[Git][security-tracker-team/security-tracker][master] Reserve DLA-3532-1 for openssh
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d3f1312 by Utkarsh Gupta at 2023-08-17T06:40:29+05:30 Reserve DLA-3532-1 for openssh - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3562,7 +3562,6 @@ CVE-2023-38408 (The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an - openssh 1:9.3p2-1 (bug #1042460) [bookworm] - openssh (Minor issue; needs specific conditions and forwarding was always subject to caution warning) [bullseye] - openssh (Minor issue; needs specific conditions and forwarding was always subject to caution warning) - [buster] - openssh (Minor issue; needs specific conditions and forwarding was always subject to caution warning) NOTE: https://www.openwall.com/lists/oss-security/2023/07/19/9 NOTE: https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc NOTE: https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Aug 2023] DLA-3532-1 openssh - security update + {CVE-2023-38408} + [buster] - openssh 1:7.9p1-10+deb10u3 [16 Aug 2023] DLA-3531-1 open-vm-tools - security update {CVE-2023-20867} [buster] - open-vm-tools 2:10.3.10-1+deb10u4 = data/dla-needed.txt = 
@@ -133,10 +133,6 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -openssh (utkarsh) - NOTE: 20230814: Added by Front-Desk (ta) - NOTE: 20230816: taking this one as it's high prio, given one of the customers pinged. (utkarsh) --- orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d3f13122ea6ebd155d8184c713a2dcd6e6d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d3f13122ea6ebd155d8184c713a2dcd6e6d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
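Review bot: the data/CVE/list hunk drops `[buster] - openssh (Minor issue; needs specific conditions and forwarding was always subject to caution warning)` but adds no `{DLA-3532-1}` cross-reference to CVE-2023-38408, so until the advisory is published buster is tracked against the unstable fix 1:9.3p2-1 instead of the 1:7.9p1-10+deb10u3 that data/DLA/list now records; make sure the cross-reference lands when the DLA mail goes out. Also worth a look: bookworm and bullseye keep exactly the "Minor issue; needs specific conditions" justification that buster just lost while buster now receives a security update for the same issue, so a short reason for the differing assessment (the dla-needed.txt note mentions it was taken as high priority after a customer request) would keep the three release lines from reading as contradictory.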
[Git][security-tracker-team/security-tracker][master] Revert "Mark CVE-2017-18641/lxc/jessie as ignored"
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c1e17c4 by Santiago Ruano Rincón at 2023-08-16T21:24:13-03:00 Revert Mark CVE-2017-18641/lxc/jessie as ignored This reverts commit 319b9d38c5ab7f2494ba644ee0284c44e8531487. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -252276,7 +252276,7 @@ CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext H [bullseye] - lxc-templates (Minor issue) [buster] - lxc-templates (Minor issue) - lxc 1:3.0.3-1 (low) - [stretch] - lxc (https://lists.debian.org/debian-lts/2023/08/msg00019.html) + [stretch] - lxc (Minor issue) [jessie] - lxc (https://lists.debian.org/debian-lts/2020/02/msg00102.html) NOTE: LXC 3.0.2 split the templates out to separate lxc-templates. NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c1e17c413bd868014535dafef1cae63a086dfb5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c1e17c413bd868014535dafef1cae63a086dfb5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
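Review bot: the subject says jessie but the only line changed is `[stretch] - lxc`, which this revert restores to `(Minor issue)`; the revert itself is right, since the reverted commit 319b9d38 also edited the stretch line and left `[jessie]` untouched, but the subject should name stretch so the history stays searchable.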
[Git][security-tracker-team/security-tracker][master] CVE-2021-36100/otrs2: Add link to advisory and fixing commits.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: eed1e199 by Guilhem Moulin at 2023-08-17T02:18:57+02:00 CVE-2021-36100/otrs2: Add link to advisory and fixing commits. >From znuny 6.0.41. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -151727,6 +151727,11 @@ CVE-2021-36100 (Specially crafted string in OTRS system configuration can allow [bullseye] - otrs2 (Non-free not supported) [buster] - otrs2 (Non-free not supported) NOTE: https://www.znuny.org/en/releases/znuny-6-3-2 + NOTE: https://www.znuny.org/en/advisories/zsa-2022-02 + NOTE: https://github.com/znuny/Znuny/commit/309ec536540201a5b2741314e928c54a792bb845 (znuny 6.0.41) + NOTE: https://github.com/znuny/Znuny/commit/f6fe8ca2e48a18680ace94df0d84eb1e2c26e685 (znuny 6.0.41) + NOTE: https://github.com/znuny/Znuny/commit/42458dad68f330e3f94294348de29e48cc9432c8 (znuny 6.0.41) + NOTE: https://github.com/znuny/Znuny/commit/02ac202c624bfccfd97e7f4ea95e0fd4adcf7a07 (znuny 6.0.41) CVE-2021-36099 RESERVED CVE-2021-36098 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eed1e199c2f90f6571064d34d6204e59a251d61c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eed1e199c2f90f6571064d34d6204e59a251d61c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
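Review bot: the four new commit URLs are not labelled, while the other otrs2 entries from the same series use the `NOTE: Fixed by:` prefix; label them the same way (for example `NOTE: Fixed by: https://github.com/znuny/Znuny/commit/309ec536540201a5b2741314e928c54a792bb845 (znuny 6.0.41)`) so a reader can tell the advisory link (zsa-2022-02) from the fixing commits without opening each URL.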
[Git][security-tracker-team/security-tracker][master] CVE-2019-14889/stretch is being fixed
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 3bf17820 by Roberto C. Sánchez at 2023-08-16T19:16:52-04:00 CVE-2019-14889/stretch is being fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -288176,7 +288176,6 @@ CVE-2019-14890 (A vulnerability was found in Ansible Tower before 3.6.1 where an CVE-2019-14889 (A flaw was found with the libssh API function ssh_scp_new() in version ...) {DLA-3437-1 DLA-2038-1} - libssh 0.9.3-1 (bug #946548) - [stretch] - libssh (Minor issue) NOTE: https://www.libssh.org/security/advisories/CVE-2019-14889.txt NOTE: https://bugs.libssh.org/T181 NOTE: The fix in libssh makes an update in x2goclient necessary, cf: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bf178205e3dae68a4688d54f0efb2b52c88e802 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bf178205e3dae68a4688d54f0efb2b52c88e802 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
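Review bot: removing `[stretch] - libssh (Minor issue)` leaves stretch tracked against the unstable fix 0.9.3-1 with no DLA reference yet, which is fine while the update is in preparation, but the context line `NOTE: The fix in libssh makes an update in x2goclient necessary` applies to stretch as well: whoever prepares the libssh update should check whether x2goclient in stretch needs a companion update before the libssh upload goes out.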
[Git][security-tracker-team/security-tracker][master] CVE-2021-21441/otrs2: Add link to fixing commit.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 493dcf07 by Guilhem Moulin at 2023-08-17T01:05:25+02:00 CVE-2021-21441/otrs2: Add link to fixing commit. >From znuny 6.0.34. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -189464,6 +189464,7 @@ CVE-2021-21441 (There is a XSS vulnerability in the ticket overview screens. It' [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-11/ + NOTE: Fixed by: https://github.com/znuny/Znuny/commit/48b8d2bc85280d702bd0d21783f5d31e2fa5fa51 (znuny 6.0.34) NOTE: Reference is for OTRS, no reference for znuny yet (in bullseye NOTE: src:otrs2 is the znuny fork) CVE-2021-21440 (Generated Support Bundles contains private S/MIME and PGP keys if cont ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/493dcf07b76d0a8ead2b973b5c7a74a908ad47ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/493dcf07b76d0a8ead2b973b5c7a74a908ad47ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
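Review bot: the new `NOTE: Fixed by: https://github.com/znuny/Znuny/commit/48b8d2bc85280d702bd0d21783f5d31e2fa5fa51 (znuny 6.0.34)` line contradicts the two unchanged lines directly below it (`NOTE: Reference is for OTRS, no reference for znuny yet`), which are now stale; drop or rephrase them, keeping only the remark that src:otrs2 in bullseye is the znuny fork.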
[Git][security-tracker-team/security-tracker][master] CVE-2021-21439/otrs2: Add link to fixing commit.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 22924391 by Guilhem Moulin at 2023-08-17T00:24:21+02:00 CVE-2021-21439/otrs2: Add link to fixing commit. For znuny 6.0.33. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -189478,6 +189478,7 @@ CVE-2021-21439 (DoS attack can be performed when an email contains specially des [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-09/ + NOTE: Fixed by: https://github.com/znuny/Znuny/commit/b67e43f73dbb3c029504a082c7807677ed091d23 (znuny 6.0.33) NOTE: Reference is for OTRS, no reference for znuny yet (in bullseye NOTE: src:otrs2 is the znuny fork) CVE-2021-21438 (Agents are able to see linked FAQ articles without permissions (define ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22924391308c7ebba77e47c399dc14e3a55b8e0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22924391308c7ebba77e47c399dc14e3a55b8e0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
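Review bot: same issue as the CVE-2021-21441 entry: once `NOTE: Fixed by: ... (znuny 6.0.33)` is recorded, the following `NOTE: Reference is for OTRS, no reference for znuny yet` line is no longer true and should be removed in the same commit.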
[Git][security-tracker-team/security-tracker][master] new faad2 issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 624c9397 by Moritz Muehlenhoff at 2023-08-16T23:50:09+02:00 new faad2 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -276,9 +276,15 @@ CVE-2023-38861 (An issue in Wavlink WL_WNJ575A3 v.R75A3_V1410_220513 allows a re CVE-2023-38860 (An issue in LangChain v.0.0.231 allows a remote attacker to execute ar ...) NOT-FOR-US: LangChain CVE-2023-38858 (Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacke ...) - TODO: check + - faad2 + [bookworm] - faad2 (Minor issue) + [bullseye] - faad2 (Minor issue) + NOTE: https://github.com/knik0/faad2/issues/173 CVE-2023-38857 (Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacke ...) - TODO: check + - faad2 + [bookworm] - faad2 (Minor issue) + [bullseye] - faad2 (Minor issue) + NOTE: https://github.com/knik0/faad2/issues/171 CVE-2023-38856 (Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacke ...) TODO: check CVE-2023-38855 (Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacke ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/624c9397bfc916b1f0fcaf2bd4e67a3e4f8145d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/624c9397bfc916b1f0fcaf2bd4e67a3e4f8145d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
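Review bot: both faad2 entries tag bookworm and bullseye as `(Minor issue)` with no rationale, while the CVE descriptions are remote buffer overflows in a decoder and the only references are the GitHub issues #173 and #171, with no fix commit; other entries in this file state the reason in the tag (for example the openssh "needs specific conditions" wording), so add one here and note whether upstream has a fix, otherwise the no-DSA assessment cannot be re-evaluated later. The bare `- faad2` line also carries no version, so the issues stay open in unstable.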
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-39975/krb5
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 684e28d0 by Salvatore Bonaccorso at 2023-08-16T23:09:12+02:00 Add CVE-2023-39975/krb5 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26,7 +26,9 @@ CVE-2023-4241 (lol-html can cause panics on certain HTML inputs. Anyone processi CVE-2023-4204 (NPort IAW5000A-I/O Series firmware version v2.2 and prior is affected ...) NOT-FOR-US: NPort IAW5000A-I/O Series firmware CVE-2023-39975 (kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a ...) - TODO: check + - krb5 (Vulnerable code not present) + NOTE: Introduced by: https://github.com/krb5/krb5/commit/a9705a1e0b2cf0cde3e6f8dee14c25ffc074c00a (krb5-1.21-beta1) + NOTE: Fixed by: https://github.com/krb5/krb5/commit/88a1701b423c13991a8064feeb26952d3641d840 CVE-2023-39507 (Improper authorization in the custom URL scheme handler in "Rikunabi N ...) NOT-FOR-US: "Rikunabi NEXT" App for Android CVE-2023-39250 (Dell Storage Integration Tools for VMware (DSITV) 06.01.00.016 contain ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/684e28d0dd65e70f3110b135329bc5b8c18b757a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/684e28d0dd65e70f3110b135329bc5b8c18b757a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
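Review bot: the `NOTE: Fixed by:` line lacks the version tag that the `Introduced by:` line carries (krb5-1.21-beta1); the CVE text gives 1.21.2 as the first fixed release, so tagging the fixing commit with it makes the affected window visible at a glance. `- krb5 (Vulnerable code not present)` is only consistent with that window if the Debian packages predate 1.21-beta1; naming the checked Debian version in a NOTE would make the claim verifiable without re-reading the source.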
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a09e06bf by Salvatore Bonaccorso at 2023-08-16T23:05:36+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -14,55 +14,55 @@ CVE-2023-4385 (A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs [buster] - linux 4.19.249-1 NOTE: https://git.kernel.org/linus/0d4837fdb796f99369cf7691d33de1b856bcaf1f (5.19-rc1) CVE-2023-4384 (A vulnerability has been found in MaximaTech Portal Executivo 21.9.1.1 ...) - TODO: check + NOT-FOR-US: MaximaTech Portal Executivo CVE-2023-4383 (A vulnerability, which was classified as critical, was found in MicroW ...) - TODO: check + NOT-FOR-US: MicroWorld eScan Anti-Virus CVE-2023-4382 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: Hyip Rio CVE-2023-4381 (Unverified Password Change in GitHub repository instantsoft/icms2 prio ...) - TODO: check + NOT-FOR-US: icms2 CVE-2023-4241 (lol-html can cause panics on certain HTML inputs. Anyone processing ar ...) TODO: check CVE-2023-4204 (NPort IAW5000A-I/O Series firmware version v2.2 and prior is affected ...) - TODO: check + NOT-FOR-US: NPort IAW5000A-I/O Series firmware CVE-2023-39975 (kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a ...) TODO: check CVE-2023-39507 (Improper authorization in the custom URL scheme handler in "Rikunabi N ...) - TODO: check + NOT-FOR-US: "Rikunabi NEXT" App for Android CVE-2023-39250 (Dell Storage Integration Tools for VMware (DSITV) 06.01.00.016 contain ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-39115 (install/aiz-uploader/upload in Campcodes Online Matrimonial Website Sy ...) - TODO: check + NOT-FOR-US: Campcodes Online Matrimonial Website System CVE-2023-38904 (A Cross Site Scripting (XSS) vulnerability in Netlify CMS v.2.10.192 a ...) - TODO: check + NOT-FOR-US: Netlify CMS CVE-2023-38737 (IBM WebSphere Application Server Liberty 22.0.0.13 through 23.0.0.7 is ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-33663 (In the module \u201cCustomization fields fee for your store\u201d (aic ...) 
- TODO: check + NOT-FOR-US: PrestaShop module CVE-2023-32495 (Dell PowerScale OneFS, 8.2.x-9.5.x, contains a exposure of sensitive i ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-32494 (Dell PowerScale OneFS, 8.0.x-9.5.x, contains an improper handling of i ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-32493 (Dell PowerScale OneFS, 9.5.0.x, contains a protection mechanism bypass ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-32492 (Dell PowerScale OneFS 9.5.0.x contains an incorrect default permission ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-32491 (Dell PowerScale OneFS 9.5.0.x, contains an insertion of sensitive info ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-32490 (Dell PowerScale OneFS 8.2x -9.5x contains an improper privilege manage ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-32489 (Dell PowerScale OneFS 8.2x -9.5x contains a privilege escalation vulne ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-32488 (Dell PowerScale OneFS, 8.2.x-9.5.0.x, contains an information disclosu ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-32487 (Dell PowerScale OneFS, 8.2.x - 9.5.0.x, contains an elevation of privi ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-32486 (Dell PowerScale OneFS 9.5.x version contain a privilege escalation vul ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-32453 (Dell BIOS contains an improper authentication vulnerability. A malicio ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-2737 (Improper log permissions in SafeNet Authentication ServiceVersion 3.4. ...) - TODO: check + NOT-FOR-US: SafeNet Authentication ServiceVersion CVE-2023-4302 NOT-FOR-US: Jenkins plugin CVE-2023-4301 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a09e06bfb619e5cf0795f20f1b6e06d1db140f3d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a09e06bfb619e5cf0795f20f1b6e06d1db140f3d You're receiving this email because of your account on salsa.debian.org. 
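Review bot: `NOT-FOR-US: SafeNet Authentication ServiceVersion` for CVE-2023-2737 copies the run-together text of the CVE description (`SafeNet Authentication ServiceVersion 3.4.`); the product name is SafeNet Authentication Service, so drop the trailing "Version". The remaining NOT-FOR-US labels match the existing conventions in the file.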
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4387/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a40661f by Salvatore Bonaccorso at 2023-08-16T22:36:27+02:00 Add CVE-2023-4387/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4,7 +4,10 @@ CVE-2023-4389 (A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in t [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/168a2f776b9762f4021421008512dd7ab7474df1 (5.18-rc3) CVE-2023-4387 (A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/ ...) - TODO: check + - linux 5.17.11-1 + [bullseye] - linux 5.10.120-1 + [buster] - linux 4.19.249-1 + NOTE: https://git.kernel.org/linus/9e7fef9521e73ca8afd7da9e58c14654b02dfad8 (5.18) CVE-2023-4385 (A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap ...) - linux 5.18.5-1 [bullseye] - linux 5.10.127-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a40661f7b74406adf55288ee4bf29706c207a96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a40661f7b74406adf55288ee4bf29706c207a96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4389/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bdec9ad8 by Salvatore Bonaccorso at 2023-08-16T22:32:40+02:00 Add CVE-2023-4389/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,8 @@ CVE-2023-4389 (A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the bt ...) - TODO: check + - linux 5.17.6-1 + [bullseye] - linux 5.10.113-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/168a2f776b9762f4021421008512dd7ab7474df1 (5.18-rc3) CVE-2023-4387 (A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/ ...) TODO: check CVE-2023-4385 (A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdec9ad8db678536626a60bd009f2b2af0bdf391 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdec9ad8db678536626a60bd009f2b2af0bdf391 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4385/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 07f489a8 by Salvatore Bonaccorso at 2023-08-16T22:24:01+02:00 Add CVE-2023-4385/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,10 @@ CVE-2023-4389 (A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in t CVE-2023-4387 (A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/ ...) TODO: check CVE-2023-4385 (A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap ...) - TODO: check + - linux 5.18.5-1 + [bullseye] - linux 5.10.127-1 + [buster] - linux 4.19.249-1 + NOTE: https://git.kernel.org/linus/0d4837fdb796f99369cf7691d33de1b856bcaf1f (5.19-rc1) CVE-2023-4384 (A vulnerability has been found in MaximaTech Portal Executivo 21.9.1.1 ...) TODO: check CVE-2023-4383 (A vulnerability, which was classified as critical, was found in MicroW ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07f489a88bb2c71a40f56c661590a3366058282f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07f489a88bb2c71a40f56c661590a3366058282f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1927f825 by Salvatore Bonaccorso at 2023-08-16T22:17:34+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12503,9 +12503,9 @@ CVE-2023-2274 CVE-2023-2273 (Rapid7 Insight Agent token handler versions 3.2.6 and below, suffer fr ...) NOT-FOR-US: Rapid7 CVE-2023-2272 (The Tiempo.com WordPress plugin through 0.1.2 does not sanitise and es ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-2271 (The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-31206 (Exposure of Resource to Wrong Sphere Vulnerability in Apache Software ...) NOT-FOR-US: Apache InLong CVE-2023-31205 @@ -12764,7 +12764,7 @@ CVE-2023-2255 (Improper access control in editor components of The Document Foun - libreoffice 4:7.4.5-3 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2023-2255/ CVE-2023-2254 (The Ko-fi Button WordPress plugin before 1.3.3 does not properly some ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-2253 (A flaw was found in the `/v2/_catalog` endpoint in distribution/distri ...) {DSA-5414-1 DLA-3473-1} - docker-registry 2.8.2+ds1-1 (bug #1035956) @@ -13248,7 +13248,7 @@ CVE-2023-2227 (Improper Authorization in GitHub repository modoboa/modoboa prior CVE-2023-2226 (Due to insufficient validation in the PE and OLE parsers in Rapid7's V ...) NOT-FOR-US: Rapid7 CVE-2023-2225 (The SEO ALert WordPress plugin through 1.59 does not sanitise and esca ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-2224 (The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and e ...) NOT-FOR-US: WordPress plugin CVE-2023-2223 (The Login rebuilder WordPress plugin before 2.8.1 does not sanitise an ...) 
@@ -13811,9 +13811,9 @@ CVE-2023-2124 (An out-of-bounds memory access flaw was found in the Linux kernel NOTE: https://lore.kernel.org/linux-xfs/20230412214034.gl3223...@dread.disaster.area/T/#m1ebbcd1ad061d2d33bef6f0534a2b014744d152d NOTE: https://git.kernel.org/linus/22ed903eee23a5b174e240f1cdfa9acf393a5210 (6.4-rc1) CVE-2023-2123 (The WP Inventory Manager WordPress plugin before 2.1.0.13 does not san ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-2122 (The Image Optimizer by 10web WordPress plugin before 1.0.27 does not s ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-2121 (Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer ...) NOT-FOR-US: HashiCorp Vault CVE-2023-2120 (The Thumbnail carousel slider plugin for WordPress is vulnerable to Re ...) @@ -14977,7 +14977,7 @@ CVE-2023-1979 (The Web Stories for WordPress plugin supports the WordPress built CVE-2023-1978 (The ShiftController Employee Shift Scheduling plugin for WordPress is ...) NOT-FOR-US: WordPress plugin CVE-2023-1977 (The Booking Manager WordPress plugin before 2.0.29 does not validate U ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-1976 (Password Aging with Long Expiration in GitHub repository answerdev/ans ...) NOT-FOR-US: answer CVE-2023-1975 (Insertion of Sensitive Information Into Sent Data in GitHub repository ...) @@ -20814,7 +20814,7 @@ CVE-2023-1467 (A vulnerability classified as critical has been found in SourceCo CVE-2023-1466 (A vulnerability was found in SourceCodester Student Study Center Desk ...) NOT-FOR-US: SourceCodester Student Study Center Desk Management System CVE-2023-1465 (The WP EasyPay WordPress plugin before 4.1 does not escape some genera ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-1464 (A vulnerability, which was classified as critical, was found in Source ...) NOT-FOR-US: SourceCodester Medicine Tracker System CVE-2023-1463 (Authorization Bypass Through User-Controlled Key in GitHub repository ...) 
@@ -24541,7 +24541,7 @@ CVE-2023-1112 (A vulnerability was found in Drag and Drop Multiple File Upload C CVE-2023- RESERVED CVE-2023-1110 (The Yellow Yard Searchbar WordPress plugin before 2.8.12 does not vali ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-4926 (Insufficient policy enforcement in Intents in Google Chrome on Android ...) {DSA-5328-1} - chromium 109.0.5414.119-1 @@ -32023,7 +32023,7 @@ CVE-2023-0581 (The PrivateContent plugin for WordPress is vulnerable to protecti CVE-2023-0580 (Insecure Storage of Sensitive Information vulnerability in ABB My Cont ...) NOT-FOR-US: ABB CVE-2023-0579 (The YARPP WordPress plugin before 5.30.3 does not validate and escape ...) - TODO: check +
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3118d130 by security tracker role at 2023-08-16T20:13:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,38 +1,94 @@ +CVE-2023-4389 (A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the bt ...) + TODO: check +CVE-2023-4387 (A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/ ...) + TODO: check +CVE-2023-4385 (A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap ...) + TODO: check +CVE-2023-4384 (A vulnerability has been found in MaximaTech Portal Executivo 21.9.1.1 ...) + TODO: check +CVE-2023-4383 (A vulnerability, which was classified as critical, was found in MicroW ...) + TODO: check +CVE-2023-4382 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2023-4381 (Unverified Password Change in GitHub repository instantsoft/icms2 prio ...) + TODO: check +CVE-2023-4241 (lol-html can cause panics on certain HTML inputs. Anyone processing ar ...) + TODO: check +CVE-2023-4204 (NPort IAW5000A-I/O Series firmware version v2.2 and prior is affected ...) + TODO: check +CVE-2023-39975 (kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a ...) + TODO: check +CVE-2023-39507 (Improper authorization in the custom URL scheme handler in "Rikunabi N ...) + TODO: check +CVE-2023-39250 (Dell Storage Integration Tools for VMware (DSITV) 06.01.00.016 contain ...) + TODO: check +CVE-2023-39115 (install/aiz-uploader/upload in Campcodes Online Matrimonial Website Sy ...) + TODO: check +CVE-2023-38904 (A Cross Site Scripting (XSS) vulnerability in Netlify CMS v.2.10.192 a ...) + TODO: check +CVE-2023-38737 (IBM WebSphere Application Server Liberty 22.0.0.13 through 23.0.0.7 is ...) + TODO: check +CVE-2023-33663 (In the module \u201cCustomization fields fee for your store\u201d (aic ...) + TODO: check +CVE-2023-32495 (Dell PowerScale OneFS, 8.2.x-9.5.x, contains a exposure of sensitive i ...) + TODO: check +CVE-2023-32494 (Dell PowerScale OneFS, 8.0.x-9.5.x, contains an improper handling of i ...) 
+ TODO: check +CVE-2023-32493 (Dell PowerScale OneFS, 9.5.0.x, contains a protection mechanism bypass ...) + TODO: check +CVE-2023-32492 (Dell PowerScale OneFS 9.5.0.x contains an incorrect default permission ...) + TODO: check +CVE-2023-32491 (Dell PowerScale OneFS 9.5.0.x, contains an insertion of sensitive info ...) + TODO: check +CVE-2023-32490 (Dell PowerScale OneFS 8.2x -9.5x contains an improper privilege manage ...) + TODO: check +CVE-2023-32489 (Dell PowerScale OneFS 8.2x -9.5x contains a privilege escalation vulne ...) + TODO: check +CVE-2023-32488 (Dell PowerScale OneFS, 8.2.x-9.5.0.x, contains an information disclosu ...) + TODO: check +CVE-2023-32487 (Dell PowerScale OneFS, 8.2.x - 9.5.0.x, contains an elevation of privi ...) + TODO: check +CVE-2023-32486 (Dell PowerScale OneFS 9.5.x version contain a privilege escalation vul ...) + TODO: check +CVE-2023-32453 (Dell BIOS contains an improper authentication vulnerability. A malicio ...) + TODO: check +CVE-2023-2737 (Improper log permissions in SafeNet Authentication ServiceVersion 3.4. ...) + TODO: check CVE-2023-4302 NOT-FOR-US: Jenkins plugin CVE-2023-4301 NOT-FOR-US: Jenkins plugin -CVE-2023-40351 +CVE-2023-40351 (A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite ...) NOT-FOR-US: Jenkins plugin -CVE-2023-40350 +CVE-2023-40350 (Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values re ...) NOT-FOR-US: Jenkins plugin -CVE-2023-40349 +CVE-2023-40349 (Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an optio ...) NOT-FOR-US: Jenkins plugin -CVE-2023-40348 +CVE-2023-40348 (The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provide ...) NOT-FOR-US: Jenkins plugin -CVE-2023-40347 +CVE-2023-40347 (Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earl ...) NOT-FOR-US: Jenkins plugin -CVE-2023-40346 +CVE-2023-40346 (Jenkins Shortcut Job Plugin 0.4 and earlier does not escape the shortc ...) 
NOT-FOR-US: Jenkins plugin -CVE-2023-40345 +CVE-2023-40345 (Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate ...) NOT-FOR-US: Jenkins plugin -CVE-2023-40344 +CVE-2023-40344 (A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier ...) NOT-FOR-US: Jenkins plugin -CVE-2023-40343 +CVE-2023-40343 (Jenkins Tuleap Authentication Plugin 1.1.20 and earlier uses a non-con ...) NOT-FOR-US: Jenkins plugin -CVE-2023-40342 +CVE-2023-40342 (Jenkins Flaky Test Handler
[Git][security-tracker-team/security-tracker][master] Track fix via experimental for CVE-2023-34872/poppler
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3905c8de by Salvatore Bonaccorso at 2023-08-16T22:08:25+02:00 Track fix via experimental for CVE-2023-34872/poppler Note, while an experimental upload as 23.08.0-2 mentioned the CVE as fixed, the fix is actually already in the 23.08.0-1 instead. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2459,6 +2459,7 @@ CVE-2023-34917 (Fuge CMS v1.0 contains an Open Redirect vulnerability in member/ CVE-2023-34916 (Fuge CMS v1.0 contains an Open Redirect vulnerability via /front/Proce ...) NOT-FOR-US: Fuge CMS CVE-2023-34872 (A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a re ...) + [experimental] - poppler 23.08.0-1 - poppler (bug #1042811) [bookworm] - poppler (Minor issue) [bullseye] - poppler (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3905c8defb5b1c97e6a2166df864d44fa2195e0b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3905c8defb5b1c97e6a2166df864d44fa2195e0b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2017-18641/lxc/jessie as ignored
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: 319b9d38 by Santiago Ruano Rincón at 2023-08-16T17:06:44-03:00 Mark CVE-2017-18641/lxc/jessie as ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -252194,7 +252194,7 @@ CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext H [bullseye] - lxc-templates (Minor issue) [buster] - lxc-templates (Minor issue) - lxc 1:3.0.3-1 (low) - [stretch] - lxc (Minor issue) + [stretch] - lxc (https://lists.debian.org/debian-lts/2023/08/msg00019.html) [jessie] - lxc (https://lists.debian.org/debian-lts/2020/02/msg00102.html) NOTE: LXC 3.0.2 split the templates out to separate lxc-templates. NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/319b9d38c5ab7f2494ba644ee0284c44e8531487 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/319b9d38c5ab7f2494ba644ee0284c44e8531487 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
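Review bot: the commit title says the jessie entry is marked ignored, but the only `-`/`+` pair in the hunk is the `[stretch] - lxc (...)` line; the `[jessie] - lxc (https://lists.debian.org/debian-lts/2020/02/msg00102.html)` line below it is unchanged context, so either the title should say stretch or the jessie line was meant to change too. The replacement also drops the `Minor issue` rationale in favour of a bare list URL, whereas neighbouring entries keep a short reason next to the reference; and because the tracker's angle-bracket state markers (such as `<ignored>`) do not survive this mail rendering, the state tag on the new line cannot be verified from the notification and should be checked in the file itself.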
[Git][security-tracker-team/security-tracker][master] Add commit reference for CVE-2023-1206/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c177d03 by Salvatore Bonaccorso at 2023-08-16T21:00:57+02:00 Add commit reference for CVE-2023-1206/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23162,6 +23162,7 @@ CVE-2023-1207 (This HTTP Headers WordPress plugin before 1.18.8 has an import fu CVE-2023-1206 (A hash collision flaw was found in the IPv6 connection lookup table in ...) - linux NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2175903 + NOTE: https://git.kernel.org/linus/d11b0df7ddf1831f3e170972f43186dad520bfcc (6.5-rc4) CVE-2023-27853 (NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 contains a format s ...) NOT-FOR-US: NETGEAR CVE-2023-27852 (NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 contains a buffer o ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c177d03697532db64710574ebee89e812fa382f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c177d03697532db64710574ebee89e812fa382f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
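Review bot: the new NOTE pairs the fix commit with its mainline tag (6.5-rc4), but the package line stays at a bare `- linux` with no fixed version; when the commit is picked into a stable series that the Debian packages follow, recording that stable version next to the tag is what lets the unstable, bookworm and bullseye entries be updated without re-deriving it. Until then the entry is consistent: the bugzilla reference and the commit reference together document the issue.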
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-2898/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ef6d9d47 by Salvatore Bonaccorso at 2023-08-16T20:48:20+02:00 Update information on CVE-2023-2898/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10111,9 +10111,10 @@ CVE-2023-2922 (A vulnerability classified as problematic has been found in Sourc CVE-2023-2825 (An issue has been discovered in GitLab CE/EE affecting only version 16 ...) - gitlab (Only affects 16.x) CVE-2023-2898 (There is a null-pointer-dereference flaw found in f2fs_write_end_io in ...) - - linux + - linux 6.4.4-1 [buster] - linux (Vulnerable code not present) NOTE: https://lore.kernel.org/linux-f2fs-devel/20230522124203.3838360-1-c...@kernel.org/ + NOTE: https://git.kernel.org/linus/d8189834d4348ae608083e1f1f53792cfcc2a9bc (6.5-rc1) CVE-2023-33780 (A stored cross-site scripting (XSS) vulnerability in TFDi Design smart ...) NOT-FOR-US: TFDi Design smartCARS CVE-2023-33779 (A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef6d9d47374e1b6774c2d226ccc1a58ffde86f26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef6d9d47374e1b6774c2d226ccc1a58ffde86f26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
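Review bot: `- linux 6.4.4-1` is now claimed as the fixed version, but the only upstream reference added is the mainline tag `(6.5-rc1)`; if the fix reached 6.4.4-1 it did so through a stable pick, so naming the stable release that carried the commit next to the tag makes the fixed-version claim checkable. Bookworm and bullseye have no sub-entries and therefore remain implicitly affected, while buster is `Vulnerable code not present`; a short annotation for the other two suites would show whether that triage is still pending.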
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-33250/linux in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 750cb68e by Salvatore Bonaccorso at 2023-08-16T20:38:18+02:00 Track fixed version for CVE-2023-33250/linux in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10614,7 +10614,7 @@ CVE-2023-33252 (iden3 snarkjs through 0.6.11 allows double spending because ther CVE-2023-33251 (When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDi ...) NOT-FOR-US: Akka HTTP CVE-2023-33250 (The Linux kernel 6.3 has a use-after-free in iopt_unmap_iova_range in ...) - - linux + - linux 6.4.4-1 [bookworm] - linux (Vulnerable code introduced later) [bullseye] - linux (Vulnerable code introduced later) [buster] - linux (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/750cb68ebba0d802e6c998cc792c7151245cd2a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/750cb68ebba0d802e6c998cc792c7151245cd2a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
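Review bot: the entry gets a fixed version (`- linux 6.4.4-1`) but, unlike the other linux entries in this batch, no NOTE with the upstream fix commit and its tag; add it so the version claim is traceable. The three `Vulnerable code introduced later` lines agree with the description, which places the iopt_unmap_iova_range use-after-free in the 6.3 kernel.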
[Git][security-tracker-team/security-tracker][master] efibootguard spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 03643b92 by Moritz Mühlenhoff at 2023-08-16T20:31:40+02:00 efibootguard spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -6,3 +6,5 @@ CVE-2023-35936 [bookworm] - pandoc 2.17.1.1-2~deb12u1 CVE-2023-36054 [bookworm] - krb5 1.20.1-2+deb12u1 +CVE-2023-39950 + [bookworm] - efibootguard 0.13-2+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03643b92394a5ffaa4052653adc695dc48c9828e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03643b92394a5ffaa4052653adc695dc48c9828e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
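Review bot: queuing `efibootguard 0.13-2+deb12u1` for bookworm in next-point-update.txt matches the CVE-2023-39950 bookworm annotation `(Minor issue, can be fixed via point release)` in data/CVE/list; remember that the data/CVE/list bookworm line must get the deb12u1 version once the point release ships, otherwise the two files diverge and the CVE keeps showing as open for bookworm.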
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2023-38898 commits
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d042ac67 by Salvatore Bonaccorso at 2023-08-16T20:29:04+02:00 Add upstream tag information for CVE-2023-38898 commits - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -187,8 +187,8 @@ CVE-2023-38898 (An issue in Python cpython v.3.7 allows an attacker to obtain se - python3.9 (Vulnerable code not present) - python3.7 (Vulnerable code not present) - python2.7 (Vulnerable code not present) - NOTE: Introduced in https://github.com/python/cpython/commit/a474e04388c2ef6aca75c26cb70a1b6200235feb - NOTE: https://github.com/python/cpython/commit/9e6f8d46150c1a0af09d68ce63c603cf321994aa + NOTE: Introduced in https://github.com/python/cpython/commit/a474e04388c2ef6aca75c26cb70a1b6200235feb (v3.12.0b1) + NOTE: https://github.com/python/cpython/commit/9e6f8d46150c1a0af09d68ce63c603cf321994aa (v3.12.0b4) NOTE: https://github.com/python/cpython/issues/105987 CVE-2023-38896 (An issue in Harrison Chase langchain v.0.0.194 and before allows a rem ...) NOT-FOR-US: Harrison Chase langchain View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d042ac673a23b6c1b1aa292ec8461876cc4175ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d042ac673a23b6c1b1aa292ec8461876cc4175ca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
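Review bot: the tags added here (introduced in v3.12.0b1, fixed in v3.12.0b4) are consistent with `- python3.12 3.12.0~b4-1` and with `Vulnerable code not present` for 3.11 and older, and they also establish that the CVE text's reference to "cpython v.3.7" is wrong; that conclusion is worth a one-line NOTE in the entry so the python3.7 line is not reopened by someone reading only the description.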
[Git][security-tracker-team/security-tracker][master] openjdk-11 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e7fd8c53 by Moritz Mühlenhoff at 2023-08-16T20:15:52+02:00 openjdk-11 DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[16 Aug 2023] DSA-5478-1 openjdk-11 - security update + {CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 CVE-2023-22006 CVE-2023-22036 CVE-2023-22041 CVE-2023-22045 CVE-2023-22049} + [bullseye] - openjdk-11 11.0.20+8-1~deb11u1 [14 Aug 2023] DSA-5477-1 samba - security update {CVE-2022-2127 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968} [bookworm] - samba 2:4.17.10+dfsg-0+deb12u1 = data/dsa-needed.txt = @@ -39,9 +39,6 @@ nodejs -- nova/oldstable -- -openjdk-11/oldstable (jmm) - needs asmtools backport in bullseye --- openjdk-17/oldstable (jmm) -- php-cas/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7fd8c53322df56f5a442c81c053454b04e9f22e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7fd8c53322df56f5a442c81c053454b04e9f22e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim mediawiki in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8141b724 by Markus Koschany at 2023-08-16T20:05:19+02:00 Claim mediawiki in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -97,7 +97,7 @@ lxc (santiago) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/44 NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) -- -mediawiki +mediawiki (Markus Koschany) NOTE: 20230810: Added by Front-Desk (Beuc) NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31 NOTE: 20230810: Check DSA-5447-1 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8141b72493faec94295ae3a150ed27f2b7a6ed4b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8141b72493faec94295ae3a150ed27f2b7a6ed4b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-1776/otrs2: Add link to fixing commit.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 75184deb by Guilhem Moulin at 2023-08-16T19:22:40+02:00 CVE-2020-1776/otrs2: Add link to fixing commit. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -271447,6 +271447,8 @@ CVE-2020-1776 (When an agent user is renamed or set to invalid the session belon [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-13/ + NOTE: Fixed in 7.0.18, 6.0.29 + NOTE: OTRS6: https://github.com/OTRS/otrs/commit/4514f95f747be368c3dc9a9452ff9aa66506648d CVE-2020-1775 (BCC recipients in mails sent from OTRS are visible in article detail o ...) - otrs2 (ONly affects 7.x and 8.x series) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-12/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/75184debba6c7af30b9a851954e7b80c1a54ef85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/75184debba6c7af30b9a851954e7b80c1a54ef85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
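Review bot: `NOTE: Fixed in 7.0.18, 6.0.29` is the right addition, but the new commit reference is prefixed `OTRS6:` while the CVE-2019-18179 and CVE-2019-18180 entries use `OTRS 6.0:`; pick one spelling so the prefixes are greppable. The unchanged context line for CVE-2020-1775 also carries a typo, `ONly affects 7.x and 8.x series`, which could be fixed while the file is being touched.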
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3531-1 for open-vm-tools
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: deb3e9e9 by Utkarsh Gupta at 2023-08-16T22:43:36+05:30 Reserve DLA-3531-1 for open-vm-tools - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -191,7 +191,7 @@ CVE-2023-38898 (An issue in Python cpython v.3.7 allows an attacker to obtain se NOTE: https://github.com/python/cpython/commit/9e6f8d46150c1a0af09d68ce63c603cf321994aa NOTE: https://github.com/python/cpython/issues/105987 CVE-2023-38896 (An issue in Harrison Chase langchain v.0.0.194 and before allows a rem ...) - NOT-FOR-US: Harrison Chase langchain + NOT-FOR-US: Harrison Chase langchain CVE-2023-38889 (An issue in Alluxio v.2.9.3 and before allows an attacker to execute a ...) NOT-FOR-US: Alluxio CVE-2023-38866 (COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Aug 2023] DLA-3531-1 open-vm-tools - security update + {CVE-2023-20867} + [buster] - open-vm-tools 2:10.3.10-1+deb10u4 [15 Aug 2023] DLA-3530-1 openssl - security update {CVE-2023-3446 CVE-2023-3817} [buster] - openssl 1.1.1n-0+deb10u6 = data/dla-needed.txt = 
@@ -121,9 +121,6 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -open-vm-tools (Utkarsh) - NOTE: 20230731: Added by Front-Desk (apo) --- opendmarc (Chris Lamb) NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/34 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/deb3e9e990d6bd05c59e35591dad6b69f1bb5919 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/deb3e9e990d6bd05c59e35591dad6b69f1bb5919 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
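Review bot: the first data/CVE/list hunk rewrites the `NOT-FOR-US: Harrison Chase langchain` line for CVE-2023-38896 with no visible difference, which points to a whitespace-only edit unrelated to reserving DLA-3531-1; an unrelated cleanup like that belongs in its own commit or should at least be mentioned in the message. The DLA/list and dla-needed.txt hunks are consistent with each other (CVE-2023-20867, buster `2:10.3.10-1+deb10u4`, the `open-vm-tools (Utkarsh)` claim removed).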
[Git][security-tracker-team/security-tracker][master] Mark CVE-2009-1143/open-vm-tools as ignored for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: c5d8f3ab by Utkarsh Gupta at 2023-08-16T22:38:25+05:30 Mark CVE-2009-1143/open-vm-tools as ignored for buster Its a very minor issue and mount.vmhgfs is not suid in Debian. Also, dropping that from buster entirely might break some users and we dont want that. So lets leave it as-is. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -594931,7 +594931,7 @@ CVE-2009-1144 (Untrusted search path vulnerability in the Gentoo package of Xpdf CVE-2009-1143 (An issue was discovered in open-vm-tools 2009.03.18-154848. Local user ...) - open-vm-tools 2:12.0.0-1 [bullseye] - open-vm-tools (Minor issue; mount.vmhgfs not suid root in Debian) - [buster] - open-vm-tools (Minor issue; mount.vmhgfs not suid root in Debian) + [buster] - open-vm-tools (Minor issue; mount.vmhgfs not suid root in Debian) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=372070 NOTE: Removing hgfsmounter/mount.vmhgfs: https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9 (stable-12.0.0) CVE-2009-1142 (An issue was discovered in open-vm-tools 2009.03.18-154848. Local user ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5d8f3abd729786d3c84e44f5edc8c036033265d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5d8f3abd729786d3c84e44f5edc8c036033265d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
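Review bot: the commit message says buster is marked ignored, but the `-`/`+` pair for `[buster] - open-vm-tools (Minor issue; mount.vmhgfs not suid root in Debian)` shows no visible difference; the tracker expresses that state with an angle-bracket marker (`<ignored>`) which this mail rendering strips, so the change is plausible but cannot be reviewed from the notification. The second half of the rationale (dropping the binary from buster could break existing users) exists only in the commit message; the existing parenthetical already states the not-suid point, so appending the second reason there would keep the justification with the data.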
[Git][security-tracker-team/security-tracker][master] opensmtpd fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 35035674 by Moritz Muehlenhoff at 2023-08-16T18:16:11+02:00 opensmtpd fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17899,7 +17899,7 @@ CVE-2023-29325 (Windows OLE Remote Code Execution Vulnerability) CVE-2023-29324 (Windows MSHTML Platform Security Feature Bypass Vulnerability) NOT-FOR-US: Microsoft CVE-2023-29323 (ascii_load_sockaddr in smtpd in OpenBSD before 7.1 errata 024 and 7.2 ...) - - opensmtpd (bug #1034178) + - opensmtpd 7.3.0p1-1 (bug #1034178) [bookworm] - opensmtpd (Minor issue) [bullseye] - opensmtpd (Minor issue) [buster] - opensmtpd (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35035674b9ac2331616497a95645f5aa3c2877e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35035674b9ac2331616497a95645f5aa3c2877e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
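Review bot: `- opensmtpd 7.3.0p1-1 (bug #1034178)` sets a fixed version, but the entry has no NOTE pointing at the upstream change; the description itself names OpenBSD errata (7.1 errata 024), so a link to the errata or to the corresponding opensmtpd commit would make the 7.3.0p1 claim checkable. The bookworm, bullseye and buster lines stay `Minor issue`, consistent with the title (fixed in sid only).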
[Git][security-tracker-team/security-tracker][master] efibootguard fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 404f0f90 by Moritz Muehlenhoff at 2023-08-16T18:13:10+02:00 efibootguard fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -328,7 +328,7 @@ CVE-2023-2606 (The WP Brutal AI WordPress plugin before 2.06 does not sanitise a CVE-2022-4953 (The Elementor Website Builder WordPress plugin before 3.5.5 does not f ...) NOT-FOR-US: WordPress plugin CVE-2023-39950 (efibootguard is a simple UEFI boot loader with support for safely swit ...) - - efibootguard (bug #1049436) + - efibootguard 0.15-1 (bug #1049436) [bookworm] - efibootguard (Minor issue, can be fixed via point release) NOTE: https://github.com/siemens/efibootguard/commit/965d65c5751898c4bb094ef191b7387819423414 (v0.15) NOTE: https://github.com/siemens/efibootguard/commit/53dee61dc8b3a83c882e4bc9a0cfe7d6d73610c4 (v0.15) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/404f0f90a66b02d2a32036bf292741622c94d3cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/404f0f90a66b02d2a32036bf292741622c94d3cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-18179/otrs2: Add follow-up commits.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bd8ca57 by Guilhem Moulin at 2023-08-16T17:05:15+02:00 CVE-2019-18179/otrs2: Add follow-up commits. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -278564,6 +278564,8 @@ CVE-2019-18179 (An issue was discovered in Open Ticket Request System (OTRS) 7.0 [stretch] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/ NOTE: OTRS 6.0: https://github.com/OTRS/otrs/commit/fa6bf8ceed157f10791f9e199058db79b924c351 + NOTE: OTRS 6.0: https://github.com/OTRS/otrs/commit/d873fde85260e50f7e7a9f47c691b1cafd237119 + NOTE: OTRS 6.0: https://github.com/OTRS/otrs/commit/0ec21884a2a1573987bf77631dc5a54d951280b7 NOTE: OTRS 5.0: https://github.com/OTRS/otrs/commit/696db4d90a1b44ce4ed0c8a4ab9d53bfa3c9836e CVE-2019-18178 (Real Time Engineers FreeRTOS+FAT 160919a has a use after free. The fun ...) NOT-FOR-US: FreeRTOS+FAT View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bd8ca57680bdb303b13c8d187fe0800fc876cd2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bd8ca57680bdb303b13c8d187fe0800fc876cd2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
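Review bot: the two new `OTRS 6.0:` NOTE lines are indistinguishable from the primary fix commit listed directly above them, while the commit message calls them follow-ups; annotating them as such (for example `OTRS 6.0 (follow-up):`) tells whoever backports this for a DLA that the first commit alone may be incomplete.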
[Git][security-tracker-team/security-tracker][master] CVE-2019-{18179,18180}/otrs2: Add links to fixing commits.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 659eb0f6 by Guilhem Moulin at 2023-08-16T16:40:38+02:00 CVE-2019-{18179,18180}/otrs2: Add links to fixing commits. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -278555,12 +278555,16 @@ CVE-2019-18180 (Improper Check for filenames with overly long extensions in Post [stretch] - otrs2 (Non-free not supported) [jessie] - otrs2 (vulnerable code not present) NOTE: https://community.otrs.com/security-advisory-2019-15-security-update-for-otrs-framework/ + NOTE: OTRS 6.0: https://github.com/OTRS/otrs/commit/da057277c8620f0885c70090f565f1fa81f2c7e9 + NOTE: OTRS 6.0: https://github.com/OTRS/otrs/commit/799616eb43f7fb53cae4e04c81e2156baaf02e2b CVE-2019-18179 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...) {DLA-2053-1} - otrs2 6.0.24-1 (bug #945251) [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/ + NOTE: OTRS 6.0: https://github.com/OTRS/otrs/commit/fa6bf8ceed157f10791f9e199058db79b924c351 + NOTE: OTRS 5.0: https://github.com/OTRS/otrs/commit/696db4d90a1b44ce4ed0c8a4ab9d53bfa3c9836e CVE-2019-18178 (Real Time Engineers FreeRTOS+FAT 160919a has a use after free. The fun ...) NOT-FOR-US: FreeRTOS+FAT CVE-2019-18177 (In certain Citrix products, information disclosure can be achieved by ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/659eb0f61c533bfa72a2241f27d166c2c2a888d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/659eb0f61c533bfa72a2241f27d166c2c2a888d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
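Review bot: for CVE-2019-18180 the hunk adds two OTRS 6.0 commits but no 5.0 commit, whereas CVE-2019-18179 gets both a 6.0 and a 5.0 reference; a NOTE saying whether the 5.0 branch is affected by 18180 at all would close that asymmetry, since the `[jessie] - otrs2 (vulnerable code not present)` line suggests it was considered.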
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b9ed0dc9 by Moritz Muehlenhoff at 2023-08-16T16:00:36+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,39 @@ +CVE-2023-4302 + NOT-FOR-US: Jenkins plugin +CVE-2023-4301 + NOT-FOR-US: Jenkins plugin +CVE-2023-40351 + NOT-FOR-US: Jenkins plugin +CVE-2023-40350 + NOT-FOR-US: Jenkins plugin +CVE-2023-40349 + NOT-FOR-US: Jenkins plugin +CVE-2023-40348 + NOT-FOR-US: Jenkins plugin +CVE-2023-40347 + NOT-FOR-US: Jenkins plugin +CVE-2023-40346 + NOT-FOR-US: Jenkins plugin +CVE-2023-40345 + NOT-FOR-US: Jenkins plugin +CVE-2023-40344 + NOT-FOR-US: Jenkins plugin +CVE-2023-40343 + NOT-FOR-US: Jenkins plugin +CVE-2023-40342 + NOT-FOR-US: Jenkins plugin +CVE-2023-40341 + NOT-FOR-US: Jenkins plugin +CVE-2023-40340 + NOT-FOR-US: Jenkins plugin +CVE-2023-40339 + NOT-FOR-US: Jenkins plugin +CVE-2023-40338 + NOT-FOR-US: Jenkins plugin +CVE-2023-40337 + NOT-FOR-US: Jenkins plugin +CVE-2023-40336 + NOT-FOR-US: Jenkins plugin CVE-2023-4374 (The WP Remote Users Sync plugin for WordPress is vulnerable to unautho ...) NOT-FOR-US: WP Remote Users Sync plugin for WordPress CVE-2023-3958 (The WP Remote Users Sync plugin for WordPress is vulnerable to Server ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9ed0dc95a5e600e8da5c24db2e8c3a71124d1b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9ed0dc95a5e600e8da5c24db2e8c3a71124d1b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
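Review bot: all 18 entries are added as bare CVE ids with the same `NOT-FOR-US: Jenkins plugin` line and no description, which is fine when triaging ahead of the description import, but a single NOTE pointing at the Jenkins advisory that groups these ids would let a later reader confirm the plugin names without looking up each id once the descriptions arrive.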
[Git][security-tracker-team/security-tracker][master] new Python issue (CVE description is bogus)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fcf7face by Moritz Muehlenhoff at 2023-08-16T15:11:24+02:00 new Python issue (CVE description is bogus) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -145,7 +145,15 @@ CVE-2023-38916 (SQL Injection vulnerability in eVotingSystem-PHP v.1.0 allows a CVE-2023-38915 (File Upload vulnerability in Wolf-leo EasyAdmin8 v.1.0 allows a remote ...) NOT-FOR-US: Wolf-leo EasyAdmin8 CVE-2023-38898 (An issue in Python cpython v.3.7 allows an attacker to obtain sensitiv ...) - TODO: check + - python3.12 3.12.0~b4-1 + - python3.11 (Vulnerable code not present) + - python3.10 (Vulnerable code not present) + - python3.9 (Vulnerable code not present) + - python3.7 (Vulnerable code not present) + - python2.7 (Vulnerable code not present) + NOTE: Introduced in https://github.com/python/cpython/commit/a474e04388c2ef6aca75c26cb70a1b6200235feb + NOTE: https://github.com/python/cpython/commit/9e6f8d46150c1a0af09d68ce63c603cf321994aa + NOTE: https://github.com/python/cpython/issues/105987 CVE-2023-38896 (An issue in Harrison Chase langchain v.0.0.194 and before allows a rem ...) NOT-FOR-US: Harrison Chase langchain CVE-2023-38889 (An issue in Alluxio v.2.9.3 and before allows an attacker to execute a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcf7face99651c5b8c88f1733b308da8e98711e5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcf7face99651c5b8c88f1733b308da8e98711e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
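Review bot: the commit message says the CVE description is bogus, yet nothing in the entry records that; `- python3.7 (Vulnerable code not present)` sitting under a description that literally names "cpython v.3.7" will look like a mistake to the next triager, so add a NOTE stating that the description's 3.7 reference is wrong and that the introducing commit is 3.12-only (which the `Introduced in` line implies but does not say).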
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cb47a68e by Moritz Muehlenhoff at 2023-08-16T13:46:41+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -127,43 +127,43 @@ CVE-2023-40028 (Ghost is an open source content management system. Versions prio CVE-2023-40027 (Keystone is an open source headless CMS for Node.js \u2014 built with ...) NOT-FOR-US: Keystone CMS CVE-2023-39843 (Missing encryption in the RFID tag of Suleve 5-in-1 Smart Door Lock v1 ...) - TODO: check + NOT-FOR-US: Suleve 5-in-1 Smart Door Lock CVE-2023-39842 (Missing encryption in the RFID tag of Digoo DG-HAMB Smart Home Securit ...) - TODO: check + NOT-FOR-US: Digoo DG-HAMB Smart Home Security CVE-2023-39841 (Missing encryption in the RFID tag of Etekcity 3-in-1 Smart Door Lock ...) - TODO: check + NOT-FOR-US: Etekcity 3-in-1 Smart Door Lock CVE-2023-39662 (An issue in llama_index v.0.7.13 and before allows a remote attacker t ...) - TODO: check + NOT-FOR-US: llama_index CVE-2023-39661 (An issue in pandas-ai v.0.9.1 and before allows a remote attacker to e ...) - TODO: check + NOT-FOR-US: pandas-ai CVE-2023-39659 (An issue in langchain langchain-ai v.0.0.232 and before allows a remot ...) - TODO: check + NOT-FOR-US: langchain-ai CVE-2023-39438 (A missing authorization check allows an arbitrary authenticated user t ...) - TODO: check + NOT-FOR-US: cla-assistant CVE-2023-38916 (SQL Injection vulnerability in eVotingSystem-PHP v.1.0 allows a remote ...) - TODO: check + NOT-FOR-US: eVotingSystem-PHP CVE-2023-38915 (File Upload vulnerability in Wolf-leo EasyAdmin8 v.1.0 allows a remote ...) - TODO: check + NOT-FOR-US: Wolf-leo EasyAdmin8 CVE-2023-38898 (An issue in Python cpython v.3.7 allows an attacker to obtain sensitiv ...) TODO: check CVE-2023-38896 (An issue in Harrison Chase langchain v.0.0.194 and before allows a rem ...) - TODO: check + NOT-FOR-US: Harrison Chase langchain CVE-2023-38889 (An issue in Alluxio v.2.9.3 and before allows an attacker to execute a ...) - TODO: check + NOT-FOR-US: Alluxio CVE-2023-38866 (COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected ...) 
- TODO: check + NOT-FOR-US: COMFAST CVE-2023-38865 (COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected ...) - TODO: check + NOT-FOR-US: COMFAST CVE-2023-38864 (An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbi ...) - TODO: check + NOT-FOR-US: COMFAST CVE-2023-38863 (An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbi ...) - TODO: check + NOT-FOR-US: COMFAST CVE-2023-38862 (An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbi ...) - TODO: check + NOT-FOR-US: COMFAST CVE-2023-38861 (An issue in Wavlink WL_WNJ575A3 v.R75A3_V1410_220513 allows a remote a ...) - TODO: check + NOT-FOR-US: Wavlink CVE-2023-38860 (An issue in LangChain v.0.0.231 allows a remote attacker to execute ar ...) - TODO: check + NOT-FOR-US: LangChain CVE-2023-38858 (Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacke ...) TODO: check CVE-2023-38857 (Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacke ...) @@ -183,13 +183,13 @@ CVE-2023-38851 (Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote a CVE-2023-38850 (Buffer Overflow vulnerability in Michaelrsweet codedoc v.3.7 allows an ...) TODO: check CVE-2023-38840 (An issue in Bitwarden Bitwarden Desktop v.2023.5.1 allows a local atta ...) - TODO: check + NOT-FOR-US: Bitwarden CVE-2023-38402 (A vulnerability in the HPE Aruba Networking Virtual IntranetAccess (VI ...) - TODO: check + NOT-FOR-US: HPE CVE-2023-38401 (A vulnerability in the HPE Aruba Networking Virtual Intranet Access (V ...) - TODO: check + NOT-FOR-US: HPE CVE-2023-35082 (An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2023-2916 (The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive ...) NOT-FOR-US: InfiniteWP Client plugin for WordPress CVE-2023-4347 (Cross-site Scripting (XSS) - Reflected in GitHub repository librenms/l ...) 
@@ -234,7 +234,7 @@ CVE-2023-40359 (xterm before 380 supports ReGIS reporting for character-set name [bullseye] - xterm (Minor issue) NOTE: https://invisible-island.net/xterm/xterm.log.html#xterm_380 CVE-2023-40354 (An issue was discovered in MariaDB MaxScale before 23.02.3. A user ent ...) - TODO: check + NOT-FOR-US: Maxscale CVE-2023-40312 (Multiple reflected XSS were found on
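Review bot: CVE-2023-39438 is tagged NOT-FOR-US: cla-assistant in the @@ -127,43 hunk, but nothing in the entry's truncated description ("A missing authorization check allows an arbitrary authenticated user t ...") names that product, so the tag cannot be checked from the file alone; add a NOTE: line with the upstream advisory URL, as other entries in this file carry. The lines left at TODO: check in that hunk (CVE-2023-38898 for cpython, and the faad2 entries CVE-2023-38858/CVE-2023-38857) are correctly kept open, since both are packaged in Debian.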
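Review bot: the three NOT-FOR-US tags in the @@ -183,13 hunk name only the vendor (Bitwarden, HPE, Ivanti) although each description identifies a product (Bitwarden Desktop, HPE Aruba Networking Virtual Intranet Access, Ivanti EPMM), and the unchanged neighbour uses the product name (NOT-FOR-US: InfiniteWP Client plugin for WordPress); use the product name, e.g. "NOT-FOR-US: Ivanti EPMM", so that a search for the product finds the triage decision.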
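Review bot: "NOT-FOR-US: Maxscale" in the @@ -234,7 hunk misspells the product, which the description gives as "MariaDB MaxScale"; write "NOT-FOR-US: MariaDB MaxScale" so the tag matches upstream's name and searches for it hit this entry.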
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 50054c99 by Moritz Muehlenhoff at 2023-08-16T13:22:36+02:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -440,6 +440,8 @@ CVE-2023-4105 (Mattermost fails to delete the attachments when deleting a messag CVE-2023-40267 (GitPython before 3.1.32 does not block insecure non-multi options in c ...) {DLA-3502-1} - python-git (bug #1043503) + [bookworm] - python-git (Minor issue) + [bullseye] - python-git (Minor issue) NOTE: https://github.com/gitpython-developers/GitPython/pull/1609 NOTE: https://github.com/gitpython-developers/GitPython/commit/5c59e0d63da6180db8a0b349f0ad36fef42aceed (3.1.32) CVE-2023-40260 (EmpowerID before 7.205.0.1 allows an attacker to bypass an MFA (multi ...) @@ -5825,6 +5827,8 @@ CVE-2023-34471 (AMI SPx contains a vulnerability in the BMC where a user may cau NOT-FOR-US: AMI SPx CVE-2023-34457 (MechanicalSoup is a Python library for automating interaction with web ...) - python-mechanicalsoup (bug #1041814) + [bookworm] - python-mechanicalsoup (Minor issue) + [bullseye] - python-mechanicalsoup (Minor issue) NOTE: https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4 NOTE: https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e (v1.3.0) CVE-2023-34338 (AMI SPx contains a vulnerability in the BMC where an Attacker may caus ...) 
@@ -193123,6 +193127,7 @@ CVE-2021-20252 (A flaw was found in Red Hat 3scale API Management Platform 2. Th CVE-2021-20251 (A flaw was found in samba. A race condition in the password lockout co ...) [experimental] - samba 2:4.17.1+dfsg-1 - samba 2:4.17.2+dfsg-3 + [bullseye] - samba (Domain controller functionality is EOLed, see DSA DSA-5477-1) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14611 NOTE: https://gitlab.com/samba-team/samba/-/merge_requests/2708 CVE-2021-20250 (A flaw was found in wildfly. The JBoss EJB client has publicly accessi ...) @@ -345053,7 +345058,7 @@ CVE-2018-14629 (A denial of service vulnerability was discovered in Samba's LDAP CVE-2018-14628 (An information leak vulnerability was discovered in Samba's LDAP serve ...) - samba (bug #1034803) [bookworm] - samba (Minor issue, revisit when fixed upstream) - [bullseye] - samba (Minor issue, revisit when fixed upstream) + [bullseye] - samba (Domain controller functionality is EOLed, see DSA DSA-5477-1) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13595 CVE-2018-14627 (The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not h ...) - wildfly (bug #752018) = data/dsa-needed.txt = @@ -18,6 +18,8 @@ chromium -- cinder/oldstable -- +fastdds +-- frr (aron) maintainer proposed to update to 8.4.4 for bookworm, which might be a good idea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50054c991c4e62a7de9dd70a49ffd22507ba5e34 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50054c991c4e62a7de9dd70a49ffd22507ba5e34 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
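Review bot: in the @@ -440,6 hunk the new bullseye and bookworm lines for CVE-2023-40267 say only "Minor issue", while the same CVE already received a buster update (the {DLA-3502-1} tag on the entry) and the fix is the single linked upstream commit 5c59e0d63da6180db8a0b349f0ad36fef42aceed (3.1.32); a parenthetical reason for not shipping it to the stable suites, in the style of the samba lines later in this commit, would make the no-dsa decision reviewable rather than implicit.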
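Review bot: "Minor issue" for python-mechanicalsoup in bookworm and bullseye (the @@ -5825,6 hunk) carries no rationale; the GHSA-x456-3ccm-m6j4 advisory and the v1.3.0 fix commit are already in the NOTE: lines, so one clause stating why the stable suites can wait (for instance whether a point-release update is planned) would close the gap.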
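Review bot: the bullseye line added for CVE-2021-20251 in the @@ -193123,6 hunk reads "see DSA DSA-5477-1", repeating "DSA"; it should be "see DSA-5477-1". The entry records unstable fixed in samba 2:4.17.2+dfsg-3 and gets no bookworm line, which is only right if bookworm's samba is at or above that version, so that is worth a glance before relying on the EOL note.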
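Review bot: the replacement bullseye line for CVE-2018-14628 in the @@ -345053,7 hunk has the same doubled "DSA DSA-5477-1" and should read "see DSA-5477-1". The bookworm line directly above stays at "Minor issue, revisit when fixed upstream", so the EOL note is meant for bullseye only and the entry must not be read as resolved; if that is the intent, the bullseye note could say "no longer applicable" style wording rather than leaving a reader to infer it from the DSA reference.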
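Review bot: the "fastdds" entry added to dsa-needed.txt has no accompanying note; where surrounding entries carry context (frr: "maintainer proposed to update to 8.4.4 for bookworm"), the next step is obvious, but this one does not say which CVE(s) trigger the DSA. Add the CVE id(s) on a note line so whoever claims it knows the scope.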
[Git][security-tracker-team/security-tracker][master] Process some new NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c18ef39d by Salvatore Bonaccorso at 2023-08-16T10:57:06+02:00 Process some new NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,17 +1,17 @@ CVE-2023-4374 (The WP Remote Users Sync plugin for WordPress is vulnerable to unautho ...) - TODO: check + NOT-FOR-US: WP Remote Users Sync plugin for WordPress CVE-2023-3958 (The WP Remote Users Sync plugin for WordPress is vulnerable to Server ...) - TODO: check + NOT-FOR-US: WP Remote Users Sync plugin for WordPress CVE-2023-39852 (Doctormms v1.0 was discovered to contain a SQL injection vulnerability ...) - TODO: check + NOT-FOR-US: Doctormms CVE-2023-39851 (webchess v1.0 was discovered to contain a SQL injection vulnerability ...) - TODO: check + NOT-FOR-US: webchess CVE-2023-39850 (Schoolmate v1.3 was discovered to contain multiple SQL injection vulne ...) - TODO: check + NOT-FOR-US: Schoolmate CVE-2023-39849 (Pikachu v1.0 was discovered to contain a SQL injection vulnerability v ...) - TODO: check + NOT-FOR-US: Pikachu CVE-2023-39848 (DVWA v1.0 was discovered to contain a SQL injection vulnerability via ...) - TODO: check + NOT-FOR-US: DVWA CVE-2023-4371 (A vulnerability was found in phpRecDB 1.3.1. It has been rated as prob ...) NOT-FOR-US: phpRecDB CVE-2023-4369 (Insufficient data validation in Systems Extensions in Google Chrome on ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c18ef39d43bdd43c5a622a0f985e2229ed0ee7a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c18ef39d43bdd43c5a622a0f985e2229ed0ee7a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take openssh for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 34e3570a by Utkarsh Gupta at 2023-08-16T13:58:52+05:30 Take openssh for buster - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -136,8 +136,9 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -openssh +openssh (utkarsh) NOTE: 20230814: Added by Front-Desk (ta) + NOTE: 20230816: taking this one as it's high prio, given one of the customers pinged. (utkarsh) -- orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/34e3570ab50342536d5432e8a6563547ac950d4e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/34e3570ab50342536d5432e8a6563547ac950d4e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
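Review bot: the NOTE added under "openssh (utkarsh)" records why the item is high priority but not which issue is being worked on; the neighbouring dla-needed.txt entry (openjdk-11: "update prepared for new CPU, waiting for DSA ...") spells out the work item, so add the CVE id to the note so the entry stands on its own.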
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dba8b538 by security tracker role at 2023-08-16T08:12:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2023-4374 (The WP Remote Users Sync plugin for WordPress is vulnerable to unautho ...) + TODO: check +CVE-2023-3958 (The WP Remote Users Sync plugin for WordPress is vulnerable to Server ...) + TODO: check +CVE-2023-39852 (Doctormms v1.0 was discovered to contain a SQL injection vulnerability ...) + TODO: check +CVE-2023-39851 (webchess v1.0 was discovered to contain a SQL injection vulnerability ...) + TODO: check +CVE-2023-39850 (Schoolmate v1.3 was discovered to contain multiple SQL injection vulne ...) + TODO: check +CVE-2023-39849 (Pikachu v1.0 was discovered to contain a SQL injection vulnerability v ...) + TODO: check +CVE-2023-39848 (DVWA v1.0 was discovered to contain a SQL injection vulnerability via ...) + TODO: check CVE-2023-4371 (A vulnerability was found in phpRecDB 1.3.1. It has been rated as prob ...) NOT-FOR-US: phpRecDB CVE-2023-4369 (Insufficient data validation in Systems Extensions in Google Chrome on ...) @@ -3917,7 +3931,7 @@ CVE-2023-2636 (The AN_GradeBook WordPress plugin through 5.0.1 does not properly NOT-FOR-US: WordPress plugin CVE-2023-2579 (The InventoryPress WordPress plugin through 1.7 does not sanitise and ...) NOT-FOR-US: WordPress plugin -CVE-2023-2330 (The Caldera Forms Google Sheets Connector WordPress plugin through 1.2 ...) +CVE-2023-2330 (The Caldera Forms Google Sheets Connector WordPress plugin before 1.3 ...) NOT-FOR-US: WordPress plugin CVE-2023-2329 (The WooCommerce Google Sheet Connector WordPress plugin before 1.3.6 d ...) NOT-FOR-US: WordPress plugin 
@@ -27655,8 +27669,8 @@ CVE-2023-26142 RESERVED CVE-2023-26141 RESERVED -CVE-2023-26140 - RESERVED +CVE-2023-26140 (Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerab ...) + TODO: check CVE-2023-26139 (Versions of the package underscore-keypath from 0.0.11 are vulnerable ...) NOT-FOR-US: Node underscore-keypath CVE-2023-26138 (All versions of the package drogonframework/drogon are vulnerable to C ...) @@ -55538,8 +2,7 @@ CVE-2023-20566 RESERVED CVE-2023-20565 RESERVED -CVE-2023-20564 - RESERVED +CVE-2023-20564 (Insufficient validation in the IOCTL (Input Output Control) input buff ...) NOT-FOR-US: AMD CVE-2023-20563 RESERVED @@ -55547,8 +55560,7 @@ CVE-2023-20562 (Insufficient validation in the IOCTL (Input Output Control) inpu NOT-FOR-US: AMD CVE-2023-20561 (Insufficient validation of the IOCTL (Input Output Control) input buff ...) NOT-FOR-US: AMD -CVE-2023-20560 - RESERVED +CVE-2023-20560 (Insufficient validation of the IOCTL (Input Output Control) input buff ...) NOT-FOR-US: AMD CVE-2023-20559 (Insufficient control flow management in AmdCpmGpioInitSmm may allow a ...) NOT-FOR-US: AMD View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dba8b5385a3b98754bd3389d1648066f5eeb0772 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dba8b5385a3b98754bd3389d1648066f5eeb0772 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
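Review bot: CVE-2023-26140 (@excalidraw/excalidraw) enters the file as TODO: check in the @@ -27655,8 hunk; its neighbour CVE-2023-26139 (underscore-keypath) is already triaged "NOT-FOR-US: Node underscore-keypath", and the same treatment applies here unless a Debian package of @excalidraw/excalidraw exists, which the triager should confirm against the archive before closing the TODO.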
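Review bot: the hunk header "@@ -55538,8 +2,7 @@" gives an impossible new-side start line for a hunk that sits between offsets 27669 and 55560 of the same file; this looks like a defect in how the mail rendered the diff rather than in the commit, but the hunk cannot be reapplied from this mail as shown.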
[Git][security-tracker-team/security-tracker][master] Track CVEs for chromium upload to unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5b41c60 by Salvatore Bonaccorso at 2023-08-16T09:03:34+02:00 Track CVEs for chromium upload to unstable Note for reviewers: CVE-2023-2312 is slightly unclear if it is Android specific or not. https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-desktop_15.html lists it. But the cve.org CVE record on it mentions only Android. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3,64 +3,64 @@ CVE-2023-4371 (A vulnerability was found in phpRecDB 1.3.1. It has been rated as CVE-2023-4369 (Insufficient data validation in Systems Extensions in Google Chrome on ...) NOT-FOR-US: Systems Extensions in Google Chrome on ChromeOS CVE-2023-4368 (Insufficient policy enforcement in Extensions API in Google Chrome pri ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4367 (Insufficient policy enforcement in Extensions API in Google Chrome pri ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4366 (Use after free in Extensions in Google Chrome prior to 116.0.5845.96 a ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4365 (Inappropriate implementation in Fullscreen in Google Chrome prior to 1 ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4364 (Inappropriate implementation in Permission Prompts in Google Chrome pr ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4363 (Inappropriate implementation in WebShare in Google Chrome on Android p ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4362 (Heap buffer overflow in Mojom IDL in Google Chrome prior to 116.0.5845 ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4361 (Inappropriate implementation in Autofill in Google Chrome on Android p ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4360 (Inappropriate implementation in Color in Google Chrome prior to 116.0. ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4359 (Inappropriate implementation in App Launcher in Google Chrome on iOS p ...) 
- - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4358 (Use after free in DNS in Google Chrome prior to 116.0.5845.96 allowed ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4357 (Insufficient validation of untrusted input in XML in Google Chrome pri ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4356 (Use after free in Audio in Google Chrome prior to 116.0.5845.96 allowe ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4355 (Out of bounds memory access in V8 in Google Chrome prior to 116.0.5845 ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4354 (Heap buffer overflow in Skia in Google Chrome prior to 116.0.5845.96 a ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4353 (Heap buffer overflow in ANGLE in Google Chrome prior to 116.0.5845.96 ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4352 (Type confusion in V8 in Google Chrome prior to 116.0.5845.96 allowed a ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4351 (Use after free in Network in Google Chrome prior to 116.0.5845.96 allo ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4350 (Inappropriate implementation in Fullscreen in Google Chrome on Android ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4349 (Use after free in Device Trust Connectors in Google Chrome prior to 11 ...) - - chromium + - chromium 116.0.5845.96-1 [buster] - chromium (see DSA 5046) CVE-2023-4345 (Broadcom RAID Controller web interface is vulnerable client-side contr ...) NOT-FOR-US: Broadcom RAID Controller web interface 
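Review bot: the fixed version 116.0.5845.96-1 is applied uniformly in the @@ -3,64 hunk, including to entries whose descriptions restrict the issue to another platform (CVE-2023-4363 WebShare on Android, CVE-2023-4361 Autofill on Android, CVE-2023-4359 App Launcher on iOS, CVE-2023-4350 Fullscreen on Android); that is consistent with tracking every CVE of a Chrome release against the Debian package, but it is the same question the commit message raises for CVE-2023-2312, so a NOTE: on those four entries recording that they are platform-specific and tracked for completeness would save the next reviewer re-deriving it.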
@@ -12236,7 +12236,7 @@ CVE-2023-2313 (Inappropriate implementation in Sandbox in Google Chrome on Windo - chromium