Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
5d55976a by security tracker role at 2024-03-25T08:12:02+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,53 @@
+CVE-2024-2863 (This vulnerability allows remote attackers to traverse paths
via file ...)
+ TODO: check
+CVE-2024-2862 (This vulnerability allows remote attackers to reset the
password of an ...)
+ TODO: check
+CVE-2024-29216 (Exposed IOCTL with insufficient access control issue exists in
cg6kwin ...)
+ TODO: check
+CVE-2024-29194 (OneUptime is a solution for monitoring and managing online
services. T ...)
+ TODO: check
+CVE-2024-29188 (WiX toolset lets developers create installers for Windows
Installer, t ...)
+ TODO: check
+CVE-2024-29187 (WiX toolset lets developers create installers for Windows
Installer, t ...)
+ TODO: check
+CVE-2024-29071 (HGW BL1500HM Ver 002.001.013 and earlier contains a use of
week creden ...)
+ TODO: check
+CVE-2024-29034 (CarrierWave is a solution for file uploads for Rails, Sinatra
and othe ...)
+ TODO: check
+CVE-2024-29009 (Cross-site request forgery (CSRF) vulnerability in
easy-popup-show all ...)
+ TODO: check
+CVE-2024-28041 (HGW BL1500HM Ver 002.001.013 and earlier allows a
network-adjacent una ...)
+ TODO: check
+CVE-2024-24899 (Improper Neutralization of Special Elements used in an OS
Command ('OS ...)
+ TODO: check
+CVE-2024-24897 (Improper Neutralization of Special Elements used in a Command
('Comman ...)
+ TODO: check
+CVE-2024-24892 (Improper Neutralization of Special Elements used in an OS
Command ('OS ...)
+ TODO: check
+CVE-2024-24890 (Improper Neutralization of Special Elements used in an OS
Command ('OS ...)
+ TODO: check
+CVE-2024-21865 (HGW BL1500HM Ver 002.001.013 and earlier contains a use of
week creden ...)
+ TODO: check
+CVE-2024-21505 (Versions of the package web3-utils before 4.2.1 are vulnerable
to Prot ...)
+ TODO: check
+CVE-2024-1962 (The CM Download Manager WordPress plugin before 2.9.1 does not
have C ...)
+ TODO: check
+CVE-2024-1564 (The wp-schema-pro WordPress plugin before 2.7.16 does not
validate pos ...)
+ TODO: check
+CVE-2024-1232 (The CM Download Manager WordPress plugin before 2.9.0 does not
have C ...)
+ TODO: check
+CVE-2024-1231 (The CM Download Manager WordPress plugin before 2.9.0 does not
have C ...)
+ TODO: check
+CVE-2023-37886 (Missing Authorization vulnerability in InspiryThemes
RealHomes.This is ...)
+ TODO: check
+CVE-2023-37885 (Missing Authorization vulnerability in InspiryThemes
RealHomes.This is ...)
+ TODO: check
+CVE-2023-33923 (Missing Authorization vulnerability in HashThemes Viral News,
HashThem ...)
+ TODO: check
+CVE-2020-36826 (A vulnerability was found in AwesomestCode LiveBot. It has
been classi ...)
+ TODO: check
+CVE-2020-36825 (A vulnerability has been found in cyberaz0r WebRAT up to
20191222 and ...)
+ TODO: check
CVE-2024-27281 [RCE vulnerability with .rdoc_options in RDoc]
- ruby3.2 <unfixed>
- ruby3.1 <unfixed>
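Review bot: all 25 entries added at the top of this hunk land with only `TODO: check`, and some can be closed from the visible description alone. CVE-2024-1962, CVE-2024-1564, CVE-2024-1232 and CVE-2024-1231 are described as WordPress plugins, which this file resolves elsewhere as `NOT-FOR-US: WordPress plugin`. The remaining entries need a package lookup before the TODO is replaced with either a `- <package>` line or a NOT-FOR-US marker.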
@@ -62,7 +112,7 @@ CVE-2018-25100 (The Mojolicious module before 7.66 for Perl
may leak cookies in
NOTE: https://github.com/mojolicious/mojo/pull/1192
NOTE: https://github.com/mojolicious/mojo/issues/1185
NOTE:
https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149
(v7.66)
-CVE-2024-30187 [possibility to reset password for suspended accounts]
+CVE-2024-30187 (Anope before 2.0.15 does not prevent resetting the password of
a suspe ...)
- anope 2.0.15-1
NOTE: https://github.com/anope/anope/issues/351
NOTE:
https://github.com/anope/anope/commit/2b7872139c40ea5b0ca96c1d6595b7d5f9fa60a5
(2.0.15)
@@ -1068,6 +1118,7 @@ CVE-2024-1145 (User enumeration vulnerability in
Devklan's Alma Blog that affect
CVE-2024-1144 (Improper access control vulnerability in Devklan's Alma Blog
that affe ...)
NOT-FOR-US: Devklan's Alma Blog
CVE-2024-0450 (An issue was found in the CPython `zipfile` module affecting
versions ...)
+ {DLA-3772-1 DLA-3771-1}
- python3.12 3.12.2-1
- python3.11 3.11.8-1
- python3.10 <unfixed>
@@ -1084,6 +1135,7 @@ CVE-2024-0450 (An issue was found in the CPython
`zipfile` module affecting vers
NOTE:
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
(v3.9.19)
NOTE:
https://mail.python.org/archives/list/[email protected]/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory`
class ...)
+ {DLA-3772-1}
- python3.12 3.12.1-1
- python3.11 3.11.8-1
- python3.10 <unfixed>
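Review bot: the `{DLA-3772-1}` line added for CVE-2023-6597 names one advisory, while CVE-2024-0450 in the preceding hunk gets `{DLA-3772-1 DLA-3771-1}`, although both entries show the same python3.12, python3.11 and python3.10 lines. Confirm against the DLA list that DLA-3771-1 really does not cover CVE-2023-6597, and that the entry has a status line for the suite those DLAs target, since none is visible in the three lines of context here.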
@@ -19756,7 +19808,7 @@ CVE-2023-49356 (A stack buffer overflow vulnerability
in MP3Gain v1.6.2 allows a
NOTE:
https://github.com/linzc21/bug-reports/blob/main/reports/mp3gain/1.6.2/stack-buffer-overflow/CVE-2023-49356.md
NOTE: Likely the same and duplicate of CVE-2018-10777 and covered by
the same fixes applied
CVE-2023-49088 (Cacti is an open source operational monitoring and fault
management fr ...)
- {DLA-3765-1}
+ {DSA-5646-1 DLA-3765-1}
- cacti 1.2.26+ds1-1
NOTE: Caused by an incomplete fix for CVE-2023-39515
NOTE:
https://github.com/Cacti/cacti/security/advisories/GHSA-q7g7-gcf6-wh4x
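Review bot: on CVE-2023-49088 the new `{DSA-5646-1 DLA-3765-1}` cross-reference sits directly above the note "Caused by an incomplete fix for CVE-2023-39515", and none of the visible hunks touches CVE-2023-39515. Check that the CVE-2023-39515 entry already accounts for the suites DSA-5646-1 covers, because the follow-up fix is only meaningful where the original fix is also present.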
@@ -19766,7 +19818,7 @@ CVE-2023-49088 (Cacti is an open source operational
monitoring and fault managem
NOTE:
https://github.com/Cacti/cacti/commit/59e39b34f8f1d80b28d38a391d7aa6e7a3302f5b
(release/1.2.26)
NOTE:
https://github.com/Cacti/cacti/commit/56f9d99e6e5ab434ea18fa344236f41e78f99c59
(1.2.x)
CVE-2023-49085 (Cacti provides an operational monitoring and fault management
framewor ...)
- {DLA-3765-1}
+ {DSA-5646-1 DLA-3765-1}
- cacti 1.2.26+ds1-1
NOTE:
https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855
NOTE:
https://github.com/Cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188
(release/1.2.26)
@@ -19885,12 +19937,12 @@ CVE-2023-49678
CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL
Injectio ...)
NOT-FOR-US: Job Portal
CVE-2023-49086 (Cacti is a robust performance and fault management framework
and a fro ...)
- {DLA-3765-1}
+ {DSA-5646-1 DLA-3765-1}
- cacti 1.2.26+ds1-1 (bug #1059254)
NOTE:
https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr
NOTE:
https://github.com/Cacti/cacti/commit/56f9d99e6e5ab434ea18fa344236f41e78f99c59
(1.2.x)
CVE-2023-49084 (Cacti is a robust performance and fault management framework
and a fro ...)
- {DLA-3765-1}
+ {DSA-5646-1 DLA-3765-1}
- cacti 1.2.26+ds1-1 (bug #1059254)
NOTE:
https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
NOTE:
https://github.com/Cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188
(release/1.2.26)
@@ -33523,7 +33575,7 @@ CVE-2023-42669 (A vulnerability was found in Samba's
"rpcecho" development serve
[buster] - samba <ignored> (Domain controller functionality is EOLed,
see DSA-5015-1)
NOTE: https://www.samba.org/samba/security/CVE-2023-42669.html
CVE-2023-4091 (A vulnerability was discovered in Samba, where the flaw allows
SMB cli ...)
- {DSA-5525-1}
+ {DSA-5647-1 DSA-5525-1}
- samba 2:4.19.1+dfsg-1
NOTE: https://www.samba.org/samba/security/CVE-2023-4091.html
NOTE: In scope for continued Samba support
@@ -38582,7 +38634,7 @@ CVE-2023-39514 (Cacti is an open source operational
monitoring and fault managem
NOTE:
https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e
(release/1.2.25)
NOTE: Introduced by:
https://github.com/Cacti/cacti/commit/75c147b70493d188ad85313569f86e33e13988b2
(release/1.2.17)
CVE-2023-39513 (Cacti is an open source operational monitoring and fault
management fr ...)
- {DLA-3765-1}
+ {DSA-5646-1 DLA-3765-1}
- cacti 1.2.25+ds1-1
NOTE:
https://github.com/Cacti/cacti/security/advisories/GHSA-9fj7-8f2j-2rw2
NOTE: Initial fix (partially reverted):
https://github.com/Cacti/cacti/commit/976f44dd8dfb2410e0dba00de9c4bbca17ee8910
(release/1.2.25)
@@ -38641,7 +38693,7 @@ CVE-2023-39361 (Cacti is an open source operational
monitoring and fault managem
NOTE: but the patch still fixes multiple similar issues including one
present in earlier versions.
NOTE: Additional hardening with CVE-2023-39365.
CVE-2023-39360 (Cacti is an open source operational monitoring and fault
management fr ...)
- {DLA-3765-1}
+ {DSA-5646-1 DLA-3765-1}
- cacti 1.2.25+ds1-1
NOTE:
https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4
NOTE: Initial fix:
https://github.com/cacti/cacti/commit/9696bbd8060c7332b11b709f4dd17e6c3776bba2
(release/1.2.25)
@@ -45164,7 +45216,7 @@ CVE-2023-3347 (A vulnerability was found in Samba's
SMB2 packet signing mechanis
[buster] - samba <not-affected> (Vulnerable code not present)
NOTE: https://www.samba.org/samba/security/CVE-2023-3347.html
CVE-2023-34968 (A path disclosure vulnerability was found in Samba. As part of
the Spo ...)
- {DSA-5477-1}
+ {DSA-5647-1 DSA-5477-1}
- samba 2:4.18.5+dfsg-1
[buster] - samba <ignored> (spotlight enabled in 4.13.13+dfsg-1 -
bullseye)
NOTE: https://www.samba.org/samba/security/CVE-2023-34968.html
@@ -45177,13 +45229,13 @@ CVE-2023-42464 (A Type Confusion vulnerability was
found in the Spotlight RPC fu
NOTE: Fixed by:
https://github.com/Netatalk/netatalk/commit/a0ee3c246ee9e082436192290610a4d812fc0b7f
(main)
NOTE: Fixed by:
https://github.com/Netatalk/netatalk/commit/f6364ef0e5f1b7de88c5e837434af8a5df4c4c75
(netatalk-3-1-17)
CVE-2023-34967 (A Type Confusion vulnerability was found in Samba's mdssvc RPC
service ...)
- {DSA-5477-1}
+ {DSA-5647-1 DSA-5477-1}
- samba 2:4.18.5+dfsg-1
[buster] - samba <ignored> (spotlight enabled in 4.13.13+dfsg-1 -
bullseye)
NOTE: https://www.samba.org/samba/security/CVE-2023-34967.html
NOTE: severity:unimportant for buster backwards, but we don't have
suite-specific severity annotations
CVE-2023-34966 (An infinite loop vulnerability was found in Samba's mdssvc RPC
service ...)
- {DSA-5477-1}
+ {DSA-5647-1 DSA-5477-1}
- samba 2:4.18.5+dfsg-1
[buster] - samba <ignored> (spotlight enabled in 4.13.13+dfsg-1 -
bullseye)
NOTE: https://www.samba.org/samba/security/CVE-2023-34966.html
@@ -56638,8 +56690,8 @@ CVE-2023-30482 (Auth. (contributor+) Stored Cross-Site
Scripting (XSS) vulnerabi
NOT-FOR-US: WordPress plugin
CVE-2023-30481 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in
Alexey G ...)
NOT-FOR-US: WordPress plugin
-CVE-2023-30480
- RESERVED
+CVE-2023-30480 (Missing Authorization vulnerability in Sparkle WP
Educenter.This issue ...)
+ TODO: check
CVE-2023-30479
RESERVED
CVE-2023-30478 (Cross-Site Request Forgery (CSRF) vulnerability in Tribulant
Newslette ...)
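Review bot: CVE-2023-30480 goes from RESERVED to `TODO: check` while the entries right above it, CVE-2023-30482 and CVE-2023-30481, are closed as `NOT-FOR-US: WordPress plugin`. If Sparkle WP Educenter is likewise a WordPress item that Debian does not package, resolve it the same way in the follow-up triage commit rather than leaving the TODO in place.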
@@ -102730,7 +102782,7 @@ CVE-2022-42705 (A use-after-free in
res_pjsip_pubsub.c in Sangoma Asterisk 16.28
CVE-2022-42704 (A cross-site scripting (XSS) vulnerability in Employee Service
Center ...)
NOT-FOR-US: Employee Service Center
CVE-2022-3437 (A heap-based buffer overflow vulnerability was found in Samba
within t ...)
- {DSA-5287-1 DLA-3206-1}
+ {DSA-5647-1 DSA-5287-1 DLA-3206-1}
- samba 2:4.16.6+dfsg-1
- heimdal 7.8.git20221115.a6cf945+dfsg-1 (bug #1024187)
NOTE: https://www.samba.org/samba/security/CVE-2022-3437.html
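Review bot: in CVE-2022-3437 the added DSA-5647-1 tag applies to an entry that lists two source packages, `samba` and `heimdal`, and the `{...}` line does not say which one the advisory belongs to. Every other DSA-5647-1 addition in this commit is on a samba-only entry, so it is presumably the samba upload; confirm that against the DSA list and make sure the heimdal status for the same suite is not read as fixed by this advisory.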
@@ -119735,8 +119787,8 @@ CVE-2018-25045 (Django REST framework (aka
django-rest-framework) before 3.9.1 a
{DSA-5186-1}
- djangorestframework 3.10.2-1
NOTE:
https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8
(3.9.1)
-CVE-2022-36407
- RESERVED
+CVE-2022-36407 (Insertion of Sensitive Information into Log File vulnerability
in Hita ...)
+ TODO: check
CVE-2022-36389 (Cross-Site Request Forgery (CSRF) vulnerability in WordPlus
Better Mes ...)
NOT-FOR-US: WordPress plugin
CVE-2022-36386 (Authenticated Arbitrary Code Execution vulnerability in Soflyy
Import ...)
@@ -126688,7 +126740,7 @@ CVE-2022-2129 (Out-of-bounds Write in GitHub
repository vim/vim prior to 8.2.)
CVE-2022-2128 (Unrestricted Upload of File with Dangerous Type in GitHub
repository p ...)
NOT-FOR-US: Trudesk
CVE-2022-2127 (An out-of-bounds read vulnerability was found in Samba due to
insuffic ...)
- {DSA-5477-1}
+ {DSA-5647-1 DSA-5477-1}
- samba 2:4.18.5+dfsg-1
NOTE: https://www.samba.org/samba/security/CVE-2022-2127.html
NOTE: In scope for continued Samba support
@@ -175868,7 +175920,7 @@ CVE-2021-42741
CVE-2021-42740 (The shell-quote package before 1.7.3 for Node.js allows
command inject ...)
- node-shell-quote 1.7.3+~1.7.1-1 (bug #998418)
NOTE:
https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe
(1.7.3)
-CVE-2021-42739 (A heap-based buffer overflow flaw was found in the Linux
kernel FireDT ...)
+CVE-2021-42739 (The firewire subsystem in the Linux kernel through 5.14.13 has
a buffe ...)
{DSA-5096-1 DLA-2941-1 DLA-2843-1}
- linux 5.14.16-1
[bullseye] - linux 5.10.84-1
@@ -200115,8 +200167,8 @@ CVE-2021-33634 (iSulad uses the lcr+lxc runtime
(default) to run malicious image
NOT-FOR-US: OpenEuler lcr
CVE-2021-33633 (Improper Neutralization of Special Elements used in an OS
Command ('OS ...)
NOT-FOR-US: openEuler aops-ceres
-CVE-2021-33632
- RESERVED
+CVE-2021-33632 (Time-of-check Time-of-use (TOCTOU) Race Condition
vulnerability in ope ...)
+ TODO: check
CVE-2021-33631 (Integer Overflow or Wraparound vulnerability in openEuler
kernel on Li ...)
- linux 6.1.4-1
[bullseye] - linux 5.10.178-1
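Review bot: CVE-2021-33632 moves from RESERVED to `TODO: check` with a description truncated at "vulnerability in ope ...", and its neighbours are resolved in two different ways: CVE-2021-33634 and CVE-2021-33633 as NOT-FOR-US openEuler components, CVE-2021-33631 as a `linux` entry with fixed versions. Triage should read the full description to decide which case applies instead of copying the adjacent NOT-FOR-US.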
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d55976a1e042c0466e5028e30db1e910a577c8b