Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker

author: Jeremiah C. Foster <jeremiah@jeremiahfoster.com> 2022-01-03 08:53:46 -0500
committer: Jeremiah C. Foster <jeremiah@jeremiahfoster.com> 2022-01-03 08:53:46 -0500
commit: 570c0801878eefca17fd3b9c2db900fda1b64421 (patch)
tree: ac7ed2e222f06e987c8187a80eb38379f9346008
parent: c42e2b6f46d270a079a3869b0307130172444d3b (diff)
parent: a84a3b4e9865af15f2ae498c5f42c96130e539a3 (diff)
4 files changed, 40 insertions, 7 deletions
diff --git a/data/CVE/2021.list b/data/CVE/2021.list
index a7c38f1214..f42e79b4aa 100644
--- a/data/CVE/2021.list
+++ b/data/CVE/2021.list
@@ -1,3 +1,9 @@
+CVE-2021-XXXX [XSS vulnerability via HTML messages with malicious CSS content]
+	- roundcube <unfixed> (bug #1003027)
+	NOTE: https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0 (1.5.2)
+	NOTE: https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8 (1.4.13)
+	NOTE: https://roundcube.net/news/2021/12/30/update-1.5.2-released
+	NOTE: https://roundcube.net/news/2021/12/30/security-update-1.4.13-released
 CVE-2021-45984
 	RESERVED
 CVE-2021-45983
@@ -51,6 +57,7 @@ CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or mor
 	- expat <unfixed> (bug #1002994)
 	[bullseye] - expat <no-dsa> (Minor issue; can be fixed via point release)
 	[buster] - expat <no-dsa> (Minor issue; can be fixed via point release)
+	[stretch] - expat <no-dsa> (Minor issue)
 	NOTE: https://github.com/libexpat/libexpat/issues/531
 	NOTE: https://github.com/libexpat/libexpat/pull/534
 CVE-2021-45959 (** DISPUTED ** {fmt} 7.1.0 through 8.0.1 has a stack-based buffer over ...)
@@ -104,6 +111,7 @@ CVE-2021-45950 (LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds wr
 CVE-2021-45949 (Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overf ...)
 	- ghostscript 9.55.0~dfsg-1
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
+	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=703902
 	NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
 CVE-2021-45948 (Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-base ...)
 	- assimp 5.1.1~ds0-1
@@ -224,6 +232,8 @@ CVE-2021-45919
 	RESERVED
 CVE-2021-4190 (Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of  ...)
 	- wireshark <unfixed>
+	[bullseye] - wireshark <no-dsa> (Minor issue)
+	[buster] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2021-22.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17811
 CVE-2021-4189 [ftplib should not use the host from the PASV response]
@@ -327,26 +337,38 @@ CVE-2021-45885 (An issue was discovered in Stormshield Network Security (SNS) 4.
 	NOT-FOR-US: Stormshield Network Security (SNS)
 CVE-2021-4186 (Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows den ...)
 	- wireshark 3.6.0-1
+	[bullseye] - wireshark <no-dsa> (Minor issue)
+	[buster] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2021-16.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17737
 CVE-2021-4185 (Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3 ...)
 	- wireshark <unfixed>
+	[bullseye] - wireshark <no-dsa> (Minor issue)
+	[buster] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2021-17.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17745
 CVE-2021-4184 (Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3 ...)
 	- wireshark <unfixed>
+	[bullseye] - wireshark <no-dsa> (Minor issue)
+	[buster] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2021-18.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17754
 CVE-2021-4183 (Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of se ...)
 	- wireshark <unfixed>
+	[bullseye] - wireshark <no-dsa> (Minor issue)
+	[buster] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2021-19.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17755
 CVE-2021-4182 (Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 ...)
 	- wireshark <unfixed>
+	[bullseye] - wireshark <no-dsa> (Minor issue)
+	[buster] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2021-20.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17801
 CVE-2021-4181 (Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3. ...)
 	- wireshark <unfixed>
+	[bullseye] - wireshark <no-dsa> (Minor issue)
+	[buster] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2021-21.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/5429
 CVE-2021-45884 (In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based a ...)
@@ -1268,6 +1290,8 @@ CVE-2021-45464
 	RESERVED
 CVE-2021-45463 (GEGL before 0.4.34, as used (for example) in GIMP before 2.10.30, allo ...)
 	- gegl 1:0.4.34-1 (bug #1002661)
+	[bullseye] - gegl <no-dsa> (Minor issue)
+	[buster] - gegl <no-dsa> (Minor issue)
 	[stretch] - gegl <no-dsa> (Minor issue; can be fixed later)
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b (GEGL_0_4_34)
 	NOTE: Followup: https://gitlab.gnome.org/GNOME/gegl/-/commit/2172cf7e8d7e8891ae2053d6eef213d5bef939cb (GEGL_0_4_34)
@@ -21986,7 +22010,7 @@ CVE-2021-23203
 CVE-2021-23184
 	RESERVED
 CVE-2021-36980 (Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-f ...)
-	- openvswitch <unfixed> (bug #991308)
+	- openvswitch 2.15.0+ds1-10 (bug #991308)
 	[bullseye] - openvswitch <no-dsa> (Minor issue)
 	[buster] - openvswitch <not-affected> (Vulnerable code not present, introduced in 2.11)
 	[stretch] - openvswitch <not-affected> (Vulnerable code not present, introduced in 2.11)
@@ -48615,8 +48639,8 @@ CVE-2021-25996
 	RESERVED
 CVE-2021-25995
 	RESERVED
-CVE-2021-25994
-	RESERVED
+CVE-2021-25994 (In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Head ...)
+	TODO: check
 CVE-2021-25993 (In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected b ...)
 	TODO: check
 CVE-2021-25992
@@ -48641,8 +48665,8 @@ CVE-2021-25983 (In Factor (App Framework &amp; Headless CMS) forum plugin, versi
 	NOT-FOR-US: Factor (App Framework & Headless CMS)
 CVE-2021-25982 (In Factor (App Framework &amp; Headless CMS) forum plugin, versions 1. ...)
 	NOT-FOR-US: Factor (App Framework & Headless CMS)
-CVE-2021-25981
-	RESERVED
+CVE-2021-25981 (In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev ve ...)
+	NOT-FOR-US: Talkyard
 CVE-2021-25980 (In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22 ...)
 	NOT-FOR-US: Talkyard
 CVE-2021-25979 (Apostrophe CMS versions between 2.63.0 to 3.3.1 affected by an insuffi ...)
diff --git a/data/CVE/2022.list b/data/CVE/2022.list
index 8f3f417af1..b009786bcc 100644
--- a/data/CVE/2022.list
+++ b/data/CVE/2022.list
@@ -1,3 +1,7 @@
+CVE-2022-0083
+	RESERVED
+CVE-2022-0082
+	RESERVED
 CVE-2022-22293 (admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstra ...)
 	- dolibarr <removed>
 CVE-2022-0081
@@ -6,8 +10,8 @@ CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...)
 	- mruby <unfixed>
 	NOTE: https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/
 	NOTE: https://github.com/mruby/mruby/commit/28ccc664e5dcd3f9d55173e9afde77c4705a9ab6
-CVE-2022-0079
-	RESERVED
+CVE-2022-0079 (showdoc is vulnerable to Generation of Error Message Containing Sensit ...)
+	NOT-FOR-US: showdoc
 CVE-2022-0078
 	RESERVED
 CVE-2022-22292
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index 24aad7e8f4..2cbc2914b5 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -24,6 +24,8 @@ apng2gif
   NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie
   NOTE: 20211229: but is unfixed in stretch, plus 2 additional CVEs (bunk)
 --
+clamav (Emilio)
+--
 condor (Anton)
   NOTE: 20211216: full details embargoed
   NOTE: 20211227: the fix is out and now available; cf:
@@ -102,6 +104,7 @@ thunderbird (Emilio)
   NOTE: 20211122: blocked on toolchain backports (pochu)
   NOTE: 20211206: progressing on the toolchain front (pochu)
   NOTE: 20211220: backport in progress, making it build with python3.5 (pochu)
+  NOTE: 20210103: DSA released, DLA will follow today (pochu)
 --
 vim (Anton)
   NOTE: 20211203: adding here as it's in the ela-needed as well
diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt
index 6d3b23915a..0aaff74514 100644
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -27,6 +27,8 @@ condor
 --
 faad2/oldstable (jmm)
 --
+ghostscript
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
author	Jeremiah C. Foster <jeremiah@jeremiahfoster.com>	2022-01-03 08:53:46 -0500
committer	Jeremiah C. Foster <jeremiah@jeremiahfoster.com>	2022-01-03 08:53:46 -0500
commit	570c0801878eefca17fd3b9c2db900fda1b64421 (patch)
tree	ac7ed2e222f06e987c8187a80eb38379f9346008
parent	c42e2b6f46d270a079a3869b0307130172444d3b (diff)
parent	a84a3b4e9865af15f2ae498c5f42c96130e539a3 (diff)