[Git][security-tracker-team/security-tracker][master] fill in details for CVE-2023-1667
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6335d9da by Moritz Muehlenhoff at 2023-05-09T08:55:06+02:00 fill in details for CVE-2023-1667 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -7143,8 +7143,16 @@ CVE-2023-1668 (A flaw was found in openvswitch (OVS). When processing an IP pack CVE-2023-1667 RESERVED - libssh - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2182199 - TODO: check details + NOTE: https://www.libssh.org/security/advisories/CVE-2023-1667.txt + NOTE: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=dc1254d53e4fc6cbeb4797fc6ca1c9ed2c21f15c (stable-0.10) + NOTE: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=d08f1b2377fead6489aa1d6a102bf65895ecf858 (stable-0.10) + NOTE: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=70565ac43867053871f47378c53e5d90ba9007d8 (stable-0.10) + NOTE: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=fc1a8bb4555624f85ba1370721ad2086a4feff8c (stable-0.10) + NOTE: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=b759ae557d611ba347392c051504de474a8d9b60 (stable-0.10) + NOTE: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=6df2daea040c47daff0a861a30761092886fe748 (stable-0.10) + NOTE: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=99760776d4552d8e63edd68ba4a7448766517b8c (stable-0.10) + NOTE: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=247a4a761cfa745ed1090290c5107de6321143c9 (stable-0.10) + NOTE: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=a30339d7b16da7784413e4a4667feb3604ed0458 (stable-0.10) CVE-2023-1666 (A vulnerability has been found in SourceCodester Automatic Question Pa ...) NOT-FOR-US: SourceCodester Automatic Question Paper Generator System CVE-2023-1665 (Improper Restriction of Excessive Authentication Attempts in GitHub re ...) 
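Review bot: dropping `- NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2182199` in the CVE-2023-1667 hunk loses the only downstream tracker cross-reference; the upstream advisory and the nine stable-0.10 commits can coexist with it, so keep the bugzilla line. The package line `- libssh` still carries no fixed version, and the commit list does not say which upstream release contains those nine commits; a NOTE naming that release would let the unstable version be tracked the way commit 1297e750 does for the linux entries in this batch.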
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6335d9daa1963f7ff0f018c4ff8ba63843aea271
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] fill in details for CVE-2023-2283
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8cd87534 by Moritz Muehlenhoff at 2023-05-09T08:50:41+02:00 fill in details for CVE-2023-2283 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -611,8 +611,9 @@ CVE-2023-31207 (Transmission of credentials within query parameters in Checkmk < CVE-2023-2283 RESERVED - libssh - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2189736 - TODO: check details + NOTE: https://www.libssh.org/security/advisories/CVE-2023-2283.txt + NOTE: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=c68a58575b6d0520e342cb3d3796a8fecd66405d (stable-0.10) + NOTE: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=e8dfbb85a28514e1f869dac3000c6cec6cb8d08d (stable-0.10) CVE-2023-2282 (Improper access control in the Web Login listener in Devolutions Remot ...) NOT-FOR-US: Devolutions CVE-2023-2281 (When archiving a team, Mattermost fails to sanitize the related Websoc ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8cd87534a3377084f63f8ed98e562c249a1feb94 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8cd87534a3377084f63f8ed98e562c249a1feb94 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
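Review bot: the header line `CVE-2023-2283 RESERVED` is kept while a public advisory URL is added; elsewhere in this file a RESERVED id with known details gets a bracketed summary (for example `CVE-2023-2124 [OOB access in the Linux kernel's XFS subsystem]`), so the advisory title could replace RESERVED here and keep the entry searchable until the CVE text is published. As with CVE-2023-1667, the removed `- NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2189736` is worth keeping alongside the upstream links rather than replacing it.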
[Git][security-tracker-team/security-tracker][master] webkit2gtk n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 90a2f4e7 by Moritz Muehlenhoff at 2023-05-09T08:45:45+02:00 webkit2gtk n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1396,6 +1396,8 @@ CVE-2023-2204 (A vulnerability was found in Campcodes Retro Basketball Shoes Onl NOT-FOR-US: Campcodes Retro Basketball Shoes Online Store CVE-2023-2203 RESERVED + - webkit2gtk (RHEL-specific backport regression) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2188543 CVE-2023-2202 (Improper Access Control in GitHub repository francoisjacquet/rosariosi ...) NOT-FOR-US: RosarioSIS CVE-2023-2201 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90a2f4e79aa160951e0d9680e683ebc14a97a8d5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90a2f4e79aa160951e0d9680e683ebc14a97a8d5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
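Review bot: the added line `+ - webkit2gtk (RHEL-specific backport regression)` under `CVE-2023-2203 RESERVED` has, as rendered here, no version and no status token, which is the same shape as an open, unfixed entry and contradicts the "n/a" in the subject; if the line is meant to carry the tracker's `<not-affected>` marker, confirm it survived into the committed file, since angle-bracket tokens are easily lost in mail rendering. The bugzilla NOTE on its own does not say why the issue is RHEL-specific; one clause on that would make the triage self-explaining.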
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-1667/libssh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 68dd66b9 by Salvatore Bonaccorso at 2023-05-09T08:29:42+02:00 Add CVE-2023-1667/libssh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7139,6 +7139,9 @@ CVE-2023-1668 (A flaw was found in openvswitch (OVS). When processing an IP pack NOTE: https://github.com/openvswitch/ovs/commit/f36509fd64e339ffd33593451099be6baa12ffe6 (v2.15.8) CVE-2023-1667 RESERVED + - libssh + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2182199 + TODO: check details CVE-2023-1666 (A vulnerability has been found in SourceCodester Automatic Question Pa ...) NOT-FOR-US: SourceCodester Automatic Question Paper Generator System CVE-2023-1665 (Improper Restriction of Excessive Authentication Attempts in GitHub re ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68dd66b9f4e1a0103b18f079c95bb33d8912620c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68dd66b9f4e1a0103b18f079c95bb33d8912620c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
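Review bot: the stub `+ - libssh` with `+ TODO: check details` under `CVE-2023-1667 RESERVED` marks libssh as open in every suite with no human-readable summary; since the only reference is a bugzilla id, adding a bracketed short description taken from the bug title (the convention used at CVE-2023-2124 and CVE-2023-32233 in this file) would make the placeholder understandable until the TODO is resolved.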
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2283/libssh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6fe3252 by Salvatore Bonaccorso at 2023-05-09T08:28:53+02:00 Add CVE-2023-2283/libssh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -610,6 +610,9 @@ CVE-2023-31207 (Transmission of credentials within query parameters in Checkmk < - check-mk CVE-2023-2283 RESERVED + - libssh + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2189736 + TODO: check details CVE-2023-2282 (Improper access control in the Web Login listener in Devolutions Remot ...) NOT-FOR-US: Devolutions CVE-2023-2281 (When archiving a team, Mattermost fails to sanitize the related Websoc ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6fe32527796e52a73fd390e96ecb65478833f76 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6fe32527796e52a73fd390e96ecb65478833f76 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
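Review bot: this hunk is the same one-package stub as commit 68dd66b9 for CVE-2023-1667, pushed less than a minute later for the same source package; folding both libssh ids into one commit would keep the package's state change atomic and give a single place to resolve both `TODO: check details` lines. When the details are filled in, the `NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2189736` reference should stay in the entry rather than be swapped out.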
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a113fb06 by Salvatore Bonaccorso at 2023-05-08T22:35:47+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2023-2583 (Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3.) TODO: check CVE-2023-2582 (A prototype pollution vulnerability exists in Strikingly CMS which can ...) - TODO: check + NOT-FOR-US: Strikingly CMS CVE-2023-2575 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affect ...) - TODO: check + NOT-FOR-US: Advantech CVE-2023-2574 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affect ...) - TODO: check + NOT-FOR-US: Advantech CVE-2023-2573 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affect ...) - TODO: check + NOT-FOR-US: Advantech CVE-2023-2566 (Cross-site Scripting (XSS) - Stored in GitHub repository openemr/opene ...) NOT-FOR-US: OpenEMR CVE-2023-2534 (Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API ...) @@ -1596,7 +1596,7 @@ CVE-2023-30857 (@aedart/support is the support package for Ion, a monorepo for J CVE-2023-30856 (eDEX-UI is a science fiction terminal emulator. Versions 2.2.8 and pri ...) NOT-FOR-US: eDEX-UI CVE-2023-30855 (Pimcore is an open source data and experience management platform. Ver ...) - TODO: check + NOT-FOR-US: Pimcore CVE-2023-30854 (AVideo is an open source video platform. Prior to version 12.4, an OS ...) NOT-FOR-US: AVideo CVE-2023-30853 (Gradle Build Action allows users to execute a Gradle Build in their Gi ...) 
@@ -3814,7 +3814,7 @@ CVE-2023-30094 (A stored cross-site scripting (XSS) vulnerability in TotalJS Flo CVE-2023-30093 (An arbitrary file upload vulnerability in Open Networking Foundation O ...) NOT-FOR-US: Open Network Operating System (ONOS) CVE-2023-30092 (SourceCodester Online Pizza Ordering System v1.0 is vulnerable to SQL ...) - TODO: check + NOT-FOR-US: SourceCodester Online Pizza Ordering System CVE-2023-30091 RESERVED CVE-2023-30090 (Semcms Shop v4.2 was discovered to contain an arbitrary file uplaod vu ...) @@ -3960,7 +3960,7 @@ CVE-2023-30021 CVE-2023-30020 RESERVED CVE-2023-30019 (imgproxy <=3.14.0 is vulnerable to Server-Side Request Forgery (SSRF) ...) - TODO: check + NOT-FOR-US: imgproxy CVE-2023-30018 (Judging Management System v1.0 is vulnerable to SQL Injection. via /ph ...) NOT-FOR-US: Judging Management System CVE-2023-30017 @@ -4644,13 +4644,13 @@ CVE-2023-29698 CVE-2023-29697 RESERVED CVE-2023-29696 (H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a stack over ...) - TODO: check + NOT-FOR-US: H3C CVE-2023-29695 RESERVED CVE-2023-29694 RESERVED CVE-2023-29693 (H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a stack over ...) - TODO: check + NOT-FOR-US: H3C CVE-2023-29692 RESERVED CVE-2023-29691 @@ -8572,7 +8572,7 @@ CVE-2023-28495 CVE-2023-28494 RESERVED CVE-2023-28493 (Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability ...) - TODO: check + NOT-FOR-US: Wordpress theme CVE-2023-28492 RESERVED CVE-2023-28491 @@ -9716,7 +9716,7 @@ CVE-2023-28171 CVE-2023-28170 RESERVED CVE-2023-28169 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Core ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-28168 RESERVED CVE-2023-28167 
@@ -17802,7 +17802,7 @@ CVE-2023-25454 CVE-2023-25453 RESERVED CVE-2023-25452 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mich ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25451 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPCh ...) NOT-FOR-US: WordPress plugin CVE-2023-25450 @@ -18747,7 +18747,7 @@ CVE-2023-25054 CVE-2023-25053 RESERVED CVE-2023-25052 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Tepl ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25051 RESERVED CVE-2023-25050 @@ -20808,7 +20808,7 @@ CVE-2023-24410 CVE-2023-24409 RESERVED CVE-2023-24408 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-24407 RESERVED CVE-2023-24406 @@ -22807,7 +22807,7 @@ CVE-2023-23670 (Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in CVE-2023-23669 RESERVED CVE-2023-23668 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-23667 RESERVED C
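Review bot: the reason string in the @@ -8572 hunk, `+ NOT-FOR-US: Wordpress theme`, does not match the `NOT-FOR-US: WordPress plugin` spelling used in every other WordPress hunk of this commit; write `WordPress theme` so the NOT-FOR-US reasons stay consistent and greppable. The Advantech and H3C hunks give the vendor name only while the SourceCodester hunk names the product; either is fine, but one form per vendor keeps later NFU processing mechanical.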
[Git][security-tracker-team/security-tracker][master] Process some new NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a02729ba by Salvatore Bonaccorso at 2023-05-08T22:29:37+02:00 Process some new NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1909,7 +1909,7 @@ CVE-2023-2116 CVE-2023-2115 RESERVED CVE-2023-2114 (The NEX-Forms WordPress plugin before 8.4 does not properly escape the ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-2113 RESERVED CVE-2023-2112 (Desktop component service allows lateral movement between sessions in ...) @@ -2992,7 +2992,7 @@ CVE-2023-1981 [avahi-daemon can be crashed via DBus] CVE-2023-1980 (Two factor authentication bypass on login in Devolutions Remote Des ...) NOT-FOR-US: Devolutions CVE-2023-1979 (The Web Stories for WordPress plugin supports the WordPress built-in f ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-1978 RESERVED CVE-2023-1977 @@ -5462,7 +5462,7 @@ CVE-2023-1906 (A heap-based buffer overflow issue was discovered in ImageMagick' NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e30c693b37c3b41723f1469d1226a2c814ca443d (ImageMagick 6.9.12-84) CVE-2023-1905 (The WP Popups WordPress plugin before 2.1.5.1 does not properly escape ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2015-10098 (A vulnerability was found in Broken Link Checker Plugin up to 1.10.5. ...) NOT-FOR-US: WordPress plugin CVE-2013-10023 (A vulnerability was found in Editorial Calendar Plugin up to 2.6. It h ...) 
@@ -6297,7 +6297,7 @@ CVE-2023-29170 (Auth. (admin+) Stored Cross-site Scripting (XSS) vulnerability i CVE-2023-1807 RESERVED CVE-2023-1806 (The WP Inventory Manager WordPress plugin before 2.1.0.12 does not san ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-1805 (The Product Catalog Feed by PixelYourSite WordPress plugin before 2.1. ...) NOT-FOR-US: WordPress plugin CVE-2023-1804 (The Product Catalog Feed by PixelYourSite WordPress plugin before 2.1. ...) @@ -7220,7 +7220,7 @@ CVE-2023-1662 CVE-2023-1661 RESERVED CVE-2023-1660 (The AI ChatBot WordPress plugin before 4.4.9 does not have authorisati ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-1659 REJECTED CVE-2023-1658 @@ -7247,11 +7247,11 @@ CVE-2023-1652 (A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd (6.2-rc5) CVE-2023-1651 (The AI ChatBot WordPress plugin before 4.4.9 does not have authorisati ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-1650 (The AI ChatBot WordPress plugin before 4.4.7 unserializes user input f ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-1649 (The AI ChatBot WordPress plugin before 4.5.1 does not sanitise and esc ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-1648 REJECTED CVE-2022-48429 (In JetBrains Hub before 2022.3.15573, 2022.2.15572, 2022.1.15583 refle ...) @@ -9137,7 +9137,7 @@ CVE-2023-28344 CVE-2023-28343 (OS command injection affects Altenergy Power Control Software C1.2.5 v ...) NOT-FOR-US: Altenergy Power Control Software CVE-2023-1408 (The Video List Manager WordPress plugin through 1.7 does not properly ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-1407 (A vulnerability classified as critical was found in SourceCodester Stu ...) NOT-FOR-US: SourceCodester CVE-2023-1406 (The JetEngine WordPress plugin before 3.1.3.1 includes uploaded files ...) 
@@ -10002,7 +10002,7 @@ CVE-2023-28120 CVE-2023-1348 RESERVED CVE-2023-1347 (The Customizer Export/Import WordPress plugin before 0.9.6 unserialize ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-28119 (The crewjam/saml go library contains a partial implementation of the S ...) - golang-github-crewjam-saml (bug #1033753) NOTE: https://github.com/crewjam/saml/commit/8e9236867d176ad6338c870a84e2039aef8a5021 (v0.4.13) @@ -14406,7 +14406,7 @@ CVE-2023-1013 (Improper Neutralization of Script-Related HTML Tags in a Web Page CVE-2023-1012 RESERVED CVE-2023-1011 (The AI ChatBot WordPress plugin before 4.4.5 does not escape most of i ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-1010 (A vulnerability classified as critical was found in vox2png 1.0. Affec ...) NOT-FOR-US: vox2png CVE-2023-1009 (A vulnerability classified as problematic has been found in DrayTek Vi ...) @@ -14988,7 +14988,7 @@ CVE-2023-0950 CVE-2023-0949 (Cross-site Scripting
[Git][security-tracker-team/security-tracker][master] Track fixed version for linux issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1297e750 by Salvatore Bonaccorso at 2023-05-08T22:27:40+02:00 Track fixed version for linux issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52,7 +52,7 @@ CVE-2023-32269 (An issue was discovered in the Linux kernel before 6.1.11. In ne CVE-2023-32235 (Ghost before 5.42.1 allows remote attackers to read arbitrary files wi ...) NOT-FOR-US: Ghost CMS CVE-2023-32233 (In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_ta ...) - - linux + - linux 6.1.27-1 NOTE: https://www.openwall.com/lists/oss-security/2023/05/08/4 NOTE: https://git.kernel.org/linus/c1592a89942e9678f7d9c8030efa777c0d57edab (6.4-rc1) CVE-2023-31415 (Kibana version 8.7.0 contains an arbitrary code execution flaw. An att ...) @@ -359,7 +359,7 @@ CVE-2023- [RUSTSEC-2023-0035: enumflags2: Adverserial use of make_bitflags! - rust-enumflags2 (Introduced in 0.7.0) NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0035.html CVE-2023-31436 (qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2 ...) - - linux + - linux 6.1.27-1 [buster] - linux 4.19.282-1 NOTE: https://git.kernel.org/linus/3037933448f60f9acb705997eae62013ecb81e0d (6.3) NOTE: https://kernel.dance/#3037933448f60f9acb705997eae62013ecb81e0d @@ -2773,7 +2773,7 @@ CVE-2023-2003 RESERVED CVE-2023-2002 RESERVED - - linux + - linux 6.1.27-1 NOTE: https://www.openwall.com/lists/oss-security/2023/04/16/3 NOTE: Fixed by: https://git.kernel.org/linus/25c150ac103a4ebeed0319994c742a90634ddf18 NOTE: Fixed by: https://lore.kernel.org/linux-bluetooth/20230416081404.8227-1-lrh2...@pku.edu.cn/ 
@@ -9764,7 +9764,7 @@ CVE-2023-28159 - firefox (Android-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28159 CVE-2023-1380 (A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in d ...) - - linux + - linux 6.1.27-1 NOTE: https://www.openwall.com/lists/oss-security/2023/03/13/1 NOTE: https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.j...@yonsei.ac.kr/T/#u NOTE: https://git.kernel.org/linus/0da40e018fd034d87c9460123fa7f897b69fdee7 (6.4-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1297e75025614da40bb1abaa6570841106902ede -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1297e75025614da40bb1abaa6570841106902ede You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
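Review bot: the four `- linux` to `- linux 6.1.27-1` changes record a Debian fixed version, but the NOTE lines under CVE-2023-2002 (`NOTE: Fixed by: https://git.kernel.org/linus/25c150ac103a4ebeed0319994c742a90634ddf18` and the lore link) carry no upstream release tag, unlike the `(6.4-rc1)` and `(6.3)` annotations on the other three entries; add the mainline release, or a pointer to the 6.1.27 stable changelog, so a reader can confirm that 6.1.27-1 actually contains the fix. CVE-2023-31436 has a `[buster]` line but no `[bullseye]` line, so is the bullseye state intentionally left to the default?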
[Git][security-tracker-team/security-tracker][master] Drop notes for CVE-2023-2248 (duplicate of CVE-2023-31436)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f7a99ef by Salvatore Bonaccorso at 2023-05-08T22:25:17+02:00 Drop notes for CVE-2023-2248 (duplicate of CVE-2023-31436) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -892,11 +892,6 @@ CVE-2023-2249 RESERVED CVE-2023-2248 REJECTED - - linux - [buster] - linux 4.19.282-1 - NOTE: https://git.kernel.org/linus/3037933448f60f9acb705997eae62013ecb81e0d (6.3) - NOTE: https://kernel.dance/#3037933448f60f9acb705997eae62013ecb81e0d - NOTE: Duplicate of CVE-2023-31436 CVE-2022-48477 (In JetBrains Hub before 2023.1.15725 SSRF protection in Auth Module in ...) NOT-FOR-US: JetBrains Hub CVE-2022-48476 (In JetBrains Ktor before 2.3.0 path traversal in the `resolveResource` ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f7a99ef4010ea727ce952c27c77fc707a512504 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f7a99ef4010ea727ce952c27c77fc707a512504 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
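Review bot: removing `- NOTE: Duplicate of CVE-2023-31436` together with the package lines leaves `CVE-2023-2248 REJECTED` with no pointer to the surviving id; dropping the `- linux`, `[buster] - linux 4.19.282-1` and the two git/kernel.dance references is right for a rejected duplicate, but that one NOTE line is the cross-reference anyone searching for CVE-2023-2248 will want, so keep it.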
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01c1aa1f by security tracker role at 2023-05-08T20:12:26+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,13 @@ +CVE-2023-2583 (Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3.) + TODO: check +CVE-2023-2582 (A prototype pollution vulnerability exists in Strikingly CMS which can ...) + TODO: check +CVE-2023-2575 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affect ...) + TODO: check +CVE-2023-2574 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affect ...) + TODO: check +CVE-2023-2573 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affect ...) + TODO: check CVE-2023-2566 (Cross-site Scripting (XSS) - Stored in GitHub repository openemr/opene ...) NOT-FOR-US: OpenEMR CVE-2023-2534 (Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API ...) @@ -41,7 +51,7 @@ CVE-2023-32269 (An issue was discovered in the Linux kernel before 6.1.11. In ne NOTE: https://git.kernel.org/linus/611792920925fb088ddccbe2783c7f92fdfb6b64 (6.2-rc7) CVE-2023-32235 (Ghost before 5.42.1 allows remote attackers to read arbitrary files wi ...) NOT-FOR-US: Ghost CMS -CVE-2023-32233 [netfilter: nf_tables: deactivate anonymous set from preparation phase] +CVE-2023-32233 (In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_ta ...) - linux NOTE: https://www.openwall.com/lists/oss-security/2023/05/08/4 NOTE: https://git.kernel.org/linus/c1592a89942e9678f7d9c8030efa777c0d57edab (6.4-rc1) 
@@ -756,16 +766,16 @@ CVE-2023-31129 RESERVED CVE-2023-31128 RESERVED -CVE-2023-31127 - RESERVED +CVE-2023-31127 (libspdm is a sample implementation that follows the DMTF SPDM specific ...) + TODO: check CVE-2023-31126 RESERVED CVE-2023-31125 RESERVED CVE-2023-31124 RESERVED -CVE-2023-31123 - RESERVED +CVE-2023-31123 (`effectindex/tripreporter` is a community-powered, universal platform ...) + TODO: check CVE-2023-30768 RESERVED CVE-2023-30763 @@ -869,7 +879,7 @@ CVE-2023-2253 RESERVED CVE-2023-2252 RESERVED -CVE-2023-2251 (Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-4.) +CVE-2023-2251 (Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5.) - node-yaml 2.1.3-2 (bug #1035580) [bullseye] - node-yaml (Vulnerable code not present) NOTE: https://huntr.dev/bounties/4b494e99-5a3e-40d9-8678-277f3060e96c @@ -880,7 +890,8 @@ CVE-2023-2250 (A flaw was found in the Open Cluster Management (OCM) when a user NOT-FOR-US: Open Cluster Management (OCM) CVE-2023-2249 RESERVED -CVE-2023-2248 (A heap out-of-bounds read/write vulnerability in the Linux Kernel traf ...) +CVE-2023-2248 + REJECTED - linux [buster] - linux 4.19.282-1 NOTE: https://git.kernel.org/linus/3037933448f60f9acb705997eae62013ecb81e0d (6.3) @@ -1032,10 +1043,10 @@ CVE-2023-31040 RESERVED CVE-2023-2246 (A vulnerability has been found in SourceCodester Online Pizza Ordering ...) NOT-FOR-US: SourceCodester -CVE-2023-31039 - RESERVED -CVE-2023-31038 - RESERVED +CVE-2023-31039 (Security vulnerabilityin Apache bRPC <1.5.0 on all platforms allows at ...) + TODO: check +CVE-2023-31038 (SQL injection in Log4cxx when using the ODBC appender to send log mess ...) + TODO: check CVE-2023-2245 (A vulnerability was found in hansunCMS 1.4.3. It has been declared as ...) NOT-FOR-US: hansunCMS CVE-2023-2244 (A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. I ...) 
@@ -1579,8 +1590,8 @@ CVE-2023-30861 (Flask is a lightweight WSGI web application framework. When all NOTE: https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq NOTE: https://github.com/pallets/flask/commit/8646edca6f47e2cd57464081b3911218d4734f8d (2.2.5) NOTE: https://github.com/pallets/flask/commit/8705dd39c4fa563ea0fe0bf84c85da8fcc98b88d (2.3.2) -CVE-2023-30860 - RESERVED +CVE-2023-30860 (WWBN AVideo is an open source video platform. In AVideo prior to versi ...) + TODO: check CVE-2023-30859 (Triton is a Minecraft plugin for Spigot and BungeeCord that helps you ...) NOT-FOR-US: Triton Minecraft plugin CVE-2023-30858 (The Denosaurs emoji package provides emojis for dinosaurs. Starting in ...) @@ -1589,8 +1600,8 @@ CVE-2023-30857 (@aedart/support is the support package for Ion, a monorepo for J NOT-FOR-US: support package for Ion CVE-2023-30856 (eDEX-UI is a science fiction terminal emulator. Versions 2.2.8 and pri ...) NOT-FOR-US: eDEX-UI -CVE-2023-30855 -
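Review bot: two of the description changes in this automatic update touch already-triaged entries and need human follow-up: `CVE-2023-2248` flips to REJECTED but keeps its `- linux`, `[buster] - linux 4.19.282-1` and NOTE lines (cleaned up later in this batch by 9f7a99ef), and `CVE-2023-2251` moves the affected range from `prior to 2.0.0-4` to `prior to 2.0.0-5`, so the recorded `node-yaml 2.1.3-2` fix and the `[bullseye] - node-yaml (Vulnerable code not present)` assessment should be rechecked against the new range. The new `TODO: check` entries are fine as placeholders.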
[Git][security-tracker-team/security-tracker][master] Add upstream commit reference for CVE-2022-48425/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 390c74a8 by Salvatore Bonaccorso at 2023-05-08T21:36:54+02:00 Add upstream commit reference for CVE-2022-48425/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9054,6 +9054,7 @@ CVE-2022-48425 (In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an inval - linux (unimportant) [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/98bea253aa28ad8be2ce565a9ca21beb4a9419e5 (6.4-rc1) NOTE: NTFS3 driver not enabled in Debian CVE-2022-48424 (In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate t ...) - linux 6.1.4-1 (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/390c74a8779163cd105fef7e3cc0957d42078c03 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/390c74a8779163cd105fef7e3cc0957d42078c03 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
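Review bot: with `+ NOTE: https://git.kernel.org/linus/98bea253aa28ad8be2ce565a9ca21beb4a9419e5 (6.4-rc1)` now identifying the upstream fix, the package line `- linux (unimportant)` could carry the unstable version once it ships, as commit 1297e750 does for other linux entries in this push. The new line is inserted ahead of `NOTE: NTFS3 driver not enabled in Debian`; putting the Debian-specific rationale last is fine, but keep that ordering consistent with the ntfs3 entry directly below (CVE-2022-48424).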
[Git][security-tracker-team/security-tracker][master] Add upstream commit reference for CVE-2023-1380
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 68b7f5e6 by Salvatore Bonaccorso at 2023-05-08T21:29:21+02:00 Add upstream commit reference for CVE-2023-1380 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9760,6 +9760,7 @@ CVE-2023-1380 (A slab-out-of-bound read problem was found in brcmf_get_assoc_ies - linux NOTE: https://www.openwall.com/lists/oss-security/2023/03/13/1 NOTE: https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.j...@yonsei.ac.kr/T/#u + NOTE: https://git.kernel.org/linus/0da40e018fd034d87c9460123fa7f897b69fdee7 (6.4-rc1) CVE-2023-1379 (A vulnerability was found in SourceCodester Friendly Island Pizza Webs ...) NOT-FOR-US: SourceCodester Friendly Island Pizza Website and Ordering System CVE-2023-1378 (A vulnerability classified as critical was found in SourceCodester Fri ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68b7f5e62158f5dcd07dbcadab4ba8fc2d0010f9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68b7f5e62158f5dcd07dbcadab4ba8fc2d0010f9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
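Review bot: the context line `NOTE: https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.j...@yonsei.ac.kr/T/#u` shows an elided local part in the message-id; if that `...` is in the committed file rather than an artefact of the list archive, the lore link will not resolve and should be replaced with the full message-id. The added `(6.4-rc1)` commit reference is the right fix pointer; the entry still reads `- linux` with no fixed version.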
[Git][security-tracker-team/security-tracker][master] Add upstream commit reference for CVE-2023-2124
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc25a648 by Salvatore Bonaccorso at 2023-05-08T21:22:54+02:00 Add upstream commit reference for CVE-2023-2124 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1883,6 +1883,7 @@ CVE-2023-2124 [OOB access in the Linux kernel's XFS subsystem] - linux NOTE: https://www.openwall.com/lists/oss-security/2023/04/19/2 NOTE: https://lore.kernel.org/linux-xfs/20230412214034.gl3223...@dread.disaster.area/T/#m1ebbcd1ad061d2d33bef6f0534a2b014744d152d + NOTE: https://git.kernel.org/linus/22ed903eee23a5b174e240f1cdfa9acf393a5210 (6.4-rc1) CVE-2023-2123 RESERVED CVE-2023-2122 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc25a648657de4eddd7f4845f1aa8f90b4ad0af2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc25a648657de4eddd7f4845f1aa8f90b4ad0af2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update severity for CVE-2023-23039
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47f453ed by Salvatore Bonaccorso at 2023-05-08T21:10:38+02:00 Update severity for CVE-2023-23039 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24600,8 +24600,9 @@ CVE-2023-23041 CVE-2023-23040 (TP-Link router TL-WR940N V6 3.19.1 Build 180119 uses a deprecated MD5 ...) NOT-FOR-US: TP-Link CVE-2023-23039 (An issue was discovered in the Linux kernel through 6.2.0-rc2. drivers ...) - - linux + - linux (unimportant) NOTE: https://lore.kernel.org/lkml/20230102010528.2868403-1-yoochan1...@gmail.com/ + NOTE: CONFIG_VCC depends on CONFIG_SUN_LDOMS, which is SPARC64 only CVE-2023-23038 RESERVED CVE-2023-23037 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47f453edbb8198b5b44b13d0bcb7fc541a0c5318 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47f453edbb8198b5b44b13d0bcb7fc541a0c5318 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
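Review bot: the added justification `+ NOTE: CONFIG_VCC depends on CONFIG_SUN_LDOMS, which is SPARC64 only` supports `(unimportant)` only if no Debian release architecture builds that driver; state the Debian side explicitly, as `NOTE: NTFS3 driver not enabled in Debian` does for CVE-2022-48425, so the severity does not hinge on a reader knowing which ports ship a kernel.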
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-26544/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a9a9f24a by Salvatore Bonaccorso at 2023-05-08T21:03:03+02:00 Update information for CVE-2023-26544/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14281,7 +14281,7 @@ CVE-2023-26545 (In the Linux kernel before 6.1.13, there is a double free in net [bullseye] - linux 5.10.178-1 NOTE: https://git.kernel.org/linus/fda6c89fe3d9aca073495a664e1d5aea28cd4377 (6.2) CVE-2023-26544 (In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in ...) - - linux (unimportant) + - linux 6.1.4-1 (unimportant) [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://lkml.org/lkml/2023/2/20/128 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9a9f24afc49793119debf2b54dba9a41def2ee1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9a9f24afc49793119debf2b54dba9a41def2ee1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
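Review bot: the fixed version `6.1.4-1` is recorded for CVE-2023-26544 with only the lkml thread as evidence, whereas the neighbouring CVE-2023-26545 entry in the same hunk carries `NOTE: https://git.kernel.org/linus/... (6.2)`; add the corresponding git.kernel.org commit id and the mainline release for this fix as well, so that the Debian version claim can be cross-checked against the kernel changelog.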
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-26606
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a68d62fd by Salvatore Bonaccorso at 2023-05-08T20:55:08+02:00 Update information for CVE-2023-26606 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14070,7 +14070,7 @@ CVE-2023-26607 (In the Linux kernel 6.0.8, there is an out-of-bounds read in ntf - linux 4.19.37-1 NOTE: https://lkml.org/lkml/2023/2/21/1353 CVE-2023-26606 (In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs i ...) - - linux (unimportant) + - linux 6.1.4-1 (unimportant) [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://lkml.org/lkml/2023/2/20/860 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a68d62fdcf14a3094026460dfce3b8b3841f75a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a68d62fdcf14a3094026460dfce3b8b3841f75a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
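Review bot: as with the CVE-2023-26544 update, the `6.1.4-1` fixed version for CVE-2023-26606 is backed only by an lkml link; a `NOTE: https://git.kernel.org/linus/<commit> (<mainline version>)` line (placeholder shown, the real id needs to be looked up) in the style of the other kernel entries would make the version verifiable rather than implied.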
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-28464
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 12728470 by Salvatore Bonaccorso at 2023-05-08T20:46:02+02:00 Update information for CVE-2023-28464 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8759,9 +8759,10 @@ CVE-2023-28467 CVE-2023-28465 RESERVED CVE-2023-28464 (hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel throu ...) - - linux + - linux 6.1.25-1 NOTE: https://www.openwall.com/lists/oss-security/2023/03/28/2 NOTE: https://lore.kernel.org/lkml/20230309074645.74309-1-wzhmm...@gmail.com/ + NOTE: https://git.kernel.org/linus/5dc7d23e167e2882ef118456ceccd57873e876d8 CVE-2023-28463 RESERVED CVE-2023-28462 (A JNDI rebind operation in the default ORB listener in Payara Server 4 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12728470fa7481edac6124feb139b2f36f48c2bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12728470fa7481edac6124feb139b2f36f48c2bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
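Review bot: the added upstream reference for commit 5dc7d23e167e lacks the mainline version tag that the other kernel NOTE lines carry (`(6.4-rc1)`, `(6.2)` and so on); append the release in which it landed, because without it the new `6.1.25-1` fixed version cannot be cross-checked from the entry alone.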
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-32233/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dd194c5e by Salvatore Bonaccorso at 2023-05-08T18:09:24+02:00 Add CVE-2023-32233/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41,6 +41,10 @@ CVE-2023-32269 (An issue was discovered in the Linux kernel before 6.1.11. In ne NOTE: https://git.kernel.org/linus/611792920925fb088ddccbe2783c7f92fdfb6b64 (6.2-rc7) CVE-2023-32235 (Ghost before 5.42.1 allows remote attackers to read arbitrary files wi ...) NOT-FOR-US: Ghost CMS +CVE-2023-32233 [netfilter: nf_tables: deactivate anonymous set from preparation phase] + - linux + NOTE: https://www.openwall.com/lists/oss-security/2023/05/08/4 + NOTE: https://git.kernel.org/linus/c1592a89942e9678f7d9c8030efa777c0d57edab (6.4-rc1) CVE-2023-31415 (Kibana version 8.7.0 contains an arbitrary code execution flaw. An att ...) - kibana (bug #700337) CVE-2023-31414 (Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code executio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd194c5eb2aca60cfc7bd70ff176850af7700f4c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd194c5eb2aca60cfc7bd70ff176850af7700f4c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
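Review bot: the `- linux` line of the new CVE-2023-32233 entry has no fixed version, bug reference or `[bullseye]`/`[buster]` annotation, while the only fix reference is mainline `6.4-rc1` and the oss-security post is from the same day; add the stable-release status (or a NOTE naming which Debian kernels still need the backport) so the entry is actionable for the stable suites rather than just a pointer to upstream.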
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 47fd1137 by Moritz Muehlenhoff at 2023-05-08T17:27:21+02:00 bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2334,6 +2334,7 @@ CVE-2023-30609 (matrix-react-sdk is a react-based SDK for inserting a Matrix cha NOTE: https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw CVE-2023-30608 (sqlparse is a non-validating SQL parser module for Python. In affected ...) - sqlparse (bug #1034615) + [bullseye] - sqlparse (Minor issue) NOTE: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 NOTE: Introduced by: https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a (0.1.15) NOTE: Fixed by: https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb (0.4.4) @@ -2753,6 +2754,7 @@ CVE-2023-2005 RESERVED CVE-2023-2004 (An integer overflow vulnerability was discovered in Freetype in tt_hva ...) - freetype 2.12.1+dfsg-5 (bug #1034612) + [bullseye] - freetype (Minor issue) [buster] - freetype (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462 NOTE: https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611 (VER-2-13-0) 
@@ -2860,18 +2862,21 @@ CVE-2023-1994 (GQUIC dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3. {DLA-3402-1} [experimental] - wireshark 4.0.5-1~exp1 - wireshark (bug #1034721) + [bullseye] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18947 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-11.html CVE-2023-1993 (LISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6 ...) {DLA-3402-1} [experimental] - wireshark 4.0.5-1~exp1 - wireshark (bug #1034721) + [bullseye] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18900 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-10.html CVE-2023-1992 (RPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6. ...) {DLA-3402-1} [experimental] - wireshark 4.0.5-1~exp1 - wireshark (bug #1034721) + [bullseye] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18852 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-09.html CVE-2023-1991 @@ -4873,6 +4878,7 @@ CVE-2023-29580 (yasm 1.3.0.55.g101bc was discovered to contain a segmentation vi NOTE: Crash in CLI tool, no security impact CVE-2023-29579 (yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via th ...) - yasm + [bullseye] - yasm (Minor issue) NOTE: https://github.com/yasm/yasm/issues/214 CVE-2023-29578 (mp4v2 v2.0.0 was discovered to contain a heap buffer overflow via the ...) NOT-FOR-US: MP4v2 
@@ -5195,6 +5201,7 @@ CVE-2023-29492 (Novi Survey before 8.9.43676 allows remote attackers to execute NOT-FOR-US: Novi Survey CVE-2023-29491 (ncurses before 6.4 20230408, when used by a setuid application, allows ...) - ncurses (bug #1034372) + [bullseye] - ncurses (Minor issue) NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20230408 NOTE: http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56 NOTE: https://github.com/ThomasDickey/ncurses-snapshots/commit/a6d3f92bb5bba1a71c7c3df39497abbe5fe999ff @@ -5439,6 +5446,7 @@ CVE-2023-1907 RESERVED CVE-2023-1906 (A heap-based buffer overflow issue was discovered in ImageMagick's Imp ...) - imagemagick (bug #1034373) + [bullseye] - imagemagick (Minor issue) [buster] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e30c693b37c3b41723f1469d1226a2c814ca443d (ImageMagick 6.9.12-84) @@ -9061,6 +9069,7 @@ CVE-2023-28372 RESERVED CVE-2023-28371 (In Stellarium through 1.2, attackers can write to files that are typic ...) - stellarium (bug #1034183) + [bullseye] - stellarium (Minor issue) NOTE: https://github.com/Stellarium/stellarium/commit/1261f74dc4aa6bbd01ab514343424097f8cf46b7 NOTE: https://github.com/Stellarium/stellarium/commit/787a894897b7872ae96e6f5804a182210edd5c78 NOTE: https://github.com/Stellarium/stellarium/commit/eba61df3b38605befcb43687a4c0a159dbc0c5cb @@ -17588,18 +17597,23 @@ CVE-2023-25515 RESERVED CVE-2023-25514 (NVIDIA CUDA toolkit for Linux and Windows contains a
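Review bot: none of the added `[bullseye] - <package> (Minor issue)` lines gives a reason, and in the wireshark hunk the same three CVEs already carry `{DLA-3402-1}` for buster, so a reader cannot tell from the entries why bullseye is deferred while buster was fixed; a short NOTE per entry (for example that the wireshark issues are dissector crashes, or that a fix is queued for a point release) would make the triage reviewable. The ncurses entry in particular, whose description mentions the setuid case, deserves a one-line justification for `Minor issue`.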
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 52544f46 by Roberto C. Sánchez at 2023-05-08T11:09:39-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez- - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -13,7 +13,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -cairosvg (dleidert) +cairosvg NOTE: 20230323: Programming language: Python. NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) -- @@ -22,14 +22,14 @@ configobj (Chris Lamb) NOTE: 20230416: Special attention: Low priority but high popcon. NOTE: 20230502: No upstream-blessed patch yet. (lamby) -- -consul (Abhijith PA) +consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith) NOTE: 20230422: Resume work. (abhijith) -- -docker.io (gladk) +docker.io NOTE: 20230303: Programming language: Go. NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52544f46e863de727ddcf186212c379ca3dea711 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52544f46e863de727ddcf186212c379ca3dea711 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
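Review bot: the unclaim removes the claimant names from cairosvg, consul and docker.io but appends no dated NOTE recording it, although the file header shown in the first hunk asks to append notes rather than remove or replace existing ones; suggest adding something like `NOTE: 20230508: Unclaimed after 2 weeks of inactivity` under each entry. Note also that consul's latest entry is dated 20230423, only 15 days before this commit, so it barely crosses the two-week threshold and may be worth confirming with the previous claimant.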
[Git][security-tracker-team/security-tracker][master] xpdf n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 47a099c4 by Moritz Muehlenhoff at 2023-05-08T11:01:33+02:00 xpdf n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -13357,23 +13357,23 @@ CVE-2023-26940 CVE-2023-26939 RESERVED CVE-2023-26938 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker ...) - TODO: check + - xpdf (Debian uses poppler, which is not affected) CVE-2023-26937 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker ...) - TODO: check + - xpdf (Debian uses poppler, which is not affected) CVE-2023-26936 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker ...) - TODO: check + - xpdf (Debian uses poppler, which is not affected) CVE-2023-26935 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker ...) - TODO: check + - xpdf (Debian uses poppler, which is not affected) CVE-2023-26934 (An issue found in XPDF v.4.04 allows an attacker to cause a denial of ...) - TODO: check + - xpdf (Debian uses poppler, which is not affected) CVE-2023-26933 RESERVED CVE-2023-26932 RESERVED CVE-2023-26931 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker ...) - TODO: check + - xpdf (Debian uses poppler, which is not affected) CVE-2023-26930 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker ...) - TODO: check + - xpdf (Debian uses poppler, which is not affected) CVE-2023-26929 RESERVED CVE-2023-26928 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47a099c4b20035812eb4a20cce6b327be0ae0056 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47a099c4b20035812eb4a20cce6b327be0ae0056 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
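Review bot: the rationale `Debian uses poppler, which is not affected` is repeated verbatim for all seven xpdf entries without any pointer to evidence; add one NOTE referencing where Debian's xpdf build depends on poppler so the claim can be verified, and confirm for each report that the affected upstream code lives in the PDF core that Debian replaces with poppler rather than in the front-end code the Debian package still carries, since the CVE descriptions only say "XPDF v.4.04" and do not say which component.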
[Git][security-tracker-team/security-tracker][master] lts: update notes
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cf17d7f by Emilio Pozuelo Monfort at 2023-05-08T10:47:01+02:00 lts: update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -149,6 +149,7 @@ openimageio (gladk) openjdk-11 (Emilio) NOTE: 20230419: Programming language: Java. NOTE: 20230419: VCS: https://salsa.debian.org/lts-team/packages/openjdk-11.git + NOTE: 20230508: waiting for sid/bullseye update (pochu) -- php-cas NOTE: 20221105: Programming language: PHP. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cf17d7f31fc6483b10415f0c5f645bfadce483f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cf17d7f31fc6483b10415f0c5f645bfadce483f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e2e3d0fc by Salvatore Bonaccorso at 2023-05-08T10:33:20+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2023-2566 (Cross-site Scripting (XSS) - Stored in GitHub repository openemr/opene ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2023-2534 (Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API ...) TODO: check CVE-2023-2565 (A vulnerability has been found in SourceCodester Multi Language Hotel ...) @@ -3467,7 +3467,7 @@ CVE-2023-30259 CVE-2023-30258 RESERVED CVE-2023-30257 (A buffer overflow in the component /proc/ft-debug of FiiO M6 Build ...) - TODO: check + NOT-FOR-US: FiiO M6 CVE-2023-30256 RESERVED CVE-2023-30255 @@ -3611,7 +3611,7 @@ CVE-2023-30187 CVE-2023-30186 RESERVED CVE-2023-30185 (CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file upload ...) - TODO: check + NOT-FOR-US: CRMEB CVE-2023-30184 (A stored cross-site scripting (XSS) vulnerability in Typecho v1.2.0 al ...) NOT-FOR-US: Typecho CVE-2023-30183 @@ -3946,7 +3946,7 @@ CVE-2023-30020 CVE-2023-30019 RESERVED CVE-2023-30018 (Judging Management System v1.0 is vulnerable to SQL Injection. via /ph ...) - TODO: check + NOT-FOR-US: Judging Management System CVE-2023-30017 RESERVED CVE-2023-30016 
@@ -4095,7 +4095,7 @@ CVE-2023-29946 CVE-2023-29945 RESERVED CVE-2023-29944 (Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Exec ...) - TODO: check + NOT-FOR-US: Metersphere CVE-2023-29943 RESERVED CVE-2023-29942 (llvm-project commit a0138390 was discovered to contain a segmentation ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2e3d0fc6066ead1335a24c92dd346f68ccf6ceb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2e3d0fc6066ead1335a24c92dd346f68ccf6ceb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
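Review bot: in the first hunk CVE-2023-2534 (OTRS 8 Websocket API) is left at `TODO: check` while its neighbours are resolved as NOT-FOR-US; since OTRS has been packaged in Debian as otrs2, this one needs an archive check of whether any shipped version contains the affected code before it can be closed, so it should not be batch-marked with the rest.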
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c9a0fb2 by security tracker role at 2023-05-08T08:11:55+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-2566 (Cross-site Scripting (XSS) - Stored in GitHub repository openemr/opene ...) + TODO: check +CVE-2023-2534 (Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API ...) + TODO: check CVE-2023-2565 (A vulnerability has been found in SourceCodester Multi Language Hotel ...) NOT-FOR-US: SourceCodester Multi Language Hotel Management Software CVE-2023-2564 (OS Command Injection in GitHub repository sbs20/scanservjs prior to v2 ...) @@ -3462,8 +3466,8 @@ CVE-2023-30259 RESERVED CVE-2023-30258 RESERVED -CVE-2023-30257 - RESERVED +CVE-2023-30257 (A buffer overflow in the component /proc/ft-debug of FiiO M6 Build ...) + TODO: check CVE-2023-30256 RESERVED CVE-2023-30255 @@ -3606,8 +3610,8 @@ CVE-2023-30187 RESERVED CVE-2023-30186 RESERVED -CVE-2023-30185 - RESERVED +CVE-2023-30185 (CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file upload ...) + TODO: check CVE-2023-30184 (A stored cross-site scripting (XSS) vulnerability in Typecho v1.2.0 al ...) NOT-FOR-US: Typecho CVE-2023-30183 @@ -3941,8 +3945,8 @@ CVE-2023-30020 RESERVED CVE-2023-30019 RESERVED -CVE-2023-30018 - RESERVED +CVE-2023-30018 (Judging Management System v1.0 is vulnerable to SQL Injection. via /ph ...) + TODO: check CVE-2023-30017 RESERVED CVE-2023-30016 
@@ -4090,8 +4094,8 @@ CVE-2023-29946 RESERVED CVE-2023-29945 RESERVED -CVE-2023-29944 - RESERVED +CVE-2023-29944 (Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Exec ...) + TODO: check CVE-2023-29943 RESERVED CVE-2023-29942 (llvm-project commit a0138390 was discovered to contain a segmentation ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c9a0fb21044d2d65065294b471ec4b55fa39378 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c9a0fb21044d2d65065294b471ec4b55fa39378 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits