[Git][security-tracker-team/security-tracker][master] Claim rar and unrar-nonfree in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0635c44d by Markus Koschany at 2023-08-09T08:35:57+02:00 Claim rar and unrar-nonfree in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -138,7 +138,7 @@ rails NOTE: 20221024: to break thrice in less than 2 month. NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) -- -rar +rar (Markus Koschany) NOTE: 20230808: Added by Front-Desk (Beuc) NOTE: 20230808: CVE-2022-30333 was tagged "Non-free not supported" but we have sponsors for this package in buster, NOTE: 20230808: so it should be fixed. Fixed by 6.12, not sure there's a fix in the 5.x series. (Beuc/front-desk) @@ -193,7 +193,7 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -unrar-nonfree +unrar-nonfree (Markus Koschany) NOTE: 20230808: Added by Front-Desk (Beuc) -- zabbix (tobi) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0635c44dab58a551dd4488edd928c827c1c592b0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
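Review bot: The unrar-nonfree claim in the second hunk leaves that entry with only "NOTE: 20230808: Added by Front-Desk (Beuc)", so nothing records which CVE the package is claimed for, whereas the rar entry in the first hunk names CVE-2022-30333 and the open question about a fix in the 5.x series. Consider adding a dated NOTE to unrar-nonfree that states the CVE in scope and whether it is the same issue as the one tracked for rar.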
[Git][security-tracker-team/security-tracker][master] Mark remaining hdf5 CVE as no-dsa/postponed.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 70c636c5 by Markus Koschany at 2023-08-09T08:23:58+02:00 Mark remaining hdf5 CVE as no-dsa/postponed. Wait until those issues are fixed in unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -103711,16 +103711,19 @@ CVE-2022-26061 (A heap-based buffer overflow vulnerability exists in the gif2h5 - hdf5 (bug #1031726) [bookworm] - hdf5 (Minor issue, revisit when fixed upstream) [bullseye] - hdf5 (Minor issue, revisit when fixed upstream) + [buster] - hdf5 (Minor issue, revisit when fixed upstream) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1487 CVE-2022-25972 (An out-of-bounds write vulnerability exists in the gif2h5 functionalit ...) - hdf5 (bug #1031726) [bookworm] - hdf5 (Minor issue, revisit when fixed upstream) [bullseye] - hdf5 (Minor issue, revisit when fixed upstream) + [buster] - hdf5 (Minor issue, revisit when fixed upstream) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1485 CVE-2022-25942 (An out-of-bounds read vulnerability exists in the gif2h5 functionality ...) - hdf5 (bug #1031726) [bookworm] - hdf5 (Minor issue, revisit when fixed upstream) [bullseye] - hdf5 (Minor issue, revisit when fixed upstream) + [buster] - hdf5 (Minor issue, revisit when fixed upstream) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1486 CVE-2022-0935 (Host Header injection in password Reset in GitHub repository livehelpe ...) NOT-FOR-US: livehelperchat @@ -308039,6 +308042,7 @@ CVE-2019-8398 (An issue was discovered in the HDF HDF5 1.10.4 library. There is - hdf5 (bug #1034838) [bookworm] - hdf5 (Minor issue) [bullseye] - hdf5 (Minor issue) + [buster] - hdf5 (Minor issue) NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul6 NOTE: https://jira.hdfgroup.org/browse/HDFFV-10710 CVE-2019-8397 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...) 
@@ -308053,6 +308057,7 @@ CVE-2019-8396 (A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF - hdf5 (bug #1034838) [bookworm] - hdf5 (Minor issue) [bullseye] - hdf5 (Minor issue) + [buster] - hdf5 (Minor issue) NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul4 NOTE: https://jira.hdfgroup.org/browse/HDFFV-10712 NOTE: HDFFV-10712 is marked to be closed in a future 1.10.8 upstream release. @@ -353341,6 +353346,7 @@ CVE-2018-11205 (A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c i - hdf5 (bug #1034807) [bookworm] - hdf5 (Minor issue) [bullseye] - hdf5 (Minor issue) + [buster] - hdf5 (Minor issue) NOTE: https://jira.hdfgroup.org/browse/HDFFV-10479 CVE-2018-11204 (A NULL pointer dereference was discovered in H5O__chunk_deserialize in ...) - hdf5 1.10.4+repack-1 (low) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70c636c5a9aa86e41001ee62ec2f063b3e63fc27
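Review bot: The reason text on the added [buster] lines differs between hunks: CVE-2022-26061, CVE-2022-25972 and CVE-2022-25942 get "(Minor issue, revisit when fixed upstream)", while CVE-2019-8398, CVE-2019-8396 and CVE-2018-11205 get only "(Minor issue)" with no revisit condition. Each new line mirrors the bookworm and bullseye lines of its own entry, but the commit message states a single condition for all of them ("Wait until those issues are fixed in unstable"). Consider using one reason string that carries that condition, so that someone reading data/CVE/list later can tell when the last three entries should be re-triaged.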
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3522-1 for hdf5
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7803b26c by Markus Koschany at 2023-08-09T08:21:04+02:00 Reserve DLA-3522-1 for hdf5 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -336548,7 +336548,6 @@ CVE-2018-17438 (A SIGFPE signal is raised in the function H5D__select_io() of H5 NOTE: Negligible security impact CVE-2018-17437 (Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in ...) - hdf5 1.10.6+repack-2 (low) - [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln5#memory-leak-in-h5o_dtype_decode_helper @@ -336568,7 +336567,6 @@ CVE-2018-17435 (A heap-based buffer over-read in H5O_attr_decode() in H5Oattr.c NOTE: Fixed for 1.10.x in 1.10.7: https://forum.hdfgroup.org/t/release-of-hdf5-1-10-7-newsletter-175-the-hdf-group/7511 CVE-2018-17434 (A SIGFPE signal is raised in the function apply_filters() of h5repack_ ...) - hdf5 1.10.6+repack-2 (low) - [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_apply_filters_h5repack_filters @@ -337011,7 +337009,6 @@ CVE-2018-17238 RESERVED CVE-2018-17237 (A SIGFPE signal is raised in the function H5D__chunk_set_info_real() o ...) - hdf5 1.10.6+repack-2 (low) - [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/blob/master/HDF5/README.md#divided-by-zero---h5d__chunk_set_info_real_div_by_zero 
@@ -337030,7 +337027,6 @@ CVE-2018-17235 (The function mp4v2::impl::MP4Track::FinishSdtp() in mp4track.cpp NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1629451 CVE-2018-17234 (Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c in ...) - hdf5 1.10.6+repack-2 (low) - [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln3#memory-leak---h5o__chunk_deserialize_memory_leak @@ -337039,7 +337035,6 @@ CVE-2018-17234 (Memory leak in the H5O__chunk_deserialize() function in H5Ocache NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/f4138013dbc6851e968ea3d37b32776538ef306b CVE-2018-17233 (A SIGFPE signal is raised in the function H5D__create_chunk_file_map_h ...) - hdf5 1.10.6+repack-2 (low) - [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln2#divided-by-zero---h5d__create_chunk_file_map_hyper_div_zero = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Aug 2023] DLA-3522-1 hdf5 - security update + {CVE-2018-11206 CVE-2018-17233 CVE-2018-17234 CVE-2018-17237 CVE-2018-17434 CVE-2018-17437} + [buster] - hdf5 1.10.4+repack-10+deb10u1 [08 Aug 2023] DLA-3521-1 thunderbird - security update {CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056} [buster] - thunderbird 1:102.14.0-1~deb10u1 = data/dla-needed.txt = 
@@ -60,18 +60,6 @@ glib2.0 (santiago) NOTE: 20230724: buster should be ready. need if it's possible to run same reporter's fuzz test NOTE: 20230807: idem. -- -hdf5 (Markus Koschany) - NOTE: 20230318: Added by Front-Desk (utkarsh) - NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh) - NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably - NOTE: 20230318: sync w/ him. (utkarsh) - NOTE: 20230506: tried to triage… seems to be that only sensible way forward would be to update to a newer version in the 1.10.x - NOTE: 20230506: line. Still then, state of CVEs are unknown if they have been fixed. 1.10.11 is scheduled for September. (tobi) - NOTE: 20230520: Tried to backport 1.10.6 to buster, however, it seems that there is a (hidden) SONAME bump, - NOTE: 20230520: https://salsa.debian.org/debian/hdf5/-/commit/52b5fe589e68361ea840121d8f4a8eb9148bf3da - NOTE: 20230520: additionally couldn't convince the build system to build for buster, something with the autogenerated .install files, - NOTE: 20230520: so giving up on the package. (tobi) --- imagemagick (rouca) NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 2
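Review bot: The data/DLA/list entry lists six CVEs for DLA-3522-1, but the data/CVE/list hunks drop the "[buster] - hdf5 (Minor issue)" line for only five of them (CVE-2018-17233, CVE-2018-17234, CVE-2018-17237, CVE-2018-17434, CVE-2018-17437); no hunk touches CVE-2018-11206. Please confirm that the CVE-2018-11206 entry carries no leftover buster annotation that would contradict "[buster] - hdf5 1.10.4+repack-10+deb10u1".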
[Git][security-tracker-team/security-tracker][master] Add reference to oss-security post for CVE-2023-20569
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ede0872c by Salvatore Bonaccorso at 2023-08-09T07:58:32+02:00 Add reference to oss-security post for CVE-2023-20569 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54447,6 +54447,7 @@ CVE-2023-20569 (A side channel vulnerability on some of the AMD CPUs may allow a NOTE: https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf NOTE: https://github.com/comsec-group/inception NOTE: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-7005 + NOTE: https://www.openwall.com/lists/oss-security/2023/08/08/4 CVE-2023-20568 RESERVED CVE-2023-20567 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ede0872c2a0aca0f652ca63902d4ce4736b2ae05
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-3750/libvirt via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d3ae82d by Salvatore Bonaccorso at 2023-08-09T05:48:03+02:00 Track fixed version for CVE-2023-3750/libvirt via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2543,7 +2543,7 @@ CVE-2023-34966 (An infinite loop vulnerability was found in Samba's mdssvc RPC s - samba 2:4.18.5+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2023-34966.html CVE-2023-3750 (A flaw was found in libvirt. The virStoragePoolObjListSearch function ...) - - libvirt (bug #1041811) + - libvirt 9.6.0-1 (bug #1041811) [bookworm] - libvirt (Minor issue) [bullseye] - libvirt (Vulnerable code not present) [buster] - libvirt (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d3ae82d86082b8a3fdb70d2f9c87013bdc1af9d
[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2022-40982
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6cccf1c by Salvatore Bonaccorso at 2023-08-09T05:40:23+02:00 Add additional reference for CVE-2022-40982 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -62483,6 +62483,7 @@ CVE-2022-40982 NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230808 + NOTE: https://downfall.page/ CVE-2022-40971 (Incorrect default permissions for the Intel(R) HDMI Firmware Update To ...) NOT-FOR-US: Intel CVE-2022-40970 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6cccf1ce29b00eedc942e60deedf8f456bc37c8
[Git][security-tracker-team/security-tracker][master] Add intel-microcode to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d0ddd4f by Salvatore Bonaccorso at 2023-08-09T05:38:04+02:00 Add intel-microcode to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -19,6 +19,8 @@ cinder/oldstable frr (aron) maintainer proposed to update to 8.4.4 for bookworm, which might be a good idea -- +intel-microcode (carnil) +-- librsvg -- linux (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d0ddd4f52ae43e0c90195c8092f8d66cc46daa6
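Review bot: The new "intel-microcode (carnil)" entry has no description line, unlike "frr (aron)" directly above it, which records the planned approach. A one-line note naming the CVEs or the microcode release the update is needed for would let other team members see the scope from dsa-needed.txt alone.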
[Git][security-tracker-team/security-tracker][master] Track fixed version for intel-microcode via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 234f28cd by Salvatore Bonaccorso at 2023-08-09T05:36:00+02:00 Track fixed version for intel-microcode via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31536,7 +31536,7 @@ CVE-2023-24543 RESERVED CVE-2023-23908 RESERVED - - intel-microcode (bug #1043305) + - intel-microcode 3.20230808.1 (bug #1043305) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00836.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230808 CVE-2023-23580 (Stack-based buffer overflow for some Intel(R) Trace Analyzer and Colle ...) @@ -61730,7 +61730,7 @@ CVE-2022-41815 RESERVED CVE-2022-41804 RESERVED - - intel-microcode (bug #1043305) + - intel-microcode 3.20230808.1 (bug #1043305) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00837.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230808 CVE-2022-41803 
@@ -62478,7 +62478,7 @@ CVE-2022-41314 (Uncontrolled search path in some Intel(R) Network Adapter instal CVE-2022-40982 RESERVED - linux 6.4.4-3 - - intel-microcode (bug #1043305) + - intel-microcode 3.20230808.1 (bug #1043305) NOTE: https://www.openwall.com/lists/oss-security/2023/08/08/5 NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/234f28cdc697b207d89179e733a6947aeb971e55
[Git][security-tracker-team/security-tracker][master] Triage CVE-2023-30590/nodejs for buster.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 62859eb0 by Guilhem Moulin at 2023-08-08T23:00:29+02:00 Triage CVE-2023-30590/nodejs for buster. This alone doesn't warrant a DLA: “These design issues in this old API have been around for many years, and we are not currently aware of any misuse in the ecosystem that falls into the above scenario. Changing the behavior of the API would be a significant breaking change and is thus not appropriate for a security release (nor is it a goal.) The reported issue is treated as CWE-1068 (after a vast amount of uncertainty whether to treat it as a vulnerability at all), therefore, this change only updates the documentation to match the actual behavior. Tests are also added that demonstrate this particular oddity.” — https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -13185,7 +13185,9 @@ CVE-2023-30591 CVE-2023-30590 RESERVED - nodejs (bug #1039990) + [buster] - nodejs (minor issue - Inconsistency Between Implementation and Documented Design) NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590 + NOTE: Fixed by: https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 (v16.x) CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not strictly ...) - nodejs (bug #1039990) [buster] - nodejs (llhttp dependency/embedding introduced in 12.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62859eb0ab1618d0f9d8362202df6cd1bb826138
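Review bot: The added NOTE labels the upstream commit "Fixed by:", but the commit message quotes upstream saying that change "only updates the documentation to match the actual behavior" and adds tests. Consider wording the NOTE so that it is clear the referenced commit is documentation-only, so nobody later reads it as a code fix to backport. The [buster] reason also starts in lowercase ("minor issue - ..."), where the neighbouring triage lines in data/CVE/list use "Minor issue".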
[Git][security-tracker-team/security-tracker][master] orthanc DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dbdf715c by Moritz Mühlenhoff at 2023-08-08T22:46:18+02:00 orthanc DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[08 Aug 2023] DSA-5473-1 orthanc - security update + {CVE-2023-33466} + [bullseye] - orthanc 1.9.2+really1.9.1+dfsg-1+deb11u1 + [bookworm] - orthanc 1.10.1+dfsg-2+deb12u1 [08 Aug 2023] DSA-5472-1 cjose - security update {CVE-2023-37464} [bullseye] - cjose 0.6.1+dfsg1-1+deb11u1 = data/dsa-needed.txt = @@ -42,9 +42,6 @@ openjdk-11/oldstable (jmm) -- openjdk-17/oldstable (jmm) -- -orthanc (jmm) - needs ca-certificates-java fix for bookworm --- php-cas/oldstable -- php-horde-mime-viewer/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbdf715c060bb7aa7b2e40ff4d6a1f4b14304677
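Review bot: The dsa-needed.txt hunk removes the blocker note "needs ca-certificates-java fix for bookworm" while the DSA/list hunk publishes a bookworm version (1.10.1+dfsg-2+deb12u1), and nothing in the patch records how the blocker was resolved. A short mention in the commit message of what unblocked the bookworm build would make the history self-explanatory.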
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e11cb08 by Salvatore Bonaccorso at 2023-08-08T22:31:11+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2023-4219 (A vulnerability was found in SourceCodester Doctors Appointment System ...) - TODO: check + NOT-FOR-US: SourceCodester Doctors Appointment System CVE-2023-4203 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affect ...) - TODO: check + NOT-FOR-US: Advantech CVE-2023-4202 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affect ...) - TODO: check + NOT-FOR-US: Advantech CVE-2023-4009 (In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 i ...) TODO: check CVE-2023-40042 (TOTOLINK T10_v2 5.9c.5061_B20200511 has a stack-based buffer overflow ...) 
@@ -11,23 +11,23 @@ CVE-2023-40042 (TOTOLINK T10_v2 5.9c.5061_B20200511 has a stack-based buffer ove CVE-2023-40041 (TOTOLINK T10_v2 5.9c.5061_B20200511 has a stack-based buffer overflow ...) NOT-FOR-US: TOTOLINK CVE-2023-3898 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: mAyaNet E-Commerce Software CVE-2023-3894 (Those using jackson-dataformats-text to parse TOML data may be vulnera ...) TODO: check CVE-2023-3717 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) TODO: check CVE-2023-3716 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: Oduyo Online Collection Software CVE-2023-3653 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: Digital Ant E-Commerce Software CVE-2023-3652 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: Digital Ant E-Commerce Software CVE-2023-3651 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: Digital Ant E-Commerce Software CVE-2023-3522 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: a2 License Portal System CVE-2023-3386 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: a2 Camera Trap Tracking System CVE-2023-39549 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) TODO: check CVE-2023-39533 (go-libp2p is the Go implementation of the libp2p Networking Stack. Pri ...) 
@@ -43,11 +43,11 @@ CVE-2023-39342 (Dangerzone is software for converting potentially dangerous PDFs CVE-2023-39269 (A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800N ...) TODO: check CVE-2023-39218 (Client-side enforcement of server-side security in Zoom clients before ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-39217 (Improper input validation in Zoom SDK\u2019s before 5.14.10 may allow ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-39216 (Improper input validation in Zoom Desktop Client for Windows before 5. ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-39188 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) TODO: check CVE-2023-39187 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) @@ -65,37 +65,37 @@ CVE-2023-39182 (A vulnerability has been identified in Solid Edge SE2023 (All ve CVE-2023-39181 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) TODO: check CVE-2023-39086 (ASUS RT-AC66U B1 3.0.0.4.286_51665 was discovered to transmit sensitiv ...) - TODO: check + NOT-FOR-US: ASUS CVE-2023-38815 REJECTED CVE-2023-38814 REJECTED CVE-2023-38773 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2023-38771 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2023-38770 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2023-38769 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2023-38768 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2023-38767 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2023-38766 (Cross Site Scripting (XSS) vulnerabi
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-21264/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bd5111b0 by Salvatore Bonaccorso at 2023-08-08T22:26:03+02:00 Add CVE-2023-21264/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51140,6 +51140,11 @@ CVE-2023-21265 RESERVED CVE-2023-21264 RESERVED + - linux 6.3.7-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://source.android.com/docs/security/bulletin/2023-08-01 + NOTE: https://git.kernel.org/linus/09cce60bddd6461a93a5bf434265a47827d1bc6f CVE-2023-21263 RESERVED CVE-2023-21262 (In startInput of AudioPolicyInterfaceImpl.cpp, there is a possible way ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd5111b08d1cca8a254df99f276f4b36c456
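Review bot: The added block annotates bullseye and buster as "Vulnerable code not present" but has no [bookworm] line, so bookworm falls under the unstable entry "linux 6.3.7-1" and is tracked as still affected. If that is intended, no change is needed; otherwise add the bookworm annotation. The only kernel reference is the fix commit 09cce60bddd6461a93a5bf434265a47827d1bc6f, so a NOTE naming the commit that introduced the affected code would also back up the "not present" triage for the two older suites.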
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e9545e5 by Salvatore Bonaccorso at 2023-08-08T22:16:31+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,9 +7,9 @@ CVE-2023-4202 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are a CVE-2023-4009 (In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 i ...) TODO: check CVE-2023-40042 (TOTOLINK T10_v2 5.9c.5061_B20200511 has a stack-based buffer overflow ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-40041 (TOTOLINK T10_v2 5.9c.5061_B20200511 has a stack-based buffer overflow ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-3898 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) TODO: check CVE-2023-3894 (Those using jackson-dataformats-text to parse TOML data may be vulnera ...) @@ -323,7 +323,7 @@ CVE-2023-35368 (Microsoft Exchange Remote Code Execution Vulnerability) CVE-2023-35359 (Windows Kernel Elevation of Privilege Vulnerability) TODO: check CVE-2023-32503 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in GTmetrix ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-32292 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in GetB ...) TODO: check CVE-2023-2423 (A vulnerability was discovered in the Rockwell Automation Armor PowerF ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e9545e5286aebb2dd85355f6c86a35fe3dfb77b
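Review bot: In the second hunk, "NOT-FOR-US: WordPress plugin" for CVE-2023-32503 does not name the product, while the NOT-FOR-US lines in the first hunk name the vendor (TOTOLINK). The description on the CVE line mentions GTmetrix; including the plugin name in the NOT-FOR-US text would keep the entry greppable and make it possible to notice later if that software is ever packaged.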
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 200a1cd6 by security tracker role at 2023-08-08T20:12:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,333 @@ +CVE-2023-4219 (A vulnerability was found in SourceCodester Doctors Appointment System ...) + TODO: check +CVE-2023-4203 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affect ...) + TODO: check +CVE-2023-4202 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affect ...) + TODO: check +CVE-2023-4009 (In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 i ...) + TODO: check +CVE-2023-40042 (TOTOLINK T10_v2 5.9c.5061_B20200511 has a stack-based buffer overflow ...) + TODO: check +CVE-2023-40041 (TOTOLINK T10_v2 5.9c.5061_B20200511 has a stack-based buffer overflow ...) + TODO: check +CVE-2023-3898 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-3894 (Those using jackson-dataformats-text to parse TOML data may be vulnera ...) + TODO: check +CVE-2023-3717 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-3716 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-3653 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-3652 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-3651 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-3522 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-3386 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-39549 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) + TODO: check +CVE-2023-39533 (go-libp2p is the Go implementation of the libp2p Networking Stack. Pri ...) + TODO: check +CVE-2023-39532 (SES is a JavaScript environment that allows safe execution of arbitrar ...) 
+ TODO: check +CVE-2023-39518 (social-media-skeleton is an uncompleted social media project implement ...) + TODO: check +CVE-2023-39419 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) + TODO: check +CVE-2023-39342 (Dangerzone is software for converting potentially dangerous PDFs, offi ...) + TODO: check +CVE-2023-39269 (A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800N ...) + TODO: check +CVE-2023-39218 (Client-side enforcement of server-side security in Zoom clients before ...) + TODO: check +CVE-2023-39217 (Improper input validation in Zoom SDK\u2019s before 5.14.10 may allow ...) + TODO: check +CVE-2023-39216 (Improper input validation in Zoom Desktop Client for Windows before 5. ...) + TODO: check +CVE-2023-39188 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) + TODO: check +CVE-2023-39187 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) + TODO: check +CVE-2023-39186 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) + TODO: check +CVE-2023-39185 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) + TODO: check +CVE-2023-39184 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) + TODO: check +CVE-2023-39183 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) + TODO: check +CVE-2023-39182 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) + TODO: check +CVE-2023-39181 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) + TODO: check +CVE-2023-39086 (ASUS RT-AC66U B1 3.0.0.4.286_51665 was discovered to transmit sensitiv ...) + TODO: check +CVE-2023-38815 + REJECTED +CVE-2023-38814 + REJECTED +CVE-2023-38773 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) + TODO: check +CVE-2023-38771 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) 
+ TODO: check +CVE-2023-38770 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) + TODO: check +CVE-2023-38769 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) + TODO: check +CVE-2023-38768 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) + TODO: check +CVE-2023-38767 (SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attac ...) + TODO: check +CVE-2023-38766 (Cross Site Scripti
[Git][security-tracker-team/security-tracker][master] Fix copy paste error for amd64-microcode version for bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c3cdab62 by Salvatore Bonaccorso at 2023-08-08T21:40:03+02:00 Fix copy paste error for amd64-microcode version for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54101,7 +54101,7 @@ CVE-2023-20569 RESERVED - amd64-microcode 3.20230719.1 [bookworm] - amd64-microcode 3.20230719.1~deb12u1 - [bullseye] - amd64-microcode 3.20230719.1~deb12u1 + [bullseye] - amd64-microcode 3.20230719.1~deb11u1 [buster] - amd64-microcode 3.20230719.1~deb10u1 - linux 6.4.4-3 NOTE: SRSO microcode for Milan (Zen3 EPYC): View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3cdab6289f25a21ca42ffa707752273886cbf89
[Git][security-tracker-team/security-tracker][master] Track fixes via unstable for two linux issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 35b7fe72 by Salvatore Bonaccorso at 2023-08-08T21:38:52+02:00 Track fixes via unstable for two linux issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54103,7 +54103,7 @@ CVE-2023-20569 [bookworm] - amd64-microcode 3.20230719.1~deb12u1 [bullseye] - amd64-microcode 3.20230719.1~deb12u1 [buster] - amd64-microcode 3.20230719.1~deb10u1 - - linux + - linux 6.4.4-3 NOTE: SRSO microcode for Milan (Zen3 EPYC): NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/amd-ucode?id=b250b32ab1d044953af2dc5e790819a7703b7ee6 NOTE: 3.20230719.1 ships the first batch of fixes, only for 3nd gen EPYC CPUs, @@ -62142,7 +62142,7 @@ CVE-2022-41314 (Uncontrolled search path in some Intel(R) Network Adapter instal NOT-FOR-US: Intel CVE-2022-40982 RESERVED - - linux + - linux 6.4.4-3 - intel-microcode (bug #1043305) NOTE: https://www.openwall.com/lists/oss-security/2023/08/08/5 NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35b7fe72706eaf148dd21844ffa180fa5771455a
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for intel-microcode CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bc4a47b9 by Salvatore Bonaccorso at 2023-08-08T21:32:25+02:00 Add Debian bug reference for intel-microcode CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31205,7 +31205,7 @@ CVE-2023-24543 RESERVED CVE-2023-23908 RESERVED - - intel-microcode + - intel-microcode (bug #1043305) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00836.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230808 CVE-2023-23580 (Stack-based buffer overflow for some Intel(R) Trace Analyzer and Colle ...) @@ -61395,7 +61395,7 @@ CVE-2022-41815 RESERVED CVE-2022-41804 RESERVED - - intel-microcode + - intel-microcode (bug #1043305) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00837.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230808 CVE-2022-41803 
@@ -62143,7 +62143,7 @@ CVE-2022-41314 (Uncontrolled search path in some Intel(R) Network Adapter instal CVE-2022-40982 RESERVED - linux - - intel-microcode + - intel-microcode (bug #1043305) NOTE: https://www.openwall.com/lists/oss-security/2023/08/08/5 NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc4a47b947595c97241d1bd709aa95c6268018d6
[Git][security-tracker-team/security-tracker][master] dla: add rar and unrar-nonfree
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: c1c67975 by Sylvain Beucler at 2023-08-08T21:31:23+02:00 dla: add rar and unrar-nonfree - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -150,6 +150,11 @@ rails NOTE: 20221024: to break thrice in less than 2 month. NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) -- +rar + NOTE: 20230808: Added by Front-Desk (Beuc) + NOTE: 20230808: CVE-2022-30333 was tagged "Non-free not supported" but we have sponsors for this package in buster, + NOTE: 20230808: so it should be fixed. Fixed by 6.12, not sure there's a fix in the 5.x series. (Beuc/front-desk) +-- ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package @@ -200,6 +205,9 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +unrar-nonfree + NOTE: 20230808: Added by Front-Desk (Beuc) +-- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1c67975e96811c5fb381773626530d55487cf80
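Review bot: The unrar-nonfree entry added in the second hunk carries only "Added by Front-Desk (Beuc)" and names no CVE or reason, unlike the rar entry in the first hunk, which records CVE-2022-30333 and the sponsorship rationale. Add a NOTE stating which issue the entry is for, so whoever claims the package does not have to infer it from the rar entry. The rar note also leaves open whether a fix exists for the 5.x series; record the answer in a follow-up NOTE once it is known.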
[Git][security-tracker-team/security-tracker][master] cjose DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c9183602 by Moritz Mühlenhoff at 2023-08-08T21:10:55+02:00 cjose DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[08 Aug 2023] DSA-5472-1 cjose - security update + {CVE-2023-37464} + [bullseye] - cjose 0.6.1+dfsg1-1+deb11u1 + [bookworm] - cjose 0.6.2.1-1+deb12u1 [07 Aug 2023] DSA-5471-1 libhtmlcleaner-java - security update {CVE-2023-34624} [bullseye] - libhtmlcleaner-java 2.24-1+deb11u1 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- aom/oldstable -- -cjose (jmm) --- cinder/oldstable -- frr (aron) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9183602563c35a890f893baa89352d59f6730f5
[Git][security-tracker-team/security-tracker][master] Add information on intel-microcode CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 40852827 by Salvatore Bonaccorso at 2023-08-08T21:05:54+02:00 Add information on intel-microcode CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31205,6 +31205,9 @@ CVE-2023-24543 RESERVED CVE-2023-23908 RESERVED + - intel-microcode + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00836.html + NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230808 CVE-2023-23580 (Stack-based buffer overflow for some Intel(R) Trace Analyzer and Colle ...) NOT-FOR-US: Intel CVE-2023-23577 @@ -61392,6 +61395,9 @@ CVE-2022-41815 RESERVED CVE-2022-41804 RESERVED + - intel-microcode + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00837.html + NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230808 CVE-2022-41803 RESERVED CVE-2022-41801 (Uncontrolled resource consumption in the Intel(R) Connect M Android ap ...) 
@@ -62140,6 +62146,8 @@ CVE-2022-40982 - intel-microcode NOTE: https://www.openwall.com/lists/oss-security/2023/08/08/5 NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html + NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230808 CVE-2022-40971 (Incorrect default permissions for the Intel(R) HDMI Firmware Update To ...) NOT-FOR-US: Intel CVE-2022-40970 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/408528276f40d8af4452fe7589d02fbdf8dfae2d
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-34319/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 622a2e08 by Salvatore Bonaccorso at 2023-08-08T20:50:25+02:00 Add CVE-2023-34319/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-34319 [xen/netback: Fix buffer overrun triggered by unusual packet] + - linux + NOTE: https://git.kernel.org/linus/534fc31d09b706a16d83533e16b5dc855caf7576 + NOTE: https://xenbits.xen.org/xsa/advisory-432.html CVE-2023-3573 (In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0 ...) NOT-FOR-US: PHOENIX CVE-2023-3572 (In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/622a2e0869f60f664dec57225376fc4e89b48535
[Git][security-tracker-team/security-tracker][master] 2 commits: Old llhttp parser issues: Add links to PoCs.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 49de627d by Guilhem Moulin at 2023-08-08T20:27:45+02:00 Old llhttp parser issues: Add links to PoCs. These issues are about llhttp, which nodejs embeds since 12.x, but llhttp is merely a “port of http_parser to llparse”. Older nodejs embeds http_parser instead, which appears to be vulnerable to (at least some of) the same PoCs. Need to evaluate further and file new CVEs against http_parser/nodejs<12. - - - - - b84a2d74 by Guilhem Moulin at 2023-08-08T20:27:46+02:00 CVE-2023-30589/nodejs: Mark as not-affected for buster. For consistency with CVE-2021-22959, CVE-2021-22960, CVE-2022-3221[345], CVE-2022-35256. The reporter's PoC is reproducible with buster's nodejs, but that one embeds http_parser not llhttp so a separate CVE ID will be needed for it. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12854,6 +12854,7 @@ CVE-2023-30590 NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590 CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not strictly ...) - nodejs (bug #1039990) + [buster] - nodejs (llhttp dependency/embedding introduced in 12.x) - llhttp (bug #977716) NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589 NOTE: https://hackerone.com/reports/2001873 
@@ -79015,6 +79016,7 @@ CVE-2022-35256 (The llhttp parser in the http module in Node v18.7.0 does not co [buster] - nodejs (llhttp dependency/embedding introduced in 12.x) - llhttp (bug #977716) NOTE: https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256 + NOTE: https://hackerone.com/reports/1888760 NOTE: https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44 (main) NOTE: https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 (v14.20.1) CVE-2022-35255 (A weak randomness in WebCrypto keygen vulnerability exists in Node.js ...) @@ -87362,6 +87364,7 @@ CVE-2022-32215 (The llhttp parser (llhttp dependency/embedding introduced in 12.x) - llhttp (bug #977716) NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-incorrect-parsing-of-multi-line-transfer-encoding-medium-cve-2022-32215 + NOTE: https://hackerone.com/reports/1630667 NOTE: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x) NOTE: https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a (main) NOTE: https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-multi-line-transfer-encoding-medium-improper-fix-for-cve-2022-32215 
@@ -87371,6 +87374,7 @@ CVE-2022-32214 (The llhttp parser (llhttp dependency/embedding introduced in 12.x) - llhttp (bug #977716) NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-improper-delimiting-of-header-fields-medium-cve-2022-32214 + NOTE: https://hackerone.com/reports/1630669 NOTE: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x) NOTE: https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a (main) CVE-2022-32213 (The llhttp parser (llhttp dependency/embedding introduced in 12.x) - llhttp (bug #977716) NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-flawed-parsing-of-transfer-encoding-medium-cve-2022-32213 + NOTE: https://hackerone.com/reports/1630668 NOTE: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x) + NOTE: https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 (v14.x) NOTE: https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a (main) NOTE: https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#cve-2022-32213-bypass-via-obs-fold-mechanic-medium-cve-2022-32213 CVE-2022-32212 (A OS Command Injection vulnerability exists in Node.js versions <14.20 ...) @@ -183322,6 +183328,8 @@ CVE-2021-22960 (The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk - nodejs 12.22.7~dfsg-1 [buster] - nodejs (llhttp dependency/embedding introduced in 12.x) [stretch] - nodejs (Nodejs in stretch not covered by security support) + NOTE: https://hackerone.com/rep
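Review bot: The [buster] line added under CVE-2023-30589 in the first hunk records only "llhttp dependency/embedding introduced in 12.x", while the commit message says the reporter's PoC is reproducible with buster's nodejs through the embedded http_parser. Put that in the data file as well, for example a NOTE under the entry saying that http_parser in buster reproduces the PoC and that a separate CVE ID is pending, so the open follow-up is visible to anyone reading the tracker entry and not only the commit log.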
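Review bot: In the CVE-2022-32213 hunk the added link to commit a9f1146b8827855e342834458a71f2367346ace0 is labelled (v14.x), but the same commit appears as context under CVE-2022-35256 labelled (v14.20.1). Use one label for both, and since da0fda0fe81d372e24c0cb11aec37534985708dd is already listed as (v14.x) directly above, the release number (v14.20.1) is the one that keeps the two v14 lines distinguishable.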
[Git][security-tracker-team/security-tracker][master] Add clarifying note about microcode update and Zen3 vs. Zen4 inclusions
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2669d89 by Salvatore Bonaccorso at 2023-08-08T19:53:15+02:00 Add clarifying note about microcode update and Zen3 vs. Zen4 inclusions - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54098,6 +54098,8 @@ CVE-2023-20569 - linux NOTE: SRSO microcode for Milan (Zen3 EPYC): NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/amd-ucode?id=b250b32ab1d044953af2dc5e790819a7703b7ee6 + NOTE: 3.20230719.1 ships the first batch of fixes, only for 3nd gen EPYC CPUs, + NOTE: further update for 4th gen EPYC CPUs to follow in later releases NOTE: https://comsec.ethz.ch/research/microarch/inception/ NOTE: https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf NOTE: https://github.com/comsec-group/inception View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2669d89e8908adc6fc95dc664edcc86e8693842
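Review bot: Typo in the first added NOTE: "3nd gen EPYC" should read "3rd gen EPYC". The entry also names the same parts two ways, "Milan (Zen3 EPYC)" in the context line above and "3nd gen" / "4th gen EPYC" in the new lines; using the Zen3 / Zen4 names from the commit subject in the NOTE text would make the entry consistent and easier to grep.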
[Git][security-tracker-team/security-tracker][master] 2 commits: Add reference for CVE-2023-20569
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f01e493e by Salvatore Bonaccorso at 2023-08-08T19:23:35+02:00 Add reference for CVE-2023-20569 - - - - - 41f0a901 by Salvatore Bonaccorso at 2023-08-08T19:24:43+02:00 Add references for CVE-2022-40982 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54101,6 +54101,7 @@ CVE-2023-20569 NOTE: https://comsec.ethz.ch/research/microarch/inception/ NOTE: https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf NOTE: https://github.com/comsec-group/inception + NOTE: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-7005 CVE-2023-20568 RESERVED CVE-2023-20567 @@ -62130,6 +62131,8 @@ CVE-2022-40982 RESERVED - linux - intel-microcode + NOTE: https://www.openwall.com/lists/oss-security/2023/08/08/5 + NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html CVE-2022-40971 (Incorrect default permissions for the Intel(R) HDMI Firmware Update To ...) NOT-FOR-US: Intel CVE-2022-40970 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fda70de4f8e693b1051aed09d9768b6faa39fd12...41f0a901f616755d0f0a25d70fe85e78a06c1ef5
[Git][security-tracker-team/security-tracker][master] CVE-2023-3896/vim: patches, affected versions, buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: fda70de4 by Sylvain Beucler at 2023-08-08T19:13:07+02:00 CVE-2023-3896/vim: patches, affected versions, buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -80,8 +80,12 @@ CVE-2023-4155 NOTE: https://git.kernel.org/linus/7588dbcebcbf0193ab5b76987396d0254270b04a CVE-2023-3896 (Divide By Zero in vim/vim from9.0.1367-1 to9.0.1367-3) - vim + [buster] - vim (Vulnerable code introduced later) NOTE: https://github.com/vim/vim/issues/12528 NOTE: https://github.com/vim/vim/pull/12540 + NOTE: Introduced by: https://github.com/vim/vim/commit/361895d2a15b4b04c009261eab5b3d69ebf1 (v9.0.0908) + NOTE: https://github.com/vim/vim/commit/8154e642aa476e1a5d3de66c34e8289845b2b797 (v9.0.1664) + NOTE: https://github.com/vim/vim/commit/e42989374144a63d986b878618aeac328e35ac3b (v9.0.1667) CVE-2023-3671 (The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15 ...) NOT-FOR-US: WordPress plugin CVE-2023-3650 (The Bubble Menu WordPress plugin before 3.0.5 does not sanitize and es ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fda70de4f8e693b1051aed09d9768b6faa39fd12
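Review bot: The commit id in the added "Introduced by:" NOTE, 361895d2a15b4b04c009261eab5b3d69ebf1, is 36 hex characters, while the two commit links added below it use full 40-character ids; check that it was not cut short when pasted and use the full id. The two later links (v9.0.1664 and v9.0.1667) also carry no "Fixed by:" prefix, so a reader has to guess their role; label them the way the introducing commit is labelled.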
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-40982 for "Gather Data Sampling (GDS)"
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d5e7892 by Salvatore Bonaccorso at 2023-08-08T19:07:36+02:00 Add CVE-2022-40982 for "Gather Data Sampling (GDS)" - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -62124,6 +62124,8 @@ CVE-2022-41314 (Uncontrolled search path in some Intel(R) Network Adapter instal NOT-FOR-US: Intel CVE-2022-40982 RESERVED + - linux + - intel-microcode CVE-2022-40971 (Incorrect default permissions for the Intel(R) HDMI Firmware Update To ...) NOT-FOR-US: Intel CVE-2022-40970 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d5e7892977186572e6a93c057f52c169edb2bed
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-20569 for "Speculative Return Stack Overflow (SRSO)"
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e51275f4 by Salvatore Bonaccorso at 2023-08-08T19:05:41+02:00 Add CVE-2023-20569 for "Speculative Return Stack Overflow (SRSO)" - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54087,6 +54087,16 @@ CVE-2023-20570 RESERVED CVE-2023-20569 RESERVED + - amd64-microcode 3.20230719.1 + [bookworm] - amd64-microcode 3.20230719.1~deb12u1 + [bullseye] - amd64-microcode 3.20230719.1~deb12u1 + [buster] - amd64-microcode 3.20230719.1~deb10u1 + - linux + NOTE: SRSO microcode for Milan (Zen3 EPYC): + NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/amd-ucode?id=b250b32ab1d044953af2dc5e790819a7703b7ee6 + NOTE: https://comsec.ethz.ch/research/microarch/inception/ + NOTE: https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf + NOTE: https://github.com/comsec-group/inception CVE-2023-20568 RESERVED CVE-2023-20567 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e51275f4b6544dba9ff14e08b82c4e4e0dbc8be6
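Review bot: The added [bullseye] line gives amd64-microcode 3.20230719.1~deb12u1, the same version string as the [bookworm] line above it, while the [buster] line uses ~deb10u1. A bullseye entry carrying a bookworm suffix makes the tracker compare installed bullseye packages against a version that was never uploaded there; the suffix should be ~deb11u1, which is what commit c3cdab62 at 21:40 changes it to.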
[Git][security-tracker-team/security-tracker][master] dla: add ruby-rmagick
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e40a706 by Sylvain Beucler at 2023-08-08T18:27:30+02:00 dla: add ruby-rmagick - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -165,6 +165,9 @@ ruby-rails-html-sanitizer NOTE: 20221231: Added by Front-Desk (ola) NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) -- +ruby-rmagick (rouca) + NOTE: 20230808: Added by Front-Desk on rouca's (imagemagick package maintainer) request (Beuc) +-- salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e40a706598d9b5c5c9aa543d14af008c55ab32c
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-39978/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d49df14a by Salvatore Bonaccorso at 2023-08-08T17:33:47+02:00 Add CVE-2023-39978/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,8 @@ CVE-2023-3569 (In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions pri CVE-2023-3526 (In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to ...) NOT-FOR-US: PHOENIX CVE-2023-39978 (ImageMagick before 6.9.12-91 allows attackers to cause a denial of ser ...) - TODO: check + - imagemagick + NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/c90e79b3b22fec309cab55af2ee606f71b027b12 (6.9.12-91) CVE-2023-39977 REJECTED CVE-2023-39976 (log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d49df14ab1986b9f934799e5284b0027eae38249
[Git][security-tracker-team/security-tracker][master] Update already the status for CVE-2023-39977
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e3f341b by Salvatore Bonaccorso at 2023-08-08T17:27:40+02:00 Update already the status for CVE-2023-39977 Verified it is rejected and will be marked as such in next update. It was a duplicate of CVE-2023-3268. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12,8 +12,8 @@ CVE-2023-3526 (In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions pri NOT-FOR-US: PHOENIX CVE-2023-39978 (ImageMagick before 6.9.12-91 allows attackers to cause a denial of ser ...) TODO: check -CVE-2023-39977 (An issue was discovered in the Linux kernel before 6.3.2. There is an ...) - TODO: check +CVE-2023-39977 + REJECTED CVE-2023-39976 (log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long ...) TODO: check CVE-2023-39530 (PrestaShop is an open source e-commerce web application. Prior to vers ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e3f341b66805ef99647b878d4b4bc42f5db2d5a
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 962ea749 by Salvatore Bonaccorso at 2023-08-08T17:26:23+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,15 +1,15 @@ CVE-2023-3573 (In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0 ...) - TODO: check + NOT-FOR-US: PHOENIX CVE-2023-3572 (In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0 ...) - TODO: check + NOT-FOR-US: PHOENIX CVE-2023-3571 (In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0 ...) - TODO: check + NOT-FOR-US: PHOENIX CVE-2023-3570 (In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0 ...) - TODO: check + NOT-FOR-US: PHOENIX CVE-2023-3569 (In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to ...) - TODO: check + NOT-FOR-US: PHOENIX CVE-2023-3526 (In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to ...) - TODO: check + NOT-FOR-US: PHOENIX CVE-2023-39978 (ImageMagick before 6.9.12-91 allows attackers to cause a denial of ser ...) TODO: check CVE-2023-39977 (An issue was discovered in the Linux kernel before 6.3.2. There is an ...) 
@@ -17,17 +17,17 @@ CVE-2023-39977 (An issue was discovered in the Linux kernel before 6.3.2. There CVE-2023-39976 (log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long ...) TODO: check CVE-2023-39530 (PrestaShop is an open source e-commerce web application. Prior to vers ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2023-39529 (PrestaShop is an open source e-commerce web application. Prior to vers ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2023-39528 (PrestaShop is an open source e-commerce web application. Prior to vers ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2023-39527 (PrestaShop is an open source e-commerce web application. Versions prio ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2023-39526 (PrestaShop is an open source e-commerce web application. Versions prio ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2023-39525 (PrestaShop is an open source e-commerce web application. Prior to vers ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2023-39523 (ScanCode.io is a server to script and automate software composition an ...) TODO: check CVE-2023-39440 (In SAP BusinessObjects Business Intelligence - version 420, If a user ...) 
@@ -39,7 +39,7 @@ CVE-2023-39437 (SAP business One allows - version 10.0, allows an attacker to in CVE-2023-39436 (SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605 ...) NOT-FOR-US: SAP CVE-2023-37569 (This vulnerability exists in ESDS Emagic Data Center Management Suit d ...) - TODO: check + NOT-FOR-US: ESDS Emagic Data Center Management Suit CVE-2023-37492 (SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP ...) NOT-FOR-US: SAP CVE-2023-37491 (The ACL (AccessControlList) of SAP Message Server - versions KERNEL 7. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/962ea749c48d5c7a49e28947d8c2f82cf17e6d84
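Review bot: The six entries in the first hunk are tagged "NOT-FOR-US: PHOENIX", which drops half of the vendor name that every one of their descriptions gives as "PHOENIX CONTACT"; tagging them "NOT-FOR-US: PHOENIX CONTACT" keeps the tag searchable by the vendor's actual name. In the last hunk the tag "ESDS Emagic Data Center Management Suit" takes its spelling from the truncated CVE description; confirm the product name against the full description before it is used as the tag.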
[Git][security-tracker-team/security-tracker][master] Retake imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a4f2540 by Bastien Roucariès at 2023-08-08T14:43:47+00:00 Retake imagemagick - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,7 +72,7 @@ hdf5 (Markus Koschany) NOTE: 20230520: additionally couldn't convince the build system to build for buster, something with the autogenerated .install files, NOTE: 20230520: so giving up on the package. (tobi) -- -imagemagick +imagemagick (rouca) NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a4f2540b723ac87847fd33f734854fd6785860b
[Git][security-tracker-team/security-tracker][master] CVE-2023-30589/nodejs: Add links to report and upstream fix.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 04187550 by Guilhem Moulin at 2023-08-08T14:49:55+02:00 CVE-2023-30589/nodejs: Add links to report and upstream fix. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12851,6 +12851,9 @@ CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not st - nodejs (bug #1039990) - llhttp (bug #977716) NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589 + NOTE: https://hackerone.com/reports/2001873 + NOTE: https://github.com/advisories/GHSA-cggh-pq45-6h9x + NOTE: Fixed by: https://github.com/nodejs/node/commit/e42ff4b0180f4e0f5712364dd6ea015559640152 (v16.x) CVE-2023-30588 RESERVED - nodejs (bug #1039990) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/041875501e6b47c78a8b16a7a25dc92a989fa1e7
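Review bot: the added "Fixed by:" NOTE for CVE-2023-30589 references only the v16.x commit, while the entry's description names Node v20.2.0 and the entry also tracks llhttp (bug #977716). Consider adding the fix commits for the other release lines and for llhttp itself, each tagged with its branch the way this line is tagged "(v16.x)", so the fixed-version check for each source package does not rest on a single backport reference.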
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3521-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c787fee by Emilio Pozuelo Monfort at 2023-08-08T12:11:49+02:00 Reserve DLA-3521-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Aug 2023] DLA-3521-1 thunderbird - security update + {CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056} + [buster] - thunderbird 1:102.14.0-1~deb10u1 [07 Aug 2023] DLA-3520-1 libhtmlcleaner-java - security update {CVE-2023-34624} [buster] - libhtmlcleaner-java 2.21-5+deb10u1 = data/dla-needed.txt = @@ -197,10 +197,6 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Emilio) - NOTE: 20230804: Added by Front-Desk (gladk) - NOTE: 20230807: Maintainer updated buster directly, coordinating announcement (Beuc/front-desk) --- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c787feee127b4320899314f2e470c64146c12c2
[Git][security-tracker-team/security-tracker][master] lts: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: b0fc32ad by Emilio Pozuelo Monfort at 2023-08-08T12:08:21+02:00 lts: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -197,7 +197,7 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Sylvain Beucler) +thunderbird (Emilio) NOTE: 20230804: Added by Front-Desk (gladk) NOTE: 20230807: Maintainer updated buster directly, coordinating announcement (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0fc32ad8b81603f62d281b91815524f109afa55
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ec80d5f3 by Salvatore Bonaccorso at 2023-08-08T10:44:35+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -31,37 +31,37 @@ CVE-2023-39525 (PrestaShop is an open source e-commerce web application. Prior t CVE-2023-39523 (ScanCode.io is a server to script and automate software composition an ...) TODO: check CVE-2023-39440 (In SAP BusinessObjects Business Intelligence - version 420, If a user ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-39439 (SAP Commerce Cloud may accept an empty passphrase for user ID and pass ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-39437 (SAP business One allows - version 10.0, allows an attacker to insert m ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-39436 (SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605 ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-37569 (This vulnerability exists in ESDS Emagic Data Center Management Suit d ...) TODO: check CVE-2023-37492 (SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-37491 (The ACL (AccessControlList) of SAP Message Server - versions KERNEL 7. ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-37490 (SAP Business Objects Installer - versions 420, 430, allows an authenti ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-37488 (In SAP NetWeaverProcess Integration - versions SAP_XIESR 7.50, SAP_XIT ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-37487 (SAP Business One (Service Layer) - version 10.0, allows an authenticat ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-37486 (Under certain conditionsSAP Commerce(OCC API) - versions HY_COM 2105, ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-37484 (SAP PowerDesigner - version 16.7, queries all password hashes in the b ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-37483 (SAP PowerDesigner - version 16.7, has improper access control which mi ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-36926 (Due to missing authentication check in SAP Host Agent - version 7.22, ...) 
- TODO: check + NOT-FOR-US: SAP CVE-2023-36923 (SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-33993 (B1i module of SAP Business One - version 10.0, application allows an a ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-4205 (An out-of-bounds memory access flaw was found in the Linux kernel\u201 ...) - linux NOTE: https://www.spinics.net/lists/kernel/msg4876594.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec80d5f3e7aa231d6bf0c0bef281b48ddbf03b2e
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dca61ea5 by security tracker role at 2023-08-08T08:12:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,67 @@ +CVE-2023-3573 (In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0 ...) + TODO: check +CVE-2023-3572 (In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0 ...) + TODO: check +CVE-2023-3571 (In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0 ...) + TODO: check +CVE-2023-3570 (In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0 ...) + TODO: check +CVE-2023-3569 (In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to ...) + TODO: check +CVE-2023-3526 (In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to ...) + TODO: check +CVE-2023-39978 (ImageMagick before 6.9.12-91 allows attackers to cause a denial of ser ...) + TODO: check +CVE-2023-39977 (An issue was discovered in the Linux kernel before 6.3.2. There is an ...) + TODO: check +CVE-2023-39976 (log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long ...) + TODO: check +CVE-2023-39530 (PrestaShop is an open source e-commerce web application. Prior to vers ...) + TODO: check +CVE-2023-39529 (PrestaShop is an open source e-commerce web application. Prior to vers ...) + TODO: check +CVE-2023-39528 (PrestaShop is an open source e-commerce web application. Prior to vers ...) + TODO: check +CVE-2023-39527 (PrestaShop is an open source e-commerce web application. Versions prio ...) + TODO: check +CVE-2023-39526 (PrestaShop is an open source e-commerce web application. Versions prio ...) + TODO: check +CVE-2023-39525 (PrestaShop is an open source e-commerce web application. Prior to vers ...) + TODO: check +CVE-2023-39523 (ScanCode.io is a server to script and automate software composition an ...) + TODO: check +CVE-2023-39440 (In SAP BusinessObjects Business Intelligence - version 420, If a user ...) + TODO: check +CVE-2023-39439 (SAP Commerce Cloud may accept an empty passphrase for user ID and pass ...) 
+ TODO: check +CVE-2023-39437 (SAP business One allows - version 10.0, allows an attacker to insert m ...) + TODO: check +CVE-2023-39436 (SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605 ...) + TODO: check +CVE-2023-37569 (This vulnerability exists in ESDS Emagic Data Center Management Suit d ...) + TODO: check +CVE-2023-37492 (SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP ...) + TODO: check +CVE-2023-37491 (The ACL (AccessControlList) of SAP Message Server - versions KERNEL 7. ...) + TODO: check +CVE-2023-37490 (SAP Business Objects Installer - versions 420, 430, allows an authenti ...) + TODO: check +CVE-2023-37488 (In SAP NetWeaverProcess Integration - versions SAP_XIESR 7.50, SAP_XIT ...) + TODO: check +CVE-2023-37487 (SAP Business One (Service Layer) - version 10.0, allows an authenticat ...) + TODO: check +CVE-2023-37486 (Under certain conditionsSAP Commerce(OCC API) - versions HY_COM 2105, ...) + TODO: check +CVE-2023-37484 (SAP PowerDesigner - version 16.7, queries all password hashes in the b ...) + TODO: check +CVE-2023-37483 (SAP PowerDesigner - version 16.7, has improper access control which mi ...) + TODO: check +CVE-2023-36926 (Due to missing authentication check in SAP Host Agent - version 7.22, ...) + TODO: check +CVE-2023-36923 (SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 ...) + TODO: check +CVE-2023-33993 (B1i module of SAP Business One - version 10.0, application allows an a ...) + TODO: check CVE-2023-4205 (An out-of-bounds memory access flaw was found in the Linux kernel\u201 ...) - linux NOTE: https://www.spinics.net/lists/kernel/msg4876594.html 
@@ -9,7 +73,7 @@ CVE-2023-4200 (A vulnerability has been found in SourceCodester Inventory Manage CVE-2023-4199 (A vulnerability, which was classified as critical, was found in Source ...) NOT-FOR-US: SourceCodester Inventory Management System CVE-2023-4155 -- linux + - linux [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/7588dbcebcbf0193ab5b76987396d0254270b04a @@ -2522,7 +2586,7 @@ CVE-2023-2579 (The InventoryPress WordPress plugin through 1.7 does not sanitise NOT-FOR-US: WordPress plugin CVE-2023-2330 (The Caldera Forms Google Sheets Connector WordPress plugin through 1.2 ...) NOT-FOR-US: WordPress plugin -CVE-2023-2329 (The WooCommerce Google Sheet Connector
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4155/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5c2ef60 by Salvatore Bonaccorso at 2023-08-08T09:24:46+02:00 Add CVE-2023-4155/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,6 +8,11 @@ CVE-2023-4200 (A vulnerability has been found in SourceCodester Inventory Manage NOT-FOR-US: SourceCodester Inventory Management System CVE-2023-4199 (A vulnerability, which was classified as critical, was found in Source ...) NOT-FOR-US: SourceCodester Inventory Management System +CVE-2023-4155 +- linux + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/7588dbcebcbf0193ab5b76987396d0254270b04a CVE-2023-3896 (Divide By Zero in vim/vim from9.0.1367-1 to9.0.1367-3) - vim NOTE: https://github.com/vim/vim/issues/12528 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5c2ef6037fcb7ca784d31ec624be66dce69d908
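Review bot: in the added CVE-2023-4155 entry, the package line is added as "+- linux" with no leading indentation, unlike the "[bullseye]" and "[buster]" lines directly below it. Indent it like the other package lines in data/CVE/list so the entry is attributed to the linux source package consistently with its per-release annotations.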