[Git][security-tracker-team/security-tracker][master] Reserve DLA-3692-1 for curl
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 72c00733 by Adrian Bunk at 2023-12-19T09:16:03+02:00 Reserve DLA-3692-1 for curl - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -42187,7 +42187,6 @@ CVE-2023-28323 (A deserialization of untrusted data exists in EPM 2022 Su3 and a CVE-2023-28322 (An information disclosure vulnerability exists in curl (Minor issue) NOTE: https://curl.se/docs/CVE-2023-28322.html NOTE: Introduced by: https://github.com/curl/curl/commit/546572da0457f37c698c02d0a08d90fdfcbeedec (curl-7_7) NOTE: Fixed by: https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de6c5e61272c496b (curl-8_1_0) = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Dec 2023] DLA-3692-1 curl - security update + {CVE-2023-28322 CVE-2023-46218} + [buster] - curl 7.64.0-4+deb10u8 [18 Dec 2023] DLA-3691-1 spip - security update [buster] - spip 3.2.4-1+deb10u12 [17 Dec 2023] DLA-3686-2 xorg-server - security update = data/dla-needed.txt = 
@@ -56,10 +56,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -curl (Adrian Bunk) - NOTE: 20231210: Added by Front-Desk (ta) - NOTE: 20231210: maybe also take care of https://lists.debian.org/debian-lts/2023/12/msg00020.html --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72c0073304accd5e3a9db27db1f469312dcf78e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72c0073304accd5e3a9db27db1f469312dcf78e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
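Review bot: the data/dla-needed.txt hunk drops the curl entry together with its 20231210 note pointing at https://lists.debian.org/debian-lts/2023/12/msg00020.html without recording whether that item was folded into DLA-3692-1 or deliberately left out; since the new entry in data/DLA/list lists only CVE-2023-28322 and CVE-2023-46218, a short NOTE (in the commit message or next to the CVE) saying how the thread was resolved would keep the audit trail. Separately, the data/CVE/list hunk header (-42187,7 +42187,6) says one line was removed, but that removed line is not visible in the notification as rendered, so that part of the change cannot be checked from here.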
[Git][security-tracker-team/security-tracker][master] Add erlang for CVE-2023-48795
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 80c613e8 by Salvatore Bonaccorso at 2023-12-19T08:07:08+01:00 Add erlang for CVE-2023-48795 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -101,6 +101,7 @@ CVE-2023-46447 [Rogue Session Attack in AsyncSSH] NOTE: https://terrapin-attack.com/ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, found in O ...) - dropbear + - erlang - golang-go.crypto - libssh - libssh2 @@ -112,6 +113,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 NOTE: dropbear: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 + NOTE: Erlang/OTP: https://github.com/erlang/otp/commit/ee67d46285394db95133709cef74b0c462d665aa (OTP-24.3.4.15, OTP-25.3.2.8, OTP-26.2.1) NOTE: golang.org/x/crypto/ssh: https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg NOTE: golang.org/x/crypto/ssh: https://github.com/golang/go/issues/64784 NOTE: golang.org/x/crypto/ssh: https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (v0.17.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80c613e85d0f408dbb11a1757feaf0da64db2208 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80c613e85d0f408dbb11a1757feaf0da64db2208 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
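Review bot: the new "- erlang" line under CVE-2023-48795 carries neither a fixed Debian version nor a severity or status tag, even though the accompanying NOTE already names the upstream releases with the fix (OTP-24.3.4.15, OTP-25.3.2.8, OTP-26.2.1); an unversioned entry marks the package as vulnerable in every suite, so once the matching Debian upload or bug number is known it should be added as "- erlang <version> (bug #...)" rather than left open-ended.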
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6927 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 43414a86 by Salvatore Bonaccorso at 2023-12-19T07:53:58+01:00 Add CVE-2023-6927 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-6927 + NOT-FOR-US: Keycloak CVE-2023-6920 REJECTED CVE-2023-6911 (Multiple WSO2 products have been identified as vulnerable due to impro ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43414a861c356af24fb370420be913656597be2f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43414a861c356af24fb370420be913656597be2f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-6610/linux as unimportant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4fbe4f5 by Salvatore Bonaccorso at 2023-12-19T07:28:53+01:00 Mark CVE-2023-6610/linux as unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2105,7 +2105,8 @@ CVE-2023-6612 (A vulnerability was found in Totolink X5000R 9.1.0cu.2300_B202301 CVE-2023-6611 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has been de ...) NOT-FOR-US: Tongda OA CVE-2023-6610 (An out-of-bounds read vulnerability was found in smb2_dump_detail in f ...) - - linux + - linux (unimportant) + NOTE: CONFIG_CIFS_DEBUG2 not enabled in Debian CVE-2023-6609 (A vulnerability was found in osCommerce 4. It has been classified as p ...) NOT-FOR-US: osCommerce CVE-2023-6608 (A vulnerability was found in Tongda OA 2017 up to 11.9 and classified ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4fbe4f56bf50547a3ab48ea878908f5eed2f0a4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4fbe4f56bf50547a3ab48ea878908f5eed2f0a4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
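Review bot: the justification "CONFIG_CIFS_DEBUG2 not enabled in Debian" for rating CVE-2023-6610 unimportant is a kernel-config condition, so the entry needs revisiting if that option is ever enabled in any suite; the hunk also adds no NOTE pointing at the upstream fix, which would help whoever re-checks the rating later.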
[Git][security-tracker-team/security-tracker][master] Sync status for CVE-2023-5178 with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 540601a5 by Salvatore Bonaccorso at 2023-12-19T07:27:39+01:00 Sync status for CVE-2023-5178 with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10029,6 +10029,7 @@ CVE-2023-46846 (SQUID is vulnerable to HTTP request smuggling, caused by chunked CVE-2023-5178 (A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` ...) - linux 6.5.8-1 [bookworm] - linux 6.1.64-1 + [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241924 NOTE: https://git.kernel.org/linus/d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd NOTE: https://www.openwall.com/lists/oss-security/2023/10/15/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/540601a5c4e435368fc1ec1ebfbbb2cb73bb1291 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/540601a5c4e435368fc1ec1ebfbbb2cb73bb1291 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
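Review bot: the sync adds a buster line for CVE-2023-5178 but leaves bullseye with no explicit status, so bullseye continues to show as vulnerable against the 6.5.8-1 fix in unstable; if kernel-sec already records a bullseye fixed version or a not-affected status for this issue, it should be carried over in the same change so the two sources do not drift apart.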
[Git][security-tracker-team/security-tracker][master] Sync status for CVE-2023-46813 with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 830bd132 by Salvatore Bonaccorso at 2023-12-19T07:26:53+01:00 Sync status for CVE-2023-46813 with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8981,6 +8981,7 @@ CVE-2023-33558 (An information disclosure vulnerability in the component users-g CVE-2023-46813 (An issue was discovered in the Linux kernel before 6.5.9, exploitable ...) - linux 6.5.10-1 [bookworm] - linux 6.1.64-1 + [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/63e44bc52047f182601e7817da969a105aa1f721 (6.6-rc7) NOTE: https://git.kernel.org/linus/b9cb9c45583b911e0db71d09caa6b56469eb2bdf (6.6-rc7) NOTE: https://git.kernel.org/linus/a37cd2a59d0cb270b1bba568fd3a3b8668b9d3ba (6.6-rc7) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/830bd13234acd42efcfb4e73f408063f1a50497c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/830bd13234acd42efcfb4e73f408063f1a50497c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Sync status for CVE-2023-4273 with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce7f2ccc by Salvatore Bonaccorso at 2023-12-19T07:26:04+01:00 Sync status for CVE-2023-4273 with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21221,6 +21221,7 @@ CVE-2023-38710 (An issue was discovered in Libreswan before 4.12. When an IKEv2 CVE-2023-4273 (A flaw was found in the exFAT driver of the Linux kernel. The vulnerab ...) {DSA-5492-1 DSA-5480-1 DLA-3623-1} - linux 6.4.11-1 + [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/d42334578eba1390859012ebb91e1e556d51db49 (6.5-rc5) NOTE: https://dfir.ru/2023/08/23/cve-2023-4273-a-vulnerability-in-the-linux-exfat-driver/ CVE-2023-40012 (uthenticode is a small cross-platform library for partially verifying ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce7f2ccc8c55d907ef3f33dee33b56a9031bc8ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce7f2ccc8c55d907ef3f33dee33b56a9031bc8ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
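Review bot: CVE-2023-4273 cross-references DLA-3623-1 and the hunk now marks buster's linux as "Vulnerable code not present"; those two facts read as contradictory unless the DLA addressed a different source package in buster, so a NOTE stating which package DLA-3623-1 covered would save the next reader from re-deriving it.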
[Git][security-tracker-team/security-tracker][master] Sync status for CVE-2023-1192 with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e1bf5a3 by Salvatore Bonaccorso at 2023-12-19T07:23:44+01:00 Sync status for CVE-2023-1192 with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43883,6 +43883,7 @@ CVE-2023-1193 (A use-after-free flaw was found in setup_async_work in the KSMBD NOTE: https://git.kernel.org/linus/3a9b557f44ea8f216aab515a7db20e23f0eb51b9 (6.3-rc6) CVE-2023-1192 (A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS ...) - linux + [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154178 CVE-2023-1191 (A vulnerability classified as problematic has been found in fastcms. T ...) NOT-FOR-US: fastcms View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e1bf5a384b5ff66b76c5c8f23ef418740af74e5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e1bf5a384b5ff66b76c5c8f23ef418740af74e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
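Review bot: the unstable line for CVE-2023-1192 is still a bare "- linux" with no fixed version, and the only NOTE is the Red Hat bugzilla entry; the buster "Vulnerable code not present" status is fine on its own, but the upstream fix commit and the Debian version shipping it still need to be recorded before the bookworm and bullseye status can be settled.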
[Git][security-tracker-team/security-tracker][master] Track upstream status for libssh2 for CVE-2023-48795
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ec316325 by Salvatore Bonaccorso at 2023-12-19T06:27:25+01:00 Track upstream status for libssh2 for CVE-2023-48795 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -117,6 +117,8 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/0870c8db28be9eb457ee3d4f9a168959d9507efd (libssh-0.10.6) NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/5846e57538c750c5ce67df887d09fa99861c79c6 (libssh-0.10.6) NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/89df759200d31fc79fbbe213d8eda0d329eebf6d (libssh-0.10.6) + NOTE: libssh2: https://github.com/libssh2/libssh2/issues/1290 + NOTE: libssh2: https://github.com/libssh2/libssh2/pull/1291 NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2 NOTE: OpenSSH (strict key exchange): https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 (V_9_6_P1) NOTE: paramiko: https://github.com/paramiko/paramiko/issues/2337 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec316325903b4014ee973bbba009e71ec7a1f9a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec316325903b4014ee973bbba009e71ec7a1f9a7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
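Review bot: the two new libssh2 NOTEs point at an issue and a pull request rather than a released fix, and unlike the adjacent libssh NOTEs they carry no version tag; when the pull request lands in a release, append the tag (as done with libssh-0.10.6 and V_9_6_P1) so the entry records the fixed upstream version and not just the discussion.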
[Git][security-tracker-team/security-tracker][master] Track fixes for libxml2 via experimental
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13fbaaf0 by Salvatore Bonaccorso at 2023-12-19T06:24:50+01:00 Track fixes for libxml2 via experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12859,12 +12859,13 @@ CVE-2023-40631 (In Dialer, there is a possible missing permission check. This co CVE-2023-5182 (Sensitive data could be exposed in logs of subiquity version 23.09.1 a ...) NOT-FOR-US: Subiquity CVE-2023-45322 (libxml2 through 2.11.5 has a use-after-free that can only occur after ...) + [experimental] - libxml2 2.12.3+dfsg-0exp1 - libxml2 (bug #1053629) [bookworm] - libxml2 (Minor issue) [bullseye] - libxml2 (Minor issue) [buster] - libxml2 (Minor issue, very hard/unlikely to trigger) NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/583 - NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9 + NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9 (v2.12.0) NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/344 NOTE: http://www.openwall.com/lists/oss-security/2023/10/06/5 CVE-2023-45199 (Mbed TLS 3.2.x through 3.4.x before 3.5 has a Buffer Overflow that can ...) 
@@ -18736,13 +18737,14 @@ CVE-2023-39616 (AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid re NOTE: For Debian this was initially fixed in Debian unstable with 3.7.0~rc3-1 but reverted with the NOTE: 3.7.0~really3.6.1-1 upload re-introducing the issue. CVE-2023-39615 (Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds rea ...) + [experimental] - libxml2 2.12.3+dfsg-0exp1 - libxml2 (bug #1051230) [bookworm] - libxml2 (Minor issue) [bullseye] - libxml2 (Minor issue) [buster] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/535 - NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9 - NOTE: Followup: https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129 + NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9 (v2.12.0) + NOTE: Followup: https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129 (v2.12.0) CVE-2023-39522 (goauthentik is an open-source Identity Provider. In affected versions ...) NOT-FOR-US: authentik CVE-2023-39268 (A memory corruption vulnerability in ArubaOS-Switch could lead to unau ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13fbaaf05d7b15a6c9300ea0d5e5563c4db739d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13fbaaf05d7b15a6c9300ea0d5e5563c4db739d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for php-dompdf-svg-lib issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9659a03 by Salvatore Bonaccorso at 2023-12-19T06:21:24+01:00 Track fixed version for php-dompdf-svg-lib issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1458,12 +1458,12 @@ CVE-2023-6753 (Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2. CVE-2023-50263 (Nautobot is a Network Source of Truth and Network Automation Platform ...) NOT-FOR-US: Nautobot CVE-2023-50252 (php-svg-lib is an SVG file parsing / rendering library. Prior to versi ...) - - php-dompdf-svg-lib (bug #1058641) + - php-dompdf-svg-lib 0.5.1-1 (bug #1058641) NOTE: https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-jq98-9543-m4cr NOTE: Fixed by: https://github.com/dompdf/php-svg-lib/commit/08ce6a96d63ad7216315fae34a61c886dd2dc030 (0.5.1) TODO: check, other packages are embedding the library: civicrm, icinga-php-thirdparty and icingaweb2 to be checked CVE-2023-50251 (php-svg-lib is an SVG file parsing / rendering library. Prior to versi ...) - - php-dompdf-svg-lib (bug #1058641) + - php-dompdf-svg-lib 0.5.1-1 (bug #1058641) NOTE: https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2 NOTE: Fixed by: https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0 (0.5.1) TODO: check, other packages are embedding the library: civicrm, icinga-php-thirdparty and icingaweb2 to be checked View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9659a037f36262a15d276a11627ce25404f06c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9659a037f36262a15d276a11627ce25404f06c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
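Review bot: recording php-dompdf-svg-lib 0.5.1-1 as the fixed version for CVE-2023-50252 and CVE-2023-50251 matches the "Fixed by ... (0.5.1)" NOTEs, but both entries keep the identical "TODO: check, other packages are embedding the library" line naming civicrm, icinga-php-thirdparty and icingaweb2; until that check is done the fixed version covers only the source package and not the embedded copies, so consider resolving the TODO (or cross-referencing data/embedded-code-copies) rather than carrying it verbatim in two places.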
[Git][security-tracker-team/security-tracker][master] Track fixed issues in openssh via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 42f14593 by Salvatore Bonaccorso at 2023-12-19T06:18:34+01:00 Track fixed issues in openssh via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35,11 +35,11 @@ CVE-2023-5348 (The Product Catalog Mode For WooCommerce WordPress plugin before CVE-2023-5005 (The Autocomplete Location field Contact Form 7 WordPress plugin before ...) NOT-FOR-US: WordPress plugin CVE-2023-51385 (In ssh in OpenSSH before 9.6, OS command injection might occur if a us ...) - - openssh + - openssh 1:9.6p1-1 NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2 NOTE: https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a (V_9_6_P1) CVE-2023-51384 (In ssh-agent in OpenSSH before 9.6, certain destination constraints ca ...) - - openssh + - openssh 1:9.6p1-1 NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2 NOTE: https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b (V_9_6_P1) CVE-2023-50372 (Cross-Site Request Forgery (CSRF) vulnerability in Hiroaki Miyashita C ...) @@ -102,7 +102,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - golang-go.crypto - libssh - libssh2 - - openssh + - openssh 1:9.6p1-1 - paramiko - putty 0.80-1 - proftpd-dfsg View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42f14593586f5ad8ca64cd56a87ff09f30249941 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42f14593586f5ad8ca64cd56a87ff09f30249941 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] reclaim varnish in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ce4e477 by Abhijith PA at 2023-12-19T10:15:18+05:30 reclaim varnish in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -247,9 +247,10 @@ tomcat9 NOTE: 20231129: Added by Front-Desk (Beuc) NOTE: 20131217: I have made a fix, tests are ok but due to high popcon prefer a review by apo (rouca) -- -varnish +varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 + NOTE: 20231219: Continuing work -- wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ce4e4779f60d36b7bf23304a1d073185542a4ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ce4e4779f60d36b7bf23304a1d073185542a4ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
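Review bot: the new "20231219: Continuing work" note adds a date but no state, so it does not tell the next front-desk what remains after the 20231204 pre-commit work on CVE-2023-44487 and pull request 4004; a few words on the outstanding steps (testing, review, upload) would be more useful. The context line for tomcat9 is dated "20131217", which looks like a typo for 20231217 and could be fixed in passing.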
[Git][security-tracker-team/security-tracker][master] LTS: claim dropbear and libssh2 in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 405c351b by Guilhem Moulin at 2023-12-19T01:19:27+01:00 LTS: claim dropbear and libssh2 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,7 +74,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -dropbear +dropbear (guilhem) NOTE: 20231219: Added by Front-Desk (ta) -- frr @@ -116,7 +116,7 @@ libreswan libssh NOTE: 20231219: Added by Front-Desk (ta) -- -libssh2 +libssh2 (guilhem) NOTE: 20231219: Added by Front-Desk (ta) -- libstb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/405c351bbcfe1241ab3ff9678ac83678de47903e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/405c351bbcfe1241ab3ff9678ac83678de47903e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 5 commits: add openssh
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: cb7a1cf7 by Thorsten Alteholz at 2023-12-19T00:20:24+01:00 add openssh - - - - - ef35183e by Thorsten Alteholz at 2023-12-19T00:24:29+01:00 add dropbear - - - - - bf93abcd by Thorsten Alteholz at 2023-12-19T00:25:14+01:00 add golang-go.crypto - - - - - 19316c27 by Thorsten Alteholz at 2023-12-19T00:26:00+01:00 add libssh - - - - - a5d1da40 by Thorsten Alteholz at 2023-12-19T00:26:49+01:00 add libssh2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,9 +74,15 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +dropbear + NOTE: 20231219: Added by Front-Desk (ta) +-- frr NOTE: 20231119: Added by Front-Desk (apo) -- +golang-go.crypto + NOTE: 20231219: Added by Front-Desk (ta) +-- haproxy NOTE: 20231217: Added by Front-Desk (utkarsh) -- @@ -107,6 +113,12 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- +libssh + NOTE: 20231219: Added by Front-Desk (ta) +-- +libssh2 + NOTE: 20231219: Added by Front-Desk (ta) +-- libstb NOTE: 20231029: Added by Front-Desk (gladk) NOTE: 20231029: A lot of open CVEs. Maybe duplicates. 
@@ -150,6 +162,9 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- +openssh + NOTE: 20231219: Added by Front-Desk (ta) +-- osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e88892d15d8255a2c3b4f96ce9fbe8be4a265d1b...a5d1da409d4da3fa6bb19318c046e59ce220e144 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e88892d15d8255a2c3b4f96ce9fbe8be4a265d1b...a5d1da409d4da3fa6bb19318c046e59ce220e144 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
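Review bot: all five new dla-needed.txt entries (dropbear, golang-go.crypto, libssh, libssh2, openssh) carry only "Added by Front-Desk (ta)" and no CVE identifier or hint that they stem from one shared issue; naming the CVE in each entry's NOTE would let a claimer see the common root cause and coordinate the fixes instead of triaging each package from scratch.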
[Git][security-tracker-team/security-tracker][master] dla: cacti status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e88892d1 by Sylvain Beucler at 2023-12-18T22:49:16+01:00 dla: cacti status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,6 +46,7 @@ bouncycastle (Markus Koschany) cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) NOTE: 20231205: Triaging CVEs backlog (Beuc) + NOTE: 20231218: Keep triaging CVEs backlog (Beuc) -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e88892d15d8255a2c3b4f96ce9fbe8be4a265d1b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e88892d15d8255a2c3b4f96ce9fbe8be4a265d1b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6817/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b39125b6 by Salvatore Bonaccorso at 2023-12-18T21:52:18+01:00 Add CVE-2023-6817/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,9 @@ CVE-2023-6920 CVE-2023-6911 (Multiple WSO2 products have been identified as vulnerable due to impro ...) NOT-FOR-US: WSO2 CVE-2023-6817 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...) - TODO: check + - linux + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/317eb9685095678f2c9f5a8189de698c5354316a (6.7-rc5) CVE-2023-6778 (Cross-site Scripting (XSS) - Stored in GitHub repository allegroai/cle ...) TODO: check CVE-2023-6691 (Cambium ePMP Force 300-25 version 4.7.0.1 is vulnerable to a code inje ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b39125b652fdbdd32cb9700ec117cc430a91f19f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b39125b652fdbdd32cb9700ec117cc430a91f19f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for ldap-account-manager and adjust bug reference
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47cb9546 by Salvatore Bonaccorso at 2023-12-18T21:46:50+01:00 Update status for ldap-account-manager and adjust bug reference - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -3075,7 +3075,8 @@ phpseclib - icinga-web (embed; bug #781415) php-phpseclib3 - - ldap-account-manager (embed; bug #1057036) + - ldap-account-manager 8.6-1 (embed; bug #1057037) + NOTE: since 8.6-1 linking to php-phpseclib3 and using it doctrine - icinga-web (embed; bug #781415) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47cb9546df4fc44fd571c44edcfbb5eac8c2036d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47cb9546df4fc44fd571c44edcfbb5eac8c2036d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
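Review bot: the commit message says "adjust bug reference" but the hunk changes the number from #1057036 to #1057037 without saying why; if the earlier number was a typo or pointed at a different report, a word in the message or in the new NOTE would stop someone from "correcting" it back later.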
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 671371f8 by Salvatore Bonaccorso at 2023-12-18T21:43:23+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,37 +1,37 @@ CVE-2023-6920 REJECTED CVE-2023-6911 (Multiple WSO2 products have been identified as vulnerable due to impro ...) - TODO: check + NOT-FOR-US: WSO2 CVE-2023-6817 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...) TODO: check CVE-2023-6778 (Cross-site Scripting (XSS) - Stored in GitHub repository allegroai/cle ...) TODO: check CVE-2023-6691 (Cambium ePMP Force 300-25 version 4.7.0.1 is vulnerable to a code inje ...) - TODO: check + NOT-FOR-US: Cambium ePMP Force CVE-2023-6295 (The SiteOrigin Widgets Bundle WordPress plugin before 1.51.0 does not ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6289 (The Swift Performance Lite WordPress plugin before 2.3.6.15 does not p ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6272 (The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6222 (IThe Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 does ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6203 (The Events Calendar WordPress plugin before 6.2.8.1 discloses the cont ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6077 (The Slider WordPress plugin before 3.5.12 does not ensure that posts t ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6065 (The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn' ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5949 (The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthor ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5886 (The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5882 (The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5348 (The Product Catalog Mode For WooCommerce WordPress plugin before 5.0.3 ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5005 (The Autocomplete Location field Contact Form 7 WordPress plugin before ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51385 (In ssh in OpenSSH before 9.6, OS command injection might occur if a us ...) - openssh NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2 
@@ -41,47 +41,47 @@ CVE-2023-51384 (In ssh-agent in OpenSSH before 9.6, certain destination constrai NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2 NOTE: https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b (V_9_6_P1) CVE-2023-50372 (Cross-Site Request Forgery (CSRF) vulnerability in Hiroaki Miyashita C ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-4724 (The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-4311 (The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 is vulnerab ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49855 (Cross-Site Request Forgery (CSRF) vulnerability in BinaryCarpenter Men ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49854 (Cross-Site Request Forgery (CSRF) vulnerability in Tribe Interactive C ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49853 (Cross-Site Request Forgery (CSRF) vulnerability in PayTR \xd6deme ve E ...) TODO: check CVE-2023-49844 (Cross-Site Request Forgery (CSRF) vulnerability in Kevin Ohashi WPPerf ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49843 (Cross-Site Request Forgery (CSRF) vulnerability in QuanticEdge First O ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49840 (Cross-Site Request Forgery (CSRF) vulnerability in Palscode Multi Curr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-48766 (Cross-Site Request Forgery (CSRF) vulnerability in SVGator SVGator \u2 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-48762 (Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetEleme ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-48755 (Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler tea ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47806 (Cross-Site Request Forgery (CSRF)
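Review bot: CVE-2023-49853 (PayTR, CSRF) is the one entry in this hunk left at TODO: check while every neighbouring CSRF entry is reclassified NOT-FOR-US: WordPress plugin; the truncated description does not name WordPress, so holding it back is defensible, but a short NOTE saying why it stays open would spare the next triager from re-deriving that.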
[Git][security-tracker-team/security-tracker][master] Add two openssh issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c058a71e by Salvatore Bonaccorso at 2023-12-18T21:42:39+01:00 Add two openssh issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33,9 +33,13 @@ CVE-2023-5348 (The Product Catalog Mode For WooCommerce WordPress plugin before CVE-2023-5005 (The Autocomplete Location field Contact Form 7 WordPress plugin before ...) TODO: check CVE-2023-51385 (In ssh in OpenSSH before 9.6, OS command injection might occur if a us ...) - TODO: check + - openssh + NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2 + NOTE: https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a (V_9_6_P1) CVE-2023-51384 (In ssh-agent in OpenSSH before 9.6, certain destination constraints ca ...) - TODO: check + - openssh + NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/2 + NOTE: https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b (V_9_6_P1) CVE-2023-50372 (Cross-Site Request Forgery (CSRF) vulnerability in Hiroaki Miyashita C ...) TODO: check CVE-2023-4724 (The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c058a71e8cbcea0e05300cb02940ddf52cb21082 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c058a71e8cbcea0e05300cb02940ddf52cb21082 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
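Review bot: the two new `- openssh` package lines carry no fixed Debian version, so CVE-2023-51385 and CVE-2023-51384 stay open in the tracker even though the referenced upstream commits are tagged V_9_6_P1; once the 9.6 upload is in unstable, append the version the way 7b8b547b does for putty (`- putty 0.80-1`) so the fix is tracked rather than left to a later pass.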
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 109f92b7 by Salvatore Bonaccorso at 2023-12-18T21:25:20+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -67,11 +67,11 @@ CVE-2023-47789 (Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce C CVE-2023-47787 (Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooComm ...) TODO: check CVE-2023-47741 (IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web browser cl ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-46617 (Cross-Site Request Forgery (CSRF) vulnerability in AdFoxly AdFoxly \u2 ...) TODO: check CVE-2023-46177 (IBM MQ Appliance 9.3 LTS and 9.3 CD could allow a remote attacker to t ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-39509 (A command injection vulnerability exists in Bosch IP cameras that allo ...) TODO: check CVE-2023-35867 (An improper handling of a malformed API answer packets to API clients ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/109f92b73c7a782b30f995134e40d2fe8b76f8d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/109f92b73c7a782b30f995134e40d2fe8b76f8d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] libssh: Reference fixes from stable branch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b7174d6 by Salvatore Bonaccorso at 2023-12-18T21:16:51+01:00 libssh: Reference fixes from stable branch This is fixed both in 0.10.6 *and* 0.9.8 upstream. For now only referencing the commits from the stable-0.10 branch. Same set of commits exists in stable-0.9 branch. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -107,10 +107,10 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun NOTE: golang.org/x/crypto/ssh: https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg NOTE: golang.org/x/crypto/ssh: https://github.com/golang/go/issues/64784 NOTE: golang.org/x/crypto/ssh: https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (v0.17.0) - NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/7ecc6a704ba30ef65a928742f140e0ee977c9dc4 - NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/3876976cedb93450e0e2a4fc8125d05b99c7fe5a - NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/bdcdf920965f2fffc8e4ff8fc5675992eacf3891 - NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/a8b9d1368724cb237743ebc98218b7fe713459c8 + NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/4cef5e965a46e9271aed62631b152e4bd23c1e3c (libssh-0.10.6) + NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/0870c8db28be9eb457ee3d4f9a168959d9507efd (libssh-0.10.6) + NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/5846e57538c750c5ce67df887d09fa99861c79c6 (libssh-0.10.6) + NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/89df759200d31fc79fbbe213d8eda0d329eebf6d (libssh-0.10.6) NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2 NOTE: OpenSSH (strict key exchange): https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 (V_9_6_P1) NOTE: paramiko: https://github.com/paramiko/paramiko/issues/2337 
@@ -4708,23 +4708,23 @@ CVE-2023-6007 (The UserPro plugin for WordPress is vulnerable to unauthorized ac NOT-FOR-US: WordPress plugin CVE-2023-6918 - libssh - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/a16f34c57a4034f940c557936fd9434976adabcf - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/10c200037a82218d43c30ff2fcda0af7fbe7168e - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/5c407d2f16ab76c3dbc8324b4138f405177219b6 - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/59c00c66c4466bacaddf73dcd853ac1dac95ba39 - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/b3de3a33352a78214a534005e3e4f0576dcc9e17 + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/610d7a09f99c601224ae2aa3d3de7e75b1d284dd (libssh-0.10.6) + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/63ff242131c8e6d98917456f71f6d33b9ef3a763 (libssh-0.10.6) + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/8b66d037d575e5f3ce4d35964547ff8c7e75ff8e (libssh-0.10.6) + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/8977e246b6d7ae467cab008a49e0a9e3d84bc2a0 (libssh-0.10.6) + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/622421018b58392ffecc29726b947e089b678221 (libssh-0.10.6) CVE-2023-6004 - libssh - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/57ec9a35c612d416bfc045c48ccb69a5e9b57008 - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/1dfde16f49076b255e6370f30abf9f03d48997be - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/b83368b2ed10a3d14344f374d9765d47d1d9f3f7 - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/0ff85b034a04d45e79a79cd5666b348b5e27800d - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/2cd971e10e6244c6ffbfadbeba626ef998b4f78e - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/95c6f880ef1539635bb82a134f7b8a06a46887ca - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/7b697d711e2c8b88ca6e15e349caae2dff9cb442 - NOTE: 
https://gitlab.com/libssh/libssh-mirror/-/commit/92e35c291c9a5c6dbe742a2677bf377597f69cd7 - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/2c92e8ce930a428a6fd150ae1ae55c5a365543f5 - NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/f353b39ff2c0e0db51f978f035ac976ff5377413 + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/c2c56bacab00766d01671413321d564227aabf19 (libssh-0.10.6) + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/a66b4a6eae6614d200a3625862d77565b96a7cd3 (libssh-0.10.6) + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/8615c24647f773a5e04203c7459512715d698be1 (libssh-0.10.6) + NOTE:
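Review bot: the commit message says the issues are fixed in both 0.10.6 and 0.9.8, but the rewritten NOTE lines only carry the (libssh-0.10.6) commits and the `- libssh` lines under CVE-2023-6918 and CVE-2023-6004 still have no fixed version; a NOTE naming the stable-0.9 counterparts (or at least the 0.9.8 release) would let whoever prepares an update for a 0.9-based package find the right backport without repeating that search.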
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 69cc5e69 by security tracker role at 2023-12-18T20:12:05+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,7 +1,97 @@ +CVE-2023-6920 + REJECTED +CVE-2023-6911 (Multiple WSO2 products have been identified as vulnerable due to impro ...) + TODO: check +CVE-2023-6817 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...) + TODO: check +CVE-2023-6778 (Cross-site Scripting (XSS) - Stored in GitHub repository allegroai/cle ...) + TODO: check +CVE-2023-6691 (Cambium ePMP Force 300-25 version 4.7.0.1 is vulnerable to a code inje ...) + TODO: check +CVE-2023-6295 (The SiteOrigin Widgets Bundle WordPress plugin before 1.51.0 does not ...) + TODO: check +CVE-2023-6289 (The Swift Performance Lite WordPress plugin before 2.3.6.15 does not p ...) + TODO: check +CVE-2023-6272 (The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit ...) + TODO: check +CVE-2023-6222 (IThe Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 does ...) + TODO: check +CVE-2023-6203 (The Events Calendar WordPress plugin before 6.2.8.1 discloses the cont ...) + TODO: check +CVE-2023-6077 (The Slider WordPress plugin before 3.5.12 does not ensure that posts t ...) + TODO: check +CVE-2023-6065 (The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn' ...) + TODO: check +CVE-2023-5949 (The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthor ...) + TODO: check +CVE-2023-5886 (The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 ...) + TODO: check +CVE-2023-5882 (The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 ...) + TODO: check +CVE-2023-5348 (The Product Catalog Mode For WooCommerce WordPress plugin before 5.0.3 ...) + TODO: check +CVE-2023-5005 (The Autocomplete Location field Contact Form 7 WordPress plugin before ...) + TODO: check +CVE-2023-51385 (In ssh in OpenSSH before 9.6, OS command injection might occur if a us ...) + TODO: check +CVE-2023-51384 (In ssh-agent in OpenSSH before 9.6, certain destination constraints ca ...) 
+ TODO: check +CVE-2023-50372 (Cross-Site Request Forgery (CSRF) vulnerability in Hiroaki Miyashita C ...) + TODO: check +CVE-2023-4724 (The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 ...) + TODO: check +CVE-2023-4311 (The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 is vulnerab ...) + TODO: check +CVE-2023-49855 (Cross-Site Request Forgery (CSRF) vulnerability in BinaryCarpenter Men ...) + TODO: check +CVE-2023-49854 (Cross-Site Request Forgery (CSRF) vulnerability in Tribe Interactive C ...) + TODO: check +CVE-2023-49853 (Cross-Site Request Forgery (CSRF) vulnerability in PayTR \xd6deme ve E ...) + TODO: check +CVE-2023-49844 (Cross-Site Request Forgery (CSRF) vulnerability in Kevin Ohashi WPPerf ...) + TODO: check +CVE-2023-49843 (Cross-Site Request Forgery (CSRF) vulnerability in QuanticEdge First O ...) + TODO: check +CVE-2023-49840 (Cross-Site Request Forgery (CSRF) vulnerability in Palscode Multi Curr ...) + TODO: check +CVE-2023-48766 (Cross-Site Request Forgery (CSRF) vulnerability in SVGator SVGator \u2 ...) + TODO: check +CVE-2023-48762 (Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetEleme ...) + TODO: check +CVE-2023-48755 (Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler tea ...) + TODO: check +CVE-2023-47806 (Cross-Site Request Forgery (CSRF) vulnerability in Saint Systems Disab ...) + TODO: check +CVE-2023-47789 (Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Canada ...) + TODO: check +CVE-2023-47787 (Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooComm ...) + TODO: check +CVE-2023-47741 (IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web browser cl ...) + TODO: check +CVE-2023-46617 (Cross-Site Request Forgery (CSRF) vulnerability in AdFoxly AdFoxly \u2 ...) + TODO: check +CVE-2023-46177 (IBM MQ Appliance 9.3 LTS and 9.3 CD could allow a remote attacker to t ...) 
+ TODO: check +CVE-2023-39509 (A command injection vulnerability exists in Bosch IP cameras that allo ...) + TODO: check +CVE-2023-35867 (An improper handling of a malformed API answer packets to API clients ...) + TODO: check +CVE-2023-33214 (Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Tagbox \u201 ...) + TODO: check +CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its param ...) + TODO: check +CVE-2023-32727 (An attacker who has the privilege to configure Zabbix
[Git][security-tracker-team/security-tracker][master] Add missing closing bracket in note
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab9d10c0 by Salvatore Bonaccorso at 2023-12-18T21:04:43+01:00 Add missing closing bracket in note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16,7 +16,7 @@ CVE-2023-48795 [General Protocol Flaw] NOTE: dropbear: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 NOTE: golang.org/x/crypto/ssh: https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg NOTE: golang.org/x/crypto/ssh: https://github.com/golang/go/issues/64784 - NOTE: golang.org/x/crypto/ssh: https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (v0.17.0 + NOTE: golang.org/x/crypto/ssh: https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (v0.17.0) NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/7ecc6a704ba30ef65a928742f140e0ee977c9dc4 NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/3876976cedb93450e0e2a4fc8125d05b99c7fe5a NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/bdcdf920965f2fffc8e4ff8fc5675992eacf3891 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab9d10c0b2577878a15be523b3aa01763881f0c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab9d10c0b2577878a15be523b3aa01763881f0c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2023-48795 for dropbear
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 74d228df by Salvatore Bonaccorso at 2023-12-18T20:57:51+01:00 Add reference for CVE-2023-48795 for dropbear - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,6 +13,7 @@ CVE-2023-48795 [General Protocol Flaw] - python-asyncssh NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 + NOTE: dropbear: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 NOTE: golang.org/x/crypto/ssh: https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg NOTE: golang.org/x/crypto/ssh: https://github.com/golang/go/issues/64784 NOTE: golang.org/x/crypto/ssh: https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (v0.17.0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74d228df2bace4ac464d7e30068123a7c5704dbb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74d228df2bace4ac464d7e30068123a7c5704dbb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
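Review bot: the added dropbear NOTE has no release annotation, unlike the OpenSSH (V_9_6_P1) and golang (v0.17.0) references in the same block, so the entry does not say which dropbear release first ships commit 6e43be5c; append the upstream tag once known. The unchanged golang context line also still reads `(v0.17.0` without its closing bracket, which the follow-up commit ab9d10c0 corrects.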
[Git][security-tracker-team/security-tracker][master] Add references for CVE-2023-48795 for golang.org/x/crypto/ssh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a02a19cf by Salvatore Bonaccorso at 2023-12-18T20:55:10+01:00 Add references for CVE-2023-48795 for golang.org/x/crypto/ssh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,6 +13,9 @@ CVE-2023-48795 [General Protocol Flaw] - python-asyncssh NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 + NOTE: golang.org/x/crypto/ssh: https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg + NOTE: golang.org/x/crypto/ssh: https://github.com/golang/go/issues/64784 + NOTE: golang.org/x/crypto/ssh: https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (v0.17.0 NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/7ecc6a704ba30ef65a928742f140e0ee977c9dc4 NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/3876976cedb93450e0e2a4fc8125d05b99c7fe5a NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/bdcdf920965f2fffc8e4ff8fc5675992eacf3891 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a02a19cf8bb342201f61362b7fec609cc481fc46 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a02a19cf8bb342201f61362b7fec609cc481fc46 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
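Review bot: the third added NOTE line ends in `(v0.17.0` with no closing parenthesis, which needed a separate fix-up commit (ab9d10c0); a quick check of new NOTE lines for balanced brackets before pushing would avoid that kind of follow-up.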
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6918 and CVE-2023-6004
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc38b515 by Salvatore Bonaccorso at 2023-12-18T20:53:09+01:00 Add CVE-2023-6918 and CVE-2023-6004 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -4610,6 +4610,25 @@ CVE-2023-6008 (The UserPro plugin for WordPress is vulnerable to Cross-Site Requ NOT-FOR-US: WordPress plugin CVE-2023-6007 (The UserPro plugin for WordPress is vulnerable to unauthorized access ...) NOT-FOR-US: WordPress plugin +CVE-2023-6918 + - libssh + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/a16f34c57a4034f940c557936fd9434976adabcf + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/10c200037a82218d43c30ff2fcda0af7fbe7168e + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/5c407d2f16ab76c3dbc8324b4138f405177219b6 + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/59c00c66c4466bacaddf73dcd853ac1dac95ba39 + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/b3de3a33352a78214a534005e3e4f0576dcc9e17 +CVE-2023-6004 + - libssh + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/57ec9a35c612d416bfc045c48ccb69a5e9b57008 + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/1dfde16f49076b255e6370f30abf9f03d48997be + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/b83368b2ed10a3d14344f374d9765d47d1d9f3f7 + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/0ff85b034a04d45e79a79cd5666b348b5e27800d + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/2cd971e10e6244c6ffbfadbeba626ef998b4f78e + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/95c6f880ef1539635bb82a134f7b8a06a46887ca + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/7b697d711e2c8b88ca6e15e349caae2dff9cb442 + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/92e35c291c9a5c6dbe742a2677bf377597f69cd7 + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/2c92e8ce930a428a6fd150ae1ae55c5a365543f5 + NOTE: https://gitlab.com/libssh/libssh-mirror/-/commit/f353b39ff2c0e0db51f978f035ac976ff5377413 CVE-2023-5983 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) 
NOT-FOR-US: Botanik Software Pharmacy Automation CVE-2023-5921 (Improper Enforcement of Behavioral Workflow vulnerability in DECE Soft ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc38b5156cc73a2154f665f4674af7702e415241 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc38b5156cc73a2154f665f4674af7702e415241 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
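Review bot: the new CVE-2023-6918 and CVE-2023-6004 entries have neither the bracketed description every other entry in the context carries nor a fixed version on their `- libssh` lines, and the fifteen commit NOTEs have no release annotation; a one-line summary per CVE plus the upstream release containing the commits (3b7174d6 later re-points them to libssh-0.10.6-tagged commits) would make these entries usable without opening each link.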
[Git][security-tracker-team/security-tracker][master] Add libssh references for CVE-2023-48795
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c571264 by Salvatore Bonaccorso at 2023-12-18T20:52:26+01:00 Add libssh references for CVE-2023-48795 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,6 +13,10 @@ CVE-2023-48795 [General Protocol Flaw] - python-asyncssh NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 + NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/7ecc6a704ba30ef65a928742f140e0ee977c9dc4 + NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/3876976cedb93450e0e2a4fc8125d05b99c7fe5a + NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/bdcdf920965f2fffc8e4ff8fc5675992eacf3891 + NOTE: libssh: https://gitlab.com/libssh/libssh-mirror/-/commit/a8b9d1368724cb237743ebc98218b7fe713459c8 NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2 NOTE: OpenSSH (strict key exchange): https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 (V_9_6_P1) NOTE: paramiko: https://github.com/paramiko/paramiko/issues/2337 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c571264c8cf99763022b459743f73a69b740778 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c571264c8cf99763022b459743f73a69b740778 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
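Review bot: the four libssh NOTE lines added here lack the release annotation the adjacent OpenSSH reference carries (V_9_6_P1), and 3b7174d6 later replaces all four with libssh-0.10.6-tagged commits; recording the release at the time of adding would have saved the second edit.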
[Git][security-tracker-team/security-tracker][master] Add reference for paramiko for CVE-2023-48795
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d9964c94 by Salvatore Bonaccorso at 2023-12-18T20:43:42+01:00 Add reference for paramiko for CVE-2023-48795 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,6 +15,7 @@ CVE-2023-48795 [General Protocol Flaw] NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2 NOTE: OpenSSH (strict key exchange): https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 (V_9_6_P1) + NOTE: paramiko: https://github.com/paramiko/paramiko/issues/2337 NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9e099151574885f3c717ac10a633a9218db8e7bb (0.80) NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2e7086902b3605c96e54ef9c956ca7ab10e (0.80) NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fcbb86f715bc03e58921482efe663aa0c662d62 (0.80) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9964c942658862da3f7ec6cfa6bcef0eb7de884 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9964c942658862da3f7ec6cfa6bcef0eb7de884 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
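Review bot: the paramiko NOTE points at an issue rather than a fixing commit or release, so unlike the OpenSSH and PuTTY references around it the entry does not say which paramiko version is fixed; replace or supplement it with the fix commit and version once upstream publishes one.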
[Git][security-tracker-team/security-tracker][master] Add references for asyncssh for CVE-2023-48795
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fd22f75 by Salvatore Bonaccorso at 2023-12-18T20:38:59+01:00 Add references for asyncssh for CVE-2023-48795 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,6 +23,8 @@ CVE-2023-48795 [General Protocol Flaw] NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=0b00e4ce26d89cd010e31e66fd02ac77cb982367 (0.80) NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=fdc891d17063ab26cf68c74245ab1fd9771556cb (0.80) NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=b80a41d386dbfa1b095c17bd2ed001477f302d46 (0.80) + NOTE: asyncssh: https://github.com/ronf/asyncssh/security/advisories/GHSA-hfmc-7525-mj55 + NOTE: asyncssh: https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b (v2.14.2) CVE-2023-41314 NOT-FOR-US: Apache Doris CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fd22f75664c41cfafa9604050c542a4dfc3b3be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fd22f75664c41cfafa9604050c542a4dfc3b3be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
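Review bot: the two asyncssh NOTE lines are appended after the PuTTY block although the per-implementation notes in this entry are kept in alphabetical order (OpenSSH, paramiko, PuTTY, as seen in d9964c94); placing them at the top of that list keeps the entry scannable as more implementations are added.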
[Git][security-tracker-team/security-tracker][master] webkit2gtk DSA-5580-1
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker Commits: ccba81f0 by Alberto Garcia at 2023-12-18T20:13:43+01:00 webkit2gtk DSA-5580-1 - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[18 Dec 2023] DSA-5580-1 webkit2gtk - security update + {CVE-2023-42883} + [bullseye] - webkit2gtk 2.42.4-1~deb11u1 + [bookworm] - webkit2gtk 2.42.4-1~deb12u1 [17 Dec 2023] DSA-5579-1 freeimage - security update {CVE-2020-21427 CVE-2020-21428 CVE-2020-22524} [bullseye] - freeimage 3.18.0+ds2-6+deb11u1 = data/dsa-needed.txt = @@ -97,8 +97,6 @@ squid -- varnish -- -webkit2gtk (berto) --- zbar unfixed upstream, initial aproaches are overly strict and cause zbar's tests to fail, some caution is in order -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccba81f0efa58120f5b5c54474a682136d6fcb7d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccba81f0efa58120f5b5c54474a682136d6fcb7d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add upstream commits for putty for CVE-2023-48795
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e1af06c by Salvatore Bonaccorso at 2023-12-18T19:35:22+01:00 Add upstream commits for putty for CVE-2023-48795 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -15,6 +15,14 @@ CVE-2023-48795 [General Protocol Flaw] NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2 NOTE: OpenSSH (strict key exchange): https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 (V_9_6_P1) + NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9e099151574885f3c717ac10a633a9218db8e7bb (0.80) + NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2e7086902b3605c96e54ef9c956ca7ab10e (0.80) + NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fcbb86f715bc03e58921482efe663aa0c662d62 (0.80) + NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=244be5412728a7334a2d457fbac4e0a2597165e5 (0.80) + NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=58fc33a155ad496bdcf380fa6193302240a15ae9 (0.80) + NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=0b00e4ce26d89cd010e31e66fd02ac77cb982367 (0.80) + NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=fdc891d17063ab26cf68c74245ab1fd9771556cb (0.80) + NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=b80a41d386dbfa1b095c17bd2ed001477f302d46 (0.80) CVE-2023-41314 NOT-FOR-US: Apache Doris CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e1af06c6e27a54677d6f3d799a9e7f444165c6f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e1af06c6e27a54677d6f3d799a9e7f444165c6f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
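Review bot: the second PuTTY NOTE hash, f2e7086902b3605c96e54ef9c956ca7ab10e, is 36 hex digits where the other seven are full 40-digit commit ids, so it looks truncated during copy; re-check it against the git.tartarus.org commit page and paste the full id, since a hash with a character dropped from the middle will not resolve.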
[Git][security-tracker-team/security-tracker][master] Add openssh to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d415ead6 by Salvatore Bonaccorso at 2023-12-18T19:24:25+01:00 Add openssh to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -44,6 +44,9 @@ nbconvert/oldstable nodejs maintainer proposed to follow the upstream 18.x LTS branch -- +openssh (carnil) + maintainer working on updates +-- php-cas/oldstable -- php-horde-mime-viewer/oldstable @@ -52,6 +55,9 @@ php-horde-turba/oldstable -- phppgadmin -- +putty (carnil) + maintainer working on updates +-- py7zr/oldstable -- python3.11/stable (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d415ead6ce817685dd330bb3d17dbe0318f3c932 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d415ead6ce817685dd330bb3d17dbe0318f3c932 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for putty via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b8b547b by Salvatore Bonaccorso at 2023-12-18T19:23:08+01:00 Track fixed version for putty via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,7 +8,7 @@ CVE-2023-48795 [General Protocol Flaw] - libssh2 - openssh - paramiko - - putty + - putty 0.80-1 - proftpd-dfsg - python-asyncssh NOTE: https://terrapin-attack.com/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b8b547b886b95e8b2225d86e4992203399ef3b0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b8b547b886b95e8b2225d86e4992203399ef3b0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add further set of packages needing fixes for CVE-2023-48795
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 21aa766b by Salvatore Bonaccorso at 2023-12-18T18:12:38+01:00 Add further set of packages needing fixes for CVE-2023-48795 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2,7 +2,14 @@ CVE-2023-46447 [Rogue Session Attack in AsyncSSH] - python-asyncssh NOTE: https://terrapin-attack.com/ CVE-2023-48795 [General Protocol Flaw] + - dropbear + - golang-go.crypto + - libssh + - libssh2 - openssh + - paramiko + - putty + - proftpd-dfsg - python-asyncssh NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21aa766bb5b8a195df6a3cf51be976948e4b777b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21aa766bb5b8a195df6a3cf51be976948e4b777b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
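Review bot: `putty` is inserted ahead of `proftpd-dfsg`, which breaks the otherwise alphabetical package order of this entry (paramiko, proftpd-dfsg, putty, python-asyncssh); swap the two lines. The seven new packages are listed without any per-suite status, which is expected for first-pass triage, but each will show as unfixed in every release until a fixed version or a `[suite] - pkg (...)` line is added, so the follow-ups (as done for putty in the later commit in this batch) should not wait long.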
[Git][security-tracker-team/security-tracker][master] Reference commit from OpenSSH implementing strict key exchange
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bca640a by Salvatore Bonaccorso at 2023-12-18T18:05:03+01:00 Reference commit from OpenSSH implementing strict key exchange - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,6 +7,7 @@ CVE-2023-48795 [General Protocol Flaw] NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2 + NOTE: OpenSSH (strict key exchange): https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 (V_9_6_P1) CVE-2023-41314 NOT-FOR-US: Apache Doris CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bca640aef34ad1e8bdc447a5c6a0879bf697cb5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bca640aef34ad1e8bdc447a5c6a0879bf697cb5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove additional space in note
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6b8eb04 by Salvatore Bonaccorso at 2023-12-18T17:58:27+01:00 Remove additional space in note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -292955,7 +292955,7 @@ CVE-2020-1736 (A flaw was found in Ansible Engine when a file is moved using ato NOTE: specify a mode in the task briefly go from (666 - umask) to the final mode. NOTE: An alternative workaround if many new files are ansible.builtin.copy mode=preserve NOTE: that preserve file mode from controller to managed host. - NOTE: Documentation fix: https://github.com/ansible/ansible/commit/bc37976df2ac455a4b74d48eb824803ef27df7bc + NOTE: Documentation fix: https://github.com/ansible/ansible/commit/bc37976df2ac455a4b74d48eb824803ef27df7bc CVE-2020-1735 (A flaw was found in the Ansible Engine when the fetch module is used. ...) {DSA-4950-1} - ansible 2.9.7+dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6b8eb044e806d5ec6106d0116d16d9a11ea2818 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6b8eb044e806d5ec6106d0116d16d9a11ea2818 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add oss-security reference for terrapin-attack post
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 44cb0645 by Salvatore Bonaccorso at 2023-12-18T17:54:13+01:00 Add oss-security reference for terrapin-attack post - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,6 +5,7 @@ CVE-2023-48795 [General Protocol Flaw] - openssh - python-asyncssh NOTE: https://terrapin-attack.com/ + NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2 CVE-2023-41314 NOT-FOR-US: Apache Doris View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44cb0645714871d9178e57bf8c189b7c6d34ba7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44cb0645714871d9178e57bf8c189b7c6d34ba7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add initial tracking for CVE-2023-4879{5,6,7}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cc91c53 by Salvatore Bonaccorso at 2023-12-18T17:24:52+01:00 Add initial tracking for CVE-2023-4879{5,6,7} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2023-46447 [Rogue Session Attack in AsyncSSH] + - python-asyncssh + NOTE: https://terrapin-attack.com/ +CVE-2023-48795 [General Protocol Flaw] + - openssh + - python-asyncssh + NOTE: https://terrapin-attack.com/ + NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2 CVE-2023-41314 NOT-FOR-US: Apache Doris CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) @@ -6312,6 +6320,7 @@ CVE-2023-46446 (An issue in AsyncSSH v2.14.0 and earlier allows attackers to con [bullseye] - python-asyncssh (Minor issue) [buster] - python-asyncssh (Minor issue) NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm + NOTE: https://terrapin-attack.com/ CVE-2023-46445 (An issue in AsyncSSH v2.14.0 and earlier allows attackers to control t ...) - python-asyncssh (bug #1056000) [bookworm] - python-asyncssh (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cc91c5333d8a667ee84589827aef32d55c0b10a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cc91c5333d8a667ee84589827aef32d55c0b10a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
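Review bot: the commit message "Add initial tracking for CVE-2023-4879{5,6,7}" does not match the diff: the first hunk adds CVE-2023-46447 and CVE-2023-48795, and the second hunk only appends a NOTE to the existing CVE-2023-46446 entry; CVE-2023-48796 and CVE-2023-48797 do not appear anywhere in the change. Since the commit is already pushed, a follow-up note in the CVE/list entries (or the next commit message) should clarify which identifiers are actually being tracked. Also, the new CVE-2023-46447 entry has no per-suite status lines, whereas the neighbouring CVE-2023-46446 entry already carries `[bullseye]`/`[buster]` "Minor issue" markers for the same package; the two AsyncSSH issues reference the same terrapin-attack.com source, so the same triage decision likely applies and should be recorded.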
[Git][security-tracker-team/security-tracker][master] freeimage DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a3ef504 by Moritz Mühlenhoff at 2023-12-18T16:50:17+01:00 freeimage DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[17 Dec 2023] DSA-5579-1 freeimage - security update + {CVE-2020-21427 CVE-2020-21428 CVE-2020-22524} + [bullseye] - freeimage 3.18.0+ds2-6+deb11u1 + [bookworm] - freeimage 3.18.0+ds2-9+deb12u1 [17 Dec 2023] DSA-5576-2 xorg-server - security update {CVE-2023-6377} [bullseye] - xorg-server 2:1.20.11-1+deb11u10 = data/dsa-needed.txt = @@ -23,8 +23,6 @@ curl -- dnsdist (jmm) -- -freeimage (jmm) --- frr -- gpac/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a3ef504b2ebaf62b1b97b5e928c6865dc47da36 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a3ef504b2ebaf62b1b97b5e928c6865dc47da36 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes of squid and bouncycastle in dla-needed.txt and reclaim the
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bfb04929 by Markus Koschany at 2023-12-18T15:47:48+01:00 Update notes of squid and bouncycastle in dla-needed.txt and reclaim the packages. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -37,10 +37,11 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231217: almost done with testing -- -bouncycastle +bouncycastle (Markus Koschany) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) NOTE: 20231128: I can't find changes in PEMParser.java related to CVE-2023-33202, maybe contact upstream (Beuc/front-desk) + NOTE: 20231218: Decision impending. (apo) -- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) @@ -205,8 +206,9 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -squid +squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) + NOTE: 20231218: Investigating new CVE. (apo) -- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfb04929cfee7d2f42db0a4d284c88fffe92132e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfb04929cfee7d2f42db0a4d284c88fffe92132e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
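Review bot: the new bouncycastle note "20231218: Decision impending. (apo)" does not say what is being decided; the preceding 20231128 note records that the PEMParser.java change for CVE-2023-33202 could not be located and suggests contacting upstream, so the note should name the open question (ship a fix, mark no-dsa, or ask upstream) so the next front-desk pass can act on it without re-reading the history. The squid note "Investigating new CVE. (apo)" has the same problem: naming the CVE id would make the entry self-explanatory.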
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: f66e7e98 by Roberto C. Sánchez at 2023-12-18T08:33:35-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -37,7 +37,7 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231217: almost done with testing -- -bouncycastle (Markus Koschany) +bouncycastle NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) NOTE: 20231128: I can't find changes in PEMParser.java related to CVE-2023-33202, maybe contact upstream (Beuc/front-desk) @@ -205,7 +205,7 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -squid (Markus Koschany) +squid NOTE: 20231102: Added by Front-Desk (lamby) -- suricata (Adrian Bunk) @@ -229,7 +229,7 @@ tomcat9 NOTE: 20231129: Added by Front-Desk (Beuc) NOTE: 20131217: I have made a fix, tests are ok but due to high popcon prefer a review by apo (rouca) -- -varnish (Abhijith PA) +varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f66e7e984d16655c06ff4a66a0198c487ab2472b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f66e7e984d16655c06ff4a66a0198c487ab2472b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
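Review bot: the varnish unclaim in the third hunk is the borderline case here: its last note is dated 20231204, exactly 14 days before this commit, and it records active work (a pull request referenced for CVE-2023-44487), so the "2 weeks of inactivity" rule is met only to the day; a ping to the claimant before unclaiming at exactly the threshold would avoid the reclaim churn seen for bouncycastle and squid later in this batch. The bouncycastle (last note 20231128) and squid (last note 20231102) unclaims are clearly past the threshold. In the unchanged context of the same hunk, the tomcat9 note is dated `20131217`, presumably a typo for 20231217; worth fixing in a follow-up since the semi-automatic unclaim presumably keys on these dates.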
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 983b359e by Moritz Muehlenhoff at 2023-12-18T14:17:45+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-41314 + NOT-FOR-US: Apache Doris CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) NOT-FOR-US: mlflow CVE-2023-6908 (A vulnerability, which was classified as problematic, was found in DFI ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/983b359ee03142113d79917cddf5a9ccba4aa871 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/983b359ee03142113d79917cddf5a9ccba4aa871 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add note
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abcf7697 by Adrian Bunk at 2023-12-18T13:47:40+02:00 dla: add note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -236,6 +236,7 @@ varnish (Abhijith PA) wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) NOTE: 20231204: DLA pending (bunk) + NOTE: 20231218: Debugging a problem with the update. (bunk) -- zabbix NOTE: 20231015: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abcf7697165f28c78505a66fa1bfd212e0a398e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abcf7697165f28c78505a66fa1bfd212e0a398e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] webkit2gtk / wpewebkit upstream advisory WSA-2023-0012
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker Commits: 4cf9ac89 by Alberto Garcia at 2023-12-18T12:38:42+01:00 webkit2gtk / wpewebkit upstream advisory WSA-2023-0012 - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1703,13 +1703,23 @@ CVE-2023-42894 (This issue was addressed with improved redaction of sensitive in CVE-2023-42891 (An authentication issue was addressed with improved state management. ...) NOT-FOR-US: Apple CVE-2023-42890 (The issue was addressed with improved memory handling. This issue is f ...) - NOT-FOR-US: Apple + - webkit2gtk 2.42.0-1 + [buster] - webkit2gtk (EOL in buster LTS) + - wpewebkit 2.42.0-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) + NOTE: https://webkitgtk.org/security/WSA-2023-0012.html CVE-2023-42886 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2023-42884 (This issue was addressed with improved redaction of sensitive informat ...) NOT-FOR-US: Apple CVE-2023-42883 (The issue was addressed with improved memory handling. This issue is f ...) - NOT-FOR-US: Apple + - webkit2gtk 2.42.4-1 + [buster] - webkit2gtk (EOL in buster LTS) + - wpewebkit 2.42.4-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) + NOTE: https://webkitgtk.org/security/WSA-2023-0012.html CVE-2023-42882 (The issue was addressed with improved memory handling. This issue is f ...) NOT-FOR-US: Apple CVE-2023-42874 (This issue was addressed with improved state management. This issue is ...) = data/DSA/list = 
@@ -199,7 +199,7 @@ [12 Oct 2023] DSA-5522-2 tomcat9 - regression update [bullseye] - tomcat9 9.0.43-2~deb11u8 [12 Oct 2023] DSA-5527-1 webkit2gtk - security update - {CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993} + {CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890} [bullseye] - webkit2gtk 2.42.1-1~deb11u1 [bookworm] - webkit2gtk 2.42.1-1~deb12u1 [12 Oct 2023] DSA-5526-1 chromium - security update = data/dsa-needed.txt = @@ -93,6 +93,8 @@ squid -- varnish -- +webkit2gtk (berto) +-- zbar unfixed upstream, initial aproaches are overly strict and cause zbar's tests to fail, some caution is in order -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cf9ac89ab8083805495c1e9e2e65918fb5e08f9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cf9ac89ab8083805495c1e9e2e65918fb5e08f9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
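Review bot: the DSA/list hunk appends CVE-2023-42890 to DSA-5527-1, an advisory published on 12 Oct 2023, which is a retroactive change to a published advisory's CVE list. It is consistent with the CVE/list hunk (fixed in webkit2gtk 2.42.0-1, and DSA-5527-1 shipped 2.42.1-1), but a short NOTE on the CVE-2023-42890 entry saying the fix predates the upstream advisory WSA-2023-0012 would spare readers who compare the DSA mail with the tracker. CVE-2023-42883 is correctly not added to that DSA, since its fix is 2.42.4-1, and the dsa-needed.txt hunk claims webkit2gtk (berto) for it; the zbar context line in that hunk still reads "aproaches", a typo that could be fixed in passing.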
[Git][security-tracker-team/security-tracker][master] add reference for asterisk
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: edc4b4ae by Moritz Muehlenhoff at 2023-12-18T09:35:25+01:00 add reference for asterisk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -758,6 +758,7 @@ CVE-2023-49786 (Asterisk is an open source private branch exchange and telephony - asterisk NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq NOTE: https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05 + NOTE: https://www.openwall.com/lists/oss-security/2023/12/15/7 CVE-2023-49771 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: WordPress plugin CVE-2023-49770 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edc4b4ae3b18500b0372a6087e09015dddb4c47d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edc4b4ae3b18500b0372a6087e09015dddb4c47d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 213405f8 by Salvatore Bonaccorso at 2023-12-18T09:28:32+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,19 +1,19 @@ CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) - TODO: check + NOT-FOR-US: mlflow CVE-2023-6908 (A vulnerability, which was classified as problematic, was found in DFI ...) - TODO: check + NOT-FOR-US: DFIRKuiper Kuiper CVE-2023-6907 (A vulnerability has been found in codelyfe Stupid Simple CMS up to 1.2 ...) - TODO: check + NOT-FOR-US: codelyfe Stupid Simple CMS CVE-2023-6906 (A vulnerability, which was classified as critical, was found in Totoli ...) - TODO: check + NOT-FOR-US: Totolink CVE-2023-6905 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: Jahastech NxFilter CVE-2023-6904 (A vulnerability classified as problematic was found in Jahastech NxFil ...) - TODO: check + NOT-FOR-US: Jahastech NxFilter CVE-2023-6903 (A vulnerability classified as critical has been found in Netentsec NS- ...) - TODO: check + NOT-FOR-US: Netentsec NS-ASG Application Security Gateway CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated Tool-as ...) - TODO: check + NOT-FOR-US: ADiTaaS (Allied Digital Integrated Tool-as-a-Service) CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows atta ...) - libcrypto++ NOTE: https://github.com/weidai11/cryptopp/issues/1249 
@@ -25,7 +25,7 @@ CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel - libcrypto++ NOTE: https://github.com/weidai11/cryptopp/issues/1247 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authoriz ...) - TODO: check + NOT-FOR-US: Redpanda CVE-2023-6902 (A vulnerability has been found in codelyfe Stupid Simple CMS up to 1.2 ...) NOT-FOR-US: Stupid Simple CMS CVE-2023-6901 (A vulnerability, which was classified as critical, was found in codely ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/213405f89eccac25fb566b95e066182790304243 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/213405f89eccac25fb566b95e066182790304243 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
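Review bot: CVE-2023-6907 is marked `NOT-FOR-US: codelyfe Stupid Simple CMS` while the existing CVE-2023-6902 entry in the second hunk, for the same product, reads `NOT-FOR-US: Stupid Simple CMS`; pick one spelling so that searches for related NFUs match. The same applies to the two Jahastech NxFilter entries, which are at least consistent with each other.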
[Git][security-tracker-team/security-tracker][master] Add three new libcrypto++ CVE entries
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6eb4bedb by Salvatore Bonaccorso at 2023-12-18T09:28:05+01:00 Add three new libcrypto++ CVE entries - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,11 +15,15 @@ CVE-2023-6903 (A vulnerability classified as critical has been found in Netentse CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated Tool-as ...) TODO: check CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows atta ...) - TODO: check + - libcrypto++ + NOTE: https://github.com/weidai11/cryptopp/issues/1249 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to ...) - TODO: check + - libcrypto++ + NOTE: https://github.com/weidai11/cryptopp/issues/1248 + TODO: check details about mitigation applied, but issue in per se "unfixed" CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during ...) - TODO: check + - libcrypto++ + NOTE: https://github.com/weidai11/cryptopp/issues/1247 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authoriz ...) TODO: check CVE-2023-6902 (A vulnerability has been found in codelyfe Stupid Simple CMS up to 1.2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6eb4bedb9aa4b0699b323372aa07f1a6ff230f3e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6eb4bedb9aa4b0699b323372aa07f1a6ff230f3e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
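Review bot: the TODO on CVE-2023-50980, "check details about mitigation applied, but issue in per se "unfixed"", is hard to parse; state what is known from the referenced issue #1248 in plain words, e.g. "TODO: upstream applied a mitigation but considers the issue unfixed; check what, if anything, shipped in a release". All three libcrypto++ entries are also added without per-suite status or severity, so they will appear as open for every release until triaged; given that CVE-2023-50979 is described as a Marvin side channel, which is typically treated as a low-to-medium severity timing issue, recording that assessment early would help the LTS front desk.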
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dae8f8c2 by security tracker role at 2023-12-18T08:12:01+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,27 @@ +CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) + TODO: check +CVE-2023-6908 (A vulnerability, which was classified as problematic, was found in DFI ...) + TODO: check +CVE-2023-6907 (A vulnerability has been found in codelyfe Stupid Simple CMS up to 1.2 ...) + TODO: check +CVE-2023-6906 (A vulnerability, which was classified as critical, was found in Totoli ...) + TODO: check +CVE-2023-6905 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2023-6904 (A vulnerability classified as problematic was found in Jahastech NxFil ...) + TODO: check +CVE-2023-6903 (A vulnerability classified as critical has been found in Netentsec NS- ...) + TODO: check +CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated Tool-as ...) + TODO: check +CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows atta ...) + TODO: check +CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to ...) + TODO: check +CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during ...) + TODO: check +CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authoriz ...) + TODO: check CVE-2023-6902 (A vulnerability has been found in codelyfe Stupid Simple CMS up to 1.2 ...) NOT-FOR-US: Stupid Simple CMS CVE-2023-6901 (A vulnerability, which was classified as critical, was found in codely ...) 
@@ -876,7 +900,7 @@ CVE-2023-3904 (An issue has been discovered in GitLab EE affecting all versions - gitlab (Specific to EE) CVE-2023-3511 (An issue has been discovered in GitLab EE affecting all versions start ...) - gitlab (Specific to EE) -CVE-2023-3907 +CVE-2023-3907 (A privilege escalation vulnerability in GitLab EE affecting all versio ...) - gitlab (Specific to EE) CVE-2023-5061 (An issue has been discovered in GitLab affecting all versions starting ...) - gitlab @@ -2950,11 +2974,11 @@ CVE-2023-48800 (In TOTOLINK X6000R_Firmware V9.4.0cu.852_B20230719, the shttpd f NOT-FOR-US: TOTOLINK CVE-2023-48799 (TOTOLINK-X6000R Firmware-V9.4.0cu.852_B20230719 is vulnerable to Comma ...) NOT-FOR-US: TOTOLINK -CVE-2023-44306 (Dell DM5500 contains a path traversal vulnerability in PPOE Component. ...) +CVE-2023-44306 (Dell DM5500 contains a path traversal vulnerability in the appliance. ...) NOT-FOR-US: Dell CVE-2023-44305 (Dell DM5500 5.14.0.0, contains a Stack-based Buffer Overflow Vulnerabi ...) NOT-FOR-US: Dell -CVE-2023-44304 (Dell DM5500 contains a privilege escalation vulnerability in PPOE Comp ...) +CVE-2023-44304 (Dell DM5500 contains a privilege escalation vulnerability in the appli ...) NOT-FOR-US: Dell CVE-2023-44302 (Dell DM5500 5.14.0.0 and prior contain an improper authentication vuln ...) NOT-FOR-US: Dell View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dae8f8c290fc6c39c97aa9195321c6c8473eb244 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dae8f8c290fc6c39c97aa9195321c6c8473eb244 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits