[Git][security-tracker-team/security-tracker][master] Track fixes for firefox-esr via unstable for mfsa2023-10
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e8aaa1a0 by Salvatore Bonaccorso at 2023-03-15T05:18:11+01:00 Track fixes for firefox-esr via unstable for mfsa2023-10 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -473,7 +473,7 @@ CVE-2023-28177 CVE-2023-28176 RESERVED - firefox - - firefox-esr + - firefox-esr 102.9.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28176 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28176 CVE-2023-28175 @@ -501,7 +501,7 @@ CVE-2023-28165 CVE-2023-28164 RESERVED - firefox - - firefox-esr + - firefox-esr 102.9.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28164 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28164 CVE-2023-28163 @@ -513,7 +513,7 @@ CVE-2023-28163 CVE-2023-28162 RESERVED - firefox - - firefox-esr + - firefox-esr 102.9.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28162 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28162 CVE-2023-28161 
@@ -7094,13 +7094,13 @@ CVE-2023-25753 CVE-2023-25752 RESERVED - firefox - - firefox-esr + - firefox-esr 102.9.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25752 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-25752 CVE-2023-25751 RESERVED - firefox - - firefox-esr + - firefox-esr 102.9.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-25751 CVE-2023-25750 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8aaa1a05f105ab8ebca6832227fa23ba06dd56a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8aaa1a05f105ab8ebca6832227fa23ba06dd56a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
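Review bot: the four hunks version exactly five firefox-esr lines (CVE-2023-28176, 28164, 28162, 25752, 25751) and leave CVE-2023-28163, which sits between the @@ -501 and @@ -513 hunks with its `(Windows-specific)` annotation, untouched; confirm that set against the ESR list in mfsa2023-10 so that no ESR CVE keeps an unversioned `- firefox-esr` line after the 102.9.0esr-1 upload. Nothing here changes the bullseye status, so the firefox-esr entry in dsa-needed.txt still has to be closed by the DSA, which will carry the bullseye version.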
[Git][security-tracker-team/security-tracker][master] Track fixed version for two emacs CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a7352919 by Salvatore Bonaccorso at 2023-03-14T22:55:18+01:00 Track fixed version for two emacs CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1310,14 +1310,14 @@ CVE-2023-1268 CVE-2023-1267 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Ulkem Company PtteM Kart CVE-2023-27986 (emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to E ...) - - emacs (bug #1032538) + - emacs 1:28.2+1-13 (bug #1032538) [bullseye] - emacs (Vulnerable code not present, introduced in 28.1) [buster] - emacs (Vulnerable code not present, introduced in 28.1) NOTE: https://www.openwall.com/lists/oss-security/2023/03/08/2 NOTE: Introduced by: http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29=b1b05c828d67930bb3b897fe98e1992db42cf23c (emacs-28.0.90) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29=3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc CVE-2023-27985 (emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to s ...) - - emacs (bug #1032538) + - emacs 1:28.2+1-13 (bug #1032538) [bullseye] - emacs (Vulnerable code not present, introduced in 28.1) [buster] - emacs (Vulnerable code not present, introduced in 28.1) NOTE: https://www.openwall.com/lists/oss-security/2023/03/08/2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a73529191994a7bd41fe7f66928ea803701e05f6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a73529191994a7bd41fe7f66928ea803701e05f6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
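Review bot: CVE-2023-27985 gets the same fixed version 1:28.2+1-13 as CVE-2023-27986 but only the oss-security NOTE, while 27986 also records the Introduced-by and Fixed-by emacs commits; add the corresponding commit references to 27985 (or a NOTE that the 27986 fix covers both) so the Debian version can be verified against upstream. Also, as rendered here the cgit links read `commit/?h=emacs-29=<hash>`, which cgit does not resolve without an `&id=` separator; check that the URLs in the committed file are intact.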
[Git][security-tracker-team/security-tracker][master] node-sqlite3 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6809e58e by Moritz Mühlenhoff at 2023-03-14T22:35:56+01:00 node-sqlite3 DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[14 Mar 2023] DSA-5373-1 node-sqlite3 - security update + {CVE-2022-43441} + [bullseye] - node-sqlite3 5.0.0+ds1-1+deb11u2 [13 Mar 2023] DSA-5372-1 rails - security update {CVE-2021-22942 CVE-2021-44528 CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2 CVE-2023-22792 CVE-2023-22794 CVE-2023-22795 CVE-2023-22796} [bullseye] - rails 2:6.0.3.7+dfsg-2+deb11u1 = data/dsa-needed.txt = @@ -28,8 +28,6 @@ linux (carnil) netatalk open regression with MacOS, tentative patch not yet merged upstream -- -node-sqlite3 (jmm) --- nodejs (aron) -- openimageio View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6809e58ee521beb8ce85a67881b529cc37e24ae4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6809e58ee521beb8ce85a67881b529cc37e24ae4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
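Review bot: only DSA/list and dsa-needed.txt are touched, so check that the CVE-2022-43441 entry in data/CVE/list carries no leftover [bullseye] annotation (postponed, no-dsa or `Minor issue`) that would contradict DSA-5373-1 now that bullseye is fixed in 5.0.0+ds1-1+deb11u2. Unrelated to the change itself, the DSA-5372-1 context line lists a truncated identifier `CVE-2022-2`; verify that the file has the full CVE id and that this is only a rendering cut.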
[Git][security-tracker-team/security-tracker][master] Track proposed node-webpack update via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf0bb595 by Salvatore Bonaccorso at 2023-03-14T21:56:54+01:00 Track proposed node-webpack update via bullseye-pu - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -575,6 +575,7 @@ CVE-2023-28155 RESERVED CVE-2023-28154 (Webpack 5 before 5.76.0 does not avoid cross-realm object access. Impo ...) - node-webpack 5.76.1+dfsg1+~cs17.16.16-1 (bug #1032904) + [bullseye] - node-webpack (Minor issue) NOTE: https://github.com/webpack/webpack/pull/16500 NOTE: Merge commit: https://github.com/webpack/webpack/commit/4b4ca3bb53f36a5b8fc6bc1bd976ed7af161bd80 (v5.76.0) CVE-2023-1363 (A vulnerability, which was classified as problematic, was found in Sou ...) = data/next-point-update.txt = @@ -146,3 +146,5 @@ CVE-2022-21222 [bullseye] - node-css-what 4.0.0-3+deb11u1 CVE-2021-33587 [bullseye] - node-css-what 4.0.0-3+deb11u1 +CVE-2023-28154 + [bullseye] - node-webpack 4.43.0-6+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf0bb595d0b6f59c1c7ef6f74e4e2767ead8e31b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf0bb595d0b6f59c1c7ef6f74e4e2767ead8e31b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
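Review bot: the CVE text (`Webpack 5 before 5.76.0`) and both NOTEs (PR 16500 and the v5.76.0 merge commit) describe the 5.x branch only, yet bullseye is tagged `(Minor issue)` and queued in next-point-update.txt with a 4.43.0-6+deb11u1 fix; add a NOTE stating whether the affected code is present in 4.43.0 and which upstream change is being backported, so the no-dsa tag and the bullseye-pu entry have a recorded basis. If 4.x turns out to be unaffected, the right annotation is not-affected rather than a point update.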
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 93b3c5d6 by Salvatore Bonaccorso at 2023-03-14T21:41:20+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53,21 +53,21 @@ CVE-2023-1400 CVE-2023-1399 RESERVED CVE-2023-1398 (A vulnerability classified as critical was found in XiaoBingBy TeaCMS ...) - TODO: check + NOT-FOR-US: XiaoBingBy TeaCMS CVE-2023-1397 (A vulnerability classified as problematic has been found in SourceCode ...) - TODO: check + NOT-FOR-US: SourceCodester Online Student Management System CVE-2023-1396 (A vulnerability was found in SourceCodester Online Tours Travels ...) - TODO: check + NOT-FOR-US: SourceCodester Online Tours & Travels Management System CVE-2023-1395 (A vulnerability was found in SourceCodester Yoga Class Registration Sy ...) - TODO: check + NOT-FOR-US: SourceCodester Yoga Class Registration System CVE-2023-1394 (A vulnerability was found in SourceCodester Online Graduate Tracer Sys ...) - TODO: check + NOT-FOR-US: SourceCodester Online Graduate Tracer System CVE-2023-1393 RESERVED CVE-2023-1392 (A vulnerability has been found in SourceCodester Online Pizza Ordering ...) - TODO: check + NOT-FOR-US: SourceCodester Online Pizza Ordering System CVE-2023-1391 (A vulnerability, which was classified as problematic, was found in Sou ...) - TODO: check + NOT-FOR-US: SourceCodester Online Tours & Travels Management System CVE-2023-1390 RESERVED CVE-2023-1389 @@ -2690,9 +2690,9 @@ CVE-2023-27465 CVE-2023-27464 RESERVED CVE-2023-27463 (A vulnerability has been identified in RUGGEDCOM CROSSBOW (All version ...) - TODO: check + NOT-FOR-US: RUGGEDCOM CROSSBOW CVE-2023-27462 (A vulnerability has been identified in RUGGEDCOM CROSSBOW (All version ...) - TODO: check + NOT-FOR-US: RUGGEDCOM CROSSBOW CVE-2023-27461 RESERVED CVE-2023-27460 
@@ -2804,23 +2804,23 @@ CVE-2023-27408 CVE-2023-27407 RESERVED CVE-2023-27406 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-27405 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-27404 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-27403 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-27402 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-27401 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-27400 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-27399 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-27398 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-27383 RESERVED CVE-2023-27307 @@ -3095,9 +3095,9 @@ CVE-2023-27312 CVE-2023-27311 RESERVED CVE-2023-27310 (A vulnerability has been identified in RUGGEDCOM CROSSBOW (All version ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-27309 (A vulnerability has been identified in RUGGEDCOM CROSSBOW (All version ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-23554 (Uncontrolled search path element vulnerability exists in pg_ivm versio ...) NOT-FOR-US: pg_ivm CVE-2023-22847 (Information disclosure vulnerability exists in pg_ivm versions prior t ...) 
@@ -3712,9 +3712,9 @@ CVE-2023-27076 CVE-2023-27075 RESERVED CVE-2023-27074 (BP Monitoring Management System v1.0 was discovered to contain a SQL i ...) - TODO: check + NOT-FOR-US: BP Monitoring Management System CVE-2023-27073 (A Cross-Site Request Forgery (CSRF) in Online Food Ordering System v1. ...) - TODO: check + NOT-FOR-US: Online Food Ordering System CVE-2023-27072 RESERVED CVE-2023-27071 @@ -6490,7 +6490,7 @@ CVE-2023-25959 CVE-2023-25958 RESERVED CVE-2023-25957 (A vulnerability has been identified in Mendix SAML (Mendix 7 compatibl ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-25956 (Generation of Error Message Containing Sensitive Information vulnerabi ...) NOT-FOR-US: Apache Airflow AWS Provider CVE-2023-25077 (Cross-site scripting vulnerability in Authentication Key Settings of E
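Review bot: the @@ -2690 and @@ -3095 hunks label the same product inconsistently, `NOT-FOR-US: RUGGEDCOM CROSSBOW` for CVE-2023-27463/27462 but `NOT-FOR-US: Siemens` for CVE-2023-27310/27309, and the Tecnomatix and Mendix entries also use the bare vendor name; settle on one form, preferably the product as the description names it, so a later search for RUGGEDCOM (or for Siemens) finds every related entry.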
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-28339/opendoas
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 539aa812 by Salvatore Bonaccorso at 2023-03-14T21:18:31+01:00 Add CVE-2023-28339/opendoas - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,13 @@ CVE-2023-28341 CVE-2023-28340 RESERVED CVE-2023-28339 (OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege es ...) - TODO: check + - doas + - opendoas + NOTE: https://github.com/Duncaen/OpenDoas/issues/106 + NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/4 + NOTE: Restricting ioctl on the kernel side seems the better approach, patches have been + NOTE: posted to kernel-hardening list, and can be mitigated with Linux 6.2, see option + NOTE: CONFIG_LEGACY_TIOCSTI. CVE-2023-28338 RESERVED CVE-2023-28337 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/539aa812d0b36b426ea02267ec0152171f5ce236 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/539aa812d0b36b426ea02267ec0152171f5ce236 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
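Review bot: `- doas` and `- opendoas` are added with no version and no per-suite annotation, so both packages now show as open in every suite although the NOTEs say the kernel-side approach is preferred; add suite tags (or a NOTE on how the entry is meant to be resolved) so it doesn't sit on the unfixed list without a plan. The last NOTE also reads as if Linux 6.2 by itself mitigates the issue; 6.2 only introduces CONFIG_LEGACY_TIOCSTI, and the mitigation is building with that option disabled, so reword it to `can be mitigated on Linux 6.2 and later by disabling CONFIG_LEGACY_TIOCSTI`.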
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 88a53a6f by security tracker role at 2023-03-14T20:10:33+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,101 @@ +CVE-2023-28342 + RESERVED +CVE-2023-28341 + RESERVED +CVE-2023-28340 + RESERVED +CVE-2023-28339 (OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege es ...) + TODO: check +CVE-2023-28338 + RESERVED +CVE-2023-28337 + RESERVED +CVE-2023-28336 + RESERVED +CVE-2023-28335 + RESERVED +CVE-2023-28334 + RESERVED +CVE-2023-28333 + RESERVED +CVE-2023-28332 + RESERVED +CVE-2023-28331 + RESERVED +CVE-2023-28330 + RESERVED +CVE-2023-28329 + RESERVED +CVE-2023-28328 + RESERVED +CVE-2023-28327 + RESERVED +CVE-2023-28326 + RESERVED +CVE-2023-1405 + RESERVED +CVE-2023-1404 + RESERVED +CVE-2023-1403 + RESERVED +CVE-2023-1402 + RESERVED +CVE-2023-1401 + RESERVED +CVE-2023-1400 + RESERVED +CVE-2023-1399 + RESERVED +CVE-2023-1398 (A vulnerability classified as critical was found in XiaoBingBy TeaCMS ...) + TODO: check +CVE-2023-1397 (A vulnerability classified as problematic has been found in SourceCode ...) + TODO: check +CVE-2023-1396 (A vulnerability was found in SourceCodester Online Tours Travels ...) + TODO: check +CVE-2023-1395 (A vulnerability was found in SourceCodester Yoga Class Registration Sy ...) + TODO: check +CVE-2023-1394 (A vulnerability was found in SourceCodester Online Graduate Tracer Sys ...) + TODO: check +CVE-2023-1393 + RESERVED +CVE-2023-1392 (A vulnerability has been found in SourceCodester Online Pizza Ordering ...) + TODO: check +CVE-2023-1391 (A vulnerability, which was classified as problematic, was found in Sou ...) + TODO: check +CVE-2023-1390 + RESERVED +CVE-2023-1389 + RESERVED +CVE-2023-1388 + RESERVED +CVE-2023-1387 + RESERVED +CVE-2023-1386 + RESERVED +CVE-2023-1385 + RESERVED +CVE-2023-1384 + RESERVED +CVE-2023-1383 + RESERVED +CVE-2023-1382 + RESERVED +CVE-2022-48410 + RESERVED +CVE-2022-48409 + RESERVED +CVE-2022-48408 + RESERVED +CVE-2022-48407 + RESERVED +CVE-2022-48406 + RESERVED +CVE-2022-48405 + RESERVED +CVE-2022-48404 + RESERVED +CVE-2022-48403 + RESERVED CVE-2023-28325 RESERVED CVE-2023-28324 
@@ -555,8 +653,7 @@ CVE-2023-28146 RESERVED CVE-2023-28145 RESERVED -CVE-2023-28144 - RESERVED +CVE-2023-28144 (KDAB Hotspot 1.3.x and 1.4.x through 1.4.1, in a non-default configura ...) - hotspot NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/8 NOTE: Introduced by: https://github.com/KDAB/hotspot/commit/3b4682565f0e53f903f3ad0f3f2c0f236d382efb (v1.3.0) @@ -977,8 +1074,8 @@ CVE-2023-1301 (A vulnerability, which was classified as critical, has been found NOT-FOR-US: SourceCodester CVE-2023-1300 (A vulnerability classified as critical was found in SourceCodester COV ...) NOT-FOR-US: SourceCodester -CVE-2023-1299 - RESERVED +CVE-2023-1299 (HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to es ...) + TODO: check CVE-2023-1298 RESERVED CVE-2023-28004 @@ -1019,8 +1116,8 @@ CVE-2023-27987 RESERVED CVE-2023-1297 RESERVED -CVE-2023-1296 - RESERVED +CVE-2023-1296 (HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correct ...) + TODO: check CVE-2023-1295 RESERVED CVE-2023-1294 (A vulnerability was found in SourceCodester File Tracker Manager Syste ...) @@ -2195,16 +2292,16 @@ CVE-2023-27591 RESERVED CVE-2023-27590 RESERVED -CVE-2023-27589 - RESERVED -CVE-2023-27588 - RESERVED +CVE-2023-27589 (Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE ...) + TODO: check +CVE-2023-27588 (Hasura is an open-source product that provides users GraphQL or REST A ...) + TODO: check CVE-2023-27587 (ReadtoMyShoe, a web app that lets users upload articles and listen to ...) NOT-FOR-US: ReadtoMyShoe CVE-2023-27586 RESERVED -CVE-2023-27585 - RESERVED +CVE-2023-27585 (PJSIP is a free and open source multimedia communication library writt ...) + TODO: check CVE-2023-27584 RESERVED CVE-2023-27583 (PanIndex is a network disk directory index. In Panindex prior to versi ...) 
@@ -2586,10 +2683,10 @@ CVE-2023-27465 RESERVED CVE-2023-27464 RESERVED -CVE-2023-27463 - RESERVED -CVE-2023-27462 - RESERVED +CVE-2023-27463 (A vulnerability has been identified in RUGGEDCOM CROSSBOW (All version ...) + TODO: check +CVE-2023-27462 (A vulnerability has
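Review bot: the @@ -555 hunk replaces the RESERVED placeholder for CVE-2023-28144 with the published text while keeping the manually added `- hotspot` line and NOTEs, which is the expected merge; the description's `in a non-default configuration` wording is the input for a severity tag on that entry, which is still missing. The new `TODO: check` items (CVE-2023-28339 OpenDoas, CVE-2023-1299 and 1296 Nomad, CVE-2023-27589 Minio, CVE-2023-27588 Hasura, CVE-2023-27585 PJSIP) need a triage pass; CVE-2023-27585 concerns a library (`PJSIP is a free and open source multimedia communication library`), so it cannot be dismissed the way the SourceCodester web apps are and should be checked against the archive for packages embedding it.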
[Git][security-tracker-team/security-tracker][master] Update note for CVE-2023-28144/hotspot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9d788fe by Salvatore Bonaccorso at 2023-03-14T20:54:46+01:00 Update note for CVE-2023-28144/hotspot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -560,6 +560,8 @@ CVE-2023-28144 - hotspot NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/8 NOTE: Introduced by: https://github.com/KDAB/hotspot/commit/3b4682565f0e53f903f3ad0f3f2c0f236d382efb (v1.3.0) + NOTE: Opt-In to allow privilege escalation (and disable by default): + NOTE: https://github.com/KDAB/hotspot/commit/65a246ce9196462081483fd07d97678dcfe36b9c CVE-2023-1356 RESERVED CVE-2023-1355 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.140 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9d788fe0ef8d62d7ce35390e8a6dfce5bc30696 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9d788fe0ef8d62d7ce35390e8a6dfce5bc30696 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
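Review bot: the added NOTE gives the fix commit but, unlike the Introduced-by line, no upstream tag in parentheses, so it is unclear whether any released hotspot version contains it; add the tag (or mark it unreleased) and reword `Opt-In to allow privilege escalation (and disable by default)`, which is ambiguous, to say that the commit makes the privileged path opt-in and disabled by default. The entry still has no fixed Debian version or suite tags, so hotspot remains open everywhere until that is filled in.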
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-28144/hotspot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e55bb019 by Salvatore Bonaccorso at 2023-03-14T20:48:35+01:00 Add CVE-2023-28144/hotspot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -557,6 +557,9 @@ CVE-2023-28145 RESERVED CVE-2023-28144 RESERVED + - hotspot + NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/8 + NOTE: Introduced by: https://github.com/KDAB/hotspot/commit/3b4682565f0e53f903f3ad0f3f2c0f236d382efb (v1.3.0) CVE-2023-1356 RESERVED CVE-2023-1355 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.140 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e55bb019aca85cb47fa5ebacd5a7a1e0b23f76cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e55bb019aca85cb47fa5ebacd5a7a1e0b23f76cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
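Review bot: `- hotspot` is added unversioned and without suite annotations while the Introduced-by NOTE pins the bug to v1.3.0; for any release shipping hotspot older than 1.3.0 add a `[suite] - hotspot ... (Vulnerable code not present, introduced in 1.3.0)` line in the form the emacs entries in this file use, otherwise those suites are reported as affected. Placing the `- hotspot` line under RESERVED is fine; the description will be filled in by the next automatic update.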
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-1380/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 08655120 by Salvatore Bonaccorso at 2023-03-14T20:44:12+01:00 Add CVE-2023-1380/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -426,6 +426,9 @@ CVE-2023-28159 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28159 CVE-2023-1380 RESERVED + - linux + NOTE: https://www.openwall.com/lists/oss-security/2023/03/13/1 + NOTE: https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.j...@yonsei.ac.kr/T/#u CVE-2023-1379 RESERVED CVE-2023-1378 (A vulnerability classified as critical was found in SourceCodester Fri ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0865512004e2e0a6214417b135f982720db69ace -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0865512004e2e0a6214417b135f982720db69ace You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
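Review bot: the second NOTE's lore.kernel.org link contains an elided address (`jisoo.j...@yonsei.ac.kr`), at least as rendered here, so a Message-ID based URL in that form would not resolve; store the full message id, and add the upstream fix commit with its tag once it lands, since the entry is currently a bare `- linux` with no version and no Introduced-by reference.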
[Git][security-tracker-team/security-tracker][master] Track temporarily experimental fix for CVE-2022-24803
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b61850c6 by Salvatore Bonaccorso at 2023-03-14T20:35:46+01:00 Track temporarily experimental fix for CVE-2022-24803 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -87695,6 +87695,7 @@ CVE-2022-24805 [A buffer overflow in the handling of the INDEX of NET-SNMP-VACM- CVE-2022-24804 (Discourse is an open source platform for community discussion. In stab ...) NOT-FOR-US: Discourse CVE-2022-24803 (Asciidoctor-include-ext is Asciidoctors standard include proces ...) + [experimental] - ruby-asciidoctor-include-ext 0.4.0-1 - ruby-asciidoctor-include-ext (bug #1009035) [bullseye] - ruby-asciidoctor-include-ext (Minor issue) NOTE: https://github.com/jirutka/asciidoctor-include-ext/security/advisories/GHSA-v222-6mr4-qj29 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b61850c6a2431bc1ef2b11c212a41515c0e6c75e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b61850c6a2431bc1ef2b11c212a41515c0e6c75e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
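Review bot: the new `[experimental] - ruby-asciidoctor-include-ext 0.4.0-1` line is added above the still unversioned unstable line, but nothing records why the fix is confined to experimental; add a NOTE with the reason (and the upstream fix commit, since only the GHSA advisory is referenced) so the next person knows when the unstable line can be versioned. The bullseye `(Minor issue)` tag is unchanged, which matches the commit message's `temporarily`.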
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3362-1 for qemu
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d08acceb by Sylvain Beucler at 2023-03-14T20:25:36+01:00 Reserve DLA-3362-1 for qemu - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -79523,7 +79523,6 @@ CVE-2022-1051 (The WPQA Builder Plugin WordPress plugin before 5.2, used as a co CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...) - qemu 1:7.1+dfsg-2 (bug #1014589) [bullseye] - qemu (Minor issue) - [buster] - qemu (pvrdma disabled in [1:3.1+dfsg-4, 1:4.1-1[) [stretch] - qemu (rdma devices introduced in v2.12) NOTE: https://gitlab.com/qemu-project/qemu/-/commit/31c4b6fb0293e359f9ef8a61892667e76eea4c99 (master, after v7.2.0) NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 until 1:4.1-1 @@ -93728,7 +93727,6 @@ CVE-2022-0218 (The WP HTML Mail WordPress plugin is vulnerable to unauthorized a CVE-2022-0216 (A use-after-free vulnerability was found in the LSI53C895A SCSI Host B ...) - qemu 1:7.1+dfsg-1 (bug #1014590) [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue, DoS, fix along with next DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036953 NOTE: https://starlabs.sg/advisories/22/22-0216/ NOTE: https://gitlab.com/qemu-project/qemu/-/issues/972 @@ -131949,7 +131947,6 @@ CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP ne - libslirp 4.6.1-1 (bug #989996) [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 - [buster] - qemu (Minor issue, fix along with next DLA, fixed in stretch-lts) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30 (v4.6.0) 
@@ -131959,7 +131956,6 @@ CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP ne - libslirp 4.6.1-1 (bug #989995) [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 - [buster] - qemu (Minor issue, fix along with next DLA, fixed in stretch-lts) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be49247c8c5feae7c6e0b50c4f569ca9824 (v4.6.0) NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. @@ -131968,7 +131964,6 @@ CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP ne - libslirp 4.6.1-1 (bug #989994) [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 - [buster] - qemu (Minor issue, fix along with next DLA, fixed in stretch-lts) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b (v4.6.0) NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. @@ -131976,7 +131971,6 @@ CVE-2021-3592 (An invalid pointer initialization issue was found in the SLiRP ne - libslirp 4.6.1-1 (bug #989993) [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 - [buster] - qemu (Minor issue, fix along in next DLA if doesn't introduce #994080) [stretch] - qemu (Introduces a regression. See Debian bug #994080. Reverted in DLA-2753-2) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275 (v4.6.0) 
@@ -174705,7 +174699,6 @@ CVE-2020-29130 (slirp.c in libslirp through 4.3.1 has a buffer over-read because {DLA-2560-1} - libslirp 4.4.0-1 - qemu 1:4.1-2 - [buster] - qemu (Fix along with next DLA, fixed in stretch-lts) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f (v4.4.0) NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. NOTE: https://github.com/rootless-containers/slirp4netns/security/advisories/GHSA-2j37-w439-87q3 @@ -188252,7 +188245,6 @@ CVE-2020-25086 (Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in CVE-2021-3409 (The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffectiv ...) {DLA-2623-1} - qemu 1:5.2+dfsg-10 (bug
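Review bot: the CVE/list hunks drop the `[buster]` lines for CVE-2022-1050, CVE-2022-0216, CVE-2021-3595/3594/3593/3592, CVE-2020-29130 and CVE-2021-3409 so that the DLA supplies buster's fixed version instead, but two of those removals deserve a comment: CVE-2022-1050's buster line said pvrdma was disabled in `[1:3.1+dfsg-4, 1:4.1-1[`, and the surviving NOTE still says so, so either buster was not affected and should not be listed in the DLA, or the NOTE should record that the patch is applied defensively; and CVE-2021-3592's buster line explicitly deferred the fix pending the regression in #994080 (the stretch line notes it was reverted in DLA-2753-2), so a NOTE should state that the buster build carries the corrected version of that fix. The DLA/list and dla-needed.txt hunks named in the header are not visible in this rendering.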
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2836c442 by Moritz Muehlenhoff at 2023-03-14T17:28:54+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -451,7 +451,7 @@ CVE-2023-1369 (A vulnerability was found in TG Soft Vir.IT eXplorer 9.4.86.0. It CVE-2023-1368 (A vulnerability was found in XHCMS 1.0. It has been declared as critic ...) NOT-FOR-US: XHCMS CVE-2023-1367 (Code Injection in GitHub repository alextselegidis/easyappointments pr ...) - TODO: check + NOT-FOR-US: alextselegidis/easyappointments CVE-2023-1366 (A vulnerability was found in SourceCodester Yoga Class Registration Sy ...) NOT-FOR-US: SourceCodester Yoga Class Registration System CVE-2023-1365 (A vulnerability was found in SourceCodester Online Pizza Ordering Syst ...) @@ -2192,7 +2192,7 @@ CVE-2023-27589 CVE-2023-27588 RESERVED CVE-2023-27587 (ReadtoMyShoe, a web app that lets users upload articles and listen to ...) - TODO: check + NOT-FOR-US: ReadtoMyShoe CVE-2023-27586 RESERVED CVE-2023-27585 @@ -2200,13 +2200,13 @@ CVE-2023-27585 CVE-2023-27584 RESERVED CVE-2023-27583 (PanIndex is a network disk directory index. In Panindex prior to versi ...) - TODO: check + NOT-FOR-US: PanIndex CVE-2023-27582 (maddy is a composable, all-in-one mail server. Starting with version 0 ...) - TODO: check + NOT-FOR-US: maddy CVE-2023-27581 (github-slug-action is a GitHub Action to expose slug value of GitHub e ...) - TODO: check + NOT-FOR-US: github-slug-action CVE-2023-27580 (CodeIgniter Shield provides authentication and authorization for the C ...) - TODO: check + NOT-FOR-US: CodeIgniter CVE-2023-27579 RESERVED CVE-2023-27578 @@ -3645,7 +3645,7 @@ CVE-2023-27054 CVE-2023-27053 RESERVED CVE-2023-27052 (E-Commerce System v1.0 ws discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: E-Commerce System CVE-2023-27051 RESERVED CVE-2023-27050 
@@ -5348,7 +5348,7 @@ CVE-2023-26315 CVE-2023-0979 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: MedData Informatics MedDataPACS CVE-2023-0978 (A command injection vulnerability in Trellix Intelligent Sandbox CLI f ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-0977 RESERVED CVE-2023-0976 @@ -5358,7 +5358,7 @@ CVE-2023-0975 CVE-2023-0974 RESERVED CVE-2023-0973 (STEPTools v18SP1 ifcmesh library (v18.1) is affected due to a null poi ...) - TODO: check + NOT-FOR-US: STEPTools ifcmesh library CVE-2023-0972 RESERVED CVE-2023-0971 @@ -6403,7 +6403,7 @@ CVE-2023-0890 CVE-2023-0889 RESERVED CVE-2023-0888 (An improper neutralization of directives in dynamically evaluated code ...) - TODO: check + NOT-FOR-US: Space Battery Pack SP with Wi-Fi CVE-2023-0887 (A vulnerability was found in phjounin TFTPD64-SE 4.64 and classified a ...) NOT-FOR-US: phjounin TFTPD64-SE CVE-2023-0886 @@ -6809,9 +6809,9 @@ CVE-2023-25805 (versionn, software for changing version information across multi CVE-2023-25804 RESERVED CVE-2023-25803 (Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Ke ...) - TODO: check + NOT-FOR-US: Roxy-WI CVE-2023-25802 (Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Ke ...) - TODO: check + NOT-FOR-US: Roxy-WI CVE-2023-25801 RESERVED CVE-2023-25800 @@ -8509,7 +8509,7 @@ CVE-2023-25285 CVE-2023-25284 RESERVED CVE-2023-25283 (A stack overflow vulnerability in D-Link DIR820LA1_FW106B02 allows att ...) - TODO: check + NOT-FOR-US: D-Link CVE-2023-25282 RESERVED CVE-2023-25281 @@ -8517,7 +8517,7 @@ CVE-2023-25281 CVE-2023-25280 RESERVED CVE-2023-25279 (OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows ...) - TODO: check + NOT-FOR-US: D-Link CVE-2023-25278 RESERVED CVE-2023-25277 
@@ -8664,7 +8664,7 @@ CVE-2023-25209 CVE-2023-25208 RESERVED CVE-2023-25207 (PrestaShop dpdfrance 6.1.3 is vulnerable to SQL Injection via dpdf ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2023-25206 RESERVED CVE-2023-25205 @@ -8832,7 +8832,7 @@ CVE-2023-25172 CVE-2023-25171 (Kiwi TCMS, an open source test management system, does not impose rate ...) NOT-FOR-US: Kiwi TCMS CVE-2023-25170 (PrestaShop is an open source e-commerce web application that, prior to ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2023-25169 (discourse-yearly-review is a discourse plugin which publishes an autom ...) NOT-FOR-US: Discourse plugin CVE-2023-25168 (Wings is Pterodactyl's server control plane. This vulnerability can be
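Review bot: the @@ -2200 hunk labels CVE-2023-27580 `NOT-FOR-US: CodeIgniter` although the description names `CodeIgniter Shield`, the add-on, and CVE-2023-0978 is labeled by vendor (`Trellix`) rather than by product (`Trellix Intelligent Sandbox CLI`); use the product name as the description gives it, as most of the other entries in this commit do (`Roxy-WI`, `PanIndex`, `maddy`), so the NFU text records exactly what was dismissed.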
[Git][security-tracker-team/security-tracker][master] new firefox-esr issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f0ec73f by Moritz Muehlenhoff at 2023-03-14T16:38:47+01:00 new firefox-esr issues - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -369,7 +369,9 @@ CVE-2023-28177 CVE-2023-28176 RESERVED - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28176 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28176 CVE-2023-28175 RESERVED CVE-2023-28174 @@ -395,15 +397,21 @@ CVE-2023-28165 CVE-2023-28164 RESERVED - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28164 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28164 CVE-2023-28163 RESERVED - firefox (Windows-specific) + - firefox-esr (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28163 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28163 CVE-2023-28162 RESERVED - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28162 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28162 CVE-2023-28161 RESERVED - firefox @@ -6974,11 +6982,15 @@ CVE-2023-25753 CVE-2023-25752 RESERVED - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25752 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-25752 CVE-2023-25751 RESERVED - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25751 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-25751 CVE-2023-25750 RESERVED - firefox = data/dsa-needed.txt = 
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- apache2 (jmm) -- +firefox-esr (jmm) +-- gpac (aron) -- jupyter-core View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f0ec73fc55333502c21abea1eef459aa12a3a5b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f0ec73fc55333502c21abea1eef459aa12a3a5b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
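Review bot: in the @@ -395,15 +397,21 @@ hunk CVE-2023-28163 is added as "- firefox-esr (Windows-specific)" with no status tag, so the parenthetical is free text and the entry reads as an open firefox-esr issue; if the Windows-only scope means the Debian package is not affected, a "<not-affected> (Windows-specific)" annotation would record that in a form the tracker can act on rather than leaving it to whoever reads the note.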
[Git][security-tracker-team/security-tracker][master] new firefox issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b17b3dc by Moritz Muehlenhoff at 2023-03-14T16:35:47+01:00 new firefox issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -364,8 +364,12 @@ CVE-2023-28178 RESERVED CVE-2023-28177 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28177 CVE-2023-28176 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28176 CVE-2023-28175 RESERVED CVE-2023-28174 @@ -390,16 +394,28 @@ CVE-2023-28165 RESERVED CVE-2023-28164 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28164 CVE-2023-28163 RESERVED + - firefox (Windows-specific) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28163 CVE-2023-28162 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28162 CVE-2023-28161 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28161 CVE-2023-28160 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28160 CVE-2023-28159 RESERVED + - firefox (Android-specific) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28159 CVE-2023-1380 RESERVED CVE-2023-1379 
@@ -6957,14 +6973,24 @@ CVE-2023-25753 RESERVED CVE-2023-25752 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25752 CVE-2023-25751 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25751 CVE-2023-25750 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25750 CVE-2023-25749 RESERVED + - firefox (Android-specific) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25749 CVE-2023-25748 RESERVED + - firefox (Android-specific) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25748 CVE-2023-25747 RESERVED CVE-2023-25746 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b17b3dc121dc764b5f7b09867964f11c5411148 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b17b3dc121dc764b5f7b09867964f11c5411148 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
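Review bot: in the @@ -390,16 +394,28 @@ hunk CVE-2023-28163 ("Windows-specific") and CVE-2023-28159 ("Android-specific") are added as plain "- firefox" entries, so they are tracked as open issues in the Debian package even though the parenthetical says the affected code path is platform-specific; if the Debian build is not affected, "<not-affected> (Windows-specific)" / "<not-affected> (Android-specific)" makes that explicit instead of relying on the free-text note.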
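Review bot: in the @@ -6957,14 +6973,24 @@ hunk CVE-2023-25749 and CVE-2023-25748 are both tagged "(Android-specific)" yet recorded as open "- firefox" entries; since Debian ships no Android build of firefox, consider whether these should carry a "<not-affected>" marker so they do not show up as unfixed against the package.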
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a1b5eb28 by Moritz Muehlenhoff at 2023-03-14T16:29:52+01:00 bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -557,6 +557,7 @@ CVE-2023-1351 (A vulnerability classified as critical has been found in SourceCo NOT-FOR-US: SourceCodester Computer Parts Sales and Inventory System CVE-2023-1350 (A vulnerability was found in liferea. It has been rated as critical. A ...) - liferea 1.14.1-1 (bug #1032822) + [bullseye] - liferea (Minor issue) NOTE: Introduced by: https://github.com/lwindolf/liferea/commit/b8288389820a3f510ef4b21684b22439c41d95a5 (v1.12.0) NOTE: introduced by: https://github.com/lwindolf/liferea/commit/b67dbba73443ab7b36fcd3c78aa803e974c0f23e (v1.12.0) NOTE: Fixed by: https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59 (v1.14.1) @@ -1003,6 +1004,7 @@ CVE-2023-1290 (A vulnerability, which was classified as critical, has been found CVE-2023-1289 RESERVED - imagemagick + [bullseye] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr NOTE: https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4 CVE-2023-1288 (An XML External Entity injection (XXE) vulnerability in ENOVIA Live Co ...) @@ -2112,6 +2114,7 @@ CVE-2023-1176 RESERVED CVE-2023-1175 (Incorrect Calculation of Buffer Size in GitHub repository vim/vim prio ...) - vim 2:9.0.1378-1 + [bullseye] - vim (Minor issue) NOTE: https://huntr.dev/bounties/7e93fc17-92eb-4ae7-b01a-93bb460b643e NOTE: https://github.com/vim/vim/commit/c99cbf8f289bdda5d4a77d7ec415850a520330ba (v9.0.1378) CVE-2022-4930 (A vulnerability classified as problematic was found in nuxsmin sysPass ...) 
@@ -2245,9 +2248,10 @@ CVE-2023-1172 CVE-2023-1171 RESERVED CVE-2023-1170 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) - - vim 2:9.0.1378-1 + - vim 2:9.0.1378-1 (unimportant) NOTE: https://huntr.dev/bounties/286e0090-e654-46d2-ac60-29f81799d0a4 NOTE: https://github.com/vim/vim/commit/1c73b65229c25e3c1fd8824ba958f7cc4d604f9c (v9.0.1376) + NOTE: Crash in CLI tool, no security impact CVE-2023-1169 RESERVED CVE-2015-10089 (A vulnerability classified as problematic has been found in flame.js. ...) @@ -7762,6 +7766,7 @@ CVE-2023-25567 (GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that imple NOTE: https://github.com/gssapi/gss-ntlmssp/commit/025fbb756d44ffee8f847db4222ed6aa4bd1fbe4 (v1.2.0) CVE-2023-25566 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implement ...) - gss-ntlmssp 1.2.0-1 (bug #1031369) + [bullseye] - gss-ntlmssp (Vulnerable code not present) NOTE: https://github.com/gssapi/gss-ntlmssp/security/advisories/GHSA-mfm4-6g58-jw74 NOTE: https://github.com/gssapi/gss-ntlmssp/commit/8660fb16474054e692a596e9c79670cd4d3954f4 (v1.2.0) CVE-2023-25565 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implement ...) @@ -7770,6 +7775,7 @@ CVE-2023-25565 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that imp NOTE: https://github.com/gssapi/gss-ntlmssp/commit/c16100f60907a2de92bcb676f303b81facee0f64 (v1.2.0) CVE-2023-25564 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implement ...) - gss-ntlmssp 1.2.0-1 (bug #1031369) + [bullseye] - gss-ntlmssp (Vulnerable code not present) NOTE: https://github.com/gssapi/gss-ntlmssp/security/advisories/GHSA-r85x-q5px-9xfq NOTE: https://github.com/gssapi/gss-ntlmssp/commit/c753000eb31835c0664e528fbc99378ae0cbe950 (v1.2.0) CVE-2023-25563 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implement ...) 
@@ -48847,6 +48853,7 @@ CVE-2022-38102 RESERVED CVE-2022-38090 (Improper isolation of shared resources in some Intel(R) Processors whe ...) - intel-microcode (bug #1031334) + [bullseye] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00767.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214 CVE-2022-38084 @@ -54402,6 +54409,7 @@ CVE-2022-34657 RESERVED CVE-2022-33196 (Incorrect default permissions in some memory controller configurations ...) - intel-microcode (bug #1031334) + [bullseye] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00738.html NOTE:
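Review bot: in the @@ -2245,9 +2248,10 @@ hunk CVE-2023-1170 is downgraded to "(unimportant)" on the strength of "NOTE: Crash in CLI tool, no security impact", but the description calls it a heap-based buffer overflow; a short reason why the overflow is considered non-exploitable (for example a read-only overrun, or one reachable only through a file the user chooses to open) would make the downgrade auditable, particularly since the sibling CVE-2023-1175 in the @@ -2112 hunk keeps "Minor issue" rather than "unimportant".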
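Review bot: in the @@ -7762,6 +7766,7 @@ and @@ -7770,6 +7775,7 @@ hunks the added lines "[bullseye] - gss-ntlmssp (Vulnerable code not present)" give a not-affected rationale without a status tag, so the reason sits next to an annotation that otherwise reads like a minor-issue deferral; "[bullseye] - gss-ntlmssp <not-affected> (Vulnerable code not present)" states what the reason text already says and keeps bullseye from being listed as vulnerable for these CVEs.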
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-4144/qemu: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: c6ea268e by Sylvain Beucler at 2023-03-14T15:00:46+01:00 CVE-2022-4144/qemu: buster postponed - - - - - e04cdcf3 by Sylvain Beucler at 2023-03-14T15:04:26+01:00 CVE-2023-0330/qemu: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13012,6 +13012,7 @@ CVE-2023-0330 (A vulnerability in the lsi53c895a device affects the latest versi - qemu (bug #1029155) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue, waiting for sanctioned patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2160151 NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html NOTE: No sanctioned upstream patch as of 2023-03-09 @@ -25613,6 +25614,7 @@ CVE-2022-45898 CVE-2022-4144 (An out-of-bounds read flaw was found in the QXL display device emulati ...) - qemu 1:7.2+dfsg-1 [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue, DoS) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2148506 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg04143.html NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1336 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/629d2aaf9e97ee59315bade07c0666111312bdd6...e04cdcf309558f3fb3b64ca621ea9b34f41351ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/629d2aaf9e97ee59315bade07c0666111312bdd6...e04cdcf309558f3fb3b64ca621ea9b34f41351ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
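Review bot: both commit messages say "buster postponed", but neither added line carries a "<postponed>" tag: the @@ -13012,6 +13012,7 @@ hunk adds "[buster] - qemu (Minor issue, waiting for sanctioned patch)" and the @@ -25613,6 +25614,7 @@ hunk adds "[buster] - qemu (Minor issue, DoS)"; if LTS tracking is meant to distinguish a postponed fix from a plain no-DSA decision, make the tag explicit, for example "[buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch)".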
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 629d2aaf by Salvatore Bonaccorso at 2023-03-14T13:13:24+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1269,13 +1269,13 @@ CVE-2023-27898 (Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 throug CVE-2023-27897 RESERVED CVE-2023-27896 (In SAP BusinessObjects Business Intelligence Platform - version 420, 4 ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-27895 (SAP Authenticator for Android - version 1.3.0, allows the screen to be ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-27894 (SAP BusinessObjects Business Intelligence Platform (Web Services) - ve ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-27893 (An attacker authenticated as a user with a non-administrative role and ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-1258 RESERVED CVE-2023-1257 (An attacker with physical access to the affected Moxa UC Series device ...) @@ -2413,13 +2413,13 @@ CVE-2023-27506 CVE-2023-27505 RESERVED CVE-2023-27501 (SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-27500 (An attacker with non-administrative authorizations can exploit a direc ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-27499 RESERVED CVE-2023-27498 (SAP Host Agent (SAPOSCOL) - version 7.22, allows an unauthenticated at ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-27497 RESERVED CVE-2023-27393 
@@ -3075,13 +3075,13 @@ CVE-2023-27273 CVE-2023-27272 RESERVED CVE-2023-27271 (In SAP BusinessObjects Business Intelligence Platform (Web Services) - ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-27270 (SAP NetWeaver Application Server for ABAP and ABAP Platform - versions ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-27269 (SAP NetWeaver Application Server for ABAP and ABAP Platform - versions ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-27268 (SAP NetWeaver AS Java (Object Analyzing Service) - version 7.50, does ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-27267 RESERVED CVE-2023-27266 (Mattermost fails to honor the ShowEmailAddress setting when constructi ...) @@ -5024,15 +5024,15 @@ CVE-2023-26463 CVE-2023-26462 (ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privi ...) NOT-FOR-US: ThingsBoard CVE-2023-26461 (SAP NetWeaver allows (SAP Enterprise Portal) - version 7.50, allows an ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-26460 (Cache Management Service in SAP NetWeaver Application Server for Java ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-26459 (Due to improper input controls In SAP NetWeaver AS for ABAP and ABAP P ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-26458 RESERVED CVE-2023-26457 (SAP Content Server - version 7.53, does not sufficiently encode user-c ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-26456 RESERVED CVE-2023-26455 
@@ -7536,13 +7536,13 @@ CVE-2023-25620 CVE-2023-25619 RESERVED CVE-2023-25618 (SAP NetWeaver Application Server for ABAP and ABAP Platform - versions ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-25617 (SAP Business Object (Adaptive Job Server) - versions 420, 430, allows ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-25616 (In some scenario, SAP Business Objects Business Intelligence Platform ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-25615 (Due to insufficient input sanitization, SAP ABAP - versions 751, 753, ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-25614 (SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, ...) NOT-FOR-US: SAP CVE-2023-25613 (An LDAP Injection vulnerability exists in the LdapIdentityBackend of A ...) @@ -10599,7 +10599,7 @@ CVE-2023-24528 (SAP Fiori apps for Travel Management in SAP ERP (My Travel Reque CVE-2023-24527 RESERVED CVE-2023-24526 (SAP NetWeaver Application Server Java for Classload Service - version ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-24525 (SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, ...) NOT-FOR-US: SAP CVE-2023-24524 (SAP S/4 HANA Map Treasury Correspondence Format Data does not perform ...) @@ -12333,7 +12333,7 @@ CVE-2023-23859 (SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, CVE-2023-23858 (Due to insufficient input validation, SAP NetWeaver AS for ABAP and AB ...) NOT-FOR-US: SAP CVE-2023-23857 (Due to missing authentication check, SAP NetWeaver AS for Java - versi ...) - TODO: check + NOT-FOR-US: SAP CVE-2023-23856 (In SAP BusinessObjects
[Git][security-tracker-team/security-tracker][master] CVE-2022-4144/qemu: reference another pre-requisite
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 856ac826 by Sylvain Beucler at 2023-03-14T11:40:18+01:00 CVE-2022-4144/qemu: reference another pre-requisite - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25616,8 +25616,9 @@ CVE-2022-4144 (An out-of-bounds read flaw was found in the QXL display device em NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2148506 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg04143.html NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1336 - NOTE: https://gitlab.com/qemu-project/qemu/-/commit/8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f (v7.2.0-rc3) - NOTE: https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 (v7.2.0-rc3) + NOTE: Pre-requisite 1: https://gitlab.com/qemu-project/qemu/-/commit/61c34fc194b776ecadc39fb26b061331107e5599 (v7.2.0-rc3) + NOTE: Pre-requisite 2: https://gitlab.com/qemu-project/qemu/-/commit/8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f (v7.2.0-rc3) + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 (v7.2.0-rc3) CVE-2022-4143 RESERVED CVE-2022-4142 (The WordPress Filter Gallery Plugin WordPress plugin before 0.1.6 does ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/856ac82660582ee4b0d365128c70f9f07c832e32 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/856ac82660582ee4b0d365128c70f9f07c832e32 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
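Review bot: the commit message says "reference another pre-requisite", but the @@ -25616,8 +25616,9 @@ hunk also reclassifies commit 8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f, added by 4ae9fea0 as the "first patch half", to "Pre-requisite 2" and labels 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 as "Fixed by:"; that relabelling changes which commit a backporter treats as the actual fix and deserves a mention in the message.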
[Git][security-tracker-team/security-tracker][master] CVE-2022-1050/qemu: move pvrdma info to NOTE for consistency
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 44c667e0 by Sylvain Beucler at 2023-03-14T11:11:04+01:00 CVE-2022-1050/qemu: move pvrdma info to NOTE for consistency - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -79476,6 +79476,7 @@ CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's paravirtu [buster] - qemu (pvrdma disabled in [1:3.1+dfsg-4, 1:4.1-1[) [stretch] - qemu (rdma devices introduced in v2.12) NOTE: https://gitlab.com/qemu-project/qemu/-/commit/31c4b6fb0293e359f9ef8a61892667e76eea4c99 (master, after v7.2.0) + NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 until 1:4.1-1 CVE-2022-1049 (A flaw was found in the Pacemaker configuration tool (pcs). The pcs da ...) {DSA-5226-1 DLA-3108-1} - pcs 0.11.3-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44c667e0ee829e2d665257a9a5b7e0813a3db81d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44c667e0ee829e2d665257a9a5b7e0813a3db81d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
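Review bot: the commit message says the pvrdma information is moved to a NOTE for consistency, but the @@ -79476,6 +79476,7 @@ hunk only adds a line; the "[buster] - qemu (pvrdma disabled in [1:3.1+dfsg-4, 1:4.1-1[)" annotation remains as context, so the version range now appears twice in two notations ("[1:3.1+dfsg-4, 1:4.1-1[" versus "disabled again in 1:3.1+dfsg-4 until 1:4.1-1"); either trim the buster annotation or state in the message that the duplication is intended.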
[Git][security-tracker-team/security-tracker][master] CVE-2022-4144/qemu: reference first patch half
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ae9fea0 by Sylvain Beucler at 2023-03-14T11:06:01+01:00 CVE-2022-4144/qemu: reference first patch half - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25616,7 +25616,8 @@ CVE-2022-4144 (An out-of-bounds read flaw was found in the QXL display device em NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2148506 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg04143.html NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1336 - NOTE: https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f (v7.2.0-rc3) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 (v7.2.0-rc3) CVE-2022-4143 RESERVED CVE-2022-4142 (The WordPress Filter Gallery Plugin WordPress plugin before 0.1.6 does ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ae9fea0dcfe0942546a9b3ce0750d97ef6476b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ae9fea0dcfe0942546a9b3ce0750d97ef6476b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
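Review bot: the @@ -25616,7 +25616,8 @@ hunk adds a second commit URL with the same "(v7.2.0-rc3)" marker, but neither NOTE says which commit is which half of the fix even though the commit message calls 8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f the "first patch half"; a prefix on each line (for example "NOTE: Fixed by (1/2):") would carry that ordering into the tracker, where a backporter will look for it.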
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 93b7c3c7 by security tracker role at 2023-03-14T08:10:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,291 @@ +CVE-2023-28325 + RESERVED +CVE-2023-28324 + RESERVED +CVE-2023-28323 + RESERVED +CVE-2023-28322 + RESERVED +CVE-2023-28321 + RESERVED +CVE-2023-28320 + RESERVED +CVE-2023-28319 + RESERVED +CVE-2023-28318 + RESERVED +CVE-2023-28317 + RESERVED +CVE-2023-28316 + RESERVED +CVE-2023-28315 + RESERVED +CVE-2023-28314 + RESERVED +CVE-2023-28313 + RESERVED +CVE-2023-28312 + RESERVED +CVE-2023-28311 + RESERVED +CVE-2023-28310 + RESERVED +CVE-2023-28309 + RESERVED +CVE-2023-28308 + RESERVED +CVE-2023-28307 + RESERVED +CVE-2023-28306 + RESERVED +CVE-2023-28305 + RESERVED +CVE-2023-28304 + RESERVED +CVE-2023-28303 + RESERVED +CVE-2023-28302 + RESERVED +CVE-2023-28301 + RESERVED +CVE-2023-28300 + RESERVED +CVE-2023-28299 + RESERVED +CVE-2023-28298 + RESERVED +CVE-2023-28297 + RESERVED +CVE-2023-28296 + RESERVED +CVE-2023-28295 + RESERVED +CVE-2023-28294 + RESERVED +CVE-2023-28293 + RESERVED +CVE-2023-28292 + RESERVED +CVE-2023-28291 + RESERVED +CVE-2023-28290 + RESERVED +CVE-2023-28289 + RESERVED +CVE-2023-28288 + RESERVED +CVE-2023-28287 + RESERVED +CVE-2023-28286 + RESERVED +CVE-2023-28285 + RESERVED +CVE-2023-28284 + RESERVED +CVE-2023-28283 + RESERVED +CVE-2023-28282 + RESERVED +CVE-2023-28281 + RESERVED +CVE-2023-28280 + RESERVED +CVE-2023-28279 + RESERVED +CVE-2023-28278 + RESERVED +CVE-2023-28277 + RESERVED +CVE-2023-28276 + RESERVED +CVE-2023-28275 + RESERVED +CVE-2023-28274 + RESERVED +CVE-2023-28273 + RESERVED +CVE-2023-28272 + RESERVED +CVE-2023-28271 + RESERVED +CVE-2023-28270 + RESERVED +CVE-2023-28269 + RESERVED +CVE-2023-28268 + RESERVED +CVE-2023-28267 + RESERVED +CVE-2023-28266 + RESERVED +CVE-2023-28265 + RESERVED +CVE-2023-28264 + RESERVED +CVE-2023-28263 + RESERVED +CVE-2023-28262 + RESERVED +CVE-2023-28261 + RESERVED +CVE-2023-28260 + RESERVED +CVE-2023-28259 + RESERVED +CVE-2023-28258 + RESERVED +CVE-2023-28257 + RESERVED +CVE-2023-28256 + RESERVED +CVE-2023-28255 + RESERVED +CVE-2023-28254 + RESERVED +CVE-2023-28253 + RESERVED 
+CVE-2023-28252 + RESERVED +CVE-2023-28251 + RESERVED +CVE-2023-28250 + RESERVED +CVE-2023-28249 + RESERVED +CVE-2023-28248 + RESERVED +CVE-2023-28247 + RESERVED +CVE-2023-28246 + RESERVED +CVE-2023-28245 + RESERVED +CVE-2023-28244 + RESERVED +CVE-2023-28243 + RESERVED +CVE-2023-28242 + RESERVED +CVE-2023-28241 + RESERVED +CVE-2023-28240 + RESERVED +CVE-2023-28239 + RESERVED +CVE-2023-28238 + RESERVED +CVE-2023-28237 + RESERVED +CVE-2023-28236 + RESERVED +CVE-2023-28235 + RESERVED +CVE-2023-28234 + RESERVED +CVE-2023-28233 + RESERVED +CVE-2023-28232 + RESERVED +CVE-2023-28231 + RESERVED +CVE-2023-28230 + RESERVED +CVE-2023-28229 + RESERVED +CVE-2023-28228 + RESERVED +CVE-2023-28227 + RESERVED +CVE-2023-28226 + RESERVED +CVE-2023-28225 + RESERVED +CVE-2023-28224 + RESERVED +CVE-2023-28223 + RESERVED +CVE-2023-28222 + RESERVED +CVE-2023-28221 + RESERVED +CVE-2023-28220 + RESERVED +CVE-2023-28219 + RESERVED +CVE-2023-28218 + RESERVED +CVE-2023-28217 + RESERVED +CVE-2023-28216 + RESERVED +CVE-2023-27917 + RESERVED +CVE-2023-27389 + RESERVED +CVE-2023-23575 + RESERVED +CVE-2023-1381 + RESERVED +CVE-2022-48402 + RESERVED +CVE-2022-48401 + RESERVED +CVE-2022-48400 + RESERVED +CVE-2022-48399 + RESERVED +CVE-2022-48398 + RESERVED +CVE-2022-48397 + RESERVED +CVE-2022-48396 + RESERVED +CVE-2022-48395 + RESERVED +CVE-2022-48394 + RESERVED +CVE-2022-48393 + RESERVED +CVE-2020-36680 + RESERVED +CVE-2020-36679 + RESERVED +CVE-2020-36678 + RESERVED +CVE-2020-36677 + RESERVED +CVE-2020-36676 + RESERVED +CVE-2020-36675 + RESERVED +CVE-2020-36674 + RESERVED +CVE-2020-36673 + RESERVED +CVE-2020-36672 + RESERVED +CVE-2020-36671 + RESERVED +CVE-2019-25115 + RESERVED +CVE-2019-25114 + RESERVED +CVE-2019-25113 + RESERVED +CVE-2019-25112 + RESERVED +CVE-2019-25111 + RESERVED +CVE-2019-25110 + RESERVED +CVE-2019-25109 +