[Git][security-tracker-team/security-tracker][master] Reserve DLA-3692-1 for curl

2023-12-18 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
72c00733 by Adrian Bunk at 2023-12-19T09:16:03+02:00
Reserve DLA-3692-1 for curl

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -42187,7 +42187,6 @@ CVE-2023-28323 (A deserialization of untrusted data 
exists in EPM 2022 Su3 and a
 CVE-2023-28322 (An information disclosure vulnerability exists in curl  (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-28322.html
NOTE: Introduced by: 
https://github.com/curl/curl/commit/546572da0457f37c698c02d0a08d90fdfcbeedec 
(curl-7_7)
NOTE: Fixed by: 
https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de6c5e61272c496b 
(curl-8_1_0)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[19 Dec 2023] DLA-3692-1 curl - security update
+   {CVE-2023-28322 CVE-2023-46218}
+   [buster] - curl 7.64.0-4+deb10u8
 [18 Dec 2023] DLA-3691-1 spip - security update
[buster] - spip 3.2.4-1+deb10u12
 [17 Dec 2023] DLA-3686-2 xorg-server - security update


=
data/dla-needed.txt
=
@@ -56,10 +56,6 @@ cinder
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
-curl (Adrian Bunk)
-  NOTE: 20231210: Added by Front-Desk (ta)
-  NOTE: 20231210: maybe also take care of 
https://lists.debian.org/debian-lts/2023/12/msg00020.html
---
 docker.io
   NOTE: 20230303: Added by Front-Desk (Beuc)
   NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
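Review bot: The removed curl block carried a follow-up pointer, `NOTE: 20231210: maybe also take care of https://lists.debian.org/debian-lts/2023/12/msg00020.html`, and neither the commit message nor the new DLA-3692-1 entry says whether it was handled. Before dropping the block, state in the commit message whether that request is covered by 7.64.0-4+deb10u8 or was left out on purpose, so the pointer is not lost together with the entry.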



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72c0073304accd5e3a9db27db1f469312dcf78e8

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add erlang for CVE-2023-48795

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
80c613e8 by Salvatore Bonaccorso at 2023-12-19T08:07:08+01:00
Add erlang for CVE-2023-48795

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -101,6 +101,7 @@ CVE-2023-46447 [Rogue Session Attack in AsyncSSH]
NOTE: https://terrapin-attack.com/
 CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, 
found in O ...)
- dropbear 
+   - erlang 
- golang-go.crypto 
- libssh 
- libssh2 
@@ -112,6 +113,7 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
NOTE: https://terrapin-attack.com/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
NOTE: dropbear: 
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+   NOTE: Erlang/OTP: 
https://github.com/erlang/otp/commit/ee67d46285394db95133709cef74b0c462d665aa 
(OTP-24.3.4.15, OTP-25.3.2.8, OTP-26.2.1)
NOTE: golang.org/x/crypto/ssh: 
https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
NOTE: golang.org/x/crypto/ssh: https://github.com/golang/go/issues/64784
NOTE: golang.org/x/crypto/ssh: 
https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
 (v0.17.0)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80c613e85d0f408dbb11a1757feaf0da64db2208



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6927 as NFU

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
43414a86 by Salvatore Bonaccorso at 2023-12-19T07:53:58+01:00
Add CVE-2023-6927 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2023-6927
+   NOT-FOR-US: Keycloak
 CVE-2023-6920
REJECTED
 CVE-2023-6911 (Multiple WSO2 products have been identified as vulnerable due 
to impro ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43414a861c356af24fb370420be913656597be2f



[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-6610/linux as unimportant

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c4fbe4f5 by Salvatore Bonaccorso at 2023-12-19T07:28:53+01:00
Mark CVE-2023-6610/linux as unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2105,7 +2105,8 @@ CVE-2023-6612 (A vulnerability was found in Totolink 
X5000R 9.1.0cu.2300_B202301
 CVE-2023-6611 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has 
been de ...)
NOT-FOR-US: Tongda OA
 CVE-2023-6610 (An out-of-bounds read vulnerability was found in 
smb2_dump_detail in f ...)
-   - linux 
+   - linux  (unimportant)
+   NOTE: CONFIG_CIFS_DEBUG2 not enabled in Debian
 CVE-2023-6609 (A vulnerability was found in osCommerce 4. It has been 
classified as p ...)
NOT-FOR-US: osCommerce
 CVE-2023-6608 (A vulnerability was found in Tongda OA 2017 up to 11.9 and 
classified  ...)
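Review bot: The `(unimportant)` rating on the linux line rests entirely on `NOTE: CONFIG_CIFS_DEBUG2 not enabled in Debian`, which does not say which kernel packages or suites were checked. Name the suites or config files the statement was verified against, since the rating only holds while the option stays disabled in all of them, and a kernel rebuilt with CONFIG_CIFS_DEBUG2 still reaches the out-of-bounds read in smb2_dump_detail.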



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4fbe4f56bf50547a3ab48ea878908f5eed2f0a4



[Git][security-tracker-team/security-tracker][master] Sync status for CVE-2023-5178 with kernel-sec

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
540601a5 by Salvatore Bonaccorso at 2023-12-19T07:27:39+01:00
Sync status for CVE-2023-5178 with kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10029,6 +10029,7 @@ CVE-2023-46846 (SQUID is vulnerable to HTTP request 
smuggling, caused by chunked
 CVE-2023-5178 (A use-after-free vulnerability was found in 
drivers/nvme/target/tcp.c` ...)
- linux 6.5.8-1
[bookworm] - linux 6.1.64-1
+   [buster] - linux  (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241924
NOTE: 
https://git.kernel.org/linus/d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd
NOTE: https://www.openwall.com/lists/oss-security/2023/10/15/1
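Review bot: The added `[buster] - linux  (Vulnerable code not present)` line has nothing in the entry to back it: the notes record the fixing commit (d920abd1e7c4...) but not the commit or release that introduced the use-after-free in drivers/nvme/target/tcp.c. An `Introduced by:` note would let a reader confirm the buster verdict from the entry itself rather than from the kernel-sec sync named in the commit message.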



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/540601a5c4e435368fc1ec1ebfbbb2cb73bb1291



[Git][security-tracker-team/security-tracker][master] Sync status for CVE-2023-46813 with kernel-sec

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
830bd132 by Salvatore Bonaccorso at 2023-12-19T07:26:53+01:00
Sync status for CVE-2023-46813 with kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8981,6 +8981,7 @@ CVE-2023-33558 (An information disclosure vulnerability 
in the component users-g
 CVE-2023-46813 (An issue was discovered in the Linux kernel before 6.5.9, 
exploitable  ...)
- linux 6.5.10-1
[bookworm] - linux 6.1.64-1
+   [buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/63e44bc52047f182601e7817da969a105aa1f721 (6.6-rc7)
NOTE: 
https://git.kernel.org/linus/b9cb9c45583b911e0db71d09caa6b56469eb2bdf (6.6-rc7)
NOTE: 
https://git.kernel.org/linus/a37cd2a59d0cb270b1bba568fd3a3b8668b9d3ba (6.6-rc7)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/830bd13234acd42efcfb4e73f408063f1a50497c



[Git][security-tracker-team/security-tracker][master] Sync status for CVE-2023-4273 with kernel-sec

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce7f2ccc by Salvatore Bonaccorso at 2023-12-19T07:26:04+01:00
Sync status for CVE-2023-4273 with kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21221,6 +21221,7 @@ CVE-2023-38710 (An issue was discovered in Libreswan 
before 4.12. When an IKEv2
 CVE-2023-4273 (A flaw was found in the exFAT driver of the Linux kernel. The 
vulnerab ...)
{DSA-5492-1 DSA-5480-1 DLA-3623-1}
- linux 6.4.11-1
+   [buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/d42334578eba1390859012ebb91e1e556d51db49 (6.5-rc5)
NOTE: 
https://dfir.ru/2023/08/23/cve-2023-4273-a-vulnerability-in-the-linux-exfat-driver/
 CVE-2023-40012 (uthenticode is a small cross-platform library for partially 
verifying  ...)
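Review bot: The cross-reference line of this entry, `{DSA-5492-1 DSA-5480-1 DLA-3623-1}`, includes a DLA, while the added line says the buster linux package does not contain the vulnerable code. As written the two read as contradictory. Add a NOTE or a package line that says which source package DLA-3623-1 covered, so the not-affected status for linux is unambiguous.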



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce7f2ccc8c55d907ef3f33dee33b56a9031bc8ac



[Git][security-tracker-team/security-tracker][master] Sync status for CVE-2023-1192 with kernel-sec

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1e1bf5a3 by Salvatore Bonaccorso at 2023-12-19T07:23:44+01:00
Sync status for CVE-2023-1192 with kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -43883,6 +43883,7 @@ CVE-2023-1193 (A use-after-free flaw was found in 
setup_async_work in the KSMBD
NOTE: 
https://git.kernel.org/linus/3a9b557f44ea8f216aab515a7db20e23f0eb51b9 (6.3-rc6)
 CVE-2023-1192 (A use-after-free flaw was found in smb2_is_status_io_timeout() 
in CIFS ...)
- linux 
+   [buster] - linux  (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154178
 CVE-2023-1191 (A vulnerability classified as problematic has been found in 
fastcms. T ...)
NOT-FOR-US: fastcms
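Review bot: After this change the CVE-2023-1192 entry asserts that the vulnerable code is absent from buster, but its only reference is the Red Hat Bugzilla link; no upstream commit is recorded at all. Add the git.kernel.org reference for the smb2_is_status_io_timeout() change once it is known, in the same NOTE form the CVE-2023-1193 entry above uses, so the claim can be checked against the buster source.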



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e1bf5a384b5ff66b76c5c8f23ef418740af74e5



[Git][security-tracker-team/security-tracker][master] Track upstream status for libssh2 for CVE-2023-48795

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ec316325 by Salvatore Bonaccorso at 2023-12-19T06:27:25+01:00
Track upstream status for libssh2 for CVE-2023-48795

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -117,6 +117,8 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/0870c8db28be9eb457ee3d4f9a168959d9507efd
 (libssh-0.10.6)
NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/5846e57538c750c5ce67df887d09fa99861c79c6
 (libssh-0.10.6)
NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/89df759200d31fc79fbbe213d8eda0d329eebf6d
 (libssh-0.10.6)
+   NOTE: libssh2: https://github.com/libssh2/libssh2/issues/1290
+   NOTE: libssh2: https://github.com/libssh2/libssh2/pull/1291
NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2
NOTE: OpenSSH (strict key exchange): 
https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 (V_9_6_P1)
NOTE: paramiko: https://github.com/paramiko/paramiko/issues/2337
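Review bot: Both added libssh2 notes point at an issue (1290) and a pull request (1291) rather than a commit, unlike the libssh and OpenSSH notes around them, which give a commit URL and a release tag such as `(libssh-0.10.6)`. That is fine as a status marker, but the entry needs a follow-up that adds the merge commit and the first fixed upstream release once they exist, otherwise backporters have no exact change to work from.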



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec316325903b4014ee973bbba009e71ec7a1f9a7



[Git][security-tracker-team/security-tracker][master] Track fixes for libxml2 via experimental

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
13fbaaf0 by Salvatore Bonaccorso at 2023-12-19T06:24:50+01:00
Track fixes for libxml2 via experimental

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12859,12 +12859,13 @@ CVE-2023-40631 (In Dialer, there is a possible 
missing permission check. This co
 CVE-2023-5182 (Sensitive data could be exposed in logs of subiquity version 
23.09.1 a ...)
NOT-FOR-US: Subiquity
 CVE-2023-45322 (libxml2 through 2.11.5 has a use-after-free that can only 
occur after  ...)
+   [experimental] - libxml2 2.12.3+dfsg-0exp1
- libxml2  (bug #1053629)
[bookworm] - libxml2  (Minor issue)
[bullseye] - libxml2  (Minor issue)
[buster] - libxml2  (Minor issue, very hard/unlikely to 
trigger)
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
-   NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9
+   NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9
 (v2.12.0)
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/344
NOTE: http://www.openwall.com/lists/oss-security/2023/10/06/5
 CVE-2023-45199 (Mbed TLS 3.2.x through 3.4.x before 3.5 has a Buffer Overflow 
that can ...)
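Review bot: The new `[experimental] - libxml2 2.12.3+dfsg-0exp1` line and the `(v2.12.0)` tag added to the Fixed by note name different upstream releases. If an earlier 2.12.x upload reached experimental, that version is the one to record here, so confirm that 2.12.3+dfsg-0exp1 is the first experimental upload containing d39f7806. The same check applies to the CVE-2023-39615 line in the next hunk.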
@@ -18736,13 +18737,14 @@ CVE-2023-39616 (AOMedia v3.0.0 to v3.5.0 was 
discovered to contain an invalid re
NOTE: For Debian this was initially fixed in Debian unstable with 
3.7.0~rc3-1 but reverted with the
NOTE: 3.7.0~really3.6.1-1 upload re-introducing the issue.
 CVE-2023-39615 (Xmlsoft Libxml2 v2.11.0 was discovered to contain an 
out-of-bounds rea ...)
+   [experimental] - libxml2 2.12.3+dfsg-0exp1
- libxml2  (bug #1051230)
[bookworm] - libxml2  (Minor issue)
[bullseye] - libxml2  (Minor issue)
[buster] - libxml2  (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/535
-   NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9
-   NOTE: Followup: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129
+   NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9
 (v2.12.0)
+   NOTE: Followup: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129
 (v2.12.0)
 CVE-2023-39522 (goauthentik is an open-source Identity Provider. In affected 
versions  ...)
NOT-FOR-US: authentik
 CVE-2023-39268 (A memory corruption vulnerability in ArubaOS-Switch could lead 
to unau ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13fbaaf05d7b15a6c9300ea0d5e5563c4db739d1



[Git][security-tracker-team/security-tracker][master] Track fixed version for php-dompdf-svg-lib issues

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e9659a03 by Salvatore Bonaccorso at 2023-12-19T06:21:24+01:00
Track fixed version for php-dompdf-svg-lib issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1458,12 +1458,12 @@ CVE-2023-6753 (Path Traversal in GitHub repository 
mlflow/mlflow prior to 2.9.2.
 CVE-2023-50263 (Nautobot is a Network Source of Truth and Network Automation 
Platform  ...)
NOT-FOR-US: Nautobot
 CVE-2023-50252 (php-svg-lib is an SVG file parsing / rendering library. Prior 
to versi ...)
-   - php-dompdf-svg-lib  (bug #1058641)
+   - php-dompdf-svg-lib 0.5.1-1 (bug #1058641)
NOTE: 
https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-jq98-9543-m4cr
NOTE: Fixed by: 
https://github.com/dompdf/php-svg-lib/commit/08ce6a96d63ad7216315fae34a61c886dd2dc030
 (0.5.1)
TODO: check, other packages are embedding  the library: civicrm, 
icinga-php-thirdparty and icingaweb2 to be checked
 CVE-2023-50251 (php-svg-lib is an SVG file parsing / rendering library. Prior 
to versi ...)
-   - php-dompdf-svg-lib  (bug #1058641)
+   - php-dompdf-svg-lib 0.5.1-1 (bug #1058641)
NOTE: 
https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2
NOTE: Fixed by: 
https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0
 (0.5.1)
TODO: check, other packages are embedding  the library: civicrm, 
icinga-php-thirdparty and icingaweb2 to be checked
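Review bot: Both entries now record 0.5.1-1 as the fixed version but keep `TODO: check, other packages are embedding  the library: civicrm, icinga-php-thirdparty and icingaweb2 to be checked` unchanged, so the CVEs stay flagged as unfinished. With the fixing commits and upstream version 0.5.1 known, the three embedding packages can be checked against them and either added as package lines or ruled out in a NOTE, after which the TODO can go.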



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9659a037f36262a15d276a11627ce25404f06c3



[Git][security-tracker-team/security-tracker][master] Track fixed issues in openssh via unstable

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
42f14593 by Salvatore Bonaccorso at 2023-12-19T06:18:34+01:00
Track fixed issues in openssh via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -35,11 +35,11 @@ CVE-2023-5348 (The Product Catalog Mode For WooCommerce 
WordPress plugin before
 CVE-2023-5005 (The Autocomplete Location field Contact Form 7 WordPress plugin 
before ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-51385 (In ssh in OpenSSH before 9.6, OS command injection might occur 
if a us ...)
-   - openssh 
+   - openssh 1:9.6p1-1
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2
NOTE: 
https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a
 (V_9_6_P1)
 CVE-2023-51384 (In ssh-agent in OpenSSH before 9.6, certain destination 
constraints ca ...)
-   - openssh 
+   - openssh 1:9.6p1-1
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2
NOTE: 
https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
 (V_9_6_P1)
 CVE-2023-50372 (Cross-Site Request Forgery (CSRF) vulnerability in Hiroaki 
Miyashita C ...)
@@ -102,7 +102,7 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
- golang-go.crypto 
- libssh 
- libssh2 
-   - openssh 
+   - openssh 1:9.6p1-1
- paramiko 
- putty 0.80-1
- proftpd-dfsg 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42f14593586f5ad8ca64cd56a87ff09f30249941



[Git][security-tracker-team/security-tracker][master] reclaim varnish in dla-needed.txt

2023-12-18 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6ce4e477 by Abhijith PA at 2023-12-19T10:15:18+05:30
reclaim varnish in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -247,9 +247,10 @@ tomcat9
   NOTE: 20231129: Added by Front-Desk (Beuc)
   NOTE: 20131217: I have made a fix, tests are ok but due to high popcon 
prefer a review by apo (rouca)
 --
-varnish
+varnish (Abhijith PA)
   NOTE: 20231117: Added by Front-Desk (apo)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, 
https://github.com/varnishcache/varnish-cache/pull/4004
+  NOTE: 20231219: Continuing work
 --
 wireshark (Adrian Bunk)
   NOTE: 20231118: Added by Front-Desk (apo)
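Review bot: `NOTE: 20231219: Continuing work` tells the next reader nothing beyond what the claim on the `varnish (Abhijith PA)` line already says. State what is left to do, for example where the CVE-2023-44487 work referenced in the 20231204 note stands. Separately, the tomcat9 context line above is dated `20131217`, which looks like a typo for 20231217 and could be corrected in passing.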



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ce4e4779f60d36b7bf23304a1d073185542a4ac



[Git][security-tracker-team/security-tracker][master] LTS: claim dropbear and libssh2 in dla-needed.txt

2023-12-18 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
405c351b by Guilhem Moulin at 2023-12-19T01:19:27+01:00
LTS: claim dropbear and libssh2 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,7 +74,7 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the 
initiatives. (Beuc/front-desk)
 --
-dropbear
+dropbear (guilhem)
   NOTE: 20231219: Added by Front-Desk (ta)
 --
 frr
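Review bot: The claim is written as `dropbear (guilhem)` here, and as `libssh2 (guilhem)` in the next hunk, using a login name, while other claimed entries in dla-needed.txt carry a full name, for example `wireshark (Adrian Bunk)` and `cacti (Sylvain Beucler)`. Use the full name so the claim can be matched to a person without knowing the handle.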
@@ -116,7 +116,7 @@ libreswan
 libssh
   NOTE: 20231219: Added by Front-Desk (ta)
 --
-libssh2
+libssh2 (guilhem)
   NOTE: 20231219: Added by Front-Desk (ta)
 --
 libstb



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/405c351bbcfe1241ab3ff9678ac83678de47903e



[Git][security-tracker-team/security-tracker][master] 5 commits: add openssh

2023-12-18 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cb7a1cf7 by Thorsten Alteholz at 2023-12-19T00:20:24+01:00
add openssh

- - - - -
ef35183e by Thorsten Alteholz at 2023-12-19T00:24:29+01:00
add dropbear

- - - - -
bf93abcd by Thorsten Alteholz at 2023-12-19T00:25:14+01:00
add golang-go.crypto

- - - - -
19316c27 by Thorsten Alteholz at 2023-12-19T00:26:00+01:00
add libssh

- - - - -
a5d1da40 by Thorsten Alteholz at 2023-12-19T00:26:49+01:00
add libssh2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,9 +74,15 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the 
initiatives. (Beuc/front-desk)
 --
+dropbear
+  NOTE: 20231219: Added by Front-Desk (ta)
+--
 frr
   NOTE: 20231119: Added by Front-Desk (apo)
 --
+golang-go.crypto
+  NOTE: 20231219: Added by Front-Desk (ta)
+--
 haproxy
   NOTE: 20231217: Added by Front-Desk (utkarsh)
 --
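Review bot: The added dropbear and golang-go.crypto blocks, like the libssh, libssh2 and openssh blocks in the following hunks, contain only `NOTE: 20231219: Added by Front-Desk (ta)` and do not name the CVE that put the package on the list. Add the CVE id(s) to each block so that whoever claims the package does not have to search data/CVE/list for the reason it was added.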
@@ -107,6 +113,12 @@ libreswan
   NOTE: 20230909: all due to code refactoring. I intend to package the version
   NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the 
fix. (apo)
 --
+libssh
+  NOTE: 20231219: Added by Front-Desk (ta)
+--
+libssh2
+  NOTE: 20231219: Added by Front-Desk (ta)
+--
 libstb
   NOTE: 20231029: Added by Front-Desk (gladk)
   NOTE: 20231029: A lot of open CVEs. Maybe duplicates.
@@ -150,6 +162,9 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
+openssh
+  NOTE: 20231219: Added by Front-Desk (ta)
+--
 osslsigncode
   NOTE: 20230925: Added by Front-Desk (apo)
   NOTE: 20230925: Maybe a new upstream release should just do the trick here.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e88892d15d8255a2c3b4f96ce9fbe8be4a265d1b...a5d1da409d4da3fa6bb19318c046e59ce220e144



[Git][security-tracker-team/security-tracker][master] dla: cacti status

2023-12-18 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e88892d1 by Sylvain Beucler at 2023-12-18T22:49:16+01:00
dla: cacti status

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,6 +46,7 @@ bouncycastle (Markus Koschany)
 cacti (Sylvain Beucler)
   NOTE: 20230906: Added by Front-Desk (lamby)
   NOTE: 20231205: Triaging CVEs backlog (Beuc)
+  NOTE: 20231218: Keep triaging CVEs backlog (Beuc)
 --
 cairosvg
   NOTE: 20230323: Added by Front-Desk (gladk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e88892d15d8255a2c3b4f96ce9fbe8be4a265d1b



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6817/linux

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b39125b6 by Salvatore Bonaccorso at 2023-12-18T21:52:18+01:00
Add CVE-2023-6817/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,7 +3,9 @@ CVE-2023-6920
 CVE-2023-6911 (Multiple WSO2 products have been identified as vulnerable due 
to impro ...)
NOT-FOR-US: WSO2
 CVE-2023-6817 (A use-after-free vulnerability in the Linux kernel's netfilter: 
nf_tab ...)
-   TODO: check
+   - linux 
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/317eb9685095678f2c9f5a8189de698c5354316a (6.7-rc5)
 CVE-2023-6778 (Cross-site Scripting (XSS) - Stored in GitHub repository 
allegroai/cle ...)
TODO: check
 CVE-2023-6691 (Cambium ePMP Force 300-25 version 4.7.0.1 is vulnerable to a 
code inje ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b39125b652fdbdd32cb9700ec117cc430a91f19f



[Git][security-tracker-team/security-tracker][master] Update status for ldap-account-manager and adjust bug reference

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
47cb9546 by Salvatore Bonaccorso at 2023-12-18T21:46:50+01:00
Update status for ldap-account-manager and adjust bug reference

- - - - -


1 changed file:

- data/embedded-code-copies


Changes:

=
data/embedded-code-copies
=
@@ -3075,7 +3075,8 @@ phpseclib
- icinga-web  (embed; bug #781415)
 
 php-phpseclib3
-   - ldap-account-manager  (embed; bug #1057036)
+   - ldap-account-manager 8.6-1 (embed; bug #1057037)
+   NOTE: since 8.6-1 linking to php-phpseclib3 and using it
 
 doctrine
- icinga-web  (embed; bug #781415)
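Review bot: The changed ldap-account-manager line keeps the `embed` tag while the added `NOTE: since 8.6-1 linking to php-phpseclib3 and using it` says the package now uses the library, so the two lines only make sense together if the reader already knows 8.6-1 is the version where the embedding ended. If that is what happened, reword the note to say that the embedded copy was dropped in 8.6-1 in favour of the packaged php-phpseclib3.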



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47cb9546df4fc44fd571c44edcfbb5eac8c2036d



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
671371f8 by Salvatore Bonaccorso at 2023-12-18T21:43:23+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,37 +1,37 @@
 CVE-2023-6920
REJECTED
 CVE-2023-6911 (Multiple WSO2 products have been identified as vulnerable due 
to impro ...)
-   TODO: check
+   NOT-FOR-US: WSO2
 CVE-2023-6817 (A use-after-free vulnerability in the Linux kernel's netfilter: 
nf_tab ...)
TODO: check
 CVE-2023-6778 (Cross-site Scripting (XSS) - Stored in GitHub repository 
allegroai/cle ...)
TODO: check
 CVE-2023-6691 (Cambium ePMP Force 300-25 version 4.7.0.1 is vulnerable to a 
code inje ...)
-   TODO: check
+   NOT-FOR-US: Cambium ePMP Force
 CVE-2023-6295 (The SiteOrigin Widgets Bundle WordPress plugin before 1.51.0 
does not  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6289 (The Swift Performance Lite WordPress plugin before 2.3.6.15 
does not p ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6272 (The Theme My Login 2FA WordPress plugin before 1.2 does not 
rate limit ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6222 (IThe Quttera Web Malware Scanner WordPress plugin before 
3.4.2.1 does  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6203 (The Events Calendar WordPress plugin before 6.2.8.1 discloses 
the cont ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6077 (The Slider WordPress plugin before 3.5.12 does not ensure that 
posts t ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6065 (The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 
doesn' ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5949 (The SmartCrawl WordPress plugin before 3.8.3 does not prevent 
unauthor ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5886 (The Export any WordPress data to XML/CSV WordPress plugin 
before 1.4.0 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5882 (The Export any WordPress data to XML/CSV WordPress plugin 
before 1.4.0 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5348 (The Product Catalog Mode For WooCommerce WordPress plugin 
before 5.0.3 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5005 (The Autocomplete Location field Contact Form 7 WordPress plugin 
before ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-51385 (In ssh in OpenSSH before 9.6, OS command injection might occur 
if a us ...)
- openssh 
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2
@@ -41,47 +41,47 @@ CVE-2023-51384 (In ssh-agent in OpenSSH before 9.6, certain 
destination constrai
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2
NOTE: 
https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
 (V_9_6_P1)
 CVE-2023-50372 (Cross-Site Request Forgery (CSRF) vulnerability in Hiroaki 
Miyashita C ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4724 (The Export any WordPress data to XML/CSV WordPress plugin 
before 1.4.0 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4311 (The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 is 
vulnerab ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-49855 (Cross-Site Request Forgery (CSRF) vulnerability in 
BinaryCarpenter Men ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-49854 (Cross-Site Request Forgery (CSRF) vulnerability in Tribe 
Interactive C ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-49853 (Cross-Site Request Forgery (CSRF) vulnerability in PayTR 
\xd6deme ve E ...)
TODO: check
 CVE-2023-49844 (Cross-Site Request Forgery (CSRF) vulnerability in Kevin 
Ohashi WPPerf ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-49843 (Cross-Site Request Forgery (CSRF) vulnerability in QuanticEdge 
First O ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-49840 (Cross-Site Request Forgery (CSRF) vulnerability in Palscode 
Multi Curr ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-48766 (Cross-Site Request Forgery (CSRF) vulnerability in SVGator 
SVGator \u2 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-48762 (Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock 
JetEleme ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-48755 (Cross-Site Request Forgery (CSRF) vulnerability in Michael 
Winkler tea ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-47806 (Cross-Site Request Forgery (CSRF) 
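
Review bot: CVE-2023-49853 (PayTR) stays at "TODO: check" while the CSRF entries directly above and below it are moved to "NOT-FOR-US: WordPress plugin". If it was left on purpose, for example because the truncated description does not identify the product, that is fine; otherwise it looks like an entry missed in this batch.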

[Git][security-tracker-team/security-tracker][master] Add two openssh issues

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c058a71e by Salvatore Bonaccorso at 2023-12-18T21:42:39+01:00
Add two openssh issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33,9 +33,13 @@ CVE-2023-5348 (The Product Catalog Mode For WooCommerce 
WordPress plugin before
 CVE-2023-5005 (The Autocomplete Location field Contact Form 7 WordPress plugin 
before ...)
TODO: check
 CVE-2023-51385 (In ssh in OpenSSH before 9.6, OS command injection might occur 
if a us ...)
-   TODO: check
+   - openssh 
+   NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2
+   NOTE: 
https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a
 (V_9_6_P1)
 CVE-2023-51384 (In ssh-agent in OpenSSH before 9.6, certain destination 
constraints ca ...)
-   TODO: check
+   - openssh 
+   NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2
+   NOTE: 
https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
 (V_9_6_P1)
 CVE-2023-50372 (Cross-Site Request Forgery (CSRF) vulnerability in Hiroaki 
Miyashita C ...)
TODO: check
 CVE-2023-4724 (The Export any WordPress data to XML/CSV WordPress plugin 
before 1.4.0 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c058a71e8cbcea0e05300cb02940ddf52cb21082


[Git][security-tracker-team/security-tracker][master] Process two NFUs

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
109f92b7 by Salvatore Bonaccorso at 2023-12-18T21:25:20+01:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -67,11 +67,11 @@ CVE-2023-47789 (Cross-Site Request Forgery (CSRF) 
vulnerability in WooCommerce C
 CVE-2023-47787 (Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce 
WooComm ...)
TODO: check
 CVE-2023-47741 (IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web 
browser cl ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-46617 (Cross-Site Request Forgery (CSRF) vulnerability in AdFoxly 
AdFoxly \u2 ...)
TODO: check
 CVE-2023-46177 (IBM MQ Appliance 9.3 LTS and 9.3 CD could allow a remote 
attacker to t ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-39509 (A command injection vulnerability exists in Bosch IP cameras 
that allo ...)
TODO: check
 CVE-2023-35867 (An improper handling of a malformed API answer packets to API 
clients  ...)
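
Review bot: both entries get the bare vendor label "NOT-FOR-US: IBM", although the descriptions name different products (IBM i and Db2 Mirror for i for CVE-2023-47741, IBM MQ Appliance for CVE-2023-46177). Naming the product, as in "NOT-FOR-US: IBM MQ Appliance", keeps the reason searchable and avoids a vendor-wide label being reused for something that is actually packaged.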



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/109f92b73c7a782b30f995134e40d2fe8b76f8d6


[Git][security-tracker-team/security-tracker][master] libssh: Reference fixes from stable branch

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3b7174d6 by Salvatore Bonaccorso at 2023-12-18T21:16:51+01:00
libssh: Reference fixes from stable branch

This is fixed both in 0.10.6 *and* 0.9.8 upstream. For now only
referencing the commits from the stable-0.10 branch. Same set of commits
exists in stable-0.9 branch.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -107,10 +107,10 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
NOTE: golang.org/x/crypto/ssh: 
https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
NOTE: golang.org/x/crypto/ssh: https://github.com/golang/go/issues/64784
NOTE: golang.org/x/crypto/ssh: 
https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
 (v0.17.0)
-   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/7ecc6a704ba30ef65a928742f140e0ee977c9dc4
-   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/3876976cedb93450e0e2a4fc8125d05b99c7fe5a
-   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/bdcdf920965f2fffc8e4ff8fc5675992eacf3891
-   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/a8b9d1368724cb237743ebc98218b7fe713459c8
+   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/4cef5e965a46e9271aed62631b152e4bd23c1e3c
 (libssh-0.10.6)
+   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/0870c8db28be9eb457ee3d4f9a168959d9507efd
 (libssh-0.10.6)
+   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/5846e57538c750c5ce67df887d09fa99861c79c6
 (libssh-0.10.6)
+   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/89df759200d31fc79fbbe213d8eda0d329eebf6d
 (libssh-0.10.6)
NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2
NOTE: OpenSSH (strict key exchange): 
https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 (V_9_6_P1)
NOTE: paramiko: https://github.com/paramiko/paramiko/issues/2337
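
Review bot: the four replacement libssh NOTE lines are tagged (libssh-0.10.6) only, while the commit message states the issue is also fixed in 0.9.8 and that the same commits exist on stable-0.9. That fact is recorded nowhere in the entry itself. A single NOTE line saying the fix is also in 0.9.8 would keep it with the data, where whoever triages suites still on the 0.9 series will look for it.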
@@ -4708,23 +4708,23 @@ CVE-2023-6007 (The UserPro plugin for WordPress is 
vulnerable to unauthorized ac
NOT-FOR-US: WordPress plugin
 CVE-2023-6918
- libssh 
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/a16f34c57a4034f940c557936fd9434976adabcf
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/10c200037a82218d43c30ff2fcda0af7fbe7168e
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/5c407d2f16ab76c3dbc8324b4138f405177219b6
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/59c00c66c4466bacaddf73dcd853ac1dac95ba39
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/b3de3a33352a78214a534005e3e4f0576dcc9e17
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/610d7a09f99c601224ae2aa3d3de7e75b1d284dd
 (libssh-0.10.6)
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/63ff242131c8e6d98917456f71f6d33b9ef3a763
 (libssh-0.10.6)
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/8b66d037d575e5f3ce4d35964547ff8c7e75ff8e
 (libssh-0.10.6)
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/8977e246b6d7ae467cab008a49e0a9e3d84bc2a0
 (libssh-0.10.6)
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/622421018b58392ffecc29726b947e089b678221
 (libssh-0.10.6)
 CVE-2023-6004
- libssh 
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/57ec9a35c612d416bfc045c48ccb69a5e9b57008
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/1dfde16f49076b255e6370f30abf9f03d48997be
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/b83368b2ed10a3d14344f374d9765d47d1d9f3f7
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/0ff85b034a04d45e79a79cd5666b348b5e27800d
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/2cd971e10e6244c6ffbfadbeba626ef998b4f78e
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/95c6f880ef1539635bb82a134f7b8a06a46887ca
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/7b697d711e2c8b88ca6e15e349caae2dff9cb442
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/92e35c291c9a5c6dbe742a2677bf377597f69cd7
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/2c92e8ce930a428a6fd150ae1ae55c5a365543f5
-   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/f353b39ff2c0e0db51f978f035ac976ff5377413
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/c2c56bacab00766d01671413321d564227aabf19
 (libssh-0.10.6)
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/a66b4a6eae6614d200a3625862d77565b96a7cd3
 (libssh-0.10.6)
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/8615c24647f773a5e04203c7459512715d698be1
 (libssh-0.10.6)
+   NOTE: 

[Git][security-tracker-team/security-tracker][master] automatic update

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69cc5e69 by security tracker role at 2023-12-18T20:12:05+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,97 @@
+CVE-2023-6920
+   REJECTED
+CVE-2023-6911 (Multiple WSO2 products have been identified as vulnerable due 
to impro ...)
+   TODO: check
+CVE-2023-6817 (A use-after-free vulnerability in the Linux kernel's netfilter: 
nf_tab ...)
+   TODO: check
+CVE-2023-6778 (Cross-site Scripting (XSS) - Stored in GitHub repository 
allegroai/cle ...)
+   TODO: check
+CVE-2023-6691 (Cambium ePMP Force 300-25 version 4.7.0.1 is vulnerable to a 
code inje ...)
+   TODO: check
+CVE-2023-6295 (The SiteOrigin Widgets Bundle WordPress plugin before 1.51.0 
does not  ...)
+   TODO: check
+CVE-2023-6289 (The Swift Performance Lite WordPress plugin before 2.3.6.15 
does not p ...)
+   TODO: check
+CVE-2023-6272 (The Theme My Login 2FA WordPress plugin before 1.2 does not 
rate limit ...)
+   TODO: check
+CVE-2023-6222 (IThe Quttera Web Malware Scanner WordPress plugin before 
3.4.2.1 does  ...)
+   TODO: check
+CVE-2023-6203 (The Events Calendar WordPress plugin before 6.2.8.1 discloses 
the cont ...)
+   TODO: check
+CVE-2023-6077 (The Slider WordPress plugin before 3.5.12 does not ensure that 
posts t ...)
+   TODO: check
+CVE-2023-6065 (The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 
doesn' ...)
+   TODO: check
+CVE-2023-5949 (The SmartCrawl WordPress plugin before 3.8.3 does not prevent 
unauthor ...)
+   TODO: check
+CVE-2023-5886 (The Export any WordPress data to XML/CSV WordPress plugin 
before 1.4.0 ...)
+   TODO: check
+CVE-2023-5882 (The Export any WordPress data to XML/CSV WordPress plugin 
before 1.4.0 ...)
+   TODO: check
+CVE-2023-5348 (The Product Catalog Mode For WooCommerce WordPress plugin 
before 5.0.3 ...)
+   TODO: check
+CVE-2023-5005 (The Autocomplete Location field Contact Form 7 WordPress plugin 
before ...)
+   TODO: check
+CVE-2023-51385 (In ssh in OpenSSH before 9.6, OS command injection might occur 
if a us ...)
+   TODO: check
+CVE-2023-51384 (In ssh-agent in OpenSSH before 9.6, certain destination 
constraints ca ...)
+   TODO: check
+CVE-2023-50372 (Cross-Site Request Forgery (CSRF) vulnerability in Hiroaki 
Miyashita C ...)
+   TODO: check
+CVE-2023-4724 (The Export any WordPress data to XML/CSV WordPress plugin 
before 1.4.0 ...)
+   TODO: check
+CVE-2023-4311 (The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 is 
vulnerab ...)
+   TODO: check
+CVE-2023-49855 (Cross-Site Request Forgery (CSRF) vulnerability in 
BinaryCarpenter Men ...)
+   TODO: check
+CVE-2023-49854 (Cross-Site Request Forgery (CSRF) vulnerability in Tribe 
Interactive C ...)
+   TODO: check
+CVE-2023-49853 (Cross-Site Request Forgery (CSRF) vulnerability in PayTR 
\xd6deme ve E ...)
+   TODO: check
+CVE-2023-49844 (Cross-Site Request Forgery (CSRF) vulnerability in Kevin 
Ohashi WPPerf ...)
+   TODO: check
+CVE-2023-49843 (Cross-Site Request Forgery (CSRF) vulnerability in QuanticEdge 
First O ...)
+   TODO: check
+CVE-2023-49840 (Cross-Site Request Forgery (CSRF) vulnerability in Palscode 
Multi Curr ...)
+   TODO: check
+CVE-2023-48766 (Cross-Site Request Forgery (CSRF) vulnerability in SVGator 
SVGator \u2 ...)
+   TODO: check
+CVE-2023-48762 (Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock 
JetEleme ...)
+   TODO: check
+CVE-2023-48755 (Cross-Site Request Forgery (CSRF) vulnerability in Michael 
Winkler tea ...)
+   TODO: check
+CVE-2023-47806 (Cross-Site Request Forgery (CSRF) vulnerability in Saint 
Systems Disab ...)
+   TODO: check
+CVE-2023-47789 (Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce 
Canada  ...)
+   TODO: check
+CVE-2023-47787 (Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce 
WooComm ...)
+   TODO: check
+CVE-2023-47741 (IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web 
browser cl ...)
+   TODO: check
+CVE-2023-46617 (Cross-Site Request Forgery (CSRF) vulnerability in AdFoxly 
AdFoxly \u2 ...)
+   TODO: check
+CVE-2023-46177 (IBM MQ Appliance 9.3 LTS and 9.3 CD could allow a remote 
attacker to t ...)
+   TODO: check
+CVE-2023-39509 (A command injection vulnerability exists in Bosch IP cameras 
that allo ...)
+   TODO: check
+CVE-2023-35867 (An improper handling of a malformed API answer packets to API 
clients  ...)
+   TODO: check
+CVE-2023-33214 (Cross-Site Request Forgery (CSRF) vulnerability in Tagbox 
Tagbox \u201 ...)
+   TODO: check
+CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize 
its param ...)
+   TODO: check
+CVE-2023-32727 (An attacker who has the privilege to configure Zabbix 

[Git][security-tracker-team/security-tracker][master] Add missing closing bracket in note

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab9d10c0 by Salvatore Bonaccorso at 2023-12-18T21:04:43+01:00
Add missing closing bracket in note

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16,7 +16,7 @@ CVE-2023-48795 [General Protocol Flaw]
NOTE: dropbear: 
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
NOTE: golang.org/x/crypto/ssh: 
https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
NOTE: golang.org/x/crypto/ssh: https://github.com/golang/go/issues/64784
-   NOTE: golang.org/x/crypto/ssh: 
https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
 (v0.17.0
+   NOTE: golang.org/x/crypto/ssh: 
https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
 (v0.17.0)
NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/7ecc6a704ba30ef65a928742f140e0ee977c9dc4
NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/3876976cedb93450e0e2a4fc8125d05b99c7fe5a
NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/bdcdf920965f2fffc8e4ff8fc5675992eacf3891



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab9d10c0b2577878a15be523b3aa01763881f0c4


[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2023-48795 for dropbear

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74d228df by Salvatore Bonaccorso at 2023-12-18T20:57:51+01:00
Add reference for CVE-2023-48795 for dropbear

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,6 +13,7 @@ CVE-2023-48795 [General Protocol Flaw]
- python-asyncssh 
NOTE: https://terrapin-attack.com/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
+   NOTE: dropbear: 
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
NOTE: golang.org/x/crypto/ssh: 
https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
NOTE: golang.org/x/crypto/ssh: https://github.com/golang/go/issues/64784
NOTE: golang.org/x/crypto/ssh: 
https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
 (v0.17.0
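
Review bot: the added dropbear NOTE gives the commit URL without a release annotation, unlike the golang.org/x/crypto/ssh commit line in the same hunk, which carries a version. Adding the tag once a release contains the fix keeps the entry usable for version comparison. The last context line also still ends in "(v0.17.0" without the closing parenthesis.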



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74d228df2bace4ac464d7e30068123a7c5704dbb


[Git][security-tracker-team/security-tracker][master] Add references for CVE-2023-48795 for golang.org/x/crypto/ssh

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a02a19cf by Salvatore Bonaccorso at 2023-12-18T20:55:10+01:00
Add references for CVE-2023-48795 for golang.org/x/crypto/ssh

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,6 +13,9 @@ CVE-2023-48795 [General Protocol Flaw]
- python-asyncssh 
NOTE: https://terrapin-attack.com/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
+   NOTE: golang.org/x/crypto/ssh: 
https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
+   NOTE: golang.org/x/crypto/ssh: https://github.com/golang/go/issues/64784
+   NOTE: golang.org/x/crypto/ssh: 
https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
 (v0.17.0
NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/7ecc6a704ba30ef65a928742f140e0ee977c9dc4
NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/3876976cedb93450e0e2a4fc8125d05b99c7fe5a
NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/bdcdf920965f2fffc8e4ff8fc5675992eacf3891
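
Review bot: the third added NOTE ends in "(v0.17.0" with no closing parenthesis. It should read "(v0.17.0)", matching the form of the tag annotations on other commit references in this file, such as "(V_9_6_P1)" on the OpenSSH lines.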



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a02a19cf8bb342201f61362b7fec609cc481fc46


[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6918 and CVE-2023-6004

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dc38b515 by Salvatore Bonaccorso at 2023-12-18T20:53:09+01:00
Add CVE-2023-6918 and CVE-2023-6004

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4610,6 +4610,25 @@ CVE-2023-6008 (The UserPro plugin for WordPress is 
vulnerable to Cross-Site Requ
NOT-FOR-US: WordPress plugin
 CVE-2023-6007 (The UserPro plugin for WordPress is vulnerable to unauthorized 
access  ...)
NOT-FOR-US: WordPress plugin
+CVE-2023-6918
+   - libssh 
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/a16f34c57a4034f940c557936fd9434976adabcf
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/10c200037a82218d43c30ff2fcda0af7fbe7168e
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/5c407d2f16ab76c3dbc8324b4138f405177219b6
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/59c00c66c4466bacaddf73dcd853ac1dac95ba39
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/b3de3a33352a78214a534005e3e4f0576dcc9e17
+CVE-2023-6004
+   - libssh 
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/57ec9a35c612d416bfc045c48ccb69a5e9b57008
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/1dfde16f49076b255e6370f30abf9f03d48997be
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/b83368b2ed10a3d14344f374d9765d47d1d9f3f7
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/0ff85b034a04d45e79a79cd5666b348b5e27800d
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/2cd971e10e6244c6ffbfadbeba626ef998b4f78e
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/95c6f880ef1539635bb82a134f7b8a06a46887ca
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/7b697d711e2c8b88ca6e15e349caae2dff9cb442
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/92e35c291c9a5c6dbe742a2677bf377597f69cd7
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/2c92e8ce930a428a6fd150ae1ae55c5a365543f5
+   NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/f353b39ff2c0e0db51f978f035ac976ff5377413
 CVE-2023-5983 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
NOT-FOR-US: Botanik Software Pharmacy Automation
 CVE-2023-5921 (Improper Enforcement of Behavioral Workflow vulnerability in 
DECE Soft ...)
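
Review bot: the two new entries list five commit URLs for CVE-2023-6918 and ten for CVE-2023-6004 with no description, no release annotation, and no indication of which commits are the actual fix and which are preparatory or test changes. Annotating each NOTE with the release that contains it, and marking the fix commits, would make the entries usable for backport work without opening every link.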



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc38b5156cc73a2154f665f4674af7702e415241


[Git][security-tracker-team/security-tracker][master] Add libssh references for CVE-2023-48795

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1c571264 by Salvatore Bonaccorso at 2023-12-18T20:52:26+01:00
Add libssh references for CVE-2023-48795

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,6 +13,10 @@ CVE-2023-48795 [General Protocol Flaw]
- python-asyncssh 
NOTE: https://terrapin-attack.com/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
+   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/7ecc6a704ba30ef65a928742f140e0ee977c9dc4
+   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/3876976cedb93450e0e2a4fc8125d05b99c7fe5a
+   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/bdcdf920965f2fffc8e4ff8fc5675992eacf3891
+   NOTE: libssh: 
https://gitlab.com/libssh/libssh-mirror/-/commit/a8b9d1368724cb237743ebc98218b7fe713459c8
NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2
NOTE: OpenSSH (strict key exchange): 
https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 (V_9_6_P1)
NOTE: paramiko: https://github.com/paramiko/paramiko/issues/2337



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c571264c8cf99763022b459743f73a69b740778


[Git][security-tracker-team/security-tracker][master] Add reference for paramiko for CVE-2023-48795

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9964c94 by Salvatore Bonaccorso at 2023-12-18T20:43:42+01:00
Add reference for paramiko for CVE-2023-48795

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,6 +15,7 @@ CVE-2023-48795 [General Protocol Flaw]
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2
NOTE: OpenSSH (strict key exchange): 
https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 (V_9_6_P1)
+   NOTE: paramiko: https://github.com/paramiko/paramiko/issues/2337
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9e099151574885f3c717ac10a633a9218db8e7bb
 (0.80)
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2e7086902b3605c96e54ef9c956ca7ab10e
 (0.80)
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fcbb86f715bc03e58921482efe663aa0c662d62
 (0.80)
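
Review bot: in the context lines below the added paramiko NOTE, the second PuTTY URL has an h= value of 36 hex characters while the PuTTY URLs on either side have 40, so that link looks truncated. It is not introduced by this hunk but is worth correcting while the entry is being edited. The added line itself points at an issue (#2337) rather than a fix commit, so it should be supplemented with the commit and release once a fix exists.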



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9964c942658862da3f7ec6cfa6bcef0eb7de884


[Git][security-tracker-team/security-tracker][master] Add references for asyncssh for CVE-2023-48795

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9fd22f75 by Salvatore Bonaccorso at 2023-12-18T20:38:59+01:00
Add references for asyncssh for CVE-2023-48795

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23,6 +23,8 @@ CVE-2023-48795 [General Protocol Flaw]
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=0b00e4ce26d89cd010e31e66fd02ac77cb982367
 (0.80)
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=fdc891d17063ab26cf68c74245ab1fd9771556cb
 (0.80)
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=b80a41d386dbfa1b095c17bd2ed001477f302d46
 (0.80)
+   NOTE: asyncssh: 
https://github.com/ronf/asyncssh/security/advisories/GHSA-hfmc-7525-mj55
+   NOTE: asyncssh: 
https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b
 (v2.14.2)
 CVE-2023-41314
NOT-FOR-US: Apache Doris
 CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository 
mlflow/mlflow prio ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fd22f75664c41cfafa9604050c542a4dfc3b3be


[Git][security-tracker-team/security-tracker][master] webkit2gtk DSA-5580-1

2023-12-18 Thread Alberto Garcia (@berto)


Alberto Garcia pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ccba81f0 by Alberto Garcia at 2023-12-18T20:13:43+01:00
webkit2gtk DSA-5580-1

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[18 Dec 2023] DSA-5580-1 webkit2gtk - security update
+   {CVE-2023-42883}
+   [bullseye] - webkit2gtk 2.42.4-1~deb11u1
+   [bookworm] - webkit2gtk 2.42.4-1~deb12u1
 [17 Dec 2023] DSA-5579-1 freeimage - security update
{CVE-2020-21427 CVE-2020-21428 CVE-2020-22524}
[bullseye] - freeimage 3.18.0+ds2-6+deb11u1


=
data/dsa-needed.txt
=
@@ -97,8 +97,6 @@ squid
 --
 varnish
 --
-webkit2gtk (berto)
---
 zbar
   unfixed upstream, initial aproaches are overly strict and cause zbar's tests 
to fail, some caution is in order
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccba81f0efa58120f5b5c54474a682136d6fcb7d



[Git][security-tracker-team/security-tracker][master] Add upstream commits for putty for CVE-2023-48795

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9e1af06c by Salvatore Bonaccorso at 2023-12-18T19:35:22+01:00
Add upstream commits for putty for CVE-2023-48795

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,6 +15,14 @@ CVE-2023-48795 [General Protocol Flaw]
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2
NOTE: OpenSSH (strict key exchange): 
https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 (V_9_6_P1)
+   NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9e099151574885f3c717ac10a633a9218db8e7bb
 (0.80)
+   NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2e7086902b3605c96e54ef9c956ca7ab10e
 (0.80)
+   NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fcbb86f715bc03e58921482efe663aa0c662d62
 (0.80)
+   NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=244be5412728a7334a2d457fbac4e0a2597165e5
 (0.80)
+   NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=58fc33a155ad496bdcf380fa6193302240a15ae9
 (0.80)
+   NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=0b00e4ce26d89cd010e31e66fd02ac77cb982367
 (0.80)
+   NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=fdc891d17063ab26cf68c74245ab1fd9771556cb
 (0.80)
+   NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=b80a41d386dbfa1b095c17bd2ed001477f302d46
 (0.80)
 CVE-2023-41314
NOT-FOR-US: Apache Doris
 CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository 
mlflow/mlflow prio ...)
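
Review bot: The second added PuTTY NOTE carries a 36-character commit id (h=f2e7086902b3605c96e54ef9c956ca7ab10e), while the other seven added URLs use full 40-character ids. Please check that this link resolves to the intended commit and record the full hash, so the reference stays unambiguous for anyone backporting the 0.80 fixes.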



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e1af06c6e27a54677d6f3d799a9e7f444165c6f



[Git][security-tracker-team/security-tracker][master] Add openssh to dsa-needed list

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d415ead6 by Salvatore Bonaccorso at 2023-12-18T19:24:25+01:00
Add openssh to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -44,6 +44,9 @@ nbconvert/oldstable
 nodejs
   maintainer proposed to follow the upstream 18.x LTS branch
 --
+openssh (carnil)
+  maintainer working on updates
+--
 php-cas/oldstable
 --
 php-horde-mime-viewer/oldstable
@@ -52,6 +55,9 @@ php-horde-turba/oldstable
 --
 phppgadmin
 --
+putty (carnil)
+  maintainer working on updates
+--
 py7zr/oldstable
 --
 python3.11/stable (carnil)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d415ead6ce817685dd330bb3d17dbe0318f3c932



[Git][security-tracker-team/security-tracker][master] Track fixed version for putty via unstable

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7b8b547b by Salvatore Bonaccorso at 2023-12-18T19:23:08+01:00
Track fixed version for putty via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8,7 +8,7 @@ CVE-2023-48795 [General Protocol Flaw]
- libssh2 
- openssh 
- paramiko 
-   - putty 
+   - putty 0.80-1
- proftpd-dfsg 
- python-asyncssh 
NOTE: https://terrapin-attack.com/



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b8b547b886b95e8b2225d86e4992203399ef3b0



[Git][security-tracker-team/security-tracker][master] Add further set of packages needing fixes for CVE-2023-48795

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
21aa766b by Salvatore Bonaccorso at 2023-12-18T18:12:38+01:00
Add further set of packages needing fixes for CVE-2023-48795

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2,7 +2,14 @@ CVE-2023-46447 [Rogue Session Attack in AsyncSSH]
- python-asyncssh 
NOTE: https://terrapin-attack.com/
 CVE-2023-48795 [General Protocol Flaw]
+   - dropbear 
+   - golang-go.crypto 
+   - libssh 
+   - libssh2 
- openssh 
+   - paramiko 
+   - putty 
+   - proftpd-dfsg 
- python-asyncssh 
NOTE: https://terrapin-attack.com/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
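
Review bot: In the CVE-2023-48795 package list, the added "- putty" line sits before "- proftpd-dfsg", which breaks the alphabetical order that the other entries follow (dropbear, golang-go.crypto, libssh, libssh2, openssh, paramiko). Swapping the two lines keeps the list sorted and makes it easier to spot a missing SSH implementation as more packages are added.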



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21aa766bb5b8a195df6a3cf51be976948e4b777b



[Git][security-tracker-team/security-tracker][master] Reference commit from OpenSSH implementing strict key exchange

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6bca640a by Salvatore Bonaccorso at 2023-12-18T18:05:03+01:00
Reference commit from OpenSSH implementing strict key exchange

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7,6 +7,7 @@ CVE-2023-48795 [General Protocol Flaw]
NOTE: https://terrapin-attack.com/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2
+   NOTE: OpenSSH (strict key exchange): 
https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 (V_9_6_P1)
 CVE-2023-41314
NOT-FOR-US: Apache Doris
 CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository 
mlflow/mlflow prio ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bca640aef34ad1e8bdc447a5c6a0879bf697cb5



[Git][security-tracker-team/security-tracker][master] Remove additional space in note

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e6b8eb04 by Salvatore Bonaccorso at 2023-12-18T17:58:27+01:00
Remove additional space in note

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -292955,7 +292955,7 @@ CVE-2020-1736 (A flaw was found in Ansible Engine 
when a file is moved using ato
NOTE: specify a mode in the task briefly go from (666 - umask) to the 
final mode.
NOTE: An alternative workaround if many new files are 
ansible.builtin.copy mode=preserve
NOTE: that preserve file mode from controller to managed host.
-   NOTE: Documentation fix:  
https://github.com/ansible/ansible/commit/bc37976df2ac455a4b74d48eb824803ef27df7bc
+   NOTE: Documentation fix: 
https://github.com/ansible/ansible/commit/bc37976df2ac455a4b74d48eb824803ef27df7bc
 CVE-2020-1735 (A flaw was found in the Ansible Engine when the fetch module is 
used.  ...)
{DSA-4950-1}
- ansible 2.9.7+dfsg-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6b8eb044e806d5ec6106d0116d16d9a11ea2818



[Git][security-tracker-team/security-tracker][master] Add oss-security reference for terrapin-attack post

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
44cb0645 by Salvatore Bonaccorso at 2023-12-18T17:54:13+01:00
Add oss-security reference for terrapin-attack post

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,6 +5,7 @@ CVE-2023-48795 [General Protocol Flaw]
- openssh 
- python-asyncssh 
NOTE: https://terrapin-attack.com/
+   NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2
 CVE-2023-41314
NOT-FOR-US: Apache Doris



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44cb0645714871d9178e57bf8c189b7c6d34ba7f



[Git][security-tracker-team/security-tracker][master] Add initial tracking for CVE-2023-4879{5,6,7}

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5cc91c53 by Salvatore Bonaccorso at 2023-12-18T17:24:52+01:00
Add initial tracking for CVE-2023-4879{5,6,7}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,11 @@
+CVE-2023-46447 [Rogue Session Attack in AsyncSSH]
+   - python-asyncssh 
+   NOTE: https://terrapin-attack.com/
+CVE-2023-48795 [General Protocol Flaw]
+   - openssh 
+   - python-asyncssh 
+   NOTE: https://terrapin-attack.com/
+   NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2
 CVE-2023-41314
NOT-FOR-US: Apache Doris
 CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository 
mlflow/mlflow prio ...)
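
Review bot: The commit subject names CVE-2023-4879{5,6,7}, but this hunk adds entries for CVE-2023-46447 and CVE-2023-48795 only, and no CVE-2023-48796 or CVE-2023-48797 entry is visible. Please confirm which ids are intended and align either the subject or the CVE-2023-46447 line, and check that the bracketed "Rogue Session Attack in AsyncSSH" title is attached to the right id.
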
@@ -6312,6 +6320,7 @@ CVE-2023-46446 (An issue in AsyncSSH v2.14.0 and earlier 
allows attackers to con
[bullseye] - python-asyncssh  (Minor issue)
[buster] - python-asyncssh  (Minor issue)
NOTE: 
https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm
+   NOTE: https://terrapin-attack.com/
 CVE-2023-46445 (An issue in AsyncSSH v2.14.0 and earlier allows attackers to 
control t ...)
- python-asyncssh  (bug #1056000)
[bookworm] - python-asyncssh  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cc91c5333d8a667ee84589827aef32d55c0b10a



[Git][security-tracker-team/security-tracker][master] freeimage DSA

2023-12-18 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2a3ef504 by Moritz Mühlenhoff at 2023-12-18T16:50:17+01:00
freeimage DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[17 Dec 2023] DSA-5579-1 freeimage - security update
+   {CVE-2020-21427 CVE-2020-21428 CVE-2020-22524}
+   [bullseye] - freeimage 3.18.0+ds2-6+deb11u1
+   [bookworm] - freeimage 3.18.0+ds2-9+deb12u1
 [17 Dec 2023] DSA-5576-2 xorg-server - security update
{CVE-2023-6377}
[bullseye] - xorg-server 2:1.20.11-1+deb11u10


=
data/dsa-needed.txt
=
@@ -23,8 +23,6 @@ curl
 --
 dnsdist (jmm)
 --
-freeimage (jmm)
---
 frr
 --
 gpac/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a3ef504b2ebaf62b1b97b5e928c6865dc47da36



[Git][security-tracker-team/security-tracker][master] Update notes of squid and bouncycastle in dla-needed.txt and reclaim the

2023-12-18 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bfb04929 by Markus Koschany at 2023-12-18T15:47:48+01:00
Update notes of squid and bouncycastle in dla-needed.txt and reclaim the

packages.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -37,10 +37,11 @@ bind9 (Thorsten Alteholz)
   NOTE: 20231008: backporting patches
   NOTE: 20231217: almost done with testing
 --
-bouncycastle
+bouncycastle (Markus Koschany)
   NOTE: 20231127: Added by Front-Desk (Beuc)
   NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 
was fixed in stretch-lts (Beuc/front-desk)
   NOTE: 20231128: I can't find changes in PEMParser.java related to 
CVE-2023-33202, maybe contact upstream (Beuc/front-desk)
+  NOTE: 20231218: Decision impending. (apo)
 --
 cacti (Sylvain Beucler)
   NOTE: 20230906: Added by Front-Desk (lamby)
@@ -205,8 +206,9 @@ salt
 samba
   NOTE: 20230918: Added by Front-Desk (apo)
 --
-squid
+squid (Markus Koschany)
   NOTE: 20231102: Added by Front-Desk (lamby)
+  NOTE: 20231218: Investigating new CVE. (apo)
 --
 suricata (Adrian Bunk)
   NOTE: 20230620: Added by Front-Desk (Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfb04929cfee7d2f42db0a4d284c88fffe92132e



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-12-18 Thread @roberto


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f66e7e98 by Roberto C. Sánchez at 2023-12-18T08:33:35-05:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Roberto C. Sánchez robe...@connexer.com

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -37,7 +37,7 @@ bind9 (Thorsten Alteholz)
   NOTE: 20231008: backporting patches
   NOTE: 20231217: almost done with testing
 --
-bouncycastle (Markus Koschany)
+bouncycastle
   NOTE: 20231127: Added by Front-Desk (Beuc)
   NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 
was fixed in stretch-lts (Beuc/front-desk)
   NOTE: 20231128: I can't find changes in PEMParser.java related to 
CVE-2023-33202, maybe contact upstream (Beuc/front-desk)
@@ -205,7 +205,7 @@ salt
 samba
   NOTE: 20230918: Added by Front-Desk (apo)
 --
-squid (Markus Koschany)
+squid
   NOTE: 20231102: Added by Front-Desk (lamby)
 --
 suricata (Adrian Bunk)
@@ -229,7 +229,7 @@ tomcat9
   NOTE: 20231129: Added by Front-Desk (Beuc)
   NOTE: 20131217: I have made a fix, tests are ok but due to high popcon 
prefer a review by apo (rouca)
 --
-varnish (Abhijith PA)
+varnish
   NOTE: 20231117: Added by Front-Desk (apo)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, 
https://github.com/varnishcache/varnish-cache/pull/4004
 --
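
Review bot: The tomcat9 context line at the top of this last hunk is dated 20131217, while every other NOTE visible in the file carries a 2023 date, so it looks like a typo for 20231217. It is worth correcting in a follow-up, since an inactivity check that reads NOTE dates would see that entry as ten years stale.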



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f66e7e984d16655c06ff4a66a0198c487ab2472b



[Git][security-tracker-team/security-tracker][master] NFU

2023-12-18 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
983b359e by Moritz Muehlenhoff at 2023-12-18T14:17:45+01:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2023-41314
+   NOT-FOR-US: Apache Doris
 CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository 
mlflow/mlflow prio ...)
NOT-FOR-US: mlflow
 CVE-2023-6908 (A vulnerability, which was classified as problematic, was found 
in DFI ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/983b359ee03142113d79917cddf5a9ccba4aa871



[Git][security-tracker-team/security-tracker][master] dla: add note

2023-12-18 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
abcf7697 by Adrian Bunk at 2023-12-18T13:47:40+02:00
dla: add note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -236,6 +236,7 @@ varnish (Abhijith PA)
 wireshark (Adrian Bunk)
   NOTE: 20231118: Added by Front-Desk (apo)
   NOTE: 20231204: DLA pending (bunk)
+  NOTE: 20231218: Debugging a problem with the update. (bunk)
 --
 zabbix
   NOTE: 20231015: Added by Front-Desk (ta)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abcf7697165f28c78505a66fa1bfd212e0a398e6



[Git][security-tracker-team/security-tracker][master] webkit2gtk / wpewebkit upstream advisory WSA-2023-0012

2023-12-18 Thread Alberto Garcia (@berto)


Alberto Garcia pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4cf9ac89 by Alberto Garcia at 2023-12-18T12:38:42+01:00
webkit2gtk / wpewebkit upstream advisory WSA-2023-0012

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1703,13 +1703,23 @@ CVE-2023-42894 (This issue was addressed with improved 
redaction of sensitive in
 CVE-2023-42891 (An authentication issue was addressed with improved state 
management.  ...)
NOT-FOR-US: Apple
 CVE-2023-42890 (The issue was addressed with improved memory handling. This 
issue is f ...)
-   NOT-FOR-US: Apple
+   - webkit2gtk 2.42.0-1
+   [buster] - webkit2gtk  (EOL in buster LTS)
+   - wpewebkit 2.42.0-1
+   [bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
+   [bullseye] - wpewebkit  (wpewebkit >= 2.40 can no longer be 
sensibly backported)
+   NOTE: https://webkitgtk.org/security/WSA-2023-0012.html
 CVE-2023-42886 (An out-of-bounds read was addressed with improved bounds 
checking. Thi ...)
NOT-FOR-US: Apple
 CVE-2023-42884 (This issue was addressed with improved redaction of sensitive 
informat ...)
NOT-FOR-US: Apple
 CVE-2023-42883 (The issue was addressed with improved memory handling. This 
issue is f ...)
-   NOT-FOR-US: Apple
+   - webkit2gtk 2.42.4-1
+   [buster] - webkit2gtk  (EOL in buster LTS)
+   - wpewebkit 2.42.4-1
+   [bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
+   [bullseye] - wpewebkit  (wpewebkit >= 2.40 can no longer be 
sensibly backported)
+   NOTE: https://webkitgtk.org/security/WSA-2023-0012.html
 CVE-2023-42882 (The issue was addressed with improved memory handling. This 
issue is f ...)
NOT-FOR-US: Apple
 CVE-2023-42874 (This issue was addressed with improved state management. This 
issue is ...)


=
data/DSA/list
=
@@ -199,7 +199,7 @@
 [12 Oct 2023] DSA-5522-2 tomcat9 - regression update
[bullseye] - tomcat9 9.0.43-2~deb11u8
 [12 Oct 2023] DSA-5527-1 webkit2gtk - security update
-   {CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993}
+   {CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 
CVE-2023-42890}
[bullseye] - webkit2gtk 2.42.1-1~deb11u1
[bookworm] - webkit2gtk 2.42.1-1~deb12u1
 [12 Oct 2023] DSA-5526-1 chromium - security update


=
data/dsa-needed.txt
=
@@ -93,6 +93,8 @@ squid
 --
 varnish
 --
+webkit2gtk (berto)
+--
 zbar
   unfixed upstream, initial aproaches are overly strict and cause zbar's tests 
to fail, some caution is in order
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cf9ac89ab8083805495c1e9e2e65918fb5e08f9



[Git][security-tracker-team/security-tracker][master] add reference for asterisk

2023-12-18 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
edc4b4ae by Moritz Muehlenhoff at 2023-12-18T09:35:25+01:00
add reference for asterisk

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -758,6 +758,7 @@ CVE-2023-49786 (Asterisk is an open source private branch 
exchange and telephony
- asterisk 
NOTE: 
https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
NOTE: 
https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05
+   NOTE: https://www.openwall.com/lists/oss-security/2023/12/15/7
 CVE-2023-49771 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-49770 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edc4b4ae3b18500b0372a6087e09015dddb4c47d



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
213405f8 by Salvatore Bonaccorso at 2023-12-18T09:28:32+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,19 +1,19 @@
 CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository 
mlflow/mlflow prio ...)
-   TODO: check
+   NOT-FOR-US: mlflow
 CVE-2023-6908 (A vulnerability, which was classified as problematic, was found 
in DFI ...)
-   TODO: check
+   NOT-FOR-US: DFIRKuiper Kuiper
 CVE-2023-6907 (A vulnerability has been found in codelyfe Stupid Simple CMS up 
to 1.2 ...)
-   TODO: check
+   NOT-FOR-US: codelyfe Stupid Simple CMS
 CVE-2023-6906 (A vulnerability, which was classified as critical, was found in 
Totoli ...)
-   TODO: check
+   NOT-FOR-US: Totolink
 CVE-2023-6905 (A vulnerability, which was classified as problematic, has been 
found i ...)
-   TODO: check
+   NOT-FOR-US: Jahastech NxFilter
 CVE-2023-6904 (A vulnerability classified as problematic was found in 
Jahastech NxFil ...)
-   TODO: check
+   NOT-FOR-US: Jahastech NxFilter
 CVE-2023-6903 (A vulnerability classified as critical has been found in 
Netentsec NS- ...)
-   TODO: check
+   NOT-FOR-US: Netentsec NS-ASG Application Security Gateway
 CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated 
Tool-as ...)
-   TODO: check
+   NOT-FOR-US: ADiTaaS (Allied Digital Integrated Tool-as-a-Service)
 CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 
allows atta ...)
- libcrypto++ 
NOTE: https://github.com/weidai11/cryptopp/issues/1249
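
Review bot: The new CVE-2023-6907 line reads "NOT-FOR-US: codelyfe Stupid Simple CMS", while the existing CVE-2023-6902 entry for the same product (context of the following hunk) reads "NOT-FOR-US: Stupid Simple CMS". Using one spelling for the product keeps the NOT-FOR-US entries greppable and lets later automatic matching treat both CVEs alike.
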
@@ -25,7 +25,7 @@ CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a 
Marvin side channel
- libcrypto++ 
NOTE: https://github.com/weidai11/cryptopp/issues/1247
 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing 
authoriz ...)
-   TODO: check
+   NOT-FOR-US: Redpanda
 CVE-2023-6902 (A vulnerability has been found in codelyfe Stupid Simple CMS up 
to 1.2 ...)
NOT-FOR-US: Stupid Simple CMS
 CVE-2023-6901 (A vulnerability, which was classified as critical, was found in 
codely ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/213405f89eccac25fb566b95e066182790304243



[Git][security-tracker-team/security-tracker][master] Add three new libcrypto++ CVE entries

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6eb4bedb by Salvatore Bonaccorso at 2023-12-18T09:28:05+01:00
Add three new libcrypto++ CVE entries

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,11 +15,15 @@ CVE-2023-6903 (A vulnerability classified as critical has 
been found in Netentse
 CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated 
Tool-as ...)
TODO: check
 CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 
allows atta ...)
-   TODO: check
+   - libcrypto++ 
+   NOTE: https://github.com/weidai11/cryptopp/issues/1249
 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows 
attackers to  ...)
-   TODO: check
+   - libcrypto++ 
+   NOTE: https://github.com/weidai11/cryptopp/issues/1248
+   TODO: check details about mitigation applied, but issue in per se 
"unfixed"
 CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side 
channel during ...)
-   TODO: check
+   - libcrypto++ 
+   NOTE: https://github.com/weidai11/cryptopp/issues/1247
 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing 
authoriz ...)
TODO: check
 CVE-2023-6902 (A vulnerability has been found in codelyfe Stupid Simple CMS up 
to 1.2 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6eb4bedb9aa4b0699b323372aa07f1a6ff230f3e



[Git][security-tracker-team/security-tracker][master] automatic update

2023-12-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dae8f8c2 by security tracker role at 2023-12-18T08:12:01+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,27 @@
+CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository 
mlflow/mlflow prio ...)
+   TODO: check
+CVE-2023-6908 (A vulnerability, which was classified as problematic, was found 
in DFI ...)
+   TODO: check
+CVE-2023-6907 (A vulnerability has been found in codelyfe Stupid Simple CMS up 
to 1.2 ...)
+   TODO: check
+CVE-2023-6906 (A vulnerability, which was classified as critical, was found in 
Totoli ...)
+   TODO: check
+CVE-2023-6905 (A vulnerability, which was classified as problematic, has been 
found i ...)
+   TODO: check
+CVE-2023-6904 (A vulnerability classified as problematic was found in 
Jahastech NxFil ...)
+   TODO: check
+CVE-2023-6903 (A vulnerability classified as critical has been found in 
Netentsec NS- ...)
+   TODO: check
+CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated 
Tool-as ...)
+   TODO: check
+CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 
allows atta ...)
+   TODO: check
+CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows 
attackers to  ...)
+   TODO: check
+CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side 
channel during ...)
+   TODO: check
+CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing 
authoriz ...)
+   TODO: check
 CVE-2023-6902 (A vulnerability has been found in codelyfe Stupid Simple CMS up 
to 1.2 ...)
NOT-FOR-US: Stupid Simple CMS
 CVE-2023-6901 (A vulnerability, which was classified as critical, was found in 
codely ...)
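Review bot: CVE-2023-6907 is added with "TODO: check" although its description names codelyfe Stupid Simple CMS, the same product as the CVE-2023-6902 context entry directly below it, which is already "NOT-FOR-US: Stupid Simple CMS"; it can take the same line on the next triage pass. The three Crypto++ entries (CVE-2023-50979, CVE-2023-50980, CVE-2023-50981) all read "through 8.9.0" and are best triaged together rather than one at a time.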
@@ -876,7 +900,7 @@ CVE-2023-3904 (An issue has been discovered in GitLab EE 
affecting all versions
- gitlab  (Specific to EE)
 CVE-2023-3511 (An issue has been discovered in GitLab EE affecting all 
versions start ...)
- gitlab  (Specific to EE)
-CVE-2023-3907
+CVE-2023-3907 (A privilege escalation vulnerability in GitLab EE affecting all 
versio ...)
- gitlab  (Specific to EE)
 CVE-2023-5061 (An issue has been discovered in GitLab affecting all versions 
starting ...)
- gitlab 
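Review bot: the "(Specific to EE)" line under CVE-2023-3907 predates this description, because the entry had no text before this update. The new wording ("A privilege escalation vulnerability in GitLab EE affecting all versio ...") agrees with that note, so no triage change is needed for this entry.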
@@ -2950,11 +2974,11 @@ CVE-2023-48800 (In TOTOLINK X6000R_Firmware 
V9.4.0cu.852_B20230719, the shttpd f
NOT-FOR-US: TOTOLINK
 CVE-2023-48799 (TOTOLINK-X6000R Firmware-V9.4.0cu.852_B20230719 is vulnerable 
to Comma ...)
NOT-FOR-US: TOTOLINK
-CVE-2023-44306 (Dell DM5500 contains a path traversal vulnerability in PPOE 
Component. ...)
+CVE-2023-44306 (Dell DM5500 contains a path traversal vulnerability in the 
appliance.  ...)
NOT-FOR-US: Dell
 CVE-2023-44305 (Dell DM5500 5.14.0.0, contains a Stack-based Buffer Overflow 
Vulnerabi ...)
NOT-FOR-US: Dell
-CVE-2023-44304 (Dell DM5500 contains a privilege escalation vulnerability in 
PPOE Comp ...)
+CVE-2023-44304 (Dell DM5500 contains a privilege escalation vulnerability in 
the appli ...)
NOT-FOR-US: Dell
 CVE-2023-44302 (Dell DM5500 5.14.0.0 and prior contain an improper 
authentication vuln ...)
NOT-FOR-US: Dell
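Review bot: the reworded descriptions for CVE-2023-44306 and CVE-2023-44304 replace "PPOE Component" with "the appliance", so a search of data/CVE/list for the component name will no longer find these two entries. Both stay "NOT-FOR-US: Dell", so nothing else needs updating.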



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dae8f8c290fc6c39c97aa9195321c6c8473eb244
