[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4833{7,8,9}/emacs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d64a2bc7 by Salvatore Bonaccorso at 2023-02-21T08:06:59+01:00 Add CVE-2022-4833{7,8,9}/emacs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,12 @@ +CVE-2022-48339 [Fix htmlfontify.el command injection vulnerability] + - emacs + NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c +CVE-2022-48338 [Fix ruby-mode.el local command injection vulnerability] + - emacs + NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c +CVE-2022-48337 [Fix etags local command injection vulnerability] + - emacs + NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c CVE-2023-26213 RESERVED CVE-2023-26212 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d64a2bc7e316467d8f752048c06355ce51260147 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d64a2bc7e316467d8f752048c06355ce51260147 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
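Review bot: the three new entries record only `- emacs` with no fixed Debian version, per-suite status or Debian bug reference, so the package simply shows as unfixed everywhere until someone revisits them; suggest adding a `(bug #...)` reference once a bug is filed and the fixed version once the upstream commits are in a Debian upload. Also, the three NOTE lines give bare Savannah commit URLs without the release they landed in, unlike the `(v0.18.3)` and `(17.25.3)` annotations used on other entries on this page; annotating the emacs release (or "unreleased") would make backport triage for bullseye and buster quicker.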
[Git][security-tracker-team/security-tracker][master] dla: update runc status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 84a28eb6 by Sylvain Beucler at 2023-02-20T23:35:14+01:00 dla: update runc status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -311,6 +311,8 @@ runc (Sylvain Beucler) NOTE: 20220905: Special attention: Sync with Bullseye. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/runc.git NOTE: 20230213: Starting checking security issues, packaging strategy and testing procedures (Beuc) + NOTE: 20230218: golang-github-opencontainers-selinux fix uploaded via DLA-3322-1 (Beuc) + NOTE: 20230220: Checking possible re-introduction of CVE-2019-19921 with upstream (Beuc) -- salt NOTE: 20220814: Programming language: Python. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84a28eb623e5dc615173061003783cd5b4c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84a28eb623e5dc615173061003783cd5b4c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
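Review bot: the 20230220 note says "possible re-introduction of CVE-2019-19921", while the matching NOTE added to data/CVE/list in db67e466 says "possibly partial fix only"; those describe different situations (a regression versus an incomplete upstream fix), so it would help to use the same wording in both places, or to point this note at the upstream issue comment the CVE/list NOTE cites. The 20230218 line about DLA-3322-1 concerns golang-github-opencontainers-selinux, a different source package; it is fine as a cross-reference, but stating why it is tracked under the runc entry would spare the reader the lookup.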
[Git][security-tracker-team/security-tracker][master] LTS: add python3.7 to dla-needed.txt
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 81eb6f56 by Ola Lundqvist at 2023-02-20T23:20:45+01:00 LTS: add python3.7 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -247,6 +247,11 @@ python-werkzeug NOTE: 20230219: Programming language: Python. NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/python-werkzeug.git -- +python3.7 + NOTE: 20230220: Programming language: Python. + NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/python3.7.git + NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html +-- qemu NOTE: 20221108: Programming language: C. NOTE: 20221108: I updated the status of all opened (minor) CVEs to more clearly state whether we can fix or are waiting for a patch, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81eb6f56c0272d6bd7577f82cbc9a46ddc991969 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81eb6f56c0272d6bd7577f82cbc9a46ddc991969 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
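Review bot: the new python3.7 entry has the language, VCS and testsuite lines but no note on what prompted adding it (open CVEs, their severity, or a "sync with bullseye" hint as the runc entry carries in commit 84a28eb6), so whoever claims it has to rediscover that; a dated NOTE naming the trigger would help.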
[Git][security-tracker-team/security-tracker][master] CVE-2023-0482 as no-dsa for buster following decision for later release as well.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: b6796349 by Ola Lundqvist at 2023-02-20T22:18:52+01:00 CVE-2023-0482 as no-dsa for buster following decision for later release as well. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4895,6 +4895,7 @@ CVE-2023-0482 (In RESTEasy the insecure File.createTempFile() is used in the Dat - resteasy - resteasy3.0 [bullseye] - resteasy3.0 (Minor issue) + [buster] - resteasy3.0 (Minor issue) NOTE: https://github.com/resteasy/resteasy/pull/3409/ NOTE: https://github.com/resteasy/resteasy/commit/3d8a551d80b98f185edaff6f895188ec8211366b CVE-2023-0481 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6796349cf4b634f2a30c66a0c6c3c1d2ff8e9fe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6796349cf4b634f2a30c66a0c6c3c1d2ff8e9fe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
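Review bot: the added buster line mirrors the bullseye `(Minor issue)` marker, but nothing in the entry records the decision the commit message refers to; a dated NOTE, or a link to where the no-dsa decision for the later release was taken, would let the next person see the rationale without digging through history. The description's `File.createTempFile()` usage is consistent with a minor classification, so the marker itself looks right.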
[Git][security-tracker-team/security-tracker][master] LTS: add git to dla-needed.txt
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 5213b591 by Ola Lundqvist at 2023-02-20T22:04:34+01:00 LTS: add git to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -80,6 +80,10 @@ fusiondirectory NOTE: 20221203: Feel free to marke both CVEs as , if they are not too serious (gladk). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/fusiondirectory.git -- +git + NOTE: 20230220: Programming language: C. + NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/git.git +-- golang-1.11 NOTE: 20220916: Programming language: Go. NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5213b5910fe3be8977d7185c430e98263b559d96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5213b5910fe3be8977d7185c430e98263b559d96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
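Review bot: git is being added to data/dsa-needed.txt by Aron Xu in commit 5b371a17 on the same day, so a "Special attention: sync with the bullseye/DSA update" note here would avoid LTS and the security team preparing divergent patch sets for the same CVEs. Unrelated to this change but visible in the context: the fusiondirectory note reads "Feel free to marke both CVEs as ," with a typo and the intended status marker after "as" missing; worth a separate fix.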
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-40899/python-future
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9864421 by Salvatore Bonaccorso at 2023-02-20T21:44:47+01:00 Add Debian bug reference for CVE-2022-40899/python-future - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36334,7 +36334,7 @@ CVE-2022-40901 CVE-2022-40900 RESERVED CVE-2022-40899 (An issue discovered in Python Charmers Future 0.18.2 and earlier allow ...) - - python-future + - python-future (bug #1031699) NOTE: https://github.com/PythonCharmers/python-future/pull/610 NOTE: https://github.com/PythonCharmers/python-future/commit/c91d70b34ef0402aef3e9d04364ba98509dca76f (v0.18.3) CVE-2022-40898 (An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9864421fcd42a38a1cf36627601b67c1535f725 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9864421fcd42a38a1cf36627601b67c1535f725 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
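Review bot: the bug reference is fine; since the NOTE already records the upstream fix as v0.18.3, the entry still lacks a Debian fixed version, so pair the bug reference with the fixed version once 0.18.3 or the backported commit is uploaded.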
[Git][security-tracker-team/security-tracker][master] Process some new CVEs for check-mk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 98ea3b40 by Salvatore Bonaccorso at 2023-02-20T21:24:26+01:00 Process some new CVEs for check-mk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1894,15 +1894,15 @@ CVE-2023-0746 CVE-2023-0745 (Relative Path Traversal vulnerability in YugaByte, Inc. Yugabyte Manag ...) - yugabyte-db (bug #989673) CVE-2022-48321 (Limited Server-Side Request Forgery (SSRF) in agent-receiver in Tribe2 ...) - TODO: check + - check-mk CVE-2022-48320 (Cross-site Request Forgery (CSRF) in Tribe29's Checkmk = 2.1.0p17, ...) - TODO: check + - check-mk CVE-2022-48319 (Sensitive host secret disclosed in cmk-update-agent.log file in Tribe2 ...) - TODO: check + - check-mk CVE-2022-48318 (No authorisation controls in the RestAPI documentation for Tribe29's C ...) - TODO: check + - check-mk CVE-2022-48317 (Expired sessions were not securely terminated in the RestAPI for Tribe ...) - TODO: check + - check-mk CVE-2023-25600 RESERVED CVE-2023-25599 
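Review bot: the five entries go from `TODO: check` to a bare `- check-mk` with no fixed version, severity or bug reference, so they all show as unfixed in every suite; the descriptions name components (agent-receiver, cmk-update-agent.log, the RestAPI) whose presence in the Debian check-mk package decides whether each CVE applies, so a NOTE per entry on which component is shipped, plus a `(bug #...)` or `<not-affected>` marker where appropriate, would finish the triage rather than just move it out of the TODO state.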
@@ -6749,11 +6749,11 @@ CVE-2023-0368 CVE-2022-4892 (A vulnerability was found in MyCMS. It has been classified as problema ...) NOT-FOR-US: MyCMS CVE-2022-47909 (Livestatus Query Language (LQL) injection in the AuthUser HTTP query h ...) - TODO: check + - check-mk CVE-2022-46836 (PHP code injection in watolib auth.php and hosttags.php in Tribe29's C ...) - TODO: check + - check-mk CVE-2022-46303 (Command injection in SMS notifications in Tribe29 Checkmk = 2.1.0p ...) - TODO: check + - check-mk CVE-2022-46302 RESERVED CVE-2022-43440 (Uncontrolled Search Path Element in Checkmk Agent in Tribe29 Checkmk b ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98ea3b40980695c949c4e448f412b97c16676a7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98ea3b40980695c949c4e448f412b97c16676a7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
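Review bot: CVE-2022-46303 (command injection in SMS notifications) and CVE-2022-46836 (PHP code injection in watolib) are code-execution issues, unlike the disclosure and CSRF entries in the earlier hunk, yet they get the same bare `- check-mk` line with no severity marker; if the notification and watolib code is shipped in Debian's check-mk, these two deserve a severity and a bug reference ahead of the others.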
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 50dae3c4 by Salvatore Bonaccorso at 2023-02-20T21:18:56+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -357,11 +357,11 @@ CVE-2023-0915 (A vulnerability classified as critical has been found in SourceCo CVE-2017-20178 RESERVED CVE-2016-15027 (A vulnerability was found in meta4creations Post Duplicator Plugin 2.1 ...) - TODO: check + NOT-FOR-US: meta4creations Post Duplicator Plugin CVE-2015-10082 RESERVED CVE-2015-10081 (A vulnerability was found in arnoldle submitByMailPlugin 1.0b2.9 and c ...) - TODO: check + NOT-FOR-US: arnoldle submitByMailPlugin CVE-2014-125089 RESERVED CVE-2023-0914 (Improper Authorization in GitHub repository pixelfed/pixelfed prior to ...) @@ -1992,9 +1992,9 @@ CVE-2023-25572 (react-admin is a frontend framework for building browser applica CVE-2023-25571 (Backstage is an open platform for building developer portals. `@backst ...) NOT-FOR-US: Backstage CVE-2023-25570 (Apollo is a configuration management system. Prior to version 2.1.0, t ...) - TODO: check + NOT-FOR-US: Apollo CVE-2023-25569 (Apollo is a configuration management system. Prior to version 2.1.0, a ...) - TODO: check + NOT-FOR-US: Apollo CVE-2023-25568 RESERVED CVE-2023-25567 (GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50dae3c4e7449cf654c73ac03f3cac277b28f5c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50dae3c4e7449cf654c73ac03f3cac277b28f5c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
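Review bot: `NOT-FOR-US: Apollo` on the two CVE-2023-2557x lines is ambiguous, since "Apollo" names several unrelated projects; the other NFU lines in this commit carry a disambiguator ("meta4creations Post Duplicator Plugin", "arnoldle submitByMailPlugin"), so "Apollo (configuration management system)" or the upstream repository name would be consistent with them.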
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b1527c76 by security tracker role at 2023-02-20T20:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,241 @@ +CVE-2023-26213 + RESERVED +CVE-2023-26212 + RESERVED +CVE-2023-26211 + RESERVED +CVE-2023-26210 + RESERVED +CVE-2023-26209 + RESERVED +CVE-2023-26208 + RESERVED +CVE-2023-26207 + RESERVED +CVE-2023-26206 + RESERVED +CVE-2023-26205 + RESERVED +CVE-2023-26204 + RESERVED +CVE-2023-26203 + RESERVED +CVE-2023-26202 + RESERVED +CVE-2023-26201 + RESERVED +CVE-2023-26200 + RESERVED +CVE-2023-26199 + RESERVED +CVE-2023-26198 + RESERVED +CVE-2023-26197 + RESERVED +CVE-2023-26196 + RESERVED +CVE-2023-26195 + RESERVED +CVE-2023-26194 + RESERVED +CVE-2023-26193 + RESERVED +CVE-2023-26192 + RESERVED +CVE-2023-26191 + RESERVED +CVE-2023-26190 + RESERVED +CVE-2023-26189 + RESERVED +CVE-2023-26188 + RESERVED +CVE-2023-26187 + RESERVED +CVE-2023-26186 + RESERVED +CVE-2023-26185 + RESERVED +CVE-2023-26184 + RESERVED +CVE-2023-26183 + RESERVED +CVE-2023-26182 + RESERVED +CVE-2023-26181 + RESERVED +CVE-2023-26180 + RESERVED +CVE-2023-26179 + RESERVED +CVE-2023-26178 + RESERVED +CVE-2023-26177 + RESERVED +CVE-2023-26176 + RESERVED +CVE-2023-26175 + RESERVED +CVE-2023-26174 + RESERVED +CVE-2023-26173 + RESERVED +CVE-2023-26172 + RESERVED +CVE-2023-26171 + RESERVED +CVE-2023-26170 + RESERVED +CVE-2023-26169 + RESERVED +CVE-2023-26168 + RESERVED +CVE-2023-26167 + RESERVED +CVE-2023-26166 + RESERVED +CVE-2023-26165 + RESERVED +CVE-2023-26164 + RESERVED +CVE-2023-26163 + RESERVED +CVE-2023-26162 + RESERVED +CVE-2023-26161 + RESERVED +CVE-2023-26160 + RESERVED +CVE-2023-26159 + RESERVED +CVE-2023-26158 + RESERVED +CVE-2023-26157 + RESERVED +CVE-2023-26156 + RESERVED +CVE-2023-26155 + RESERVED +CVE-2023-26154 + RESERVED +CVE-2023-26153 + RESERVED +CVE-2023-26152 + RESERVED +CVE-2023-26151 + RESERVED +CVE-2023-26150 + RESERVED +CVE-2023-26149 + RESERVED +CVE-2023-26148 + RESERVED +CVE-2023-26147 + RESERVED +CVE-2023-26146 + RESERVED +CVE-2023-26145 + RESERVED +CVE-2023-26144 + RESERVED +CVE-2023-26143 + RESERVED +CVE-2023-26142 + RESERVED +CVE-2023-26141 + RESERVED 
+CVE-2023-26140 + RESERVED +CVE-2023-26139 + RESERVED +CVE-2023-26138 + RESERVED +CVE-2023-26137 + RESERVED +CVE-2023-26136 + RESERVED +CVE-2023-26135 + RESERVED +CVE-2023-26134 + RESERVED +CVE-2023-26133 + RESERVED +CVE-2023-26132 + RESERVED +CVE-2023-26131 + RESERVED +CVE-2023-26130 + RESERVED +CVE-2023-26129 + RESERVED +CVE-2023-26128 + RESERVED +CVE-2023-26127 + RESERVED +CVE-2023-26126 + RESERVED +CVE-2023-26125 + RESERVED +CVE-2023-26124 + RESERVED +CVE-2023-26123 + RESERVED +CVE-2023-26122 + RESERVED +CVE-2023-26121 + RESERVED +CVE-2023-26120 + RESERVED +CVE-2023-26119 + RESERVED +CVE-2023-26118 + RESERVED +CVE-2023-26117 + RESERVED +CVE-2023-26116 + RESERVED +CVE-2023-26115 + RESERVED +CVE-2023-26114 + RESERVED +CVE-2023-26113 + RESERVED +CVE-2023-26112 + RESERVED +CVE-2023-26111 + RESERVED +CVE-2023-26110 + RESERVED +CVE-2023-26109 + RESERVED +CVE-2023-26108 + RESERVED +CVE-2023-26107 + RESERVED +CVE-2023-26106 + RESERVED +CVE-2023-26105 + RESERVED +CVE-2023-26104 + RESERVED +CVE-2023-26103 + RESERVED +CVE-2023-26102 + RESERVED +CVE-2023-0926 + RESERVED +CVE-2023-0925 + RESERVED +CVE-2023-0924 + RESERVED +CVE-2023-0923 + RESERVED +CVE-2023-0922 + RESERVED +CVE-2023-0921 + RESERVED +CVE-2022-48330 + RESERVED CVE-2023-26101 RESERVED CVE-2023-26100 @@ -118,12 +356,12 @@ CVE-2023-0915 (A vulnerability classified as critical has been found in SourceCo NOT-FOR-US: SourceCodester Auto Dealer Management System CVE-2017-20178 RESERVED -CVE-2016-15027 - RESERVED +CVE-2016-15027 (A vulnerability was found in meta4creations Post Duplicator Plugin 2.1 ...) + TODO: check CVE-2015-10082 RESERVED -CVE-2015-10081 - RESERVED +CVE-2015-10081 (A vulnerability was found in arnoldle submitByMailPlugin 1.0b2.9 and c ...) + TODO: check CVE-2014-125089 RESERVED CVE-2023-0914 (Improper Authorization in GitHub repository pixelfed/pixelfed prior to ...) @@ -132,16 +370,16 @@
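Review bot: nothing to act on in the RESERVED block; the only substantive change is CVE-2016-15027 and CVE-2015-10081 going from RESERVED to a description with `TODO: check`, and both are resolved to NOT-FOR-US in commit 50dae3c4, so no follow-up is needed here.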
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3329-1 for python-django
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 29b72345 by Chris Lamb at 2023-02-20T12:00:18-08:00 Reserve DLA-3329-1 for python-django - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Feb 2023] DLA-3329-1 python-django - security update + {CVE-2023-24580} + [buster] - python-django 1:1.11.29-1+deb10u7 [20 Feb 2023] DLA-3328-1 clamav - security update {CVE-2023-20032 CVE-2023-20052} [buster] - clamav 0.103.8+dfsg-0+deb10u1 = data/dla-needed.txt = @@ -235,11 +235,6 @@ python-cryptography (Chris Lamb) NOTE: 20230219: Programming language: Python. NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/python-cryptography.git -- -python-django (Chris Lamb) - NOTE: 20230219: Programming language: Python. - NOTE: 20230219: VCS: https://salsa.debian.org/python-team/packages/python-django - NOTE: 20230219: Special attention: Chris Lamb is the maintainer. --- python-oslo.privsep NOTE: 20221231: Programming language: Python. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/python-oslo.privsep.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29b723451d47dca94748816c874cd4f43f9f22dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29b723451d47dca94748816c874cd4f43f9f22dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim python-cryptography.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b25f15b by Chris Lamb at 2023-02-20T11:14:49-08:00 data/dla-needed.txt: Claim python-cryptography. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -231,7 +231,7 @@ puppet-module-puppetlabs-mysql NOTE: 20221107: Programming language: Puppet, Ruby. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git -- -python-cryptography +python-cryptography (Chris Lamb) NOTE: 20230219: Programming language: Python. NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/python-cryptography.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b25f15bbc050d15bb9fdeae0a2361af0635790d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b25f15bbc050d15bb9fdeae0a2361af0635790d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim python-django.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 3108472d by Chris Lamb at 2023-02-20T11:10:21-08:00 data/dla-needed.txt: Claim python-django. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -235,7 +235,7 @@ python-cryptography NOTE: 20230219: Programming language: Python. NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/python-cryptography.git -- -python-django +python-django (Chris Lamb) NOTE: 20230219: Programming language: Python. NOTE: 20230219: VCS: https://salsa.debian.org/python-team/packages/python-django NOTE: 20230219: Special attention: Chris Lamb is the maintainer. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3108472d648d461d34e13423e443321787dfd194 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3108472d648d461d34e13423e443321787dfd194 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim amanda.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 45f61428 by Chris Lamb at 2023-02-20T11:07:32-08:00 data/dla-needed.txt: Claim amanda. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -18,7 +18,7 @@ rather than remove/replace existing ones. NOTE: 20221231: Few users. Low prio. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git -- -amanda +amanda (Chris Lamb) NOTE: 20230219: Programming language: C. NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/amanda.git NOTE: 20230219: Special attention: Privilege escalation. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45f614288da392a90753aec50211f32d3f57f887 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45f614288da392a90753aec50211f32d3f57f887 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] sox DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a6145b00 by Moritz Mühlenhoff at 2023-02-20T19:58:57+01:00 sox DSA - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -61155,13 +61155,11 @@ CVE-2022-31652 CVE-2022-31651 (In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in ...) {DLA-3315-1} - sox 14.4.2+git20190427-3.1 (bug #1012516) - [bullseye] - sox (Minor issue) NOTE: https://sourceforge.net/p/sox/bugs/360/ NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3 CVE-2022-31650 (In SoX 14.4.2, there is a floating-point exception in lsx_aiffstartwri ...) {DLA-3315-1} - sox 14.4.2+git20190427-3.1 (bug #1012516) - [bullseye] - sox (Minor issue) NOTE: https://sourceforge.net/p/sox/bugs/360/ NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3 CVE-2022-31649 (ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Inf ...) @@ -120471,7 +120469,6 @@ CVE-2021-36716 (A ReDoS (regular expression denial of service) flaw was found in CVE-2021-3643 (A flaw was found in sox 14.4.1. The lsx_adpcm_init function within lib ...) {DLA-3315-1} - sox 14.4.2+git20190427-3.2 (bug #1010374) - [bullseye] - sox (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1980626 NOTE: Triggered by same reproducer as for CVE-2021-23210 NOTE: https://sourceforge.net/p/sox/bugs/351/ @@ -127280,7 +127277,6 @@ CVE-2021-33841 (SGE-PLC1000 device, in its 0.9.2b firmware version, does not han CVE-2021-23210 (A floating point exception (divide-by-zero) issue was discovered in So ...) {DLA-3315-1} - sox 14.4.2+git20190427-3.2 (bug #1010374) - [bullseye] - sox (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975670 NOTE: https://sourceforge.net/p/sox/bugs/351/ NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3 = data/DSA/list = 
@@ -1,3 +1,6 @@ +[20 Feb 2023] DSA-5356-1 sox - security update + {CVE-2021-3643 CVE-2021-23159 CVE-2021-23172 CVE-2021-23210 CVE-2021-33844 CVE-2021-40426 CVE-2022-31650 CVE-2022-31651} + [bullseye] - sox 14.4.2+git20190427-2+deb11u1 [18 Feb 2023] DSA-5355-1 thunderbird - security update {CVE-2022-46871 CVE-2022-46877 CVE-2023-0430 CVE-2023-0616 CVE-2023-0767 CVE-2023-23598 CVE-2023-23601 CVE-2023-23602 CVE-2023-23603 CVE-2023-23605 CVE-2023-25728 CVE-2023-25729 CVE-2023-25730 CVE-2023-25732 CVE-2023-25735 CVE-2023-25737 CVE-2023-25739 CVE-2023-25742 CVE-2023-25744 CVE-2023-25746} [bullseye] - thunderbird 1:102.8.0-1~deb11u1 = data/dsa-needed.txt = @@ -56,9 +56,6 @@ samba sofia-sip Maintainer proposed debdiff for review with additional question and sent a followup -- -sox (jmm) - patch needed for CVE-2021-40426, check with upstream --- tiff (aron) -- xrdp View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6145b0031de33e3acb93c4c6511b3beacd1e3de -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6145b0031de33e3acb93c4c6511b3beacd1e3de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
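Review bot: the dsa-needed entry being removed said a patch was still needed for CVE-2021-40426 and to check with upstream, yet the CVE/list hunks touch only CVE-2021-3643, CVE-2021-23210, CVE-2022-31650 and CVE-2022-31651; a NOTE on the CVE-2021-40426 entry recording where the patch used in 14.4.2+git20190427-2+deb11u1 came from would close that loop. Also worth verifying that the other four CVEs in DSA-5356-1 (CVE-2021-23159, CVE-2021-23172, CVE-2021-33844, CVE-2021-40426) carry no leftover `[bullseye] - sox (Minor issue)` line, since those markers were only dropped for the four entries shown here.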
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3328-1 for clamav
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 4247c702 by Emilio Pozuelo Monfort at 2023-02-20T18:44:20+01:00 Reserve DLA-3328-1 for clamav - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Feb 2023] DLA-3328-1 clamav - security update + {CVE-2023-20032 CVE-2023-20052} + [buster] - clamav 0.103.8+dfsg-0+deb10u1 [20 Feb 2023] DLA-3327-1 nss - security update {CVE-2020-6829 CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2023-0767} [buster] - nss 2:3.42.1-1+deb10u6 = data/dla-needed.txt = @@ -45,11 +45,6 @@ ceph NOTE: 20221130: https://lists.debian.org/debian-lts/2022/11/msg00025.html (zigo/maintainer) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git -- -clamav (Emilio) - NOTE: 20230220: Programming language: C. - NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/clamav.git - NOTE: 20230220: Testsuite: https://lists.debian.org/debian-lts/2019/04/msg00117.html --- consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4247c702bcd5c328b3dd5cb5a6e419227e8497aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4247c702bcd5c328b3dd5cb5a6e419227e8497aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
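Review bot: the removed dla-needed entry carried the only pointer to the clamav test-suite instructions (a 2019 debian-lts thread), which disappears with this reservation; moving it to the LTS wiki test-suite pages (the form the python3.7 entry uses in commit 81eb6f56) would keep it for the next clamav update. The DLA version string 0.103.8+dfsg-0+deb10u1 indicates a new upstream micro release rather than a backported patch, which the DLA text should state so users know to expect a version bump.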
[Git][security-tracker-team/security-tracker][master] Update fixing information for CVE-2017-9271/libzypp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf62d234 by Salvatore Bonaccorso at 2023-02-20T17:37:49+01:00 Update fixing information for CVE-2017-9271/libzypp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -380585,8 +380585,7 @@ CVE-2017-9273 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be susc CVE-2017-9272 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be susceptib ...) NOT-FOR-US: IDM CVE-2017-9271 (The commandline package update tool zypper writes HTTP proxy credentia ...) - - libzypp (low; bug #988152) - [bullseye] - libzypp (Minor issue) + - libzypp 17.25.5-2 (low; bug #988152) [buster] - libzypp (Minor issue) [jessie] - libzypp (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1050625 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf62d2345e0f4c19901112758abcc3d4b19091a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf62d2345e0f4c19901112758abcc3d4b19091a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
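Review bot: recording 17.25.5-2 as the fixed version while the NOTE from commit 222d4ff9 says the upstream fix landed in 17.25.3 leaves the reader to infer that 17.25.5-2 is just the first Debian upload at or above 17.25.3; a short NOTE ("fixed by new upstream release") would make that explicit. With the bullseye line removed, the remaining `[buster]` and `[jessie]` `(Minor issue)` markers are consistent with the low severity.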
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2017-9271
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 222d4ff9 by Salvatore Bonaccorso at 2023-02-20T17:36:49+01:00 Update information for CVE-2017-9271 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -380585,11 +380585,12 @@ CVE-2017-9273 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be susc CVE-2017-9272 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be susceptib ...) NOT-FOR-US: IDM CVE-2017-9271 (The commandline package update tool zypper writes HTTP proxy credentia ...) - - zypper (low; bug #988152) - [bullseye] - zypper (Minor issue) - [buster] - zypper (Minor issue) - [jessie] - zypper (Minor issue) + - libzypp (low; bug #988152) + [bullseye] - libzypp (Minor issue) + [buster] - libzypp (Minor issue) + [jessie] - libzypp (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1050625 + NOTE: https://github.com/openSUSE/libzypp/commit/c693f46ca9bf18dda9b4b56f78e069e26b5b03ff (17.25.3) CVE-2017-9270 (In cryptctl before version 2.0 a malicious server could send RPC reque ...) NOT-FOR-US: SuSE cryptctl CVE-2017-9269 (In libzypp before August 2018 GPG keys attached to YUM repositories we ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/222d4ff97c0b20a73727626b1f742d4607a534bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/222d4ff97c0b20a73727626b1f742d4607a534bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
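Review bot: moving the entry from zypper to libzypp changes which source package the tracker reports as affected in all four suites, but no NOTE explains why (the description names zypper, the command-line tool, while the new upstream commit link is in the libzypp repository); a one-line NOTE stating that the credential-writing code lives in libzypp would save the next reader the same check. Bug #988152 is carried over unchanged; confirm it is filed against the package the entry now names.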
[Git][security-tracker-team/security-tracker][master] dsa-needed.txt: add git and claim it
Aron Xu pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b371a17 by Aron Xu at 2023-02-21T00:32:42+08:00 dsa-needed.txt: add git and claim it - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -20,6 +20,8 @@ curl -- frr -- +git (aron) +-- jupyter-core Maintainer asked for availability to prepare updates -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b371a177388c51dbb3b80853169d227d00c2c49 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b371a177388c51dbb3b80853169d227d00c2c49 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
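Review bot: the entry has no note on which CVEs the update covers or its state, unlike the jupyter-core entry just below it ("Maintainer asked for availability to prepare updates"); since git was added to data/dla-needed.txt the same day (commit 5213b591), a line on scope and on whether the patches will be shared with LTS would help both teams.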
[Git][security-tracker-team/security-tracker][master] CVE-2019-19921/runc: possibly not fixed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: db67e466 by Sylvain Beucler at 2023-02-20T17:27:32+01:00 CVE-2019-19921/runc: possibly not fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -235207,6 +235207,7 @@ CVE-2019-19921 (runc through 1.0.0-rc9 has Incorrect Access Control leading to E NOTE: https://github.com/opencontainers/runc/issues/2197 NOTE: https://github.com/opencontainers/runc/pull/2190 NOTE: https://github.com/opencontainers/runc/commit/3291d66b98445bd7f7d02eac7f2bca2ac2c56942 (v1.0.0-rc10) + NOTE: possibly partial fix only: https://github.com/opencontainers/runc/issues/2197#issuecomment-1437276049 CVE-2019-19919 (Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Poll ...) - node-handlebars 3:4.5.3-1 [buster] - node-handlebars 3:4.1.0-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db67e4665aa975859c5fc900fae2ea9c519a972a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db67e4665aa975859c5fc900fae2ea9c519a972a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
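Review bot: the added NOTE flags the v1.0.0-rc10 commit as a possibly partial fix, but no status line is changed (the package version lines sit outside the hunk), so the tracker keeps reporting CVE-2019-19921 as fixed on the strength of a patch that may be incomplete. Once the upstream discussion in issue 2197 settles, either reopen the entry or add a follow-up NOTE recording the conclusion, so the "possibly" does not linger indefinitely.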
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a759aab by Moritz Muehlenhoff at 2023-02-20T17:23:09+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46581,7 +46581,7 @@ CVE-2020-36565 (Due to improper sanitization of user input on Windows, the stati NOTE: https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa NOTE: https://pkg.go.dev/vuln/GO-2021-0051 CVE-2020-36564 (Due to improper validation of caller input, validation is silently dis ...) - TODO: check + NOT-FOR-US: nosurf CVE-2020-36563 (XML Digital Signatures generated and validated using this package use ...) TODO: check CVE-2019-25075 (HTML injection combined with path traversal in the Email service in Gr ...) @@ -46623,7 +46623,7 @@ CVE-2022-2574 (The Meks Easy Social Share WordPress plugin before 1.2.8 does not CVE-2022-2573 RESERVED CVE-2020-36562 (Due to unchecked type assertions, maliciously crafted messages can cau ...) - TODO: check + NOT-FOR-US: shiyanhui/dht CVE-2020-36561 (Due to improper path santization, archives containing relative file pa ...) TODO: check CVE-2020-36560 (Due to improper path santization, archives containing relative file pa ...) @@ -58194,7 +58194,7 @@ CVE-2022-32667 CVE-2022-32666 RESERVED CVE-2022-32665 (In Boa, there is a possible command injection due to improper input va ...) - TODO: check + NOT-FOR-US: MediaTek CVE-2022-32664 (In Config Manager, there is a possible command injection due to improp ...) NOT-FOR-US: MediaTek CVE-2022-32663 (In Wi-Fi driver, there is a possible system crash due to null pointer ...) 
@@ -77953,17 +77953,17 @@ CVE-2022-25914 (The package com.google.cloud.tools:jib-core before 0.22.0 are vu CVE-2022-25913 RESERVED CVE-2022-25912 (The package simple-git before 3.15.0 are vulnerable to Remote Code Exe ...) - TODO: check + NOT-FOR-US: Node simple-git CVE-2022-25911 RESERVED CVE-2022-25910 RESERVED CVE-2022-25908 (All versions of the package create-choo-electron are vulnerable to Com ...) - TODO: check + NOT-FOR-US: create-choo-electron stability CVE-2022-25907 (The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Poll ...) NOT-FOR-US: voodoocreation/ts-deepmerge CVE-2022-25906 (All versions of the package is-http2 are vulnerable to Command Injecti ...) - TODO: check + NOT-FOR-US: Node is-http2 CVE-2022-25904 (All versions of package safe-eval are vulnerable to Prototype Pollutio ...) TODO: check CVE-2022-25903 (The package opcua from 0.0.0 are vulnerable to Denial of Service (DoS) ...) @@ -77986,9 +77986,9 @@ CVE-2022-25896 (This affects the package passport before 0.6.0. When a user logs NOTE: https://github.com/jaredhanson/passport/pull/900 NOTE: https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631 CVE-2022-25895 (All versions of package lite-dev-server are vulnerable to Directory Tr ...) - TODO: check + NOT-FOR-US: Node lite-dev-server CVE-2022-25894 (All versions of the package com.bstek.uflo:uflo-core are vulnerable to ...) - TODO: check + NOT-FOR-US: com.bstek.uflo:uflo-core CVE-2022-25893 (The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Executi ...) NOT-FOR-US: Node vm2 CVE-2022-25892 (The package muhammara before 2.6.1, from 3.0.0 and before 3.1.1; all v ...) 
@@ -81842,7 +81842,7 @@ CVE-2022-0554 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim p NOTE: https://github.com/vim/vim/commit/e3537aec2f8d6470010547af28dcbd83d41461b8 (v8.2.4327) NOTE: Crash in CLI tool, no security impact CVE-2022-0553 (There is no check to see if slot 0 is being uploaded from the device t ...) - TODO: check + NOT-FOR-US: Zephyr CVE-2022-0552 (A flaw was found in the original fix for the netty-codec-http CVE-2021 ...) NOT-FOR-US: Red Hat OpenShift Logging elasticsearch6 container CVE-2022-24699 @@ -86165,11 +86165,11 @@ CVE-2022-23489 CVE-2022-23488 (BigBlueButton is an open source web conferencing system. Versions prio ...) NOT-FOR-US: BigBlueButton CVE-2022-23487 (js-libp2p is the official javascript Implementation of libp2p networki ...) - TODO: check + NOT-FOR-US: js-libp2p CVE-2022-23486 (libp2p-rust is the official rust language Implementation of the libp2p ...) - TODO: check + NOT-FOR-US: libp2p-rust CVE-2022-23485 (Sentry is an error tracking and performance monitoring platform. In ve ...) - TODO: check + NOT-FOR-US: Sentry CVE-2022-23484 (xrdp is an open source project which provides a graphical login to rem ...) - xrdp 0.9.21.1-1 (bug #1025879) NOTE:
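Review bot: the NOT-FOR-US markers in this batch are inconsistent in naming: CVE-2022-25912, CVE-2022-25906 and CVE-2022-25895 use the "Node <package>" form (matching "NOT-FOR-US: Node vm2" in the same hunk), while CVE-2022-25908 ("create-choo-electron stability") and CVE-2022-25894 ("com.bstek.uflo:uflo-core") name no ecosystem at all, and CVE-2020-36564 ("nosurf") and CVE-2020-36562 ("shiyanhui/dht") omit the "Go" prefix used for the Go modules elsewhere in the file. A uniform prefix keeps these entries greppable when a package of the same name is later ITP'd.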
[Git][security-tracker-team/security-tracker][master] golang-github-labstack-echo n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cdeb82d6 by Moritz Muehlenhoff at 2023-02-20T17:13:15+01:00 golang-github-labstack-echo n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46574,7 +46574,12 @@ CVE-2020-36567 (Unsanitized input in the default logger in github.com/gin-gonic/ CVE-2020-36566 (Due to improper path santization, archives containing relative file pa ...) NOT-FOR-US: Go whyrusleeping/tar-utils CVE-2020-36565 (Due to improper sanitization of user input on Windows, the static file ...) - TODO: check + - golang-github-labstack-echo (Windows-specific) + - golang-github-labstack-echo.v2 (Windows-specific) + - golang-github-labstack-echo.v3 (Windows-specific) + NOTE: https://github.com/labstack/echo/pull/1718 + NOTE: https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa + NOTE: https://pkg.go.dev/vuln/GO-2021-0051 CVE-2020-36564 (Due to improper validation of caller input, validation is silently dis ...) TODO: check CVE-2020-36563 (XML Digital Signatures generated and validated using this package use ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdeb82d6b8051f569685bce25655fa98e9c6d4b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdeb82d6b8051f569685bce25655fa98e9c6d4b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
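Review bot: the three golang-github-labstack-echo source packages are listed as affected with only a "(Windows-specific)" parenthetical and no severity; since Debian ships no Windows builds, an explicit severity tag (e.g. unimportant) alongside that remark would make the intended handling clear to the next reader. The same single upstream fix commit is cited for all three, so it is worth confirming that the older .v2 and .v3 source packages actually contain the affected static-file code path before keeping them on the list.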
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2022-44900/py7zr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 34f9128a by Salvatore Bonaccorso at 2023-02-20T16:57:21+01:00 Add upstream tag information for CVE-2022-44900/py7zr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22499,7 +22499,7 @@ CVE-2022-44901 RESERVED CVE-2022-44900 (A directory traversal vulnerability in the SevenZipFile.extractall() f ...) - py7zr - NOTE: https://github.com/miurahr/py7zr/commit/1bb43f17515c7f69673a1c88ab9cc72a7bbef406 + NOTE: https://github.com/miurahr/py7zr/commit/1bb43f17515c7f69673a1c88ab9cc72a7bbef406 (v0.20.1) NOTE: https://lessonsec.com/cve/cve-2022-44900/ CVE-2022-44899 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/34f9128ac3efe5d8ee3a86da6bae940d3490105e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/34f9128ac3efe5d8ee3a86da6bae940d3490105e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new py7zr issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c1774b2b by Moritz Muehlenhoff at 2023-02-20T16:47:07+01:00 new py7zr issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22498,7 +22498,9 @@ CVE-2022-44902 CVE-2022-44901 RESERVED CVE-2022-44900 (A directory traversal vulnerability in the SevenZipFile.extractall() f ...) - TODO: check + - py7zr + NOTE: https://github.com/miurahr/py7zr/commit/1bb43f17515c7f69673a1c88ab9cc72a7bbef406 + NOTE: https://lessonsec.com/cve/cve-2022-44900/ CVE-2022-44899 RESERVED CVE-2022-44898 (The MsIo64.sys component in Asus Aura Sync through v1.07.79 does not p ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1774b2b9f7bef36aaccd2e124f802b5add24306 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1774b2b9f7bef36aaccd2e124f802b5add24306 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new resteasy issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d5a51f92 by Moritz Muehlenhoff at 2023-02-20T16:13:40+01:00 new resteasy issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4654,7 +4654,11 @@ CVE-2023-0484 CVE-2023-0483 RESERVED CVE-2023-0482 (In RESTEasy the insecure File.createTempFile() is used in the DataSour ...) - TODO: check + - resteasy + - resteasy3.0 + [bullseye] - resteasy3.0 (Minor issue) + NOTE: https://github.com/resteasy/resteasy/pull/3409/ + NOTE: https://github.com/resteasy/resteasy/commit/3d8a551d80b98f185edaff6f895188ec8211366b CVE-2023-0481 RESERVED NOT-FOR-US: Quarkus View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a51f92808f5bfea027da225af8bb0fe615b5cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a51f92808f5bfea027da225af8bb0fe615b5cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
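Review bot: both resteasy and resteasy3.0 are added without a fixed version, but only resteasy3.0 receives a "[bullseye] - (Minor issue)" postponement; if resteasy is also shipped in bullseye its release line is missing, and if it is not, a short NOTE saying so would save the question on the next triage pass.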
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3327-1 for nss
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 121e7aee by Markus Koschany at 2023-02-20T16:11:24+01:00 Reserve DLA-3327-1 for nss - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -211474,7 +211474,6 @@ CVE-2020-12404 (For native-to-JS bridging the app requires a unique token to be CVE-2020-12403 (A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS i ...) {DLA-2388-1} - nss 2:3.55-1 - [buster] - nss (Minor issue) NOTE: https://hg.mozilla.org/projects/nss/rev/f282556e6cc7715f5754aeaadda6f902590e7e38 NOTE: https://hg.mozilla.org/projects/nss/rev/c25adfdfab34ddb08d3262aac3242e3399de1095 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1636771 @@ -211488,7 +211487,6 @@ CVE-2020-12401 (During ECDSA signature generation, padding applied in the nonce {DLA-2388-1} - firefox 80.0-1 - nss 2:3.55-1 - [buster] - nss (Minor issue) NOTE: https://hg.mozilla.org/projects/nss/rev/aeb2e583ee957a699d949009c7ba37af76515c20 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1631573 (private) NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes @@ -211497,7 +211495,6 @@ CVE-2020-12400 (When converting coordinates from projective to affine, the modul {DLA-2388-1} - firefox 80.0-1 - nss 2:3.55-1 - [buster] - nss (Minor issue) NOTE: https://hg.mozilla.org/projects/nss/rev/e55ab3145546ae3cf1333b43956a974675d2d25c NOTE: https://hg.mozilla.org/projects/nss/rev/3f022d5eca5d3cd0e366a825a5681953d76299d0 NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes 
@@ -227156,7 +227153,6 @@ CVE-2020-6829 (When performing EC scalar point multiplication, the wNAF point mu {DLA-2388-1} - firefox 80.0-1 - nss 2:3.55-1 - [buster] - nss (Minor issue) NOTE: https://hg.mozilla.org/projects/nss/rev/e55ab3145546ae3cf1333b43956a974675d2d25c NOTE: https://hg.mozilla.org/projects/nss/rev/3f022d5eca5d3cd0e366a825a5681953d76299d0 NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Feb 2023] DLA-3327-1 nss - security update + {CVE-2020-6829 CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2023-0767} + [buster] - nss 2:3.42.1-1+deb10u6 [20 Feb 2023] DLA-3326-1 isc-dhcp - security update [buster] - isc-dhcp 4.4.1-2+deb10u3 [20 Feb 2023] DLA-3325-1 openssl - security update = data/dla-needed.txt = @@ -199,10 +199,6 @@ nodejs NOTE: 20221105: Source code not checked. It may be so that the vulnerability is not present in buster. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/nodejs.html -- -nss (Markus Koschany) - NOTE: 20230219: Programming language: C. - NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/nss.git --- nvidia-graphics-drivers NOTE: 20221225: Programming language: binary blob. NOTE: 20230103: Cf. on-going discussion on nvidia support (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/121e7aee475909e691d33c6698d0cfed22806fe9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/121e7aee475909e691d33c6698d0cfed22806fe9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
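Review bot: the DLA-3327-1 entry in data/DLA/list lists five CVEs, but the CVE/list hunks only drop the "[buster] - nss (Minor issue)" postponement for the four CVE-2020 entries (CVE-2020-6829, CVE-2020-12400, CVE-2020-12401, CVE-2020-12403); CVE-2023-0767 is not touched, so confirm that its buster status resolves through the new DLA rather than staying postponed. The existing "{DLA-2388-1}" cross-reference lines on the four entries are also left as they were; if the tracker expects the new DLA id there as well, a follow-up is needed.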
[Git][security-tracker-team/security-tracker][master] new epiphany issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fa83d1e2 by Moritz Muehlenhoff at 2023-02-20T16:07:50+01:00 new epiphany issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39,7 +39,9 @@ CVE-2023-26083 CVE-2023-26082 RESERVED CVE-2023-26081 (In Epiphany (aka GNOME Web) through 43.0, untrusted web content can tr ...) - TODO: check + - epiphany-browser + NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275 + NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd CVE-2023-26080 RESERVED CVE-2023-26079 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa83d1e2f9709829f981b6d432ddbfc0ce892bb7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa83d1e2f9709829f981b6d432ddbfc0ce892bb7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fadbaff by Moritz Muehlenhoff at 2023-02-20T15:51:53+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,9 +15,9 @@ CVE-2023-26095 CVE-2023-26094 RESERVED CVE-2023-26093 (Liima before 1.17.28 allows Hibernate query language (HQL) injection, ...) - TODO: check + NOT-FOR-US: Liima CVE-2023-26092 (Liima before 1.17.28 allows server-side template injection. ...) - TODO: check + NOT-FOR-US: Liima CVE-2023-26091 RESERVED CVE-2023-26090 @@ -105,7 +105,7 @@ CVE-2015-10084 CVE-2015-10083 RESERVED CVE-2023-0919 (Missing Authentication for Critical Function in GitHub repository kare ...) - TODO: check + NOT-FOR-US: Kavita CVE-2023-0918 (A vulnerability has been found in codeprojects Pharmacy Management Sys ...) NOT-FOR-US: codeprojects Pharmacy Management System CVE-2023-0917 (A vulnerability, which was classified as critical, was found in Source ...) @@ -141,9 +141,9 @@ CVE-2015-10080 CVE-2014-125088 RESERVED CVE-2013-10019 (A vulnerability was found in OCLC-Research OAICat 1.5.61. It has been ...) - TODO: check + NOT-FOR-US: OAICat CVE-2012-10008 (A vulnerability, which was classified as critical, has been found in u ...) - TODO: check + NOT-FOR-US: uakfdotb oneapp CVE-2023-0911 RESERVED CVE-2023-0910 (A vulnerability has been found in SourceCodester Online Pizza Ordering ...) 
@@ -165,11 +165,11 @@ CVE-2023-0903 (A vulnerability was found in SourceCodester Employee Task Managem CVE-2023-0902 (A vulnerability was found in SourceCodester Simple Food Ordering Syste ...) NOT-FOR-US: SourceCodester Simple Food Ordering System CVE-2016-15024 (A vulnerability was found in doomsider shadow. It has been classified ...) - TODO: check + NOT-FOR-US: doomsider shadow CVE-2014-125087 (A vulnerability was found in java-xmlbuilder up to 1.1. It has been ra ...) - TODO: check + NOT-FOR-US: java-xmlbuilder CVE-2012-10007 (A vulnerability was found in madgicweb BuddyStream Plugin up to 3.2.7. ...) - TODO: check + NOT-FOR-US: madgicweb BuddyStream Plugin CVE-2023-26056 RESERVED CVE-2023-26055 @@ -11137,7 +11137,7 @@ CVE-2022-48117 CVE-2022-48116 (AyaCMS v3.1.2 was discovered to contain a remote code execution (RCE) ...) NOT-FOR-US: AyaCMS CVE-2022-48115 (The dropdown menu in jspreadsheet before v4.6.0 was discovered to be v ...) - TODO: check + NOT-FOR-US: jspreadsheet CVE-2022-48114 (RuoYi up to v4.7.5 was discovered to contain a SQL injection vulnerabi ...) NOT-FOR-US: RuoYi CVE-2022-48113 (A vulnerability in TOTOLINK N200RE_v5 firmware V9.3.5u.6139 allows una ...) @@ -41480,7 +41480,7 @@ CVE-2022-38780 CVE-2022-38779 RESERVED CVE-2022-38778 (A flaw (CVE-2022-38900) was discovered in one of Kibanas third ...) - TODO: check + - kibana (bug #700337) CVE-2022-38777 (An issue was discovered in the rollback feature of Elastic Endpoint Se ...) NOT-FOR-US: Elastic Endpoint Security CVE-2022-38776 @@ -77844,7 +77844,7 @@ CVE-2022-25982 CVE-2022-25981 RESERVED CVE-2022-25979 (Versions of the package jsuites before 5.0.1 are vulnerable to Cross-s ...) - TODO: check + NOT-FOR-US: Node jsuites CVE-2022-25978 (All versions of the package github.com/usememos/memos/server are vulne ...) NOT-FOR-US: github.com/usememos/memos/server CVE-2022-25977 
@@ -77868,7 +77868,7 @@ CVE-2022-25964 CVE-2022-25963 RESERVED CVE-2022-25962 (All versions of the package vagrant.js are vulnerable to Command Injec ...) - TODO: check + NOT-FOR-US: vagrant.js CVE-2022-25961 RESERVED CVE-2022-25956 @@ -77894,15 +77894,15 @@ CVE-2022-25944 CVE-2022-25941 RESERVED CVE-2022-25940 (All versions of package lite-server are vulnerable to Denial of Servic ...) - TODO: check + NOT-FOR-US: Node lite-server CVE-2022-25939 RESERVED CVE-2022-25938 RESERVED CVE-2022-25937 (Versions of the package glance before 3.0.9 are vulnerable to Director ...) - TODO: check + NOT-FOR-US: Node glance CVE-2022-25936 (Versions of the package servst before 2.0.3 are vulnerable to Director ...) - TODO: check + NOT-FOR-US: Node servst CVE-2022-25935 RESERVED CVE-2022-25934 @@ -77910,23 +77910,23 @@ CVE-2022-25934 CVE-2022-25933 RESERVED CVE-2022-25931 (All versions of package easy-static-server are vulnerable to Directory ...) - TODO: check + NOT-FOR-US: Node easy-static-server CVE-2022-25930 RESERVED CVE-2022-25929 (The package smoothie from 1.31.0 and before 1.36.1 are vulnerable to C ...) - TODO: check + NOT-FOR-US: Node smoothie
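Review bot: the CVE-2022-38778 line is the only one in this batch that records a package ("- kibana (bug #700337)") instead of NOT-FOR-US; if kibana is only tracked via its ITP bug, the entry should carry the tracker's usual ITP marker so the status is not read as an unfixed package in the archive. The remaining NOT-FOR-US markers are fine, though "Node <package>" is used for some npm packages (lite-server, glance, servst, easy-static-server, smoothie, jsuites) and omitted for others (vagrant.js); one form would be preferable.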
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ee3fea33 by Moritz Muehlenhoff at 2023-02-20T14:20:11+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1552,6 +1552,7 @@ CVE-2023-25614 (SAP NetWeaver AS ABAP (BSP Framework) application - versions 700 NOT-FOR-US: SAP CVE-2023-25613 RESERVED + NOT-FOR-US: Apache Kerby CVE-2023-0767 RESERVED {DSA-5355-1 DSA-5353-1 DSA-5350-1 DLA-3319-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee3fea33deb2356835b500e7b395ff10c667a7fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee3fea33deb2356835b500e7b395ff10c667a7fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
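Review bot: CVE-2023-25613 is still RESERVED (no description) yet receives "NOT-FOR-US: Apache Kerby"; a NOTE with the source of that attribution (advisory or mailing-list URL) would let the next person verify it once the CVE text is published.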
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3326-1 for isc-dhcp
Bastian Blank pushed to branch master at Debian Security Tracker / security-tracker Commits: 1af9fffd by Bastian Blank at 2023-02-20T14:17:56+01:00 Reserve DLA-3326-1 for isc-dhcp - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[20 Feb 2023] DLA-3326-1 isc-dhcp - security update + [buster] - isc-dhcp 4.4.1-2+deb10u3 [20 Feb 2023] DLA-3325-1 openssl - security update {CVE-2022-2097 CVE-2022-4304 CVE-2022-4450 CVE-2023-0215 CVE-2023-0286} [buster] - openssl 1.1.1n-0+deb10u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1af9fffd1a17581228d8772a44ad36a6ca531953 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1af9fffd1a17581228d8772a44ad36a6ca531953 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
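Review bot: the new DLA-3326-1 isc-dhcp entry has no "{CVE-...}" line, unlike the DLA-3325-1 openssl entry directly below it; if the update fixes CVEs they should be listed so the tracker links the advisory to them, and if it is a non-CVE update a short note on the reason would avoid it looking like an omission.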
[Git][security-tracker-team/security-tracker][master] LTS: reclaim node-url-parse in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: ed99e3bc by Guilhem Moulin at 2023-02-20T14:01:15+01:00 LTS: reclaim node-url-parse in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -188,7 +188,7 @@ node-nth-check NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-nth-check.git -- -node-url-parse +node-url-parse (guilhem) NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 + check postponed issues (Beuc/front-desk) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-url-parse.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed99e3bcb1ceb702604565c02eaf688ab45bc753 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed99e3bcb1ceb702604565c02eaf688ab45bc753 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3325-1 for openssl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e959340 by Emilio Pozuelo Monfort at 2023-02-20T12:08:44+01:00 Reserve DLA-3325-1 for openssl - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -55655,7 +55655,6 @@ CVE-2022-33759 CVE-2022-2097 (AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimi ...) {DSA-5343-1} - openssl 3.0.5-1 (bug #1023424) - [buster] - openssl (Minor issue, fix along in next round of security updates) NOTE: https://www.openssl.org/news/secadv/20220705.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=a98f339ddd7e8f487d6e0088d4a9a42324885a93 (openssl-3.0.5) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=919925673d6c9cfed3c1085497f5dfbbed5fc431 (OpenSSL_1_1_1q) = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Feb 2023] DLA-3325-1 openssl - security update + {CVE-2022-2097 CVE-2022-4304 CVE-2022-4450 CVE-2023-0215 CVE-2023-0286} + [buster] - openssl 1.1.1n-0+deb10u4 [20 Feb 2023] DLA-3324-1 thunderbird - security update {CVE-2022-46871 CVE-2022-46877 CVE-2023-0430 CVE-2023-0616 CVE-2023-0767 CVE-2023-23598 CVE-2023-23601 CVE-2023-23602 CVE-2023-23603 CVE-2023-23605 CVE-2023-25728 CVE-2023-25729 CVE-2023-25730 CVE-2023-25732 CVE-2023-25735 CVE-2023-25737 CVE-2023-25739 CVE-2023-25742 CVE-2023-25744 CVE-2023-25746} [buster] - thunderbird 1:102.8.0-1~deb10u1 = data/dla-needed.txt = 
@@ -218,11 +218,6 @@ openimageio NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- -openssl (Emilio) - NOTE: 20230208: Programming language: C. - NOTE: 20230208: Special attention: Very high popcon! - NOTE: 20230208: VCS: https://salsa.debian.org/lts-team/packages/openssl.git --- php-cas NOTE: 20221105: Programming language: PHP. NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e959340aefb9ea5abbf3ab638c26695244e9077 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e959340aefb9ea5abbf3ab638c26695244e9077 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
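Review bot: the DLA-3325-1 entry covers five CVEs, but only CVE-2022-2097 has its "[buster] - openssl (Minor issue, fix along in next round of security updates)" postponement removed in data/CVE/list; confirm that CVE-2022-4304, CVE-2022-4450, CVE-2023-0215 and CVE-2023-0286 do not retain stale buster markers of their own now that the round of updates has happened.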
[Git][security-tracker-team/security-tracker][master] claim imagemagick
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: 98a7b4a2 by Holger Levsen at 2023-02-20T11:16:02+01:00 claim imagemagick Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -117,7 +117,7 @@ golang-yaml.v2 NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't). -- -imagemagick +imagemagick (Holger Levsen) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98a7b4a2cced685e5991d061ee4bfe70caef967b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98a7b4a2cced685e5991d061ee4bfe70caef967b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reclaim apache2
Lee Garrett pushed to branch master at Debian Security Tracker / security-tracker Commits: 1dba7257 by Lee Garrett at 2023-02-20T11:08:45+01:00 Reclaim apache2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ amanda NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/amanda.git NOTE: 20230219: Special attention: Privilege escalation. -- -apache2 +apache2 (Lee Garrett) NOTE: 20221227: Programming language: C. NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git NOTE: 20221227: Special attention: Double check an update! Package is used by many customers and users!. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dba7257fb74b39eafa8ac44f6b9e0fd6ffd6b00 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dba7257fb74b39eafa8ac44f6b9e0fd6ffd6b00 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf8e04c7 by Salvatore Bonaccorso at 2023-02-20T10:19:37+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -91,9 +91,9 @@ CVE-2023-26057 CVE-2023-0920 RESERVED CVE-2022-48329 (MISP before 2.4.166 unsafely allows users to use the order parameter, ...) - TODO: check + NOT-FOR-US: MISP CVE-2022-48328 (app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.1 ...) - TODO: check + NOT-FOR-US: MISP CVE-2021-4325 RESERVED CVE-2017-20179 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf8e04c756c1b1760335bd1a3ebd3efd6218 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf8e04c756c1b1760335bd1a3ebd3efd6218 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: DLA: take sofia-sip
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab0a8e21 by Adrian Bunk at 2023-02-20T11:01:37+02:00 DLA: take sofia-sip - - - - - abdd15e5 by Adrian Bunk at 2023-02-20T11:02:23+02:00 DLA: take curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -55,7 +55,7 @@ consul NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git -- -curl +curl (Adrian Bunk) NOTE: 20230220: Programming language: C. NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/curl.html @@ -342,7 +342,7 @@ snakeyaml NOTE: 20230120: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/snakeyaml.git -- -sofia-sip +sofia-sip (Adrian Bunk) NOTE: 20230220: Programming language: C. NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/sofia-sip.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/eaa3e34e72b0a5bd1cf5d8a77f70e31192b8d989...abdd15e5853e0f2e4d9fc255872b6aa83d7d1042 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/eaa3e34e72b0a5bd1cf5d8a77f70e31192b8d989...abdd15e5853e0f2e4d9fc255872b6aa83d7d1042 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take clamav
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: eaa3e34e by Emilio Pozuelo Monfort at 2023-02-20T09:19:28+01:00 lts: take clamav - - - - - 1 changed file: - data/dla-needed.txt
Changes: = data/dla-needed.txt = @@ -45,7 +45,7 @@ ceph NOTE: 20221130: https://lists.debian.org/debian-lts/2022/11/msg00025.html (zigo/maintainer) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git -- -clamav +clamav (Emilio) NOTE: 20230220: Programming language: C. NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/clamav.git NOTE: 20230220: Testsuite: https://lists.debian.org/debian-lts/2019/04/msg00117.html
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaa3e34e72b0a5bd1cf5d8a77f70e31192b8d989
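Review bot: the clamav Testsuite NOTE points at a 2019 debian-lts list message (https://lists.debian.org/debian-lts/2019/04/msg00117.html) rather than a page under the lts-team TestSuites wiki as the curl entry elsewhere on this page does; since the package is being claimed now, consider moving those testing instructions into the wiki and updating the NOTE, so the verification steps for the upload do not depend on a four-year-old mail.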
[Git][security-tracker-team/security-tracker][master] one emacs issue also affects that one person who still uses xemacs21...
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8de71375 by Moritz Muehlenhoff at 2023-02-20T09:14:00+01:00 one emacs issue also affects that one person who still uses xemacs21... - - - - - 1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -19344,6 +19344,8 @@ CVE-2022-45940 CVE-2022-45939 (GNU Emacs through 28.2 allows attackers to execute commands via shell ...) {DSA-5314-1 DLA-3257-1} - emacs 1:28.2+1-8 (bug #1025009) + - xemacs21 21.4.24-11 + [bullseye] - xemacs21 (Minor issue) NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51 CVE-2022-45938 RESERVED
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8de7137503888a4729f4d51e46534bb9e9f67185
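Review bot: the added "- xemacs21 21.4.24-11" line records a fixed unstable version without a reference, and the only NOTE on the entry is the GNU Emacs commit (d48bb4874bc6cd3e69c7a15fc3c91cc141025c51), which is a different code base from xemacs21; add a NOTE for the xemacs21 fix (the Debian changelog entry or bug) so the version can be verified later. The hunk also adds only a [bullseye] annotation marked "Minor issue"; the {DSA-5314-1 DLA-3257-1} references on the entry cover emacs, not xemacs21, so if xemacs21 is shipped in buster a matching [buster] line is needed, otherwise the tracker will show the issue as open there for the LTS team.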
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3324-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 0147c2f7 by Emilio Pozuelo Monfort at 2023-02-20T09:12:05+01:00 Reserve DLA-3324-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt
Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Feb 2023] DLA-3324-1 thunderbird - security update + {CVE-2022-46871 CVE-2022-46877 CVE-2023-0430 CVE-2023-0616 CVE-2023-0767 CVE-2023-23598 CVE-2023-23601 CVE-2023-23602 CVE-2023-23603 CVE-2023-23605 CVE-2023-25728 CVE-2023-25729 CVE-2023-25730 CVE-2023-25732 CVE-2023-25735 CVE-2023-25737 CVE-2023-25739 CVE-2023-25742 CVE-2023-25744 CVE-2023-25746} + [buster] - thunderbird 1:102.8.0-1~deb10u1 [18 Feb 2023] DLA-3323-1 c-ares - security update {CVE-2022-4904} [buster] - c-ares 1.14.0-1+deb10u2
= data/dla-needed.txt = @@ -355,11 +355,6 @@ sssd NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- -thunderbird (Emilio) - NOTE: 20230123: Programming language: C++ - NOTE: 20230205: VCS: https://salsa.debian.org/mozilla-team/thunderbird.git - NOTE: 20230205: Maintainer notes: Coordinate with maintainer --- tiff (Markus Koschany) NOTE: 20230218: Programming language: C. NOTE: 20230218: VCS: https://salsa.debian.org/lts-team/packages/tiff.git
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0147c2f79233c75fc8e65201d8e63f6d7b45b55e
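Review bot: the data/DLA/list hunk records the 20 CVEs and the buster version 1:102.8.0-1~deb10u1, but the commit touches only data/DLA/list and data/dla-needed.txt (2 changed files), so none of those CVE entries in data/CVE/list gain a {DLA-3324-1} cross-reference here; make sure that follows when the advisory is published, in the form used for the CVE-2022-45939 entry elsewhere on this page ({DSA-5314-1 DLA-3257-1}), so the advisory is visible from each CVE's own entry.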
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b6b4b92 by security tracker role at 2023-02-20T08:10:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,109 @@ +CVE-2023-26101 + RESERVED +CVE-2023-26100 + RESERVED +CVE-2023-26099 + RESERVED +CVE-2023-26098 + RESERVED +CVE-2023-26097 + RESERVED +CVE-2023-26096 + RESERVED +CVE-2023-26095 + RESERVED +CVE-2023-26094 + RESERVED +CVE-2023-26093 (Liima before 1.17.28 allows Hibernate query language (HQL) injection, ...) + TODO: check +CVE-2023-26092 (Liima before 1.17.28 allows server-side template injection. ...) + TODO: check +CVE-2023-26091 + RESERVED +CVE-2023-26090 + RESERVED +CVE-2023-26089 + RESERVED +CVE-2023-26088 + RESERVED +CVE-2023-26087 + RESERVED +CVE-2023-26086 + RESERVED +CVE-2023-26085 + RESERVED +CVE-2023-26084 + RESERVED +CVE-2023-26083 + RESERVED +CVE-2023-26082 + RESERVED +CVE-2023-26081 (In Epiphany (aka GNOME Web) through 43.0, untrusted web content can tr ...) + TODO: check +CVE-2023-26080 + RESERVED +CVE-2023-26079 + RESERVED +CVE-2023-26078 + RESERVED +CVE-2023-26077 + RESERVED +CVE-2023-26076 + RESERVED +CVE-2023-26075 + RESERVED +CVE-2023-26074 + RESERVED +CVE-2023-26073 + RESERVED +CVE-2023-26072 + RESERVED +CVE-2023-26071 + RESERVED +CVE-2023-26070 + RESERVED +CVE-2023-26069 + RESERVED +CVE-2023-26068 + RESERVED +CVE-2023-26067 + RESERVED +CVE-2023-26066 + RESERVED +CVE-2023-26065 + RESERVED +CVE-2023-26064 + RESERVED +CVE-2023-26063 + RESERVED +CVE-2023-26062 + RESERVED +CVE-2023-26061 + RESERVED +CVE-2023-26060 + RESERVED +CVE-2023-26059 + RESERVED +CVE-2023-26058 + RESERVED +CVE-2023-26057 + RESERVED +CVE-2023-0920 + RESERVED +CVE-2022-48329 (MISP before 2.4.166 unsafely allows users to use the order parameter, ...) + TODO: check +CVE-2022-48328 (app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.1 ...) + TODO: check +CVE-2021-4325 + RESERVED +CVE-2017-20179 + RESERVED +CVE-2015-10085 + RESERVED +CVE-2015-10084 + RESERVED +CVE-2015-10083 + RESERVED CVE-2023-0919 (Missing Authentication for Critical Function in GitHub repository kare ...) 
TODO: check CVE-2023-0918 (A vulnerability has been found in codeprojects Pharmacy Management Sys ...) @@ -34,10 +140,10 @@ CVE-2015-10080 RESERVED CVE-2014-125088 RESERVED -CVE-2013-10019 - RESERVED -CVE-2012-10008 - RESERVED +CVE-2013-10019 (A vulnerability was found in OCLC-Research OAICat 1.5.61. It has been ...) + TODO: check +CVE-2012-10008 (A vulnerability, which was classified as critical, has been found in u ...) + TODO: check CVE-2023-0911 RESERVED CVE-2023-0910 (A vulnerability has been found in SourceCodester Online Pizza Ordering ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b6b4b92b3c1eabf332297f797fb4a17d60407e0
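Review bot: in the first hunk, among the new entries that are not RESERVED, CVE-2023-26081 (GNOME Web/Epiphany through 43.0) is the one most likely to correspond to a Debian source package and should be triaged first; the Liima entries (CVE-2023-26092, CVE-2023-26093) and the MISP entries (CVE-2022-48328, CVE-2022-48329) still need an explicit archive check rather than staying at TODO: check, and the MISP pair is in fact resolved as NOT-FOR-US by the later "Process two NFUs" commit (bf8e04c7) on this page.

Review bot: in the second hunk CVE-2013-10019 and CVE-2012-10008 change from RESERVED to published descriptions; 2012/2013 IDs in the -10xxx range appearing in a 2023 automatic update are late assignments for old issues (OCLC-Research OAICat 1.5.61 for the first; the second's product name is cut off at "has been found in u ..."), so when triaging, confirm the affected software and version are present in a supported suite before spending time on them, and fetch the full description for the second since the product cannot be identified from the truncated text.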
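The entries in this automatic update show the line layout of data/CVE/list: an unindented CVE header with an optional parenthesised description, followed by indented detail lines (RESERVED, TODO: check, NOT-FOR-US: product, {DSA/DLA references}, "- package version (note)", "[suite] - package ..." overrides and NOTE: lines). The parser below is an added example written for this page, not the security-tracker's own tooling; it reads a constructed sample in that layout and returns the triage counts and per-suite package status a triager wants after an update. It additionally accepts the <unfixed>/<no-dsa> pseudo-version tokens used in the real file, which is an assumption (they do not appear in the rendered mails here), and treats a [suite]-tagged package line as overriding the untagged unstable line.

```python
"""Parse entries laid out like the Debian security tracker's data/CVE/list.

Added example for this page; not the tracker's own parser.  Covers the line
kinds visible in the commit mails plus the <unfixed>/<no-dsa> pseudo-versions
used in the real file (assumed; they are not shown in the rendered mails).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# "CVE-2023-26093 (Liima ... (HQL) injection, ...)" or a bare "CVE-2023-26101"
HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\((.*)\))?\s*$")
# "- emacs 1:28.2+1-8 (bug #1025009)", "[bullseye] - xemacs21 <no-dsa> (Minor issue)"
PKG_RE = re.compile(
    r"^(?:\[(?P<suite>[a-z-]+)\]\s+)?-\s+(?P<pkg>\S+)"
    r"(?:\s+(?P<ver>[^\s(]+))?"
    r"(?:\s+\((?P<note>[^)]*)\))?\s*$"
)
ADVISORY_RE = re.compile(r"^\{([^}]*)\}\s*$")


@dataclass
class Entry:
    cve: str
    description: Optional[str] = None
    status: str = "untriaged"          # RESERVED | TODO | NOT-FOR-US | tracked | untriaged
    nfu_reason: Optional[str] = None
    advisories: list = field(default_factory=list)
    packages: list = field(default_factory=list)   # (suite or None, pkg, version or None, note or None)
    notes: list = field(default_factory=list)


def parse_cve_list(text: str) -> list:
    """Split the file into entries: unindented CVE header, then indented detail lines."""
    entries, cur = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = HEADER_RE.match(raw)
            if not m:
                raise ValueError(f"unrecognised header line: {raw!r}")
            cur = Entry(cve=m.group(1), description=m.group(2))
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError("detail line before any CVE header")
        line = raw.strip()
        if line == "RESERVED":
            cur.status = "RESERVED"
        elif line.startswith("TODO:"):
            cur.status = "TODO"
        elif line.startswith("NOT-FOR-US:"):
            cur.status = "NOT-FOR-US"
            cur.nfu_reason = line.split(":", 1)[1].strip()
        elif line.startswith("NOTE:"):
            cur.notes.append(line[len("NOTE:"):].strip())
        elif (m := ADVISORY_RE.match(line)):
            cur.advisories.extend(m.group(1).split())
            cur.status = "tracked" if cur.status == "untriaged" else cur.status
        elif (m := PKG_RE.match(line)):
            cur.packages.append((m.group("suite"), m.group("pkg"), m.group("ver"), m.group("note")))
            cur.status = "tracked" if cur.status == "untriaged" else cur.status
        else:
            raise ValueError(f"unrecognised line under {cur.cve}: {raw!r}")
    return entries


def triage_summary(entries) -> dict:
    """Entries per status: the first figure a triager wants after an automatic update."""
    counts = {}
    for e in entries:
        counts[e.status] = counts.get(e.status, 0) + 1
    return counts


def todo_ids(entries) -> list:
    return [e.cve for e in entries if e.status == "TODO"]


def suite_status(entry, suite, pkg):
    """Line that applies to pkg in suite: a [suite]-tagged line overrides the
    untagged (unstable) one; None if the package is not listed on the entry."""
    for want_suite in (suite, None):
        for p in entry.packages:
            if p[1] == pkg and p[0] == want_suite:
                return p
    return None


# Constructed sample modelled on entries in the commit mails on this page; the
# <no-dsa> token on the bullseye line is assumed, it is not shown on the page.
SAMPLE = """\
CVE-2023-26101
\tRESERVED
CVE-2023-26093 (Liima before 1.17.28 allows Hibernate query language (HQL) injection, ...)
\tTODO: check
CVE-2023-26081 (In Epiphany (aka GNOME Web) through 43.0, untrusted web content can tr ...)
\tTODO: check
CVE-2022-48329 (MISP before 2.4.166 unsafely allows users to use the order parameter, ...)
\tNOT-FOR-US: MISP
CVE-2022-45939 (GNU Emacs through 28.2 allows attackers to execute commands via shell ...)
\t{DSA-5314-1 DLA-3257-1}
\t- emacs 1:28.2+1-8 (bug #1025009)
\t- xemacs21 21.4.24-11
\t[bullseye] - xemacs21 <no-dsa> (Minor issue)
\tNOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51
"""

if __name__ == "__main__":
    parsed = parse_cve_list(SAMPLE)
    print(triage_summary(parsed))
    print("to triage:", todo_ids(parsed))
    print("xemacs21 in bullseye:", suite_status(parsed[-1], "bullseye", "xemacs21"))
```

Run against a checkout of the tracker (`parse_cve_list(open("data/CVE/list").read())`) the same functions give the TODO: check backlog and the per-suite line for any package; unknown line kinds raise rather than being silently skipped, which is what you want on a file that other tooling consumes.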
[Git][security-tracker-team/security-tracker][master] lts: reclaim thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 4875a9b2 by Emilio Pozuelo Monfort at 2023-02-20T09:08:25+01:00 lts: reclaim thunderbird - - - - - 1 changed file: - data/dla-needed.txt
Changes: = data/dla-needed.txt = @@ -355,7 +355,7 @@ sssd NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- -thunderbird +thunderbird (Emilio) NOTE: 20230123: Programming language: C++ NOTE: 20230205: VCS: https://salsa.debian.org/mozilla-team/thunderbird.git NOTE: 20230205: Maintainer notes: Coordinate with maintainer
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4875a9b2d21731a14d49a6778f6c2b956885b51d
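Review bot: this claim is superseded four minutes later by commit 0147c2f7 ("Reserve DLA-3324-1 for thunderbird", also on this page), which deletes the whole block; nothing to change in the hunk itself, but the "NOTE: 20230205: Maintainer notes: Coordinate with maintainer" line does not carry over into the data/DLA/list entry, which holds only the CVE list and the buster version, so keep that coordination recorded in the DLA text or a follow-up note if it is still relevant.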