[Git][security-tracker-team/security-tracker][master] fill in details for CVE-2023-1667

2023-05-08 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6335d9da by Moritz Muehlenhoff at 2023-05-09T08:55:06+02:00
fill in details for CVE-2023-1667

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7143,8 +7143,16 @@ CVE-2023-1668 (A flaw was found in openvswitch (OVS). 
When processing an IP pack
 CVE-2023-1667
RESERVED
- libssh 
-   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2182199
-   TODO: check details
+   NOTE: https://www.libssh.org/security/advisories/CVE-2023-1667.txt
+   NOTE: 
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=dc1254d53e4fc6cbeb4797fc6ca1c9ed2c21f15c
 (stable-0.10)
+   NOTE: 
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=d08f1b2377fead6489aa1d6a102bf65895ecf858
 (stable-0.10)
+   NOTE: 
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=70565ac43867053871f47378c53e5d90ba9007d8
 (stable-0.10)
+   NOTE: 
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=fc1a8bb4555624f85ba1370721ad2086a4feff8c
 (stable-0.10)
+   NOTE: 
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=b759ae557d611ba347392c051504de474a8d9b60
 (stable-0.10)
+   NOTE: 
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=6df2daea040c47daff0a861a30761092886fe748
 (stable-0.10)
+   NOTE: 
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=99760776d4552d8e63edd68ba4a7448766517b8c
 (stable-0.10)
+   NOTE: 
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=247a4a761cfa745ed1090290c5107de6321143c9
 (stable-0.10)
+   NOTE: 
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=a30339d7b16da7784413e4a4667feb3604ed0458
 (stable-0.10)
 CVE-2023-1666 (A vulnerability has been found in SourceCodester Automatic 
Question Pa ...)
NOT-FOR-US: SourceCodester Automatic Question Paper Generator System
 CVE-2023-1665 (Improper Restriction of Excessive Authentication Attempts in 
GitHub re ...)
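Review bot: the two removed lines drop the Red Hat bugzilla reference (bug 2182199) instead of keeping it next to the upstream advisory; a second NOTE costs nothing and preserves the cross-distro trail. The nine commit NOTEs all point at the stable-0.10 branch and are annotated "(stable-0.10)" rather than with a release tag, and the "- libssh" line still has no fixed version, so the entry does not yet say which upstream release or which Debian upload contains the fix. Add the release from the advisory and, for suites that ship an older libssh branch, either the matching commits for that branch or a [bullseye]/[buster] annotation.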



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6335d9daa1963f7ff0f018c4ff8ba63843aea271

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6335d9daa1963f7ff0f018c4ff8ba63843aea271
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] fill in details for CVE-2023-2283

2023-05-08 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8cd87534 by Moritz Muehlenhoff at 2023-05-09T08:50:41+02:00
fill in details for CVE-2023-2283

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -611,8 +611,9 @@ CVE-2023-31207 (Transmission of credentials within query 
parameters in Checkmk <
 CVE-2023-2283
RESERVED
- libssh 
-   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2189736
-   TODO: check details
+   NOTE: https://www.libssh.org/security/advisories/CVE-2023-2283.txt
+   NOTE: 
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=c68a58575b6d0520e342cb3d3796a8fecd66405d
 (stable-0.10)
+   NOTE: 
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=e8dfbb85a28514e1f869dac3000c6cec6cb8d08d
 (stable-0.10)
 CVE-2023-2282 (Improper access control in the Web Login listener in 
Devolutions Remot ...)
NOT-FOR-US: Devolutions
 CVE-2023-2281 (When archiving a team, Mattermost fails to sanitize the related 
Websoc ...)
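Review bot: same pattern as the CVE-2023-1667 update in this series: the bugzilla NOTE (bug 2189736) is removed rather than kept, and the "- libssh" line is left without a fixed version, so every suite stays listed as vulnerable until a version or annotation is added. With only two stable-0.10 commits recorded, also note the upstream release they shipped in (the linked advisory should state it) so the fix can be matched against the packaged version.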



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8cd87534a3377084f63f8ed98e562c249a1feb94




[Git][security-tracker-team/security-tracker][master] webkit2gtk n/a

2023-05-08 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
90a2f4e7 by Moritz Muehlenhoff at 2023-05-09T08:45:45+02:00
webkit2gtk n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1396,6 +1396,8 @@ CVE-2023-2204 (A vulnerability was found in Campcodes 
Retro Basketball Shoes Onl
NOT-FOR-US: Campcodes Retro Basketball Shoes Online Store
 CVE-2023-2203
RESERVED
+   - webkit2gtk  (RHEL-specific backport regression)
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2188543
 CVE-2023-2202 (Improper Access Control in GitHub repository 
francoisjacquet/rosariosi ...)
NOT-FOR-US: RosarioSIS
 CVE-2023-2201
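Review bot: the added package line reads "- webkit2gtk  (RHEL-specific backport regression)" with two spaces between the name and the comment, and "- linux " elsewhere on this page shows a trailing space where a status would be; the tracker's angle-bracket status token (here presumably <not-affected>, matching the "n/a" in the commit message) appears to have been stripped from this rendering. Verify the committed line actually carries the token, since a package line with only a comment would not record the not-affected status the commit intends.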



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90a2f4e79aa160951e0d9680e683ebc14a97a8d5



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-1667/libssh

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
68dd66b9 by Salvatore Bonaccorso at 2023-05-09T08:29:42+02:00
Add CVE-2023-1667/libssh

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7139,6 +7139,9 @@ CVE-2023-1668 (A flaw was found in openvswitch (OVS). 
When processing an IP pack
NOTE: 
https://github.com/openvswitch/ovs/commit/f36509fd64e339ffd33593451099be6baa12ffe6
 (v2.15.8)
 CVE-2023-1667
RESERVED
+   - libssh 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2182199
+   TODO: check details
 CVE-2023-1666 (A vulnerability has been found in SourceCodester Automatic 
Question Pa ...)
NOT-FOR-US: SourceCodester Automatic Question Paper Generator System
 CVE-2023-1665 (Improper Restriction of Excessive Authentication Attempts in 
GitHub re ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68dd66b9f4e1a0103b18f079c95bb33d8912620c



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2283/libssh

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c6fe3252 by Salvatore Bonaccorso at 2023-05-09T08:28:53+02:00
Add CVE-2023-2283/libssh

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -610,6 +610,9 @@ CVE-2023-31207 (Transmission of credentials within query 
parameters in Checkmk <
- check-mk 
 CVE-2023-2283
RESERVED
+   - libssh 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2189736
+   TODO: check details
 CVE-2023-2282 (Improper access control in the Web Login listener in 
Devolutions Remot ...)
NOT-FOR-US: Devolutions
 CVE-2023-2281 (When archiving a team, Mattermost fails to sanitize the related 
Websoc ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6fe32527796e52a73fd390e96ecb65478833f76



[Git][security-tracker-team/security-tracker][master] Process NFUs

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a113fb06 by Salvatore Bonaccorso at 2023-05-08T22:35:47+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,13 +1,13 @@
 CVE-2023-2583 (Code Injection in GitHub repository jsreport/jsreport prior to 
3.11.3.)
TODO: check
 CVE-2023-2582 (A prototype pollution vulnerability exists in Strikingly CMS 
which can ...)
-   TODO: check
+   NOT-FOR-US: Strikingly CMS
 CVE-2023-2575 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are 
affect ...)
-   TODO: check
+   NOT-FOR-US: Advantech
 CVE-2023-2574 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are 
affect ...)
-   TODO: check
+   NOT-FOR-US: Advantech
 CVE-2023-2573 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are 
affect ...)
-   TODO: check
+   NOT-FOR-US: Advantech
 CVE-2023-2566 (Cross-site Scripting (XSS) - Stored in GitHub repository 
openemr/opene ...)
NOT-FOR-US: OpenEMR
 CVE-2023-2534 (Improper Authorization vulnerability in OTRS AG OTRS 8 
(Websocket API  ...)
@@ -1596,7 +1596,7 @@ CVE-2023-30857 (@aedart/support is the support package 
for Ion, a monorepo for J
 CVE-2023-30856 (eDEX-UI is a science fiction terminal emulator. Versions 2.2.8 
and pri ...)
NOT-FOR-US: eDEX-UI
 CVE-2023-30855 (Pimcore is an open source data and experience management 
platform. Ver ...)
-   TODO: check
+   NOT-FOR-US: Pimcore
 CVE-2023-30854 (AVideo is an open source video platform. Prior to version 
12.4, an OS  ...)
NOT-FOR-US: AVideo
 CVE-2023-30853 (Gradle Build Action allows users to execute a Gradle Build in 
their Gi ...)
@@ -3814,7 +3814,7 @@ CVE-2023-30094 (A stored cross-site scripting (XSS) 
vulnerability in TotalJS Flo
 CVE-2023-30093 (An arbitrary file upload vulnerability in Open Networking 
Foundation O ...)
NOT-FOR-US: Open Network Operating System (ONOS)
 CVE-2023-30092 (SourceCodester Online Pizza Ordering System v1.0 is vulnerable 
to SQL  ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Online Pizza Ordering System
 CVE-2023-30091
RESERVED
 CVE-2023-30090 (Semcms Shop v4.2 was discovered to contain an arbitrary file 
uplaod vu ...)
@@ -3960,7 +3960,7 @@ CVE-2023-30021
 CVE-2023-30020
RESERVED
 CVE-2023-30019 (imgproxy <=3.14.0 is vulnerable to Server-Side Request Forgery 
(SSRF)  ...)
-   TODO: check
+   NOT-FOR-US: imgproxy
 CVE-2023-30018 (Judging Management System v1.0 is vulnerable to SQL Injection. 
via /ph ...)
NOT-FOR-US: Judging Management System
 CVE-2023-30017
@@ -4644,13 +4644,13 @@ CVE-2023-29698
 CVE-2023-29697
RESERVED
 CVE-2023-29696 (H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a 
stack over ...)
-   TODO: check
+   NOT-FOR-US: H3C
 CVE-2023-29695
RESERVED
 CVE-2023-29694
RESERVED
 CVE-2023-29693 (H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a 
stack over ...)
-   TODO: check
+   NOT-FOR-US: H3C
 CVE-2023-29692
RESERVED
 CVE-2023-29691
@@ -8572,7 +8572,7 @@ CVE-2023-28495
 CVE-2023-28494
RESERVED
 CVE-2023-28493 (Auth (subscriber+) Reflected Cross-Site Scripting (XSS) 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: Wordpress theme
 CVE-2023-28492
RESERVED
 CVE-2023-28491
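Review bot: "NOT-FOR-US: Wordpress theme" should read "WordPress theme" to match the "WordPress plugin" spelling used on the other NOT-FOR-US lines in this commit (CVE-2023-28169, CVE-2023-25452 and the rest); consistent spelling keeps searches over the NFU reasons reliable.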
@@ -9716,7 +9716,7 @@ CVE-2023-28171
 CVE-2023-28170
RESERVED
 CVE-2023-28169 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Core ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-28168
RESERVED
 CVE-2023-28167
@@ -17802,7 +17802,7 @@ CVE-2023-25454
 CVE-2023-25453
RESERVED
 CVE-2023-25452 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Mich ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-25451 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in WPCh ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-25450
@@ -18747,7 +18747,7 @@ CVE-2023-25054
 CVE-2023-25053
RESERVED
 CVE-2023-25052 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Tepl ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-25051
RESERVED
 CVE-2023-25050
@@ -20808,7 +20808,7 @@ CVE-2023-24410
 CVE-2023-24409
RESERVED
 CVE-2023-24408 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) 
vulnerability i ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-24407
RESERVED
 CVE-2023-24406
@@ -22807,7 +22807,7 @@ CVE-2023-23670 (Auth. (contributor+) Cross-Site 
Scripting (XSS) vulnerability in
 CVE-2023-23669
RESERVED
 CVE-2023-23668 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) 
vulnerability i ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-23667
RESERVED
 C

[Git][security-tracker-team/security-tracker][master] Process some new NFUs

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a02729ba by Salvatore Bonaccorso at 2023-05-08T22:29:37+02:00
Process some new NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1909,7 +1909,7 @@ CVE-2023-2116
 CVE-2023-2115
RESERVED
 CVE-2023-2114 (The NEX-Forms WordPress plugin before 8.4 does not properly 
escape the ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-2113
RESERVED
 CVE-2023-2112 (Desktop component service allows lateral movement between 
sessions in  ...)
@@ -2992,7 +2992,7 @@ CVE-2023-1981 [avahi-daemon can be crashed via DBus]
 CVE-2023-1980 (Two factor   authentication  bypass on login in Devolutions 
Remote Des ...)
NOT-FOR-US: Devolutions
 CVE-2023-1979 (The Web Stories for WordPress plugin supports the WordPress 
built-in f ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-1978
RESERVED
 CVE-2023-1977
@@ -5462,7 +5462,7 @@ CVE-2023-1906 (A heap-based buffer overflow issue was 
discovered in ImageMagick'
NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/e30c693b37c3b41723f1469d1226a2c814ca443d
 (ImageMagick 6.9.12-84)
 CVE-2023-1905 (The WP Popups WordPress plugin before 2.1.5.1 does not properly 
escape ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2015-10098 (A vulnerability was found in Broken Link Checker Plugin up to 
1.10.5.  ...)
NOT-FOR-US: WordPress plugin
 CVE-2013-10023 (A vulnerability was found in Editorial Calendar Plugin up to 
2.6. It h ...)
@@ -6297,7 +6297,7 @@ CVE-2023-29170 (Auth. (admin+) Stored Cross-site 
Scripting (XSS) vulnerability i
 CVE-2023-1807
RESERVED
 CVE-2023-1806 (The WP Inventory Manager WordPress plugin before 2.1.0.12 does 
not san ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-1805 (The Product Catalog Feed by PixelYourSite WordPress plugin 
before 2.1. ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-1804 (The Product Catalog Feed by PixelYourSite WordPress plugin 
before 2.1. ...)
@@ -7220,7 +7220,7 @@ CVE-2023-1662
 CVE-2023-1661
RESERVED
 CVE-2023-1660 (The AI ChatBot WordPress plugin before 4.4.9 does not have 
authorisati ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-1659
REJECTED
 CVE-2023-1658
@@ -7247,11 +7247,11 @@ CVE-2023-1652 (A use-after-free flaw was found in 
nfsd4_ssc_setup_dul in fs/nfsd
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd (6.2-rc5)
 CVE-2023-1651 (The AI ChatBot WordPress plugin before 4.4.9 does not have 
authorisati ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-1650 (The AI ChatBot WordPress plugin before 4.4.7 unserializes user 
input f ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-1649 (The AI ChatBot WordPress plugin before 4.5.1 does not sanitise 
and esc ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-1648
REJECTED
 CVE-2022-48429 (In JetBrains Hub before 2022.3.15573, 2022.2.15572, 
2022.1.15583 refle ...)
@@ -9137,7 +9137,7 @@ CVE-2023-28344
 CVE-2023-28343 (OS command injection affects Altenergy Power Control Software 
C1.2.5 v ...)
NOT-FOR-US: Altenergy Power Control Software
 CVE-2023-1408 (The Video List Manager WordPress plugin through 1.7 does not 
properly  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-1407 (A vulnerability classified as critical was found in 
SourceCodester Stu ...)
NOT-FOR-US: SourceCodester
 CVE-2023-1406 (The JetEngine WordPress plugin before 3.1.3.1 includes uploaded 
files  ...)
@@ -10002,7 +10002,7 @@ CVE-2023-28120
 CVE-2023-1348
RESERVED
 CVE-2023-1347 (The Customizer Export/Import WordPress plugin before 0.9.6 
unserialize ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-28119 (The crewjam/saml go library contains a partial implementation 
of the S ...)
- golang-github-crewjam-saml  (bug #1033753)
NOTE: 
https://github.com/crewjam/saml/commit/8e9236867d176ad6338c870a84e2039aef8a5021 
(v0.4.13)
@@ -14406,7 +14406,7 @@ CVE-2023-1013 (Improper Neutralization of 
Script-Related HTML Tags in a Web Page
 CVE-2023-1012
RESERVED
 CVE-2023-1011 (The AI ChatBot WordPress plugin before 4.4.5 does not escape 
most of i ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-1010 (A vulnerability classified as critical was found in vox2png 
1.0. Affec ...)
NOT-FOR-US: vox2png
 CVE-2023-1009 (A vulnerability classified as problematic has been found in 
DrayTek Vi ...)
@@ -14988,7 +14988,7 @@ CVE-2023-0950
 CVE-2023-0949 (Cross-site Scripting 

[Git][security-tracker-team/security-tracker][master] Track fixed version for linux issues via unstable

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1297e750 by Salvatore Bonaccorso at 2023-05-08T22:27:40+02:00
Track fixed version for linux issues via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -52,7 +52,7 @@ CVE-2023-32269 (An issue was discovered in the Linux kernel 
before 6.1.11. In ne
 CVE-2023-32235 (Ghost before 5.42.1 allows remote attackers to read arbitrary 
files wi ...)
NOT-FOR-US: Ghost CMS
 CVE-2023-32233 (In the Linux kernel through 6.3.1, a use-after-free in 
Netfilter nf_ta ...)
-   - linux 
+   - linux 6.1.27-1
NOTE: https://www.openwall.com/lists/oss-security/2023/05/08/4
NOTE: 
https://git.kernel.org/linus/c1592a89942e9678f7d9c8030efa777c0d57edab (6.4-rc1)
 CVE-2023-31415 (Kibana version 8.7.0 contains an arbitrary code execution 
flaw. An att ...)
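Review bot: the fixed version 6.1.27-1 is recorded only on the unstable "- linux" line while the sole upstream reference is a 6.4-rc1 commit, so the entry implies the fix was backported into 6.1.27 without saying so. With no [bullseye] or [buster] line present, those suites keep showing as vulnerable until annotated; a NOTE with the stable-branch backport (the kernel.dance link used for CVE-2023-31436 in the next hunk serves that purpose) would make the 6.1.27-1 claim traceable.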
@@ -359,7 +359,7 @@ CVE-2023- [RUSTSEC-2023-0035: enumflags2: Adverserial 
use of make_bitflags!
- rust-enumflags2  (Introduced in 0.7.0)
NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0035.html
 CVE-2023-31436 (qfq_change_class in net/sched/sch_qfq.c in the Linux kernel 
before 6.2 ...)
-   - linux 
+   - linux 6.1.27-1
[buster] - linux 4.19.282-1
NOTE: 
https://git.kernel.org/linus/3037933448f60f9acb705997eae62013ecb81e0d (6.3)
NOTE: https://kernel.dance/#3037933448f60f9acb705997eae62013ecb81e0d
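Review bot: CVE-2023-31436 now carries 6.1.27-1 for unstable and already has "[buster] - linux 4.19.282-1", but there is no [bullseye] line, so bullseye (5.10 series, as in the CVE-2023-26545 entry further down this page) remains listed as unfixed; add a [bullseye] entry once its update lands, or an explicit annotation if that is intended.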
@@ -2773,7 +2773,7 @@ CVE-2023-2003
RESERVED
 CVE-2023-2002
RESERVED
-   - linux 
+   - linux 6.1.27-1
NOTE: https://www.openwall.com/lists/oss-security/2023/04/16/3
NOTE: Fixed by: 
https://git.kernel.org/linus/25c150ac103a4ebeed0319994c742a90634ddf18
NOTE: Fixed by: 
https://lore.kernel.org/linux-bluetooth/20230416081404.8227-1-lrh2...@pku.edu.cn/
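Review bot: CVE-2023-2002 gets a fixed version while the entry is still RESERVED and carries two "Fixed by:" NOTEs, one a git.kernel.org commit and one a lore.kernel.org patch posting; the lore link is a submission rather than a merged change, so either drop it or annotate the commit with its release tag, as the other linux entries in this commit do with "(6.4-rc1)".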
@@ -9764,7 +9764,7 @@ CVE-2023-28159
- firefox  (Android-specific)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28159
 CVE-2023-1380 (A slab-out-of-bound read problem was found in 
brcmf_get_assoc_ies in d ...)
-   - linux 
+   - linux 6.1.27-1
NOTE: https://www.openwall.com/lists/oss-security/2023/03/13/1
NOTE: 
https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.j...@yonsei.ac.kr/T/#u
NOTE: 
https://git.kernel.org/linus/0da40e018fd034d87c9460123fa7f897b69fdee7 (6.4-rc1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1297e75025614da40bb1abaa6570841106902ede



[Git][security-tracker-team/security-tracker][master] Drop notes for CVE-2023-2248 (duplicate of CVE-2023-31436)

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f7a99ef by Salvatore Bonaccorso at 2023-05-08T22:25:17+02:00
Drop notes for CVE-2023-2248 (duplicate of CVE-2023-31436)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -892,11 +892,6 @@ CVE-2023-2249
RESERVED
 CVE-2023-2248
REJECTED
-   - linux 
-   [buster] - linux 4.19.282-1
-   NOTE: 
https://git.kernel.org/linus/3037933448f60f9acb705997eae62013ecb81e0d (6.3)
-   NOTE: https://kernel.dance/#3037933448f60f9acb705997eae62013ecb81e0d
-   NOTE: Duplicate of CVE-2023-31436
 CVE-2022-48477 (In JetBrains Hub before 2023.1.15725 SSRF protection in Auth 
Module in ...)
NOT-FOR-US: JetBrains Hub
 CVE-2022-48476 (In JetBrains Ktor before 2.3.0 path traversal in the 
`resolveResource` ...)
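Review bot: besides the package and [buster] lines, the removal also drops "NOTE: Duplicate of CVE-2023-31436", which was the only pointer from the now-REJECTED CVE-2023-2248 to the entry that is actually tracked; keeping that single NOTE under REJECTED lets anyone searching for the rejected ID find the live one.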



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f7a99ef4010ea727ce952c27c77fc707a512504



[Git][security-tracker-team/security-tracker][master] automatic update

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
01c1aa1f by security tracker role at 2023-05-08T20:12:26+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,13 @@
+CVE-2023-2583 (Code Injection in GitHub repository jsreport/jsreport prior to 
3.11.3.)
+   TODO: check
+CVE-2023-2582 (A prototype pollution vulnerability exists in Strikingly CMS 
which can ...)
+   TODO: check
+CVE-2023-2575 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are 
affect ...)
+   TODO: check
+CVE-2023-2574 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are 
affect ...)
+   TODO: check
+CVE-2023-2573 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are 
affect ...)
+   TODO: check
 CVE-2023-2566 (Cross-site Scripting (XSS) - Stored in GitHub repository 
openemr/opene ...)
NOT-FOR-US: OpenEMR
 CVE-2023-2534 (Improper Authorization vulnerability in OTRS AG OTRS 8 
(Websocket API  ...)
@@ -41,7 +51,7 @@ CVE-2023-32269 (An issue was discovered in the Linux kernel 
before 6.1.11. In ne
NOTE: 
https://git.kernel.org/linus/611792920925fb088ddccbe2783c7f92fdfb6b64 (6.2-rc7)
 CVE-2023-32235 (Ghost before 5.42.1 allows remote attackers to read arbitrary 
files wi ...)
NOT-FOR-US: Ghost CMS
-CVE-2023-32233 [netfilter: nf_tables: deactivate anonymous set from 
preparation phase]
+CVE-2023-32233 (In the Linux kernel through 6.3.1, a use-after-free in 
Netfilter nf_ta ...)
- linux 
NOTE: https://www.openwall.com/lists/oss-security/2023/05/08/4
NOTE: 
https://git.kernel.org/linus/c1592a89942e9678f7d9c8030efa777c0d57edab (6.4-rc1)
@@ -756,16 +766,16 @@ CVE-2023-31129
RESERVED
 CVE-2023-31128
RESERVED
-CVE-2023-31127
-   RESERVED
+CVE-2023-31127 (libspdm is a sample implementation that follows the DMTF SPDM 
specific ...)
+   TODO: check
 CVE-2023-31126
RESERVED
 CVE-2023-31125
RESERVED
 CVE-2023-31124
RESERVED
-CVE-2023-31123
-   RESERVED
+CVE-2023-31123 (`effectindex/tripreporter` is a community-powered, universal 
platform  ...)
+   TODO: check
 CVE-2023-30768
RESERVED
 CVE-2023-30763
@@ -869,7 +879,7 @@ CVE-2023-2253
RESERVED
 CVE-2023-2252
RESERVED
-CVE-2023-2251 (Uncaught Exception in GitHub repository eemeli/yaml prior to 
2.0.0-4.)
+CVE-2023-2251 (Uncaught Exception in GitHub repository eemeli/yaml prior to 
2.0.0-5.)
- node-yaml 2.1.3-2 (bug #1035580)
[bullseye] - node-yaml  (Vulnerable code not present)
NOTE: https://huntr.dev/bounties/4b494e99-5a3e-40d9-8678-277f3060e96c
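Review bot: the CNA text for CVE-2023-2251 moved its upper bound from 2.0.0-4 to 2.0.0-5, but the "- node-yaml 2.1.3-2" fixed version and the "[bullseye] Vulnerable code not present" annotation were set against the previous description; re-check against the huntr report that the change shipped in 2.1.3-2 is the one that closes the 2.0.0-5 range, since an automatic description update is the usual sign that the upstream fix was revised.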
@@ -880,7 +890,8 @@ CVE-2023-2250 (A flaw was found in the Open Cluster 
Management (OCM) when a user
NOT-FOR-US: Open Cluster Management (OCM)
 CVE-2023-2249
RESERVED
-CVE-2023-2248 (A heap out-of-bounds read/write vulnerability in the Linux 
Kernel traf ...)
+CVE-2023-2248
+   REJECTED
- linux 
[buster] - linux 4.19.282-1
NOTE: 
https://git.kernel.org/linus/3037933448f60f9acb705997eae62013ecb81e0d (6.3)
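Review bot: the automatic update flips CVE-2023-2248 to REJECTED but leaves the "- linux", "[buster]" and NOTE lines beneath it, so the entry describes a rejected ID as a fixed-in-buster issue; a REJECTED entry should carry no package state, which the follow-up commit 9f7a99ef on this page corrects.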
@@ -1032,10 +1043,10 @@ CVE-2023-31040
RESERVED
 CVE-2023-2246 (A vulnerability has been found in SourceCodester Online Pizza 
Ordering ...)
NOT-FOR-US: SourceCodester
-CVE-2023-31039
-   RESERVED
-CVE-2023-31038
-   RESERVED
+CVE-2023-31039 (Security vulnerabilityin Apache bRPC <1.5.0 on all platforms 
allows at ...)
+   TODO: check
+CVE-2023-31038 (SQL injection in Log4cxx when using the ODBC appender to send 
log mess ...)
+   TODO: check
 CVE-2023-2245 (A vulnerability was found in hansunCMS 1.4.3. It has been 
declared as  ...)
NOT-FOR-US: hansunCMS
 CVE-2023-2244 (A vulnerability was found in SourceCodester Online Eyewear Shop 
1.0. I ...)
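Review bot: both new entries are left as "TODO: check", but they are not alike: unlike Apache bRPC, Log4cxx is packaged in Debian (src:log4cxx), so the CVE-2023-31038 line needs a real package entry with a fixed version rather than an NFU. The "vulnerabilityin" typo in the CVE-2023-31039 description is CNA text and should not be fixed locally, since the next automatic import would overwrite it.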
@@ -1579,8 +1590,8 @@ CVE-2023-30861 (Flask is a lightweight WSGI web 
application framework. When all
NOTE: 
https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq
NOTE: 
https://github.com/pallets/flask/commit/8646edca6f47e2cd57464081b3911218d4734f8d
 (2.2.5)
NOTE: 
https://github.com/pallets/flask/commit/8705dd39c4fa563ea0fe0bf84c85da8fcc98b88d
 (2.3.2)
-CVE-2023-30860
-   RESERVED
+CVE-2023-30860 (WWBN AVideo is an open source video platform. In AVideo prior 
to versi ...)
+   TODO: check
 CVE-2023-30859 (Triton is a Minecraft plugin for Spigot and BungeeCord that 
helps you  ...)
NOT-FOR-US: Triton Minecraft plugin
 CVE-2023-30858 (The Denosaurs emoji package provides emojis for dinosaurs. 
Starting in ...)
@@ -1589,8 +1600,8 @@ CVE-2023-30857 (@aedart/support is the support package 
for Ion, a monorepo for J
NOT-FOR-US: support package for Ion
 CVE-2023-30856 (eDEX-UI is a science fiction terminal emulator. Versions 2.2.8 
and pri ...)
NOT-FOR-US: eDEX-UI
-CVE-2023-30855
-

[Git][security-tracker-team/security-tracker][master] Add upstream commit reference for CVE-2022-48425/linux

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
390c74a8 by Salvatore Bonaccorso at 2023-05-08T21:36:54+02:00
Add upstream commit reference for CVE-2022-48425/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9054,6 +9054,7 @@ CVE-2022-48425 (In the Linux kernel through 6.2.7, 
fs/ntfs3/inode.c has an inval
- linux  (unimportant)
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/98bea253aa28ad8be2ce565a9ca21beb4a9419e5 (6.4-rc1)
NOTE: NTFS3 driver not enabled in Debian
 CVE-2022-48424 (In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not 
validate t ...)
- linux 6.1.4-1 (unimportant)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/390c74a8779163cd105fef7e3cc0957d42078c03



[Git][security-tracker-team/security-tracker][master] Add upstream commit reference for CVE-2023-1380

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
68b7f5e6 by Salvatore Bonaccorso at 2023-05-08T21:29:21+02:00
Add upstream commit reference for CVE-2023-1380

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9760,6 +9760,7 @@ CVE-2023-1380 (A slab-out-of-bound read problem was found 
in brcmf_get_assoc_ies
- linux 
NOTE: https://www.openwall.com/lists/oss-security/2023/03/13/1
NOTE: 
https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.j...@yonsei.ac.kr/T/#u
+   NOTE: 
https://git.kernel.org/linus/0da40e018fd034d87c9460123fa7f897b69fdee7 (6.4-rc1)
 CVE-2023-1379 (A vulnerability was found in SourceCodester Friendly Island 
Pizza Webs ...)
NOT-FOR-US: SourceCodester Friendly Island Pizza Website and Ordering 
System
 CVE-2023-1378 (A vulnerability classified as critical was found in 
SourceCodester Fri ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68b7f5e62158f5dcd07dbcadab4ba8fc2d0010f9



[Git][security-tracker-team/security-tracker][master] Add upstream commit reference for CVE-2023-2124

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc25a648 by Salvatore Bonaccorso at 2023-05-08T21:22:54+02:00
Add upstream commit reference for CVE-2023-2124

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1883,6 +1883,7 @@ CVE-2023-2124 [OOB access in the Linux kernel's XFS 
subsystem]
- linux 
NOTE: https://www.openwall.com/lists/oss-security/2023/04/19/2
NOTE: 
https://lore.kernel.org/linux-xfs/20230412214034.gl3223...@dread.disaster.area/T/#m1ebbcd1ad061d2d33bef6f0534a2b014744d152d
+   NOTE: 
https://git.kernel.org/linus/22ed903eee23a5b174e240f1cdfa9acf393a5210 (6.4-rc1)
 CVE-2023-2123
RESERVED
 CVE-2023-2122
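Review bot: the new NOTE records the upstream fix as 22ed903eee23 in 6.4-rc1, but the "- linux" line keeps no fixed version, and this entry is not among the four that the later commit 1297e750 on this page set to 6.1.27-1; check whether the commit was also picked into the 6.1.y series that 6.1.27-1 is based on, and either add the version or a NOTE saying the backport is pending.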



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc25a648657de4eddd7f4845f1aa8f90b4ad0af2



[Git][security-tracker-team/security-tracker][master] Update severity for CVE-2023-23039

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
47f453ed by Salvatore Bonaccorso at 2023-05-08T21:10:38+02:00
Update severity for CVE-2023-23039

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24600,8 +24600,9 @@ CVE-2023-23041
 CVE-2023-23040 (TP-Link router TL-WR940N V6 3.19.1 Build 180119 uses a 
deprecated MD5  ...)
NOT-FOR-US: TP-Link
 CVE-2023-23039 (An issue was discovered in the Linux kernel through 6.2.0-rc2. 
drivers ...)
-   - linux 
+   - linux  (unimportant)
NOTE: 
https://lore.kernel.org/lkml/20230102010528.2868403-1-yoochan1...@gmail.com/
+   NOTE: CONFIG_VCC depends on CONFIG_SUN_LDOMS, which is SPARC64 only
 CVE-2023-23038
RESERVED
 CVE-2023-23037
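Review bot: the new NOTE gives the Kconfig chain (CONFIG_VCC depends on CONFIG_SUN_LDOMS, SPARC64 only) but leaves the reader to infer why that makes the issue unimportant; spell out the conclusion in the entry, for instance that the driver cannot be enabled in the kernel configurations Debian builds, so the severity rating is justified on its own rather than by an unstated architecture argument.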



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47f453edbb8198b5b44b13d0bcb7fc541a0c5318



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-26544/linux

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a9a9f24a by Salvatore Bonaccorso at 2023-05-08T21:03:03+02:00
Update information for CVE-2023-26544/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14281,7 +14281,7 @@ CVE-2023-26545 (In the Linux kernel before 6.1.13, 
there is a double free in net
[bullseye] - linux 5.10.178-1
NOTE: 
https://git.kernel.org/linus/fda6c89fe3d9aca073495a664e1d5aea28cd4377 (6.2)
 CVE-2023-26544 (In the Linux kernel 6.0.8, there is a use-after-free in 
run_unpack in  ...)
-   - linux  (unimportant)
+   - linux 6.1.4-1 (unimportant)
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: https://lkml.org/lkml/2023/2/20/128
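Review bot: the fixed version 6.1.4-1 is now recorded, but the entry still only references the lkml.org thread; the neighbouring CVE-2023-26545 entry in the same hunk carries a git.kernel.org commit link with the upstream release in parentheses, and adding the same for the run_unpack fix would let anyone verifying the 6.1.4-1 claim check the commit directly rather than hunt for it in the mailing-list thread.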



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9a9f24afc49793119debf2b54dba9a41def2ee1



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-26606

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a68d62fd by Salvatore Bonaccorso at 2023-05-08T20:55:08+02:00
Update information for CVE-2023-26606

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14070,7 +14070,7 @@ CVE-2023-26607 (In the Linux kernel 6.0.8, there is an 
out-of-bounds read in ntf
- linux 4.19.37-1
NOTE: https://lkml.org/lkml/2023/2/21/1353
 CVE-2023-26606 (In the Linux kernel 6.0.8, there is a use-after-free in 
ntfs_trim_fs i ...)
-   - linux  (unimportant)
+   - linux 6.1.4-1 (unimportant)
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: https://lkml.org/lkml/2023/2/20/860



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a68d62fdcf14a3094026460dfce3b8b3841f75a5



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-28464

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
12728470 by Salvatore Bonaccorso at 2023-05-08T20:46:02+02:00
Update information for CVE-2023-28464

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8759,9 +8759,10 @@ CVE-2023-28467
 CVE-2023-28465
RESERVED
 CVE-2023-28464 (hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux 
kernel throu ...)
-   - linux 
+   - linux 6.1.25-1
NOTE: https://www.openwall.com/lists/oss-security/2023/03/28/2
NOTE: 
https://lore.kernel.org/lkml/20230309074645.74309-1-wzhmm...@gmail.com/
+   NOTE: 
https://git.kernel.org/linus/5dc7d23e167e2882ef118456ceccd57873e876d8
 CVE-2023-28463
RESERVED
 CVE-2023-28462 (A JNDI rebind operation in the default ORB listener in Payara 
Server 4 ...)
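Review bot: the added git.kernel.org NOTE omits the upstream release in parentheses that the other kernel entries in data/CVE/list carry (the `(6.4-rc1)` style used elsewhere), so it is not obvious from the entry which mainline version first contains 5dc7d23e167e2882ef118456ceccd57873e876d8; append the release tag so the 6.1.25-1 fixed version can be cross-checked against the stable backport.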



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12728470fa7481edac6124feb139b2f36f48c2bf



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-32233/linux

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dd194c5e by Salvatore Bonaccorso at 2023-05-08T18:09:24+02:00
Add CVE-2023-32233/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41,6 +41,10 @@ CVE-2023-32269 (An issue was discovered in the Linux kernel 
before 6.1.11. In ne
NOTE: 
https://git.kernel.org/linus/611792920925fb088ddccbe2783c7f92fdfb6b64 (6.2-rc7)
 CVE-2023-32235 (Ghost before 5.42.1 allows remote attackers to read arbitrary 
files wi ...)
NOT-FOR-US: Ghost CMS
+CVE-2023-32233 [netfilter: nf_tables: deactivate anonymous set from 
preparation phase]
+   - linux 
+   NOTE: https://www.openwall.com/lists/oss-security/2023/05/08/4
+   NOTE: 
https://git.kernel.org/linus/c1592a89942e9678f7d9c8030efa777c0d57edab (6.4-rc1)
 CVE-2023-31415 (Kibana version 8.7.0 contains an arbitrary code execution 
flaw. An att ...)
- kibana  (bug #700337)
 CVE-2023-31414 (Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code 
executio ...)
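Review bot: the new entry has `- linux` with no fixed version, no severity tag and no bullseye/buster annotation, and the bracketed title is its only description; since the NOTE already points to the 6.4-rc1 fix c1592a89942e9678f7d9c8030efa777c0d57edab and to the oss-security post, add the Debian fixed version once the stable backport is uploaded and mark the stable suites so the entry does not sit as untriaged.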



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd194c5eb2aca60cfc7bd70ff176850af7700f4c



[Git][security-tracker-team/security-tracker][master] bullseye triage

2023-05-08 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
47fd1137 by Moritz Muehlenhoff at 2023-05-08T17:27:21+02:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -2334,6 +2334,7 @@ CVE-2023-30609 (matrix-react-sdk is a react-based SDK for 
inserting a Matrix cha
NOTE: 
https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw
 CVE-2023-30608 (sqlparse is a non-validating SQL parser module for Python. In 
affected ...)
- sqlparse  (bug #1034615)
+   [bullseye] - sqlparse  (Minor issue)
NOTE: 
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
NOTE: Introduced by: 
https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
 (0.1.15)
NOTE: Fixed by: 
https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
 (0.4.4)
@@ -2753,6 +2754,7 @@ CVE-2023-2005
RESERVED
 CVE-2023-2004 (An integer overflow vulnerability was discovered in Freetype in 
tt_hva ...)
- freetype 2.12.1+dfsg-5 (bug #1034612)
+   [bullseye] - freetype  (Minor issue)
[buster] - freetype  (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
NOTE: 
https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611
 (VER-2-13-0)
@@ -2860,18 +2862,21 @@ CVE-2023-1994 (GQUIC dissector crash in Wireshark 4.0.0 
to 4.0.4 and 3.6.0 to 3.
{DLA-3402-1}
[experimental] - wireshark 4.0.5-1~exp1
- wireshark  (bug #1034721)
+   [bullseye] - wireshark  (Minor issue)
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18947
NOTE: https://www.wireshark.org/security/wnpa-sec-2023-11.html
 CVE-2023-1993 (LISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 
to 3.6 ...)
{DLA-3402-1}
[experimental] - wireshark 4.0.5-1~exp1
- wireshark  (bug #1034721)
+   [bullseye] - wireshark  (Minor issue)
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18900
NOTE: https://www.wireshark.org/security/wnpa-sec-2023-10.html
 CVE-2023-1992 (RPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 
to 3.6. ...)
{DLA-3402-1}
[experimental] - wireshark 4.0.5-1~exp1
- wireshark  (bug #1034721)
+   [bullseye] - wireshark  (Minor issue)
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18852
NOTE: https://www.wireshark.org/security/wnpa-sec-2023-09.html
 CVE-2023-1991
@@ -4873,6 +4878,7 @@ CVE-2023-29580 (yasm 1.3.0.55.g101bc was discovered to 
contain a segmentation vi
NOTE: Crash in CLI tool, no security impact
 CVE-2023-29579 (yasm 1.3.0.55.g101bc was discovered to contain a stack 
overflow via th ...)
- yasm 
+   [bullseye] - yasm  (Minor issue)
NOTE: https://github.com/yasm/yasm/issues/214
 CVE-2023-29578 (mp4v2 v2.0.0 was discovered to contain a heap buffer overflow 
via the  ...)
NOT-FOR-US: MP4v2
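Review bot: the bullseye (Minor issue) tag for CVE-2023-29579 sits right under CVE-2023-29580, which the context line dismisses with `NOTE: Crash in CLI tool, no security impact`; both are yasm parser crashes, so if the same reasoning applies to the stack overflow it should be rated unimportant as well, or a NOTE should say why the two are rated differently.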
@@ -5195,6 +5201,7 @@ CVE-2023-29492 (Novi Survey before 8.9.43676 allows 
remote attackers to execute
NOT-FOR-US: Novi Survey
 CVE-2023-29491 (ncurses before 6.4 20230408, when used by a setuid 
application, allows ...)
- ncurses  (bug #1034372)
+   [bullseye] - ncurses  (Minor issue)
NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20230408
NOTE: 
http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
NOTE: 
https://github.com/ThomasDickey/ncurses-snapshots/commit/a6d3f92bb5bba1a71c7c3df39497abbe5fe999ff
@@ -5439,6 +5446,7 @@ CVE-2023-1907
RESERVED
 CVE-2023-1906 (A heap-based buffer overflow issue was discovered in 
ImageMagick's Imp ...)
- imagemagick  (bug #1034373)
+   [bullseye] - imagemagick  (Minor issue)
[buster] - imagemagick  (Minor issue)
NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/e30c693b37c3b41723f1469d1226a2c814ca443d
 (ImageMagick 6.9.12-84)
@@ -9061,6 +9069,7 @@ CVE-2023-28372
RESERVED
 CVE-2023-28371 (In Stellarium through 1.2, attackers can write to files that 
are typic ...)
- stellarium  (bug #1034183)
+   [bullseye] - stellarium  (Minor issue)
NOTE: 
https://github.com/Stellarium/stellarium/commit/1261f74dc4aa6bbd01ab514343424097f8cf46b7
NOTE: 
https://github.com/Stellarium/stellarium/commit/787a894897b7872ae96e6f5804a182210edd5c78
NOTE: 
https://github.com/Stellarium/stellarium/commit/eba61df3b38605befcb43687a4c0a159dbc0c5cb
@@ -17588,18 +17597,23 @@ CVE-2023-25515
RESERVED
 CVE-2023-25514 (NVIDIA CUDA toolkit for Linux and Windows contains a
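Review bot: the last hunk (`@@ -17588,18 +17597,23 @@`) stops after the first line of the CVE-2023-25514 description, and the data/dsa-needed.txt change announced under "2 changed files" is missing entirely, so the patch as posted cannot be reviewed to its end; the notification appears to have been cut off and the full diff has to be taken from the repository.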

[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-05-08 Thread @roberto


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52544f46 by Roberto C. Sánchez at 2023-05-08T11:09:39-04:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Roberto C. Sánchez 

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -13,7 +13,7 @@ To make it easier to see the entire history of an update, 
please append notes
 rather than remove/replace existing ones.
 
 --
-cairosvg (dleidert)
+cairosvg
   NOTE: 20230323: Programming language: Python.
   NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport 
the --unsafe switch, introduced in 1.0.21, might work (dleidert)
 --
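Review bot: dropping `(dleidert)` from the cairosvg header leaves no record of when or why the package was unclaimed, even though the file's own header in the context lines asks that notes be appended rather than removed; add a dated line such as `NOTE: 20230508: Unclaimed after two weeks of inactivity (roberto)` so the next person picking up the package sees the history.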
@@ -22,14 +22,14 @@ configobj (Chris Lamb)
   NOTE: 20230416: Special attention: Low priority but high popcon.
   NOTE: 20230502: No upstream-blessed patch yet. (lamby)
 --
-consul (Abhijith PA)
+consul
   NOTE: 20221031: Programming language: Go.
   NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git
   NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith)
   NOTE: 20230422: Resume work. (abhijith)
 --
-docker.io (gladk)
+docker.io
   NOTE: 20230303: Programming language: Go.
   NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk)
   NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git
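Review bot: same point for consul and docker.io, the claimant is removed without a dated NOTE recording the unclaim. The consul block's last two NOTEs are also out of order (20230423 listed before 20230422), which the append-only convention will only make harder to read; if the block is being touched anyway, put the dated unclaim NOTE at the end so the chronology is at least correct from here on.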



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52544f46e863de727ddcf186212c379ca3dea711



[Git][security-tracker-team/security-tracker][master] xpdf n/a

2023-05-08 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
47a099c4 by Moritz Muehlenhoff at 2023-05-08T11:01:33+02:00
xpdf n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13357,23 +13357,23 @@ CVE-2023-26940
 CVE-2023-26939
RESERVED
 CVE-2023-26938 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an 
attacker  ...)
-   TODO: check
+   - xpdf  (Debian uses poppler, which is not affected)
 CVE-2023-26937 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an 
attacker  ...)
-   TODO: check
+   - xpdf  (Debian uses poppler, which is not affected)
 CVE-2023-26936 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an 
attacker  ...)
-   TODO: check
+   - xpdf  (Debian uses poppler, which is not affected)
 CVE-2023-26935 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an 
attacker  ...)
-   TODO: check
+   - xpdf  (Debian uses poppler, which is not affected)
 CVE-2023-26934 (An issue found in XPDF v.4.04 allows an attacker to cause a 
denial of  ...)
-   TODO: check
+   - xpdf  (Debian uses poppler, which is not affected)
 CVE-2023-26933
RESERVED
 CVE-2023-26932
RESERVED
 CVE-2023-26931 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an 
attacker  ...)
-   TODO: check
+   - xpdf  (Debian uses poppler, which is not affected)
 CVE-2023-26930 (Buffer Overflow vulnerability found in XPDF v.4.04 allows an 
attacker  ...)
-   TODO: check
+   - xpdf  (Debian uses poppler, which is not affected)
 CVE-2023-26929
RESERVED
 CVE-2023-26928
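Review bot: the parenthetical `Debian uses poppler, which is not affected` reads as if Debian does not ship xpdf at all, yet the line still names the xpdf package; make the rationale self-contained by stating that the Debian xpdf package is built on poppler rather than on the XPDF 4.04 code these CVEs target, so a reader sees that the affected code is not shipped.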



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47a099c4b20035812eb4a20cce6b327be0ae0056



[Git][security-tracker-team/security-tracker][master] lts: update notes

2023-05-08 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7cf17d7f by Emilio Pozuelo Monfort at 2023-05-08T10:47:01+02:00
lts: update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -149,6 +149,7 @@ openimageio (gladk)
 openjdk-11 (Emilio)
   NOTE: 20230419: Programming language: Java.
   NOTE: 20230419: VCS: 
https://salsa.debian.org/lts-team/packages/openjdk-11.git
+  NOTE: 20230508: waiting for sid/bullseye update (pochu)
 --
 php-cas
   NOTE: 20221105: Programming language: PHP.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cf17d7f31fc6483b10415f0c5f645bfadce483f



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e2e3d0fc by Salvatore Bonaccorso at 2023-05-08T10:33:20+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2023-2566 (Cross-site Scripting (XSS) - Stored in GitHub repository 
openemr/opene ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2023-2534 (Improper Authorization vulnerability in OTRS AG OTRS 8 
(Websocket API  ...)
TODO: check
 CVE-2023-2565 (A vulnerability has been found in SourceCodester Multi Language 
Hotel  ...)
@@ -3467,7 +3467,7 @@ CVE-2023-30259
 CVE-2023-30258
RESERVED
 CVE-2023-30257 (A buffer overflow in the component /proc/ft-debug of FiiO 
M6 Build ...)
-   TODO: check
+   NOT-FOR-US: FiiO M6
 CVE-2023-30256
RESERVED
 CVE-2023-30255
@@ -3611,7 +3611,7 @@ CVE-2023-30187
 CVE-2023-30186
RESERVED
 CVE-2023-30185 (CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file 
upload  ...)
-   TODO: check
+   NOT-FOR-US: CRMEB
 CVE-2023-30184 (A stored cross-site scripting (XSS) vulnerability in Typecho 
v1.2.0 al ...)
NOT-FOR-US: Typecho
 CVE-2023-30183
@@ -3946,7 +3946,7 @@ CVE-2023-30020
 CVE-2023-30019
RESERVED
 CVE-2023-30018 (Judging Management System v1.0 is vulnerable to SQL Injection. 
via /ph ...)
-   TODO: check
+   NOT-FOR-US: Judging Management System
 CVE-2023-30017
RESERVED
 CVE-2023-30016
@@ -4095,7 +4095,7 @@ CVE-2023-29946
 CVE-2023-29945
RESERVED
 CVE-2023-29944 (Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote 
Command Exec ...)
-   TODO: check
+   NOT-FOR-US: Metersphere
 CVE-2023-29943
RESERVED
 CVE-2023-29942 (llvm-project commit a0138390 was discovered to contain a 
segmentation  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2e3d0fc6066ead1335a24c92dd346f68ccf6ceb



[Git][security-tracker-team/security-tracker][master] automatic update

2023-05-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c9a0fb2 by security tracker role at 2023-05-08T08:11:55+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-2566 (Cross-site Scripting (XSS) - Stored in GitHub repository 
openemr/opene ...)
+   TODO: check
+CVE-2023-2534 (Improper Authorization vulnerability in OTRS AG OTRS 8 
(Websocket API  ...)
+   TODO: check
 CVE-2023-2565 (A vulnerability has been found in SourceCodester Multi Language 
Hotel  ...)
NOT-FOR-US: SourceCodester Multi Language Hotel Management Software
 CVE-2023-2564 (OS Command Injection in GitHub repository sbs20/scanservjs 
prior to v2 ...)
@@ -3462,8 +3466,8 @@ CVE-2023-30259
RESERVED
 CVE-2023-30258
RESERVED
-CVE-2023-30257
-   RESERVED
+CVE-2023-30257 (A buffer overflow in the component /proc/ft-debug of FiiO 
M6 Build ...)
+   TODO: check
 CVE-2023-30256
RESERVED
 CVE-2023-30255
@@ -3606,8 +3610,8 @@ CVE-2023-30187
RESERVED
 CVE-2023-30186
RESERVED
-CVE-2023-30185
-   RESERVED
+CVE-2023-30185 (CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file 
upload  ...)
+   TODO: check
 CVE-2023-30184 (A stored cross-site scripting (XSS) vulnerability in Typecho 
v1.2.0 al ...)
NOT-FOR-US: Typecho
 CVE-2023-30183
@@ -3941,8 +3945,8 @@ CVE-2023-30020
RESERVED
 CVE-2023-30019
RESERVED
-CVE-2023-30018
-   RESERVED
+CVE-2023-30018 (Judging Management System v1.0 is vulnerable to SQL Injection. 
via /ph ...)
+   TODO: check
 CVE-2023-30017
RESERVED
 CVE-2023-30016
@@ -4090,8 +4094,8 @@ CVE-2023-29946
RESERVED
 CVE-2023-29945
RESERVED
-CVE-2023-29944
-   RESERVED
+CVE-2023-29944 (Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote 
Command Exec ...)
+   TODO: check
 CVE-2023-29943
RESERVED
 CVE-2023-29942 (llvm-project commit a0138390 was discovered to contain a 
segmentation  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c9a0fb21044d2d65065294b471ec4b55fa39378
