From 21fe653a692a527ddd04e19de264c3dc0689e207 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20M=C3=BChlenhoff?= Date: Fri, 23 Sep 2022 14:31:49 +0200 Subject: bullseye triage --- data/CVE/list | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) (limited to 'data/CVE/list') diff --git a/data/CVE/list b/data/CVE/list index 1b5b36a5dd..806ce92511 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -52,6 +52,7 @@ CVE-2022-3266 RESERVED CVE-2022-41322 (In Kitty before 0.26.2, insufficient validation in the desktop notific ...) - kitty + [bullseye] - kitty (Minor issue) NOTE: https://github.com/kovidgoyal/kitty/commit/f05783e64d5fa62e1aed603e8d69aced5e49824f (v0.26.2) CVE-2022-41318 [Buffer Over Read in SSPI and SMB Authentication] RESERVED @@ -2777,6 +2778,7 @@ CVE-2022-40147 RESERVED CVE-2022-40146 (Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XM ...) - batik + [bullseye] - batik (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/3 NOTE: https://issues.apache.org/jira/browse/BATIK-1335 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1903910 @@ -5774,9 +5776,9 @@ CVE-2022-38863 (Certain The MPlayer Project products are vulnerable to Buffer Ov NOTE: Crash in CLI tool, no security impact CVE-2022-38862 (Certain The MPlayer Project products are vulnerable to Buffer Overflow ...) - mplayer + [bullseye] - mplayer (Minor issue) NOTE: https://trac.mplayerhq.hu/ticket/2400 NOTE: https://trac.mplayerhq.hu/ticket/2404 - TODO: check, unclear if fixed, upstream cannot reproduce CVE-2022-38861 (The MPlayer Project mplayer SVN-r38374-13.0.1 is vulnerable to memory ...) - mplayer NOTE: https://trac.mplayerhq.hu/ticket/2407 
@@ -5799,9 +5801,10 @@ CVE-2022-38856 (Certain The MPlayer Project products are vulnerable to Buffer Ov NOTE: https://trac.mplayerhq.hu/ticket/2395 TODO: Fixed by other fixes, but not pin pointed upstream, try to isolate revision to fix issue CVE-2022-38855 (Certain The MPlayer Project products are vulnerable to Buffer Overflow ...) - - mplayer + - mplayer (unimportant) NOTE: https://trac.mplayerhq.hu/ticket/2392 NOTE: https://git.ffmpeg.org/gitweb/mplayer.git/commit/2f6e69e59e2614acdde5505b049c48f80a3d0eb7 (r38384) + NOTE: Crash in CLI tool, no security impact CVE-2022-38854 RESERVED CVE-2022-38853 (Certain The MPlayer Project products are vulnerable to Buffer Overflow ...) @@ -6518,6 +6521,7 @@ CVE-2022-38649 RESERVED CVE-2022-38648 (Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XM ...) - batik + [bullseye] - batik (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/4 NOTE: https://issues.apache.org/jira/browse/BATIK-1333 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1903625 @@ -7244,6 +7248,7 @@ CVE-2020-36592 RESERVED CVE-2022-38398 (Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XM ...) - batik + [bullseye] - batik (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/2 NOTE: https://issues.apache.org/jira/browse/BATIK-1331 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1903462 @@ -16174,6 +16179,7 @@ CVE-2022-35020 (Advancecomp v2.3 was discovered to contain a heap buffer overflo NOTE: Crash in CLI tool, no security impact CVE-2022-35019 (Advancecomp v2.3 was discovered to contain a segmentation fault. ...) - advancecomp (bug #1019592) + [bullseye] - advancecomp (Minor issue) [buster] - advancecomp (Minor issue) NOTE: https://github.com/Cvjark/Poc/blob/main/advancecomp/CVE-2022-35019.md CVE-2022-35018 (Advancecomp v2.3 was discovered to contain a segmentation fault. ...) 
@@ -16787,6 +16793,7 @@ CVE-2022-2256 (A Stored Cross-site scripting (XSS) vulnerability was found in ke CVE-2022-2255 (A vulnerability was found in mod_wsgi. The X-Client-IP header is not r ...) {DLA-3111-1} - mod-wsgi 4.9.0-1.1 (bug #1016476) + [bullseye] - mod-wsgi (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100563 NOTE: https://github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751 (4.9.3) NOTE: WSGITrustedProxies and vulnerable code introduced in https://github.com/GrahamDumpleton/mod_wsgi/commit/543fc33c23b4cb5e623d574b7efbf85c8dedb396 (4.4.10) @@ -27160,6 +27167,7 @@ CVE-2022-1796 (Use After Free in GitHub repository vim/vim prior to 8.2.4979. .. NOTE: Crash in CLI tool, no security impact CVE-2022-1795 (Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. ...) - gpac (bug #1016443) + [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) [stretch] - gpac (No longer supported in LTS) NOTE: https://huntr.dev/bounties/9c312763-41a6-4fc7-827b-269eb86efcbc @@ -31464,6 +31472,7 @@ CVE-2022-29593 (relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmwar NOT-FOR-US: Dingtian CVE-2022-1441 (MP4Box is a component of GPAC-2.0.0, which is a widely-used third-part ...) - gpac (bug #1016443) + [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2175 @@ -32978,6 +32987,7 @@ CVE-2022-1326 (The Form - Contact Form WordPress plugin through 1.2.0 does not s NOT-FOR-US: WordPress plugin CVE-2022-1325 (A flaw was found in Clmg, where with the help of a maliciously crafted ...) - cimg (bug #1018941) + [bullseye] - cimg (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2074549 NOTE: https://github.com/GreycLab/CImg/commit/619cb58dd90b4e03ac68286c70ed98acbefd1c90 (v3.1.0) NOTE: https://github.com/GreycLab/CImg/issues/343 
@@ -34342,6 +34352,7 @@ CVE-2022-1223 (Improper Access Control in GitHub repository phpipam/phpipam prio - phpipam (bug #731713) CVE-2022-1222 (Inf loop in GitHub repository gpac/gpac prior to 2.1.0-DEV. ...) - gpac (bug #1016443) + [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) [stretch] - gpac (No longer supported in LTS) NOTE: https://huntr.dev/bounties/f8cb85b8-7ff3-47f1-a9a6-7080eb371a3d @@ -65176,12 +65187,14 @@ CVE-2021-43306 (An exponential ReDoS (Regular Expression Denial of Service) can NOT-FOR-US: Node jquery-validation CVE-2021-43305 (Heap buffer overflow in Clickhouse's LZ4 compression codec when parsin ...) - clickhouse (bug #1008216) + [bullseye] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/commit/2aea1c8d4a5be320365472052d8a48bf69fd9fe9 (v21.9.1.7685) NOTE: https://github.com/ClickHouse/ClickHouse/commit/6d83eacec42c7c403c99804a713a9d38caa4a45d (v21.9.1.7685) NOTE: https://github.com/ClickHouse/ClickHouse/pull/27136 NOTE: https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/ CVE-2021-43304 (Heap buffer overflow in Clickhouse's LZ4 compression codec when parsin ...) - clickhouse (bug #1008216) + [bullseye] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/commit/2aea1c8d4a5be320365472052d8a48bf69fd9fe9 (v21.9.1.7685) NOTE: https://github.com/ClickHouse/ClickHouse/commit/6d83eacec42c7c403c99804a713a9d38caa4a45d (v21.9.1.7685) NOTE: https://github.com/ClickHouse/ClickHouse/pull/27136 
@@ -69564,12 +69577,14 @@ CVE-2021-42389 (Divide-by-zero in Clickhouse's Delta compression codec when pars NOTE: https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/ CVE-2021-42388 (Heap out-of-bounds read in Clickhouse's LZ4 compression codec when par ...) - clickhouse (bug #1008216) + [bullseye] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/commit/2aea1c8d4a5be320365472052d8a48bf69fd9fe9 (v21.9.1.7685) NOTE: https://github.com/ClickHouse/ClickHouse/commit/6d83eacec42c7c403c99804a713a9d38caa4a45d (v21.9.1.7685) NOTE: https://github.com/ClickHouse/ClickHouse/pull/27136 NOTE: https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/ CVE-2021-42387 (Heap out-of-bounds read in Clickhouse's LZ4 compression codec when par ...) - clickhouse (bug #1008216) + [bullseye] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/commit/2aea1c8d4a5be320365472052d8a48bf69fd9fe9 (v21.9.1.7685) NOTE: https://github.com/ClickHouse/ClickHouse/commit/6d83eacec42c7c403c99804a713a9d38caa4a45d (v21.9.1.7685) NOTE: https://github.com/ClickHouse/ClickHouse/pull/27136 @@ -74258,12 +74273,12 @@ CVE-2021-40649 (In Connx Version 6.2.0.1269 (20210623), a cookie can be issued b NOT-FOR-US: Connx CVE-2021-40648 (In man2html 1.6g, a filename can be created to overwrite the previous ...) - man2html + [bullseye] - man2html (Minor issue) NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933 - TODO: check details CVE-2021-40647 (In man2html 1.6g, a specific string being read in from a file will ove ...) - man2html + [bullseye] - man2html (Minor issue) NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933 - TODO: check details CVE-2021-40646 RESERVED CVE-2021-40645 (An SQL Injection vulnerability exists in glorylion JFinalOA as of 9/7/ ...) -- cgit v1.2.3
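Review bot: In the CVE-2022-38862 hunk (@@ -5774,9 +5776,9 @@), the removed line `TODO: check, unclear if fixed, upstream cannot reproduce` was the only record that the fix status is unknown, and the added `[bullseye] - mplayer (Minor issue)` line does not carry that information. Consider keeping the finding as a NOTE (for instance "NOTE: upstream cannot reproduce, unclear if fixed") so the entry, whose `- mplayer` line still has no fixed version, is not read as fully triaged.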
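Review bot: In the CVE-2022-38855 hunk (@@ -5799,9 +5801,10 @@), the entry is set to `(unimportant)` with "Crash in CLI tool, no security impact", while CVE-2022-38862 in the previous hunk, which has the same truncated "vulnerable to Buffer Overflow" description, is only tagged `(Minor issue)` for bullseye. A short NOTE saying what distinguishes the two, drawn from ticket 2392, would make the differing classification reviewable.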
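Review bot: In the CVE-2022-2255 hunk (@@ -16787,6 +16793,7 @@), the new `[bullseye] - mod-wsgi (Minor issue)` line sits directly under `{DLA-3111-1}`, so the LTS release has an advisory for this issue while bullseye is left without one. If that is intended, add a NOTE stating what is planned for bullseye; the upstream fix commit for 4.9.3 is already referenced in the entry.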
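Review bot: In the two clickhouse hunks (@@ -65176,12 +65187,14 @@ and @@ -69564,12 +69577,14 @@), four entries described as a heap buffer overflow or heap out-of-bounds read in the LZ4 compression codec are tagged `(Minor issue)` with no stated rationale, although the jfrog.com reference in the same entries is titled as covering RCE and DoS vulnerabilities. Add a NOTE, shared or per entry, recording the reasoning behind the classification so it can be checked against that write-up.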
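Review bot: In the man2html hunk (@@ -74258,12 +74273,12 @@), both `TODO: check details` lines are removed for CVE-2021-40648 and CVE-2021-40647 without a NOTE saying what the check found, leaving the gist URL as the only reference. Record the outcome of the check in a NOTE on each entry so the `(Minor issue)` tag has a stated basis.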