diff options
author | Jeremiah C. Foster <jeremiah@jeremiahfoster.com> | 2022-01-03 08:53:46 -0500 |
---|---|---|
committer | Jeremiah C. Foster <jeremiah@jeremiahfoster.com> | 2022-01-03 08:53:46 -0500 |
commit | 570c0801878eefca17fd3b9c2db900fda1b64421 (patch) | |
tree | ac7ed2e222f06e987c8187a80eb38379f9346008 | |
parent | c42e2b6f46d270a079a3869b0307130172444d3b (diff) | |
parent | a84a3b4e9865af15f2ae498c5f42c96130e539a3 (diff) |
Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker
-rw-r--r-- | data/CVE/2021.list | 34 | ||||
-rw-r--r-- | data/CVE/2022.list | 8 | ||||
-rw-r--r-- | data/dla-needed.txt | 3 | ||||
-rw-r--r-- | data/dsa-needed.txt | 2 |
4 files changed, 40 insertions, 7 deletions
diff --git a/data/CVE/2021.list b/data/CVE/2021.list index a7c38f1214..f42e79b4aa 100644 --- a/data/CVE/2021.list +++ b/data/CVE/2021.list @@ -1,3 +1,9 @@ +CVE-2021-XXXX [XSS vulnerability via HTML messages with malicious CSS content] + - roundcube <unfixed> (bug #1003027) + NOTE: https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0 (1.5.2) + NOTE: https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8 (1.4.13) + NOTE: https://roundcube.net/news/2021/12/30/update-1.5.2-released + NOTE: https://roundcube.net/news/2021/12/30/security-update-1.4.13-released CVE-2021-45984 RESERVED CVE-2021-45983 @@ -51,6 +57,7 @@ CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or mor - expat <unfixed> (bug #1002994) [bullseye] - expat <no-dsa> (Minor issue; can be fixed via point release) [buster] - expat <no-dsa> (Minor issue; can be fixed via point release) + [stretch] - expat <no-dsa> (Minor issue) NOTE: https://github.com/libexpat/libexpat/issues/531 NOTE: https://github.com/libexpat/libexpat/pull/534 CVE-2021-45959 (** DISPUTED ** {fmt} 7.1.0 through 8.0.1 has a stack-based buffer over ...) @@ -104,6 +111,7 @@ CVE-2021-45950 (LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds wr CVE-2021-45949 (Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overf ...) - ghostscript 9.55.0~dfsg-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=703902 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7 CVE-2021-45948 (Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-base ...) - assimp 5.1.1~ds0-1 @@ -224,6 +232,8 @@ CVE-2021-45919 RESERVED CVE-2021-4190 (Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of ...) - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-22.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17811 CVE-2021-4189 [ftplib should not use the host from the PASV response] @@ -327,26 +337,38 @@ CVE-2021-45885 (An issue was discovered in Stormshield Network Security (SNS) 4. NOT-FOR-US: Stormshield Network Security (SNS) CVE-2021-4186 (Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows den ...) - wireshark 3.6.0-1 + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-16.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17737 CVE-2021-4185 (Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3 ...) - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-17.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17745 CVE-2021-4184 (Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3 ...) - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-18.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17754 CVE-2021-4183 (Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of se ...) - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-19.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17755 CVE-2021-4182 (Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 ...) - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-20.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17801 CVE-2021-4181 (Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3. ...) - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-21.html NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/5429 CVE-2021-45884 (In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based a ...) @@ -1268,6 +1290,8 @@ CVE-2021-45464 RESERVED CVE-2021-45463 (GEGL before 0.4.34, as used (for example) in GIMP before 2.10.30, allo ...) - gegl 1:0.4.34-1 (bug #1002661) + [bullseye] - gegl <no-dsa> (Minor issue) + [buster] - gegl <no-dsa> (Minor issue) [stretch] - gegl <no-dsa> (Minor issue; can be fixed later) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b (GEGL_0_4_34) NOTE: Followup: https://gitlab.gnome.org/GNOME/gegl/-/commit/2172cf7e8d7e8891ae2053d6eef213d5bef939cb (GEGL_0_4_34) @@ -21986,7 +22010,7 @@ CVE-2021-23203 CVE-2021-23184 RESERVED CVE-2021-36980 (Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-f ...) - - openvswitch <unfixed> (bug #991308) + - openvswitch 2.15.0+ds1-10 (bug #991308) [bullseye] - openvswitch <no-dsa> (Minor issue) [buster] - openvswitch <not-affected> (Vulnerable code not present, introduced in 2.11) [stretch] - openvswitch <not-affected> (Vulnerable code not present, introduced in 2.11) @@ -48615,8 +48639,8 @@ CVE-2021-25996 RESERVED CVE-2021-25995 RESERVED -CVE-2021-25994 - RESERVED +CVE-2021-25994 (In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Head ...) + TODO: check CVE-2021-25993 (In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected b ...) TODO: check CVE-2021-25992 @@ -48641,8 +48665,8 @@ CVE-2021-25983 (In Factor (App Framework & Headless CMS) forum plugin, versi NOT-FOR-US: Factor (App Framework & Headless CMS) CVE-2021-25982 (In Factor (App Framework & Headless CMS) forum plugin, versions 1. ...) NOT-FOR-US: Factor (App Framework & Headless CMS) -CVE-2021-25981 - RESERVED +CVE-2021-25981 (In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev ve ...) + NOT-FOR-US: Talkyard CVE-2021-25980 (In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22 ...) NOT-FOR-US: Talkyard CVE-2021-25979 (Apostrophe CMS versions between 2.63.0 to 3.3.1 affected by an insuffi ...) diff --git a/data/CVE/2022.list b/data/CVE/2022.list index 8f3f417af1..b009786bcc 100644 --- a/data/CVE/2022.list +++ b/data/CVE/2022.list @@ -1,3 +1,7 @@ +CVE-2022-0083 + RESERVED +CVE-2022-0082 + RESERVED CVE-2022-22293 (admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstra ...) - dolibarr <removed> CVE-2022-0081 @@ -6,8 +10,8 @@ CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...) - mruby <unfixed> NOTE: https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/ NOTE: https://github.com/mruby/mruby/commit/28ccc664e5dcd3f9d55173e9afde77c4705a9ab6 -CVE-2022-0079 - RESERVED +CVE-2022-0079 (showdoc is vulnerable to Generation of Error Message Containing Sensit ...) + NOT-FOR-US: showdoc CVE-2022-0078 RESERVED CVE-2022-22292 diff --git a/data/dla-needed.txt b/data/dla-needed.txt index 24aad7e8f4..2cbc2914b5 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -24,6 +24,8 @@ apng2gif NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie NOTE: 20211229: but is unfixed in stretch, plus 2 additional CVEs (bunk) -- +clamav (Emilio) +-- condor (Anton) NOTE: 20211216: full details embargoed NOTE: 20211227: the fix is out and now available; cf: @@ -102,6 +104,7 @@ thunderbird (Emilio) NOTE: 20211122: blocked on toolchain backports (pochu) NOTE: 20211206: progressing on the toolchain front (pochu) NOTE: 20211220: backport in progress, making it build with python3.5 (pochu) + NOTE: 20210103: DSA released, DLA will follow today (pochu) -- vim (Anton) NOTE: 20211203: adding here as it's in the ela-needed as well diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index 6d3b23915a..0aaff74514 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -27,6 +27,8 @@ condor -- faad2/oldstable (jmm) -- +ghostscript +-- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. |