[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-09-10 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3f2545a8 by Santiago Ruano Rincón at 2023-09-11T10:57:30+05:30
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Santiago Ruano Rincón santiag...@riseup.net

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -25,7 +25,7 @@ amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
   NOTE: 20230910: still testing package (ta)
 --
-c-ares (Utkarsh)
+c-ares
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: it's a heap buffer overflow. Have mixed feelings about this 
one. Will look thoroughly. (utkarsh)
 --
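Review bot: with the claimant dropped from the `c-ares` line, the retained note "Will look thoroughly. (utkarsh)" still reads as an active commitment, and nothing in the entry records that the package is free again. Consider adding a dated line such as `NOTE: <date>: unclaimed after 2 weeks of inactivity (<initials>)` so the next contributor does not assume work is in progress on what the note describes as a heap buffer overflow.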
@@ -73,7 +73,7 @@ file (Thorsten Alteholz)
 firmware-nonfree
   NOTE: 20230820: Added by Front-Desk (ta)
 --
-flac (utkarsh)
+flac
   NOTE: 20230827: Added by Front-Desk (utkarsh)
   NOTE: 20230827: incoming DSA
 --
@@ -192,7 +192,7 @@ qt4-x11
   NOTE: 20230822: Re-added for one remaining open CVE (roberto)
   NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, 
fix or remove entry from this file (roberto)
 --
-rails (utkarsh)
+rails
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
   NOTE: 20220909: Two issues 
https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
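Review bot: on the `rails` entry the newest visible NOTE is dated 20220909, so removing `(utkarsh)` leaves a regression entry with no status information from the past year. A short dated NOTE stating whether any work on the regression in 2:5.2.2.1+dfsg-1+deb10u4 exists would tell the next claimant whether to start from scratch.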



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f2545a813c7c6a5543d53db242ba749429f1d8a

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] update note

2023-09-10 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b32d1ea0 by Thorsten Alteholz at 2023-09-10T23:41:20+02:00
update note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -23,7 +23,7 @@ rather than remove/replace existing ones.
 --
 amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
-  NOTE: 20230827: still testing package (ta)
+  NOTE: 20230910: still testing package (ta)
 --
 c-ares (Utkarsh)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
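Review bot: the `amanda` status note is updated by rewriting its date from 20230827 to 20230910, which erases the record that the package was already in testing two weeks earlier; the file-header fragment visible in the hunk header ("rather than remove/replace existing ones.") points towards appending instead. Keep the 20230827 line and add a new `NOTE: 20230910: still testing package (ta)` below it, so that stale-claim checks can see how long testing has been going on.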



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b32d1ea00e48fc4b3eb3dfad182b49af2f4876bd



[Git][security-tracker-team/security-tracker][master] Claim xrdp in dsa-needed.txt

2023-09-10 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1347aa6a by Markus Koschany at 2023-09-10T22:49:02+02:00
Claim xrdp in dsa-needed.txt

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -84,7 +84,7 @@ trafficserver
 --
 wpewebkit/oldstable
 --
-xrdp/oldstable
+xrdp/oldstable (apo)
   needs some additional clarification, tentatively DSA worthy
   maybe upgrade to 0.9.21 within bullseye?
 --
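Review bot: the claim is added on `xrdp/oldstable (apo)`, but the two free-text lines below it stay as open questions ("needs some additional clarification", "maybe upgrade to 0.9.21 within bullseye?") with no date or author. If claiming means one of them is settled, say so in the entry; otherwise a dated line would show that the questions predate the claim.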



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1347aa6a4b2f52c5198aa0454176c51b293b1cee



[Git][security-tracker-team/security-tracker][master] Process two more NFUs

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
49bce77b by Salvatore Bonaccorso at 2023-09-10T22:20:45+02:00
Process two more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2023-4879 (Cross-site Scripting (XSS) - Stored in GitHub repository 
instantsoft/i ...)
-   TODO: check
+   NOT-FOR-US: icms2
 CVE-2023-4878 (Server-Side Request Forgery (SSRF) in GitHub repository 
instantsoft/ic ...)
-   TODO: check
+   NOT-FOR-US: icms2
 CVE-2023-4877 (Exposure of Sensitive Information to an Unauthorized Actor in 
GitHub r ...)
NOT-FOR-US: hamza417/inure
 CVE-2023-4876 (Exposure of Sensitive Information to an Unauthorized Actor in 
GitHub r ...)
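Review bot: both new tags use the bare product name `NOT-FOR-US: icms2`, whereas the entry directly below uses the owner/repository form `NOT-FOR-US: hamza417/inure` and the descriptions here name the GitHub owner `instantsoft`. Using the same owner/repository form would keep the NOT-FOR-US tags consistent and easier to grep.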



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49bce77b0051ccfe654b8efa2ca8038544c88afe



[Git][security-tracker-team/security-tracker][master] Add Debian bug references for freerdp2 issues

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ad65e72 by Salvatore Bonaccorso at 2023-09-10T22:15:39+02:00
Add Debian bug references for freerdp2 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1228,31 +1228,31 @@ CVE-2023-41044 (Graylog is a free and open log 
management platform. A partial pa
 CVE-2023-41034 (Eclipse Leshan is a device management server and client Java 
implement ...)
NOT-FOR-US: Eclipse Leshan
 CVE-2023-40589 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gc34-mw6m-g42x
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/16141a30f983dd6f7a6e5b0356084171942c9416
 CVE-2023-39356 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m
 CVE-2023-39355 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hvwj-vmg6-2f5h
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/d6f9d33a7db0b346195b6a15b5b99944ba41beee
 CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c3r2-pxxp-f8r6
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/cd1da25a87358eb3b5512fd259310e95b19a05ec
 CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
 CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj
 CVE-2023-39351 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq
 CVE-2023-39350 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/e204fc8be5a372626b13f66daf2abafe71dbc2dc
 CVE-2023-34392 (A Missing Authentication for Critical Function vulnerability 
in the Sc ...)
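Review bot: CVE-2023-39356, CVE-2023-39353, CVE-2023-39352 and CVE-2023-39351 receive the bug reference but still carry only the GHSA advisory NOTE, while CVE-2023-40589, CVE-2023-39355, CVE-2023-39354 and CVE-2023-39350 in the same hunk also have a fixing-commit NOTE. If the upstream commits for those four are known, add them while these entries are being touched, so that whoever works on bug #1051638 has the patch for every CVE listed under it.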
@@ -1446,7 +1446,7 @@ CVE-2023-40592 (In Splunk Enterprise versions below 
9.1.1, 9.0.6, and 8.2.12, an
 CVE-2023-40582 (find-exec is a utility to discover available shell commands. 
Versions  ...)
NOT-FOR-US: Node find-exec
 CVE-2023-40188 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9w28-wwj5-p4xq
 CVE-2023-40187 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2  (Vulnerable code introduced in 3.0.0-beta1)
@@ -1454,7 +1454,7 @@ CVE-2023-40187 (FreeRDP is a free implementation of the 
Remote Desktop Protocol
NOTE: Introduced by: 
https://github.com/FreeRDP/FreeRDP/commit/f34679397024a67ce6d568aad9ede19a8858b6f3
 (3.0.0-beta1)
NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/ab31e8ba6ab3b4dd0183929cfb00bd5e797c402c
 (3.0.0-beta3)
 CVE-2023-40186 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hcj4-3c3r-5j3v
 CVE-2023-40184 (xrdp is an open source remote desktop protocol (RDP) server. 
In versio ...)
- xrdp  (bug #1051061)
@@ -1464,7 +1464,7 @@ CVE-2023-40184 (xrdp is an open source remote desktop 
protocol (RDP) server. In
NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq
NOTE: 
https://github.com/neutrinolabs/xrdp/commit/25a1fab5b6c5ef2a8bb109232b765cb8b332ce5e
 CVE-2023-40181 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxp4-rx7x-h2g8
 CVE-2023-3992 (The PostX WordPress plugin before 3.0.6 does not sanitise and 
escape a ...)
NOT-FOR-US: WordPress 

[Git][security-tracker-team/security-tracker][master] automatic update

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
05576d55 by security tracker role at 2023-09-10T20:12:12+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-4879 (Cross-site Scripting (XSS) - Stored in GitHub repository 
instantsoft/i ...)
+   TODO: check
+CVE-2023-4878 (Server-Side Request Forgery (SSRF) in GitHub repository 
instantsoft/ic ...)
+   TODO: check
 CVE-2023-4877 (Exposure of Sensitive Information to an Unauthorized Actor in 
GitHub r ...)
NOT-FOR-US: hamza417/inure
 CVE-2023-4876 (Exposure of Sensitive Information to an Unauthorized Actor in 
GitHub r ...)
@@ -28,12 +32,14 @@ CVE-2023-41915 (OpenPMIx PMIx before 4.2.6 and 5.0.x before 
5.0.1 allows attacke
NOTE: 
https://github.com/openpmix/openpmix/commit/0bf9801a3017eb6ca411e158da39570ccb998c17
 (v5.0.1)
TODO: to be checked if affects the embedded copy for openmpi
 CVE-2023-4875 (Null pointer dereference when composing from a specially 
crafted draft ...)
+   {DSA-5494-1}
- mutt 2.2.12-0.1 (bug #1051563)
NOTE: 
https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555
 (mutt-2-2-12-rel)
NOTE: 
https://gitlab.com/muttmua/mutt/-/commit/4cc3128abdf52c615911589394a03271fddeefc6
 (mutt-2-2-12-rel)
NOTE: 
http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20230904/56.html
NOTE: https://www.openwall.com/lists/oss-security/2023/09/09/1
 CVE-2023-4874 (Null pointer dereference when viewing a specially crafted email 
in Mut ...)
+   {DSA-5494-1}
- mutt 2.2.12-0.1 (bug #1051563)
NOTE: 
https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555
 (mutt-2-2-12-rel)
NOTE: 
https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0
 (mutt-2-2-12-rel)
@@ -56897,6 +56903,7 @@ CVE-2023-20902
 CVE-2023-20901
RESERVED
 CVE-2023-20900 (A malicious actor that has been granted  Guest Operation 
Privileges ht ...)
+   {DSA-5493-1}
- open-vm-tools 2:12.3.0-1 (bug #1050970)
NOTE: https://www.openwall.com/lists/oss-security/2023/08/31/1
NOTE: 
https://github.com/vmware/open-vm-tools/blob/CVE-2023-20900.patch/CVE-2023-20900.patch
@@ -56968,7 +56975,7 @@ CVE-2023-20869 (VMware Workstation (17.x) and VMware 
Fusion (13.x) contain a sta
 CVE-2023-20868 (NSX-T contains a reflected cross-site scripting vulnerability 
due to a ...)
NOT-FOR-US: VMware
 CVE-2023-20867 (A fully compromised ESXi host can force VMware Tools to fail 
to authen ...)
-   {DLA-3531-1}
+   {DSA-5493-1 DLA-3531-1}
- open-vm-tools 2:12.2.5-1 (bug #1037546)
NOTE: https://www.vmware.com/security/advisories/VMSA-2023-0013.html
NOTE: https://github.com/vmware/open-vm-tools/tree/CVE-2023-20867.patch
@@ -221063,6 +221070,7 @@ CVE-2020-22630
 CVE-2020-22629
RESERVED
 CVE-2020-22628 (Buffer Overflow vulnerability in LibRaw::stretch() function in 
libraw\ ...)
+   {DLA-3560-1}
- libraw 0.20.0-4
NOTE: https://github.com/LibRaw/LibRaw/issues/269
NOTE: Fixed by: 
https://github.com/LibRaw/LibRaw/commit/84bbb972d94a965f70302b85738778443540774a
 (0.20-RC2)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05576d55aa648e34c333f6b9a99bfbd4b7b2d085



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-40187/freerdp2

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7d355c29 by Salvatore Bonaccorso at 2023-09-10T21:43:02+02:00
Update information for CVE-2023-40187/freerdp2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1443,8 +1443,10 @@ CVE-2023-40188 (FreeRDP is a free implementation of the 
Remote Desktop Protocol
- freerdp2 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9w28-wwj5-p4xq
 CVE-2023-40187 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
-   - freerdp2 
+   - freerdp2  (Vulnerable code introduced in 3.0.0-beta1)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pwf9-v5p9-ch4f
+   NOTE: Introduced by: 
https://github.com/FreeRDP/FreeRDP/commit/f34679397024a67ce6d568aad9ede19a8858b6f3
 (3.0.0-beta1)
+   NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/ab31e8ba6ab3b4dd0183929cfb00bd5e797c402c
 (3.0.0-beta3)
 CVE-2023-40186 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hcj4-3c3r-5j3v
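Review bot: the new annotation on the `freerdp2` line, "Vulnerable code introduced in 3.0.0-beta1", together with the `Introduced by` and `Fixed by` notes, places the bug between 3.0.0-beta1 and 3.0.0-beta3, yet the entry only has a line for the 2.x source package. If a 3.x package is tracked or expected, add a line or TODO for it here, since an upload based on a release between those two would be affected.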



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d355c298b2c50858fe15a843633449372f10c54



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for mutt update

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ea710dc by Salvatore Bonaccorso at 2023-09-10T20:44:20+02:00
Reserve DSA number for mutt update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[10 Sep 2023] DSA-5494-1 mutt - security update
+   {CVE-2023-4874 CVE-2023-4875}
+   [bullseye] - mutt 2.0.5-4.1+deb11u3
+   [bookworm] - mutt 2.2.9-1+deb12u1
 [10 Sep 2023] DSA-5493-1 open-vm-tools - security update
{CVE-2023-20867 CVE-2023-20900}
[bullseye] - open-vm-tools 2:11.2.5-2+deb11u2


=
data/dsa-needed.txt
=
@@ -28,8 +28,6 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y and 6.1.y versions
 --
-mutt (carnil)
---
 nbconvert/oldstable
   Guilhem Moulin proposed an update ready for review
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ea710dc51ea81fcf66996bd23bb04d658b2edd0



[Git][security-tracker-team/security-tracker][master] Follow maintainers assessment for CVE-2021-20255/qemu and consider issue fixes...

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e391b1f9 by Salvatore Bonaccorso at 2023-09-10T20:41:23+02:00
Follow maintainers assessment for CVE-2021-20255/qemu and consider issue fixes 
with 1:8.1.0+ds-1~exp1 experimental upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -196903,13 +196903,12 @@ CVE-2021-20256 (A flaw was found in Red Hat 
Satellite. The BMC interface exposes
NOT-FOR-US: Red Hat Satellite
 CVE-2021-20255 (A stack overflow via an infinite recursion vulnerability was 
found in  ...)
{DLA-2623-1}
-   - qemu  (bug #984451)
+   - qemu 1:8.1.0+ds-1 (bug #984451)
[bookworm] - qemu  (Minor issue, revisit when fixed upstream)
[bullseye] - qemu  (Minor issue, revisit when fixed upstream)
[buster] - qemu  (Minor issue, waiting for sanctioned patch, 
fixed in stretch-lts)
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
NOTE: 
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1
-   NOTE: No sanctioned upstream patch as of 2023-03-09
 CVE-2021-20254 (A flaw was found in samba. The Samba smbd file server must map 
Windows ...)
{DLA-2668-1}
- samba 2:4.13.5+dfsg-2 (bug #987811)
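Review bot: the hunk removes `NOTE: No sanctioned upstream patch as of 2023-03-09` and records 1:8.1.0+ds-1 as the fixed version, but adds no NOTE pointing to the upstream change or to the maintainer's assessment that the commit message relies on. Add that reference, and revisit the `[bookworm]` and `[bullseye]` lines, whose rationale "Minor issue, revisit when fixed upstream" is now triggered; the `[buster]` text "waiting for sanctioned patch" is likewise out of date.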



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e391b1f985e8f626e4e14a76a3595c74421cd2a3



[Git][security-tracker-team/security-tracker][master] open-vm-tools DSA

2023-09-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
04ac0cad by Moritz Mühlenhoff at 2023-09-10T19:53:40+02:00
open-vm-tools DSA

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -56968,8 +56968,6 @@ CVE-2023-20868 (NSX-T contains a reflected cross-site 
scripting vulnerability du
 CVE-2023-20867 (A fully compromised ESXi host can force VMware Tools to fail 
to authen ...)
{DLA-3531-1}
- open-vm-tools 2:12.2.5-1 (bug #1037546)
-   [bookworm] - open-vm-tools  (Minor issue)
-   [bullseye] - open-vm-tools  (Minor issue)
NOTE: https://www.vmware.com/security/advisories/VMSA-2023-0013.html
NOTE: https://github.com/vmware/open-vm-tools/tree/CVE-2023-20867.patch
 CVE-2023-20866 (In Spring Session version 3.0.0, the session id can be logged 
to the s ...)


=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[10 Sep 2023] DSA-5493-1 open-vm-tools - security update
+   {CVE-2023-20867 CVE-2023-20900}
+   [bullseye] - open-vm-tools 2:11.2.5-2+deb11u2
+   [bookworm] - open-vm-tools 2:12.2.0-1+deb12u1
 [09 Sep 2023] DSA-5492-1 linux - security update
{CVE-2023-1206 CVE-2023-1989 CVE-2023-2430 CVE-2023-2898 CVE-2023-3611 
CVE-2023-3772 CVE-2023-3773 CVE-2023-3776 CVE-2023-3777 CVE-2023-3863 
CVE-2023-4004 CVE-2023-4015 CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 
CVE-2023-4155 CVE-2023-4194 CVE-2023-4206 CVE-2023-4207 CVE-2023-4208 
CVE-2023-4273 CVE-2023-4569 CVE-2023-4622 CVE-2023-20588 CVE-2023-34319 
CVE-2023-40283}
[bookworm] - linux 6.1.52-1


=
data/dsa-needed.txt
=
@@ -38,8 +38,6 @@ nodejs
 --
 nova/oldstable
 --
-open-vm-tools (jmm)
---
 openjdk-17/oldstable (jmm)
 --
 php-cas/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04ac0cad02e300b994a2028f4238ce1fa57d46d0



[Git][security-tracker-team/security-tracker][master] Revert 535390052, CVE-2022-40626/zabbix after revisiting patch for jessie I'm...

2023-09-10 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74756a30 by Tobias Frost at 2023-09-10T16:16:23+02:00
Revert 535390052, CVE-2022-40626/zabbix after revisiting patch for jessie 
I'm not sure anymore if it has been introduced later
and re-evaluation for buster might be necessary.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -69658,7 +69658,6 @@ CVE-2022-40627
 CVE-2022-40626 (An unauthenticated user can create a link with reflected 
Javascript co ...)
- zabbix 1:6.0.7+dfsg-2
[bullseye] - zabbix  (Minor issue)
-   [buster] - zabbix  (Vulnerable backurl code introduced 
later)
NOTE: https://support.zabbix.com/browse/ZBX-21350
NOTE: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/55eb14d0a394b362d5df00ed9e06a3918472deec
 (6.0.7rc1)
 CVE-2022-40625
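Review bot: dropping the `[buster] - zabbix` line removes the earlier conclusion, but the entry now gives no sign that buster is under re-evaluation, which only the commit message mentions. A `TODO:` or dated NOTE under CVE-2022-40626 stating that the buster status needs to be rechecked would keep the open question visible in the data file.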



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74756a30740aaf3e164057f406b5076e65e0b2d6



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3560-1 for libraw

2023-09-10 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
518240ec by Guilhem Moulin at 2023-09-10T16:15:29+02:00
Reserve DLA-3560-1 for libraw

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[10 Sep 2023] DLA-3560-1 libraw - security update
+   {CVE-2020-22628}
+   [buster] - libraw 0.19.2-2+deb10u4
 [08 Sep 2023] DLA-3559-1 libssh2 - security update
{CVE-2019-13115 CVE-2019-17498 CVE-2020-22218}
[buster] - libssh2 1.8.0-2.1+deb10u1


=
data/dla-needed.txt
=
@@ -107,10 +107,6 @@ imagemagick
   NOTE: 20230622: Added by Front-Desk (Beuc)
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs 
(Beuc/front-desk)
 --
-libraw (guilhem)
-  NOTE: 20230906: Added by Front-Desk (lamby)
-  NOTE: 20230906: Patch for CVE-2023-39615 does not apply cleanly; manually 
apply to line 21278 of dcraw/dcraw.c? (lamby)
---
 libreswan
   NOTE: 20230817: Added by Front-Desk (ta)
   NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to
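Review bot: the removed `libraw` entry's last NOTE is about CVE-2023-39615 ("Patch for CVE-2023-39615 does not apply cleanly"), while the DLA-3560-1 record added in data/DLA/list lists only CVE-2020-22628. Before dropping the entry, make sure the outcome for CVE-2023-39615 in buster is recorded somewhere, for instance in its data/CVE/list entry; otherwise the open question disappears with this hunk.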



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/518240ec70f9768fd01a2956a49af16d0b9d36e3



[Git][security-tracker-team/security-tracker][master] Process one NFU

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce8838d6 by Salvatore Bonaccorso at 2023-09-10T14:53:15+02:00
Process one NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25956,7 +25956,7 @@ CVE-2023-28012 (HCL BigFix Mobile is vulnerable to a 
command injection attack. A
 CVE-2023-28011
RESERVED
 CVE-2023-28010 (In some configuration scenarios, the Domino server host name 
can be ex ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2023-28009 (HCL Workload Automation is vulnerable to an XML External 
Entity Inject ...)
NOT-FOR-US: HCL
 CVE-2023-28008 (HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to 
an XML Ex ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce8838d6819e301703c40d6bba46eddee6a33c1c



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41915/pmix

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8eb33f9f by Salvatore Bonaccorso at 2023-09-10T14:52:42+02:00
Add CVE-2023-41915/pmix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23,7 +23,10 @@ CVE-2023-4865 (A vulnerability has been found in 
SourceCodester Take-Note App 1.
 CVE-2023-4864 (A vulnerability, which was classified as problematic, was found 
in Sou ...)
NOT-FOR-US: SourceCodester Take-Note App
 CVE-2023-41915 (OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows 
attackers to  ...)
-   TODO: check
+   - pmix 
+   NOTE: 
https://github.com/openpmix/openpmix/commit/da036933c2795c1f40d0835e15f17e204e4daf0f
 (v4.2.6)
+   NOTE: 
https://github.com/openpmix/openpmix/commit/0bf9801a3017eb6ca411e158da39570ccb998c17
 (v5.0.1)
+   TODO: to be checked if affects the embedded copy for openmpi
 CVE-2023-4875 (Null pointer dereference when composing from a specially 
crafted draft ...)
- mutt 2.2.12-0.1 (bug #1051563)
NOTE: 
https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555
 (mutt-2-2-12-rel)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8eb33f9f0c15f5455f1900964531170b4e52370e



[Git][security-tracker-team/security-tracker][master] Track fixed version for mutt CVEs via unstable

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
12e01e21 by Salvatore Bonaccorso at 2023-09-10T13:57:25+02:00
Track fixed version for mutt CVEs via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25,13 +25,13 @@ CVE-2023-4864 (A vulnerability, which was classified as 
problematic, was found i
 CVE-2023-41915 (OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows 
attackers to  ...)
TODO: check
 CVE-2023-4875 (Null pointer dereference when composing from a specially 
crafted draft ...)
-   - mutt  (bug #1051563)
+   - mutt 2.2.12-0.1 (bug #1051563)
NOTE: 
https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555
 (mutt-2-2-12-rel)
NOTE: 
https://gitlab.com/muttmua/mutt/-/commit/4cc3128abdf52c615911589394a03271fddeefc6
 (mutt-2-2-12-rel)
NOTE: 
http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20230904/56.html
NOTE: https://www.openwall.com/lists/oss-security/2023/09/09/1
 CVE-2023-4874 (Null pointer dereference when viewing a specially crafted email 
in Mut ...)
-   - mutt  (bug #1051563)
+   - mutt 2.2.12-0.1 (bug #1051563)
NOTE: 
https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555
 (mutt-2-2-12-rel)
NOTE: 
https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0
 (mutt-2-2-12-rel)
NOTE: 
http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20230904/56.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12e01e21d55151be74979ae6bff1980783a1d844



[Git][security-tracker-team/security-tracker][master] Correct tracking for CVE-2023-32360 and associate with cups

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5ebd20ee by Salvatore Bonaccorso at 2023-09-10T12:25:31+02:00
Correct tracking for CVE-2023-32360 and associate with cups

Thanks: Thorsten Alteholz

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10446,7 +10446,8 @@ CVE-2023-32365 (The issue was addressed with improved 
checks. This issue is fixe
 CVE-2023-32363 (A permissions issue was addressed by removing vulnerable code 
and addi ...)
NOT-FOR-US: Apple
 CVE-2023-32360 (An authentication issue was addressed with improved state 
management.  ...)
-   NOT-FOR-US: Apple
+   - cups 
+   NOTE: 
https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
 (v2.4.3)
 CVE-2023-32357 (An authorization issue was addressed with improved state 
management. T ...)
NOT-FOR-US: Apple
 CVE-2023-32355 (A logic issue was addressed with improved state management. 
This issue ...)
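
Review bot: As shown, the new `- cups` line for CVE-2023-32360 has no version or state after the package name, even though the NOTE added right below it ties the upstream fix to v2.4.3. If unstable already ships cups 2.4.3 or later, record that version on the package line; otherwise add a bug reference so the open status can be followed. The description is still the Apple advisory text, so the upstream commit NOTE is the only thing linking this entry to cups and should stay.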



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ebd20eee48bd3f4ca2a5c58610f6a77830a886b



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0161fdec by Salvatore Bonaccorso at 2023-09-10T12:06:12+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,27 +1,27 @@
 CVE-2023-4877 (Exposure of Sensitive Information to an Unauthorized Actor in 
GitHub r ...)
-   TODO: check
+   NOT-FOR-US: hamza417/inure
 CVE-2023-4876 (Exposure of Sensitive Information to an Unauthorized Actor in 
GitHub r ...)
-   TODO: check
+   NOT-FOR-US: hamza417/inure
 CVE-2023-4873 (A vulnerability, which was classified as critical, was found in 
Beijin ...)
-   TODO: check
+   NOT-FOR-US: eijing Baichuo Smart S45F Multi-Service Secure Gateway 
Intelligent Management Platform
 CVE-2023-4872 (A vulnerability, which was classified as critical, has been 
found in S ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Contact Manager App
 CVE-2023-4871 (A vulnerability classified as critical was found in 
SourceCodester Con ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Contact Manager App
 CVE-2023-4870 (A vulnerability classified as problematic has been found in 
SourceCode ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Contact Manager App
 CVE-2023-4869 (A vulnerability was found in SourceCodester Contact Manager App 
1.0. I ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Contact Manager App
 CVE-2023-4868 (A vulnerability was found in SourceCodester Contact Manager App 
1.0. I ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Contact Manager App
 CVE-2023-4867 (A vulnerability was found in Xintian Smart Table Integrated 
Management ...)
-   TODO: check
+   NOT-FOR-US: Xintian Smart Table Integrated Management System
 CVE-2023-4866 (A vulnerability was found in SourceCodester Online Tours & 
Travels Man ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Online Tours & Travels Management System
 CVE-2023-4865 (A vulnerability has been found in SourceCodester Take-Note App 
1.0 and ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Take-Note App
 CVE-2023-4864 (A vulnerability, which was classified as problematic, was found 
in Sou ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Take-Note App
 CVE-2023-41915 (OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows 
attackers to  ...)
TODO: check
 CVE-2023-4875 (Null pointer dereference when composing from a specially 
crafted draft ...)
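
Review bot: Typo on the CVE-2023-4873 line: `NOT-FOR-US: eijing Baichuo Smart S45F ...` has lost its leading "B". The description directly above reads "Beijin ...", so the vendor should be spelled "Beijing Baichuo"; the misspelled string is what anyone searching the list for this vendor will fail to match. CVE-2023-41915 (OpenPMIx PMIx) stays at `TODO: check` in the trailing context, which is consistent with a commit limited to NFUs.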



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0161fdec2bb0727a950d60be12837570d0434706



[Git][security-tracker-team/security-tracker][master] automatic update

2023-09-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bf6301e5 by security tracker role at 2023-09-10T08:12:05+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,29 @@
+CVE-2023-4877 (Exposure of Sensitive Information to an Unauthorized Actor in 
GitHub r ...)
+   TODO: check
+CVE-2023-4876 (Exposure of Sensitive Information to an Unauthorized Actor in 
GitHub r ...)
+   TODO: check
+CVE-2023-4873 (A vulnerability, which was classified as critical, was found in 
Beijin ...)
+   TODO: check
+CVE-2023-4872 (A vulnerability, which was classified as critical, has been 
found in S ...)
+   TODO: check
+CVE-2023-4871 (A vulnerability classified as critical was found in 
SourceCodester Con ...)
+   TODO: check
+CVE-2023-4870 (A vulnerability classified as problematic has been found in 
SourceCode ...)
+   TODO: check
+CVE-2023-4869 (A vulnerability was found in SourceCodester Contact Manager App 
1.0. I ...)
+   TODO: check
+CVE-2023-4868 (A vulnerability was found in SourceCodester Contact Manager App 
1.0. I ...)
+   TODO: check
+CVE-2023-4867 (A vulnerability was found in Xintian Smart Table Integrated 
Management ...)
+   TODO: check
+CVE-2023-4866 (A vulnerability was found in SourceCodester Online Tours & 
Travels Man ...)
+   TODO: check
+CVE-2023-4865 (A vulnerability has been found in SourceCodester Take-Note App 
1.0 and ...)
+   TODO: check
+CVE-2023-4864 (A vulnerability, which was classified as problematic, was found 
in Sou ...)
+   TODO: check
+CVE-2023-41915 (OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows 
attackers to  ...)
+   TODO: check
 CVE-2023-4875 (Null pointer dereference when composing from a specially 
crafted draft ...)
- mutt  (bug #1051563)
NOTE: 
https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555
 (mutt-2-2-12-rel)
@@ -199,6 +225,7 @@ CVE-2023-4623 (A use-after-free vulnerability in the Linux 
kernel's net/sched: s
- linux 
NOTE: 
https://git.kernel.org/linus/b3d26c5702c7d6c45456326e56d2ccf3f103e60f
 CVE-2023-4622 (A use-after-free vulnerability in the Linux kernel's af_unix 
component ...)
+   {DSA-5492-1}
- linux 6.4.13-1
NOTE: https://kernel.dance/790c2f9d15b594350ae9bca7b236f2b1859de02c
 CVE-2023-4621
@@ -212,14 +239,17 @@ CVE-2023-4498 (Tenda N300 Wireless N VDSL2 Modem Router 
allows unauthenticated a
 CVE-2023-4244 (A use-after-free vulnerability in the Linux kernel's netfilter: 
nf_tab ...)
NOTE: Duplicate of CVE-2023-4563 (RedHat assigned)
 CVE-2023-4208 (A use-after-free vulnerability in the Linux kernel's net/sched: 
cls_u3 ...)
+   {DSA-5492-1}
- linux 6.4.11-1
[bullseye] - linux 5.10.191-1
NOTE: 
https://git.kernel.org/linus/3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 (6.5-rc5)
 CVE-2023-4207 (A use-after-free vulnerability in the Linux kernel's net/sched: 
cls_fw ...)
+   {DSA-5492-1}
- linux 6.4.11-1
[bullseye] - linux 5.10.191-1
NOTE: 
https://git.kernel.org/linus/76e42ae831991c828cffa8c37736ebfb831ad5ec (6.5-rc5)
 CVE-2023-4206 (A use-after-free vulnerability in the Linux kernel's net/sched: 
cls_ro ...)
+   {DSA-5492-1}
- linux 6.4.11-1
[bullseye] - linux 5.10.191-1
NOTE: 
https://git.kernel.org/linus/b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 (6.5-rc5)
@@ -729,11 +759,13 @@ CVE-2023-41164
NOTE: 
https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9
 (4.2.5)
NOTE: 
https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e
 (3.2.21)
 CVE-2023-4015 (A use-after-free vulnerability in the Linux kernel's netfilter: 
nf_tab ...)
+   {DSA-5492-1}
- linux 6.4.11-1
[bullseye] - linux  (Vulnerable code not in a Debian 
released version)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/0a771f7b266b02d262900c75f1e175c7fe76fec2 (6.5-rc4)
 CVE-2023-3777 (A use-after-free vulnerability in the Linux kernel's netfilter: 
nf_tab ...)
+   {DSA-5492-1}
- linux 6.4.11-1
[bullseye] - linux 5.10.191-1
[buster] - linux  (Vulnerable code not present)
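
Review bot: On CVE-2023-4015, `{DSA-5492-1}` is attached to an entry whose `[bullseye]` and `[buster]` lines both say the vulnerable code is absent, so the advisory can only apply to a suite that has no line of its own here. Because this cross-reference comes from an automatic update, confirm that DSA-5492-1 really lists CVE-2023-4015 for that suite before relying on the tag.
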
@@ -1832,6 +1864,7 @@ CVE-2023-34724 (An issue was discovered in TECHView 
LA5570 Wireless Gateway 1.0.
 CVE-2023-32457 (Dell PowerScale OneFS, versions 8.2.2.x-9.5.0.x, contains an 
improper  ...)
NOT-FOR-US: Dell
 CVE-2023-4569 (A memory leak flaw was found in nft_set_catchall_flush in 
net/netfilte ...)
+   {DSA-5492-1}
- linux 6.4.13-1
NOTE: 
https://git.kernel.org/linus/90e5b3462efa37b8bba82d7c4e63683856e188af (6.5-rc7)
 CVE-2023-4567
@@ -3537,7 +3570,7 @@ CVE-2023-40292 (Harman Infotainment 20190525031613 and 
later discloses the IP ad