[Git][security-tracker-team/security-tracker][master] 2 commits: Add two CVEs for limesurvey, itp'ed

2023-01-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
538b1dd0 by Salvatore Bonaccorso at 2023-01-30T08:16:49+01:00
Add two CVEs for limesurvey, itp'ed

- - - - -
c4e14364 by Salvatore Bonaccorso at 2023-01-30T08:16:50+01:00
Add CVE-2022-48007/piwigo

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7025,13 +7025,13 @@ CVE-2022-48012 (Opencats v0.9.7 was discovered to 
contain a reflected cross-site
 CVE-2022-48011 (Opencats v0.9.7 was discovered to contain a SQL injection 
vulnerabilit ...)
TODO: check
 CVE-2022-48010 (LimeSurvey v5.4.15 was discovered to contain a stored 
cross-site scrip ...)
-   TODO: check
+   - limesurvey  (bug #472802)
 CVE-2022-48009
RESERVED
 CVE-2022-48008 (An arbitrary file upload vulnerability in the plugin manager 
of LimeSu ...)
-   TODO: check
+   - limesurvey  (bug #472802)
 CVE-2022-48007 (A stored cross-site scripting (XSS) vulnerability in 
identification.ph ...)
-   TODO: check
+   - piwigo 
 CVE-2022-48006
RESERVED
 CVE-2022-48005
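
Review bot: the added "- piwigo" line for CVE-2022-48007 carries no bug reference as shown, while both limesurvey lines in this hunk cite bug #472802. If piwigo is tracked through a bug as well, add the reference in the same "(bug #...)" form; if it is not, a short NOTE under the entry saying why would help the next person triaging it.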



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ac91a2e03c27a3052bab5891c7c3e600e5e5f72b...c4e14364d73a1b004005d251702ca1e493bbf75e

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Reclaim modsecurity-crs

2023-01-29 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac91a2e0 by Tobias Frost at 2023-01-30T07:47:46+01:00
Reclaim modsecurity-crs

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -140,11 +140,12 @@ man2html (gladk)
   NOTE: 20221004: It looks like not patch is available.
   NOTE: 20221004: Please evalulate, whether the issue can be marked as 
.
 --
-modsecurity-crs
+modsecurity-crs (tobi)
   NOTE: 20221006: Programming language: Other.
   NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider 
uploading of newer version.
   NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/modsecurity-crs.git
   NOTE: 20230113: backported rule set to strech (did not see the notice from 
20230111 before), mailed maintainers for feedback.
+  NOTE: 20200130: WIP, in heavy contact with upstream. (alomst ready for 
upload)
 --
 netatalk
   NOTE: 20220816: Programming language: C.
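
Review bot: the added NOTE is dated 20200130, but the commit is from 2023-01-30 and the neighbouring notes on this entry are dated 20230111 and 20230113, so this looks like a typo for 20230130. The date is worth correcting because this entry was just unclaimed for inactivity (commit 95472c99) and the note is what documents recent work; "alomst" in the same line should read "almost".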



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac91a2e03c27a3052bab5891c7c3e600e5e5f72b



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-01-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
95472c99 by Anton Gladky at 2023-01-30T06:50:17+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -31,7 +31,7 @@ bind9 (Emilio)
   NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/bind9.git
   NOTE: 20230126: Special attention: Package is used in many cases. Please be 
very carefull with fix and upload!.
 --
-ceph (Stefano Rivera)
+ceph
   NOTE: 20221031: Programming language: C++.
   NOTE: 20221031: To be checked further. Not clear whether the vulnerability 
can be exploited in a Debian system.
   NOTE: 20221031: What should be checked is whether any user with ceph 
permission can do the actions described in the exploit. (ola/front-desk)
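
Review bot: the ceph claim is dropped by changing only the header line, with no dated NOTE recording that the entry was unclaimed or how far the previous claimant got. The notes shown all date from 20221031; consider adding a NOTE with the unclaim date so whoever picks this up next can see the entry's history without reading the git log.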
@@ -140,7 +140,7 @@ man2html (gladk)
   NOTE: 20221004: It looks like not patch is available.
   NOTE: 20221004: Please evalulate, whether the issue can be marked as 
.
 --
-modsecurity-crs (Tobias Frost)
+modsecurity-crs
   NOTE: 20221006: Programming language: Other.
   NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider 
uploading of newer version.
   NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/modsecurity-crs.git
@@ -168,7 +168,7 @@ node-got
   NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk)
   NOTE: 20221223: Module has been rewritten in Typescript since Buster 
released (lamby).
 --
-node-moment (Utkarsh)
+node-moment
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95472c998f3a42ea346fd2e2c92b3c92e86d6c8f



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for varnish update

2023-01-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e78894d by Salvatore Bonaccorso at 2023-01-29T22:05:44+01:00
Reserve DSA number for varnish update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[29 Jan 2023] DSA-5334-1 varnish - security update
+   {CVE-2022-45060}
+   [bullseye] - varnish 6.5.1-1+deb11u3
 [29 Jan 2023] DSA-5333-1 tiff - security update
{CVE-2022-1354 CVE-2022-1355 CVE-2022-1622 CVE-2022-1623 CVE-2022-2056 
CVE-2022-2057 CVE-2022-2058 CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 
CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 CVE-2022-2953 CVE-2022-3570 
CVE-2022-3597 CVE-2022-3599 CVE-2022-3627 CVE-2022-3636 CVE-2022-34526 
CVE-2022-48281}
[bullseye] - tiff 4.2.0-1+deb11u3


=
data/dsa-needed.txt
=
@@ -61,8 +61,6 @@ thunderbird (jmm)
 --
 tiff (aron)
 --
-varnish (carnil)
---
 xrdp
   needs some additional clarification, tentatively DSA worthy
   maybe upgrade to 0.9.21 within bullseye?



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e78894dedd70d7e8b7794b9f8626b196501a5a4



[Git][security-tracker-team/security-tracker][master] DLA: take fig2dev

2023-01-29 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
abf8ef50 by Adrian Bunk at 2023-01-29T23:01:24+02:00
DLA: take fig2dev

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -50,7 +50,7 @@ erlang
   NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang
   NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their 
VCS can be used.
 --
-fig2dev
+fig2dev (Adrian Bunk)
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Harmonize with bullseye 11.5 and stretch (Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abf8ef50c28d09c714ad3230d389ac13ee531fa2



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3292-1 for sofia-sip

2023-01-29 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ae9e78e7 by Adrian Bunk at 2023-01-29T23:00:41+02:00
Reserve DLA-3292-1 for sofia-sip

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[29 Jan 2023] DLA-3292-1 sofia-sip - security update
+   {CVE-2023-22741}
+   [buster] - sofia-sip 1.12.11+20110422.1-2.1+deb10u2
 [29 Jan 2023] DLA-3291-1 node-object-path - security update
{CVE-2021-3805 CVE-2021-23434}
[buster] - node-object-path 0.11.4-2+deb10u2


=
data/dla-needed.txt
=
@@ -309,10 +309,6 @@ snort (Markus Koschany)
   NOTE: 20230121: Prepared new upstream version for unstable which we could
   NOTE: 20230121: backport to buster later. See https://bugs.debian.org/1021276
 --
-sofia-sip (Adrian Bunk)
-  NOTE: 20230125: Programming language: C.
-  NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/sofia-sip.git
---
 sox (Helmut Grohne)
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae9e78e7fbd44307003cebb83d8dcc2fb9c4a941



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-01-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
76afcd4f by Salvatore Bonaccorso at 2023-01-29T21:18:47+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,9 +1,9 @@
 CVE-2023-0571 (A vulnerability has been found in SourceCodester Canteen 
Management Sy ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Canteen Management System
 CVE-2023-0570 (A vulnerability, which was classified as critical, was found in 
Source ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Online Tours & Travels Management System
 CVE-2023-0569 (Weak Password Requirements in GitHub repository publify/publify 
prior  ...)
-   TODO: check
+   NOT-FOR-US: Publify
 CVE-2023-0568
RESERVED
 CVE-2023-0567



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76afcd4f59adb6d17cf866211b330d8f3fcf37a4



[Git][security-tracker-team/security-tracker][master] Take ruby-rack and tmux

2023-01-29 Thread Utkarsh Gupta (@utkarsh)


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ad80502d by Utkarsh Gupta at 2023-01-30T01:40:47+05:30
Take ruby-rack and tmux

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -268,7 +268,7 @@ ring
 ruby-loofah
   NOTE: 20221231: Programming language: Ruby.
 --
-ruby-rack
+ruby-rack (Utkarsh)
   NOTE: 20230129: Programming language: Ruby.
   NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/ruby-rack.git
 --
@@ -331,7 +331,7 @@ tiff (Utkarsh)
 tinymce
   NOTE: 20221227: Programming language: PHP.
 --
-tmux
+tmux (Utkarsh)
   NOTE: 20230129: Programming language: C.
   NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/tmux.git
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad80502d6b7dea39ca397e0477ddf734adec8060



[Git][security-tracker-team/security-tracker][master] automatic update

2023-01-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a1c82bbe by security tracker role at 2023-01-29T20:10:21+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,47 @@
+CVE-2023-0571 (A vulnerability has been found in SourceCodester Canteen 
Management Sy ...)
+   TODO: check
+CVE-2023-0570 (A vulnerability, which was classified as critical, was found in 
Source ...)
+   TODO: check
+CVE-2023-0569 (Weak Password Requirements in GitHub repository publify/publify 
prior  ...)
+   TODO: check
+CVE-2023-0568
+   RESERVED
+CVE-2023-0567
+   RESERVED
+CVE-2022-48302
+   RESERVED
+CVE-2022-48301
+   RESERVED
+CVE-2022-48300
+   RESERVED
+CVE-2022-48299
+   RESERVED
+CVE-2022-48298
+   RESERVED
+CVE-2022-48297
+   RESERVED
+CVE-2022-48296
+   RESERVED
+CVE-2022-48295
+   RESERVED
+CVE-2022-48294
+   RESERVED
+CVE-2022-48293
+   RESERVED
+CVE-2022-48292
+   RESERVED
+CVE-2022-48291
+   RESERVED
+CVE-2022-48290
+   RESERVED
+CVE-2022-48289
+   RESERVED
+CVE-2022-48288
+   RESERVED
+CVE-2022-48287
+   RESERVED
+CVE-2022-48286
+   RESERVED
 CVE-2023-24607
RESERVED
 CVE-2023-24606
@@ -36,10 +80,10 @@ CVE-2023-0561 (A vulnerability, which was classified as 
critical, was found in S
NOT-FOR-US: SourceCodester Online Tours & Travels Management System
 CVE-2023-0560 (A vulnerability, which was classified as critical, has been 
found in S ...)
NOT-FOR-US: SourceCodester Online Tours & Travels Management System
-CVE-2016-15022
-   RESERVED
-CVE-2009-10003
-   RESERVED
+CVE-2016-15022 (A vulnerability was found in mosbth cimage up to 0.7.18. It 
has been d ...)
+   TODO: check
+CVE-2009-10003 (A vulnerability was found in capnsquarepants wordcraft up to 
0.6. It h ...)
+   TODO: check
 CVE-2023-0559
RESERVED
 CVE-2023-0558 (The ContentStudio plugin for WordPress is vulnerable to 
authorization  ...)
@@ -104129,6 +104173,7 @@ CVE-2021-3807 (ansi-regex is vulnerable to 
Inefficient Regular Expression Comple
 CVE-2021-3806 (A path traversal vulnerability on Pardus Software Center's 
"extractArc ...)
NOT-FOR-US: Pardus Software Center
 CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification 
of Obj ...)
+   {DLA-3291-1}
- node-object-path 0.11.8-1
[bullseye] - node-object-path 0.11.5-3+deb11u1
[stretch] - node-object-path  (Nodejs in stretch not 
covered by security support)
@@ -149284,6 +149329,7 @@ CVE-2021-23436 (This affects the package immer before 
9.0.6. A type confusion vu
 CVE-2021-23435 (This affects the package clearance before 2.5.0. The 
vulnerability can ...)
NOT-FOR-US: Rails clearance gem
 CVE-2021-23434 (This affects the package object-path before 0.11.6. A type 
confusion v ...)
+   {DLA-3291-1}
- node-object-path 0.11.7-1
[bullseye] - node-object-path 0.11.5-3+deb11u1
[stretch] - node-object-path  (Nodejs in stretch not 
covered by security support)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1c82bbeafae7b789d1b2a9efa93d268bb03bb3f



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-45907/pytorch fixed version via unstable

2023-01-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
379af556 by Salvatore Bonaccorso at 2023-01-29T21:05:02+01:00
Add CVE-2022-45907/pytorch fixed version via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15009,7 +15009,7 @@ CVE-2022-45909 (drachtio-server before 0.8.19 has a 
heap-based buffer over-read
 CVE-2022-45908 (In PaddlePaddle before 2.4, paddle.audio.functional.get_window 
is vuln ...)
NOT-FOR-US: PaddlePaddle
 CVE-2022-45907 (In PyTorch before trunk/89695, 
torch.jit.annotations.parse_type_line c ...)
-   - pytorch  (bug #1024903)
+   - pytorch 1.13.1+dfsg-1 (bug #1024903)
[bullseye] - pytorch  (Minor issue)
NOTE: 
https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3
NOTE: https://github.com/pytorch/pytorch/issues/88868



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/379af556decbd8ce2e117e3599b891ff4aa00582



[Git][security-tracker-team/security-tracker][master] Track fixed version for openjdk-8 issues fixed via unstable

2023-01-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ec623ecd by Salvatore Bonaccorso at 2023-01-29T21:03:51+01:00
Track fixed version for openjdk-8 issues fixed via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9780,7 +9780,7 @@ CVE-2023-21844 (Vulnerability in the PeopleSoft 
Enterprise PeopleTools product o
NOT-FOR-US: Oracle
 CVE-2023-21843 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise 
Edition ...)
{DSA-5331-1}
-   - openjdk-8 
+   - openjdk-8 8u362-ga-1
- openjdk-11 11.0.18+10-1
- openjdk-17 17.0.6+10-1
- openjdk-21 21~7ea-1
@@ -9812,7 +9812,7 @@ CVE-2023-21832 (Vulnerability in the Oracle BI Publisher 
product of Oracle Fusio
 CVE-2023-21831 (Vulnerability in the PeopleSoft Enterprise CS Academic 
Advisement prod ...)
NOT-FOR-US: Oracle
 CVE-2023-21830 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise 
Edition ...)
-   - openjdk-8 
+   - openjdk-8 8u362-ga-1
- openjdk-21 21~7ea-1
 CVE-2023-21829 (Vulnerability in the Oracle Database RDBMS Security component 
of Oracl ...)
NOT-FOR-US: Oracle



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec623ecd8713c0b0e4626f917e640a824144a365



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-24839/nekohtml via unstable

2023-01-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54f9a02f by Salvatore Bonaccorso at 2023-01-29T21:02:40+01:00
Track fixed version for CVE-2022-24839/nekohtml via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -76657,7 +76657,7 @@ CVE-2022-24841 (fleetdm/fleet is an open source device 
management, built on osqu
 CVE-2022-24840 (django-s3file is a lightweight file upload input for Django 
and Amazon ...)
NOT-FOR-US: django-s3file
 CVE-2022-24839 (org.cyberneko.html is an html parser written in Java. The fork 
of `org ...)
-   - nekohtml  (bug #1021739)
+   - nekohtml 1.9.22.noko2-0.1 (bug #1021739)
[bullseye] - nekohtml  (Minor issue)
[buster] - nekohtml  (Minor issue)
[stretch] - nekohtml  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54f9a02f279dd18e9368dac1f01bafd39f2ca3d6



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add ruby-rack to dla-needed.txt

2023-01-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4a75521a by Anton Gladky at 2023-01-29T20:51:06+01:00
LTS: add ruby-rack to dla-needed.txt

- - - - -
b7512050 by Anton Gladky at 2023-01-29T20:55:40+01:00
LTS: add tmux to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -268,6 +268,10 @@ ring
 ruby-loofah
   NOTE: 20221231: Programming language: Ruby.
 --
+ruby-rack
+  NOTE: 20230129: Programming language: Ruby.
+  NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/ruby-rack.git
+--
 ruby-rails-html-sanitizer
   NOTE: 20221231: Programming language: Ruby.
   NOTE: 20221231: VCS: 
https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git
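
Review bot: the new ruby-rack entry carries only the language and VCS notes, and nothing in it says which issues prompted adding the package. A short NOTE naming the CVE ids or the number of open issues, as the wireshark entry further down does, would let a prospective claimant judge the scope up front; the same applies to the tmux entry added in the next hunk.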
@@ -327,6 +331,10 @@ tiff (Utkarsh)
 tinymce
   NOTE: 20221227: Programming language: PHP.
 --
+tmux
+  NOTE: 20230129: Programming language: C.
+  NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/tmux.git
+--
 wireshark
   NOTE: 20230123: Programming language: C.
   NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them 
pile up like last time. (utkarsh).



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d135f1805bbdc3ce352b4b113f59df9920a5eff...b7512050abddcfa78497aca3d00f5f6b13c0



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: take libgit2

2023-01-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c570f946 by Anton Gladky at 2023-01-29T18:23:14+01:00
LTS: take libgit2

- - - - -
2d135f18 by Anton Gladky at 2023-01-29T18:23:41+01:00
LTS: take man2html

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -112,7 +112,7 @@ libapache2-mod-auth-mellon
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
 --
-libgit2
+libgit2 (gladk)
   NOTE: 20230126: Programming language: C.
   NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/libgit2.git
   NOTE: 20230126: Please fix also CVE-2020* (gladk).
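
Review bot: the context NOTE on the libgit2 entry asks to "fix also CVE-2020*" without naming the ids. Now that the entry is claimed, consider replacing the wildcard with the specific CVE ids so the scope of the planned update is unambiguous.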
@@ -135,7 +135,7 @@ libstb (Adrian Bunk)
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --
-man2html
+man2html (gladk)
   NOTE: 20221004: Programming language: C.
   NOTE: 20221004: It looks like not patch is available.
   NOTE: 20221004: Please evalulate, whether the issue can be marked as 
.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/86672ee355229f340c3fa92a00d7ba7903893d1d...2d135f1805bbdc3ce352b4b113f59df9920a5eff



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3291-1 for node-object-path

2023-01-29 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86672ee3 by Guilhem Moulin at 2023-01-29T17:05:53+01:00
Reserve DLA-3291-1 for node-object-path

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -104131,7 +104131,6 @@ CVE-2021-3806 (A path traversal vulnerability on 
Pardus Software Center's "extra
 CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification 
of Obj ...)
- node-object-path 0.11.8-1
[bullseye] - node-object-path 0.11.5-3+deb11u1
-   [buster] - node-object-path  (Minor issue)
[stretch] - node-object-path  (Nodejs in stretch not 
covered by security support)
NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053
NOTE: 
https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884
 (v0.11.8)
@@ -149287,7 +149286,6 @@ CVE-2021-23435 (This affects the package clearance 
before 2.5.0. The vulnerabili
 CVE-2021-23434 (This affects the package object-path before 0.11.6. A type 
confusion v ...)
- node-object-path 0.11.7-1
[bullseye] - node-object-path 0.11.5-3+deb11u1
-   [buster] - node-object-path  (Minor issue)
[stretch] - node-object-path  (Nodejs in stretch not 
covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453
NOTE: 
https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[29 Jan 2023] DLA-3291-1 node-object-path - security update
+   {CVE-2021-3805 CVE-2021-23434}
+   [buster] - node-object-path 0.11.4-2+deb10u2
 [29 Jan 2023] DLA-3290-1 libzen - security update
{CVE-2020-36646}
[buster] - libzen 0.4.37-1+deb10u1


=
data/dla-needed.txt
=
@@ -177,11 +177,6 @@ node-nth-check
   NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk)
   NOTE: 20221223: Module has been rewritten in Typescript since Buster 
released (lamby).
 --
-node-object-path (guilhem)
-  NOTE: 2022: Programming language: JavaScript.
-  NOTE: 2022: Follow fixes from bullseye 11.1 (Beuc/front-desk)
-  NOTE: 20221223: Functional part of CVE-2021-3805 might be 
https://gist.github.com/lamby/ebf0633837f16d174138bbf36bef38f3/raw (lamby)
---
 node-qs
   NOTE: 20230105: Programming language: JavaScript.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86672ee355229f340c3fa92a00d7ba7903893d1d



[Git][security-tracker-team/security-tracker][master] LTS: Claim apache2 and asterisk

2023-01-29 Thread Lee Garrett (@lgarrett)


Lee Garrett pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f4b39a3 by Lee Garrett at 2023-01-29T16:53:03+01:00
LTS: Claim apache2 and asterisk

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -17,12 +17,12 @@ rather than remove/replace existing ones.
   NOTE: 20221231: Programming language: C.
   NOTE: 20221231: Few users. Low prio. (opal).
 --
-apache2
+apache2 (Lee Garrett)
   NOTE: 20221227: Programming language: C.
   NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git
   NOTE: 20221227: Special attention: Double check an update! Package is used 
by many customers and users!.
 --
-asterisk
+asterisk (Lee Garrett)
   NOTE: 20221211: Programming language: C.
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f4b39a34213dea3ed60b3d8c0f046869a5b167a



[Git][security-tracker-team/security-tracker][master] add tiff to dsa-needed.txt and claim it

2023-01-29 Thread Aron Xu (@aron)


Aron Xu pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f7db63d1 by Aron Xu at 2023-01-29T21:20:57+08:00
add tiff to dsa-needed.txt and claim it

There are three more open CVEs to be addressed which are not covered by
the previous release

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -59,6 +59,8 @@ sox
 --
 thunderbird (jmm)
 --
+tiff (aron)
+--
 varnish (carnil)
 --
 xrdp
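
Review bot: the commit message says three more open CVEs remain, but the added "tiff (aron)" entry has no note naming them. Listing the CVE ids in an indented note under the entry would let others see the scope of the pending update without cross-referencing data/CVE/list.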



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7db63d1e9908f34db27c4245219b8906cb030c1



[Git][security-tracker-team/security-tracker][master] Track source wise fix for CVE-2022-4842/linux via unstable

2023-01-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
72166d1c by Salvatore Bonaccorso at 2023-01-29T13:36:51+01:00
Track source wise fix for CVE-2022-4842/linux via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6497,7 +6497,7 @@ CVE-2022-4843 (NULL Pointer Dereference in GitHub 
repository radareorg/radare2 p
NOTE: https://huntr.dev/bounties/075b2760-66a0-4d38-b3b5-e9934956ab7f
NOTE: 
https://github.com/radareorg/radare2/commit/842f809d4ec6a12af2906f948657281c9ebc8a24
 CVE-2022-4842 (A flaw NULL Pointer Dereference in the Linux kernel NTFS3 
driver funct ...)
-   - linux  (unimportant)
+   - linux 6.1.8-1 (unimportant)
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2156927
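
Review bot: the changed `- linux` line now records 6.1.8-1 as the fixed version, but the only reference visible in this entry is the Red Hat Bugzilla NOTE, which does not tie the fix to that upload. Add a NOTE with the upstream fix commit so the recorded version can be checked against the source.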



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72166d1c08916209eb89f668ca5b3c02b0195469



[Git][security-tracker-team/security-tracker][master] LTS: claim node-object-path in dla-needed.txt

2023-01-29 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
841100ea by Guilhem Moulin at 2023-01-29T12:02:33+01:00
LTS: claim node-object-path in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -177,7 +177,7 @@ node-nth-check
   NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk)
   NOTE: 20221223: Module has been rewritten in Typescript since Buster 
released (lamby).
 --
-node-object-path
+node-object-path (guilhem)
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.1 (Beuc/front-desk)
   NOTE: 20221223: Functional part of CVE-2021-3805 might be 
https://gist.github.com/lamby/ebf0633837f16d174138bbf36bef38f3/raw (lamby)
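
Review bot: the claim on `node-object-path` leaves the 20221223 NOTE for CVE-2021-3805 in its tentative form ("might be" the linked gist). Once the functional part of the fix has been confirmed, replace that NOTE with the verified reference, or drop it, so the entry does not carry an unconfirmed pointer into the DLA work.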



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/841100ea1bcc25637d57ff72b40f4b42550983ec



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-01-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bdef1465 by Salvatore Bonaccorso at 2023-01-29T09:47:06+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27,11 +27,11 @@ CVE-2023-0565
 CVE-2023-0564 (Weak Password Requirements in GitHub repository froxlor/froxlor 
prior  ...)
- froxlor  (bug #581792)
 CVE-2023-0563 (A vulnerability classified as problematic has been found in 
PHPGurukul ...)
-   TODO: check
+   NOT-FOR-US: PHPGurukul Bank Locker Management System
 CVE-2022-48285 (loadAsync in JSZip before 3.8.0 allows Directory Traversal via 
a craft ...)
TODO: check
 CVE-2023-0562 (A vulnerability was found in PHPGurukul Bank Locker Management 
System  ...)
-   TODO: check
+   NOT-FOR-US: PHPGurukul Bank Locker Management System
 CVE-2023-0561 (A vulnerability, which was classified as critical, was found in 
Source ...)
NOT-FOR-US: SourceCodester Online Tours & Travels Management System
 CVE-2023-0560 (A vulnerability, which was classified as critical, has been 
found in S ...)
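
Review bot: CVE-2022-48285 (JSZip), which sits between the two PHPGurukul entries marked NOT-FOR-US in this hunk, is still `TODO: check`. Unlike its neighbours it names a library with a version bound (before 3.8.0), so it needs a package lookup rather than an NFU tag and is worth picking up in a follow-up commit.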
@@ -65,7 +65,7 @@ CVE-2022-48284
 CVE-2022-48283
RESERVED
 CVE-2021-4315 (A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 
and class ...)
-   TODO: check
+   NOT-FOR-US: NYUCCL psiTurk
 CVE-2023-24595
RESERVED
 CVE-2023-24583



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdef1465a23dc3ef9be29b43c6bf12dc0a292ac5



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-0564/froxlor

2023-01-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
21180ba7 by Salvatore Bonaccorso at 2023-01-29T09:28:01+01:00
Add CVE-2023-0564/froxlor

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25,7 +25,7 @@ CVE-2023-0566
 CVE-2023-0565
RESERVED
 CVE-2023-0564 (Weak Password Requirements in GitHub repository froxlor/froxlor 
prior  ...)
-   TODO: check
+   - froxlor  (bug #581792)
 CVE-2023-0563 (A vulnerability classified as problematic has been found in 
PHPGurukul ...)
TODO: check
 CVE-2022-48285 (loadAsync in JSZip before 3.8.0 allows Directory Traversal via 
a craft ...)
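
Review bot: the new `- froxlor` line carries only the bug reference (#581792) and no NOTE. Since the description gives a version bound ("prior ..."), add a NOTE with the upstream advisory or fix commit so the fixed version can be filled in later without repeating the research.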



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21180ba767caf929befb3471fc57b21b0e84fcd9



[Git][security-tracker-team/security-tracker][master] automatic update

2023-01-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8b7cd73 by security tracker role at 2023-01-29T08:10:14+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,37 @@
-CVE-2023-0562
+CVE-2023-24607
RESERVED
+CVE-2023-24606
+   RESERVED
+CVE-2023-24605
+   RESERVED
+CVE-2023-24604
+   RESERVED
+CVE-2023-24603
+   RESERVED
+CVE-2023-24602
+   RESERVED
+CVE-2023-24601
+   RESERVED
+CVE-2023-24600
+   RESERVED
+CVE-2023-24599
+   RESERVED
+CVE-2023-24598
+   RESERVED
+CVE-2023-24597
+   RESERVED
+CVE-2023-0566
+   RESERVED
+CVE-2023-0565
+   RESERVED
+CVE-2023-0564 (Weak Password Requirements in GitHub repository froxlor/froxlor 
prior  ...)
+   TODO: check
+CVE-2023-0563 (A vulnerability classified as problematic has been found in 
PHPGurukul ...)
+   TODO: check
+CVE-2022-48285 (loadAsync in JSZip before 3.8.0 allows Directory Traversal via 
a craft ...)
+   TODO: check
+CVE-2023-0562 (A vulnerability was found in PHPGurukul Bank Locker Management 
System  ...)
+   TODO: check
 CVE-2023-0561 (A vulnerability, which was classified as critical, was found in 
Source ...)
NOT-FOR-US: SourceCodester Online Tours & Travels Management System
 CVE-2023-0560 (A vulnerability, which was classified as critical, has been 
found in S ...)
@@ -32,8 +64,8 @@ CVE-2022-48284
RESERVED
 CVE-2022-48283
RESERVED
-CVE-2021-4315
-   RESERVED
+CVE-2021-4315 (A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 
and class ...)
+   TODO: check
 CVE-2023-24595
RESERVED
 CVE-2023-24583
@@ -1386,6 +1418,7 @@ CVE-2023-0435 (Excessive Attack Surface in GitHub 
repository pyload/pyload prior
 CVE-2022-4895
RESERVED
 CVE-2022-48281 (processCropSelections in tools/tiffcrop.c in LibTIFF through 
4.5.0 has ...)
+   {DSA-5333-1}
- tiff 4.5.0-4 (bug #1029653)
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/488
@@ -5055,6 +5088,7 @@ CVE-2023-22850 (Tiki before 24.1, when the Spreadsheets 
feature is enabled, allo
 CVE-2021-4307 (A vulnerability was found in Yomguithereal Baobab up to 2.6.0. 
It has  ...)
NOT-FOR-US: Yomguithereal Baobab
 CVE-2020-36646 (A vulnerability classified as problematic has been found in 
MediaArea  ...)
+   {DLA-3290-1}
- libzen 0.4.39-1
[bullseye] - libzen  (Minor issue)
NOTE: https://github.com/MediaArea/ZenLib/pull/119
@@ -24277,7 +24311,7 @@ CVE-2022-43553 (A remote code execution vulnerability 
in EdgeRouters (Version 2.
NOT-FOR-US: EdgeRouters
 CVE-2022-43552 [HTTP Proxy deny use-after-free]
RESERVED
-   {DSA-5330-1}
+   {DSA-5330-1 DLA-3288-1}
- curl 7.86.0-3 (bug #1026830)
NOTE: https://curl.se/docs/CVE-2022-43552.html
NOTE: Introduced by (telnet): 
https://github.com/curl/curl/commit/b7eeb6e67fca686f840eacd6b8394edb58b07482 
(curl-7_16_0)
@@ -24563,6 +24597,7 @@ CVE-2022-3637 (A vulnerability has been found in Linux 
Kernel and classified as
NOTE: Fixed by: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f
 (5.65)
NOTE: Introduced by: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=6f02010ce0043ec2e17eb15f2a1dd42f6c64e223
 (5.65)
 CVE-2022-3636 (A vulnerability, which was classified as critical, was found in 
Linux  ...)
+   {DSA-5333-1}
- linux  (No vulnerable code in any upstream or Debian 
released version)
NOTE: 
https://git.kernel.org/linus/17a5f6a78dc7b8db385de346092d7d9f9dc24df6
 CVE-2022-3635 (A vulnerability, which was classified as critical, has been 
found in L ...)
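
Review bot: `{DSA-5333-1}` is attached here to CVE-2022-3636, whose only package line is `- linux` with "No vulnerable code in any upstream or Debian released version", while every other entry that gains DSA-5333-1 in this diff (CVE-2022-48281, CVE-2022-3627, CVE-2022-3599) is a tiff entry. That points to a wrong CVE id recorded for the advisory rather than to a linux fix; check the CVE ids listed for DSA-5333-1 and correct the id there, so the next automatic update drops this cross-reference.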
@@ -24600,7 +24635,7 @@ CVE-2022-3628 (A buffer overflow flaw was found in the 
Linux kernel Broadcom Ful
[bullseye] - linux 5.10.158-1
NOTE: https://www.openwall.com/lists/oss-security/2022/10/29/1
 CVE-2022-3627 (LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in 
libtiff/tif ...)
-   {DLA-3278-1}
+   {DSA-5333-1 DLA-3278-1}
- tiff 4.4.0-5 (bug #1022555)
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/411
@@ -24691,7 +24726,7 @@ CVE-2022-3601 (The Image Hover Effects Css3 WordPress 
plugin through 4.5 does no
 CVE-2022-3600 (The Easy Digital Downloads WordPress plugin before 3.1.0.2 does 
not va ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-3599 (LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection 
in tools ...)
-   {DLA-3278-1}
+   {DSA-5333-1 DLA-3278-1}
- tiff 4.4.0-5 (bug #1022555)
NOTE: