[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3084970d by Thorsten Alteholz at 2023-10-29T23:26:44+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -103,6 +103,7 @@ libreswan -- libspf2 (Thorsten Alteholz) NOTE: 20231016: Added by Front-Desk (ta) + NOTE: 20231029: upstream does not know yet, whether available patch is enough (ta) -- libstb NOTE: 20231029: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3084970d457e06315b65ad7ef42146fd85861787 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3084970d457e06315b65ad7ef42146fd85861787 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
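Review bot: the new "NOTE: 20231029: upstream does not know yet, whether available patch is enough (ta)" line on the libspf2 entry names neither the CVE it refers to nor the patch being discussed, and the 20231016 Front-Desk line above it carries no pointer either; add the CVE ID and a link to the upstream thread or patch so whoever follows up on libspf2 can check progress without reconstructing the context.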
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3638-1 for h2o
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: afc552e0 by Anton Gladky at 2023-10-29T21:57:19+01:00 Reserve DLA-3638-1 for h2o - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Oct 2023] DLA-3638-1 h2o - security update + {CVE-2023-44487} + [buster] - h2o 2.2.5+dfsg2-2+deb10u2 [29 Oct 2023] DLA-3637-1 thunderbird - security update {CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 CVE-2023-5732} [buster] - thunderbird 1:115.4.1-1~deb10u1 = data/dla-needed.txt = @@ -78,9 +78,6 @@ galera-3 (Adrian Bunk) NOTE: 20231028: Added by Front-Desk (gladk) NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk) -- -h2o (gladk) - NOTE: 20231013: Added by Front-Desk (ta) --- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afc552e00ddc08e5828739a01f7712cfcd48663e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afc552e00ddc08e5828739a01f7712cfcd48663e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
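Review bot: the new DLA-3638-1 line in data/DLA/list (CVE-2023-44487, buster h2o 2.2.5+dfsg2-2+deb10u2) and the removal of the h2o entry from data/dla-needed.txt are consistent, but the matching {DLA-3638-1} cross-reference on the CVE-2023-44487 line in data/CVE/list is not in this commit. That reference is normally written by the next "automatic update" run (commit 190a039c in this batch added DLA-3637-1 to the thunderbird CVEs the same way), so check that it lands there; until it does the tracker will still show buster as affected.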
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for mysql-8.0 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5791938c by Salvatore Bonaccorso at 2023-10-29T21:18:57+01:00 Add Debian bug reference for mysql-8.0 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54125,11 +54125,11 @@ CVE-2023-22116 CVE-2023-22115 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.34-1 CVE-2023-22114 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1055034) CVE-2023-22113 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.34-1 CVE-2023-22112 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1055034) CVE-2023-22111 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.34-1 CVE-2023-22110 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) @@ -54147,7 +54147,7 @@ CVE-2023-22105 (Vulnerability in the BI Publisher product of Oracle Analytics (c CVE-2023-22104 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.33-1 CVE-2023-22103 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1055034) CVE-2023-22102 (Vulnerability in the MySQL Connectors product of Oracle MySQL (compone ...) - mysql-connector-java CVE-2023-22101 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) 
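Review bot: in the @@ -54125 and @@ -54147 hunks the "(bug #1055034)" reference is added only to the mysql-8.0 lines that have no fixed version (CVE-2023-22114, CVE-2023-22112, CVE-2023-22103), while entries already fixed in 8.0.34-1 or 8.0.33-1 are left alone, which is the right split. Because the same bug number is attached to every open CVE in this commit, confirm that #1055034 actually lists all of those CVE IDs; otherwise the bug-to-CVE mapping in the tracker is wider than what the bug report says.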
@@ -54159,7 +54159,7 @@ CVE-2023-22099 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virt CVE-2023-22098 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 7.0.12-dfsg-1 CVE-2023-22097 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1055034) CVE-2023-22096 (Vulnerability in the Java VM component of Oracle Database Server. Sup ...) NOT-FOR-US: Oracle CVE-2023-22095 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) @@ -54169,7 +54169,7 @@ CVE-2023-22094 (Vulnerability in the MySQL Installer product of Oracle MySQL (co CVE-2023-22093 (Vulnerability in the Oracle iRecruitment product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2023-22092 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1055034) CVE-2023-22091 (Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE ...) - openjdk-17 17.0.9+9-1 CVE-2023-22090 (Vulnerability in the PeopleSoft Enterprise CC Common Application Objec ...) @@ -54185,7 +54185,7 @@ CVE-2023-22086 (Vulnerability in the Oracle WebLogic Server product of Oracle Fu CVE-2023-22085 (Vulnerability in the Hospitality OPERA 5 Property Services product of ...) NOT-FOR-US: Oracle CVE-2023-22084 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1055034) CVE-2023-22083 (Vulnerability in the Oracle Enterprise Session Border Controller produ ...) NOT-FOR-US: Oracle CVE-2023-22082 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) 
@@ -54199,9 +54199,9 @@ CVE-2023-22081 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK prod CVE-2023-22080 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2023-22079 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1055034) CVE-2023-22078 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1055034) CVE-2023-22077 (Vulnerability in the Oracle Database Recovery Manager component of Ora ...) NOT-FOR-US: Oracle CVE-2023-22076 (Vulnerability in the Oracle Applications Framework product of Oracle E ...) @@ -54217,19 +54217,19 @@ CVE-2023-22072 (Vulnerability in the Oracle WebLogic Server product of Oracle Fu CVE-2023-22071 (Vulnerability in the PL/SQL component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2023-22070 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1055034) CVE-2023-22069 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2023-22068 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1055034) CVE-2023-22067 (Vulnerability in Oracle
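Review bot: this mail is cut off inside the @@ -54217 hunk (the last visible text is "CVE-2023-22067 (Vulnerability in Oracle"), and unlike every other message in this batch it has no "View it on GitLab" link, so the remaining hunks of commit 5791938c cannot be reviewed from here. Check the full diff on salsa before treating this message as the record of which mysql-8.0 entries received the bug reference.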
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 72ba6d11 by Salvatore Bonaccorso at 2023-10-29T21:15:47+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2007-10003 (A vulnerability, which was classified as critical, has been found in T ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2005-10002 (A vulnerability, which was classified as critical, was found in almost ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5840 (Weak Password Recovery Mechanism for Forgotten Password in GitHub repo ...) NOT-FOR-US: LinkStack CVE-2023-5839 (Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72ba6d11f2f040b990eb8d49101bbbd6ae39dd9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72ba6d11f2f040b990eb8d49101bbbd6ae39dd9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
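Review bot: the two entries flipped from "TODO: check" to "NOT-FOR-US: WordPress plugin" (CVE-2007-10003, CVE-2005-10002) only carry the truncated generic description ("A vulnerability, which was classified as critical, ..."), so the NOT-FOR-US line is the only place the affected product is recorded. Naming the plugin, as the neighbouring entries do ("NOT-FOR-US: LinkStack", "NOT-FOR-US: Hestia Control Panel"), would make this triage decision auditable later.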
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 190a039c by security tracker role at 2023-10-29T20:12:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2007-10003 (A vulnerability, which was classified as critical, has been found in T ...) + TODO: check +CVE-2005-10002 (A vulnerability, which was classified as critical, was found in almost ...) + TODO: check CVE-2023-5840 (Weak Password Recovery Mechanism for Forgotten Password in GitHub repo ...) NOT-FOR-US: LinkStack CVE-2023-5839 (Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8 ...) @@ -1014,7 +1018,7 @@ CVE-2023-39619 (ReDos in NPMJS Node Email Check v.1.0.4 allows an attacker to ca CVE-2023-39231 (PingFederate using the PingOne MFA adapter allows a new MFA device to ...) NOT-FOR-US: PingFederate CVE-2023-5732 (An attacker could have created a malicious link using bidirectional ch ...) - {DSA-5538-1 DSA-5535-1 DLA-3632-1} + {DSA-5538-1 DSA-5535-1 DLA-3637-1 DLA-3632-1} - firefox-esr 115.4.0esr-1 - thunderbird 1:115.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-46/#CVE-2023-5732 @@ -1023,7 +1027,7 @@ CVE-2023-5731 (Memory safety bugs present in Firefox 118. Some of these bugs sho - firefox 119.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-45/#CVE-2023-5731 CVE-2023-5730 (Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thun ...) - {DSA-5538-1 DSA-5535-1 DLA-3632-1} + {DSA-5538-1 DSA-5535-1 DLA-3637-1 DLA-3632-1} - firefox 119.0-1 - firefox-esr 115.4.0esr-1 - thunderbird 1:115.4.1-1 
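Review bot: the @@ -1,3 hunk adds CVE-2007-10003 and CVE-2005-10002 as "TODO: check"; both were triaged three minutes later in commit 72ba6d11 ("Process two NFUs") in this batch, so nothing is left open from this run. In the @@ -1014 and @@ -1023 hunks DLA-3637-1 is inserted next to the existing DLA-3632-1 on CVE-2023-5732 and CVE-2023-5730; both IDs appear on the DLA-3637-1 thunderbird line visible in the data/DLA/list context of afc552e0, so the cross-references are correct.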
@@ -1034,7 +1038,7 @@ CVE-2023-5729 (A malicious web site can enter fullscreen mode while simultaneous - firefox 119.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-45/#CVE-2023-5729 CVE-2023-5728 (During garbage collection extra operations were performed on a object ...) - {DSA-5538-1 DSA-5535-1 DLA-3632-1} + {DSA-5538-1 DSA-5535-1 DLA-3637-1 DLA-3632-1} - firefox 119.0-1 - firefox-esr 115.4.0esr-1 - thunderbird 1:115.4.1-1 @@ -1056,7 +1060,7 @@ CVE-2023-5726 (A website could have obscured the full screen notification by usi NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-46/#CVE-2023-5726 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-47/#CVE-2023-5726 CVE-2023-5725 (A malicious installed WebExtension could open arbitrary URLs, which un ...) - {DSA-5538-1 DSA-5535-1 DLA-3632-1} + {DSA-5538-1 DSA-5535-1 DLA-3637-1 DLA-3632-1} - firefox 119.0-1 - firefox-esr 115.4.0esr-1 - thunderbird 1:115.4.1-1 @@ -1064,7 +1068,7 @@ CVE-2023-5725 (A malicious installed WebExtension could open arbitrary URLs, whi NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-46/#CVE-2023-5725 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-47/#CVE-2023-5725 CVE-2023-5724 (Drivers are not always robust to extremely large draw calls and in som ...) - {DSA-5538-1 DSA-5535-1 DLA-3632-1} + {DSA-5538-1 DSA-5535-1 DLA-3637-1 DLA-3632-1} - firefox 119.0-1 - firefox-esr 115.4.0esr-1 - thunderbird 1:115.4.1-1 @@ -1078,7 +1082,7 @@ CVE-2023-5722 (Using iterative requests an attacker was able to learn the size o - firefox 119.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-45/#CVE-2023-5722 CVE-2023-5721 (It was possible for certain browser prompts and dialogs to be activate ...) - {DSA-5538-1 DSA-5535-1 DLA-3632-1} + {DSA-5538-1 DSA-5535-1 DLA-3637-1 DLA-3632-1} - firefox 119.0-1 - firefox-esr 115.4.0esr-1 - thunderbird 1:115.4.1-1 
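Review bot: these hunks add DLA-3637-1 to CVE-2023-5728, CVE-2023-5725, CVE-2023-5724 and CVE-2023-5721; together with CVE-2023-5730 and CVE-2023-5732 from the previous hunks that is exactly the six-CVE set {CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 CVE-2023-5732} on the DLA-3637-1 line in data/DLA/list, so the set is complete. The firefox-only context entries (CVE-2023-5729, CVE-2023-5722) are correctly untouched.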
@@ -54187,7 +54191,7 @@ CVE-2023-22083 (Vulnerability in the Oracle Enterprise Session Border Controller CVE-2023-22082 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2023-22081 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK product of ...) - {DSA-5537-1} + {DSA-5537-1 DLA-3636-1} - openjdk-8 8u392-ga-1 - openjdk-11 11.0.21+9-1 - openjdk-17 17.0.9+9-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/190a039c48b66be4966c08aeed1440aa15edc63f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/190a039c48b66be4966c08aeed1440aa15edc63f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list
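Review bot: DLA-3636-1 is added beside DSA-5537-1 on CVE-2023-22081, but the data/DLA/list entry for DLA-3636-1 is not shown in this mail, and the CVE line lists fixes for three source packages (openjdk-8, openjdk-11, openjdk-17); check that the DLA-3636-1 entry names CVE-2023-22081 and the openjdk source package that was actually uploaded for buster. The mail is also truncated after "debian-security-tracker-commits mailing list", so no later hunks of this run are visible here.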
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ebbcd9a5 by Salvatore Bonaccorso at 2023-10-29T21:04:49+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2023-5840 (Weak Password Recovery Mechanism for Forgotten Password in GitHub repo ...) - TODO: check + NOT-FOR-US: LinkStack CVE-2023-5839 (Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8 ...) NOT-FOR-US: Hestia Control Panel CVE-2023-5838 (Insufficient Session Expiration in GitHub repository linkstackorg/link ...) - TODO: check + NOT-FOR-US: LinkStack CVE-2023-5837 (A vulnerability classified as problematic was found in AlexanderLivano ...) NOT-FOR-US: AlexanderLivanov FotosCMS2 CVE-2023-5836 (A vulnerability was found in SourceCodester Task Reminder System 1.0. ...) 
@@ -169595,15 +169595,15 @@ CVE-2021-33640 (After tar_close(), libtar.c releases the memory pointed to by po CVE-2021-33639 (REMAP cmd of SVM driver can be used to remap read only memory as read- ...) NOT-FOR-US: OpenEuler CVE-2021-33638 (When the isula cp command is used to copy files from a container to a ...) - TODO: check + NOT-FOR-US: OpenEuler iSulad CVE-2021-33637 (When the isula export command is used to export a container to an imag ...) - TODO: check + NOT-FOR-US: OpenEuler iSulad CVE-2021-33636 (When the isula load command is used to load malicious images, attacker ...) - TODO: check + NOT-FOR-US: OpenEuler iSulad CVE-2021-33635 (When malicious images are pulled by isula pull, attackers can execute ...) - TODO: check + NOT-FOR-US: OpenEuler iSulad CVE-2021-33634 (iSulad uses the lcr+lxc runtime (default) to run malicious images, whi ...) - TODO: check + NOT-FOR-US: OpenEuler lcr CVE-2021-33633 RESERVED CVE-2021-33632 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebbcd9a57e9f75d72ab1b84525c57bf787b7c803 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebbcd9a57e9f75d72ab1b84525c57bf787b7c803 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
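Review bot: CVE-2021-33634 is set to "NOT-FOR-US: OpenEuler lcr", but its description says iSulad runs images through "the lcr+lxc runtime"; lxc is packaged in Debian, so confirm the flaw is in lcr (the openEuler wrapper) rather than in lxc before leaving it NFU. The four entries above it (CVE-2021-33635 to CVE-2021-33638) describe the isula pull, load, export and cp commands, which are iSulad-only, so "NOT-FOR-US: OpenEuler iSulad" is fine for those; the two LinkStack entries in the first hunk are likewise uncontroversial.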
[Git][security-tracker-team/security-tracker][master] LTS add memcached
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ba968ee5 by Anton Gladky at 2023-10-29T20:55:01+01:00 LTS add memcached - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -121,6 +121,9 @@ linux-5.10 mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- +memcached + NOTE: 20231029: Added by Front-Desk (gladk) +-- mosquitto NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba968ee5aed1ee863489a7a7a58afb3116878b11 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba968ee5aed1ee863489a7a7a58afb3116878b11 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
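Review bot: the new memcached entry in data/dla-needed.txt carries only the "Added by Front-Desk (gladk)" line and no CVE ID or hint about the issue to be evaluated; the mosquitto entry just below it shows how a status note helps later readers ("Waiting for upstream clarification how to proceed with open CVE"), so add at least the CVE ID(s) that triggered the addition so the claimer knows what to look at.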
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-42445 as no-dsa for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: a6540828 by Anton Gladky at 2023-10-29T20:49:01+01:00 Mark CVE-2023-42445 as no-dsa for buster - - - - - 2ae22b88 by Anton Gladky at 2023-10-29T20:49:45+01:00 LTS add knot-resolver - - - - - 8be5dbb5 by Anton Gladky at 2023-10-29T20:53:46+01:00 LTS add libstb - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4080,6 +4080,7 @@ CVE-2023-42445 (Gradle is a build tool with a focus on build automation and supp - gradle [bookworm] - gradle (Minor issue) [bullseye] - gradle (Minor issue) + [buster] - gradle (Minor issue) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8 CVE-2023-41950 (Cross-Site Request Forgery (CSRF) vulnerability in Laposta - Roel Bous ...) NOT-FOR-US: WordPress plugin = data/dla-needed.txt = @@ -93,6 +93,9 @@ imagemagick jetty9 (Markus Koschany) NOTE: 20231011: Added by Front-Desk (ta) -- +knot-resolver + NOTE: 20231029: Added by Front-Desk (gladk) +-- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to 
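Review bot: the gradle hunk adds "[buster] - gradle (Minor issue)", which is consistent with the existing bookworm and bullseye "(Minor issue)" annotations for CVE-2023-42445, so nothing to flag there. The new knot-resolver entry in data/dla-needed.txt, like the memcached one added in ba968ee5, records no CVE ID; add one so the person claiming it knows which issue the Front-Desk had in mind.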
@@ -104,6 +107,11 @@ libreswan libspf2 (Thorsten Alteholz) NOTE: 20231016: Added by Front-Desk (ta) -- +libstb + NOTE: 20231029: Added by Front-Desk (gladk) + NOTE: 20231029: A lot of open CVEs. Maybe duplicates. + NOTE: 20231029: If you take a package, please evaluate it as well as its importance. +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f92b09c1de83c27ee21cdebc8c88710e2c0fdff8...8be5dbb500f0a3c0220487b9ed7b96b7cba78fc5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f92b09c1de83c27ee21cdebc8c88710e2c0fdff8...8be5dbb500f0a3c0220487b9ed7b96b7cba78fc5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
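Review bot: the libstb note "A lot of open CVEs. Maybe duplicates." asks the claimer to deduplicate without saying which CVE IDs are meant; listing them (or the tracker URL for the libstb source package) would make the task concrete. The third line, "If you take a package, please evaluate it as well as its importance", is general guidance rather than anything specific to libstb and may be better placed in the file's header comment than repeated per package.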
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-1193/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f92b09c1 by Salvatore Bonaccorso at 2023-10-29T20:47:48+01:00 Update status for CVE-2023-1193/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34777,10 +34777,11 @@ CVE-2023-1194 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154176 CVE-2023-1193 RESERVED - - linux + - linux 6.3.7-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154177 + NOTE: https://git.kernel.org/linus/3a9b557f44ea8f216aab515a7db20e23f0eb51b9 (6.3-rc6) CVE-2023-1192 RESERVED - linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f92b09c1de83c27ee21cdebc8c88710e2c0fdff8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f92b09c1de83c27ee21cdebc8c88710e2c0fdff8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
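Review bot: the CVE-2023-1193 entry now has a fixed version (6.3.7-1, consistent with the referenced fix commit 3a9b557f44ea8f being in 6.3-rc6) and "Vulnerable code not present" for bullseye and buster, but no [bookworm] line. Without one the tracker treats bookworm's 6.1 kernel as affected until 6.3.7-1; if the vulnerable code was introduced between 6.1 and 6.3, as the bullseye/buster annotations suggest is plausible, add an explicit bookworm annotation, and if bookworm is affected, say so in a NOTE so the gap is not read as an oversight.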
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-5158/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5120d69e by Salvatore Bonaccorso at 2023-10-29T20:41:58+01:00 Update status for CVE-2023-5158/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6159,7 +6159,7 @@ CVE-2023-5166 (Docker Desktop before 4.23.0 allows Access Token theft via a craf CVE-2023-5165 (Docker Desktop before 4.23.0 allows an unprivileged user to bypass Enh ...) NOT-FOR-US: Docker Desktop CVE-2023-5158 (A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in t ...) - - linux + - linux 6.5.8-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://lore.kernel.org/virtualization/20230925103057.104541-1-sgarz...@redhat.com/T/#u View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5120d69e8e34cdb7ca8dd8bafe3df61b3bdb2df0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5120d69e8e34cdb7ca8dd8bafe3df61b3bdb2df0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
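Review bot: the CVE-2023-5158 line gets the fixed version 6.5.8-1, but the only reference is the lore.kernel.org patch thread; the adjacent CVE-2023-1193 update in f92b09c1 records the upstream commit ID with its release tag ("git.kernel.org/linus/... (6.3-rc6)"), and the same would help here so the 6.5.8-1 claim can be verified against the stable tree without re-reading the thread. Bookworm has no annotation either, so it will show as affected until 6.5.8-1; confirm that is intended.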
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-4610/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a59f13b by Salvatore Bonaccorso at 2023-10-29T20:40:14+01:00 Update status for CVE-2023-4610/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4520,9 +4520,10 @@ CVE-2023-5366 (A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Adve NOTE: https://github.com/openvswitch/ovs/commit/694c7b4e097c4d89e23ea9b3c7b677b4fcbe0459 (v3.1.2) NOTE: https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c (v3.2.0) CVE-2023-4610 - - linux + - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229691 NOTE: https://www.spinics.net/lists/kernel/msg4920917.html + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1215932 CVE-2023-5353 (Improper Access Control in GitHub repository salesagility/suitecrm pri ...) NOT-FOR-US: suitecrm CVE-2023-5351 (Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a59f13bf407a062a32403363424374a720c43c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a59f13bf407a062a32403363424374a720c43c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
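Review bot: changing the unversioned "- linux" line to "- linux (Vulnerable code not present)" marks every suite, including unstable, as unaffected for CVE-2023-4610; the only justification visible is the newly added bugzilla.suse.com link. A one-line NOTE stating why the code is absent (which driver, config option or code path) would let the next reader verify the decision without following three external links, as the CVE-2023-35828 entry in d5ae7d54 does with its "USB_RENESAS_USB3 not enabled in Debian" note.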
[Git][security-tracker-team/security-tracker][master] Track fix via unstable for CVE-2023-35827/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d5ae7d54 by Salvatore Bonaccorso at 2023-10-29T19:29:46+01:00 Track fix via unstable for CVE-2023-35827/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19093,7 +19093,7 @@ CVE-2023-35828 (An issue was discovered in the Linux kernel before 6.3.2. A use- NOTE: USB_RENESAS_USB3 not enabled in Debian NOTE: Only "exploitable" by removing the module which needs root privileges CVE-2023-35827 (An issue was discovered in the Linux kernel through 6.3.8. A use-after ...) - - linux + - linux 6.5.8-1 NOTE: https://lore.kernel.org/lkml/cca0b40b-d6f8-54c7-1e46-83cb62d0a2f1%40huawei.com/T/ CVE-2023-35826 (An issue was discovered in the Linux kernel before 6.3.2. A use-after- ...) - linux 6.3.7-1 (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5ae7d54a3b0eb3f10d72ace7334c1decc8016ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5ae7d54a3b0eb3f10d72ace7334c1decc8016ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
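Review bot: CVE-2023-35827 now tracks 6.5.8-1 as fixed, but unlike its neighbours it has no severity or exploitability note: CVE-2023-35826 is "(unimportant)" and CVE-2023-35828 carries "Only 'exploitable' by removing the module which needs root privileges". With no bookworm, bullseye or buster annotation the entry will show all three as affected; if this use-after-free is in the same class (module unload only), add the same rationale, and if it is not, say what distinguishes it.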
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2023-42295/openimageio
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f26ee29 by Salvatore Bonaccorso at 2023-10-29T17:13:09+01:00 Track fixed version via unstable for CVE-2023-42295/openimageio - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1160,7 +1160,7 @@ CVE-2023-43065 (Dell Unity prior to 5.3 contains a Cross-site scripting vulnerab CVE-2023-43045 (IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could ...) NOT-FOR-US: IBM CVE-2023-42295 (An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to ex ...) - - openimageio (bug #1054873) + - openimageio 2.4.16.0+dfsg-1 (bug #1054873) NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/3947 NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/3948 NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/15750af31a5d130ea63ac133453eb5448cefa636 (v2.5.3.0-beta1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f26ee295083e9eb80232545dc7405b5dbb1e4d8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f26ee295083e9eb80232545dc7405b5dbb1e4d8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
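Review bot: the fixed version is set to 2.4.16.0+dfsg-1, but the "Fixed by:" NOTE two lines down tags the upstream fix commit 15750af31a5d as v2.5.3.0-beta1; a reader comparing the two will take the 2.4.x number for a mistake. Add a NOTE saying the fix was backported into the 2.4 series upstream (or cherry-picked in the Debian package), citing the 2.4.16.0 release or the Debian changelog entry, so the discrepancy is documented.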
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2023-45897/exfatprogs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e51e211f by Salvatore Bonaccorso at 2023-10-29T14:16:31+01:00 Track fixed version via unstable for CVE-2023-45897/exfatprogs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18,7 +18,7 @@ CVE-2023-46858 (Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= re CVE-2023-46854 (Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxm ...) NOT-FOR-US: Proxmox proxmox-widget-toolkit CVE-2023-45897 (exfatprogs before 1.2.2 allows out-of-bounds memory access, such as in ...) - - exfatprogs + - exfatprogs 1.2.2-1 NOTE: https://github.com/exfatprogs/exfatprogs/commit/ec78688e5fb5a70e13df82b4c0da1e6228d3ccdf (1.2.2) NOTE: https://github.com/exfatprogs/exfatprogs/commit/22d0e43e8d24119cbfc6efafabb0dec6517a86c4 (1.2.2) NOTE: https://github.com/exfatprogs/exfatprogs/commit/4abc55e976573991e6a1117bb2b3711e59da07ae (1.2.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e51e211fbea9b3e87cc14c98022a936da280d834 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e51e211fbea9b3e87cc14c98022a936da280d834 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for two maradns issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: afe12245 by Salvatore Bonaccorso at 2023-10-29T13:33:28+01:00 Track fixed version for two maradns issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24024,7 +24024,7 @@ CVE-2023-31138 (DHIS2 Core contains the service layer and Web API for DHIS2, an NOT-FOR-US: DHIS2 CVE-2023-31137 (MaraDNS is open-source software that implements the Domain Name System ...) {DSA-5441-1 DLA-3457-1} - - maradns (bug #1035936) + - maradns 2.0.13-1.5 (bug #1035936) NOTE: https://github.com/samboy/MaraDNS/commit/bab062bde40b2ae8a91eecd522e84d8b993bab58 NOTE: https://github.com/samboy/MaraDNS/security/advisories/GHSA-58m7-826v-9c3c CVE-2023-31136 (PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO ...) 
@@ -106721,7 +106721,7 @@ CVE-2022-30257 (An issue was discovered in Technitium DNS Server through 8.0.2 t NOT-FOR-US: Technitium DNS Server CVE-2022-30256 (An issue was discovered in MaraDNS Deadwood through 3.5.0021 that allo ...) {DSA-5441-1 DLA-3457-1} - - maradns (bug #1033252) + - maradns 2.0.13-1.5 (bug #1033252) NOTE: https://maradns.samiam.org/security.html#CVE-2022-30256 NOTE: https://raw.githubusercontent.com/samboy/MaraDNS/73af12e71890055f1728c1b7ccd900401f2fdf03/deadwood-github/update/3.4.03/deadwood-3.4.02-manylabel-TTL.patch NOTE: https://raw.githubusercontent.com/samboy/MaraDNS/73af12e71890055f1728c1b7ccd900401f2fdf03/deadwood-github/update/3.4.03/deadwood-3.4.02-cname-TTL.patch View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afe1224502f0eb7fad4db28bdb6d6dc6be0598d9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afe1224502f0eb7fad4db28bdb6d6dc6be0598d9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
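Review bot: both maradns entries (CVE-2023-31137 in the @@ -24024 hunk and CVE-2022-30256 here) now point at 2.0.13-1.5 as the unstable fix, with DSA-5441-1 and DLA-3457-1 already listed, so unstable was fixed after the stable advisories. Since 2.0.13-1.5 is a Debian-revision-only bump, confirm that its changelog actually closes #1035936 and #1033252 (or names the two CVEs) rather than being the first upload after the advisories; if the fix was the same patch set as the DSA, a NOTE saying so would help.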
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for CVE-2023-46129
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 03b2da62 by Salvatore Bonaccorso at 2023-10-29T11:46:14+01:00 Add Debian bug references for CVE-2023-46129 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35,11 +35,11 @@ CVE-2023-5426 (The Post Meta Data Manager plugin for WordPress is vulnerable to CVE-2023-5425 (The Post Meta Data Manager plugin for WordPress is vulnerable to unaut ...) NOT-FOR-US: WordPress plugin CVE-2023-46129 [nkeys: xkeys Seal encryption used fixed key for all encryption] - - golang-github-nats-io-nkeys + - golang-github-nats-io-nkeys (bug #1055010) [bookworm] - golang-github-nats-io-nkeys (Vulnerable code not present) [bullseye] - golang-github-nats-io-nkeys (Vulnerable code not present) [buster] - golang-github-nats-io-nkeys (Vulnerable code not present) - - nats-server + - nats-server (bug #1055011) [bookworm] - nats-server (Vulnerable code not present) NOTE: https://advisories.nats.io/CVE/secnote-2023-02.txt NOTE: https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03b2da62b32f26bc80b3624a38eb9d34e298df8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03b2da62b32f26bc80b3624a38eb9d34e298df8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
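Review bot: the golang-github-nats-io-nkeys entry is annotated "Vulnerable code not present" for bookworm, bullseye and buster, but nats-server only has the bookworm annotation in the visible context; if nats-server is shipped in bullseye or buster the same annotation is needed there too, otherwise those suites will show as affected for CVE-2023-46129 while the library they vendor is marked clean. The two new bug references (#1055010, #1055011) are fine as they stand.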
[Git][security-tracker-team/security-tracker][master] Track fixed version for request-tracker4 issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f39b4db2 by Salvatore Bonaccorso at 2023-10-29T11:43:48+01:00 Track fixed version for requsest-tracker4 issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1851,12 +1851,12 @@ CVE-2023-45024 NOTE: https://github.com/bestpractical/rt/releases/tag/rt-5.0.5 CVE-2023-41260 - request-tracker5 5.0.5+dfsg-1 (bug #1054517) - - request-tracker4 (bug #1054516) + - request-tracker4 4.4.7+dfsg-1 (bug #1054516) NOTE: https://github.com/bestpractical/rt/releases/tag/rt-5.0.5 NOTE: https://github.com/bestpractical/rt/releases/tag/rt-4.4.7 CVE-2023-41259 - request-tracker5 5.0.5+dfsg-1 (bug #1054517) - - request-tracker4 (bug #1054516) + - request-tracker4 4.4.7+dfsg-1 (bug #1054516) NOTE: https://github.com/bestpractical/rt/releases/tag/rt-5.0.5 NOTE: https://github.com/bestpractical/rt/releases/tag/rt-4.4.7 CVE-2023-5639 (The Team Showcase plugin for WordPress is vulnerable to Stored Cross-S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f39b4db291886824359dab9c7ab35d6848fd7294 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f39b4db291886824359dab9c7ab35d6848fd7294 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
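Review bot: both request-tracker4 lines now carry 4.4.7+dfsg-1 as the unstable fix, matching the rt-4.4.7 NOTE, but neither CVE-2023-41260 nor CVE-2023-41259 has a suite annotation for the stable releases that ship request-tracker4, so those remain listed as affected with no severity decision recorded; a <no-dsa>/<postponed> marker or a fixed version should follow once the issues are triaged for stable.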
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 118cc1f1 by Salvatore Bonaccorso at 2023-10-29T11:38:46+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -92,23 +92,23 @@ CVE-2023-43322 (ZPE Systems, Inc Nodegrid OS v5.0.0 to v5.0.17, v5.2.0 to v5.2.1 CVE-2023-40140 (In android_view_InputDevice_create of android_view_InputDevice.cpp, th ...) NOT-FOR-US: Android CVE-2023-40139 (In FillUi of FillUi.java, there is a possible way to view another user ...) - TODO: check + NOT-FOR-US: Android CVE-2023-40138 (In FillUi of FillUi.java, there is a possible way to view another user ...) - TODO: check + NOT-FOR-US: Android CVE-2023-40137 (In multiple functions of DialogFillUi.java, there is a possible way to ...) - TODO: check + NOT-FOR-US: Android CVE-2023-40136 (In setHeader of DialogFillUi.java, there is a possible way to view ano ...) - TODO: check + NOT-FOR-US: Android CVE-2023-40135 (In applyCustomDescription of SaveUi.java, there is a possible way to v ...) - TODO: check + NOT-FOR-US: Android CVE-2023-40134 (In isFullScreen of FillUi.java, there is a possible way to view anothe ...) - TODO: check + NOT-FOR-US: Android CVE-2023-40133 (In multiple locations of DialogFillUi.java, there is a possible way to ...) - TODO: check + NOT-FOR-US: Android CVE-2023-40131 (In GpuService of GpuService.cpp, there is a possible use after free du ...) - TODO: check + NOT-FOR-US: Android CVE-2023-40130 (In onBindingDied of CallRedirectionProcessor.java, there is a possible ...) - TODO: check + NOT-FOR-US: Android CVE-2023-40129 (In build_read_multi_rsp of gatt_sr.cc, there is a possible out of boun ...) NOT-FOR-US: Android CVE-2023-40128 (In several functions of xmlregexp.c, there is a possible out of bounds ...) 
@@ -46651,7 +46651,7 @@ CVE-2023-23769 CVE-2023-23768 RESERVED CVE-2023-23767 (Incorrect Permission Assignment for Critical Resource in GitHub Enterp ...) - TODO: check + NOT-FOR-US: Github Enterprise Server CVE-2023-23766 (An incorrect comparison vulnerability was identified in GitHub Enterpr ...) NOT-FOR-US: Github Enterprise Server CVE-2023-23765 (An incorrect comparison vulnerability was identified in GitHub Enterpr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/118cc1f15c6cee1fd9a43d92d01f664cfcff2226 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/118cc1f15c6cee1fd9a43d92d01f664cfcff2226 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
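Review bot: CVE-2023-40128, the unchanged context entry at the end of the first hunk, is described against xmlregexp.c, which is a libxml2 source file; its classification is not visible here, but it should not be swept into NOT-FOR-US: Android alongside the nine FillUi/DialogFillUi/SaveUi/GpuService/CallRedirectionProcessor entries without checking whether Debian's libxml2 carries the same out-of-bounds access. The nine reclassifications themselves are consistent with the neighbouring CVE-2023-40140 and CVE-2023-40129 lines, and the second hunk's "Github Enterprise Server" spelling matches the adjacent CVE-2023-23766/23765 entries.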
[Git][security-tracker-team/security-tracker][master] Track fixed version for request-tracker5 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 86448606 by Salvatore Bonaccorso at 2023-10-29T11:09:00+01:00 Track fixed version for request-tracker5 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1847,15 +1847,15 @@ CVE-2023-35126 (An out-of-bounds write vulnerability exists within the parsers f CVE-2023-34366 (A use-after-free vulnerability exists in the Figure stream parsing fun ...) NOT-FOR-US: Ichitaro CVE-2023-45024 - - request-tracker5 (bug #1054517) + - request-tracker5 5.0.5+dfsg-1 (bug #1054517) NOTE: https://github.com/bestpractical/rt/releases/tag/rt-5.0.5 CVE-2023-41260 - - request-tracker5 (bug #1054517) + - request-tracker5 5.0.5+dfsg-1 (bug #1054517) - request-tracker4 (bug #1054516) NOTE: https://github.com/bestpractical/rt/releases/tag/rt-5.0.5 NOTE: https://github.com/bestpractical/rt/releases/tag/rt-4.4.7 CVE-2023-41259 - - request-tracker5 (bug #1054517) + - request-tracker5 5.0.5+dfsg-1 (bug #1054517) - request-tracker4 (bug #1054516) NOTE: https://github.com/bestpractical/rt/releases/tag/rt-5.0.5 NOTE: https://github.com/bestpractical/rt/releases/tag/rt-4.4.7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8644860675594c463bdf42b66f1b27295858b470 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8644860675594c463bdf42b66f1b27295858b470 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
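Review bot: the request-tracker4 lines under CVE-2023-41260 and CVE-2023-41259 still record only the bug reference although the NOTE already points at the rt-4.4.7 release tag; once the corresponding 4.4.7 upload reaches unstable its version should be tracked on those lines too, as is done here for request-tracker5 5.0.5+dfsg-1, otherwise the tracker keeps showing request-tracker4 as unfixed in unstable.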
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3637-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 737b371c by Emilio Pozuelo Monfort at 2023-10-29T10:05:16+01:00 Reserve DLA-3637-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Oct 2023] DLA-3637-1 thunderbird - security update + {CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 CVE-2023-5732} + [buster] - thunderbird 1:115.4.1-1~deb10u1 [29 Oct 2023] DLA-3636-1 openjdk-11 - security update {CVE-2023-22081} [buster] - openjdk-11 11.0.21+9-1~deb10u1 = data/dla-needed.txt = @@ -226,9 +226,6 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Emilio) - NOTE: 20231025: Added by pochu --- trafficserver (Adrian Bunk) NOTE: 20231011: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/737b371ca077f9a285325a6f030b1dfbce51c28e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/737b371ca077f9a285325a6f030b1dfbce51c28e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-45897/exfatprogs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: de600216 by Salvatore Bonaccorso at 2023-10-29T09:36:46+01:00 Add CVE-2023-45897/exfatprogs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18,7 +18,10 @@ CVE-2023-46858 (Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= re CVE-2023-46854 (Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxm ...) NOT-FOR-US: Proxmox proxmox-widget-toolkit CVE-2023-45897 (exfatprogs before 1.2.2 allows out-of-bounds memory access, such as in ...) - TODO: check + - exfatprogs + NOTE: https://github.com/exfatprogs/exfatprogs/commit/ec78688e5fb5a70e13df82b4c0da1e6228d3ccdf (1.2.2) + NOTE: https://github.com/exfatprogs/exfatprogs/commit/22d0e43e8d24119cbfc6efafabb0dec6517a86c4 (1.2.2) + NOTE: https://github.com/exfatprogs/exfatprogs/commit/4abc55e976573991e6a1117bb2b3711e59da07ae (1.2.2) CVE-2023-43041 (IBM QRadar SIEM 7.5 is vulnerable to information exposure allowing a d ...) NOT-FOR-US: IBM CVE-2023-40686 (Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de600216111cf49b5d590580fe0832e4516e325d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de600216111cf49b5d590580fe0832e4516e325d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
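Review bot: the exfatprogs entry records three upstream commits, all tagged (1.2.2) and therefore consistent with the "before 1.2.2" description, but no Debian bug reference and no suite annotations, unlike the request-tracker entries in this digest that pair the source with (bug #NNNNNN); a bug should be filed so the maintainer is notified, and a no-dsa or update decision recorded for the stable suites, given that exfatprogs parses filesystem images that may come from untrusted media.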
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-46858/moodle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ad666de by Salvatore Bonaccorso at 2023-10-29T09:36:23+01:00 Add CVE-2023-46858/moodle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14,7 +14,7 @@ CVE-2023-46862 (An issue was discovered in the Linux kernel through 6.5.9. Durin NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=218032#c4 NOTE: https://git.kernel.org/linus/7644b1a1c9a7ae8ab99175989bfc8676055edb46 CVE-2023-46858 (Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflecte ...) - TODO: check + - moodle CVE-2023-46854 (Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxm ...) NOT-FOR-US: Proxmox proxmox-widget-toolkit CVE-2023-45897 (exfatprogs before 1.2.2 allows out-of-bounds memory access, such as in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ad666decde4bd315f4ae1b6173d8a6632313eaa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ad666decde4bd315f4ae1b6173d8a6632313eaa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a04fe5c by Salvatore Bonaccorso at 2023-10-29T09:35:22+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2023-5840 (Weak Password Recovery Mechanism for Forgotten Password in GitHub repo ...) TODO: check CVE-2023-5839 (Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8 ...) - TODO: check + NOT-FOR-US: Hestia Control Panel CVE-2023-5838 (Insufficient Session Expiration in GitHub repository linkstackorg/link ...) TODO: check CVE-2023-5837 (A vulnerability classified as problematic was found in AlexanderLivano ...) - TODO: check + NOT-FOR-US: AlexanderLivanov FotosCMS2 CVE-2023-5836 (A vulnerability was found in SourceCodester Task Reminder System 1.0. ...) - TODO: check + NOT-FOR-US: SourceCodester Task Reminder System CVE-2023-46862 (An issue was discovered in the Linux kernel through 6.5.9. During a ra ...) - linux [buster] - linux (Vulnerable code not present) @@ -16,7 +16,7 @@ CVE-2023-46862 (An issue was discovered in the Linux kernel through 6.5.9. Durin CVE-2023-46858 (Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflecte ...) TODO: check CVE-2023-46854 (Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxm ...) - TODO: check + NOT-FOR-US: Proxmox proxmox-widget-toolkit CVE-2023-45897 (exfatprogs before 1.2.2 allows out-of-bounds memory access, such as in ...) TODO: check CVE-2023-43041 (IBM QRadar SIEM 7.5 is vulnerable to information exposure allowing a d ...) 
@@ -26,11 +26,11 @@ CVE-2023-40686 (Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navig CVE-2023-40685 (Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator c ...) NOT-FOR-US: IBM CVE-2023-5835 (A vulnerability classified as problematic was found in hu60t hu60wap6. ...) - TODO: check + NOT-FOR-US: hu60t hu60wap6 CVE-2023-5426 (The Post Meta Data Manager plugin for WordPress is vulnerable to unaut ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5425 (The Post Meta Data Manager plugin for WordPress is vulnerable to unaut ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-46129 [nkeys: xkeys Seal encryption used fixed key for all encryption] - golang-github-nats-io-nkeys [bookworm] - golang-github-nats-io-nkeys (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a04fe5c9f7ff3607a6e4e96ce2c05382982b96b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a04fe5c9f7ff3607a6e4e96ce2c05382982b96b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process three NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bcf3f37d by Salvatore Bonaccorso at 2023-10-29T09:31:07+01:00 Process three NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20,11 +20,11 @@ CVE-2023-46854 (Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple CVE-2023-45897 (exfatprogs before 1.2.2 allows out-of-bounds memory access, such as in ...) TODO: check CVE-2023-43041 (IBM QRadar SIEM 7.5 is vulnerable to information exposure allowing a d ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-40686 (Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator c ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-40685 (Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator c ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-5835 (A vulnerability classified as problematic was found in hu60t hu60wap6. ...) TODO: check CVE-2023-5426 (The Post Meta Data Manager plugin for WordPress is vulnerable to unaut ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcf3f37d818a4a3c9898c17022b95876e606069c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcf3f37d818a4a3c9898c17022b95876e606069c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-46862/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 047a29cc by Salvatore Bonaccorso at 2023-10-29T09:29:13+01:00 Add CVE-2023-46862/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,10 @@ CVE-2023-5837 (A vulnerability classified as problematic was found in AlexanderL CVE-2023-5836 (A vulnerability was found in SourceCodester Task Reminder System 1.0. ...) TODO: check CVE-2023-46862 (An issue was discovered in the Linux kernel through 6.5.9. During a ra ...) - TODO: check + - linux + [buster] - linux (Vulnerable code not present) + NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=218032#c4 + NOTE: https://git.kernel.org/linus/7644b1a1c9a7ae8ab99175989bfc8676055edb46 CVE-2023-46858 (Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflecte ...) TODO: check CVE-2023-46854 (Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxm ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/047a29ccb982f930be0af36bdfdb39af3c2eebd1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/047a29ccb982f930be0af36bdfdb39af3c2eebd1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
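Review bot: only buster is annotated as "Vulnerable code not present", so bullseye (5.10) and bookworm (6.1) stay listed as affected; the entry should note whether upstream commit 7644b1a1c9a7 is queued for the 5.10.y/6.1.y stable series or needs a backport, and the unstable fixed version should be recorded once a kernel upload containing that commit lands. The bugzilla link (#218032, comment 4) is the right anchor for the "through 6.5.9" range, but a one-line NOTE naming the affected subsystem would save the next triager a lookup.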
[Git][security-tracker-team/security-tracker][master] Take node-browserify-sign for DSA release
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fb3afd9d by Salvatore Bonaccorso at 2023-10-29T09:20:54+01:00 Take node-browserify-sign for DSA release - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -38,7 +38,7 @@ nbconvert/oldstable -- nghttp2 -- -node-browserify-sign +node-browserify-sign (carnil) Yadd proposed an update -- nodejs View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb3afd9da34be11bba21c5ffac74114e2e078686 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb3afd9da34be11bba21c5ffac74114e2e078686 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3636-1 for openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 47feabec by Emilio Pozuelo Monfort at 2023-10-29T09:13:43+01:00 Reserve DLA-3636-1 for openjdk-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Oct 2023] DLA-3636-1 openjdk-11 - security update + {CVE-2023-22081} + [buster] - openjdk-11 11.0.21+9-1~deb10u1 [29 Oct 2023] DLA-3635-1 node-browserify-sign - security update {CVE-2023-46234} [buster] - node-browserify-sign 4.0.4-2+deb10u1 = data/dla-needed.txt = @@ -144,9 +144,6 @@ opendkim NOTE: 20230821: Added by Front-Desk (ta) NOTE: 20231006: Unfixed upstream as of today. (spwhitton) -- -openjdk-11 (Emilio) - NOTE: 20231019: Added by pochu --- osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47feabec02fb72c10cb16014c4a0867c55485d25 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47feabec02fb72c10cb16014c4a0867c55485d25 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b835b1fd by security tracker role at 2023-10-29T08:11:52+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,27 @@ +CVE-2023-5840 (Weak Password Recovery Mechanism for Forgotten Password in GitHub repo ...) + TODO: check +CVE-2023-5839 (Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8 ...) + TODO: check +CVE-2023-5838 (Insufficient Session Expiration in GitHub repository linkstackorg/link ...) + TODO: check +CVE-2023-5837 (A vulnerability classified as problematic was found in AlexanderLivano ...) + TODO: check +CVE-2023-5836 (A vulnerability was found in SourceCodester Task Reminder System 1.0. ...) + TODO: check +CVE-2023-46862 (An issue was discovered in the Linux kernel through 6.5.9. During a ra ...) + TODO: check +CVE-2023-46858 (Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflecte ...) + TODO: check +CVE-2023-46854 (Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxm ...) + TODO: check +CVE-2023-45897 (exfatprogs before 1.2.2 allows out-of-bounds memory access, such as in ...) + TODO: check +CVE-2023-43041 (IBM QRadar SIEM 7.5 is vulnerable to information exposure allowing a d ...) + TODO: check +CVE-2023-40686 (Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator c ...) + TODO: check +CVE-2023-40685 (Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator c ...) + TODO: check CVE-2023-5835 (A vulnerability classified as problematic was found in hu60t hu60wap6. ...) TODO: check CVE-2023-5426 (The Post Meta Data Manager plugin for WordPress is vulnerable to unaut ...) 
@@ -330,6 +354,7 @@ CVE-2023-46435 (Sourcecodester Packers and Movers Management System v1.0 is vuln CVE-2023-46238 (ZITADEL is an identity infrastructure management system. ZITADEL users ...) NOT-FOR-US: ZITADEL CVE-2023-46234 (browserify-sign is a package to duplicate the functionality of node's ...) + {DLA-3635-1} - node-browserify-sign 4.2.2-1 (bug #1054667) NOTE: https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw NOTE: https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30 (v4.2.2) 
@@ -169560,16 +169585,16 @@ CVE-2021-33640 (After tar_close(), libtar.c releases the memory pointed to by po NOT-FOR-US: OpenEuler CVE-2021-33639 (REMAP cmd of SVM driver can be used to remap read only memory as read- ...) NOT-FOR-US: OpenEuler -CVE-2021-33638 - RESERVED -CVE-2021-33637 - RESERVED -CVE-2021-33636 - RESERVED -CVE-2021-33635 - RESERVED -CVE-2021-33634 - RESERVED +CVE-2021-33638 (When the isula cp command is used to copy files from a container to a ...) + TODO: check +CVE-2021-33637 (When the isula export command is used to export a container to an imag ...) + TODO: check +CVE-2021-33636 (When the isula load command is used to load malicious images, attacker ...) + TODO: check +CVE-2021-33635 (When malicious images are pulled by isula pull, attackers can execute ...) + TODO: check +CVE-2021-33634 (iSulad uses the lcr+lxc runtime (default) to run malicious images, whi ...) + TODO: check CVE-2021-33633 RESERVED CVE-2021-33632 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b835b1fdc41bd58af6cc62ac842dc688edd3dfc1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b835b1fdc41bd58af6cc62ac842dc688edd3dfc1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
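Review bot: in the third hunk, the five iSulad entries CVE-2021-33634 through CVE-2021-33638 are imported as TODO: check while the surrounding openEuler entries (CVE-2021-33639 and CVE-2021-33640) are already NOT-FOR-US: OpenEuler; iSulad is not packaged in Debian, so these should be triaged the same way in a follow-up rather than left open. This is the automatic importer, so the resolution belongs in a separate commit; the {DLA-3635-1} reference added in the second hunk correctly closes buster for CVE-2023-46234 while bookworm and bullseye remain affected pending the open dsa-needed entry for node-browserify-sign.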
[Git][security-tracker-team/security-tracker][master] Add node-browserify-sign to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cb008102 by Salvatore Bonaccorso at 2023-10-29T08:46:09+01:00 Add node-browserify-sign to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -38,6 +38,9 @@ nbconvert/oldstable -- nghttp2 -- +node-browserify-sign + Yadd proposed an update +-- nodejs maintainer proposed to follow the upstream 18.x LTS branch -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb00810205378c2765500b7d43aec067549492c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb00810205378c2765500b7d43aec067549492c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add note for zookeeper
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a27a900 by Salvatore Bonaccorso at 2023-10-29T08:45:00+01:00 Add note for zookeeper - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -99,4 +99,5 @@ wpewebkit/oldstable xen (jmm) -- zookeeper + Pierre Gruet proposed debdiff, reviewed, question asked back -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a27a900e127e7ff71c821866217bd6eecb5b9f2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a27a900e127e7ff71c821866217bd6eecb5b9f2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits