Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5598bb2e by security tracker role at 2024-09-14T20:12:07+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,9 @@
+CVE-2024-8862 (A vulnerability, which was classified as critical, has been
found in h ...)
+ TODO: check
+CVE-2024-6482 (The Login with phone number plugin for WordPress is vulnerable
to priv ...)
+ TODO: check
+CVE-2023-3410 (The Bricks theme for WordPress is vulnerable to Stored
Cross-Site Scri ...)
+ TODO: check
CVE-2024-8768
NOT-FOR-US: vLLM
CVE-2024-8797 (The WP Booking System \u2013 Booking Calendar plugin for
WordPress is ...)
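Review bot: the three newly imported entries at the top of the file carry only `TODO: check` and no package line, so they need triage before the tracker treats them as assessed; the two WordPress items (CVE-2024-6482, CVE-2023-3410) look like candidates for the `NOT-FOR-US:` marking this file already uses for vLLM and NodeBB, and the description of CVE-2024-8862 is truncated at "h ...", so the affected product has to be looked up before that entry can be classified.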
@@ -48264,10 +48270,12 @@ CVE-2024-31080 (A heap-based buffer over-read
vulnerability was found in the X.o
NOTE: Fixed by:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b
NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html
CVE-2024-27983 (An attacker can make the Node.js HTTP/2 server completely
unavailable ...)
+ {DLA-3886-1}
- nodejs 18.20.1+dfsg-1 (bug #1068347)
NOTE:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/
NOTE: Fixed by:
https://github.com/nodejs/node/commit/0fb816dbccde955cd24acc1b16497a91fab507c8
(v18.20.1)
CVE-2024-27982 (The team has identified a critical vulnerability in the http
server of ...)
+ {DLA-3886-1}
- nodejs 18.20.1+dfsg-1 (bug #1068347)
NOTE:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/
NOTE: Fixed by:
https://github.com/nodejs/node/commit/5d4d5848cf557fba6dc0bfdd020471ea607950ca
(v18.20.1)
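Review bot: the same `{DLA-3886-1}` reference is added to both CVE-2024-27983 and CVE-2024-27982, whose only recorded fix is nodejs 18.20.1+dfsg-1 in unstable (bug #1068347); that is consistent, but since neither entry has a suite-specific line, the LTS fixed version is carried solely by the advisory, so the DLA's own entry should list both CVE ids or the cross-reference will not resolve for one of them.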
@@ -59425,7 +59433,7 @@ CVE-2024-26594 (In the Linux kernel, the following
vulnerability has been resolv
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE:
https://git.kernel.org/linus/92e470163d96df8db6c4fa0f484e4a229edb903d (6.8-rc1)
CVE-2024-22025 (A vulnerability in Node.js has been identified, allowing for a
Denial ...)
- {DLA-3776-1}
+ {DLA-3886-1 DLA-3776-1}
- nodejs 18.19.1+dfsg-1
NOTE: https://nodejs.org/en/blog/release/v18.19.1
NOTE:
https://github.com/nodejs/node/commit/f31d47e135973746c4f490d5eb635eded8bb3dda
(v18.x)
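Review bot: CVE-2024-22025 now references two LTS advisories, `{DLA-3886-1 DLA-3776-1}`, with the newer one first; that ordering matches the other multi-advisory entries in this commit (DSA first, then DLAs newest first), so keep it. Nothing else changes for the entry, which still points at the 18.19.1 release notes and the v18.x fix commit.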
@@ -61095,7 +61103,7 @@ CVE-2024-21891 (Node.js depends on multiple built-in
utility functions to normal
- nodejs <not-affected> (Only affects 20.x and later)
NOTE:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#multiple-permission-model-bypasses-due-to-improper-path-traversal-sequence-sanitization-cve-2024-21891---medium
CVE-2023-46809 (Node.js versions which bundle an unpatched version of OpenSSL
or run a ...)
- {DLA-3776-1}
+ {DLA-3886-1 DLA-3776-1}
- nodejs 18.19.1+dfsg-1 (bug #1064055)
NOTE:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#nodejs-is-vulnerable-to-the-marvin-attack-timing-variant-of-the-bleichenbacher-attack-against-pkcs1-v15-padding-cve-2023-46809---medium
NOTE:
https://github.com/nodejs/node/commit/d3d357ab096884f10f5d2f164149727eea875635
(v18.x)
@@ -61109,6 +61117,7 @@ CVE-2024-21896 (The permission model protects itself
against path traversal atta
- nodejs <not-affected> (Only affects 20.x and later)
NOTE:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#path-traversal-by-monkey-patching-buffer-internals-cve-2024-21896---high
CVE-2024-22019 (A vulnerability in Node.js HTTP servers allows an attacker to
send a s ...)
+ {DLA-3886-1}
- nodejs 18.19.1+dfsg-1 (bug #1064055)
[buster] - nodejs <not-affected> (Vulnerable code not present)
NOTE:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high
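Review bot: CVE-2024-22019 keeps its `[buster] - nodejs <not-affected> (Vulnerable code not present)` line while gaining `{DLA-3886-1}`, so the advisory can only apply to a later LTS suite; worth a quick check that the DLA indeed targets bullseye and not buster, otherwise the not-affected marking and the advisory reference contradict each other.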
@@ -94275,7 +94284,7 @@ CVE-2023-33242 (Crypto wallets implementing the
Lindell17 TSS protocol might all
CVE-2023-33241 (Crypto wallets implementing the GG18 or GG20 TSS protocol
might allow ...)
NOT-FOR-US: Crypto wallets implementing the GG18 or GG20 TSS protocol
CVE-2023-32559 (A privilege escalation vulnerability exists in the
experimental policy ...)
- {DSA-5589-1}
+ {DSA-5589-1 DLA-3886-1}
- nodejs 18.13.0+dfsg1-1.1 (bug #1050739)
[buster] - nodejs <not-affected> (v10.x doesn't support policy
manifests)
NOTE:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-processbinding-mediumcve-2023-32559
@@ -108000,12 +108009,12 @@ CVE-2023-30592
CVE-2023-30591 (Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated
attacker ...)
NOT-FOR-US: NodeBB
CVE-2023-30590 (The generateKeys() API function returned from
crypto.createDiffieHellm ...)
- {DSA-5589-1 DLA-3776-1}
+ {DSA-5589-1 DLA-3886-1 DLA-3776-1}
- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
NOTE: Fixed by:
https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85
(v16.x)
CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not
strictly ...)
- {DSA-5589-1}
+ {DSA-5589-1 DLA-3886-1}
- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
[buster] - nodejs <not-affected> (llhttp dependency/embedding
introduced in 12.x)
- llhttp <itp> (bug #977716)
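Review bot: CVE-2023-30589 is marked `[buster] - nodejs <not-affected>` because llhttp was only embedded from 12.x, yet it now gets DLA-3886-1 alongside DSA-5589-1; as with the other entries in this commit, that is consistent only if the DLA covers bullseye. The unchanged trailing `- llhttp <itp> (bug #977716)` line still records that llhttp is not packaged separately, so the fix tracked here is the copy embedded in nodejs.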
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5598bb2e8a5ea8a26b4c2b2d53407a2bf9ad64f5
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits