[Git][security-tracker-team/security-tracker][master] 3 commits: add yajl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fcb78095 by Thorsten Alteholz at 2023-07-03T00:07:40+02:00 add yajl - - - - - fd0c9bcc by Thorsten Alteholz at 2023-07-03T00:07:41+02:00 mark CVE-2023-2861 as no-dsa for Buster - - - - - 430ae682 by Thorsten Alteholz at 2023-07-03T00:07:42+02:00 mark CVE-2023-3354 as no-dsa for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -445,6 +445,7 @@ CVE-2023-3354 [VNC: improper I/O watch removal in TLS handshake can lead to remo - qemu [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478 TODO: check, no details in RHBZ#2216478 on upstream status CVE-2023-3432 (Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plant ...) @@ -497,6 +498,7 @@ CVE-2023-2996 (The Jetpack WordPress plugin before 12.1.1 does not validate uplo NOT-FOR-US: WordPress plugin CVE-2023-2861 [9pfs: prevent opening special files] - qemu + [buster] - qemu (Minor issue) NOTE: https://gitlab.com/qemu-project/qemu/-/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda CVE-2023-2860 [ipv6: sr: fix out-of-bounds read when setting HMAC data.] - linux 5.19.11-1 = data/dla-needed.txt = 
@@ -263,3 +263,6 @@ webkit2gtk (Emilio) NOTE: 20230606: https://lists.debian.org/debian-lts/2023/06/msg5.html (pochu) NOTE: 20230627: will likely hold the update and mark as not-supported due to feedback (pochu) -- +yajl (tobi) + NOTE: 20230702: Added by Front-Desk (ta) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab48cb7e37aa9475bb69485eab889d5f8f70bb5d...430ae6821506cd4290eacaa2d66eb4b328c866e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab48cb7e37aa9475bb69485eab889d5f8f70bb5d...430ae6821506cd4290eacaa2d66eb4b328c866e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
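Review bot: the new `yajl (tobi)` entry in dla-needed.txt should say which issues are still open for buster, because DLA-3478-1 (already in data/DLA/list) covers only CVE-2023-33460 while CVE-2017-16516 and CVE-2022-24795 were set back to unfixed in 7ae4f8aa; a second line such as `NOTE: 20230702: CVE-2017-16516 and CVE-2022-24795 still open, see #1040036` would make the remaining scope visible to whoever picks it up. The two `[buster] - qemu (Minor issue)` lines match the bullseye and bookworm lines above them, but the `TODO: check, no details in RHBZ#2216478 on upstream status` under CVE-2023-3354 is still open, so that no-dsa tag may need revisiting once the upstream fix is known.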
[Git][security-tracker-team/security-tracker][master] dla: take tiff
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab48cb7e by Adrian Bunk at 2023-07-03T00:57:55+03:00 dla: take tiff - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -251,7 +251,7 @@ symfony (guilhem) syncthing (Abhijith PA) NOTE: 20230616: Added by Front-Desk (opal) -- -tiff +tiff (Adrian Bunk) NOTE: 20230702: Added by Front-Desk (ta) -- webkit2gtk (Emilio) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab48cb7e37aa9475bb69485eab889d5f8f70bb5d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab48cb7e37aa9475bb69485eab889d5f8f70bb5d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 69c7d7ef by security tracker role at 2023-07-02T20:13:36+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2798,6 +2798,7 @@ CVE-2023-33530 (There is a command injection vulnerability in the Tenda G103 Gig CVE-2023-33477 (In Harmonic NSG 9000-6G devices, an authenticated remote user can obta ...) NOT-FOR-US: Harmonic NSG 9000-6G devices CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse functi ...) + {DLA-3478-1} - yajl 2.1.0-3.1 (bug #1039984) [bookworm] - yajl (Minor issue) [bullseye] - yajl (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69c7d7ef5a23088566d99a19fab807c4cbc6172b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69c7d7ef5a23088566d99a19fab807c4cbc6172b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track nvidia-graphics-drivers-tesla-510 as removed from everywhere
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b13c039 by Salvatore Bonaccorso at 2023-07-02T21:22:16+02:00 Track nvidia-graphics-drivers-tesla-510 as removed from everywhere - - - - - 1 changed file: - data/packages/removed-packages Changes: = data/packages/removed-packages = @@ -941,3 +941,4 @@ rust-crossbeam-utils-0.7 mariadb-10.6 cgminer rust-ncurses +nvidia-graphics-drivers-tesla-510 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b13c03976127c4579f310a8de8499528f247f9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b13c03976127c4579f310a8de8499528f247f9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed versions via unstable for nvidia-graphics-drivers-tesla-510 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 07e4135c by Salvatore Bonaccorso at 2023-07-02T21:21:35+02:00 Track fixed versions via unstable for nvidia-graphics-drivers-tesla-510 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -94316,7 +94316,7 @@ CVE-2022-28192 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU - nvidia-graphics-drivers-tesla-470 470.129.06-1 (bug #1011146) [bullseye] - nvidia-graphics-drivers-tesla-470 (Non-free not supported) [experimental] - nvidia-graphics-drivers-tesla-510 510.73.08-1 - - nvidia-graphics-drivers-tesla-510 (bug #1011147) + - nvidia-graphics-drivers-tesla-510 510.73.08-2 (bug #1011147) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5353 CVE-2022-28191 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...) - nvidia-graphics-drivers 470.129.06-1 (bug #1011140) @@ -94327,7 +94327,7 @@ CVE-2022-28191 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU - nvidia-graphics-drivers-tesla-470 470.129.06-1 (bug #1011146) [bullseye] - nvidia-graphics-drivers-tesla-470 (Non-free not supported) [experimental] - nvidia-graphics-drivers-tesla-510 510.73.08-1 - - nvidia-graphics-drivers-tesla-510 (bug #1011147) + - nvidia-graphics-drivers-tesla-510 510.73.08-2 (bug #1011147) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5353 CVE-2022-28190 (NVIDIA GPU Display Driver for Windows contains a vulnerability in the ...) NOT-FOR-US: NVIDIA Windows drivers 
@@ -94358,7 +94358,7 @@ CVE-2022-28185 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne - nvidia-graphics-drivers-tesla-470 470.129.06-1 (bug #1011146) [bullseye] - nvidia-graphics-drivers-tesla-470 (Non-free not supported) [experimental] - nvidia-graphics-drivers-tesla-510 510.73.08-1 - - nvidia-graphics-drivers-tesla-510 (bug #1011147) + - nvidia-graphics-drivers-tesla-510 510.73.08-2 (bug #1011147) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5353 CVE-2022-28184 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...) - nvidia-graphics-drivers 470.129.06-1 (bug #1011140) @@ -94369,7 +94369,7 @@ CVE-2022-28184 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne - nvidia-graphics-drivers-tesla-470 470.129.06-1 (bug #1011146) [bullseye] - nvidia-graphics-drivers-tesla-470 (Non-free not supported) [experimental] - nvidia-graphics-drivers-tesla-510 510.73.08-1 - - nvidia-graphics-drivers-tesla-510 (bug #1011147) + - nvidia-graphics-drivers-tesla-510 510.73.08-2 (bug #1011147) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5353 CVE-2022-28183 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...) - nvidia-graphics-drivers 470.129.06-1 (bug #1011140) @@ -94380,7 +94380,7 @@ CVE-2022-28183 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne - nvidia-graphics-drivers-tesla-470 470.129.06-1 (bug #1011146) [bullseye] - nvidia-graphics-drivers-tesla-470 (Non-free not supported) [experimental] - nvidia-graphics-drivers-tesla-510 510.73.08-1 - - nvidia-graphics-drivers-tesla-510 (bug #1011147) + - nvidia-graphics-drivers-tesla-510 510.73.08-2 (bug #1011147) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5353 CVE-2022-28182 (NVIDIA GPU Display Driver for Windows contains a vulnerability in the ...) NOT-FOR-US: NVIDIA Windows drivers 
@@ -94403,7 +94403,7 @@ CVE-2022-28181 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne - nvidia-graphics-drivers-tesla-470 470.129.06-1 (bug #1011146) [bullseye] - nvidia-graphics-drivers-tesla-470 (Non-free not supported) [experimental] - nvidia-graphics-drivers-tesla-510 510.73.08-1 - - nvidia-graphics-drivers-tesla-510 (bug #1011147) + - nvidia-graphics-drivers-tesla-510 510.73.08-2 (bug #1011147) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5353 CVE-2022-28180 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07e4135caceb07581fa267d58451d28bcd0e8b9a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07e4135caceb07581fa267d58451d28bcd0e8b9a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
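Review bot: the same `510.73.08-2 (bug #1011147)` fixed version is written for six CVE records in one sweep while the `[experimental]` line in each still reads `510.73.08-1`; with the package now being recorded as removed everywhere in 5b13c039, this unstable version is the only thing closing the issues, so it is worth confirming that bug #1011147 is actually closed by 510.73.08-2 rather than by the -1 upload that went to experimental.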
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-24809,nethack: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 003e787b by Markus Koschany at 2023-07-02T21:05:35+02:00 CVE-2023-24809,nethack: fixed in unstable - - - - - 4e08f493 by Markus Koschany at 2023-07-02T21:10:47+02:00 Claim mediawiki and erlang in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -25463,7 +25463,7 @@ CVE-2023-24811 (Misskey is an open source, decentralized social media platform. CVE-2023-24810 (Misskey is an open source, decentralized social media platform. Due to ...) NOT-FOR-US: Misskey CVE-2023-24809 (NetHack is a single player dungeon exploration game. Starting with ver ...) - - nethack (bug #1031869) + - nethack 3.6.7-1 (bug #1031869) [bookworm] - nethack (Minor issue) [bullseye] - nethack (Minor issue) [buster] - nethack (Minor issue) = data/dla-needed.txt = @@ -50,7 +50,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -erlang +erlang (Markus Koschany) NOTE: 20221119: Added by Front-Desk (ta) NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) -- 
@@ -123,7 +123,7 @@ libusrsctp (rouca) linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- -mediawiki +mediawiki (Markus Koschany) NOTE: 20230701: Added by Front-Desk (ta) -- nova View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f3e36f6e822d8806925535e7691d91972d26a939...4e08f4932a826df4529a6a48f6536f6440a05bb8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f3e36f6e822d8806925535e7691d91972d26a939...4e08f4932a826df4529a6a48f6536f6440a05bb8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
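Review bot: the erlang claim leaves `NOTE: 20221119: at least CVE-2022-37026 needs to be fixed` as the only status line, and that is over seven months old; a dated NOTE listing the CVEs currently open for buster when taking the package would follow the pattern used elsewhere in the file (the dated notes under dogecoin and openimageio, for instance). The nethack hunk is fine: `3.6.7-1` is recorded for unstable and the three suite lines stay `(Minor issue)`.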
[Git][security-tracker-team/security-tracker][master] Fix one source package name
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f3e36f6e by Salvatore Bonaccorso at 2023-07-02T21:00:20+02:00 Fix one source package name - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2806,8 +2806,8 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse [buster] - burp (Minor issue; fix only after newer releases got a fix) - crun [buster] - crun (Minor issue; fix only after newer releases got a fix) - - epic-base - [buster] - epic-base (Minor issue; fix only after newer releases got a fix) + - epics-base + [buster] - epics-base (Minor issue; fix only after newer releases got a fix) - r-cran-jsonlite [bookworm] - r-cran-jsonlite (Minor issue) [bullseye] - r-cran-jsonlite (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3e36f6e822d8806925535e7691d91972d26a939 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3e36f6e822d8806925535e7691d91972d26a939 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
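Review bot: until this fix the buster line under CVE-2023-33460 named a source package that does not exist, so the `(Minor issue)` marking for epics-base was not actually in effect; the same misspelling in data/embedded-code-copies was corrected separately in 93ed3e00, and a grep for `epic-base` across data/ would have caught both files in one commit.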
[Git][security-tracker-team/security-tracker][master] add tiff
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 53214c97 by Thorsten Alteholz at 2023-07-02T20:57:30+02:00 add tiff - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -251,6 +251,9 @@ symfony (guilhem) syncthing (Abhijith PA) NOTE: 20230616: Added by Front-Desk (opal) -- +tiff + NOTE: 20230702: Added by Front-Desk (ta) +-- webkit2gtk (Emilio) NOTE: 20230512: Re-added (pochu) NOTE: 20230512: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53214c97c89931d766d6b9230cc77f56320847b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53214c97c89931d766d6b9230cc77f56320847b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add gst-plugins-*
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 703de18a by Thorsten Alteholz at 2023-07-02T20:49:56+02:00 add gst-plugins-* - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,6 +79,15 @@ grpc NOTE: 20230614: Added by Front-Desk (opal) NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca) -- +gst-plugins-bad1.0 (Thorsten Alteholz) + NOTE: 20230702: Added by Front-Desk (ta) +-- +gst-plugins-base1.0 (Thorsten Alteholz) + NOTE: 20230702: Added by Front-Desk (ta) +-- +gst-plugins-good1.0 (Thorsten Alteholz) + NOTE: 20230702: Added by Front-Desk (ta) +-- hdf5 NOTE: 20230318: Added by Front-Desk (utkarsh) NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/703de18adc5574e0651e8b44993c91510077ae59 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/703de18adc5574e0651e8b44993c91510077ae59 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove some source package listings for yajl issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fede245d by Salvatore Bonaccorso at 2023-07-02T20:47:14+02:00 Remove some source package listings for yajl issues Link: https://salsa.debian.org/security-tracker-team/security-tracker/commit/230e1c66b5df3f8c29e672b74bd7dc66274d7e24 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2815,10 +2815,6 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse - ruby-yajl [bookworm] - ruby-yajl (Minor issue) [bullseye] - ruby-yajl (Minor issue) - - argyll (bug #1040151) - - collada2gltf (bug #1040153) - - lnav - - r-cran-jsonlite CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in URIParser::parse , ...) NOT-FOR-US: Sogou Workflow CVE-2023-33381 (A command injection vulnerability was found in the ping functionality ...) @@ -104252,12 +104248,8 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation - yajl (bug #1040036) - burp (bug #1040146) - crun (bug #1040147) - - argyll (bug #1040150) - - collada2gltf (bug #1040153) - epics-base (bug #1040159) - - lnav (bug #1040160) - r-cran-jsonlite (bug #1040161) - - whitedb 0.7.3+git211004+dfsg-1 - xqilla (bug #1040164) NOTE: https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm NOTE: https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6 
@@ -381987,12 +381979,8 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is - yajl (bug #1040036) - burp (bug #1040146) - crun (bug #1040147) - - argyll (bug #1040150) - - collada2gltf (bug #1040153) - epics-base (bug #1040159) - - lnav (bug #1040160) - r-cran-jsonlite (bug #1040161) - - whitedb 0.7.3+git211004+dfsg-1 - xqilla (bug #1040164) NOTE: https://github.com/brianmario/yajl-ruby/issues/176 NOTE: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fede245ded53d2bea1e7e75db94e193df3a7ce1a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fede245ded53d2bea1e7e75db94e193df3a7ce1a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
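Review bot: the commit message says `some` listings are removed but not why, and the linked 230e1c66 is the only pointer to the rationale; since argyll, collada2gltf and lnav had bugs filed (#1040150/#1040151, #1040153, #1040160) in 4ca70a32 only hours earlier, a NOTE in each CVE record should say whether those embedded copies turned out to be unaffected or are now tracked only through data/embedded-code-copies. The removed bare `- r-cran-jsonlite` under CVE-2023-33460 duplicated the entry already present in that record (visible with its bookworm/bullseye lines in the f3e36f6e context), so that part needs no note, but dropping `whitedb 0.7.3+git211004+dfsg-1` removes a fixed-version claim without recording whether it was wrong.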
[Git][security-tracker-team/security-tracker][master] xqilla also embeds yajl, is vulnerable to CVE-2017-16516 and CVE-2022-24795.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b62bb6d by Tobias Frost at 2023-07-02T19:20:51+02:00 xqilla also embeds yajl, is vulnerable to CVE-2017-16516 and CVE-2022-24795. - - - - - 2 changed files: - data/CVE/list - data/embedded-code-copies Changes: = data/CVE/list = @@ -104258,6 +104258,7 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation - lnav (bug #1040160) - r-cran-jsonlite (bug #1040161) - whitedb 0.7.3+git211004+dfsg-1 + - xqilla (bug #1040164) NOTE: https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm NOTE: https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6 NOTE: https://github.com/brianmario/yajl-ruby/commit/e8de283a6d64f0902740fd09e858fc3d7d803161 @@ -381992,6 +381993,7 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is - lnav (bug #1040160) - r-cran-jsonlite (bug #1040161) - whitedb 0.7.3+git211004+dfsg-1 + - xqilla (bug #1040164) NOTE: https://github.com/brianmario/yajl-ruby/issues/176 NOTE: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce NOTE: yail: https://github.com/lloyd/yajl/issues/248 = data/embedded-code-copies = 
@@ -1271,6 +1271,7 @@ yajl - r-cran-jsonlite (embed; bug #1039082) - ruby-yajl (embed; bug #881142) - whitedb 0.7.3+git211004+dfsg-1 (embed; bug #1039088) + - xqilla (embed; bug #1040163) nusoap - gforge 4.8.2-1 (embed) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b62bb6d33a363aa944bd57340ce342914ef3088 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b62bb6d33a363aa944bd57340ce342914ef3088 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
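Review bot: xqilla is added under CVE-2017-16516 and CVE-2022-24795 but not under CVE-2023-33460, whereas the other embedders triaged in 4ca70a32 (argyll, collada2gltf, lnav, r-cran-jsonlite) were listed for all three; if xqilla's copy does not use `yajl_tree_parse` and so is not exposed to the memory leak, a NOTE saying that under CVE-2023-33460 would pre-empt the question. The two bug numbers (#1040164 in CVE/list, #1040163 in embedded-code-copies) follow the pattern already used for burp and crun, so that is consistent.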
[Git][security-tracker-team/security-tracker][master] Triage packages with embedded code copies of yajl for CVE-2022-24795,...
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ca70a32 by Tobias Frost at 2023-07-02T18:54:45+02:00 Triage packages with embedded code copies of yajl for CVE-2022-24795, CVE-2017-16516 and CVE-2023-33460 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2815,6 +2815,10 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse - ruby-yajl [bookworm] - ruby-yajl (Minor issue) [bullseye] - ruby-yajl (Minor issue) + - argyll (bug #1040151) + - collada2gltf (bug #1040153) + - lnav + - r-cran-jsonlite CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in URIParser::parse , ...) NOT-FOR-US: Sogou Workflow CVE-2023-33381 (A command injection vulnerability was found in the ping functionality ...) @@ -104246,6 +104250,14 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation [buster] - ruby-yajl (Minor issue) [stretch] - ruby-yajl (Minor issue) - yajl (bug #1040036) + - burp (bug #1040146) + - crun (bug #1040147) + - argyll (bug #1040150) + - collada2gltf (bug #1040153) + - epics-base (bug #1040159) + - lnav (bug #1040160) + - r-cran-jsonlite (bug #1040161) + - whitedb 0.7.3+git211004+dfsg-1 NOTE: https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm NOTE: https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6 NOTE: https://github.com/brianmario/yajl-ruby/commit/e8de283a6d64f0902740fd09e858fc3d7d803161 
@@ -381972,6 +381984,14 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is [stretch] - ruby-yajl (Minor issue) [jessie] - ruby-yajl (Minor issue) - yajl (bug #1040036) + - burp (bug #1040146) + - crun (bug #1040147) + - argyll (bug #1040150) + - collada2gltf (bug #1040153) + - epics-base (bug #1040159) + - lnav (bug #1040160) + - r-cran-jsonlite (bug #1040161) + - whitedb 0.7.3+git211004+dfsg-1 NOTE: https://github.com/brianmario/yajl-ruby/issues/176 NOTE: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce NOTE: yail: https://github.com/lloyd/yajl/issues/248 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ca70a328445d5dbfe035198a3e3a680c3660f9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ca70a328445d5dbfe035198a3e3a680c3660f9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
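Review bot: the bare `- r-cran-jsonlite` added under CVE-2023-33460 duplicates an entry that record already has (the f3e36f6e context shows `- r-cran-jsonlite` with its bookworm/bullseye `(Minor issue)` lines at 2813), and `- lnav` is added there without the `(bug #1040160)` reference it gets under the two older CVEs; drop the duplicate and add the bug, or note why CVE-2023-33460 is tracked differently. The `whitedb 0.7.3+git211004+dfsg-1` lines assert a fixed version for both older CVEs with no bug or NOTE naming the upstream change that version carries; a NOTE pointing at the relevant whitedb changelog entry would make that verifiable.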
[Git][security-tracker-team/security-tracker][master] LTS: take openimageio
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 787f91d4 by Anton Gladky at 2023-07-02T18:47:46+02:00 LTS: take openimageio - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -136,7 +136,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -openimageio +openimageio (gladk) NOTE: 20230406: Re-added due to regressions (apo) NOTE: 20230612: Backporting is mostly done, but still some failures. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/787f91d43baff9798ed5c3f6cab8e1e00212d451 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/787f91d43baff9798ed5c3f6cab8e1e00212d451 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix typo in embedded-code-copies for yajl.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 93ed3e00 by Tobias Frost at 2023-07-02T17:51:54+02:00 Fix typo in embedded-code-copies for yajl. - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -1265,7 +1265,7 @@ yajl - burp (embed; bug #1039085) - collada2gltf (embed; bug #1039086) - crun (embed; bug #1039083) - - epic-base (embed; bug #1039087) + - epics-base (embed; bug #1039087) NOTE: reference, confirmed by build logs: http://lists.debian.org/debian-mentors/2009/08/msg00062.html - lnav (embed; bug #724693) - r-cran-jsonlite (embed; bug #1039082) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93ed3e003ef62f0f26ac98735cdafe36b88e941d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93ed3e003ef62f0f26ac98735cdafe36b88e941d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
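Review bot: the same `epic-base` misspelling is present in data/CVE/list under CVE-2023-33460 (corrected later in f3e36f6e); when fixing a package name in one data file, grepping the other data files for it would let both be fixed in a single commit and avoid an interval where the CVE record points at a non-existent source package.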
[Git][security-tracker-team/security-tracker][master] Mark CVE-2017-16516 and CVE-2022-24795 for now as unfixed according to #1040036
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ae4f8aa by Salvatore Bonaccorso at 2023-07-02T14:43:41+02:00 Mark CVE-2017-16516 and CVE-2022-24795 for now as unfixed according to #1040036 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -104245,7 +104245,7 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation [bullseye] - ruby-yajl (Minor issue) [buster] - ruby-yajl (Minor issue) [stretch] - ruby-yajl (Minor issue) - - yajl 1.0.5.dfsg-1 (bug #1040036) + - yajl (bug #1040036) NOTE: https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm NOTE: https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6 NOTE: https://github.com/brianmario/yajl-ruby/commit/e8de283a6d64f0902740fd09e858fc3d7d803161 @@ -381971,7 +381971,7 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is - ruby-yajl 1.2.0-3.1 (low; bug #880691) [stretch] - ruby-yajl (Minor issue) [jessie] - ruby-yajl (Minor issue) - - yajl 1.0.5.dfsg-1 (bug #1040036) + - yajl (bug #1040036) NOTE: https://github.com/brianmario/yajl-ruby/issues/176 NOTE: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce NOTE: yail: https://github.com/lloyd/yajl/issues/248 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ae4f8aa0d84443332b80292d2a2cd97af2630ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ae4f8aa0d84443332b80292d2a2cd97af2630ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
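Review bot: reverting `yajl 1.0.5.dfsg-1` to `yajl` is the right call given #1040036, but the data file now carries no explanation of why the version was dropped; a `NOTE:` line in both records (for example `NOTE: not fixed in any Debian version yet, see #1040036`) keeps the reasoning next to the data, since the commit message is not visible to someone reading data/CVE/list. The `NOTE: yail:` line under CVE-2017-16516 still has the typo from 7ec6a443 and could be corrected in the same pass.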
[Git][security-tracker-team/security-tracker][master] CVE-2022-24795 and CVE-2017-16516 also affects yajl.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ec6a443 by Tobias Frost at 2023-07-02T14:19:51+02:00 CVE-2022-24795 and CVE-2017-16516 also affects yajl. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -104245,9 +104245,11 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation [bullseye] - ruby-yajl (Minor issue) [buster] - ruby-yajl (Minor issue) [stretch] - ruby-yajl (Minor issue) + - yajl 1.0.5.dfsg-1 (bug #1040036) NOTE: https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm NOTE: https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6 NOTE: https://github.com/brianmario/yajl-ruby/commit/e8de283a6d64f0902740fd09e858fc3d7d803161 + NOTE: https://github.com/lloyd/yajl/issues/239 CVE-2022-24794 (Express OpenID Connect is an Express JS middleware implementing sign o ...) NOT-FOR-US: Express OpenID Connect CVE-2022-24793 (PJSIP is a free and open source multimedia communication library writt ...) 
@@ -381969,8 +381971,10 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is - ruby-yajl 1.2.0-3.1 (low; bug #880691) [stretch] - ruby-yajl (Minor issue) [jessie] - ruby-yajl (Minor issue) + - yajl 1.0.5.dfsg-1 (bug #1040036) NOTE: https://github.com/brianmario/yajl-ruby/issues/176 NOTE: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce + NOTE: yail: https://github.com/lloyd/yajl/issues/248 CVE-2017-16515 RESERVED CVE-2017-16514 (Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabilities ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ec6a44396fc0dd7b55c6aba203671e30b313638 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ec6a44396fc0dd7b55c6aba203671e30b313638 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
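Review bot: the fixed version `1.0.5.dfsg-1` added for both CVEs is lower than the `2.1.0-3.1` recorded for CVE-2023-33460 in the same source package, so it asserts that two issues inherited from yajl-ruby were fixed in yajl before 2.1.0; the follow-up 7ae4f8aa marks them unfixed again per #1040036, which suggests the version should have been left off until the fix was confirmed. Also, the new NOTE reads `yail:` where `yajl:` is meant.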
[Git][security-tracker-team/security-tracker][master] Track proposed yajl updates via {bookworm,bullseye}-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 792006c2 by Salvatore Bonaccorso at 2023-07-02T14:03:25+02:00 Track proposed yajl updates via {bookworm,bullseye}-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -121,3 +121,5 @@ CVE-2023-34241 [bullseye] - cups 2.3.3op2-3+deb11u3 CVE-2023-32324 [bullseye] - cups 2.3.3op2-3+deb11u3 +CVE-2023-33460 + [bullseye] - yajl 2.1.0-3+deb11u1 = data/next-point-update.txt = @@ -28,3 +28,5 @@ CVE-2023-34241 [bookworm] - cups 2.4.2-3+deb12u1 CVE-2023-34095 [bookworm] - cpdb-libs 1.2.0-2+deb12u1 +CVE-2023-33460 + [bookworm] - yajl 2.1.0-3+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/792006c2c0cd9d37ec27396921f28b90417eff7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/792006c2c0cd9d37ec27396921f28b90417eff7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix version number of yajl upload
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ce3a1614 by Tobias Frost at 2023-07-02T14:02:41+02:00 Fix version number of yajl upload - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,6 +1,6 @@ [02 Jul 2023] DLA-3478-1 yajl - security update {CVE-2023-33460} - [buster] - yajl 2.1.0-2+deb10u1 + [buster] - yajl 2.1.0-3+deb10u1 [30 Jun 2023] DLA-3477-1 python3.7 - security update {CVE-2015-20107 CVE-2020-10735 CVE-2021-3426 CVE-2021-3733 CVE-2021-3737 CVE-2021-4189 CVE-2022-45061} [buster] - python3.7 3.7.3-2+deb10u5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce3a1614102d69b2eb2570bde8055d0565a11841
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3478-1 for yajl
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 4da854d9 by Tobias Frost at 2023-07-02T13:07:45+02:00 Reserve DLA-3478-1 for yajl - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -2801,7 +2801,6 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse - yajl 2.1.0-3.1 (bug #1039984) [bookworm] - yajl (Minor issue) [bullseye] - yajl (Minor issue) - [buster] - yajl (Minor issue) NOTE: https://github.com/lloyd/yajl/issues/250 - burp [buster] - burp (Minor issue; fix only after newer releases got a fix) = data/DLA/list = @@ -1,3 +1,6 @@ +[02 Jul 2023] DLA-3478-1 yajl - security update + {CVE-2023-33460} + [buster] - yajl 2.1.0-2+deb10u1 [30 Jun 2023] DLA-3477-1 python3.7 - security update {CVE-2015-20107 CVE-2020-10735 CVE-2021-3426 CVE-2021-3733 CVE-2021-3737 CVE-2021-4189 CVE-2022-45061} [buster] - python3.7 3.7.3-2+deb10u5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4da854d9d9c5e4e9b297a0c9c3503b3f24dbc276
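Review bot: the fixed version in the new DLA entry, `+ [buster] - yajl 2.1.0-2+deb10u1`, should be verified against the actual buster upload before the DLA is reserved: the proposed bullseye and bookworm updates for the same CVE elsewhere on this page use `2.1.0-3+deb11u1` and `2.1.0-3+deb12u1` (same `2.1.0-3` base), and the follow-up commit ce3a1614 ("Fix version number of yajl upload") changes this line to `[buster] - yajl 2.1.0-3+deb10u1`. Getting the version right in the first commit avoids a window in which the tracker reports a non-existent package version as the fix.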
[Git][security-tracker-team/security-tracker][master] CVE-2023-3439: Add oss-security post reference
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6cb21833 by Salvatore Bonaccorso at 2023-07-02T13:03:11+02:00 CVE-2023-3439: Add oss-security post reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -349,6 +349,7 @@ CVE-2023-3439 (A flaw was found in the MCTP protocol in the Linux kernel. The fu [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/b561275d633bcd8e0e8055ab86f1a13df75a0269 (5.18-rc5) + NOTE: https://www.openwall.com/lists/oss-security/2023/07/02/1 CVE-2023-3390 (A use-after-free vulnerability was found in the Linux kernel's netfilt ...) - linux 6.3.11-1 NOTE: https://git.kernel.org/linus/1240eb93f0616b21c675416516ff3d74798fdc97 (6.4-rc7) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6cb21833440a859f8cee2fef83e6fec60dea1015
[Git][security-tracker-team/security-tracker][master] yajl fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fa735f95 by Moritz Muehlenhoff at 2023-07-02T12:12:27+02:00 yajl fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2797,7 +2797,7 @@ CVE-2023-33530 (There is a command injection vulnerability in the Tenda G103 Gig CVE-2023-33477 (In Harmonic NSG 9000-6G devices, an authenticated remote user can obta ...) NOT-FOR-US: Harmonic NSG 9000-6G devices CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse functi ...) - - yajl (bug #1039984) + - yajl 2.1.0-3.1 (bug #1039984) [bookworm] - yajl (Minor issue) [bullseye] - yajl (Minor issue) [buster] - yajl (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa735f959e275cdf873d90dacc6bbedb85b9b619
[Git][security-tracker-team/security-tracker][master] libheif fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0371b96c by Moritz Muehlenhoff at 2023-07-02T12:11:32+02:00 libheif fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10368,7 +10368,7 @@ CVE-2023-29661 CVE-2023-29660 RESERVED CVE-2023-29659 (A Segmentation fault caused by a floating point exception exists in li ...) - - libheif (bug #1035607) + - libheif 1.16.2-1 (bug #1035607) [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) [buster] - libheif (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0371b96c544aad00d5e4eb30ba44d1adb61f8c7f
[Git][security-tracker-team/security-tracker][master] Track version where whitedb starts using system yajl library
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1cbd3529 by Salvatore Bonaccorso at 2023-07-02T11:48:30+02:00 Track version where whitedb starts using system yajl library - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -1270,7 +1270,7 @@ yajl - lnav (embed; bug #724693) - r-cran-jsonlite (embed; bug #1039082) - ruby-yajl (embed; bug #881142) - - whitedb (embed; bug #1039088) + - whitedb 0.7.3+git211004+dfsg-1 (embed; bug #1039088) nusoap - gforge 4.8.2-1 (embed) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cbd3529824953f0ef6570890137b66cda0387bd
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-37360/pacparser
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c07d7c54 by Salvatore Bonaccorso at 2023-07-02T09:23:19+02:00 Add CVE-2023-37360/pacparser - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -118,7 +118,8 @@ CVE-2023-37365 (Hnswlib 0.7.0 has a double free in init_index when the M argumen - hnswlib NOTE: https://github.com/nmslib/hnswlib/issues/467 CVE-2023-37360 (pacparser_find_proxy in Pacparser before 1.4.2 allows JavaScript injec ...) - TODO: check + - pacparser + NOTE: https://github.com/manugarg/pacparser/security/advisories/GHSA-62q6-v997-f7v9 CVE-2023-37307 (In MISP before 2.4.172, title_for_layout is not properly sanitized in ...) NOT-FOR-US: MISP CVE-2023-37306 (MISP 2.4.172 mishandles different certificate file extensions in serve ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c07d7c5416bfeb006ef19656e5d1e72d25e12ed4
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-37365/hnswlib
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 513b6bcc by Salvatore Bonaccorso at 2023-07-02T09:22:29+02:00 Add CVE-2023-37365/hnswlib - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -115,7 +115,8 @@ CVE-2023-3479 (Cross-site Scripting (XSS) - Reflected in GitHub repository hesti CVE-2023-3478 (A vulnerability classified as critical was found in IBOS OA 4.5.5. Aff ...) NOT-FOR-US: IBOS OA CVE-2023-37365 (Hnswlib 0.7.0 has a double free in init_index when the M argument is a ...) - TODO: check + - hnswlib + NOTE: https://github.com/nmslib/hnswlib/issues/467 CVE-2023-37360 (pacparser_find_proxy in Pacparser before 1.4.2 allows JavaScript injec ...) TODO: check CVE-2023-37307 (In MISP before 2.4.172, title_for_layout is not properly sanitized in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/513b6bcc9a56772031d36a5f6d100f8ff44d812c
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47d87ec6 by Salvatore Bonaccorso at 2023-07-02T09:20:52+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -109,11 +109,11 @@ CVE-2020-36736 (The WooCommerce Checkout & Funnel Builder by CartFlows plugin fo CVE-2020-36735 (The WP ERP | Complete HR solution with recruitment & job listings | Wo ...) NOT-FOR-US: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress CVE-2023-3485 (Insecure defaults in open-source Temporal Server before version 1.20 o ...) - TODO: check + NOT-FOR-US: Temporal Server CVE-2023-3479 (Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/h ...) - TODO: check + NOT-FOR-US: Hestia Control Panel CVE-2023-3478 (A vulnerability classified as critical was found in IBOS OA 4.5.5. Aff ...) - TODO: check + NOT-FOR-US: IBOS OA CVE-2023-37365 (Hnswlib 0.7.0 has a double free in init_index when the M argument is a ...) TODO: check CVE-2023-37360 (pacparser_find_proxy in Pacparser before 1.4.2 allows JavaScript injec ...) @@ -121,7 +121,7 @@ CVE-2023-37360 (pacparser_find_proxy in Pacparser before 1.4.2 allows JavaScript CVE-2023-37307 (In MISP before 2.4.172, title_for_layout is not properly sanitized in ...) NOT-FOR-US: MISP CVE-2023-37306 (MISP 2.4.172 mishandles different certificate file extensions in serve ...) - TODO: check + NOT-FOR-US: MISP CVE-2023-37305 (An issue was discovered in the ProofreadPage (aka Proofread Page) exte ...) NOT-FOR-US: MediaWiki extension ProofreadPage CVE-2023-37304 (An issue was discovered in the DoubleWiki extension for MediaWiki thro ...) 
@@ -153,9 +153,9 @@ CVE-2023-35176 (Certain HP LaserJet Pro print products are potentially vulnerabl CVE-2023-35175 (Certain HP LaserJet Pro print products are potentially vulnerable to P ...) NOT-FOR-US: HP CVE-2023-34840 (angular-ui-notification v0.1.0, v0.2.0, and v0.3.6 was discovered to c ...) - TODO: check + NOT-FOR-US: angular-ui-notification CVE-2023-33276 (The web interface of Gira Giersiepen Gira KNX/IP-Router 3.1.3683.0 and ...) - TODO: check + NOT-FOR-US: Gira Giersiepen Gira KNX/IP-Router CVE-2023-31543 (A dependency confusion in pipreqs v0.3.0 to v0.4.11 allows attackers t ...) TODO: check CVE-2023-3477 (A vulnerability was found in RocketSoft Rocket LMS 1.7. It has been de ...) @@ -265,7 +265,7 @@ CVE-2023-33466 (Orthanc before 1.12.0 allows authenticated users with access to CVE-2023-33277 (The web interface of Gira Giersiepen Gira KNX/IP-Router 3.1.3683.0 and ...) NOT-FOR-US: Gira Giersiepen Gira KNX/IP-Router CVE-2023-33190 (Sealos is an open source cloud operating system distribution based on ...) - TODO: check + NOT-FOR-US: Sealos CVE-2023- [Heap overwrite in PGS subtitle overlay decoder] - gst-plugins-bad1.0 1.22.4-1 [bookworm] - gst-plugins-bad1.0 1.22.0-4+deb12u1 
@@ -293,17 +293,17 @@ CVE-2023- [Heap overwrite in subtitle parsing] CVE-2023-3447 (The Active Directory Integration / LDAP Integration plugin for WordPre ...) NOT-FOR-US: Active Directory Integration / LDAP Integration plugin for WordPress CVE-2023-3243 (** UNSUPPORTED WHEN ASSIGNED ** [An attacker can capture an authentica ...) - TODO: check + NOT-FOR-US: Honeywell CVE-2023-37237 (In Veritas NetBackup Appliance before 4.1.0.1 MR3, insecure permission ...) NOT-FOR-US: Veritas NetBackup Appliance CVE-2023-36476 (calamares-nixos-extensions provides Calamares branding and modules for ...) TODO: check CVE-2023-36475 (Parse Server is an open source backend that can be deployed to any inf ...) - TODO: check + NOT-FOR-US: Node parse-server CVE-2023-36474 (Interactsh is an open-source tool for detecting out-of-band interactio ...) TODO: check CVE-2023-34843 (Traggo Server 0.3.0 is vulnerable to directory traversal via a crafted ...) - TODO: check + NOT-FOR-US: Traggo Server CVE-2023-34834 (A Directory Browsing vulnerability in MCL-Net version 4.3.5.8788 webse ...) NOT-FOR-US: MCL-Net CVE-2023-34831 (The "Submission Web Form" of Turnitin LTI tool/plugin version 1.3 is a ...) @@ -390,7 +390,7 @@ CVE-2023-33592 (Lost and Found Information System v1.0 was discovered to contain CVE-2023-33570 (Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI).) NOT-FOR-US: Bagisto CVE-2023-2625 (A vulnerability exists that can be exploited by an authenticated clien ...) - TODO: check + NOT-FOR-US: ABB CoreTec CVE-2023-3436 (Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is ...) TODO: check CVE-2023-3428
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-36191 /sqlite3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4447a429 by Salvatore Bonaccorso at 2023-07-02T08:45:59+02:00 Add CVE-2023-36191 /sqlite3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -974,7 +974,11 @@ CVE-2023-36192 (Sngrep v1.6.0 was discovered to contain a heap buffer overflow v NOTE: https://github.com/irontec/sngrep/issues/438 NOTE: https://github.com/irontec/sngrep/commit/ad1daf15c8387bfbb48097c25197bf330d2d98fc CVE-2023-36191 (sqlite3 v3.40.1 was discovered to contain a segmentation violation at ...) - TODO: check + - sqlite3 (unimportant) + - sqlite (unimportant) + NOTE: https://www.sqlite.org/forum/forumpost/19f55ef73b + NOTE: https://sqlite.org/src/info/cd24178bbaad4a1d + NOTE: NOTE: Negligible security impact CVE-2023-35801 (A directory traversal vulnerability in Safe Software FME Server before ...) NOT-FOR-US: Safe Software FME Server CVE-2023-35133 (An issue in the logic used to check 0.0.0.0 against the cURL blocked h ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4447a42999dbaeff8e0cd326088c1d4f6e37639d
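Review bot: the added line `+ NOTE: NOTE: Negligible security impact` carries a doubled `NOTE:` prefix; it should be `NOTE: Negligible security impact`, matching the format of the other NOTE lines in the same hunk, so that tooling parsing the file sees a single well-formed note rather than a note whose text begins with "NOTE:".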
[Git][security-tracker-team/security-tracker][master] add fix references for CVEless entries
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b5ea0ec9 by Moritz Mühlenhoff at 2023-07-02T08:44:02+02:00 add fix references for CVEless entries - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -268,18 +268,24 @@ CVE-2023-33190 (Sealos is an open source cloud operating system distribution bas TODO: check CVE-2023- [Heap overwrite in PGS subtitle overlay decoder] - gst-plugins-bad1.0 1.22.4-1 + [bookworm] - gst-plugins-bad1.0 1.22.0-4+deb12u1 + [bullseye] - gst-plugins-bad1.0 1.18.4-3+deb11u1 NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0003.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896.patch NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5f3cf0a7d7ae7ab883d0611e85c06354f1e94907 NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/60226124ec367c2549e4bf1e6174dfb8eca5a63d CVE-2023- [Integer overflow leading to heap overwrite in FLAC image tag handling] - gst-plugins-good1.0 1.22.4-1 + [bookworm] - gst-plugins-good1.0 1.22.0-5+deb12u1 + [bullseye] - gst-plugins-good1.0 1.18.4-2+deb11u2 NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0001.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894.patch NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/bdc8021c73c16c49d594579c606a4f4771a2670e NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7bcd791fabe03b9ab1c72f494fc86cd0c06c3556 CVE-2023- [Heap overwrite in subtitle parsing] - gst-plugins-base1.0 1.22.4-1 + [bookworm] - gst-plugins-base1.0 1.22.0-3+deb12u1 + [bullseye] - gst-plugins-base1.0 1.18.4-2+deb11u1 NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0002.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895.patch NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/518ecba8f960137715f776dac6c93e4c4e4179d1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5ea0ec97c453a511182846aff872fab3917bc99
[Git][security-tracker-team/security-tracker][master] gst-plugins DSAs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 00022cc3 by Moritz Mühlenhoff at 2023-07-02T08:38:17+02:00 gst-plugins DSAs - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,12 @@ +[02 Jul 2023] DSA-5445-1 gst-plugins-good1.0 - security update + [bullseye] - gst-plugins-good1.0 1.18.4-2+deb11u2 + [bookworm] - gst-plugins-good1.0 1.22.0-5+deb12u1 +[02 Jul 2023] DSA-5444-1 gst-plugins-bad1.0 - security update + [bullseye] - gst-plugins-bad1.0 1.18.4-3+deb11u1 + [bookworm] - gst-plugins-bad1.0 1.22.0-4+deb12u1 +[02 Jul 2023] DSA-5443-1 gst-plugins-base1.0 - security update + [bullseye] - gst-plugins-base1.0 1.18.4-2+deb11u1 + [bookworm] - gst-plugins-base1.0 1.22.0-3+deb12u1 [29 Jun 2023] DSA-5442-1 flask - security update {CVE-2023-30861} [bullseye] - flask 1.1.2-2+deb11u1 = data/dsa-needed.txt = @@ -20,12 +20,6 @@ ghostscript (carnil) -- gpac/oldstable (jmm) -- -gst-plugins-base1.0 (jmm) --- -gst-plugins-bad1.0 (jmm) --- -gst-plugins-bad1.0 (jmm) --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y versions View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00022cc3942c888354dd59565405e6ced95231f0
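Review bot: in the data/dsa-needed.txt hunk the removed block lists `-gst-plugins-bad1.0 (jmm)` twice and contains no `gst-plugins-good1.0 (jmm)` line, although DSA-5445-1 for gst-plugins-good1.0 is added to data/DSA/list in the same commit. Please confirm that the duplicated bad1.0 line was in fact the misnamed good1.0 entry and that no stale gst-plugins-good1.0 entry remains elsewhere in dsa-needed.txt after this commit; otherwise the package will keep showing up as needing a DSA that has already been issued.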