (An issue was discovered in the FUSE filesystem implementation in
{DSA-5096-1 DLA-2941-1 DLA-2689-1}
- linux 5.10.9-1
NOTE: https://git.kernel.org/linus/5d069dbe8aaf2a197142558b6fb2978189ba3454
-CVE-2018-25013 (A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds ...)
+CVE-2018-25013 (A heap-based buffer overflow was found in libwebp in versions before 1 ...)
{DSA-4930-1 DLA-2677-1}
- libwebp 0.6.1-2.1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9417
NOTE: https://chromium.googlesource.com/webm/libwebp/+/907208f97ead639bd521cf355a2f203f462eade6
-CVE-2018-25012 (A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds ...)
+CVE-2018-25012 (A heap-based buffer overflow was found in libwebp in versions before 1 ...)
{DSA-4930-1 DLA-2677-1}
- libwebp 0.6.1-2.1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9123
NOTE: https://chromium.googlesource.com/webm/libwebp/+/95fd65070662e01cc9170c4444f5c0859a710097%5E%21/
-CVE-2018-25011 (A flaw was found in libwebp in versions before 1.0.1. A heap-based buf ...)
+CVE-2018-25011 (A heap-based buffer overflow was found in libwebp in versions before 1 ...)
{DSA-4930-1 DLA-2677-1}
- libwebp 0.6.1-2.1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9119
-CVE-2018-25010 (A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds ...)
+CVE-2018-25010 (A heap-based buffer overflow was found in libwebp in versions before 1 ...)
{DSA-4930-1 DLA-2677-1}
- libwebp 0.6.1-2.1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9105
NOTE: https://chromium.googlesource.com/webm/libwebp/+/1344a2e947c749d231141a295327e5b99b444d63%5E%21/#F0
-CVE-2018-25009 (A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds ...)
+CVE-2018-25009 (A heap-based buffer overflow was found in libwebp in versions before 1 ...)
{DSA-4930-1 DLA-2677-1}
- libwebp 0.6.1-2.1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9100
@@ -87912,6 +91651,9 @@ CVE-2021-30560 (Use after free in Blink XSLT in Google Chrome prior to 91.0.4472
- chromium 93.0.4577.82-1 (bug #990079)
[buster] - chromium <end-of-life> (see DSA 5046)
[stretch] - chromium <end-of-life> (see DSA 4562)
+ - libxslt 1.1.35-1
+ NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1219209
+ NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8 (v1.1.35)
CVE-2021-30559 (Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.164 a ...)
- chromium 93.0.4577.82-1 (bug #990079)
[buster] - chromium <end-of-life> (see DSA 5046)
@@ -91766,10 +95508,10 @@ CVE-2021-29120
RESERVED
CVE-2021-29119
RESERVED
-CVE-2021-29118
- RESERVED
-CVE-2021-29117
- RESERVED
+CVE-2021-29118 (An out-of-bounds read vulnerability exists when parsing a specially cr ...)
+ NOT-FOR-US: Esri ArcReader
+CVE-2021-29117 (A use-after-free vulnerability when parsing a specially crafted file i ...)
+ NOT-FOR-US: Esri ArcReader
CVE-2021-29116 (A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Serve ...)
NOT-FOR-US: Esri ArcGIS Server
CVE-2021-29115 (An information disclosure vulnerability in the ArcGIS Service Director ...)
@@ -91778,8 +95520,8 @@ CVE-2021-29114 (A SQL injection vulnerability in feature services provided by Es
NOT-FOR-US: Esri ArcGIS
CVE-2021-29113 (A remote file inclusion vulnerability in the ArcGIS Server help docume ...)
NOT-FOR-US: ArcGIS Server
-CVE-2021-29112
- RESERVED
+CVE-2021-29112 (An out-of-bounds read vulnerability exists when parsing a specially cr ...)
+ NOT-FOR-US: Esri ArcReader
CVE-2021-29111
RESERVED
CVE-2021-29110 (Stored cross-site scripting (XSS) issue in Esri Portal for ArcGIS may ...)
@@ -93307,8 +97049,8 @@ CVE-2021-28513
RESERVED
CVE-2021-28512
RESERVED
-CVE-2021-28511
- RESERVED
+CVE-2021-28511 (This advisory documents the impact of an internally found vulnerabilit ...)
+ NOT-FOR-US: Arista
CVE-2021-28510
RESERVED
CVE-2021-28509 (This advisory documents the impact of an internally found vulnerabilit ...)
@@ -95105,8 +98847,8 @@ CVE-2021-27799 (ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator
- zint 2.9.1-1.1 (bug #983610)
NOTE: https://sourceforge.net/p/zint/tickets/218/
NOTE: https://sourceforge.net/p/zint/code/ci/7f8c8114f31c09a986597e0ba63a49f96150368a/
-CVE-2021-27798
- RESERVED
+CVE-2021-27798 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability in Brocade Fabric OS v ...)
+ NOT-FOR-US: Brocade
CVE-2021-27797 (Brocade Fabric OS before Brocade Fabric OS v8.2.1c, v8.1.2h, and all v ...)
NOT-FOR-US: Brocade
CVE-2021-27796 (A vulnerability in Brocade Fabric OS versions before Brocade Fabric OS ...)
@@ -95131,8 +98873,8 @@ CVE-2021-27787
RESERVED
CVE-2021-27786 (Cross-origin resource sharing (CORS) enables browsers to perform cross ...)
NOT-FOR-US: HCL
-CVE-2021-27785
- RESERVED
+CVE-2021-27785 (HCL Commerce's Remote Store server could allow a local attacker to obt ...)
+ NOT-FOR-US: HCL Commerce's Remote Store server
CVE-2021-27784
RESERVED
CVE-2021-27783 (User generated PPKG file for Bulk Enroll may have unencrypted sensitiv ...)
@@ -98852,6 +102594,7 @@ CVE-2021-26271 (It was possible to execute a ReDoS-type attack inside CKEditor 4
[buster] - ckeditor <no-dsa> (Minor issue)
[stretch] - ckeditor <postponed> (Fix along next DLA)
- ckeditor3 <unfixed> (bug #1015217)
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
CVE-2021-26270
@@ -99038,29 +102781,29 @@ CVE-2021-26201 (The Login Panel of CASAP Automated Enrollment System 1.0 is vuln
CVE-2021-26200 (The user area for Library System 1.0 is vulnerable to SQL injection wh ...)
NOT-FOR-US: Library System
CVE-2021-26199 (An issue was discovered in JerryScript 2.4.0. There is a heap-use-afte ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4056
CVE-2021-26198 (An issue was discovered in JerryScript 2.4.0. There is a SEVG in ecma_ ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4402
CVE-2021-26197 (An issue was discovered in JerryScript 2.4.0. There is a SEGV in main_ ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4403
CVE-2021-26196
RESERVED
CVE-2021-26195 (An issue was discovered in JerryScript 2.4.0. There is a heap-buffer-o ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4442
CVE-2021-26194 (An issue was discovered in JerryScript 2.4.0. There is a heap-use-afte ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4445
@@ -99562,7 +103305,7 @@ CVE-2021-25981 (In Talkyard, regular versions v0.2021.20 through v0.2021.33 and
NOT-FOR-US: Talkyard
CVE-2021-25980 (In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22 ...)
NOT-FOR-US: Talkyard
-CVE-2021-25979 (Apostrophe CMS versions between 2.63.0 to 3.3.1 affected by an insuffi ...)
+CVE-2021-25979 (Apostrophe CMS versions prior to 3.3.1 did not invalidate existing log ...)
NOT-FOR-US: Apostrophe CMS
CVE-2021-25978 (Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stor ...)
NOT-FOR-US: Apostrophe CMS
@@ -100327,7 +104070,7 @@ CVE-2021-25745 (A security issue was discovered in ingress-nginx where a user th
CVE-2021-25744
RESERVED
CVE-2021-25743 (kubectl does not neutralize escape, meta or control sequences containe ...)
- - kubernetes <unfixed>
+ - kubernetes <unfixed> (bug #1016441)
[bullseye] - kubernetes <no-dsa> (Minor issue)
NOTE: https://github.com/kubernetes/kubernetes/issues/101695
CVE-2021-25742 (A security issue was discovered in ingress-nginx where a user that can ...)
@@ -105628,7 +109371,7 @@ CVE-2021-23452 (This affects all versions of package x-assign. The global proto
CVE-2021-23451 (The package otp-generator before 3.0.0 are vulnerable to Insecure Rand ...)
NOT-FOR-US: Node otp-generator
CVE-2021-23450 (All versions of package dojo are vulnerable to Prototype Pollution via ...)
- - dojo <unfixed> (bug #1014785)
+ - dojo 1.17.2+dfsg1-1 (bug #1014785)
[bullseye] - dojo <no-dsa> (Minor issue)
[buster] - dojo <no-dsa> (Minor issue)
NOTE: https://github.com/advisories/GHSA-m8gw-hjpr-rjv7
@@ -105799,8 +109542,11 @@ CVE-2021-23387 (The package trailing-slash before 2.0.1 are vulnerable to Open R
NOT-FOR-US: Node trailing-slash
CVE-2021-23386 (This affects the package dns-packet before 5.2.2. It creates buffers w ...)
NOT-FOR-US: Node dns-packet
-CVE-2021-23385
- RESERVED
+CVE-2021-23385 (This affects all versions of package Flask-Security. When using the ge ...)
+ - flask-security <unfixed>
+ [bullseye] - flask-security <no-dsa> (Minor issue)
+ [buster] - flask-security <no-dsa> (Minor issue)
+ NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234
CVE-2021-23384 (The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to ...)
NOT-FOR-US: Node koa-remove-trailing-slashes before
CVE-2021-23383 (The package handlebars before 4.7.7 are vulnerable to Prototype Pollut ...)
@@ -106726,22 +110472,20 @@ CVE-2021-22949 (A CSRF in Concrete CMS version 8.5.5 and below allows an attacke
CVE-2021-22948 (Vulnerability in the generation of session IDs in revive-adserver &lt; ...)
NOT-FOR-US: revive-adserver
CVE-2021-22947 (When curl &gt;= 7.20.0 and &lt;= 7.78.0 connects to an IMAP or POP3 se ...)
- {DLA-2773-1}
+ {DSA-5197-1 DLA-2773-1}
- curl 7.79.1-1
- [bullseye] - curl <no-dsa> (Minor issue)
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2021-22947.html
NOTE: Fixed by: https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68 (curl-7_79_0)
CVE-2021-22946 (A user can tell curl &gt;= 7.20.0 and &lt;= 7.78.0 to require a succes ...)
- {DLA-2773-1}
+ {DSA-5197-1 DLA-2773-1}
- curl 7.79.1-1
- [bullseye] - curl <no-dsa> (Minor issue)
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2021-22946.html
NOTE: Fixed by: https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca (curl-7_79_0)
CVE-2021-22945 (When sending data to an MQTT server, libcurl &lt;= 7.73.0 and 7.78.0 c ...)
+ {DSA-5197-1}
- curl 7.79.1-1
- [bullseye] - curl <no-dsa> (Minor issue)
[buster] - curl <not-affected> (Vulnerable code introduced later)
[stretch] - curl <not-affected> (Vulnerable code introduced later)
NOTE: https://curl.se/docs/CVE-2021-22945.html
@@ -106812,9 +110556,8 @@ CVE-2021-22925 (curl supports the `-t` command line option, known as `CURLOPT_TE
NOTE: CVE is assigned because previous attempt to address CVE-2021-22898 resulted to be
NOTE: insufficient and the security vulnerability remained.
CVE-2021-22924 (libcurl keeps previously used connections in a connection pool for sub ...)
- {DLA-2734-1}
+ {DSA-5197-1 DLA-2734-1}
- curl 7.79.1-1 (bug #991492)
- [bullseye] - curl <no-dsa> (Minor issue)
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2021-22924.html
NOTE: Introduced by: https://github.com/curl/curl/commit/89721ff04af70f527baae1368f3b992777bf6526 (curl-7_10_4)
@@ -106898,9 +110641,8 @@ CVE-2021-22900 (A vulnerability allowed multiple unrestricted uploads in Pulse C
CVE-2021-22899 (A command injection vulnerability exists in Pulse Connect Secure befor ...)
NOT-FOR-US: Pulse Connect Secure
CVE-2021-22898 (curl 7.7 through 7.76.1 suffers from an information disclosure when th ...)
- {DLA-2734-1}
+ {DSA-5197-1 DLA-2734-1}
- curl 7.79.1-1 (bug #989228)
- [bullseye] - curl <no-dsa> (Minor issue)
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2021-22898.html
NOTE: Introduced by: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 (7.7)
@@ -108360,8 +112102,8 @@ CVE-2021-22291
RESERVED
CVE-2021-22290
RESERVED
-CVE-2021-22289
- RESERVED
+CVE-2021-22289 (Improper Input Validation vulnerability in the project upload mechanis ...)
+ NOT-FOR-US: B&R Automation Studio
CVE-2021-22288 (Improper Input Validation vulnerability in the ABB SPIET800 and PNI800 ...)
NOT-FOR-US: ABB
CVE-2021-22287
@@ -108903,6 +112645,7 @@ CVE-2021-22061
RESERVED
CVE-2021-22060 (In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older ...)
- libspring-java <unfixed>
+ [buster] - libspring-java <end-of-life> (No longer supported in LTS)
[stretch] - libspring-java <end-of-life> (EOL'd for stretch)
NOTE: follow-up to CVE-2021-22096
NOTE: https://tanzu.vmware.com/security/cve-2021-22060
@@ -109274,7 +113017,7 @@ CVE-2021-21897 (A code execution vulnerability exists in the DL_Dxf::handleLWPol
[buster] - dxflib <no-dsa> (Minor issue)
[stretch] - dxflib <no-dsa> (Minor issue)
- horizon-eda <unfixed> (bug #1010348)
- - librecad <unfixed> (bug #1010349)
+ - librecad <unfixed> (unimportant; bug #1010349)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1346
NOTE: https://github.com/qcad/qcad/commit/1eeffc5daf5a06cf6213ffc19e95923cdebb2eb8
CVE-2021-21896 (A directory traversal vulnerability exists in the Web Manager FsBrowse ...)
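Review bot: Only librecad is tagged `(unimportant; bug #1010349)`, while horizon-eda, listed on the line above against the same dxflib code-execution issue, stays `<unfixed> (bug #1010348)` with no severity tag. If the rationale applies to both embedded copies of dxflib, the horizon-eda line should get the same tag; if it applies only to librecad, a `NOTE:` line stating why would stop the next triager from re-raising the question. I cannot tell from the hunk which case it is.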
@@ -117984,7 +121727,7 @@ CVE-2020-29659 (A buffer overflow in the web server of Flexense DupScout Enterpr
CVE-2020-29658 (Zoho ManageEngine Application Control Plus before 100523 has an insecu ...)
NOT-FOR-US: Zoho ManageEngine
CVE-2020-29657 (In JerryScript 2.3.0, there is an out-of-bounds read in main_print_unh ...)
- - iotjs <unfixed> (bug #977736; unimportant)
+ - iotjs <removed> (bug #977736; unimportant)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4244
NOTE: Does not affect code built in into the library
CVE-2020-29656 (An information disclosure vulnerability exists in RT-AC88U Download Ma ...)
@@ -122917,12 +126660,12 @@ CVE-2020-28455 (This affects all versions of package markdown-it-toc. The title
NOT-FOR-US: Node markdown-it-toc
CVE-2020-28454
RESERVED
-CVE-2020-28453
- RESERVED
+CVE-2020-28453 (This affects all versions of package npos-tesseract. The injection poi ...)
+ NOT-FOR-US: Node npos-tesseract
CVE-2020-28452 (This affects the package com.softwaremill.akka-http-session:core_2.12 ...)
NOT-FOR-US: akka-http-session
-CVE-2020-28451
- RESERVED
+CVE-2020-28451 (This affects the package image-tiler before 2.0.2. ...)
+ NOT-FOR-US: Node image-tiler
CVE-2020-28450 (This affects all versions of package decal. The vulnerability is in th ...)
NOT-FOR-US: Node decal
CVE-2020-28449 (This affects all versions of package decal. The vulnerability is in th ...)
@@ -122949,16 +126692,16 @@ CVE-2020-28439 (This affects all versions of package corenlp-js-prefab. The inje
NOT-FOR-US: corenlp-js-prefab
CVE-2020-28438 (This affects all versions of package deferred-exec. The injection poin ...)
NOT-FOR-US: Node deferred-exec
-CVE-2020-28437
- RESERVED
+CVE-2020-28437 (This affects all versions of package heroku-env. The injection point i ...)
+ NOT-FOR-US: Node heroku-env
CVE-2020-28436 (This affects all versions of package google-cloudstorage-commands. ...)
NOT-FOR-US: Node google-cloudstorage-commands
CVE-2020-28435 (This affects all versions of package ffmpeg-sdk. The injection point i ...)
NOT-FOR-US: Node ffmpeg-sdk
-CVE-2020-28434
- RESERVED
-CVE-2020-28433
- RESERVED
+CVE-2020-28434 (This affects all versions of package gitblame. The injection point is ...)
+ NOT-FOR-US: Node gitblame
+CVE-2020-28433 (This affects all versions of package node-latex-pdf. ...)
+ NOT-FOR-US: node-latex-pdf
CVE-2020-28432
REJECTED
CVE-2020-28431
@@ -122973,12 +126716,12 @@ CVE-2020-28427
RESERVED
CVE-2020-28426 (All versions of package kill-process-on-port are vulnerable to Command ...)
NOT-FOR-US: Node kill-process-on-port
-CVE-2020-28425
- RESERVED
-CVE-2020-28424
- RESERVED
-CVE-2020-28423
- RESERVED
+CVE-2020-28425 (This affects all versions of package curljs. ...)
+ NOT-FOR-US: Node curljs
+CVE-2020-28424 (This affects all versions of package s3-kilatstorage. ...)
+ NOT-FOR-US: Node s3-kilatstorage
+CVE-2020-28423 (This affects all versions of package monorepo-build. ...)
+ NOT-FOR-US: Node monorepo-build
CVE-2020-28422 (All versions of package git-archive are vulnerable to Command Injectio ...)
NOT-FOR-US: Node git-archive
CVE-2020-28421 (CA Unified Infrastructure Management 20.1 and earlier contains a vulne ...)
@@ -123106,7 +126849,7 @@ CVE-2020-28368 (Xen through 4.14.x allows guest OS administrators to obtain sens
- xen 4.14.0+80-gd101b417b7-1
[stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-351.html
-CVE-2020-28367 (Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection. ...)
+CVE-2020-28367 (Code injection in the go command with cgo before Go 1.14.12 and Go 1.1 ...)
{DLA-2460-1}
- golang-1.15 1.15.5-1
- golang-1.11 <removed>
@@ -123356,8 +127099,8 @@ CVE-2021-0977 (In phNxpNHal_DtaUpdate of phNxpNciHal_dta.cc, there is a possible
NOT-FOR-US: Android
CVE-2021-0976 (In toBARK of floor0.c, there is a possible out of bounds read due to a ...)
NOT-FOR-US: Android
-CVE-2021-0975
- RESERVED
+CVE-2021-0975 (In USB Manager, there is a possible way to determine whether an app is ...)
+ NOT-FOR-US: Android
CVE-2021-0974
RESERVED
CVE-2021-0973 (In isFileUri of UriUtil.java, there is a possible way to bypass ignori ...)
@@ -123496,6 +127239,8 @@ CVE-2021-0920 (In unix_scm_to_skb of af_unix.c, there is a possible use after fr
[buster] - linux 4.19.208-1
NOTE: https://git.kernel.org/linus/cbcf01128d0a92e131bd09f1688fe032480b65ca
NOTE: https://source.android.com/security/bulletin/2021-11-01
+ NOTE: https://googleprojectzero.blogspot.com/2022/08/the-quantum-state-of-linux-kernel.html
+ NOTE: https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-0920.html
CVE-2021-0919 (In getService of IServiceManager.cpp, there is a possible unhandled ex ...)
NOT-FOR-US: Android
CVE-2021-0918 (In gatt_process_notification of gatt_cl.cc, there is a possible out of ...)
@@ -123864,10 +127609,10 @@ CVE-2021-0737
RESERVED
CVE-2021-0736
RESERVED
-CVE-2021-0735
- RESERVED
-CVE-2021-0734
- RESERVED
+CVE-2021-0735 (In PackageManager, there is a possible way to get information about in ...)
+ NOT-FOR-US: Android
+CVE-2021-0734 (In Settings, there is a possible way to determine whether an app is in ...)
+ NOT-FOR-US: Android
CVE-2021-0733
RESERVED
CVE-2021-0732
@@ -124313,7 +128058,7 @@ CVE-2021-0520 (In several functions of MemoryFileSystem.cpp and related files, t
NOT-FOR-US: Android media framework
CVE-2021-0519 (In BITSTREAM_FLUSH of ih264e_bitstream.h, there is a possible out of b ...)
NOT-FOR-US: Google Play
-CVE-2021-0518 (In handleSendStatusChangeBroadcast of WifiDisplayAdapter.java, there i ...)
+CVE-2021-0518 (In Wi-Fi, there is a possible leak of location-sensitive data due to a ...)
NOT-FOR-US: Android
CVE-2021-0517 (In updateCapabilities of ConnectivityService.java, there is a possible ...)
NOT-FOR-US: Android
@@ -126635,7 +130380,7 @@ CVE-2018-21269 (checkpath in OpenRC through 0.42.1 might allow local users to ta
[stretch] - openrc <no-dsa> (Minor issue)
NOTE: https://github.com/OpenRC/openrc/issues/201
NOTE: http://michael.orlitzky.com/cves/cve-2018-21269.xhtml
- NOTE: https://github.com/OpenRC/openrc/commit/b6fef599bf8493480664b766040fa9b0d4b1e335
+ NOTE: https://github.com/OpenRC/openrc/commit/b6fef599bf8493480664b766040fa9b0d4b1e335 (0.43)
CVE-2020-27734
RESERVED
CVE-2020-27733 (Zoho ManageEngine Applications Manager before 14 build 14880 allows an ...)
@@ -132749,6 +136494,7 @@ CVE-2020-25428
RESERVED
CVE-2020-25427 (A Null pointer dereference vulnerability exits in MP4Box - GPAC versio ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1406
NOTE: https://github.com/gpac/gpac/commit/8e585e623b1d666b4ef736ed609264639cb27701 (v0.8.1)
@@ -134143,6 +137889,7 @@ CVE-2020-24830
RESERVED
CVE-2020-24829 (An issue was discovered in GPAC v0.8.0, as demonstrated by MP4Box. It ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1422
NOTE: https://github.com/gpac/gpac/commit/8c5e847185d74462d674ee7d28fb46c29dae6dd2
@@ -135339,7 +139086,7 @@ CVE-2020-24346 (njs through 0.4.3, used in NGINX, has a use-after-free in njs_js
CVE-2020-24345 (** DISPUTED ** JerryScript through 2.3.0 allows stack consumption via ...)
NOTE: Disputed JerryScript issue
CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const argumen ...)
- - iotjs <unfixed> (bug #988213)
+ - iotjs <removed> (bug #988213)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976
@@ -136270,11 +140017,17 @@ CVE-2020-23917
CVE-2020-23916
RESERVED
CVE-2020-23915 (An issue was discovered in cpp-peglib through v0.1.12. peg::resolve_es ...)
- TODO: retroarch and salmon embed peglib, check if it's actually a security issue
+ - retroarch <unfixed> (unimportant)
+ NOTE: peglib.h is not compiled in Debian builds
+ - salmon <not-affected> (Vulnerable code never in a released Debian version)
+ NOTE: Crash in CLI tool, no security impact
NOTE: https://github.com/yhirose/cpp-peglib/commit/b3b29ce8f3acf3a32733d930105a17d7b0ba347e
NOTE: https://github.com/yhirose/cpp-peglib/issues/122
CVE-2020-23914 (An issue was discovered in cpp-peglib through v0.1.12. A NULL pointer ...)
- TODO: retroarch and salmon embed peglib, check if it's actually a security issue
+ - retroarch <unfixed> (unimportant)
+ NOTE: peglib.h is not compiled in Debian builds
+ - salmon <not-affected> (Vulnerable code never in a released Debian version)
+ NOTE: Crash in CLI tool, no security impact
NOTE: https://github.com/yhirose/cpp-peglib/commit/0061f393de54cf0326621c079dc2988336d1ebb3
NOTE: https://github.com/yhirose/cpp-peglib/issues/121
CVE-2020-23913
@@ -136878,8 +140631,8 @@ CVE-2020-23624
RESERVED
CVE-2020-23623
RESERVED
-CVE-2020-23622
- RESERVED
+CVE-2020-23622 (** UNSUPPORTED WHEN ASSIGNED ** An issue in the UPnP protocol in 4thli ...)
+ NOT-FOR-US: 4thline/cling
CVE-2020-23621 (The Java Remote Management Interface of all versions of SVI MS Managem ...)
NOT-FOR-US: Squire Remote Management Interface
CVE-2020-23620 (The Java Remote Management Interface of all versions of Orlansoft ERP ...)
@@ -137477,27 +141230,27 @@ CVE-2020-23325
CVE-2020-23324
RESERVED
CVE-2020-23323 (There is a heap-buffer-overflow at re-parser.c in re_parse_char_escape ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3871
CVE-2020-23322 (There is an Assertion in 'context_p-&gt;token.type == LEXER_RIGHT_BRAC ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3869
CVE-2020-23321 (There is a heap-buffer-overflow at lit-strings.c:431 in lit_read_code_ ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3870
CVE-2020-23320 (There is an Assertion in 'context_p-&gt;next_scanner_info_p-&gt;type = ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3835
CVE-2020-23319 (There is an Assertion in '(flags &gt;&gt; CBC_STACK_ADJUST_SHIFT) &gt; ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3834
@@ -137510,44 +141263,44 @@ CVE-2020-23316
CVE-2020-23315 (There is an ASSERTION (pFuncBody-&gt;GetYieldRegister() == oldYieldReg ...)
NOT-FOR-US: Microsoft
CVE-2020-23314 (There is an Assertion 'block_found' failed at js-parser-statm.c:2003 p ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3825
CVE-2020-23313 (There is an Assertion 'scope_stack_p &gt; context_p-&gt;scope_stack_p' ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3823
CVE-2020-23312 (There is an Assertion 'context.status_flags &amp; PARSER_SCANNING_SUCC ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3824
CVE-2020-23311 (There is an Assertion 'context_p-&gt;token.type == LEXER_RIGHT_BRACE | ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3822
CVE-2020-23310 (There is an Assertion 'context_p-&gt;next_scanner_info_p-&gt;type == S ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3821
CVE-2020-23309 (There is an Assertion 'context_p-&gt;stack_depth == context_p-&gt;cont ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3820
CVE-2020-23308 (There is an Assertion 'context_p-&gt;stack_top_uint8 == LEXER_EXPRESSI ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3819
CVE-2020-23307
RESERVED
CVE-2020-23306 (There is a stack-overflow at ecma-regexp-object.c:535 in ecma_regexp_m ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3753
@@ -137556,12 +141309,12 @@ CVE-2020-23305
CVE-2020-23304
RESERVED
CVE-2020-23303 (There is a heap-buffer-overflow at jmem-poolman.c:165 in jmem_pools_co ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3749
CVE-2020-23302 (There is a heap-use-after-free at ecma-helpers-string.c:772 in ecma_re ...)
- - iotjs <unfixed> (bug #989991)
+ - iotjs <removed> (bug #989991)
[bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3748
@@ -137635,6 +141388,7 @@ CVE-2020-23270
RESERVED
CVE-2020-23269 (An issue was discovered in gpac 0.8.0. The stbl_GetSampleSize function ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1482
NOTE: fixed by fixes for related bugs, no specific commit identified upstream
@@ -137644,6 +141398,7 @@ CVE-2020-23268
RESERVED
CVE-2020-23267 (An issue was discovered in gpac 0.8.0. The gf_hinter_track_process fun ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1479
NOTE: fixed by fixes for related bugs, no specific commit identified upstream
@@ -137651,6 +141406,7 @@ CVE-2020-23267 (An issue was discovered in gpac 0.8.0. The gf_hinter_track_proce
NOTE: https://github.com/gpac/gpac/commit/b286aa0cdc0cb781e96430c8777d38f066a2c9f9 (v0.9.0, v0.8.1)
CVE-2020-23266 (An issue was discovered in gpac 0.8.0. The OD_ReadUTF8String function ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/commit/47d8bc5b3ddeed6d775197ebefae7c94a45d9bf2 (v0.9.0, v0.8.1)
NOTE: https://github.com/gpac/gpac/issues/1481
@@ -141157,10 +144913,10 @@ CVE-2020-21644
RESERVED
CVE-2020-21643
RESERVED
-CVE-2020-21642
- RESERVED
-CVE-2020-21641
- RESERVED
+CVE-2020-21642 (Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropuse ...)
+ NOT-FOR-US: ManageEngine Analytics Plus
+CVE-2020-21641 (Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho Manage ...)
+ NOT-FOR-US: ManageEngine Analytics Plus
CVE-2020-21640
RESERVED
CVE-2020-21639 (Ruijie RG-UAC 6000-E50 commit 9071227 was discovered to contain a cros ...)
@@ -141810,8 +145566,10 @@ CVE-2020-21367
RESERVED
CVE-2020-21366
RESERVED
-CVE-2020-21365
- RESERVED
+CVE-2020-21365 (Directory traversal vulnerability in wkhtmltopdf through 0.12.5 allows ...)
+ - wkhtmltopdf 0.12.6-1
+ NOTE: https://github.com/wkhtmltopdf/wkhtmltopdf/commit/2a5f25077895fb075812c0f599326f079a59d6cf (0.12.6)
+ NOTE: https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536
CVE-2020-21364
RESERVED
CVE-2020-21363 (An arbitrary file deletion vulnerability exists within Maccms10. ...)
@@ -157854,7 +161612,7 @@ CVE-2020-14360 (A flaw was found in the X.Org Server before version 1.20.10. An
{DSA-4803-1 DLA-2486-1}
- xorg-server 2:1.20.10-1 (bug #976216)
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b
-CVE-2020-14359 (A vulnerability was found in all versions of keycloak, where on using ...)
+CVE-2020-14359 (A vulnerability was found in all versions of Keycloak Gatekeeper, wher ...)
NOT-FOR-US: Keycloak
CVE-2020-14358
REJECTED
@@ -159832,7 +163590,7 @@ CVE-2020-13693 (An unauthenticated privilege-escalation issue exists in the bbPr
NOT-FOR-US: bbPress plugin for WordPress
CVE-2020-13692 (PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. ...)
- libpgjava 42.2.12-2 (low; bug #962828)
- [buster] - libpgjava <no-dsa> (Minor issue)
+ [buster] - libpgjava 42.2.5-2+deb10u1
[stretch] - libpgjava <no-dsa> (Minor issue)
[jessie] - libpgjava <no-dsa> (Minor issue)
NOTE: https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65
@@ -163501,6 +167259,7 @@ CVE-2019-20791 (OpenThread before 2019-12-13 has a stack-based buffer overflow i
CVE-2018-21232 (re2c before 2.0 has uncontrolled recursion that causes stack consumpti ...)
- re2c <unfixed> (unimportant)
NOTE: https://github.com/skvadrik/re2c/issues/219
+ NOTE: Fixed by: https://github.com/skvadrik/re2c/commit/5fffb1870181d6179118586e21ed2889b8b4abc8
NOTE: https://www.openwall.com/lists/oss-security/2020/04/27/2
NOTE: Crash im CLI tool, no security impact
CVE-2020-12286 (In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the Task ...)
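Review bot: The added `NOTE: Fixed by: https://github.com/skvadrik/re2c/commit/5fffb1870181d6179118586e21ed2889b8b4abc8` carries no release tag, whereas the other commit-URL notes in this change do (for example `(0.43)` on the OpenRC entry and `(3.3.1)` on the thenify entry). The description says `re2c before 2.0`, so the tag is presumably `(2.0)`; worth confirming upstream and appending, since the `- re2c <unfixed> (unimportant)` line gives readers no other hint of which version carries the fix. The untouched context line `NOTE: Crash im CLI tool, no security impact` also has a typo (`im` for `in`) that could be fixed in the same edit.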
@@ -175143,10 +178902,14 @@ CVE-2020-8288 (The `specializedRendering` function in Rocket.Chat server before
NOT-FOR-US: Rocket.Chat
CVE-2020-8287 (Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two co ...)
{DSA-4826-1}
+ - http-parser 2.9.4-5 (bug #1016690)
+ [bullseye] - http-parser <no-dsa> (Minor issue)
+ [buster] - http-parser <no-dsa> (Minor issue)
- nodejs 12.20.1~dfsg-1 (bug #979364)
[stretch] - nodejs <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://nodejs.org/en/blog/release/v10.23.1/
NOTE: https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e (v10.23.1)
+ NOTE: https://github.com/nodejs/http-parser/pull/530/
CVE-2020-8286 (curl 7.41.0 through 7.73.0 is vulnerable to an improper check for cert ...)
{DSA-4881-1 DLA-2500-1}
- curl 7.74.0-1 (bug #977161)
@@ -176534,8 +180297,8 @@ CVE-2020-7797
RESERVED
CVE-2020-7796 (Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF whe ...)
NOT-FOR-US: Zimbra Collaboration Suite (ZCS)
-CVE-2020-7795
- RESERVED
+CVE-2020-7795 (The package get-npm-package-version before 1.0.7 are vulnerable to Com ...)
+ NOT-FOR-US: Node get-npm-package-version
CVE-2020-7794 (This affects all versions of package buns. The injection point is loca ...)
NOT-FOR-US: Node buns
CVE-2020-7793 (The package ua-parser-js before 0.7.23 are vulnerable to Regular Expre ...)
@@ -176821,7 +180584,7 @@ CVE-2020-7678 (This affects all versions of package node-import. The "params" ar
CVE-2020-7677 (This affects the package thenify before 3.3.1. The name argument provi ...)
- node-thenify 3.3.1-1
NOTE: https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690
- NOTE: https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a
+ NOTE: https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a (3.3.1)
CVE-2020-7676 (angular.js prior to 1.8.0 allows cross site scripting. The regex-based ...)
- angular.js 1.8.0-1
[buster] - angular.js <no-dsa> (Minor issue; can be fixed via point release)
@@ -193288,8 +197051,8 @@ CVE-2020-1756
RESERVED
CVE-2020-1755
RESERVED
-CVE-2020-1754
- RESERVED
+CVE-2020-1754 (In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the gra ...)
+ - moodle <removed>
CVE-2020-1753 (A security flaw was found in Ansible Engine, all Ansible 2.7.x version ...)
{DSA-4950-1}
- ansible 2.9.16+dfsg-1
@@ -193562,8 +197325,8 @@ CVE-2020-1693 (A flaw was found in Spacewalk up to version 2.9 where it was vuln
NOT-FOR-US: Red Hat Satellite / Spacewalk
CVE-2020-1692 (Moodle before version 3.7.2 is vulnerable to information exposure of s ...)
- moodle <removed>
-CVE-2020-1691
- RESERVED
+CVE-2020-1691 (In Moodle 3.8, messages required extra sanitizing before updating the ...)
+ - moodle <removed>
CVE-2020-1690 (An improper authorization flaw was discovered in openstack-selinux's a ...)
NOT-FOR-US: openstack-selinux
CVE-2019-19364 (A weak malicious user can escalate its privilege whenever CatalystProd ...)
@@ -193613,7 +197376,7 @@ CVE-2019-19344 (There is a use-after-free issue in all samba 4.9.x versions befo
[jessie] - samba <not-affected> (Only affects Samba 4.9 onwards)
NOTE: https://www.samba.org/samba/security/CVE-2019-19344.html
CVE-2019-19343 (A flaw was found in Undertow when using Remoting as shipped in Red Hat ...)
- - undertow <unfixed> (bug #948024; unimportant)
+ - undertow 2.0.25-1 (bug #948024; unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1780445
NOTE: Issue affects both Undertow and rmeoting, but for adressing the immediate
NOTE: issue only af fix via remoting (https://issues.redhat.com/browse/REM3-347)
@@ -222651,7 +226414,7 @@ CVE-2019-10945 (An issue was discovered in Joomla! before 3.9.5. The Media Manag
NOT-FOR-US: Joomla!
CVE-2019-10944
RESERVED
-CVE-2019-10943 (A vulnerability has been identified in SIMATIC ET 200SP Open Controlle ...)
+CVE-2019-10943 (A vulnerability has been identified in SIMATIC Drive Controller family ...)
NOT-FOR-US: Siemens
CVE-2019-10942 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...)
NOT-FOR-US: Siemens
@@ -224583,7 +228346,7 @@ CVE-2019-10206 (ansible-playbook -k and ansible cli tools, all versions 2.8.x be
CVE-2019-10205 (A flaw was found in the way Red Hat Quay stores robot account tokens i ...)
NOT-FOR-US: Red Hat Quay
CVE-2019-10204
- RESERVED
+ REJECTED
CVE-2019-10203 (PowerDNS Authoritative daemon , pdns versions 4.0.x before 4.0.9, 4.1. ...)
- pdns 4.2.0-1 (low; bug #970729)
[buster] - pdns 4.1.6-3+deb10u1
@@ -237436,6 +241199,9 @@ CVE-2019-5815 (Type confusion in xsltNumberFormatGetMultipleLevel prior to libxs
{DSA-4500-1}
- chromium 74.0.3729.108-1
[stretch] - chromium <end-of-life> (see DSA 4562)
+ - libxslt 1.1.34-2
+ NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=930663
+ NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b (v1.1.34-rc2)
CVE-2019-5814 (Insufficient policy enforcement in Blink in Google Chrome prior to 74. ...)
{DSA-4500-1}
- chromium 74.0.3729.108-1
@@ -258147,6 +261913,7 @@ CVE-2018-17960 (CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a
[stretch] - ckeditor <ignored> (Minor issue, XSS through direct copy/paste by victim, no identified patch)
[jessie] - ckeditor <ignored> (Minor issue)
- ckeditor3 <unfixed> (low; bug #1015217)
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
- fckeditor <removed>
CVE-2018-17959
@@ -261780,9 +265547,9 @@ CVE-2018-16559 (A vulnerability has been identified in SIMATIC S7-1500 CPU (All
NOT-FOR-US: Siemens
CVE-2018-16558 (A vulnerability has been identified in SIMATIC S7-1500 CPU (All versio ...)
NOT-FOR-US: Siemens
-CVE-2018-16557 (A vulnerability has been identified in SIMATIC S7-400 (incl. F) V6 and ...)
+CVE-2018-16557 (A vulnerability has been identified in SIMATIC S7-400 DP V7 CPU family ...)
NOT-FOR-US: Siemens
-CVE-2018-16556 (A vulnerability has been identified in SIMATIC S7-400 (incl. F) V6 and ...)
+CVE-2018-16556 (A vulnerability has been identified in SIMATIC S7-400 DP V7 CPU family ...)
NOT-FOR-US: Siemens
CVE-2018-16555 (A vulnerability has been identified in SCALANCE S602 (All versions &lt ...)
NOT-FOR-US: Siemens
@@ -277183,17 +280950,17 @@ CVE-2018-10870 (redhat-certification does not properly sanitize paths in rhcertS
NOT-FOR-US: Red Hat Certification
CVE-2018-10869 (redhat-certification does not properly restrict files that can be down ...)
NOT-FOR-US: Red Hat Certification
-CVE-2018-10868 (It has been discovered that redhat-certification does not properly lim ...)
+CVE-2018-10868 (redhat-certification 7 does not properly restrict the number of recurs ...)
NOT-FOR-US: Red Hat Certification
-CVE-2018-10867 (It has been discovered that redhat-certification does not restrict fil ...)
+CVE-2018-10867 (Files are accessible without restrictions from the /update/results pag ...)
NOT-FOR-US: Red Hat Certification
-CVE-2018-10866 (It has been discovered that redhat-certification does not perform an a ...)
+CVE-2018-10866 (It was discovered that the /configuration view of redhat-certification ...)
NOT-FOR-US: Red Hat Certification
-CVE-2018-10865 (It has been discovered that redhat-certification does not perform an a ...)
+CVE-2018-10865 (It was discovered that the /configuration view of redhat-certification ...)
NOT-FOR-US: Red Hat Certification
CVE-2018-10864 (An uncontrolled resource consumption flaw has been discovered in redha ...)
NOT-FOR-US: Red Hat Certification
-CVE-2018-10863 (It has been discovered that redhat-certification is not properly confi ...)
+CVE-2018-10863 (It was discovered that redhat-certification 7 is not properly configur ...)
NOT-FOR-US: Red Hat Certification
CVE-2018-10862 (WildFly Core before version 6.0.0.Alpha3 does not properly validate fi ...)
- wildfly <itp> (bug #752018)
@@ -304022,7 +307789,7 @@ CVE-2017-17531 (gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before l
- global 6.6.1-1 (unimportant; bug #884912)
[stretch] - global 6.5.6-2+deb9u1
NOTE: https://sources.debian.org/src/global/4.8.6-2/gozilla/gozilla.c/#L269
-CVE-2017-17530 (common/help.c in Geomview 1.9.5 does not validate strings before launc ...)
+CVE-2017-17530 (** DISPUTED ** common/help.c in Geomview 1.9.5 does not validate strin ...)
- geomview <unfixed> (unimportant)
NOTE: https://sources.debian.org/src/geomview/1.9.5-1/src/bin/geomview/common/help.c/?hl=51#L83
CVE-2017-17529 (af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings ...)
@@ -305412,7 +309179,7 @@ CVE-2018-1078 (OpenDayLight version Carbon SR3 and earlier contain a vulnerabili
CVE-2018-1077 (Spacewalk 2.6 contains an API which has an XXE flaw allowing for the d ...)
NOT-FOR-US: Red Hat Satellite / Spacewalk
CVE-2018-1076
- RESERVED
+ REJECTED
CVE-2018-1075 (ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered passwo ...)
NOT-FOR-US: ovirt-engine
CVE-2018-1074 (ovirt-engine API and administration web portal before versions 4.2.2.5 ...)
@@ -314567,7 +318334,7 @@ CVE-2017-15124 (VNC server implementation in Quick Emulator (QEMU) 2.11.0 and ol
CVE-2017-15123 (A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, ...)
NOT-FOR-US: CloudForms
CVE-2017-15122
- RESERVED
+ REJECTED
CVE-2017-15121 (A non-privileged user is able to mount a fuse filesystem on RHEL 6 or ...)
- linux 3.11.5-1
[wheezy] - linux <ignored> (Too much work to backport)
@@ -314625,7 +318392,7 @@ CVE-2017-15111 (keycloak-httpd-client-install versions before 0.8 insecurely cre
CVE-2017-15110 (In Moodle 3.x, students can find out email addresses of other students ...)
- moodle <removed>
CVE-2017-15109
- RESERVED
+ REJECTED
CVE-2017-15108 (spice-vdagent up to and including 0.17.0 does not properly escape save ...)
{DLA-2524-1}
- spice-vdagent 0.18.0-1 (bug #883238)
@@ -314643,7 +318410,7 @@ CVE-2017-15107 (A vulnerability was found in the implementation of DNSSEC in Dns
NOTE: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=cd7df612b14ec1bf831a966ccaf076be0dae7404
NOTE: https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expanded-wildcard-records-ae8285f236be
CVE-2017-15106
- RESERVED
+ REJECTED
CVE-2017-15105 (A flaw was found in the way unbound before 1.6.8 validated wildcard-sy ...)
{DLA-1676-1 DLA-1264-1}
- unbound 1.7.1-1 (bug #887733)
@@ -323695,7 +327462,7 @@ CVE-2017-12153 (A security flaw was discovered in the nl80211_set_rekey_data() f
NOTE: https://marc.info/?t=150525503100001&r=1&w=2
NOTE: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
CVE-2017-12152
- RESERVED
+ REJECTED
CVE-2017-12151 (A flaw was found in the way samba client before samba 4.4.16, samba 4. ...)
{DSA-3983-1}
- samba 2:4.6.7+dfsg-2
@@ -337897,7 +341664,7 @@ CVE-2017-7529 (Nginx versions since 0.5.6 up to and including 1.13.2 are vulnera
CVE-2017-7528 (Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 i ...)
NOT-FOR-US: Ansible Tower
CVE-2017-7527
- RESERVED
+ REJECTED
CVE-2017-7526 (libgcrypt before version 1.7.8 is vulnerable to a cache side-channel a ...)
{DSA-3960-1 DSA-3901-1 DLA-1080-1 DLA-1015-1}
- libgcrypt20 1.7.8-1
@@ -353119,7 +356886,7 @@ CVE-2017-2659 (It was found that dropbear before version 2013.59 with GSSAPI lea
CVE-2017-2658 (It was discovered that the Dashbuilder login page as used in Red Hat J ...)
NOT-FOR-US: JBoss BPMS
CVE-2017-2657
- RESERVED
+ REJECTED
CVE-2017-2656
REJECTED
CVE-2017-2655
@@ -353200,7 +356967,7 @@ CVE-2017-2633 (An out-of-bounds memory access issue was found in Quick Emulator
CVE-2017-2632 (A logic error in valid_role() in CloudForms role validation before 5.7 ...)
NOT-FOR-US: Red Hat CloudForms Management Engine
CVE-2017-2631
- RESERVED
+ REJECTED
CVE-2017-2630 (A stack buffer overflow flaw was found in the Quick Emulator (QEMU) be ...)
- qemu 1:2.8+dfsg-3 (bug #855227)
[jessie] - qemu <not-affected> (Vulnerable code introduced in v2.8.0-rc0)
@@ -353331,7 +357098,7 @@ CVE-2017-2598 (Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mo
- jenkins <removed>
NOTE: https://jenkins.io/security/advisory/2017-02-01/
CVE-2017-2597
- RESERVED
+ REJECTED
CVE-2017-2596 (The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux ...)
{DSA-3791-1}
- linux 4.9.13-1
@@ -353343,7 +357110,7 @@ CVE-2017-2595 (It was found that the log file viewer in Red Hat JBoss Enterprise
CVE-2017-2594 (hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, ...)
NOT-FOR-US: hawtio
CVE-2017-2593
- RESERVED
+ REJECTED
CVE-2017-2592 (python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulner ...)
- python-oslo.middleware 3.19.0-3 (bug #852742)
NOTE: https://launchpad.net/bugs/1628031
@@ -353359,7 +357126,7 @@ CVE-2017-2590 (A vulnerability was found in ipa before 4.4. IdM's ca-del, ca-dis
CVE-2017-2589 (It was discovered that the hawtio servlet 1.4 uses a single HttpClient ...)
NOT-FOR-US: hawtio
CVE-2017-2588
- RESERVED
+ REJECTED
CVE-2017-2587 (A memory allocation vulnerability was found in netpbm before 10.61. A ...)
- netpbm-free <not-affected> (vulnerable code not present)
NOTE: Debian uses an old fork of netpbm
@@ -374556,7 +378323,7 @@ CVE-2016-4983 (A postinstall script in the dovecot rpm allows local users to rea
CVE-2016-4982 (authd sets weak permissions for /etc/ident.key, which allows local use ...)
NOT-FOR-US: authd
CVE-2016-4981
- RESERVED
+ REJECTED
CVE-2016-4980 (A password generation weakness exists in xquest through 2016-06-13. ...)
NOT-FOR-US: Red Hat xguest kiosk mode
CVE-2016-4979 (The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_s ...)
@@ -378374,7 +382141,13 @@ CVE-2016-3710 (The VGA module in QEMU improperly performs bounds checking on ban
NOTE: http://xenbits.xen.org/xsa/advisory-179.html
NOTE: mitigation: run HVM in stubdomains, PV, default video card not vulnerable, i386-only
CVE-2016-3709 (Possible cross-site scripting vulnerability in libxml after commit 960 ...)
- TODO: check
+ - libxml2 2.9.12+dfsg-3
+ [bullseye] - libxml2 <no-dsa> (Minor issue)
+ [buster] - libxml2 <no-dsa> (Minor issue)
+ NOTE: https://mail.gnome.org/archives/xml/2018-January/msg00010.html
+ NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=769760
+ NOTE: Introduced by: https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588 (v2.9.2-rc1)c
+ NOTE: Fixed by: https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f (v2.9.11)
CVE-2016-3708 (Red Hat OpenShift Enterprise 3.2, when multi-tenant SDN is enabled and ...)
NOT-FOR-US: OpenShiftEnterprise / Red Hat
CVE-2016-3707 (The icmp_check_sysrq function in net/ipv4/icmp.c in the kernel.org pro ...)
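Review bot: The new "Introduced by" NOTE for CVE-2016-3709 carries a stray trailing `c` after the version tag, `(v2.9.2-rc1)c`, which looks like an editing slip; the line should end with `(v2.9.2-rc1)`. NOTE lines are free text in this file, so the parser presumably tolerates it, but the garbled tag is what triagers will copy when they cross-check the introducing commit against the buster/bullseye libxml2 versions marked `<no-dsa>` in the same hunk.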
@@ -379910,8 +383683,8 @@ CVE-2016-3099 (mod_ns in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise
[jessie] - libapache2-mod-nss <not-affected> (Vulnerability introduced in 1.0.11)
[wheezy] - libapache2-mod-nss <not-affected> (Vulnerability introduced in 1.0.11)
NOTE: Introduced in https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=2d1650900f4d47dc43400d826c0f7e1a7c5229b8 (1.10.11)
-CVE-2016-3098
- RESERVED
+CVE-2016-3098 (Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 ...)
+ NOT-FOR-US: administrate
CVE-2016-3097 (Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat ...)
NOT-FOR-US: spacewalk-java
CVE-2016-3096 (The create_script function in the lxc_container module in Ansible befo ...)
@@ -426890,6 +430663,7 @@ CVE-2014-5191 (Cross-site scripting (XSS) vulnerability in the Preview plugin be
[wheezy] - ckeditor <not-affected> (Preview plugin not yet present)
[squeeze] - ckeditor <not-affected> (Preview plugin not yet present)
- ckeditor3 <unfixed> (bug #1015217)
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE: https://dev.ckeditor.com/browser/CKEditor/trunk/_source/plugins/preview/preview.html?rev=7706 (v3.6.x)
NOTE: https://github.com/ckeditor/ckeditor4/commit/b685874c6bc873a76e6e95916c43840a2b7ab08a (v4.4.3)
diff --git a/data/DLA/list b/data/DLA/list
index 58194dd71c..54f9469472 100644
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,18 @@
+[11 Aug 2022] DLA-3072-1 postgresql-11 - security update
+ {CVE-2022-2625}
+ [buster] - postgresql-11 11.17-0+deb10u1
+[11 Aug 2022] DLA-3071-1 libtirpc - security update
+ {CVE-2021-46828}
+ [buster] - libtirpc 1.1.4-0.4+deb10u1
+[11 Aug 2022] DLA-3070-1 gnutls28 - security update
+ {CVE-2021-4209 CVE-2022-2509}
+ [buster] - gnutls28 3.6.7-4+deb10u9
+[09 Aug 2022] DLA-3069-1 gst-plugins-good1.0 - security update
+ {CVE-2022-1920 CVE-2022-1921 CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 CVE-2022-2122}
+ [buster] - gst-plugins-good1.0 1.14.4-1+deb10u2
+[04 Aug 2022] DLA-3068-1 xorg-server - security update
+ {CVE-2022-2319 CVE-2022-2320}
+ [buster] - xorg-server 2:1.20.4-1+deb10u5
[01 Jul 2022] DLA-3067-1 stretch-lts - end-of-life
NOTE: end of security support for stretch-lts
[01 Jul 2022] DLA-3066-1 isync - security update
diff --git a/data/DSA/list b/data/DSA/list
index 72fe5518bc..eae46a3cc8 100644
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -1,3 +1,44 @@
+[15 Aug 2022] DSA-5207-1 linux - security update
+ {CVE-2022-2585 CVE-2022-2586 CVE-2022-2588 CVE-2022-26373 CVE-2022-29900 CVE-2022-29901 CVE-2022-36879 CVE-2022-36946}
+ [bullseye] - linux 5.10.136-1
+[12 Aug 2022] DSA-5206-1 trafficserver - security update
+ {CVE-2021-37150 CVE-2022-25763 CVE-2022-28129 CVE-2022-31778 CVE-2022-31779 CVE-2022-31780}
+ [bullseye] - trafficserver 8.1.5+ds-1~deb11u1
+[11 Aug 2022] DSA-5205-1 samba - security update
+ {CVE-2022-2031 CVE-2022-32742 CVE-2022-32744 CVE-2022-32745 CVE-2022-32746}
+ [bullseye] - samba 2:4.13.13+dfsg-1~deb11u5
+[09 Aug 2022] DSA-5204-1 gst-plugins-good1.0 - security update
+ {CVE-2022-1920 CVE-2022-1921 CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 CVE-2022-2122}
+ [bullseye] - gst-plugins-good1.0 1.18.4-2+deb11u1
+[08 Aug 2022] DSA-5203-1 gnutls28 - security update
+ {CVE-2022-2509}
+ [bullseye] - gnutls28 3.7.1-5+deb11u2
+[08 Aug 2022] DSA-5202-1 unzip - security update
+ {CVE-2022-0529 CVE-2022-0530}
+ [bullseye] - unzip 6.0-26+deb11u1
+[07 Aug 2022] DSA-5201-1 chromium - security update
+ {CVE-2022-2603 CVE-2022-2604 CVE-2022-2605 CVE-2022-2606 CVE-2022-2607 CVE-2022-2608 CVE-2022-2609 CVE-2022-2610 CVE-2022-2611 CVE-2022-2612 CVE-2022-2613 CVE-2022-2614 CVE-2022-2615 CVE-2022-2616 CVE-2022-2617 CVE-2022-2618 CVE-2022-2619 CVE-2022-2620 CVE-2022-2621 CVE-2022-2622 CVE-2022-2623 CVE-2022-2624}
+ [bullseye] - chromium 104.0.5112.79-1~deb11u1
+[07 Aug 2022] DSA-5200-1 libtirpc - security update
+ {CVE-2021-46828}
+ [bullseye] - libtirpc 1.3.1-1+deb11u1
+[06 Aug 2022] DSA-5199-1 xorg-server - security update
+ {CVE-2022-2319 CVE-2022-2320}
+ [bullseye] - xorg-server 2:1.20.11-1+deb11u2
+[02 Aug 2022] DSA-5198-1 jetty9 - security update
+ {CVE-2022-2047 CVE-2022-2048}
+ [bullseye] - jetty9 9.4.39-3+deb11u1
+[01 Aug 2022] DSA-5197-1 curl - security update
+ {CVE-2021-22898 CVE-2021-22924 CVE-2021-22945 CVE-2021-22946 CVE-2021-22947 CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776 CVE-2022-27781 CVE-2022-27782 CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208}
+ [bullseye] - curl 7.74.0-1.3+deb11u2
+[31 Jul 2022] DSA-5196-1 libpgjava - security update
+ {CVE-2022-21724 CVE-2022-26520}
+ [buster] - libpgjava 42.2.5-2+deb10u1
+ [bullseye] - libpgjava 42.2.15-1+deb11u1
+[30 Jul 2022] DSA-5195-1 thunderbird - security update
+ {CVE-2022-36318 CVE-2022-36319}
+ [buster] - thunderbird 1:91.12.0-1~deb10u1
+ [bullseye] - thunderbird 1:91.12.0-1~deb11u1
[29 Jul 2022] DSA-5194-1 booth - security update
{CVE-2022-2553}
[buster] - booth 1.0-162-g27f917f-2+deb10u1
@@ -73,7 +114,7 @@
[buster] - gnupg2 2.2.12-1+deb10u2
[bullseye] - gnupg2 2.2.27-2+deb11u2
[03 Jul 2022] DSA-5173-1 linux - security update
- {CVE-2021-4197 CVE-2022-0494 CVE-2022-0812 CVE-2022-0854 CVE-2022-1011 CVE-2022-1012 CVE-2022-1016 CVE-2022-1048 CVE-2022-1184 CVE-2022-1195 CVE-2022-1198 CVE-2022-1199 CVE-2022-1204 CVE-2022-1205 CVE-2022-1353 CVE-2022-1419 CVE-2022-1516 CVE-2022-1652 CVE-2022-1729 CVE-2022-1734 CVE-2022-1974 CVE-2022-1975 CVE-2022-2153 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166 CVE-2022-23960 CVE-2022-26490 CVE-2022-27666 CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-29581 CVE-2022-30594 CVE-2022-32250 CVE-2022-32296 CVE-2022-33981}
+ {CVE-2021-4197 CVE-2022-0494 CVE-2022-0812 CVE-2022-0854 CVE-2022-1011 CVE-2022-1012 CVE-2022-1016 CVE-2022-1048 CVE-2022-1195 CVE-2022-1198 CVE-2022-1199 CVE-2022-1204 CVE-2022-1205 CVE-2022-1353 CVE-2022-1419 CVE-2022-1516 CVE-2022-1652 CVE-2022-1729 CVE-2022-1734 CVE-2022-1974 CVE-2022-1975 CVE-2022-2153 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166 CVE-2022-23960 CVE-2022-26490 CVE-2022-27666 CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-29581 CVE-2022-30594 CVE-2022-32250 CVE-2022-32296 CVE-2022-33981}
[buster] - linux 4.19.249-2
[29 Jun 2022] DSA-5172-1 firefox-esr - security update
{CVE-2022-2200 CVE-2022-31744 CVE-2022-34468 CVE-2022-34470 CVE-2022-34472 CVE-2022-34479 CVE-2022-34481 CVE-2022-34484}
diff --git a/data/config.json b/data/config.json
index fa0f97f618..b96a201e46 100644
--- a/data/config.json
+++ b/data/config.json
@@ -81,7 +81,7 @@
"buster-proposed-updates"
]
},
- "architectures": [ "amd64", "arm64", "armel", "armhf", "i386", "mips", "mips64el", "mipsel", "ppc64el", "s390x" ],
+ "architectures": [ "amd64", "arm64", "armhf", "i386" ],
"release": "oldstable"
},
"bullseye": {
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index 7cded1164e..fe09cca69e 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -12,22 +12,98 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
-NOTE: stretch->buster LTS transition in progress during 2022-07
-NOTE: only add packages planned for the next buster point release
-NOTE: https://lists.debian.org/debian-lts/2022/07/msg00025.html
-
NOTE: IMPORTANT: during 2022-08, make sure you do NOT conflict with a
NOTE: IMPORTANT: prepared upload for buster's last point release, see:
NOTE: IMPORTANT: https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=release.debian.org@packages.debian.org;tag=pu
--
-apache2 (Roberto C. Sánchez)
+apache2
+ NOTE: 20220811: Programming language: C.
NOTE: 20220723: Prepared update 2.4.38-3+deb10u8 and filed #1014346 requesting SRM approval for upload to final buster point release (roberto)
NOTE: 20220723: Received upload approval from SRM and uploaded to buster (roberto)
+ NOTE: 20220809: Package is in oldstable-proposed-updates and will be in final buster point release (roberto)
+--
+asterisk (Markus Koschany)
+ NOTE: 20220810: Programming language: C.
+--
+curl (Markus Koschany)
+ NOTE: 20220802: Programming language: C.
+--
+epiphany-browser (Emilio)
+ NOTE: 20220811: Programming language: C.
+--
+freecad
+ NOTE: 20220815: Programming language: Python.
+ NOTE: 20220815: Not all of the vulnerable os.system calls exist in the buster version. (lamby)
+--
+jetty9 (Markus Koschany)
+ NOTE: 20220802: Programming language: Java.
+--
+kicad
+ NOTE: 20220811: Programming language: C++.
+--
+kopanocore (Andreas Rönnquist)
+ NOTE: 20220801: Programming language: C++.
+ NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
--
linux (Ben Hutchings)
--
-rustc (Emilio)
- NOTE: 20220614: backporting toolchain (rust, llvm...) for Firefox 102 ESR (pochu)
- NOTE: 20220712: bullseye backports done, wip on buster updates (pochu)
+maven-shared-utils
+ NOTE: 20220813: Programming language: Java
+ NOTE: 20220813: VCS: https://salsa.debian.org/java-team/maven-shared-utils
+ NOTE: 20220813: Maintainer notes: Markus is active in the Java team
+ NOTE: 20220813: Special attention: Relatively high popcon
+ NOTE: 20220813: Patch is relatively high. Please check, whether it can safely be applied (Anton)
+--
+mediawiki (Markus Koschany)
+ NOTE: 20220810: Programming language: PHP.
+--
+ndpi (Anton)
+ NOTE: 20220801: Programming language: C.
+--
+net-snmp
+ NOTE: 20220816: Programming language: C.
+--
+netatalk
+ NOTE: 20220816: Programming language: C.
+--
+nodejs
+ NOTE: 20220801: Programming language: JavaScript.
+ NOTE: 20220801: one of the upstream fixes doesn't address the security issue
+--
+php-horde-mime-viewer
+ NOTE: 20220816: Programming language: PHP.
+--
+php-horde-turba
+ NOTE: 20220816: Programming language: PHP.
+--
+puma (Abhijith PA)
+ NOTE: 20220801: Programming language: Ruby.
+--
+qemu (Abhijith PA)
+ NOTE: 20220802: Programming language: C.
+ NOTE: 20220802: debdiff of backported fixes was submitted to buster-proposed-updates: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and
+ NOTE: 20220802: wcan now be released as DLA instead. The updated packages are/were running fine in a buster ganeti cluster. (jmm)
+ NOTE: 20220808: conflicting pu at https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , needs to be merged (Beuc/abhijith)
+--
+rsync (Stefano Rivera)
+ NOTE: 20220811: Programming language: C.
+ NOTE: 20220811: All patches should be applied. If it is too disruptive - evaluate the CVE`s severity (Anton)
+--
+salt
+ NOTE: 20220814: Programming language: Python
+ NOTE: 20220814: Packages is not in the supported packages by us.
+ NOTE: 20220814: Also, I am not sure, whether it is possible to fix issues
+ NOTE: 20220814: without backporting a newer verion. (Anton)
+--
+schroot (carnil)
+ NOTE: 20220813: Programming language: C++
+ NOTE: 20220813: VCS: https://salsa.debian.org/debian/schroot/
+ NOTE: 20220813: Maintainer notes: Maintainer prepares o-o-stable updates
+ NOTE: 20220813: Debian security team will release DSA and DLA
+--
+zlib (Emilio)
+ NOTE: 20220813: Programming language: C
+ NOTE: 20220813: VCS: https://salsa.debian.org/lts-team/packages/zlib/
+ NOTE: 20220813: Special attention: Very high popcon. Please test carefully!
--
diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt
index 4434287df0..eb821354dc 100644
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -12,53 +12,37 @@ To pick an issue, simply add your uid behind it.
If needed, specify the release by adding a slash after the name of the source package.
--
-asterisk
---
-curl (apo)
+asterisk (apo)
--
epiphany-browser
+ Emilio prepared a debdiff for review
--
freecad (aron)
--
-gst-plugins-good1.0
---
-jetty
+gdk-pixbuf
--
kicad (jmm)
--
-kopanocore/oldstable
---
-librecad
---
-libpgjava (apo)
- NOTE: 20220711: libscram-java is missing in bullseye-security. I am currently
- NOTE: 20220711: waiting for #1014409 being resolved.
---
linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
- releases to more recent v4.19.y and v5.10.y versions
----
-ndpi/oldstable
+ releases to more recent v5.10.y versions
+--
+maven-shared-utils
--
net-snmp
--
netatalk
open regression with MacOS, tentative patch not yet merged upstream
--
-nodejs/stable
---
-nodejs/oldstable
- one of the upstream fixes doesn't address the security issue
+nodejs
--
php-horde-mime-viewer
--
php-horde-turba
--
-puma/oldstable
---
rails
--
-rpki-client/stable
+rpki-client
new 7.6 release required libretls, which isn't in Bullseye
--
ruby-rack
@@ -67,18 +51,16 @@ ruby-tzinfo
--
salt
--
-samba
+schroot (carnil)
--
-slurm-llnl/oldstable
+sofia-sip
--
sox
patch needed for CVE-2021-40426, check with upstream
--
-thunderbird
+webkit2gtk (berto)
--
-unzip
- unclear information, initial report indicates writable memory corruption, but
- some identified patch is just for a NULL deref, needs more clarification
+wpewebkit (berto)
--
-xorg-server
+zlib (carnil)
--
diff --git a/data/next-oldstable-point-update.txt b/data/next-oldstable-point-update.txt
index 912a6e6e99..c321b127db 100644
--- a/data/next-oldstable-point-update.txt
+++ b/data/next-oldstable-point-update.txt
@@ -218,3 +218,23 @@ CVE-2021-45910
[buster] - gif2apng 1.9+srconly-2+deb10u1
CVE-2021-45909
[buster] - gif2apng 1.9+srconly-2+deb10u1
+CVE-2022-28736
+ [buster] - grub2 2.06-3~deb10u1
+CVE-2022-28735
+ [buster] - grub2 2.06-3~deb10u1
+CVE-2022-28734
+ [buster] - grub2 2.06-3~deb10u1
+CVE-2022-28733
+ [buster] - grub2 2.06-3~deb10u1
+CVE-2021-3697
+ [buster] - grub2 2.06-3~deb10u1
+CVE-2021-3696
+ [buster] - grub2 2.06-3~deb10u1
+CVE-2021-3695
+ [buster] - grub2 2.06-3~deb10u1
+CVE-2022-31607
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
+CVE-2022-31608
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
+CVE-2022-31615
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
diff --git a/data/next-point-update.txt b/data/next-point-update.txt
index 0cce5a7a0d..677abbbcef 100644
--- a/data/next-point-update.txt
+++ b/data/next-point-update.txt
@@ -38,3 +38,29 @@ CVE-2021-45910
[bullseye] - gif2apng 1.9+srconly-3+deb11u1
CVE-2021-45909
[bullseye] - gif2apng 1.9+srconly-3+deb11u1
+CVE-2022-31081
+ [bullseye] - libhttp-daemon-perl 6.12-1+deb11u1
+CVE-2022-31213
+ [bullseye] - dbus-broker 26-1+deb11u2
+CVE-2022-28736
+ [bullseye] - grub2 2.06-3~deb11u1
+CVE-2022-28735
+ [bullseye] - grub2 2.06-3~deb11u1
+CVE-2022-28734
+ [bullseye] - grub2 2.06-3~deb11u1
+CVE-2022-28733
+ [bullseye] - grub2 2.06-3~deb11u1
+CVE-2021-3697
+ [bullseye] - grub2 2.06-3~deb11u1
+CVE-2021-3696
+ [bullseye] - grub2 2.06-3~deb11u1
+CVE-2021-3695
+ [bullseye] - grub2 2.06-3~deb11u1
+CVE-2022-31607
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
+CVE-2022-31608
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
+CVE-2022-31615
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
+CVE-2021-3502
+ [bullseye] - avahi 0.8-5+deb11u1
diff --git a/data/packages/removed-packages b/data/packages/removed-packages
index 210993b454..531b763103 100644
--- a/data/packages/removed-packages
+++ b/data/packages/removed-packages
@@ -820,3 +820,108 @@ opentmpfiles
php8.0
rust-rand-core-0.3
ansible-base
+389-admin
+acccheck
+aolserver4
+banshee
+bareftp
+biomaj-watcher
+blam
+burn
+cbrpager
+cfengine2
+chromium-browser
+comix
+common-lisp-controller
+conkeror
+consolekit
+dansguardian
+django-celery
+dotlrn
+ekg
+ekiga
+emacs25
+flower
+fso-datad
+fso-deviced
+fso-frameworkd
+fso-gsmd
+fso-usaged
+getmail4
+gnash
+gnats
+gnome-exe-thumbnailer
+gnome-orca
+gnome-vfs
+gnome-xcf-thumbnailer
+gns3
+gnugk
+gquilt
+gxine
+hunspell-en-us
+hyperestraier
+ibid
+ike
+ipsec-tools
+irssi-plugin-otr
+jquery-jplayer
+kde-baseapps
+kdewebdev
+libbson
+libgnumail-java
+libidn2-0
+libkdcraw
+libpam-sshauth
+libpam4j
+librdmacm
+libsocialweb
+libxfcegui4
+linux-4.19
+linux-latest-4.19
+linuxdcpp
+llvm-toolchain-3.7
+lucene2
+mail-notification
+mat
+memcachedb
+mixmaster
+mon
+mono-reference-assemblies
+monotone
+not-yet-commons-ssl
+nufw
+nvidia-graphics-drivers-legacy-304xx
+obnam
+opal
+openacs
+opensaml2
+opensips
+owl
+pavuk
+phonefsod
+plexus-utils
+ptlib
+pxz
+pybliographer
+python-django-openstack-auth
+python-django-piston
+reportbug-ng
+rhn-client-tools
+rhnsd
+rssh
+ruby-rack-protection
+srtp
+swift-plugin-s3
+synaesthesia
+systemd-shim
+tau
+thrift-compiler
+tk8.5
+tomboy
+unbound1.9
+uzbl
+wagon2
+webkitkde
+xvt
+yarssr
+zonecheck
diff --git a/doc/DLA.template b/doc/DLA.template
index ce4ddd0740..fecb7f21fd 100644
--- a/doc/DLA.template
+++ b/doc/DLA.template
@@ -9,14 +9,14 @@ $SPACEDDATE https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : $PACKAGE
-Version : $stretch_VERSION
+Version : $buster_VERSION
CVE ID : $CVE
Debian Bug : $BUGNUM
$TEXT
-For Debian 9 stretch, this problem has been fixed in version
-$stretch_VERSION.
+For Debian 10 buster, this problem has been fixed in version
+$buster_VERSION.
We recommend that you upgrade your $PACKAGE packages.
diff --git a/doc/DSA.template b/doc/DSA.template
index 419c564b0c..ea38bed0d2 100644
--- a/doc/DSA.template
+++ b/doc/DSA.template
@@ -14,9 +14,6 @@ Debian Bug : $BUGNUM
$TEXT
-For the oldstable distribution ($OLDSTABLE), this problem has been fixed
-in version $$OLDSTABLE_VERSION.
-
For the stable distribution ($STABLE), this problem has been fixed in
version $$STABLE_VERSION.
diff --git a/doc/security-team.d.o/index b/doc/security-team.d.o/index
index b956e1677d..befc5a4df9 100644
--- a/doc/security-team.d.o/index
+++ b/doc/security-team.d.o/index
@@ -1,11 +1,9 @@
<table style="margin: 0 auto 0 auto;width: 100%;text-align:center;">
<tbody>
- <tr><th>buster 10</th><th>bullseye 11</th><th>bookworm 12</th><th>sid</th></tr>
- <tr><th>buster-security</th><th>bullseye-security</th><th>testing</th><th>unstable</th></tr>
+ <tr><th>bullseye 11</th><th>bookworm 12</th><th>sid</th></tr>
+ <tr><th>bullseye-security</th><th>testing</th><th>unstable</th></tr>
<tr>
<td valign="top">
- <a href="https://security-tracker.debian.org/tracker/status/release/oldstable">Vulnerable Packages</a><br\>
- </td><td valign="top">
<a href="https://security-tracker.debian.org/tracker/status/release/stable">Vulnerable Packages</a><br\>
</td><td valign="top">
<a href="https://security-tracker.debian.org/tracker/status/release/testing">Vulnerable Packages</a><br\>
@@ -13,8 +11,6 @@
<a href="https://security-tracker.debian.org/tracker/status/release/unstable">Vulnerable Packages</a><br\>
</td></tr>
<tr><td valign="top">
- <a href="https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/next-oldstable-point-update.txt">Next (oldstable) point update</a><br\>
- </td><td valign="top">
<a href="https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/next-point-update.txt">Next point update</a><br\>
</td><td valign="top">
Next point update<br\>
diff --git a/static/distributions.json b/static/distributions.json
index 3b3e70c470..3ad929c739 100644
--- a/static/distributions.json
+++ b/static/distributions.json
@@ -16,8 +16,8 @@
},
"buster": {
"major-version": "10",
- "support": "security",
- "contact": "team@security.debian.org"
+ "support": "lts",
+ "contact": "debian-lts@lists.debian.org"
},
"bullseye": {
"major-version": "11",
diff --git a/templates/lts-no-dsa.txt b/templates/lts-no-dsa.txt
index dfc2bc5881..41827574bc 100644
--- a/templates/lts-no-dsa.txt
+++ b/templates/lts-no-dsa.txt
@@ -1,12 +1,12 @@
Content-Type: text/plain; charset=utf-8
To: {{ to }}
Cc: {{ cc }}
-Subject: About the security issues affecting {{ package }} in Stretch
+Subject: About the security issues affecting {{ package }} in Buster
Dear maintainer(s),
The Debian LTS team recently reviewed the security issue(s) affecting your
-package in Stretch:
+package in Buster:
{%- if cve -%}
{% for entry in cve %}
https://security-tracker.debian.org/tracker/{{ entry }}
@@ -15,10 +15,10 @@ https://security-tracker.debian.org/tracker/{{ entry }}
https://security-tracker.debian.org/tracker/source-package/{{ package }}
{%- endif %}
-We decided that we would not prepare a stretch security update (usually
+We decided that we would not prepare a buster security update (usually
because the security impact is low and that we concentrate our limited
resources on higher severity issues and on the most widely used packages).
-That said the stretch users would most certainly benefit from a fixed
+That said the buster users would most certainly benefit from a fixed
package.
If you want to work on such an update, you're welcome to do so. Please
diff --git a/templates/lts-update-planned-minor.txt b/templates/lts-update-planned-minor.txt
index 61b704418f..f82626ca8a 100644
--- a/templates/lts-update-planned-minor.txt
+++ b/templates/lts-update-planned-minor.txt
@@ -1,10 +1,10 @@
Content-Type: text/plain; charset=utf-8
To: {{ to }}
Cc: {{ cc }}
-Subject: Stretch update of {{ package }} (minor security issues)?
+Subject: Buster update of {{ package }} (minor security issues)?
The Debian LTS team recently reviewed the security issue(s) affecting your
-package in Stretch:
+package in Buster:
{%- if cve -%}
{% for entry in cve %}
https://security-tracker.debian.org/tracker/{{ entry }}
@@ -17,7 +17,7 @@ We decided that a member of the LTS team should take a look at this
package, although the security impact of still open issues is low. When
resources are available on our side, one of the LTS team members will
start working on fixes for those minor security issues, as we think that
-the stretch users would most certainly benefit from a fixed package.
+the buster users would most certainly benefit from a fixed package.
If you'd rather want to work on such an update yourself, you're welcome
to do so. Please send us a short notification to the debian-lts mailing
diff --git a/templates/lts-update-planned.txt b/templates/lts-update-planned.txt
index 21f820755b..58dbd7b11e 100644
--- a/templates/lts-update-planned.txt
+++ b/templates/lts-update-planned.txt
@@ -1,12 +1,12 @@
Content-Type: text/plain; charset=utf-8
To: {{ to }}
Cc: {{ cc }}
-Subject: Stretch update of {{ package }}?
+Subject: Buster update of {{ package }}?
Dear maintainer(s),
The Debian LTS team would like to fix the security issues which are
-currently open in the Stretch version of {{ package }}:
+currently open in the Buster version of {{ package }}:
{%- if cve -%}
{% for entry in cve %}
https://security-tracker.debian.org/tracker/{{ entry }}
