from:"Moritz Mühlenhoff"

Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-28318[0]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain a
| out of boundary write vulnerability via swf_get_string at
| scene_manager/swf_parse.c:325

https://github.com/gpac/gpac/issues/2764
https://github.com/gpac/gpac/commit/ae831621a08a64e3325ce532f8b78811a1581716

CVE-2024-28319[1]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary read vulnerability via gf_dash_setup_period
| media_tools/dash_client.c:6374

https://github.com/gpac/gpac/issues/2763
https://github.com/gpac/gpac/commit/cb3c29809bddfa32686e3deb231a76af67b68e1e

CVE-2023-46426[2]:
| Heap-based Buffer Overflow vulnerability in gpac version 2.3-DEV-
| rev588-g7edc40fee-master, allows remote attackers to execute
| arbitrary code and cause a denial of service (DoS) via gf_fwrite
| component in at utils/os_file.c.

https://github.com/gpac/gpac/issues/2642
https://github.com/gpac/gpac/commit/14ec709a1ffae23ad777c37320290caa0a754341

CVE-2023-46427[3]:
| An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-
| master, allows remote attackers to execute arbitrary code, cause a
| denial of service (DoS), and obtain sensitive information via null
| pointer deference in gf_dash_setup_period component in
| media_tools/dash_client.c.

https://github.com/gpac/gpac/issues/2641
https://github.com/gpac/gpac/commit/ed8424300fc4a1f5231ecd1d47f502ddd3621d1a

CVE-2024-24265[4]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| dst_props variable in the gf_filter_pid_merge_properties_internal
| function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_1.md

CVE-2024-24266[5]:
| gpac v2.2.1 was discovered to contain a Use-After-Free (UAF)
| vulnerability via the dasher_configure_pid function at
| /src/filters/dasher.c.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_2.md

CVE-2024-24267[6]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| gfio_blob variable in the gf_fileio_from_blob function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_3.md

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28318
https://www.cve.org/CVERecord?id=CVE-2024-28318
[1] https://security-tracker.debian.org/tracker/CVE-2024-28319
https://www.cve.org/CVERecord?id=CVE-2024-28319
[2] https://security-tracker.debian.org/tracker/CVE-2023-46426
https://www.cve.org/CVERecord?id=CVE-2023-46426
[3] https://security-tracker.debian.org/tracker/CVE-2023-46427
https://www.cve.org/CVERecord?id=CVE-2023-46427
[4] https://security-tracker.debian.org/tracker/CVE-2024-24265
https://www.cve.org/CVERecord?id=CVE-2024-24265
[5] https://security-tracker.debian.org/tracker/CVE-2024-24266
https://www.cve.org/CVERecord?id=CVE-2024-24266
[6] https://security-tracker.debian.org/tracker/CVE-2024-24267
https://www.cve.org/CVERecord?id=CVE-2024-24267

Please adjust the affected versions in the BTS as needed.

Bug#1068457: azure-uamqp-python: CVE-2024-29195

Source: azure-uamqp-python
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for azure-uamqp-python.

CVE-2024-29195[0]:
| The azure-c-shared-utility is a C library for AMQP/MQTT
| communication to Azure Cloud Services. This library may be used by
| the Azure IoT C SDK for communication between IoT Hub and IoT Hub
| devices. An attacker can cause an integer wraparound or under-
| allocation or heap buffer overflow due to vulnerabilities in
| parameter checking mechanism, by exploiting the buffer length
| parameter in Azure C SDK, which may lead to remote code execution.
| Requirements for RCE are 1. Compromised Azure account allowing
| malformed payloads to be sent to the device via IoT Hub service, 2.
| By passing IoT hub service max message payload limit of 128KB, and
| 3. Ability to overwrite code space with remote code. Fixed in commit
| https://github.com/Azure/azure-c-shared-
| utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2.

https://github.com/Azure/azure-c-shared-utility/security/advisories/GHSA-m8wp-hc7w-x4xg
https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29195
https://www.cve.org/CVERecord?id=CVE-2024-29195

Please adjust the affected versions in the BTS as needed.

Bug#1068453: request-tracker5: CVE-2024-3262

Source: request-tracker5
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for request-tracker5.

CVE-2024-3262[0]:
| Information exposure vulnerability in RT software affecting version
| 4.4.1. This vulnerability allows an attacker with local access to
| the device to retrieve sensitive information about the application,
| such as vulnerability tickets, because the application stores the
| information in the browser cache, leading to information exposure
| despite session termination.

https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3262
https://www.cve.org/CVERecord?id=CVE-2024-3262

Please adjust the affected versions in the BTS as needed.

Bug#1068452: request-tracker4: CVE-2024-3262

Source: request-tracker4
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for request-tracker4.

CVE-2024-3262[0]:
| Information exposure vulnerability in RT software affecting version
| 4.4.1. This vulnerability allows an attacker with local access to
| the device to retrieve sensitive information about the application,
| such as vulnerability tickets, because the application stores the
| information in the browser cache, leading to information exposure
| despite session termination.

https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3262
https://www.cve.org/CVERecord?id=CVE-2024-3262

Please adjust the affected versions in the BTS as needed.

Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709

2024-04-04 Thread Moritz Mühlenhoff

Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2024-27316[0]:
https://www.kb.cert.org/vuls/id/421644
https://www.openwall.com/lists/oss-security/2024/04/04/4

CVE-2024-24795[1]:
https://www.openwall.com/lists/oss-security/2024/04/04/5

CVE-2023-38709[2]:
https://www.openwall.com/lists/oss-security/2024/04/04/3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27316
https://www.cve.org/CVERecord?id=CVE-2024-27316
[1] https://security-tracker.debian.org/tracker/CVE-2024-24795
https://www.cve.org/CVERecord?id=CVE-2024-24795
[2] https://security-tracker.debian.org/tracker/CVE-2023-38709
https://www.cve.org/CVERecord?id=CVE-2023-38709

Please adjust the affected versions in the BTS as needed.

Bug#1068347: nodejs: CVE-2024-27983 CVE-2024-27982

2024-04-03 Thread Moritz Mühlenhoff

Source: nodejs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nodejs.

CVE-2024-27983[0]:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/

CVE-2024-27982[1]:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27983
https://www.cve.org/CVERecord?id=CVE-2024-27983
[1] https://security-tracker.debian.org/tracker/CVE-2024-27982
https://www.cve.org/CVERecord?id=CVE-2024-27982

Please adjust the affected versions in the BTS as needed.

Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security

2024-03-31 Thread Moritz Mühlenhoff

Hi Adrian,

> attached are proposed debdiffs for updating gtkwave to 3.3.118 in
> {bookworm,bullseye,buster}-security for review for a DSA
> (and as preview for buster).

Thanks!

> General notes:
> 
> I checked a handful CVEs, and they were also present in buster.
> If anyone insists that I check for every single CVE whether it is also
> in buster I can do that, but that would be a lot of work.

Nah, no need.

> As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> Looking closer I realized that this is actually one tarball that 
> supports GTK 1+2, and one tarball that supports GTK 2+3.
> I did stay at the GTK 1+2 tarball that was already used before 
> for bullseye and buster since there was anyway a different upstream 
> tarball required for the +really version that is required to avoid 
> creating file conflicts with ghwdump when upgrading to bookworm.
> 
> What does the security team consider the best versioning for bullseye?
> In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> preferring 3.3.104+really3.3.118-0+deb11u1

That's fine.

> debdiffs contain only changes to debian/

The bookworm/bullseye debdiffs looks good, please upload to security-master, 
thanks!

Note that both need -sa, but dak needs some special attention when
uploading to security-master. You'll need to wait for the ACCEPTED mail
before you can upload the next one.

Cheers,
Moritz

Bug#1064967: fontforge: CVE-2024-25081 CVE-2024-25082

2024-02-28 Thread Moritz Mühlenhoff

Source: fontforge
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for fontforge.

CVE-2024-25081[0]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted filenames.

CVE-2024-25082[1]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted archives or compressed files.

Fixed by:
https://github.com/fontforge/fontforge/pull/5367
https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25081
https://www.cve.org/CVERecord?id=CVE-2024-25081
[1] https://security-tracker.debian.org/tracker/CVE-2024-25082
https://www.cve.org/CVERecord?id=CVE-2024-25082

Please adjust the affected versions in the BTS as needed.

Bug#1064516: ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146

2024-02-23 Thread Moritz Mühlenhoff

Source: ruby-rack
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rack.

CVE-2024-26141[0]:
Reject Range headers which are too large
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b 
(v2.2.8.1)

CVE-2024-25126[1]:
Fixed ReDoS in Content Type header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1

CVE-2024-26146[2]:
Fixed ReDoS in Accept header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd 
(v2.2.8.1)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26141
https://www.cve.org/CVERecord?id=CVE-2024-26141
[1] https://security-tracker.debian.org/tracker/CVE-2024-25126
https://www.cve.org/CVERecord?id=CVE-2024-25126
[2] https://security-tracker.debian.org/tracker/CVE-2024-26146
https://www.cve.org/CVERecord?id=CVE-2024-26146

Please adjust the affected versions in the BTS as needed.

Bug#1064514: pymatgen: CVE-2024-23346

2024-02-23 Thread Moritz Mühlenhoff

Source: pymatgen
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pymatgen.

CVE-2024-23346[0]:
| Pymatgen (Python Materials Genomics) is an open-source Python
| library for materials analysis. A critical security vulnerability
| exists in the
| `JonesFaithfulTransformation.from_transformation_str()` method
| within the `pymatgen` library prior to version 2024.2.20. This
| method insecurely utilizes `eval()` for processing input, enabling
| execution of arbitrary code when parsing untrusted input. Version
| 2024.2.20 fixes this issue.

https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23346
https://www.cve.org/CVERecord?id=CVE-2024-23346

Please adjust the affected versions in the BTS as needed.

Bug#1064062: iwd: CVE-2023-52161

Source: iwd
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for iwd.

CVE-2023-52161[0]:
https://www.top10vpn.com/research/wifi-vulnerabilities/

While this mentions a patch for wpasupplication, it's not obvious
if this was reported/fixed in iwd.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52161
https://www.cve.org/CVERecord?id=CVE-2023-52161

Please adjust the affected versions in the BTS as needed.

Bug#1064061: wpa: CVE-2023-52160

Source: wpa
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for wpa.

CVE-2023-52160[0]:
https://www.top10vpn.com/research/wifi-vulnerabilities/
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baff


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52160
https://www.cve.org/CVERecord?id=CVE-2023-52160

Please adjust the affected versions in the BTS as needed.

Bug#1064055: nodejs: CVE-2023-46809 CVE-2024-22019 CVE-2024-21892

Source: nodejs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-46809[0]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#nodejs-is-vulnerable-to-the-marvin-attack-timing-variant-of-the-bleichenbacher-attack-against-pkcs1-v15-padding-cve-2023-46809---medium

CVE-2024-22019[1]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high

CVE-2024-21892[2]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#code-injection-and-privilege-escalation-through-linux-capabilities-cve-2024-21892---high

There are some other issues, but they only affect the version in expeirimental.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46809
https://www.cve.org/CVERecord?id=CVE-2023-46809
[1] https://security-tracker.debian.org/tracker/CVE-2024-22019
https://www.cve.org/CVERecord?id=CVE-2024-22019
[2] https://security-tracker.debian.org/tracker/CVE-2024-21892
https://www.cve.org/CVERecord?id=CVE-2024-21892

Please adjust the affected versions in the BTS as needed.

Bug#1064051: azure-uamqp-python: CVE-2024-25110

Source: azure-uamqp-python
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for azure-uamqp-python.

CVE-2024-25110[0]:
| The UAMQP is a general purpose C library for AMQP 1.0. During a call
| to open_get_offered_capabilities, a memory allocation may fail
| causing a use-after-free issue and if a client called it during
| connection communication it may cause a remote code execution. Users
| are advised to update the submodule with commit `30865c9c`. There
| are no known workarounds for this vulnerability.

azure-uamqp-python appears bundle azure-uamqp-c, so presumably it's
also affected?

https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695
https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25110
https://www.cve.org/CVERecord?id=CVE-2024-25110

Please adjust the affected versions in the BTS as needed.

Bug#1060409: gpac: CVE-2024-0321 CVE-2024-0322

2024-01-10 Thread Moritz Mühlenhoff

Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-0321[0]:
| Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.3-DEV.

https://huntr.com/bounties/4c027b94-8e9c-4c31-a169-893b25047769/
https://github.com/gpac/gpac/commit/d0ced41651b279bb054eb6390751e2d4eb84819a

CVE-2024-0322[1]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

https://huntr.com/bounties/87611fc9-ed7c-43e9-8e52-d83cd270bbec/
https://github.com/gpac/gpac/commit/092904b80edbc4dce315684a59cc3184c45c1b70


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0321
https://www.cve.org/CVERecord?id=CVE-2024-0321
[1] https://security-tracker.debian.org/tracker/CVE-2024-0322
https://www.cve.org/CVERecord?id=CVE-2024-0322

Please adjust the affected versions in the BTS as needed.

Bug#877016: Time to drop cpufrequtils?

2024-01-05 Thread Moritz Mühlenhoff

Am Fri, Jan 05, 2024 at 12:08:54PM +0100 schrieb Chris Hofstaedtler:
> On Sun, Sep 03, 2023 at 08:26:00PM +0200, Moritz Mühlenhoff wrote:
> > severity 877016 serious
> > thanks
> > 
> > Am Thu, Sep 28, 2017 at 06:51:30AM -0700 schrieb Mattia Dongili:
> > > On Wed, Sep 27, 2017 at 03:16:52PM -0400, Phil Susi wrote:
> > > > Package: cpufrequtils
> > > > Version: 008-1
> > > ...
> > > > is the case, should cpufrequtils not be removed now?
> > > 
> > > Yes, indeed it should. Thanks for nagging.
> > 
> > Bumping the severity to RC to move forward with this for trixie.
> > 
> 
> $ dak rm -nR cpufrequtils
> Will remove the following packages from unstable:
> 
> cpufrequtils |  008-2 | source, amd64, arm64, armel, armhf, i386, 
> mips64el, s390x
> libcpufreq-dev |  008-2 | amd64, arm64, armel, armhf, i386, mips64el, 
> ppc64el, s390x
> libcpufreq-dev |   008-2+b1 | riscv64
> libcpufreq0 |  008-2 | amd64, arm64, armel, armhf, i386, mips64el, 
> ppc64el, s390x
> libcpufreq0 |   008-2+b1 | riscv64
> 
> Maintainer: Seunghun Han 
> 
> --- Reason ---
> 
> --
> 
> Checking reverse dependencies...
> No dependency problem found.
> 
> Seems like it's good to go?

Given the original bug to suggest it's removal is from 2017, I think it's safe 
to
say that anyone had a chance to object to it's removal :-)

Cheers,
Moritz

Bug#1059307: ring: CVE-2023-38703

Source: ring
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pjsig, which is
bundled in ring:

CVE-2023-38703[0]:
| PJSIP is a free and open source multimedia communication library
| written in C with high level API in C, C++, Java, C#, and Python
| languages. SRTP is a higher level media transport which is stacked
| upon a lower level media transport such as UDP and ICE. Currently a
| higher level transport is not synchronized with its lower level
| transport that may introduce use-after-free issue. This
| vulnerability affects applications that have SRTP capability
| (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other
| than UDP. This vulnerability’s impact may range from unexpected
| application termination to control flow hijack/memory corruption.
| The patch is available as a commit in the master branch.

https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d
 (2.14)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38703
https://www.cve.org/CVERecord?id=CVE-2023-38703

Please adjust the affected versions in the BTS as needed.

Bug#1059303: asterisk: CVE-2023-37457 CVE-2023-38703

Source: asterisk
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for asterisk.

CVE-2023-37457[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior,
| and 21.0.0; as well as ceritifed-asterisk 18.9-cert5 and prior, the
| 'update' functionality of the PJSIP_HEADER dialplan function can
| exceed the available buffer space for storing the new value of a
| header. By doing so this can overwrite memory or cause a crash. This
| is not externally exploitable, unless dialplan is explicitly written
| to update a header based on data from an outside source. If the
| 'update' functionality is not used the vulnerability does not occur.
| A patch is available at commit
| a1ca0268254374b515fa5992f01340f7717113fa.

https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh
https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa

CVE-2023-38703[1]:
| PJSIP is a free and open source multimedia communication library
| written in C with high level API in C, C++, Java, C#, and Python
| languages. SRTP is a higher level media transport which is stacked
| upon a lower level media transport such as UDP and ICE. Currently a
| higher level transport is not synchronized with its lower level
| transport that may introduce use-after-free issue. This
| vulnerability affects applications that have SRTP capability
| (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other
| than UDP. This vulnerability’s impact may range from unexpected
| application termination to control flow hijack/memory corruption.
| The patch is available as a commit in the master branch.

https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d
 (2.14)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37457
https://www.cve.org/CVERecord?id=CVE-2023-37457
[1] https://security-tracker.debian.org/tracker/CVE-2023-38703
https://www.cve.org/CVERecord?id=CVE-2023-38703

Please adjust the affected versions in the BTS as needed.

Bug#1059300: ruby-sidekiq: CVE-2023-26141

Source: ruby-sidekiq
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ruby-sidekiq.

CVE-2023-26141[0]:
| Versions of the package sidekiq before 7.1.3 are vulnerable to
| Denial of Service (DoS) due to insufficient checks in the dashboard-
| charts.js file. An attacker can exploit this vulnerability by
| manipulating the localStorage value which will cause excessive
| polling requests.

https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107
https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89
 (v7.1.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26141
https://www.cve.org/CVERecord?id=CVE-2023-26141

Please adjust the affected versions in the BTS as needed.

Bug#1059293: lrzip: CVE-2023-39741

Source: lrzip
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for lrzip.

CVE-2023-39741[0]:
| lrzip v0.651 was discovered to contain a heap overflow via the
| libzpaq::PostProcessor::write(int) function at /libzpaq/libzpaq.cpp.
| This vulnerability allows attackers to cause a Denial of Service
| (DoS) via a crafted file.

https://github.com/ckolivas/lrzip/issues/246


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39741
https://www.cve.org/CVERecord?id=CVE-2023-39741

Please adjust the affected versions in the BTS as needed.

Bug#1059265: w3m: CVE-2023-4255

Source: w3m
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for w3m.

CVE-2023-4255[0]:
| An out-of-bounds write issue has been discovered in the backspace
| handling of the checkType() function in etc.c within the W3M
| application. This vulnerability is triggered by supplying a
| specially crafted HTML file to the w3m binary. Exploitation of this
| flaw could lead to application crashes, resulting in a denial of
| service condition.

https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3
https://github.com/tats/w3m/issues/268
https://github.com/tats/w3m/pull/273

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4255
https://www.cve.org/CVERecord?id=CVE-2023-4255

Please adjust the affected versions in the BTS as needed.

Bug#1059261: clickhouse: CVE-2023-48298 CVE-2023-47118 CVE-2022-44011 CVE-2022-44010

Source: clickhouse
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for clickhouse.

CVE-2023-48298[0]:
| ClickHouse® is an open-source column-oriented database management
| system that allows generating analytical data reports in real-time.
| This vulnerability is an integer underflow resulting in crash due to
| stack buffer overflow in decompression of FPC codec. It can be
| triggered and exploited by an unauthenticated attacker. The
| vulnerability is very similar to CVE-2023-47118 with how the
| vulnerable function can be exploited.

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938
https://github.com/ClickHouse/ClickHouse/pull/56795

CVE-2023-47118[1]:
| ClickHouse® is an open-source column-oriented database management
| system that allows generating analytical data reports in real-time.
| A heap buffer overflow issue was discovered in ClickHouse server. An
| attacker could send a specially crafted payload to the native
| interface exposed by default on port 9000/tcp, triggering a bug in
| the decompression logic of T64 codec that crashes the ClickHouse
| server process. This attack does not require authentication. Note
| that this exploit can also be triggered via HTTP protocol, however,
| the attacker will need a valid credential as the HTTP authentication
| take places first. This issue has been fixed in version
| 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts and
| 23.3.16.7-lts.

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v

CVE-2022-44011[2]:
| An issue was discovered in ClickHouse before 22.9.1.2603. An
| authenticated user (with the ability to load data) could cause a
| heap buffer overflow and crash the server by inserting a malformed
| CapnProto object. The fixed versions are 22.9.1.2603, 22.8.2.11,
| 22.7.4.16, 22.6.6.16, and 22.3.12.19.

https://github.com/ClickHouse/ClickHouse/pull/40241

CVE-2022-44010[3]:
| An issue was discovered in ClickHouse before 22.9.1.2603. An
| attacker could send a crafted HTTP request to the HTTP Endpoint
| (usually listening on port 8123 by default), causing a heap-based
| buffer overflow that crashes the process. This does not require
| authentication. The fixed versions are 22.9.1.2603, 22.8.2.11,
| 22.7.4.16, 22.6.6.16, and 22.3.12.19.

https://github.com/ClickHouse/ClickHouse/pull/40292

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48298
https://www.cve.org/CVERecord?id=CVE-2023-48298
[1] https://security-tracker.debian.org/tracker/CVE-2023-47118
https://www.cve.org/CVERecord?id=CVE-2023-47118
[2] https://security-tracker.debian.org/tracker/CVE-2022-44011
https://www.cve.org/CVERecord?id=CVE-2022-44011
[3] https://security-tracker.debian.org/tracker/CVE-2022-44010
https://www.cve.org/CVERecord?id=CVE-2022-44010

Please adjust the affected versions in the BTS as needed.

Bug#1059259: lwip: CVE-2023-49287

Source: lwip
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for lwip.

CVE-2023-49287[0]:
| TinyDir is a lightweight C directory and file reader. Buffer
| overflows in the `tinydir_file_open()` function. This vulnerability
| has been patched in version 1.2.6.

https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt

falcosecurity-libs embeds a copy of tinydir, if it's not used to
open files from potentially untrusted paths, feel free to downgrade.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49287
https://www.cve.org/CVERecord?id=CVE-2023-49287

Please adjust the affected versions in the BTS as needed.

Bug#1059257: gemmi: CVE-2023-49287

Source: gemmi
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for gemmi.

CVE-2023-49287[0]:
| TinyDir is a lightweight C directory and file reader. Buffer
| overflows in the `tinydir_file_open()` function. This vulnerability
| has been patched in version 1.2.6.

https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt

gemmi embeds a copy of tinydir, if it's not used to
open files from potentially untrusted paths, feel free to downgrade.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49287
https://www.cve.org/CVERecord?id=CVE-2023-49287

Please adjust the affected versions in the BTS as needed.

Bug#1059256: falcosecurity-libs: CVE-2023-49287

Source: falcosecurity-libs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for falcosecurity-libs.

CVE-2023-49287[0]:
| TinyDir is a lightweight C directory and file reader. Buffer
| overflows in the `tinydir_file_open()` function. This vulnerability
| has been patched in version 1.2.6.

https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt

falcosecurity-libs embeds a copy of tinydir, if it's not used to
open files from potentially untrusted paths, feel free to downgrade.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49287
https://www.cve.org/CVERecord?id=CVE-2023-49287

Please adjust the affected versions in the BTS as needed.

Bug#1059254: cacti: CVE-2023-49084 CVE-2023-49086

Source: cacti
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for cacti.

CVE-2023-49084[0]:
| Cacti is a robust performance and fault management framework and a
| frontend to RRDTool - a Time Series Database (TSDB). While using the
| detected SQL Injection and insufficient processing of the include
| file path, it is possible to execute arbitrary code on the server.
| Exploitation of the vulnerability is possible for an authorized
| user. The vulnerable component is the `link.php`. Impact of the
| vulnerability execution of arbitrary code on the server.

https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc

CVE-2023-49086[1]:
| Cacti is a robust performance and fault management framework and a
| frontend to RRDTool - a Time Series Database (TSDB). Bypassing an
| earlier fix (CVE-2023-39360) that leads to a DOM XSS attack.
| Exploitation of the vulnerability is possible for an authorized
| user. The vulnerable component is the `graphs_new.php`. Impact of
| the vulnerability - execution of arbitrary javascript code in the
| attacked user's browser. This issue has been patched in version
| 1.2.26.

https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr

I think 
https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
should address both, but please doublecheck.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49084
https://www.cve.org/CVERecord?id=CVE-2023-49084
[1] https://security-tracker.debian.org/tracker/CVE-2023-49086
https://www.cve.org/CVERecord?id=CVE-2023-49086

Please adjust the affected versions in the BTS as needed.

Bug#1059056: gpac: CVE-2023-48958 CVE-2023-46871 CVE-2023-46932 CVE-2023-47465 CVE-2023-48039 CVE-2023-48090

2023-12-19 Thread Moritz Mühlenhoff

Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-48958[0]:
| gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in
| gf_mpd_resolve_url media_tools/mpd.c:4589.

https://github.com/gpac/gpac/issues/2689
Fixed by: 
https://github.com/gpac/gpac/commit/249c9fc18704e6d3cb6a4b173034a41aa570e7e4

CVE-2023-46871[1]:
| GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a
| memory leak in NewSFDouble scenegraph/vrml_tools.c:300. This
| vulnerability may lead to a denial of service.

https://github.com/gpac/gpac/issues/2658
Fixed by: 
https://github.com/gpac/gpac/commit/03760e34d32e502a0078b20d15ea83ecaf453a5c

CVE-2023-46932[2]:
| Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-
| rev617-g671976fcc-master, allows attackers to execute arbitrary code
| and cause a denial of service (DoS) via str2ulong class in
| src/media_tools/avilib.c in gpac/MP4Box.

https://github.com/gpac/gpac/issues/2669
https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b

CVE-2023-47465[3]:
| An issue in GPAC v.2.2.1 and before allows a local attacker to cause
| a denial of service (DoS) via the ctts_box_read function of file
| src/isomedia/box_code_base.c.

https://github.com/gpac/gpac/issues/2652
https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49
https://github.com/gpac/gpac/commit/613dbc5702b09063b101cfc3d6ad74b45ad87521

CVE-2023-48039[4]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak
| in gf_mpd_parse_string media_tools/mpd.c:75.

https://github.com/gpac/gpac/issues/2679

CVE-2023-48090[5]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks
| in extract_attributes media_tools/m3u8.c:329.

https://github.com/gpac/gpac/issues/2680

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48958
https://www.cve.org/CVERecord?id=CVE-2023-48958
[1] https://security-tracker.debian.org/tracker/CVE-2023-46871
https://www.cve.org/CVERecord?id=CVE-2023-46871
[2] https://security-tracker.debian.org/tracker/CVE-2023-46932
https://www.cve.org/CVERecord?id=CVE-2023-46932
[3] https://security-tracker.debian.org/tracker/CVE-2023-47465
https://www.cve.org/CVERecord?id=CVE-2023-47465
[4] https://security-tracker.debian.org/tracker/CVE-2023-48039
https://www.cve.org/CVERecord?id=CVE-2023-48039
[5] https://security-tracker.debian.org/tracker/CVE-2023-48090
https://www.cve.org/CVERecord?id=CVE-2023-48090

Please adjust the affected versions in the BTS as needed.

Bug#1059054: nss: CVE-2023-6135

2023-12-19 Thread Moritz Mühlenhoff

Source: nss
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for nss.

CVE-2023-6135[0]:
| Multiple NSS NIST curves were susceptible to a side-channel attack
| known as "Minerva". This attack could potentially allow an attacker
| to recover the private key. This vulnerability affects Firefox <
| 121.

The bug linked from
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6135
is restricted, do you happen to have a commit reference for NSS itself?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-6135
https://www.cve.org/CVERecord?id=CVE-2023-6135

Please adjust the affected versions in the BTS as needed.

Bug#1056282: gpac: CVE-2023-47384 CVE-2023-4785 CVE-2023-48011 CVE-2023-48013 CVE-2023-48014 CVE-2023-5998 CVE-2023-46001

2023-11-19 Thread Moritz Mühlenhoff

Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-47384[0]:
| MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to
| contain a memory leak in the function gf_isom_add_chapter at
| /isomedia/isom_write.c. This vulnerability allows attackers to cause
| a Denial of Service (DoS) via a crafted MP4 file.

https://github.com/gpac/gpac/issues/2672

CVE-2023-4785[1]:
| Lack of error handling in the TCP server in Google's gRPC starting
| version 1.23 on posix-compatible platforms (ex. Linux) allows an
| attacker to cause a denial of service by initiating a significant
| number of connections with the server. Note that gRPC C++ Python,
| and Ruby are affected, but gRPC Java, and Go are NOT affected.

https://github.com/grpc/grpc/pull/33656
https://github.com/grpc/grpc/pull/33667
https://github.com/grpc/grpc/pull/33669
https://github.com/grpc/grpc/pull/33670
https://github.com/grpc/grpc/pull/33672

CVE-2023-48011[2]:
| GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a
| heap-use-after-free via the flush_ref_samples function at
| /gpac/src/isomedia/movie_fragments.c.

https://github.com/gpac/gpac/issues/2611
https://github.com/gpac/gpac/commit/c70f49dda4946d6db6aa55588f6a756b76bd84ea

CVE-2023-48013[3]:
| GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a
| double free via the gf_filterpacket_del function at
| /gpac/src/filter_core/filter.c.

https://github.com/gpac/gpac/issues/2612
https://github.com/gpac/gpac/commit/cd8a95c1efb8f5bfc950b86c2ef77b4c76f6b893

CVE-2023-48014[4]:
| GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a
| stack overflow via the hevc_parse_vps_extension function at
| /media_tools/av_parsers.c.

https://github.com/gpac/gpac/issues/2613
https://github.com/gpac/gpac/commit/66abf0887c89c29a484d9e65e70882794e9e3a1b

CVE-2023-5998[5]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to
| 2.3.0-DEV.

https://huntr.com/bounties/ea02a231-b688-422b-a881-ef415bcf6113
https://github.com/gpac/gpac/commit/db74835944548fc3bdf03121b0e012373bdebb3e

CVE-2023-46001[6]:
| Buffer Overflow vulnerability in gpac MP4Box v.2.3-DEV-
| rev573-g201320819-master allows a local attacker to cause a denial
| of service via the gpac/src/isomedia/isom_read.c:2807:51 function in
| gf_isom_get_user_data.

https://github.com/gpac/gpac/issues/2629
https://github.com/gpac/gpac/commit/e79b0cf7e72404750630bc01340e999f3940dbc4

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-47384
https://www.cve.org/CVERecord?id=CVE-2023-47384
[1] https://security-tracker.debian.org/tracker/CVE-2023-4785
https://www.cve.org/CVERecord?id=CVE-2023-4785
[2] https://security-tracker.debian.org/tracker/CVE-2023-48011
https://www.cve.org/CVERecord?id=CVE-2023-48011
[3] https://security-tracker.debian.org/tracker/CVE-2023-48013
https://www.cve.org/CVERecord?id=CVE-2023-48013
[4] https://security-tracker.debian.org/tracker/CVE-2023-48014
https://www.cve.org/CVERecord?id=CVE-2023-48014
[5] https://security-tracker.debian.org/tracker/CVE-2023-5998
https://www.cve.org/CVERecord?id=CVE-2023-5998
[6] https://security-tracker.debian.org/tracker/CVE-2023-46001
https://www.cve.org/CVERecord?id=CVE-2023-46001

Please adjust the affected versions in the BTS as needed.

Bug#1056281: snort: CVE-2023-20246 CVE-2023-20031

2023-11-19 Thread Moritz Mühlenhoff

Source: snort
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for snort.

CVE-2023-20246[0]:
| Multiple Cisco products are affected by a vulnerability in Snort
| access control policies that could allow an unauthenticated, remote
| attacker to bypass the configured policies on an affected system.
| This vulnerability is due to a logic error that occurs when the
| access control policies are being populated. An attacker could
| exploit this vulnerability by establishing a connection to an
| affected device. A successful exploit could allow the attacker to
| bypass configured access control rules on the affected system.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort3acp-bypass-3bdR2BEh

CVE-2023-20031[1]:
| A vulnerability in the SSL/TLS certificate handling of Snort 3
| Detection Engine integration with Cisco Firepower Threat Defense
| (FTD) Software could allow an unauthenticated, remote attacker to
| cause the Snort 3 detection engine to restart. This vulnerability is
| due to a logic error that occurs when an SSL/TLS certificate that is
| under load is accessed when it is initiating an SSL connection.
| Under specific, time-based constraints, an attacker could exploit
| this vulnerability by sending a high rate of SSL/TLS connection
| requests to be inspected by the Snort 3 detection engine on an
| affected device. A successful exploit could allow the attacker to
| cause the Snort 3 detection engine to reload, resulting in either a
| bypass or a denial of service (DoS) condition, depending on device
| configuration. The Snort detection engine will restart
| automatically. No manual intervention is required.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort3-8U4HHxH8

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-20246
https://www.cve.org/CVERecord?id=CVE-2023-20246
[1] https://security-tracker.debian.org/tracker/CVE-2023-20031
https://www.cve.org/CVERecord?id=CVE-2023-20031

Please adjust the affected versions in the BTS as needed.

Bug#1055852: frr: CVE-2023-38407 CVE-2023-41361 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235

2023-11-12 Thread Moritz Mühlenhoff

Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for frr.

CVE-2023-38407[0]:
| bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read
| beyond the end of the stream during labeled unicast parsing.

https://github.com/FRRouting/frr/pull/12951
https://github.com/FRRouting/frr/commit/7404a914b0cafe046703c8381903a80d3def8f8b
 (base_9.0)
https://github.com/FRRouting/frr/pull/12956
https://github.com/FRRouting/frr/commit/ab362eae68edec12c175d9bc488bcc3f8b73d36f
 (frr-8.5)

CVE-2023-41361[1]:
| An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does
| not check for an overly large length of the rcv software version.

https://github.com/FRRouting/frr/pull/14241
Fixed by: 
https://github.com/FRRouting/frr/commit/b4d09af9194d20a7f9f16995a062f5d8e3d32840
Backport for 9.0 branch: https://github.com/FRRouting/frr/pull/14250
Fixed by: 
https://github.com/FRRouting/frr/commit/73ad93a83f18564bb7bff4659872f7ec1a64b05e

CVE-2023-46752[2]:
| An issue was discovered in FRRouting FRR through 9.0.1. It
| mishandles malformed MP_REACH_NLRI data, leading to a crash.

Fixed by: 
https://github.com/FRRouting/frr/commit/b08afc81c60607a4f736f418f2e3eb06087f1a35
 (master)
Fixed by: 
https://github.com/FRRouting/frr/commit/30b5c2a434d25981e16792f6f50162beb517ae4d
 (stable/8.5 branch)

CVE-2023-46753[3]:
| An issue was discovered in FRRouting FRR through 9.0.1. A crash can
| occur for a crafted BGP UPDATE message without mandatory attributes,
| e.g., one with only an unknown transit attribute.

Fixed by: 
https://github.com/FRRouting/frr/commit/d8482bf011cb2b173e85b65b4bf3d5061250cdb9
 (master)
Fixed by: 
https://github.com/FRRouting/frr/commit/21418d64af11553c402f932b0311c812d98ac3e4
 (stable/8.5 branch)

CVE-2023-47234[4]:
| An issue was discovered in FRRouting FRR through 9.0.1. A crash can
| occur when processing a crafted BGP UPDATE message with a
| MP_UNREACH_NLRI attribute and additional NLRI data (that lacks
| mandatory path attributes).

https://github.com/FRRouting/frr/commit/c37119df45bbf4ef713bc10475af2ee06e12f3bf

CVE-2023-47235[5]:
| An issue was discovered in FRRouting FRR through 9.0.1. A crash can
| occur when a malformed BGP UPDATE message with an EOR is processed,
| because the presence of EOR does not lead to a treat-as-withdraw
| outcome.

https://github.com/FRRouting/frr/commit/6814f2e0138a6ea5e1f83bdd9085d9a7700b

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38407
https://www.cve.org/CVERecord?id=CVE-2023-38407
[1] https://security-tracker.debian.org/tracker/CVE-2023-41361
https://www.cve.org/CVERecord?id=CVE-2023-41361
[2] https://security-tracker.debian.org/tracker/CVE-2023-46752
https://www.cve.org/CVERecord?id=CVE-2023-46752
[3] https://security-tracker.debian.org/tracker/CVE-2023-46753
https://www.cve.org/CVERecord?id=CVE-2023-46753
[4] https://security-tracker.debian.org/tracker/CVE-2023-47234
https://www.cve.org/CVERecord?id=CVE-2023-47234
[5] https://security-tracker.debian.org/tracker/CVE-2023-47235
https://www.cve.org/CVERecord?id=CVE-2023-47235

Please adjust the affected versions in the BTS as needed.

Bug#1055179: salt: CVE-2023-34049

2023-11-01 Thread Moritz Mühlenhoff

Source: salt
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for salt.

CVE-2023-34049[0]:
https://saltproject.io/security-announcements/2023-10-27-advisory/index.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34049
https://www.cve.org/CVERecord?id=CVE-2023-34049

Please adjust the affected versions in the BTS as needed.

Bug#1055175: zabbix: CVE-2023-29449 CVE-2023-29450 CVE-2023-29451 CVE-2023-29452 CVE-2023-29453 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458

2023-11-01 Thread Moritz Mühlenhoff

Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for zabbix.

CVE-2023-29449[0]:
| JavaScript preprocessing, webhooks and global scripts can cause
| uncontrolled CPU, memory, and disk I/O utilization.
| Preprocessing/webhook/global script configuration and testing are
| only available to Administrative roles (Admin and Superadmin).
| Administrative privileges should be typically granted to users who
| need to perform tasks that require more control over the system. The
| security risk is limited because not all users have this level of
| access.

https://support.zabbix.com/browse/ZBX-22589
Upstream patch for 5.0.32: https://github.com/zabbix/zabbix/commit/e90b8a3c62
applied in upstream release/5.0 branch: 
https://github.com/zabbix/zabbix/commit/c21cf2fa656b75733e3abc09d8f20690735b3f22
vulnerable module introduced in 
https://github.com/zabbix/zabbix/commit/18d2abfc40 (5.0.0alpha1)

CVE-2023-29450[1]:
| JavaScript pre-processing can be used by the attacker to gain access
| to the file system (read-only access on behalf of user "zabbix") on
| the Zabbix Server or Zabbix Proxy, potentially leading to
| unauthorized access to sensitive data.

https://support.zabbix.com/browse/ZBX-22588
Patch for 5.0.32rc1: https://github.com/zabbix/zabbix/commit/c3f1543e4
Patch for 6.0.14rc2: https://github.com/zabbix/zabbix/commit/76f6a80cb

CVE-2023-29451[2]:
| Specially crafted string can cause a buffer overrun in the JSON
| parser library leading to a crash of the Zabbix Server or a Zabbix
| Proxy.

https://support.zabbix.com/browse/ZBX-22587

CVE-2023-29452[3]:
| Currently, geomap configuration (Administration -> General ->
| Geographical maps) allows using HTML in the field “Attribution text”
| when selected “Other” Tile provider.

https://support.zabbix.com/browse/ZBX-22981
Patches links: https://support.zabbix.com/browse/ZBX-22720
vulnerable geopmap widget introduced in version with 
https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2
 (6.0.0alpha6)

CVE-2023-29453[4]:
| Templates do not properly consider backticks (`) as Javascript
| string delimiters, and do not escape them as expected. Backticks are
| used, since ES6, for JS template literals. If a template contains a
| Go template action within a Javascript template literal, the
| contents of the action can be used to terminate the literal,
| injecting arbitrary Javascript code into the Go template. As ES6
| template literals are rather complex, and themselves can do string
| interpolation, the decision was made to simply disallow Go template
| actions from being used inside of them (e.g., "var a = {{.}}"),
| since there is no obviously safe way to allow this behavior. This
| takes the same approach as github.com/google/safehtml. With fix,
| Template. Parse returns an Error when it encounters templates like
| this, with an ErrorCode of value 12. This ErrorCode is currently
| unexported but will be exported in the release of Go 1.21. Users who
| rely on the previous behavior can re-enable it using the GODEBUG
| flag jstmpllitinterp=1, with the caveat that backticks will now be
| escaped. This should be used with caution.

https://support.zabbix.com/browse/ZBX-23388

CVE-2023-29454[5]:
| Stored or persistent cross-site scripting (XSS) is a type of XSS
| where the attacker first sends the payload to the web application,
| then the application saves the payload (e.g., in a database or
| server-side text files), and finally, the application
| unintentionally executes the payload for every victim visiting its
| web pages.

https://support.zabbix.com/browse/ZBX-22985

CVE-2023-29455[6]:
| Reflected XSS attacks, also known as non-persistent attacks, occur
| when a malicious script is reflected off a web application to the
| victim's browser. The script is activated through a link, which
| sends a request to a website with a vulnerability that enables
| execution of malicious scripts.

https://support.zabbix.com/browse/ZBX-22986

CVE-2023-29456[7]:
| URL validation scheme receives input from a user and then parses it
| to identify its various components. The validation scheme can ensure
| that all URL components comply with internet standards.

https://support.zabbix.com/browse/ZBX-22987

CVE-2023-29457[8]:
| Reflected XSS attacks, occur when a malicious script is reflected
| off a web application to the victim's browser. The script can be
| activated through Action form fields, which can be sent as request
| to a website with a vulnerability that enables execution of
| malicious scripts.

https://support.zabbix.com/browse/ZBX-22988

CVE-2023-29458[9]:
| Duktape is an 3rd-party embeddable JavaScript engine, with a focus
| on portability and compact footprint. When adding too many values in
| valstack JavaScript will crash. This issue occurs due to bug in
| Duktape 2.6 which is an 3rd-party solution that we use.

This appears to be bug in Zabbix's use of

Bug#1054667: node-browserify-sign: CVE-2023-46234

2023-10-27 Thread Moritz Mühlenhoff

Source: node-browserify-sign
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-browserify-sign.

CVE-2023-46234[0]:
| browserify-sign is a package to duplicate the functionality of
| node's crypto public key functions, much of this is based on Fedor
| Indutny's work on indutny/tls.js. An upper bound check issue in
| `dsaVerify` function allows an attacker to construct signatures that
| can be successfully verified by any public key, thus leading to a
| signature forgery attack. All places in this project that involve
| DSA verification of user-input signatures will be affected by this
| vulnerability. This issue has been patched in version 4.2.2.

https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46234
https://www.cve.org/CVERecord?id=CVE-2023-46234

Please adjust the affected versions in the BTS as needed.

Bug#1054666: open-vm-tools: CVE-2023-34059 CVE-2023-34058

2023-10-27 Thread Moritz Mühlenhoff

Source: open-vm-tools
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for open-vm-tools.

CVE-2023-34059[0]:
| open-vm-tools contains a file descriptor hijack vulnerability in the
| vmware-user-suid-wrapper. A malicious actor with non-root privileges
| may be able to hijack the  /dev/uinput file descriptor allowing them
| to simulate user inputs.

https://www.openwall.com/lists/oss-security/2023/10/27/3

CVE-2023-34058[1]:
| VMware Tools contains a SAML token signature bypass vulnerability. A
| malicious actor that has been granted  Guest Operation Privileges
| https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-
| security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target
| virtual machine may be able to elevate their privileges if that
| target virtual machine has been assigned a more privileged  Guest
| Alias https://vdc-download.vmware.com/vmwb-repository/dcr-
| public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-
| db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .

https://www.openwall.com/lists/oss-security/2023/10/27/1
https://github.com/vmware/open-vm-tools/blob/CVE-2023-34058.patch/CVE-2023-34058.patch


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34059
https://www.cve.org/CVERecord?id=CVE-2023-34059
[1] https://security-tracker.debian.org/tracker/CVE-2023-34058
https://www.cve.org/CVERecord?id=CVE-2023-34058

Please adjust the affected versions in the BTS as needed.

Bug#1054429: fastdds: CVE-2023-42459

2023-10-23 Thread Moritz Mühlenhoff

Source: fastdds
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for fastdds.

CVE-2023-42459[0]:
| Fast DDS is a C++ implementation of the DDS (Data Distribution
| Service) standard of the OMG (Object Management Group). In affected
| versions specific DATA submessages can be sent to a discovery
| locator which may trigger a free error. This can remotely crash any
| Fast-DDS process. The call to free() could potentially leave the
| pointer in the attackers control which could lead to a double free.
| This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3,
| and 2.6.7. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm
https://github.com/eProsima/Fast-DDS/issues/3207
https://github.com/eProsima/Fast-DDS/pull/3824
https://github.com/eProsima/Fast-DDS/commit/1e978c6f3d0ca1df6b323b37fd4902b0762ececb


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42459
https://www.cve.org/CVERecord?id=CVE-2023-42459

Please adjust the affected versions in the BTS as needed.

Bug#1054427: trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487

2023-10-23 Thread Moritz Mühlenhoff

Source: trafficserver
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2023-41752[0]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Traffic Server.This issue affects Apache
| Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.
| Users are recommended to upgrade to version 8.1.9 or 9.2.3, which
| fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/334839cb7a6724c71a5542e924251a8d931774b0
 (8.1.x)
https://github.com/apache/trafficserver/commit/de7c8a78edd5b75e311561dfaa133e9d71ea8a5e
 (9.2.x)

CVE-2023-39456[1]:
| Improper Input Validation vulnerability in Apache Traffic Server
| with malformed HTTP/2 frames.This issue affects Apache Traffic
| Server: from 9.0.0 through 9.2.2.  Users are recommended to upgrade
| to version 9.2.3, which fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/4ca137b59bc6aaa25f8b14db2bdd2e72c43502e5
 (9.2.x)

CVE-2023-44487[2]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682
 (9.2.3-rc0)
https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620
 (8.1.x)

For oldstable-security let's move to 8.1.8 and for stable-security
to 9.2.3?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41752
https://www.cve.org/CVERecord?id=CVE-2023-41752
[1] https://security-tracker.debian.org/tracker/CVE-2023-39456
https://www.cve.org/CVERecord?id=CVE-2023-39456
[2] https://security-tracker.debian.org/tracker/CVE-2023-44487
https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.

Bug#1053880: node-babel7: CVE-2023-45133

2023-10-13 Thread Moritz Mühlenhoff

Source: node-babel7
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-babel7.

CVE-2023-45133[0]:
| Babel is a compiler for writingJavaScript. In `@babel/traverse`
| prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of
| `babel-traverse`, using Babel to compile code that was specifically
| crafted by an attacker can lead to arbitrary code execution during
| compilation, when using plugins that rely on the `path.evaluate()`or
| `path.evaluateTruthy()` internal Babel methods. Known affected
| plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env`
| when using its `useBuiltIns` option; and any "polyfill provider"
| plugin that depends on `@babel/helper-define-polyfill-provider`,
| such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-
| corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-
| regenerator`. No other plugins under the `@babel/` namespace are
| impacted, but third-party plugins might be. Users that only compile
| trusted code are not impacted. The vulnerability has been fixed in
| `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those
| who cannot upgrade `@babel/traverse` and are using one of the
| affected packages mentioned above should upgrade them to their
| latest version to avoid triggering the vulnerable code path in
| affected `@babel/traverse` versions: `@babel/plugin-transform-
| runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-
| define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2`
| v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-
| polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator`
| v0.5.3.

https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
https://github.com/babel/babel/pull/16033
https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45133
https://www.cve.org/CVERecord?id=CVE-2023-45133

Please adjust the affected versions in the BTS as needed.

Bug#1053877: zabbix: CVE-2023-32721 CVE-2023-32722 CVE-2023-32723 CVE-2023-32724

2023-10-13 Thread Moritz Mühlenhoff

Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for zabbix.

CVE-2023-32721[0]:
| A stored XSS has been found in the Zabbix web application in the
| Maps element if a URL field is set with spaces before URL.

https://support.zabbix.com/browse/ZBX-23389

CVE-2023-32722[1]:
| The zabbix/src/libs/zbxjson module is vulnerable to a buffer
| overflow when parsing JSON files via zbx_json_open.

https://support.zabbix.com/browse/ZBX-23390

CVE-2023-32723[2]:
| Request to LDAP is sent before user permissions are checked.

https://support.zabbix.com/browse/ZBX-23230

CVE-2023-32724[3]:
| Memory pointer is in a property of the Ducktape object. This leads
| to multiple vulnerabilities related to direct memory access and
| manipulation.

https://support.zabbix.com/browse/ZBX-23391

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32721
https://www.cve.org/CVERecord?id=CVE-2023-32721
[1] https://security-tracker.debian.org/tracker/CVE-2023-32722
https://www.cve.org/CVERecord?id=CVE-2023-32722
[2] https://security-tracker.debian.org/tracker/CVE-2023-32723
https://www.cve.org/CVERecord?id=CVE-2023-32723
[3] https://security-tracker.debian.org/tracker/CVE-2023-32724
https://www.cve.org/CVERecord?id=CVE-2023-32724

Please adjust the affected versions in the BTS as needed.

Bug#1053801: trafficserver: CVE-2023-44487

2023-10-11 Thread Moritz Mühlenhoff

Source: trafficserver
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for trafficserver.

CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.

Fixed in 9.2.3:
https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682
 (9.2.x)

Bug#1053769: nghttp2: CVE-2023-44487

2023-10-10 Thread Moritz Mühlenhoff

Source: nghttp2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for nghttp2.

CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
https://github.com/nghttp2/nghttp2/pull/1961
https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.

Bug#1051889: freeimage: CVE-2020-22524

2023-09-13 Thread Moritz Mühlenhoff

Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for freeimage.

CVE-2020-22524[0]:
| Buffer Overflow vulnerability in FreeImage_Load function in
| FreeImage Library 3.19.0(r1828) allows attackers to cuase a denial
| of service via crafted PFM file.

https://sourceforge.net/p/freeimage/bugs/319/
Fixed with r1848 from http://svn.code.sf.net/p/freeimage/svn/FreeImage/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-22524
https://www.cve.org/CVERecord?id=CVE-2020-22524

Please adjust the affected versions in the BTS as needed.

Bug#1051740: gpac: CVE-2023-3012 CVE-2023-3013 CVE-2023-3291 CVE-2023-39562 CVE-2023-4678 CVE-2023-4681 CVE-2023-4682 CVE-2023-4683 CVE-2023-4720 CVE-2023-4721 CVE-2023-4722 CVE-2023-4754 CVE-2023-475

2023-09-11 Thread Moritz Mühlenhoff

Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-3012[0]:
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to
| 2.2.2.

https://huntr.dev/bounties/916b787a-c603-409d-afc6-25bb02070e69
https://github.com/gpac/gpac/commit/53387aa86c1af1228d0fa57c67f9c7330716d5a7

CVE-2023-3013[1]:
| Unchecked Return Value in GitHub repository gpac/gpac prior to
| 2.2.2.

https://huntr.dev/bounties/52f95edc-cc03-4a9f-9bf8-74f641260073
https://github.com/gpac/gpac/commit/78e539b43293829a14a32e821f5267e3b7417594

CVE-2023-3291[2]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.2.2.

https://huntr.dev/bounties/526954e6-8683-4697-bfa2-886c3204a1d5/
https://github.com/gpac/gpac/commit/6a748ccc3f76ff10e3ae43014967ea4b0c088aaf

CVE-2023-39562[3]:
| GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to contain a
| heap-use-after-free via the gf_bs_align function at bitstream.c.
| This vulnerability allows attackers to cause a Denial of Service
| (DoS) via supplying a crafted file.

https://github.com/gpac/gpac/issues/2537
https://github.com/gpac/gpac/commit/9024531ee8e6ae8318a8fe0cbb64710d1acc31f6

CVE-2023-4678[4]:
| Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/4607052c482a51dbdacfe1ade10645c181d07b07
https://huntr.dev/bounties/688a4a01-8c18-469d-8cbe-a2e79e80c877

CVE-2023-4681[5]:
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to
| 2.3-DEV.

https://github.com/gpac/gpac/commit/4bac19ad854159b21ba70d8ab7c4e1cd1db8ea1c
https://huntr.dev/bounties/d67c5619-ab36-41cc-93b7-04828e25f60e

CVE-2023-4682[6]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.3-DEV.

https://github.com/gpac/gpac/commit/b1042c3eefca87c4bc32afb404ed6518d693e5be
https://huntr.dev/bounties/15232a74-e3b8-43f0-ae8a-4e89d56c474c

CVE-2023-4683[7]:
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to
| 2.3-DEV.

https://github.com/gpac/gpac/commit/112767e8b178fc82dec3cf82a1ca14d802cdb8ec
https://huntr.dev/bounties/7852e4d2-af4e-4421-a39e-db23e0549922

CVE-2023-4720[8]:
| Floating Point Comparison with Incorrect Operator in GitHub
| repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/e396648e48c57e2d53988d3fd4465b068b96c89a
https://huntr.dev/bounties/1dc2954c-8497-49fa-b2af-113e1e9381ad

CVE-2023-4721[9]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/3ec93d73d048ed7b46fe6e9f307cc7a0cc13db63
https://huntr.dev/bounties/f457dc62-3cff-47bd-8fd2-1cb2b4a832fc

CVE-2023-4722[10]:
| Integer Overflow or Wraparound in GitHub repository gpac/gpac prior
| to 2.3-DEV.

https://github.com/gpac/gpac/commit/de7f3a852bef72a52825fd307cf4e8f486401a76
https://huntr.dev/bounties/ddfdb41d-e708-4fec-afe5-68ff1f88f830

CVE-2023-4754[11]:
| Out-of-bounds Write in GitHub repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/7e2e92feb1b30fac1d659f6620d743b5a188ffe0
https://huntr.dev/bounties/b7ed24ad-7d0b-40b7-8f4d-3c18a906620c

CVE-2023-4755[12]:
| Use After Free in GitHub repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/895ac12da168435eb8db3f96978ffa4c69d66c3a
https://huntr.dev/bounties/463474b7-a4e8-42b6-8b30-e648a77ee6b3

CVE-2023-4756[13]:
| Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.3-DEV.

https://github.com/gpac/gpac/commit/6914d016e2b540bac2c471c4aea156ddef8e8e01
https://huntr.dev/bounties/2342da0e-f097-4ce7-bfdc-3ec0ba446e05

CVE-2023-4758[14]:
| Buffer Over-read in GitHub repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/193633b1648582444fc99776cd741d7ba0125e86
https://huntr.dev/bounties/2f496261-1090-45ac-bc89-cc93c82090d6

CVE-2023-4778[15]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

https://huntr.dev/bounties/abb450fb-4ab2-49b0-90da-3d878eea5397/
https://github.com/gpac/gpac/commit/d553698050af478049e1a09e44a15ac884f223ed


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-3012
https://www.cve.org/CVERecord?id=CVE-2023-3012
[1] https://security-tracker.debian.org/tracker/CVE-2023-3013
https://www.cve.org/CVERecord?id=CVE-2023-3013
[2] https://security-tracker.debian.org/tracker/CVE-2023-3291
https://www.cve.org/CVERecord?id=CVE-2023-3291
[3] https://security-tracker.debian.org/tracker/CVE-2023-39562
https://www.cve.org/CVERecord?id=CVE-2023-39562
[4] https://security-tracker.debian.org/tracker/CVE-2023-4678
https://www.cve.org/CVERecord?id=CVE-2023-4678
[5] https://security-tracker.debian.org/tracker/CVE-2023-4681
https://www.cve.org/CVERecord?id=CVE-2023-4681
[6]

Bug#1051738: freeimage: CVE-2020-21428

2023-09-11 Thread Moritz Mühlenhoff

Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for freeimage.

CVE-2020-21428[0]:
| Buffer Overflow vulnerability in function LoadRGB in PluginDDS.cpp
| in FreeImage 3.18.0 allows remote attackers to run arbitrary code
| and cause other impacts via crafted image file.

https://sourceforge.net/p/freeimage/bugs/299/

This appears to be fixed in r1877 of the upstream Subversion repository

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-21428
https://www.cve.org/CVERecord?id=CVE-2020-21428

Please adjust the affected versions in the BTS as needed.

Bug#1050835: nuget: CVE-2023-29337

2023-08-29 Thread Moritz Mühlenhoff

Source: nuget
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for nuget.

CVE-2023-29337[0]:
Does https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337
affect nuget as packaged in Debian?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-29337
https://www.cve.org/CVERecord?id=CVE-2023-29337

Please adjust the affected versions in the BTS as needed.

Bug#1041430: ruby-sanitize: CVE-2023-36823

Source: ruby-sanitize
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ruby-sanitize.

CVE-2023-36823[0]:
| Sanitize is an allowlist-based HTML and CSS sanitizer. Using
| carefully crafted input, an attacker may be able to sneak arbitrary
| HTML and CSS through Sanitize starting with version 3.0.0 and prior
| to version 6.0.2 when Sanitize is configured to use the built-in
| "relaxed" config or when using a custom config that allows `style`
| elements and one or more CSS at-rules. This could result in cross-
| site scripting or other undesired behavior when the malicious HTML
| and CSS are rendered in a browser. Sanitize 6.0.2 performs
| additional escaping of CSS in `style` element content, which fixes
| this issue. Users who are unable to upgrade can prevent this issue
| by using a Sanitize config that doesn't allow `style` elements,
| using a Sanitize config that doesn't allow CSS at-rules, or by
| manually escaping the character sequence `https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220
 (v6.0.2)
https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7
  

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-36823
https://www.cve.org/CVERecord?id=CVE-2023-36823

Please adjust the affected versions in the BTS as needed.

Bug#1041429: restrictedpython: CVE-2023-37271

Source: restrictedpython
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for restrictedpython.

CVE-2023-37271[0]:
| RestrictedPython is a tool that helps to define a subset of the
| Python language which allows users to provide a program input into a
| trusted environment. RestrictedPython does not check access to stack
| frames and their attributes. Stack frames are accessible within at
| least generators and generator expressions, which are allowed inside
| RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with
| access to a RestrictedPython environment can write code that gets
| the current stack frame in a generator and then walk the stack all
| the way beyond the RestrictedPython invocation boundary, thus
| breaking out of the restricted sandbox and potentially allowing
| arbitrary code execution in the Python interpreter. All
| RestrictedPython deployments that allow untrusted users to write
| Python code in the RestrictedPython environment are at risk. In
| terms of Zope and Plone, this would mean deployments where the
| administrator allows untrusted users to create and/or edit objects
| of type `Script (Python)`, `DTML Method`, `DTML Document` or `Zope
| Page Template`. This is a non-default configuration and likely to be
| extremely rare. The problem has been fixed in versions 6.1 and 5.3.

https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-wqc8-x2pr-7jqh
https://github.com/zopefoundation/RestrictedPython/commit/c8eca66ae49081f0016d2e1f094c3d72095ef531
 (master)
https://github.com/zopefoundation/RestrictedPython/commit/d8c5aa72c5d0ec8eceab635d93d6bc8321116002
 (5.3)
   

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37271
https://www.cve.org/CVERecord?id=CVE-2023-37271

Please adjust the affected versions in the BTS as needed.

Bug#1041427: bitcoin: CVE-2023-37192

Source: bitcoin
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for bitcoin.

CVE-2023-37192[0]:
| Memory management and protection issues in Bitcoin Core v22 allows
| attackers to modify the stored sending address within the app's
| memory, potentially allowing them to redirect Bitcoin transactions
| to wallets of their own choosing.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37192
https://www.cve.org/CVERecord?id=CVE-2023-37192

Please adjust the affected versions in the BTS as needed.

Bug#1041423: cjose: CVE-2023-37464