Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2cefb2a8 by Salvatore Bonaccorso at 2023-03-29T22:14:34+02:00
Process some NFUs

- - - - -
ec239d84 by Salvatore Bonaccorso at 2023-03-29T22:14:36+02:00
Add two new python-redis CVEs

- - - - -
da1f3991 by Salvatore Bonaccorso at 2023-03-29T22:14:37+02:00
Add CVE-2023-26923/musescore

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -245,9 +245,9 @@ CVE-2023-1687 (A vulnerability classified as problematic 
has been found in Sourc
 CVE-2023-1686 (A vulnerability was found in SourceCodester Young Entrepreneur 
E-Negos ...)
        NOT-FOR-US: SourceCodester Young Entrepreneur E-Negosyo System
 CVE-2023-1685 (A vulnerability was found in HadSky up to 7.11.8. It has been 
declared ...)
-       TODO: check
+       NOT-FOR-US: HadSky
 CVE-2023-1684 (A vulnerability was found in HadSky 7.7.16. It has been 
classified as  ...)
-       TODO: check
+       NOT-FOR-US: HadSky
 CVE-2023-1683 (A vulnerability was found in Xunrui CMS 4.61 and classified as 
problem ...)
        NOT-FOR-US: Xunrui CMS
 CVE-2023-1682 (A vulnerability has been found in Xunrui CMS 4.61 and 
classified as pr ...)
@@ -526,9 +526,16 @@ CVE-2023-1638 (A vulnerability was found in IObit Malware 
Fighter 9.4.0.776. It
 CVE-2018-25083 (The pullit package before 1.4.0 for Node.js allows OS Command 
Injectio ...)
        TODO: check
 CVE-2023-28859 (redis-py through 4.5.3 leaves a connection open after 
canceling an asy ...)
-       TODO: check
+       - python-redis <not-affected> (Incomplete fix for CVE-2023-28858 not 
applied)
+       NOTE: https://github.com/redis/redis-py/issues/2665
+       NOTE: https://github.com/redis/redis-py/pull/2641
 CVE-2023-28858 (redis-py before 4.5.3, as used in ChatGPT and other products, 
leaves a ...)
-       TODO: check
+       - python-redis <unfixed>
+       NOTE: https://github.com/redis/redis-py/issues/2624
+       NOTE: https://github.com/redis/redis-py/pull/2641
+       NOTE: https://openai.com/blog/march-20-chatgpt-outage
+       NOTE: When fixing this issue make sure to apply complete fixes (cf. 
CVE-2023-28859
+       NOTE: CVE entry) to not open CVE-2023-28859.
 CVE-2023-1637 (A flaw that boot CPU could be vulnerable for the speculative 
execution ...)
        - linux 5.17.3-1
        [bullseye] - linux 5.10.113-1
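Review bot: the `<not-affected>` state given to CVE-2023-28859 in this hunk is conditional rather than permanent: its own justification says it holds only because the incomplete fix for CVE-2023-28858 (redis-py PR 2641) has not been applied to python-redis, so the moment CVE-2023-28858 is fixed in the package the `<not-affected>` entry becomes stale. The NOTE under CVE-2023-28858 records this dependency in one direction only; consider adding a matching reminder under CVE-2023-28859, e.g. `NOTE: Re-evaluate once CVE-2023-28858 is fixed in python-redis`, so whoever processes the later fix is not relying on finding the cross-reference in the other entry.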
@@ -1243,7 +1250,7 @@ CVE-2023-28639
 CVE-2023-28638 (Snappier is a high performance C# implementation of the Snappy 
compres ...)
        TODO: check
 CVE-2023-28637 (DataEase is an open source data visualization analysis tool. 
In Dataea ...)
-       TODO: check
+       NOT-FOR-US: DataEase
 CVE-2023-28636
        RESERVED
 CVE-2023-28635
@@ -3088,9 +3095,9 @@ CVE-2023-28105 (go-used-util has commonly used utility 
functions for Go. Version
 CVE-2023-28104 (`silverstripe/graphql` serves Silverstripe data as GraphQL 
representat ...)
        NOT-FOR-US: silverstripe/graphql
 CVE-2023-28103 (matrix-react-sdk is a Matrix chat protocol SDK for React 
Javascript. I ...)
-       TODO: check
+       NOT-FOR-US: Node matrix-react-sdk
 CVE-2023-28102 (discordrb is an implementation of the Discord API using Ruby. 
In disco ...)
-       TODO: check
+       NOT-FOR-US: discordrb
 CVE-2023-28101 (Flatpak is a system for building, distributing, and running 
sandboxed  ...)
        - flatpak 1.14.4-1 (bug #1033098)
        [bullseye] - flatpak <no-dsa> (Minor issue)
@@ -5751,13 +5758,13 @@ CVE-2023-27234 (A Cross-Site Request Forgery (CSRF) in 
/Sys/index.html of Jizhic
 CVE-2023-27233
        RESERVED
 CVE-2023-27232 (TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to 
contain a com ...)
-       TODO: check
+       NOT-FOR-US: TOTOLINK
 CVE-2023-27231 (TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to 
contain a com ...)
-       TODO: check
+       NOT-FOR-US: TOTOLINK
 CVE-2023-27230
        RESERVED
 CVE-2023-27229 (TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to 
contain a com ...)
-       TODO: check
+       NOT-FOR-US: TOTOLINK
 CVE-2023-27228
        RESERVED
 CVE-2023-27227
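Review bot: the three new `NOT-FOR-US: TOTOLINK` lines in this hunk spell the vendor differently from the CVE descriptions on the adjacent lines (`TOTOlink`); since triage over data/CVE/list is routinely done by text search, settle on one spelling for the NOT-FOR-US annotation so all entries for this vendor are found together.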
@@ -6390,7 +6397,8 @@ CVE-2023-26925
 CVE-2023-26924 (LLVM a0dab4950 has a segmentation fault in 
mlir::outlineSingleBlockReg ...)
        TODO: check
 CVE-2023-26923 (Musescore 3.0 to 4.0.1 has a stack buffer overflow 
vulnerability that  ...)
-       TODO: check
+       - musescore <unfixed>
+       NOTE: https://github.com/musescore/MuseScore/issues/16346
 CVE-2023-26922 (SQL injection vulnerability found in Varisicte matrix-gui v.2 
allows a ...)
        NOT-FOR-US: Varisicte
 CVE-2023-26921
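Review bot: `- musescore <unfixed>` in this hunk is backed only by the upstream issue link, with no Debian bug reference, unlike the `- flatpak 1.14.4-1 (bug #1033098)` entry earlier in this diff; without a bug number nothing in the tracker records that the package maintainer has been notified of the stack buffer overflow. Consider filing the bug and recording it as `- musescore <unfixed> (bug #NNNNNN)`, and adding a stable-suite annotation (e.g. a `[bullseye]` line) once the severity for stable has been assessed.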



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/063df9506c3a15866b7867514dc0ac01080a3625...da1f3991407813aa536721019b45e4893cbd56e5

-- 
You're receiving this email because of your account on salsa.debian.org.


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
