[Git][security-tracker-team/security-tracker][master] 2 commits: Add two CVEs for limesurvey, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 538b1dd0 by Salvatore Bonaccorso at 2023-01-30T08:16:49+01:00 Add two CVEs for limesurvey, itped - - - - - c4e14364 by Salvatore Bonaccorso at 2023-01-30T08:16:50+01:00 Add CVE-2022-48007/piwigo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7025,13 +7025,13 @@ CVE-2022-48012 (Opencats v0.9.7 was discovered to contain a reflected cross-site CVE-2022-48011 (Opencats v0.9.7 was discovered to contain a SQL injection vulnerabilit ...) TODO: check CVE-2022-48010 (LimeSurvey v5.4.15 was discovered to contain a stored cross-site scrip ...) - TODO: check + - limesurvey (bug #472802) CVE-2022-48009 RESERVED CVE-2022-48008 (An arbitrary file upload vulnerability in the plugin manager of LimeSu ...) - TODO: check + - limesurvey (bug #472802) CVE-2022-48007 (A stored cross-site scripting (XSS) vulnerability in identification.ph ...) - TODO: check + - piwigo CVE-2022-48006 RESERVED CVE-2022-48005 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ac91a2e03c27a3052bab5891c7c3e600e5e5f72b...c4e14364d73a1b004005d251702ca1e493bbf75e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
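Review bot: the piwigo hunk records neither a fixed version nor a bug number for CVE-2022-48007, while the two limesurvey entries in the same hunk cite bug #472802; add the matching bug reference (or the fixed unstable version) so the state of piwigo can be read from the entry alone, as it can for limesurvey.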
[Git][security-tracker-team/security-tracker][master] Reclaim modsecurity-crs
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ac91a2e0 by Tobias Frost at 2023-01-30T07:47:46+01:00 Reclaim modsecurity-crs - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -140,11 +140,12 @@ man2html (gladk) NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . -- -modsecurity-crs +modsecurity-crs (tobi) NOTE: 20221006: Programming language: Other. NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider uploading of newer version. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/modsecurity-crs.git NOTE: 20230113: backported rule set to strech (did not see the notice from 20230111 before), mailed maintainers for feedback. + NOTE: 20200130: WIP, in heavy contact with upstream. (alomst ready for upload) -- netatalk NOTE: 20220816: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac91a2e03c27a3052bab5891c7c3e600e5e5f72b
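Review bot: the added NOTE line is dated 20200130 although the commit and the neighbouring notes are from January 2023, so it reads as older than the 20221006 entries above it; change the stamp to 20230130 and fix "alomst" to "almost" in the same line.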
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 95472c99 by Anton Gladky at 2023-01-30T06:50:17+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,7 +31,7 @@ bind9 (Emilio) NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/bind9.git NOTE: 20230126: Special attention: Package is used in many cases. Please be very carefull with fix and upload!. -- -ceph (Stefano Rivera) +ceph NOTE: 20221031: Programming language: C++. NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system. NOTE: 20221031: What should be checked is whether any user with ceph permission can do the actions described in the exploit. (ola/front-desk) @@ -140,7 +140,7 @@ man2html (gladk) NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . -- -modsecurity-crs (Tobias Frost) +modsecurity-crs NOTE: 20221006: Programming language: Other. NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider uploading of newer version. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/modsecurity-crs.git 
@@ -168,7 +168,7 @@ node-got NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk) NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby). -- -node-moment (Utkarsh) +node-moment NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95472c998f3a42ea346fd2e2c92b3c92e86d6c8f
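Review bot: the three unclaim hunks (ceph, modsecurity-crs, node-moment) drop the claimant name without leaving any dated NOTE that the package was unclaimed for inactivity, so the next person to claim it cannot see the history; for modsecurity-crs in particular the 20230113 note shows a backport and maintainer contact only 17 days earlier, which is a reason to record the unclaim explicitly (for example "NOTE: 20230130: unclaimed after 2 weeks of inactivity") rather than rely on git history.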
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for varnish update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e78894d by Salvatore Bonaccorso at 2023-01-29T22:05:44+01:00 Reserve DSA number for varnish update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[29 Jan 2023] DSA-5334-1 varnish - security update + {CVE-2022-45060} + [bullseye] - varnish 6.5.1-1+deb11u3 [29 Jan 2023] DSA-5333-1 tiff - security update {CVE-2022-1354 CVE-2022-1355 CVE-2022-1622 CVE-2022-1623 CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 CVE-2022-2953 CVE-2022-3570 CVE-2022-3597 CVE-2022-3599 CVE-2022-3627 CVE-2022-3636 CVE-2022-34526 CVE-2022-48281} [bullseye] - tiff 4.2.0-1+deb11u3 = data/dsa-needed.txt = @@ -61,8 +61,6 @@ thunderbird (jmm) -- tiff (aron) -- -varnish (carnil) --- xrdp needs some additional clarification, tentatively DSA worthy maybe upgrade to 0.9.21 within bullseye? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e78894dedd70d7e8b7794b9f8626b196501a5a4
[Git][security-tracker-team/security-tracker][master] DLA: take fig2dev
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abf8ef50 by Adrian Bunk at 2023-01-29T23:01:24+02:00 DLA: take fig2dev - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -50,7 +50,7 @@ erlang NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their VCS can be used. -- -fig2dev +fig2dev (Adrian Bunk) NOTE: 20230105: Programming language: C. NOTE: 20230105: Harmonize with bullseye 11.5 and stretch (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abf8ef50c28d09c714ad3230d389ac13ee531fa2
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3292-1 for sofia-sip
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ae9e78e7 by Adrian Bunk at 2023-01-29T23:00:41+02:00 Reserve DLA-3292-1 for sofia-sip - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Jan 2023] DLA-3292-1 sofia-sip - security update + {CVE-2023-22741} + [buster] - sofia-sip 1.12.11+20110422.1-2.1+deb10u2 [29 Jan 2023] DLA-3291-1 node-object-path - security update {CVE-2021-3805 CVE-2021-23434} [buster] - node-object-path 0.11.4-2+deb10u2 = data/dla-needed.txt = @@ -309,10 +309,6 @@ snort (Markus Koschany) NOTE: 20230121: Prepared new upstream version for unstable which we could NOTE: 20230121: backport to buster later. See https://bugs.debian.org/1021276 -- -sofia-sip (Adrian Bunk) - NOTE: 20230125: Programming language: C. - NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/sofia-sip.git --- sox (Helmut Grohne) NOTE: 20220818: Programming language: C. NOTE: 20220818: Requires some investigation; see #1012138 etc. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae9e78e7fbd44307003cebb83d8dcc2fb9c4a941
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 76afcd4f by Salvatore Bonaccorso at 2023-01-29T21:18:47+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2023-0571 (A vulnerability has been found in SourceCodester Canteen Management Sy ...) - TODO: check + NOT-FOR-US: SourceCodester Canteen Management System CVE-2023-0570 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Online Tours & Travels Management System CVE-2023-0569 (Weak Password Requirements in GitHub repository publify/publify prior ...) - TODO: check + NOT-FOR-US: Publify CVE-2023-0568 RESERVED CVE-2023-0567 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76afcd4f59adb6d17cf866211b330d8f3fcf37a4
[Git][security-tracker-team/security-tracker][master] Take ruby-rack and tmux
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: ad80502d by Utkarsh Gupta at 2023-01-30T01:40:47+05:30 Take ruby-rack and tmux - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -268,7 +268,7 @@ ring ruby-loofah NOTE: 20221231: Programming language: Ruby. -- -ruby-rack +ruby-rack (Utkarsh) NOTE: 20230129: Programming language: Ruby. NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/ruby-rack.git -- @@ -331,7 +331,7 @@ tiff (Utkarsh) tinymce NOTE: 20221227: Programming language: PHP. -- -tmux +tmux (Utkarsh) NOTE: 20230129: Programming language: C. NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/tmux.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad80502d6b7dea39ca397e0477ddf734adec8060
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a1c82bbe by security tracker role at 2023-01-29T20:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,47 @@ +CVE-2023-0571 (A vulnerability has been found in SourceCodester Canteen Management Sy ...) + TODO: check +CVE-2023-0570 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2023-0569 (Weak Password Requirements in GitHub repository publify/publify prior ...) + TODO: check +CVE-2023-0568 + RESERVED +CVE-2023-0567 + RESERVED +CVE-2022-48302 + RESERVED +CVE-2022-48301 + RESERVED +CVE-2022-48300 + RESERVED +CVE-2022-48299 + RESERVED +CVE-2022-48298 + RESERVED +CVE-2022-48297 + RESERVED +CVE-2022-48296 + RESERVED +CVE-2022-48295 + RESERVED +CVE-2022-48294 + RESERVED +CVE-2022-48293 + RESERVED +CVE-2022-48292 + RESERVED +CVE-2022-48291 + RESERVED +CVE-2022-48290 + RESERVED +CVE-2022-48289 + RESERVED +CVE-2022-48288 + RESERVED +CVE-2022-48287 + RESERVED +CVE-2022-48286 + RESERVED CVE-2023-24607 RESERVED CVE-2023-24606 @@ -36,10 +80,10 @@ CVE-2023-0561 (A vulnerability, which was classified as critical, was found in S NOT-FOR-US: SourceCodester Online Tours & Travels Management System CVE-2023-0560 (A vulnerability, which was classified as critical, has been found in S ...) NOT-FOR-US: SourceCodester Online Tours & Travels Management System -CVE-2016-15022 - RESERVED -CVE-2009-10003 - RESERVED +CVE-2016-15022 (A vulnerability was found in mosbth cimage up to 0.7.18. It has been d ...) + TODO: check +CVE-2009-10003 (A vulnerability was found in capnsquarepants wordcraft up to 0.6. It h ...) + TODO: check CVE-2023-0559 RESERVED CVE-2023-0558 (The ContentStudio plugin for WordPress is vulnerable to authorization ...) 
@@ -104129,6 +104173,7 @@ CVE-2021-3807 (ansi-regex is vulnerable to Inefficient Regular Expression Comple CVE-2021-3806 (A path traversal vulnerability on Pardus Software Center's "extractArc ...) NOT-FOR-US: Pardus Software Center CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification of Obj ...) + {DLA-3291-1} - node-object-path 0.11.8-1 [bullseye] - node-object-path 0.11.5-3+deb11u1 [stretch] - node-object-path (Nodejs in stretch not covered by security support) @@ -149284,6 +149329,7 @@ CVE-2021-23436 (This affects the package immer before 9.0.6. A type confusion vu CVE-2021-23435 (This affects the package clearance before 2.5.0. The vulnerability can ...) NOT-FOR-US: Rails clearance gem CVE-2021-23434 (This affects the package object-path before 0.11.6. A type confusion v ...) + {DLA-3291-1} - node-object-path 0.11.7-1 [bullseye] - node-object-path 0.11.5-3+deb11u1 [stretch] - node-object-path (Nodejs in stretch not covered by security support) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1c82bbeafae7b789d1b2a9efa93d268bb03bb3f
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-45907/pytorch fixed version via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 379af556 by Salvatore Bonaccorso at 2023-01-29T21:05:02+01:00 Add CVE-2022-45907/pytorch fixed version via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15009,7 +15009,7 @@ CVE-2022-45909 (drachtio-server before 0.8.19 has a heap-based buffer over-read CVE-2022-45908 (In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vuln ...) NOT-FOR-US: PaddlePaddle CVE-2022-45907 (In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line c ...) - - pytorch (bug #1024903) + - pytorch 1.13.1+dfsg-1 (bug #1024903) [bullseye] - pytorch (Minor issue) NOTE: https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3 NOTE: https://github.com/pytorch/pytorch/issues/88868 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/379af556decbd8ce2e117e3599b891ff4aa00582
[Git][security-tracker-team/security-tracker][master] Track fixed version for openjdk-8 issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ec623ecd by Salvatore Bonaccorso at 2023-01-29T21:03:51+01:00 Track fixed version for openjdk-8 issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9780,7 +9780,7 @@ CVE-2023-21844 (Vulnerability in the PeopleSoft Enterprise PeopleTools product o NOT-FOR-US: Oracle CVE-2023-21843 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5331-1} - - openjdk-8 + - openjdk-8 8u362-ga-1 - openjdk-11 11.0.18+10-1 - openjdk-17 17.0.6+10-1 - openjdk-21 21~7ea-1 @@ -9812,7 +9812,7 @@ CVE-2023-21832 (Vulnerability in the Oracle BI Publisher product of Oracle Fusio CVE-2023-21831 (Vulnerability in the PeopleSoft Enterprise CS Academic Advisement prod ...) NOT-FOR-US: Oracle CVE-2023-21830 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - - openjdk-8 + - openjdk-8 8u362-ga-1 - openjdk-21 21~7ea-1 CVE-2023-21829 (Vulnerability in the Oracle Database RDBMS Security component of Oracl ...) NOT-FOR-US: Oracle View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec623ecd8713c0b0e4626f917e640a824144a365
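Review bot: the CVE-2023-21830 hunk lists only openjdk-8 and openjdk-21, whereas the CVE-2023-21843 hunk directly above lists openjdk-8, -11, -17 and -21; if openjdk-11 and openjdk-17 are genuinely not affected by CVE-2023-21830, a NOTE line saying so would spare the next triager from re-checking the asymmetry, and if they are affected they need their own entries.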
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-24839/nekohtml via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 54f9a02f by Salvatore Bonaccorso at 2023-01-29T21:02:40+01:00 Track fixed version for CVE-2022-24839/nekohtml via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -76657,7 +76657,7 @@ CVE-2022-24841 (fleetdm/fleet is an open source device management, built on osqu CVE-2022-24840 (django-s3file is a lightweight file upload input for Django and Amazon ...) NOT-FOR-US: django-s3file CVE-2022-24839 (org.cyberneko.html is an html parser written in Java. The fork of `org ...) - - nekohtml (bug #1021739) + - nekohtml 1.9.22.noko2-0.1 (bug #1021739) [bullseye] - nekohtml (Minor issue) [buster] - nekohtml (Minor issue) [stretch] - nekohtml (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54f9a02f279dd18e9368dac1f01bafd39f2ca3d6
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add ruby-rack to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a75521a by Anton Gladky at 2023-01-29T20:51:06+01:00 LTS: add ruby-rack to dla-needed.txt - - - - - b7512050 by Anton Gladky at 2023-01-29T20:55:40+01:00 LTS: add tmux to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -268,6 +268,10 @@ ring ruby-loofah NOTE: 20221231: Programming language: Ruby. -- +ruby-rack + NOTE: 20230129: Programming language: Ruby. + NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/ruby-rack.git +-- ruby-rails-html-sanitizer NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git @@ -327,6 +331,10 @@ tiff (Utkarsh) tinymce NOTE: 20221227: Programming language: PHP. -- +tmux + NOTE: 20230129: Programming language: C. + NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/tmux.git +-- wireshark NOTE: 20230123: Programming language: C. NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them pile up like last time. (utkarsh). View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d135f1805bbdc3ce352b4b113f59df9920a5eff...b7512050abddcfa78497aca3d00f5f6b13c0
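Review bot: both new entries (ruby-rack and tmux) carry only the language and VCS notes and give no hint of which open CVEs or which bullseye point release the buster update should follow; the neighbouring wireshark entry shows the useful form ("7 new CVEs + 3 postponed ones"), so add a NOTE naming the issues to be addressed so that whoever claims the package has the scope in front of them.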
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: take libgit2
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: c570f946 by Anton Gladky at 2023-01-29T18:23:14+01:00 LTS: take libgit2 - - - - - 2d135f18 by Anton Gladky at 2023-01-29T18:23:41+01:00 LTS: take man2html - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -112,7 +112,7 @@ libapache2-mod-auth-mellon NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- -libgit2 +libgit2 (gladk) NOTE: 20230126: Programming language: C. NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/libgit2.git NOTE: 20230126: Please fix also CVE-2020* (gladk). @@ -135,7 +135,7 @@ libstb (Adrian Bunk) linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- -man2html +man2html (gladk) NOTE: 20221004: Programming language: C. NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/86672ee355229f340c3fa92a00d7ba7903893d1d...2d135f1805bbdc3ce352b4b113f59df9920a5eff
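Review bot: the man2html hunk claims a package whose 20221004 context note is truncated ("whether the issue can be marked as .") and whose other note says no patch is available; now that the package has a claimant, the outcome of that evaluation (the intended status, and whether a DLA or a no-dsa marking follows) should be recorded in a dated NOTE so the incomplete sentence does not survive another round of triage.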
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3291-1 for node-object-path
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 86672ee3 by Guilhem Moulin at 2023-01-29T17:05:53+01:00 Reserve DLA-3291-1 for node-object-path - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -104131,7 +104131,6 @@ CVE-2021-3806 (A path traversal vulnerability on Pardus Software Center's "extra CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification of Obj ...) - node-object-path 0.11.8-1 [bullseye] - node-object-path 0.11.5-3+deb11u1 - [buster] - node-object-path (Minor issue) [stretch] - node-object-path (Nodejs in stretch not covered by security support) NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053 NOTE: https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884 (v0.11.8) @@ -149287,7 +149286,6 @@ CVE-2021-23435 (This affects the package clearance before 2.5.0. The vulnerabili CVE-2021-23434 (This affects the package object-path before 0.11.6. A type confusion v ...) - node-object-path 0.11.7-1 [bullseye] - node-object-path 0.11.5-3+deb11u1 - [buster] - node-object-path (Minor issue) [stretch] - node-object-path (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453 NOTE: https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Jan 2023] DLA-3291-1 node-object-path - security update + {CVE-2021-3805 CVE-2021-23434} + [buster] - node-object-path 0.11.4-2+deb10u2 [29 Jan 2023] DLA-3290-1 libzen - security update {CVE-2020-36646} [buster] - libzen 0.4.37-1+deb10u1 = data/dla-needed.txt = 
@@ -177,11 +177,6 @@ node-nth-check NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk) NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby). -- -node-object-path (guilhem) - NOTE: 2022: Programming language: JavaScript. - NOTE: 2022: Follow fixes from bullseye 11.1 (Beuc/front-desk) - NOTE: 20221223: Functional part of CVE-2021-3805 might be https://gist.github.com/lamby/ebf0633837f16d174138bbf36bef38f3/raw (lamby) --- node-qs NOTE: 20230105: Programming language: JavaScript. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86672ee355229f340c3fa92a00d7ba7903893d1d
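Review bot: the dla-needed.txt hunk removes lamby's 20221223 note pointing at the gist that was identified as the functional part of the CVE-2021-3805 fix, and nothing in the CVE/list hunks preserves it; since that reference documents what was actually backported for DLA-3291-1, carry it over as a NOTE under CVE-2021-3805 in data/CVE/list before dropping the dla-needed entry.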
[Git][security-tracker-team/security-tracker][master] LTS: Claim apache2 and asterisk
Lee Garrett pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f4b39a3 by Lee Garrett at 2023-01-29T16:53:03+01:00 LTS: Claim apache2 and asterisk - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -17,12 +17,12 @@ rather than remove/replace existing ones. NOTE: 20221231: Programming language: C. NOTE: 20221231: Few users. Low prio. (opal). -- -apache2 +apache2 (Lee Garrett) NOTE: 20221227: Programming language: C. NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git NOTE: 20221227: Special attention: Double check an update! Package is used by many customers and users!. -- -asterisk +asterisk (Lee Garrett) NOTE: 20221211: Programming language: C. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f4b39a34213dea3ed60b3d8c0f046869a5b167a
[Git][security-tracker-team/security-tracker][master] add tiff to dsa-needed.txt and claim it
Aron Xu pushed to branch master at Debian Security Tracker / security-tracker Commits: f7db63d1 by Aron Xu at 2023-01-29T21:20:57+08:00 add tiff to dsa-needed.txt and claim it There are three more open CVEs to be addressed which is not covered by previous release - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -59,6 +59,8 @@ sox -- thunderbird (jmm) -- +tiff (aron) +-- varnish (carnil) -- xrdp View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7db63d1e9908f34db27c4245219b8906cb030c1
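Review bot: the commit message says three open CVEs remain that the previous release did not cover, but the added dsa-needed.txt entry is a bare "tiff (aron)" with no note naming them; dsa-needed.txt already carries free-text notes under entries (see the xrdp lines in the same file), so list the three CVE ids under the tiff entry rather than leaving them only in the commit message.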
[Git][security-tracker-team/security-tracker][master] Track source wise fix for CVE-2022-4842/linux via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 72166d1c by Salvatore Bonaccorso at 2023-01-29T13:36:51+01:00 Track source wise fix for CVE-2022-4842/linux via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6497,7 +6497,7 @@ CVE-2022-4843 (NULL Pointer Dereference in GitHub repository radareorg/radare2 p NOTE: https://huntr.dev/bounties/075b2760-66a0-4d38-b3b5-e9934956ab7f NOTE: https://github.com/radareorg/radare2/commit/842f809d4ec6a12af2906f948657281c9ebc8a24 CVE-2022-4842 (A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver funct ...) - - linux (unimportant) + - linux 6.1.8-1 (unimportant) [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2156927 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72166d1c08916209eb89f668ca5b3c02b0195469
[Git][security-tracker-team/security-tracker][master] LTS: claim node-object-path in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 841100ea by Guilhem Moulin at 2023-01-29T12:02:33+01:00 LTS: claim node-object-path in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -177,7 +177,7 @@ node-nth-check NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk) NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby). -- -node-object-path +node-object-path (guilhem) NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.1 (Beuc/front-desk) NOTE: 20221223: Functional part of CVE-2021-3805 might be https://gist.github.com/lamby/ebf0633837f16d174138bbf36bef38f3/raw (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/841100ea1bcc25637d57ff72b40f4b42550983ec
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bdef1465 by Salvatore Bonaccorso at 2023-01-29T09:47:06+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,11 +27,11 @@ CVE-2023-0565 CVE-2023-0564 (Weak Password Requirements in GitHub repository froxlor/froxlor prior ...) - froxlor (bug #581792) CVE-2023-0563 (A vulnerability classified as problematic has been found in PHPGurukul ...) - TODO: check + NOT-FOR-US: PHPGurukul Bank Locker Management System CVE-2022-48285 (loadAsync in JSZip before 3.8.0 allows Directory Traversal via a craft ...) TODO: check CVE-2023-0562 (A vulnerability was found in PHPGurukul Bank Locker Management System ...) - TODO: check + NOT-FOR-US: PHPGurukul Bank Locker Management System CVE-2023-0561 (A vulnerability, which was classified as critical, was found in Source ...) NOT-FOR-US: SourceCodester Online Tours & Travels Management System CVE-2023-0560 (A vulnerability, which was classified as critical, has been found in S ...) @@ -65,7 +65,7 @@ CVE-2022-48284 CVE-2022-48283 RESERVED CVE-2021-4315 (A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and class ...) - TODO: check + NOT-FOR-US: NYUCCL psiTurk CVE-2023-24595 RESERVED CVE-2023-24583 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdef1465a23dc3ef9be29b43c6bf12dc0a292ac5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdef1465a23dc3ef9be29b43c6bf12dc0a292ac5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
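Review bot: in the first hunk CVE-2022-48285 (JSZip loadAsync directory traversal) is still TODO: check while the two PHPGurukul entries on either side of it are resolved as NOT-FOR-US; unlike those web applications it is a library, so it is the remaining open item of this pass and needs a source-package check rather than being swept into the NFU batch.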
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-0564/froxlor
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 21180ba7 by Salvatore Bonaccorso at 2023-01-29T09:28:01+01:00 Add CVE-2023-0564/froxlor - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,7 @@ CVE-2023-0566 CVE-2023-0565 RESERVED CVE-2023-0564 (Weak Password Requirements in GitHub repository froxlor/froxlor prior ...) - TODO: check + - froxlor (bug #581792) CVE-2023-0563 (A vulnerability classified as problematic has been found in PHPGurukul ...) TODO: check CVE-2022-48285 (loadAsync in JSZip before 3.8.0 allows Directory Traversal via a craft ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21180ba767caf929befb3471fc57b21b0e84fcd9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21180ba767caf929befb3471fc57b21b0e84fcd9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c8b7cd73 by security tracker role at 2023-01-29T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,37 @@ -CVE-2023-0562 +CVE-2023-24607 RESERVED +CVE-2023-24606 + RESERVED +CVE-2023-24605 + RESERVED +CVE-2023-24604 + RESERVED +CVE-2023-24603 + RESERVED +CVE-2023-24602 + RESERVED +CVE-2023-24601 + RESERVED +CVE-2023-24600 + RESERVED +CVE-2023-24599 + RESERVED +CVE-2023-24598 + RESERVED +CVE-2023-24597 + RESERVED +CVE-2023-0566 + RESERVED +CVE-2023-0565 + RESERVED +CVE-2023-0564 (Weak Password Requirements in GitHub repository froxlor/froxlor prior ...) + TODO: check +CVE-2023-0563 (A vulnerability classified as problematic has been found in PHPGurukul ...) + TODO: check +CVE-2022-48285 (loadAsync in JSZip before 3.8.0 allows Directory Traversal via a craft ...) + TODO: check +CVE-2023-0562 (A vulnerability was found in PHPGurukul Bank Locker Management System ...) + TODO: check CVE-2023-0561 (A vulnerability, which was classified as critical, was found in Source ...) NOT-FOR-US: SourceCodester Online Tours & Travels Management System CVE-2023-0560 (A vulnerability, which was classified as critical, has been found in S ...) @@ -32,8 +64,8 @@ CVE-2022-48284 RESERVED CVE-2022-48283 RESERVED -CVE-2021-4315 - RESERVED +CVE-2021-4315 (A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and class ...) + TODO: check CVE-2023-24595 RESERVED CVE-2023-24583 @@ -1386,6 +1418,7 @@ CVE-2023-0435 (Excessive Attack Surface in GitHub repository pyload/pyload prior CVE-2022-4895 RESERVED CVE-2022-48281 (processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has ...) + {DSA-5333-1} - tiff 4.5.0-4 (bug #1029653) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/488 
@@ -5055,6 +5088,7 @@ CVE-2023-22850 (Tiki before 24.1, when the Spreadsheets feature is enabled, allo CVE-2021-4307 (A vulnerability was found in Yomguithereal Baobab up to 2.6.0. It has ...) NOT-FOR-US: Yomguithereal Baobab CVE-2020-36646 (A vulnerability classified as problematic has been found in MediaArea ...) + {DLA-3290-1} - libzen 0.4.39-1 [bullseye] - libzen (Minor issue) NOTE: https://github.com/MediaArea/ZenLib/pull/119 @@ -24277,7 +24311,7 @@ CVE-2022-43553 (A remote code execution vulnerability in EdgeRouters (Version 2. NOT-FOR-US: EdgeRouters CVE-2022-43552 [HTTP Proxy deny use-after-free] RESERVED - {DSA-5330-1} + {DSA-5330-1 DLA-3288-1} - curl 7.86.0-3 (bug #1026830) NOTE: https://curl.se/docs/CVE-2022-43552.html NOTE: Introduced by (telnet): https://github.com/curl/curl/commit/b7eeb6e67fca686f840eacd6b8394edb58b07482 (curl-7_16_0) @@ -24563,6 +24597,7 @@ CVE-2022-3637 (A vulnerability has been found in Linux Kernel and classified as NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f (5.65) NOTE: Introduced by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=6f02010ce0043ec2e17eb15f2a1dd42f6c64e223 (5.65) CVE-2022-3636 (A vulnerability, which was classified as critical, was found in Linux ...) + {DSA-5333-1} - linux (No vulnerable code in any upstream or Debian released version) NOTE: https://git.kernel.org/linus/17a5f6a78dc7b8db385de346092d7d9f9dc24df6 CVE-2022-3635 (A vulnerability, which was classified as critical, has been found in L ...) 
@@ -24600,7 +24635,7 @@ CVE-2022-3628 (A buffer overflow flaw was found in the Linux kernel Broadcom Ful [bullseye] - linux 5.10.158-1 NOTE: https://www.openwall.com/lists/oss-security/2022/10/29/1 CVE-2022-3627 (LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif ...) - {DLA-3278-1} + {DSA-5333-1 DLA-3278-1} - tiff 4.4.0-5 (bug #1022555) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/411 @@ -24691,7 +24726,7 @@ CVE-2022-3601 (The Image Hover Effects Css3 WordPress plugin through 4.5 does no CVE-2022-3600 (The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not va ...) NOT-FOR-US: WordPress plugin CVE-2022-3599 (LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools ...) - {DLA-3278-1} + {DSA-5333-1 DLA-3278-1} - tiff 4.4.0-5 (bug #1022555) NOTE:
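Review bot: the DSA-5333-1 tag added to CVE-2022-3636 looks inconsistent with the rest of this update. Everywhere else in the patch DSA-5333-1 is attached to tiff entries (CVE-2022-48281, CVE-2022-3627, CVE-2022-3599), but CVE-2022-3636 is a linux entry marked "No vulnerable code in any upstream or Debian released version", so a DSA cannot have fixed it; the CVE list in the DSA data that fed this automatic update should be checked for a mistyped CVE id before the tag is left in place.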