[Git][security-tracker-team/security-tracker][master] Track fixed version for chromium issues via unstable

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c6eb2885 by Salvatore Bonaccorso at 2024-02-22T07:40:45+01:00
Track fixed version for chromium issues via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -288,35 +288,35 @@ CVE-2023-42496 (Reflected cross-site scripting (XSS) 
vulnerability on the add as
 CVE-2023-40191 (Reflected cross-site scripting (XSS) vulnerability in the 
instance set ...)
NOT-FOR-US: Liferay
 CVE-2024-1676 (Inappropriate implementation in Navigation in Google Chrome 
prior to 1 ...)
-   - chromium 
+   - chromium 122.0.6261.57-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-1675 (Insufficient policy enforcement in Download in Google Chrome 
prior to  ...)
-   - chromium 
+   - chromium 122.0.6261.57-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-1674 (Inappropriate implementation in Navigation in Google Chrome 
prior to 1 ...)
-   - chromium 
+   - chromium 122.0.6261.57-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-1673 (Use after free in Accessibility in Google Chrome prior to 
122.0.6261.5 ...)
-   - chromium 
+   - chromium 122.0.6261.57-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-1672 (Inappropriate implementation in Content Security Policy in 
Google Chro ...)
-   - chromium 
+   - chromium 122.0.6261.57-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-1671 (Inappropriate implementation in Site Isolation in Google Chrome 
prior  ...)
-   - chromium 
+   - chromium 122.0.6261.57-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-1670 (Use after free in Mojo in Google Chrome prior to 122.0.6261.57 
allowed ...)
-   - chromium 
+   - chromium 122.0.6261.57-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-1669 (Out of bounds memory access in Blink in Google Chrome prior to 
122.0.6 ...)
-   - chromium 
+   - chromium 122.0.6261.57-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-1481 [specially crafted HTTP requests potentially lead to DoS or data 
exposure]
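Review bot: the unstable fixed version 122.0.6261.57-1 is consistent with the upstream bound visible in the descriptions ("prior to 122.0.6261.57" for CVE-2024-1670 and CVE-2024-1673), so the eight entries resolve correctly for sid; the [bullseye] lines still carry no version and only point at #1061268, so bullseye stays open for all eight and is untouched by this commit. The "- chromium " lines with a trailing space and the double space before "(see #1061268)" indicate that the tracker's angle-bracket state markers were dropped by the mail rendering, so consult the entry in the repository rather than this mail for the actual state.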



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6eb2885bc1fa7abf6207e8d26a3aeca6bf184c7

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2024-26147/helm-kubernetes, itp'ed

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
55fb5459 by Salvatore Bonaccorso at 2024-02-22T07:30:59+01:00
Add CVE-2024-26147/helm-kubernetes, itp'ed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2024-26147
+   - helm-kubernetes  (bug #910799)
 CVE-2024-1726
NOT-FOR-US: Quarkus
 CVE-2024-1722
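Review bot: the new helm-kubernetes line references bug #910799, which per the commit message is the ITP rather than a bug against a package in the archive, so this entry cannot be versioned until the package actually enters unstable; a NOTE pointing at the upstream advisory or fix for CVE-2024-26147 would record the fixed upstream version for whoever sponsors the upload.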



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55fb54598b29943a634482ded09ff3e71bab0cd4





[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
df10056b by Salvatore Bonaccorso at 2024-02-22T07:29:57+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2024-1726
+   NOT-FOR-US: Quarkus
+CVE-2024-1722
+   NOT-FOR-US: Keycloak
+CVE-2023-6787
+   NOT-FOR-US: Keycloak
 CVE-2024-27215
REJECTED
 CVE-2024-26311 (Archer Platform 6.x before 6.14 P2 HF1 (6.14.0.2.1) contains a 
reflect ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df10056b430f32e7f991fe247cd8ee0e835a32fb





[Git][security-tracker-team/security-tracker][master] Remove todo item from CVE-2024-25262

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ea8de7e5 by Salvatore Bonaccorso at 2024-02-21T22:30:10+01:00
Remove todo item from CVE-2024-25262

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -356,7 +356,6 @@ CVE-2024-25262 (texlive-bin commit c515e was discovered to 
contain heap buffer o
NOTE: 
https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605=co
NOTE: https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912
NOTE: https://github.com/TeX-Live/texlive-source/pull/63
-   TODO: check
 CVE-2024-25260 (elfutils v0.189 was discovered to contain a NULL pointer 
dereference v ...)
- elfutils  (unimportant)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=31058
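Review bot: the ChangeLog URL in the retained NOTE line reads "?revision=69605=co", which is not a well-formed query string (two values joined by "="); it most likely lost a "&view" in the mail rendering, so verify the link in the repository. With the TODO removed, the entry's open state now rests solely on the unversioned texlive-bin package line, so the fixed version and a Debian bug reference are what remain to be tracked.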



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea8de7e54e4dffdf8c1323d16f70f21416b650a7





[Git][security-tracker-team/security-tracker][master] Add CVE-2024-25117/php-dompdf-svg-lib

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7dd0a8ee by Salvatore Bonaccorso at 2024-02-21T22:29:34+01:00
Add CVE-2024-25117/php-dompdf-svg-lib

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41,7 +41,10 @@ CVE-2024-25288 (SLIMS (Senayan Library Management Systems) 9 
Bulian v9.6.1 is vu
 CVE-2024-25249 (An issue in He3 App for macOS version 2.0.17, allows remote 
attackers  ...)
NOT-FOR-US: He3 App for macOS
 CVE-2024-25117 (php-svg-lib is a scalable vector graphics (SVG) file 
parsing/rendering ...)
-   TODO: check
+   - php-dompdf-svg-lib 
+   NOTE: 
https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273
+   NOTE: 
https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa
 (0.5.2)
+   NOTE: 
https://github.com/dompdf/php-svg-lib/commit/8ffcc41bbde39f09f94b9760768086f12bbdce42
 (0.5.2)
 CVE-2024-24479 (Buffer Overflow vulnerability in Wireshark team Wireshark 
before v.4.2 ...)
TODO: check
 CVE-2024-24478 (An issue in Wireshark team Wireshark before v.4.2.0 allows a 
remote at ...)
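Review bot: the php-dompdf-svg-lib package line carries neither a fixed version nor a Debian bug reference, unlike the cbor2 entry later in this series which records "(bug #1064416)"; filing and recording a bug against php-dompdf-svg-lib keeps the maintainer in the loop. Both upstream commits are tagged (0.5.2), which gives the version to compare against once an upload lands, and there are no [bookworm]/[bullseye] lines yet, so the stable suites' exposure is still undecided.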



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dd0a8ee7d589d1d37a2e0a526521c4062c19666





[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5cc831dc by Salvatore Bonaccorso at 2024-02-21T22:29:05+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,7 +9,7 @@ CVE-2024-26145 (Discourse Calendar adds the ability to create a 
dynamic calendar
 CVE-2024-26138 (The XWiki licensor application, which manages and enforce 
application  ...)
NOT-FOR-US: XWiki
 CVE-2024-26133 (EventStoreDB (ESDB) is an operational database built to store 
events.  ...)
-   TODO: check
+   NOT-FOR-US: EventStoreDB (ESDB)
 CVE-2024-26130 (cryptography is a package designed to expose cryptographic 
primitives  ...)
- python-cryptography 
NOTE: 
https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
@@ -51,37 +51,37 @@ CVE-2024-24476 (Buffer Overflow vulnerability in Wireshark 
team Wireshark before
 CVE-2024-23346 (Pymatgen (Python Materials Genomics) is an open-source Python 
library  ...)
TODO: check
 CVE-2024-22778 (HackMD CodiMD <2.5.2 is vulnerable to Denial of Service.)
-   TODO: check
+   NOT-FOR-US: HackMD CodiMD
 CVE-2024-22473 (TRNG is used before initialization by ECDSA signing driver 
when exitin ...)
TODO: check
 CVE-2024-0 (An issue was discovered in Terminalfour 7.4 through 7.4.0004 
QP3 and 8 ...)
TODO: check
 CVE-2024-20325 (A vulnerability in the Live Data server of Cisco Unified 
Intelligence  ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2024-1714
REJECTED
 CVE-2024-1709 (ConnectWise ScreenConnect 23.9.7 and prior are affected by an 
Authenti ...)
-   TODO: check
+   NOT-FOR-US: ConnectWise ScreenConnect
 CVE-2024-1708 (ConnectWise ScreenConnect 23.9.7 and prior are affected by 
path-traver ...)
-   TODO: check
+   NOT-FOR-US: ConnectWise ScreenConnect
 CVE-2024-1707 (A vulnerability, which was classified as problematic, was found 
in GAR ...)
-   TODO: check
+   NOT-FOR-US: GARO WALLBOX GLB+ T2EV7
 CVE-2024-1706 (A vulnerability, which was classified as problematic, has been 
found i ...)
-   TODO: check
+   NOT-FOR-US: ZKTeco ZKBio Access IVS
 CVE-2024-1705 (A vulnerability was found in Shopwind up to 4.6. It has been 
rated as  ...)
-   TODO: check
+   NOT-FOR-US: Shopwind
 CVE-2024-1704 (A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has 
been de ...)
-   TODO: check
+   NOT-FOR-US: ZhongBangKeJi CRMEB
 CVE-2024-1703 (A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has 
been cl ...)
-   TODO: check
+   NOT-FOR-US: ZhongBangKeJi CRMEB
 CVE-2024-1702 (A vulnerability was found in keerti1924 
PHP-MYSQL-User-Login-System 1. ...)
-   TODO: check
+   NOT-FOR-US: keerti1924 PHP-MYSQL-User-Login-System
 CVE-2024-1701 (A vulnerability has been found in keerti1924 
PHP-MYSQL-User-Login-Syst ...)
-   TODO: check
+   NOT-FOR-US: keerti1924 PHP-MYSQL-User-Login-System
 CVE-2024-1700 (A vulnerability, which was classified as problematic, was found 
in kee ...)
-   TODO: check
+   NOT-FOR-US: keerti1924 PHP-MYSQL-User-Login-System
 CVE-2024-1474 (In WS_FTP Server versions before 8.8.5, reflected cross-site 
scripting ...)
-   TODO: check
+   NOT-FOR-US: Progress WS_FTP Server
 CVE-2024-1212 (Unauthenticated remote attackers can access the system through 
the Loa ...)
TODO: check
 CVE-2023-7235 (The OpenVPN GUI installer before version 2.6.9 did not set the 
proper  ...)
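Review bot: the context line "CVE-2024-0 (An issue was discovered in Terminalfour ..." shows a truncated CVE id; it is not introduced by this hunk, but it is worth checking whether the list line itself is damaged or only the mail rendering. The NOT-FOR-US vendor strings vary in specificity ("Cisco" for CVE-2024-20325 versus "Progress WS_FTP Server" for CVE-2024-1474); naming the product consistently makes later grep-based triage of NFU entries more reliable.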
@@ -91,13 +91,13 @@ CVE-2023-6640 (Malformed S2 Nonce Get Command Class packets 
can be sent to crash
 CVE-2023-6533 (Malformed Device Reset Locally Command Class packets can be 
sent to th ...)
TODO: check
 CVE-2023-50975 (The TD Bank TD Advanced Dashboard client through 3.0.3 for 
macOS allow ...)
-   TODO: check
+   NOT-FOR-US: TD Bank TD Advanced Dashboard client
 CVE-2023-50955 (IBM InfoSphere Information Server 11.7 could allow an 
authenticated pr ...)
NOT-FOR-US: IBM
 CVE-2023-49100 (Trusted Firmware-A (TF-A) before 2.10 has a potential read 
out-of-boun ...)
TODO: check
 CVE-2023-47795 (Stored cross-site scripting (XSS) vulnerability in the 
Document and Me ...)
-   TODO: check
+   NOT-FOR-US: Liferay
 CVE-2023-46241 (`discourse-microsoft-auth` is a plugin that enables 
authentication via ...)
TODO: check
 CVE-2023-33843 (IBM InfoSphere Information Server 11.7 is vulnerable to 
cross-site scr ...)
@@ -600,87 +600,87 @@ CVE-2024-1156 (Incorrect directory permissions for the 
shared NI RabbitMQ servic
 CVE-2024-1155 (Incorrect permissions in the installation directories for 
shared Syste ...)
TODO: check
 CVE-2024-1133 (The Tutor LMS \u2013 eLearning and online course solution 
plugin for W ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1128 (The Tutor LMS \u2013 

[Git][security-tracker-team/security-tracker][master] Add note about openvswitch

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2f180a8d by Salvatore Bonaccorso at 2024-02-21T22:12:07+01:00
Add note about openvswitch

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -54,6 +54,7 @@ nodejs
 opennds/stable
 --
 openvswitch
+  Maintainer sent debdiff for CVE-2023-3966, but there are other CVE fixes 
which might be piggy backed.
 --
 php-cas/oldstable
 --
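Review bot: the new dsa-needed note names only CVE-2023-3966 and says other fixes "might be piggy backed" without naming them; listing the candidate CVE ids (or the tracker query that yields them) would make the entry actionable for whoever prepares the DSA. Style: "piggy backed" is normally written "piggybacked".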



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f180a8df5d09c46c9b28b16f3fa2babe7efd293





[Git][security-tracker-team/security-tracker][master] Add CVE-2024-25262/texlive-bin

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
764a4a13 by Salvatore Bonaccorso at 2024-02-21T22:09:45+01:00
Add CVE-2024-25262/texlive-bin

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -349,6 +349,10 @@ CVE-2024-25366 (Buffer Overflow vulnerability in 
mz-automation.de libiec61859 v.
 CVE-2024-25274 (An arbitrary file upload vulnerability in the component 
/sysFile/uploa ...)
NOT-FOR-US: Novel-Plus
 CVE-2024-25262 (texlive-bin commit c515e was discovered to contain heap buffer 
overflo ...)
+   - texlive-bin 
+   NOTE: 
https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605=co
+   NOTE: https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912
+   NOTE: https://github.com/TeX-Live/texlive-source/pull/63
TODO: check
 CVE-2024-25260 (elfutils v0.189 was discovered to contain a NULL pointer 
dereference v ...)
- elfutils  (unimportant)
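Review bot: the texlive-bin line is added without a fixed version or Debian bug reference, and the ChangeLog URL "?revision=69605=co" is not a well-formed query string (likely a dropped "&view"), so verify the link. Keeping "TODO: check" below the new NOTE lines is correct here, since the Launchpad bug and upstream PR #63 are references rather than a resolution; the TODO is dropped in commit ea8de7e5 on this page.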



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/764a4a13199a797be2f43a0a69c75a3bddbbf989





[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-4380 after confirmation from Red Hat

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
78e561b7 by Salvatore Bonaccorso at 2024-02-21T21:42:10+01:00
Mark CVE-2023-4380 after confirmation from Red Hat

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -32127,12 +32127,7 @@ CVE-2023-40217 (An issue was discovered in Python 
before 3.8.18, 3.9.x before 3.
NOTE: 1. 
https://github.com/python/cpython/commit/64f99350351bc46e016b2286f36ba7cd669b79e3
NOTE: 2. 
https://github.com/python/cpython/commit/592bacb6fc086c0453e818e9b95016e9fd47
 CVE-2023-4380 (A logic flaw exists in Ansible Automation platform. Whenever a 
private ...)
-   - ansible  (bug #1051897)
-   [bookworm] - ansible  (Minor issue)
-   [bullseye] - ansible  (Minor issue)
-   [buster] - ansible  (Minor issue)
-   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2232324
-   NOTE: likely in awx component or may be RedHat specific
+   NOT-FOR-US: automation-eda-controller
 CVE-2023-4420 (A remote unprivileged attacker can intercept the communication 
via e.g ...)
NOT-FOR-US: SICK LMS5xx
 CVE-2023-4419 (The LMS5xx uses hard-coded credentials, which potentially allow 
low-sk ...)
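Review bot: marking CVE-2023-4380 NOT-FOR-US drops the "(bug #1051897)" reference along with the suite lines; if that Debian bug is still open against ansible it should be closed (or retitled) with a pointer to the Red Hat confirmation, otherwise the bug and the tracker now disagree. Keeping the bugzilla URL as a NOTE would also preserve the evidence for the NFU decision, since the commit message only says "after confirmation from Red Hat".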



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78e561b7f2a6bff48b4a0da1c97bbfa2ea87398e





[Git][security-tracker-team/security-tracker][master] Add CVE-2024-26130/python-cryptography

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
660a5864 by Salvatore Bonaccorso at 2024-02-21T21:35:34+01:00
Add CVE-2024-26130/python-cryptography

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11,7 +11,11 @@ CVE-2024-26138 (The XWiki licensor application, which 
manages and enforce applic
 CVE-2024-26133 (EventStoreDB (ESDB) is an operational database built to store 
events.  ...)
TODO: check
 CVE-2024-26130 (cryptography is a package designed to expose cryptographic 
primitives  ...)
-   TODO: check
+   - python-cryptography 
+   NOTE: 
https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
+   NOTE: https://github.com/pyca/cryptography/pull/10423
+   NOTE: Fixed by: 
https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
 (main)
+   NOTE: Fixed by: 
https://github.com/pyca/cryptography/commit/7a4d012991061974da5d9cb7614de65eac94f49b
 (42.0.4)
 CVE-2024-25898 (A XSS vulnerability was found in the ChurchCRM v.5.5.0 
functionality,  ...)
TODO: check
 CVE-2024-25897 (ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL 
Injection (Ti ...)
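Review bot: the python-cryptography line has no fixed version and no Debian bug reference; the two "Fixed by" NOTEs identify the fix on main and in 42.0.4, so once 42.0.4 (or a backport of the 7a4d0129 commit) is uploaded the version belongs on the package line. There are also no [bookworm]/[bullseye] annotations, so the stable suites' exposure to this issue is still undecided in the tracker.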



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/660a5864e42db8f90a4e66e7afb2070559c7a7dc





[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
df84cdff by Salvatore Bonaccorso at 2024-02-21T21:37:08+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,13 +1,13 @@
 CVE-2024-27215
REJECTED
 CVE-2024-26311 (Archer Platform 6.x before 6.14 P2 HF1 (6.14.0.2.1) contains a 
reflect ...)
-   TODO: check
+   NOT-FOR-US: Archer Platform
 CVE-2024-26310 (Archer Platform 6.8 before 6.14 P2 (6.14.0.2) contains an 
improper acc ...)
-   TODO: check
+   NOT-FOR-US: Archer Platform
 CVE-2024-26145 (Discourse Calendar adds the ability to create a dynamic 
calendar in th ...)
-   TODO: check
+   NOT-FOR-US: Discourse Calendar
 CVE-2024-26138 (The XWiki licensor application, which manages and enforce 
application  ...)
-   TODO: check
+   NOT-FOR-US: XWiki
 CVE-2024-26133 (EventStoreDB (ESDB) is an operational database built to store 
events.  ...)
TODO: check
 CVE-2024-26130 (cryptography is a package designed to expose cryptographic 
primitives  ...)
@@ -17,29 +17,29 @@ CVE-2024-26130 (cryptography is a package designed to 
expose cryptographic primi
NOTE: Fixed by: 
https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
 (main)
NOTE: Fixed by: 
https://github.com/pyca/cryptography/commit/7a4d012991061974da5d9cb7614de65eac94f49b
 (42.0.4)
 CVE-2024-25898 (A XSS vulnerability was found in the ChurchCRM v.5.5.0 
functionality,  ...)
-   TODO: check
+   NOT-FOR-US: ChurchCRM
 CVE-2024-25897 (ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL 
Injection (Ti ...)
-   TODO: check
+   NOT-FOR-US: ChurchCRM
 CVE-2024-25896 (ChurchCRM 5.5.0 EventEditor.php is vulnerable to Blind SQL 
Injection ( ...)
-   TODO: check
+   NOT-FOR-US: ChurchCRM
 CVE-2024-25895 (A reflected cross-site scripting (XSS) vulnerability in 
ChurchCRM 5.5. ...)
-   TODO: check
+   NOT-FOR-US: ChurchCRM
 CVE-2024-25894 (ChurchCRM 5.5.0 /EventEditor.php is vulnerable to Blind SQL 
Injection  ...)
-   TODO: check
+   NOT-FOR-US: ChurchCRM
 CVE-2024-25893 (ChurchCRM 5.5.0 FRCertificates.php is vulnerable to Blind SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: ChurchCRM
 CVE-2024-25892 (ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL 
Injection ...)
-   TODO: check
+   NOT-FOR-US: ChurchCRM
 CVE-2024-25891 (ChurchCRM 5.5.0 FRBidSheets.php is vulnerable to Blind SQL 
Injection ( ...)
-   TODO: check
+   NOT-FOR-US: ChurchCRM
 CVE-2024-25461 (Directory Traversal vulnerability in Terrasoft, Creatio 
Terrasoft CRM  ...)
TODO: check
 CVE-2024-25381 (There is a Stored XSS Vulnerability in Emlog Pro 2.2.8 Article 
Publish ...)
-   TODO: check
+   NOT-FOR-US: Emlog Pro
 CVE-2024-25288 (SLIMS (Senayan Library Management Systems) 9 Bulian v9.6.1 is 
vulnerab ...)
-   TODO: check
+   NOT-FOR-US: SLIMS (Senayan Library Management Systems)
 CVE-2024-25249 (An issue in He3 App for macOS version 2.0.17, allows remote 
attackers  ...)
-   TODO: check
+   NOT-FOR-US: He3 App for macOS
 CVE-2024-25117 (php-svg-lib is a scalable vector graphics (SVG) file 
parsing/rendering ...)
TODO: check
 CVE-2024-24479 (Buffer Overflow vulnerability in Wireshark team Wireshark 
before v.4.2 ...)
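Review bot: CVE-2024-25117 (php-svg-lib) is left at "TODO: check" in this hunk although the library is packaged in Debian as php-dompdf-svg-lib; it is resolved in commit 7dd0a8ee on this page, so nothing further is needed here, but TODO lines for packaged upstreams deserve priority over the NFU entries processed alongside them.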



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df84cdffc61ece338832b708456f4eed757ae18b





[Git][security-tracker-team/security-tracker][master] Track fixed version for thunderbird issues from mfsa2024-07

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0985fb97 by Salvatore Bonaccorso at 2024-02-21T21:24:30+01:00
Track fixed version for thunderbird issues from mfsa2024-07

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -451,7 +451,7 @@ CVE-2024-1553 (Memory safety bugs present in Firefox 122, 
Firefox ESR 115.7, and
{DSA-5627-1}
- firefox 123.0-1
- firefox-esr 115.8.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.8.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1553
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1553
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1553
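Review bot: the thunderbird fixed version 1:115.8.0-1 carries the epoch and matches the 115.8 line of firefox-esr 115.8.0esr-1, so sid is consistent; the {DSA-5627-1} reference covers the firefox-esr update, and nothing in the hunk records the stable/oldstable state for thunderbird, so the CVE still needs a thunderbird DSA (or a suite annotation) before it is closed there. The same applies to the identical hunks for CVE-2024-1546 through CVE-2024-1552 below.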
@@ -459,7 +459,7 @@ CVE-2024-1552 (Incorrect code generation could have led to 
unexpected numeric co
{DSA-5627-1}
- firefox 123.0-1
- firefox-esr 115.8.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.8.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1552
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1552
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1552
@@ -467,7 +467,7 @@ CVE-2024-1551 (Set-Cookie response headers were being 
incorrectly honored in mul
{DSA-5627-1}
- firefox 123.0-1
- firefox-esr 115.8.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.8.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1551
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1551
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1551
@@ -475,7 +475,7 @@ CVE-2024-1550 (A malicious website could have used a 
combination of exiting full
{DSA-5627-1}
- firefox 123.0-1
- firefox-esr 115.8.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.8.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1550
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1550
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1550
@@ -483,7 +483,7 @@ CVE-2024-1549 (If a website set a large custom cursor, 
portions of the cursor co
{DSA-5627-1}
- firefox 123.0-1
- firefox-esr 115.8.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.8.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1549
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1549
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1549
@@ -491,7 +491,7 @@ CVE-2024-1548 (A website could have obscured the fullscreen 
notification by usin
{DSA-5627-1}
- firefox 123.0-1
- firefox-esr 115.8.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.8.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1548
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1548
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1548
@@ -499,7 +499,7 @@ CVE-2024-1547 (Through a series of API calls and redirects, 
an attacker-controll
{DSA-5627-1}
- firefox 123.0-1
- firefox-esr 115.8.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.8.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1547
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1547
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1547
@@ -507,7 +507,7 @@ CVE-2024-1546 (When storing and re-accessing data on a 
networking channel, the l
{DSA-5627-1}
- firefox 123.0-1
- firefox-esr 115.8.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.8.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1546
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1546
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1546



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0985fb978f1dfd798d89706dfe7178d02023d3c2




[Git][security-tracker-team/security-tracker][master] Process two NFUs

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
997a1929 by Salvatore Bonaccorso at 2024-02-21T21:19:44+01:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -89,7 +89,7 @@ CVE-2023-6533 (Malformed Device Reset Locally Command Class 
packets can be sent
 CVE-2023-50975 (The TD Bank TD Advanced Dashboard client through 3.0.3 for 
macOS allow ...)
TODO: check
 CVE-2023-50955 (IBM InfoSphere Information Server 11.7 could allow an 
authenticated pr ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-49100 (Trusted Firmware-A (TF-A) before 2.10 has a potential read 
out-of-boun ...)
TODO: check
 CVE-2023-47795 (Stored cross-site scripting (XSS) vulnerability in the 
Document and Me ...)
@@ -97,7 +97,7 @@ CVE-2023-47795 (Stored cross-site scripting (XSS) 
vulnerability in the Document
 CVE-2023-46241 (`discourse-microsoft-auth` is a plugin that enables 
authentication via ...)
TODO: check
 CVE-2023-33843 (IBM InfoSphere Information Server 11.7 is vulnerable to 
cross-site scr ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-0410
- gitlab 
 CVE-2023-3509



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/997a192908af5823a442fd3d9d711254ffdd4c95





[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-26134/cbor2

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
82d8ea2a by Salvatore Bonaccorso at 2024-02-21T21:14:25+01:00
Add Debian bug reference for CVE-2024-26134/cbor2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -742,7 +742,7 @@ CVE-2023-52433 (In the Linux kernel, the following 
vulnerability has been resolv
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4 (6.6-rc1)
 CVE-2024-26134 (cbor2 provides encoding and decoding for the Concise Binary 
Object Rep ...)
-   - cbor2 
+   - cbor2  (bug #1064416)
[bookworm] - cbor2  (Vulnerable code not present)
[bullseye] - cbor2  (Vulnerable code not present)
NOTE: 
https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m
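Review bot: recording "(bug #1064416)" on the cbor2 line closes the loop with the maintainer, and the [bookworm]/[bullseye] "Vulnerable code not present" markings are already in place; what is still missing is the upstream fixed version or commit for CVE-2024-26134 beside the GHSA link, which is what allows the unstable line to be versioned once the fix is uploaded.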



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82d8ea2ac1157154966e518c7aa32192bbed3dc1





[Git][security-tracker-team/security-tracker][master] Update information for CVE-2024-2632{7,8}/qemu

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d650ed1f by Salvatore Bonaccorso at 2024-02-21T21:13:38+01:00
Update information for CVE-2024-2632{7,8}/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -858,9 +858,15 @@ CVE-2024-22369 (Deserialization of Untrusted Data 
vulnerability in Apache Camel
NOT-FOR-US: Apache Camel
 CVE-2024-26328 (An issue was discovered in QEMU 7.1.0 through 8.2.1. 
register_vfs in h ...)
- qemu 
+   [bullseye] - qemu  (Vulnerable code introduced later)
+   [buster] - qemu  (Vulnerable code introduced later)
+   NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6
 (v7.0.0-rc0)
NOTE: 
https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org
 CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. 
register_vfs in h ...)
- qemu 
+   [bullseye] - qemu  (Vulnerable code introduced later)
+   [buster] - qemu  (Vulnerable code introduced later)
+   NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6
 (v7.0.0-rc0)
NOTE: 
https://lore.kernel.org/all/20240214-reuse-v4-5-89ad093a07f4%40daynix.com/
 CVE-2024-26318 (Serenity before 6.8.0 allows XSS via an email link because 
LoginPage.t ...)
NOT-FOR-US: Serenity
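Review bot: the "Introduced by" commit added for both CVE-2024-26328 and CVE-2024-26327 is tagged (v7.0.0-rc0), yet the CVE descriptions quoted in the same entries say "QEMU 7.1.0 through 8.2.1"; one of the two is off by a release, so confirm whether 7.0.x is affected before relying on the two "Vulnerable code introduced later" markers, and consider adding a "Fixed by" NOTE once the upstream fix lands so the unstable qemu line can receive a fixed version.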



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d650ed1fa1832e8dec79838bcc933cbe36b98025



[Git][security-tracker-team/security-tracker][master] automatic update

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce231a62 by security tracker role at 2024-02-21T20:12:33+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,103 @@
+CVE-2024-27215
+   REJECTED
+CVE-2024-26311 (Archer Platform 6.x before 6.14 P2 HF1 (6.14.0.2.1) contains a 
reflect ...)
+   TODO: check
+CVE-2024-26310 (Archer Platform 6.8 before 6.14 P2 (6.14.0.2) contains an 
improper acc ...)
+   TODO: check
+CVE-2024-26145 (Discourse Calendar adds the ability to create a dynamic 
calendar in th ...)
+   TODO: check
+CVE-2024-26138 (The XWiki licensor application, which manages and enforce 
application  ...)
+   TODO: check
+CVE-2024-26133 (EventStoreDB (ESDB) is an operational database built to store 
events.  ...)
+   TODO: check
+CVE-2024-26130 (cryptography is a package designed to expose cryptographic 
primitives  ...)
+   TODO: check
+CVE-2024-25898 (A XSS vulnerability was found in the ChurchCRM v.5.5.0 
functionality,  ...)
+   TODO: check
+CVE-2024-25897 (ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL 
Injection (Ti ...)
+   TODO: check
+CVE-2024-25896 (ChurchCRM 5.5.0 EventEditor.php is vulnerable to Blind SQL 
Injection ( ...)
+   TODO: check
+CVE-2024-25895 (A reflected cross-site scripting (XSS) vulnerability in 
ChurchCRM 5.5. ...)
+   TODO: check
+CVE-2024-25894 (ChurchCRM 5.5.0 /EventEditor.php is vulnerable to Blind SQL 
Injection  ...)
+   TODO: check
+CVE-2024-25893 (ChurchCRM 5.5.0 FRCertificates.php is vulnerable to Blind SQL 
Injectio ...)
+   TODO: check
+CVE-2024-25892 (ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL 
Injection ...)
+   TODO: check
+CVE-2024-25891 (ChurchCRM 5.5.0 FRBidSheets.php is vulnerable to Blind SQL 
Injection ( ...)
+   TODO: check
+CVE-2024-25461 (Directory Traversal vulnerability in Terrasoft, Creatio 
Terrasoft CRM  ...)
+   TODO: check
+CVE-2024-25381 (There is a Stored XSS Vulnerability in Emlog Pro 2.2.8 Article 
Publish ...)
+   TODO: check
+CVE-2024-25288 (SLIMS (Senayan Library Management Systems) 9 Bulian v9.6.1 is 
vulnerab ...)
+   TODO: check
+CVE-2024-25249 (An issue in He3 App for macOS version 2.0.17, allows remote 
attackers  ...)
+   TODO: check
+CVE-2024-25117 (php-svg-lib is a scalable vector graphics (SVG) file 
parsing/rendering ...)
+   TODO: check
+CVE-2024-24479 (Buffer Overflow vulnerability in Wireshark team Wireshark 
before v.4.2 ...)
+   TODO: check
+CVE-2024-24478 (An issue in Wireshark team Wireshark before v.4.2.0 allows a 
remote at ...)
+   TODO: check
+CVE-2024-24476 (Buffer Overflow vulnerability in Wireshark team Wireshark 
before v.4.2 ...)
+   TODO: check
+CVE-2024-23346 (Pymatgen (Python Materials Genomics) is an open-source Python 
library  ...)
+   TODO: check
+CVE-2024-22778 (HackMD CodiMD <2.5.2 is vulnerable to Denial of Service.)
+   TODO: check
+CVE-2024-22473 (TRNG is used before initialization by ECDSA signing driver 
when exitin ...)
+   TODO: check
+CVE-2024-0 (An issue was discovered in Terminalfour 7.4 through 7.4.0004 
QP3 and 8 ...)
+   TODO: check
+CVE-2024-20325 (A vulnerability in the Live Data server of Cisco Unified 
Intelligence  ...)
+   TODO: check
+CVE-2024-1714
+   REJECTED
+CVE-2024-1709 (ConnectWise ScreenConnect 23.9.7 and prior are affected by an 
Authenti ...)
+   TODO: check
+CVE-2024-1708 (ConnectWise ScreenConnect 23.9.7 and prior are affected by 
path-traver ...)
+   TODO: check
+CVE-2024-1707 (A vulnerability, which was classified as problematic, was found 
in GAR ...)
+   TODO: check
+CVE-2024-1706 (A vulnerability, which was classified as problematic, has been 
found i ...)
+   TODO: check
+CVE-2024-1705 (A vulnerability was found in Shopwind up to 4.6. It has been 
rated as  ...)
+   TODO: check
+CVE-2024-1704 (A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has 
been de ...)
+   TODO: check
+CVE-2024-1703 (A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has 
been cl ...)
+   TODO: check
+CVE-2024-1702 (A vulnerability was found in keerti1924 
PHP-MYSQL-User-Login-System 1. ...)
+   TODO: check
+CVE-2024-1701 (A vulnerability has been found in keerti1924 
PHP-MYSQL-User-Login-Syst ...)
+   TODO: check
+CVE-2024-1700 (A vulnerability, which was classified as problematic, was found 
in kee ...)
+   TODO: check
+CVE-2024-1474 (In WS_FTP Server versions before 8.8.5, reflected cross-site 
scripting ...)
+   TODO: check
+CVE-2024-1212 (Unauthenticated remote attackers can access the system through 
the Loa ...)
+   TODO: check
+CVE-2023-7235 (The OpenVPN GUI installer before version 2.6.9 did not set the 
proper  ...)
+   TODO: check
+CVE-2023-6640 (Malformed S2 Nonce Get Command Class 
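Review bot: the entry `CVE-2024-0 (An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 ...)` does not carry a well-formed CVE identifier (the sequence part needs at least four digits), so it will never match the upstream record and the automated "TODO: check" marker will not be resolved against it; verify the id in the Terminalfour advisory on the next manual triage pass and correct the line by hand.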

[Git][security-tracker-team/security-tracker][master] Add Debian bug references for libcommons-compress-java issues

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ef10fa9 by Salvatore Bonaccorso at 2024-02-21T20:59:20+01:00
Add Debian bug references for libcommons-compress-java issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -734,13 +734,13 @@ CVE-2024-1343 (A weak permission was found in the backup 
directory in LaborOffic
 CVE-2023-50257 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation 
of the  ...)
TODO: check
 CVE-2024-26308 (Allocation of Resources Without Limits or Throttling 
vulnerability in  ...)
-   - libcommons-compress-java 
+   - libcommons-compress-java  (bug #1064414)
[bookworm] - libcommons-compress-java  (Minor issue)
[bullseye] - libcommons-compress-java  (Vulnerable code 
introduced later)
[buster] - libcommons-compress-java  (Vulnerable code 
introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/2
 CVE-2024-25710 (Loop with Unreachable Exit Condition ('Infinite Loop') 
vulnerability i ...)
-   - libcommons-compress-java 
+   - libcommons-compress-java  (bug #1064413)
[bookworm] - libcommons-compress-java  (Minor issue)
[bullseye] - libcommons-compress-java  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/1
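Review bot: CVE-2024-25710 gets [bookworm] and [bullseye] "Minor issue" lines but no [buster] line, whereas the sibling CVE-2024-26308 entry directly above triages [buster] as "Vulnerable code introduced later"; add a [buster] annotation for CVE-2024-25710 (or a NOTE saying why it is intentionally left open) so the two commons-compress entries are triaged consistently.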



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ef10fa90cd6af094f7eb89ff93b145c2b0644f3



[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-24475 (rejected)

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c75b5192 by Salvatore Bonaccorso at 2024-02-21T20:48:45+01:00
Remove notes from CVE-2024-24475 (rejected)

Further investigation showed that the underlying issue was not a
security issue and the CNA has withdrawn the CVE.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -269,8 +269,6 @@ CVE-2024-24763 (JumpServer is an open source bastion host 
and an operation and m
NOT-FOR-US: JumpServer
 CVE-2024-24475
REJECTED
-   - qemu 1:8.2.0+ds-1
-   NOTE: 
https://github.com/qemu/qemu/commit/9d9c06b144da340b9a937ed01d45a936810715be 
(v8.2.0-rc0)
 CVE-2024-24474 (QEMU before 8.2.0 has an integer underflow, and resultant 
buffer overf ...)
- qemu 1:8.2.0+ds-1
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1810



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c75b51925f229450b500511a23590853a4d4ce3b



[Git][security-tracker-team/security-tracker][master] CVE-2023-39361/cacti: reference complementary fix

2024-02-21 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0293e780 by Sylvain Beucler at 2024-02-21T19:14:50+01:00
CVE-2023-39361/cacti: reference complementary fix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -30138,6 +30138,7 @@ CVE-2023-39361 (Cacti is an open source operational 
monitoring and fault managem
NOTE: 
https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822 
(release/1.2.25)
NOTE: Introduced by: 
https://github.com/cacti/cacti/commit/36269461cb9b03581ad5d7f6ddbc085a28fb9c37 
(release/1.2.17)
NOTE: but the patch still fixes multiple similar issues including one 
present in earlier versions.
+   NOTE: Additional hardening with CVE-2023-39365.
 CVE-2023-39360 (Cacti is an open source operational monitoring and fault 
management fr ...)
- cacti 1.2.25+ds1-1
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0293e7807ee21d953506b1641df9c9ad6daf13ab



[Git][security-tracker-team/security-tracker][master] CVE-2023-39361/cacti: reference introductory commit

2024-02-21 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e56496d by Sylvain Beucler at 2024-02-21T19:09:14+01:00
CVE-2023-39361/cacti: reference introductory commit

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -30136,6 +30136,8 @@ CVE-2023-39361 (Cacti is an open source operational 
monitoring and fault managem
- cacti 1.2.25+ds1-1
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg
NOTE: 
https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822 
(release/1.2.25)
+   NOTE: Introduced by: 
https://github.com/cacti/cacti/commit/36269461cb9b03581ad5d7f6ddbc085a28fb9c37 
(release/1.2.17)
+   NOTE: but the patch still fixes multiple similar issues including one 
present in earlier versions.
 CVE-2023-39360 (Cacti is an open source operational monitoring and fault 
management fr ...)
- cacti 1.2.25+ds1-1
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4
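Review bot: the two added NOTEs pull in opposite directions: "Introduced by: ... (release/1.2.17)" implies releases before 1.2.17 are unaffected, while the next line says the patch also fixes a similar issue present in earlier versions. Make the conclusion explicit with [bookworm]/[bullseye]/[buster] triage lines for cacti (affected, not-affected or minor) instead of leaving the reader to infer suite status from two hedged notes.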



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e56496dbc2ab0d1a2a97bdd9cb48107488911f7



[Git][security-tracker-team/security-tracker][master] new gitlab issues

2024-02-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e31cb631 by Moritz Muehlenhoff at 2024-02-21T18:33:23+01:00
new gitlab issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,17 @@
+CVE-2024-0410
+   - gitlab 
+CVE-2023-3509
+   - gitlab 
+CVE-2024-0861
+   - gitlab  (Specific to EE)
+CVE-2023-4895
+   - gitlab  (Specific to EE)
+CVE-2024-1525
+   - gitlab 
+CVE-2023-6477
+   - gitlab  (Specific to EE)
+CVE-2024-1451
+   - gitlab  (Only affects 16.9)
 CVE-2024-26585 [tls: fix race between tx work scheduling and socket close]
- linux 
[buster] - linux  (Vulnerable code not present)
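Review bot: the seven new gitlab entries carry neither a description nor a NOTE with an upstream reference, and four of them rest only on the free-text "(Specific to EE)". Add the GitLab advisory or release-post link as a NOTE on each entry so the EE-only claim, which decides whether the CE-based Debian package is affected, can be re-verified later without redoing the research.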



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e31cb6310bcd37b31414b0592c9d5e214f6dd746



[Git][security-tracker-team/security-tracker][master] CVE-2023-39360/cacti: wrong patch, bookworm still vulnerable

2024-02-21 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
902dd979 by Sylvain Beucler at 2024-02-21T18:26:16+01:00
CVE-2023-39360/cacti: wrong patch, bookworm still vulnerable

Follow-up to c3cae9377156c963d7b475fda3a82413188d8446

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -30124,7 +30124,6 @@ CVE-2023-39361 (Cacti is an open source operational 
monitoring and fault managem
NOTE: 
https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822 
(release/1.2.25)
 CVE-2023-39360 (Cacti is an open source operational monitoring and fault 
management fr ...)
- cacti 1.2.25+ds1-1
-   [bookworm] - cacti 1.2.24+ds1-1+deb12u1
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4
NOTE: Initial fix: 
https://github.com/cacti/cacti/commit/9696bbd8060c7332b11b709f4dd17e6c3776bba2 
(release/1.2.25)
NOTE: Final fix: 
https://github.com/cacti/cacti/commit/bc6dc996745ef0dee3427178c8d87a6402f3fefa 
(release/1.2.25)
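Review bot: dropping `[bookworm] - cacti 1.2.24+ds1-1+deb12u1` leaves bookworm with no annotation at all, so the tracker will show it as plainly vulnerable with no hint that a partial fix already shipped. Add a [bookworm] triage line with the appropriate status, or a NOTE recording that 1.2.24+ds1-1+deb12u1 carried only the "Initial fix" commit (9696bbd8...) and still needs the "Final fix" commit (bc6dc996...), so the follow-up upload is obvious from the entry itself.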



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/902dd9790a4e442d0817be361d7eba4a62bb57e8



[Git][security-tracker-team/security-tracker][master] firefox-esr DSA

2024-02-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
66bb6c34 by Moritz Mühlenhoff at 2024-02-21T18:20:29+01:00
firefox-esr DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[21 Feb 2024] DSA-5627-1 firefox-esr - security update
+   {CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 
CVE-2024-1551 CVE-2024-1552 CVE-2024-1553}
+   [bullseye] - firefox-esr 115.8.0esr-1~deb11u1
+   [bookworm] - firefox-esr 115.8.0esr-1~deb12u1
 [18 Feb 2024] DSA-5626-1 pdns-recursor - security update
{CVE-2023-50387 CVE-2023-50868}
[bookworm] - pdns-recursor 4.8.6-1


=
data/dsa-needed.txt
=
@@ -25,8 +25,6 @@ dav1d
 --
 dnsdist (jmm)
 --
-firefox-esr (jmm)
---
 frr
 --
 gnutls28/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66bb6c34399d097f62dc5ae5947c22427915d13c



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-2658{2..5}/linux

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
31723422 by Salvatore Bonaccorso at 2024-02-21T17:43:14+01:00
Add CVE-2024-2658{2..5}/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,19 @@
+CVE-2024-26585 [tls: fix race between tx work scheduling and socket close]
+   - linux 
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb (6.8-rc5)
+CVE-2024-26584 [net: tls: handle backlogging of crypto requests]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/8590541473188741055d27b955db0777569438e3 (6.8-rc5)
+CVE-2024-26583 [tls: fix race between async notify and socket close]
+   - linux 
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/aec7961916f3f9e88766e2688992da6980f11b8d (6.8-rc5)
+CVE-2024-26582 [net: tls: fix use-after-free with partial reads and async 
decrypt]
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f (6.8-rc5)
 CVE-2024-26269 (Cross-site scripting (XSS) vulnerability in the Frontend JS 
module's p ...)
NOT-FOR-US: Liferay
 CVE-2024-26266 (Multiple stored cross-site scripting (XSS) vulnerabilities in 
Liferay  ...)
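Review bot: the four new TLS entries are triaged unevenly: CVE-2024-26585 and CVE-2024-26583 mark only [buster] as "Vulnerable code not present", CVE-2024-26582 marks both [bullseye] and [buster], and CVE-2024-26584 has no suite line at all, so bullseye and buster will be shown as affected for it. If the omissions are deliberate, a short NOTE on each entry would stop them being read as "not yet checked"; otherwise add the missing [bullseye]/[buster] lines.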



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3172342245c93de10d67ee7bd70d710778fdd497



[Git][security-tracker-team/security-tracker][master] CVE-2023-39359/cacti: buster actually not-affected

2024-02-21 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3cad43f5 by Sylvain Beucler at 2024-02-21T17:02:59+01:00
CVE-2023-39359/cacti: buster actually not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -30116,8 +30116,10 @@ CVE-2023-39360 (Cacti is an open source operational 
monitoring and fault managem
 CVE-2023-39359 (Cacti is an open source operational monitoring and fault 
management fr ...)
{DSA-5550-1}
- cacti 1.2.25+ds1-1
+   [buster] - cacti  (Vulnerable code introduced later)
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-q4wh-3f9w-836h
NOTE: 
https://github.com/cacti/cacti/commit/7459ff57abcd97ab8bc7a19de9e308ca62c17d38 
(release/1.2.25)
+   NOTE: Introduced by: 
https://github.com/cacti/cacti/commit/518800fdb0bd25f311a530d78bab635b3c96c500 
(release/1.2.7)
 CVE-2023-39358 (Cacti is an open source operational monitoring and fault 
management fr ...)
- cacti 1.2.25+ds1-1
[bookworm] - cacti 1.2.24+ds1-1+deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cad43f56f903274333d4391652a76276f9d9382



[Git][security-tracker-team/security-tracker][master] CVE-2022-1114

2024-02-21 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e4e1232a by Bastien Roucariès at 2024-02-21T12:54:28+00:00
CVE-2022-1114

Tested against poc:
convert-im6.q16: insufficient image data in file `poc @ 
error/dcm.c/ReadDCMImage/3313.
convert-im6.q16: no images defined `/dev/null @ 
error/convert.c/ConvertImageCommand/3258.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -135127,7 +135127,7 @@ CVE-2022-1115 (A heap-buffer-overflow flaw was found 
in ImageMagick\u2019s PushS
 CVE-2022-1114 (A heap-use-after-free flaw was found in ImageMagick's 
RelinquishDCMInf ...)
- imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282)
[bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2
-   [buster] - imagemagick  (Minor issue)
+   [buster] - imagemagick  (Vulnerable code not present, 
bail out early)
[stretch] - imagemagick  (Vulnerable code not present)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/4947
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f
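Review bot: the [buster] status moves from "Minor issue" to "Vulnerable code not present, bail out early" on the strength of a PoC run (the commit message shows convert rejecting the file with "insufficient image data" in ReadDCMImage). A sample being rejected early shows that this PoC does not reach the RelinquishDCMInfo path, not that the use-after-free is absent for other inputs; add a NOTE pointing at the buster code where the early bail-out happens (or at the missing code) so the not-affected call can be re-verified without re-running the PoC.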



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4e1232aa1a21f8511b8463070273070ce72fc07



[Git][security-tracker-team/security-tracker][master] NFUs

2024-02-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f3d9a732 by Moritz Muehlenhoff at 2024-02-21T13:50:25+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,11 +5,11 @@ CVE-2024-26266 (Multiple stored cross-site scripting (XSS) 
vulnerabilities in Li
 CVE-2024-26140 (com.yetanalytics/lrs is the Yet Analytics Core LRS Library. 
Prior to v ...)
NOT-FOR-US: Yet Analytics Core LRS Library
 CVE-2024-26136 (kedi ElectronCord is a bot management tool for Discord. Commit 
aaaeaf4 ...)
-   TODO: check
+   NOT-FOR-US: kedi ElectronCord
 CVE-2024-25905 (Cross-Site Request Forgery (CSRF) vulnerability in Mondula 
GmbH Multi  ...)
NOT-FOR-US: Mondula GmbH Multi Step Form
 CVE-2024-25904 (Cross-Site Request Forgery (CSRF) vulnerability in David 
Stockl TinyMC ...)
-   TODO: check
+   NOT-FOR-US: TinyMCE addon
 CVE-2024-25603 (Stored cross-site scripting (XSS) vulnerability in the Dynamic 
Data Ma ...)
NOT-FOR-US: Liferay
 CVE-2024-25602 (Stored cross-site scripting (XSS) vulnerability in Users Admin 
module' ...)
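Review bot: `NOT-FOR-US: TinyMCE addon` for CVE-2024-25904 is ambiguous because tinymce is itself a Debian source package; the entry describes a third-party addon by David Stockl, so spell that out (for example "NOT-FOR-US: David Stockl TinyMCE addon", or the usual "NOT-FOR-US: WordPress plugin" if that is what it is) so a later reader does not take it as a dismissal of the packaged editor.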
@@ -47,17 +47,17 @@ CVE-2024-23758 (An issue discovered in Unisys Stealth 
5.3.062.0 allows attackers
 CVE-2024-22235 (VMware Aria Operations contains a local privilege escalation 
vulnerabi ...)
NOT-FOR-US: VMware
 CVE-2024-1631 (Impact: The library offers a function to generate an ed25519 
key pair  ...)
-   TODO: check
+   NOT-FOR-US: agent-js
 CVE-2024-1562 (The WooCommerce Google Sheet Connector plugin for WordPress is 
vulnera ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-1501 (The Database Reset plugin for WordPress is vulnerable to 
Cross-Site Re ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-1108 (The Plugin Groups plugin for WordPress is vulnerable to 
unauthorized m ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1081 (The 3D FlipBook \u2013 PDF Flipbook WordPress plugin for 
WordPress is  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-0593 (The Simple Job Board plugin for WordPress is vulnerable to 
unauthorize ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52442 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
- linux 6.5.3-1
[bookworm] - linux 6.1.55-1
@@ -79,69 +79,69 @@ CVE-2023-52440 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2023-50923 (In QUIC in RFC 9000, the Latency Spin Bit specification 
(section 17.4) ...)
TODO: check
 CVE-2023-49034 (Cross Site Scripting (XSS) vulnerability in ProjeQtOr 11.0.2 
allows a  ...)
-   TODO: check
+   NOT-FOR-US: ProjeQtOr
 CVE-2023-47422 (An access control issue in /usr/sbin/httpd in Tenda TX9 V1 
V22.03.02.5 ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2023-46967 (Cross Site Scripting vulnerability in the sanitize function in 
Enhance ...)
-   TODO: check
+   NOT-FOR-US: osTicket
 CVE-2023-42953 (A permissions issue was addressed with additional 
restrictions. This i ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42952 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42951 (The issue was addressed with improved handling of caches. This 
issue i ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42946 (This issue was addressed with improved redaction of sensitive 
informat ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42945 (A permissions issue was addressed with additional 
restrictions. This i ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42942 (This issue was addressed with improved handling of symlinks. 
This issu ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42939 (A logic issue was addressed with improved checks. This issue 
is fixed  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42928 (The issue was addressed with improved bounds checks. This 
issue is fix ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42889 (The issue was addressed with improved checks. This issue is 
fixed in m ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42878 (A privacy issue was addressed with improved private data 
redaction for ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42877 (The issue was addressed with improved checks. This issue is 
fixed in m ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42873 (The issue was addressed with improved bounds checks. This 
issue is fix ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42860 (A permissions issue was addressed with additional 
restrictions. This i ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42859 (The issue was addressed with improved checks. This issue is 
fixed in 

[Git][security-tracker-team/security-tracker][master] Reserve DLA-3736-1 for unbound

2024-02-21 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2a57f0d7 by Markus Koschany at 2024-02-21T13:11:48+01:00
Reserve DLA-3736-1 for unbound

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[21 Feb 2024] DLA-3736-1 unbound - security update
+   {CVE-2023-50387 CVE-2023-50868}
+   [buster] - unbound 1.9.0-2+deb10u4
 [19 Feb 2024] DLA-3735-1 runc - security update
{CVE-2021-43784 CVE-2024-21626}
[buster] - runc 1.0.0~rc6+dfsg1-3+deb10u3


=
data/dla-needed.txt
=
@@ -294,9 +294,6 @@ tinymce
 tomcat9 (Markus Koschany)
   NOTE: 20240121: Added by Front-Desk (apo)
 --
-unbound (Markus Koschany)
-  NOTE: 20240214: Added by Front-Desk (lamby)
---
 varnish (Abhijith PA)
   NOTE: 20231117: Added by Front-Desk (apo)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, 
https://github.com/varnishcache/varnish-cache/pull/4004



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a57f0d7fb0ec3ab98999811e2bc7d5531c895c5



[Git][security-tracker-team/security-tracker][master] CVE-2023-3428: mark buster not affected

2024-02-21 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fc5d8e94 by Bastien Roucariès at 2024-02-21T10:28:48+00:00
CVE-2023-3428: mark buster not affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39655,6 +39655,7 @@ CVE-2023-3436 (Xpdf 4.04 will deadlock on a PDF object 
stream whose "Length" fie
 CVE-2023-3428 (A heap-based buffer overflow vulnerability was found  in 
coders/tiff.c ...)
[experimental] - imagemagick 8:6.9.12.98+dfsg1-1
- imagemagick 8:6.9.12.98+dfsg1-2
+   [buster] - imagemagick  (code is introduced later)
NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/a531d28e31309676ce8168c3b6dbbb5374b78790
 (7.1.1-13)
NOTE: Prerequisite: 
https://github.com/ImageMagick/ImageMagick6/commit/2b4eabb9d09b278f16727c635e928bd951c58773
 (6.9.12-55)
NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/0d00400727170b0540a355a1bc52787bc7bcdea5
 (6.9.12-91)
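Review bot: the added `[buster] - imagemagick  (code is introduced later)` uses ad-hoc wording where the rest of the file writes "Vulnerable code introduced later", and the surrounding NOTEs give only the fix commits (a531d28e..., 7.1.1-13 and 0d004007..., 6.9.12-91) and the prerequisite (2b4eabb9..., 6.9.12-55), not the commit that introduced the bug. Match the standard phrase and add a "NOTE: Introduced by:" reference so the not-affected claim can be checked against the buster version.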



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc5d8e9465c5e6b2a263f823bf986851b6de14c9



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e55d5bf4 by Salvatore Bonaccorso at 2024-02-21T11:27:19+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,39 +19,39 @@ CVE-2024-25601 (Stored cross-site scripting (XSS) 
vulnerability in Expando modul
 CVE-2024-25428 (SQL Injection vulnerability in MRCMS v3.1.2 allows attackers 
to run ar ...)
NOT-FOR-US: MRCMS
 CVE-2024-25152 (Stored cross-site scripting (XSS) vulnerability in Message 
Board widge ...)
-   TODO: check
+   NOT-FOR-US: Liferay
 CVE-2024-25151 (The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and 
older u ...)
-   TODO: check
+   NOT-FOR-US: Liferay
 CVE-2024-25147 (Cross-site scripting (XSS) vulnerability in 
HtmlUtil.escapeJsLink in L ...)
-   TODO: check
+   NOT-FOR-US: Liferay
 CVE-2024-25141 (When sslwas enabled for Mongo Hook, default settings included 
"allow_i ...)
NOT-FOR-US: Apache Airflow Mongo Provider
 CVE-2024-24876 (Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts 
Admin M ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-24872 (Cross-Site Request Forgery (CSRF) vulnerability in Themify 
Themify Bui ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-24849 (Cross-Site Request Forgery (CSRF) vulnerability in Mark 
Stockton Quick ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-24843 (Cross-Site Request Forgery (CSRF) vulnerability in PowerPack 
Addons fo ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-24837 (Cross-Site Request Forgery (CSRF) vulnerability in 
Fr\xe9d\xe9ric GILL ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-24802 (Cross-Site Request Forgery (CSRF) vulnerability in John Tendik 
JTRT Re ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-24798 (Cross-Site Request Forgery (CSRF) vulnerability in SoniNow 
Team Debug. ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-23830 (MantisBT is an open source issue tracker. Prior to version 
2.26.1, an  ...)
- mantis 
 CVE-2024-23758 (An issue discovered in Unisys Stealth 5.3.062.0 allows 
attackers to vi ...)
-   TODO: check
+   NOT-FOR-US: Unisys
 CVE-2024-22235 (VMware Aria Operations contains a local privilege escalation 
vulnerabi ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2024-1631 (Impact: The library offers a function to generate an ed25519 
key pair  ...)
TODO: check
 CVE-2024-1562 (The WooCommerce Google Sheet Connector plugin for WordPress is 
vulnera ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1501 (The Database Reset plugin for WordPress is vulnerable to 
Cross-Site Re ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1108 (The Plugin Groups plugin for WordPress is vulnerable to 
unauthorized m ...)
TODO: check
 CVE-2024-1081 (The 3D FlipBook \u2013 PDF Flipbook WordPress plugin for 
WordPress is  ...)
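Review bot: CVE-2024-1108 (Plugin Groups plugin for WordPress) and CVE-2024-1081 (3D FlipBook WordPress plugin) are left at "TODO: check" while every other WordPress plugin entry in this hunk is resolved to "NOT-FOR-US: WordPress plugin" in the same pass; unless those two are believed to be packaged, they should get the same label so the remaining TODOs are only the genuinely open items. Leaving CVE-2024-1631 at TODO is right: its truncated description ("The library offers a function to generate an ed25519 key pair") does not name the library, so the CNA record has to be consulted before deciding whether it is in Debian. One labelling point: "NOT-FOR-US: Unisys" and "NOT-FOR-US: VMware" name the vendor, whereas the descriptions name the products (Unisys Stealth, VMware Aria Operations); product names keep the labels greppable and match the style of the other entries.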
@@ -376,81 +376,81 @@ CVE-2024-1546 (When storing and re-accessing data on a 
networking channel, the l
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1546
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1546
 CVE-2024-1519 (The Paid Membership Plugin, Ecommerce, User Registration Form, 
Login F ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1496 (The Featured Image from URL (FIFU) plugin for WordPress is 
vulnerable  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1492 (The WPify Woo Czech plugin for WordPress is vulnerable to 
unauthorized ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1475 (The Coming Soon Maintenance Mode plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1472 (The WP Maintenance plugin for WordPress is vulnerable to 
Information E ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1470 (Authorization Bypass Through User-Controlled Key vulnerability 
in NetI ...)
-   TODO: check
+   NOT-FOR-US: Microfocus
 CVE-2024-1448 (The Social Sharing Plugin \u2013 Sassy Social Share plugin for 
WordPre ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1447 (The Sydney Toolbox plugin for WordPress is vulnerable to Stored 
Cross- ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1445 (The Page scroll to id plugin for WordPress is vulnerable to 
Stored Cro ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1425 (The EmbedPress \u2013 Embed PDF, YouTube, Google Docs, Vimeo, 
Wistia V ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1411 (The 
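
Review bot: the archive cuts this hunk off after the "CVE-2024-1411 (The" header line, so only about twenty of its 81 lines can be reviewed here; the visible changes are uniform TODO-to-NOT-FOR-US conversions and raise no correctness issue. One labelling point: CVE-2024-1470's description names the product (truncated to "NetI" here) while the label says "Microfocus"; labelling by product, as the surrounding entries do, makes the entry easier to find when the same product comes up again.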

[Git][security-tracker-team/security-tracker][master] Add CVE-2024-23830/mantis

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aae5baca by Salvatore Bonaccorso at 2024-02-21T11:26:39+01:00
Add CVE-2024-23830/mantis

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41,7 +41,7 @@ CVE-2024-24802 (Cross-Site Request Forgery (CSRF) 
vulnerability in John Tendik J
 CVE-2024-24798 (Cross-Site Request Forgery (CSRF) vulnerability in SoniNow 
Team Debug. ...)
TODO: check
 CVE-2024-23830 (MantisBT is an open source issue tracker. Prior to version 
2.26.1, an  ...)
-   TODO: check
+   - mantis 
 CVE-2024-23758 (An issue discovered in Unisys Stealth 5.3.062.0 allows 
attackers to vi ...)
TODO: check
 CVE-2024-22235 (VMware Aria Operations contains a local privilege escalation 
vulnerabi ...)
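
Review bot: the TODO is replaced by an open mantis entry but nothing else is recorded: the description scopes the issue to versions prior to 2.26.1, yet there is no NOTE with the upstream advisory or fix commit, so whoever picks this up later has to rediscover what needs backporting. The optee-os and linux entries elsewhere on this page put the advisory and the fixing commit in NOTE lines; the same should be done here. The rendered line also shows a double space after "mantis", meaning the status tag was stripped as markup in this copy; check that the committed line actually carries the unfixed tag rather than a bare package name.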



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aae5bacaccc1991e2d74f33ccc4eba994166892d



[Git][security-tracker-team/security-tracker][master] 2 commits: Update optee-os CVEs

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cbbb9667 by Dylan Aïssi at 2024-02-21T10:26:01+01:00
Update optee-os CVEs

- - - - -
fc6dc7b3 by Salvatore Bonaccorso at 2024-02-21T09:29:15+00:00
Merge branch wip/daissi/optee-os into master

Update optee-os CVEs

See merge request security-tracker-team/security-tracker!166
- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28653,7 +28653,9 @@ CVE-2023-41880 (Wasmtime is a standalone runtime for 
WebAssembly. Wasmtime versi
 CVE-2023-41592 (Froala Editor v4.0.1 to v4.1.1 was discovered to contain a 
cross-site  ...)
NOT-FOR-US: Froala Editor
 CVE-2023-41325 (OP-TEE is a Trusted Execution Environment (TEE) designed as 
companion  ...)
-   - optee-os 
+   - optee-os  (Fixed before initial upload)
+   NOTE: 
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-jrw7-63cq-7vhm
+   NOTE: 
https://github.com/OP-TEE/optee_os/commit/e2ec831cb07ed0099535c7c140cb6338aa62816a
 CVE-2023-41160 (A Stored Cross-Site Scripting (XSS) vulnerability in the SSH 
configura ...)
NOT-FOR-US: Usermin
 CVE-2023-41159 (A Stored Cross-Site Scripting (XSS) vulnerability while 
editing the au ...)
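Review bot: "Fixed before initial upload" is asserted without recording either the upstream release that first contains commit e2ec831cb07ed0099535c7c140cb6338aa62816a or the Debian version that was first uploaded, so the claim cannot be checked from the entry itself. The linux entries on this page append the first upstream tag after each commit URL ("(6.5-rc4)"); using the same convention here, plus the initial optee-os upload version in the parenthetical, would make the not-affected marking auditable. The double space after "optee-os" in the rendered line indicates the status tag was stripped in this copy; confirm the committed line carries it.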
@@ -161068,7 +161070,8 @@ CVE-2021-44151 (An issue was discovered in Reprise 
RLM 14.2. As the session cook
 CVE-2021-44150 (The client in tusdotnet through 2.5.0 relies on SHA-1 to 
prevent spoof ...)
NOT-FOR-US: tusdotnet
 CVE-2021-44149 (An issue was discovered in Trusted Firmware OP-TEE Trusted OS 
through  ...)
-   - optee-os 
+   - optee-os  (Fixed before initial upload)
+   NOTE: 
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4pqr-q8rf-8464
 CVE-2021-44148 (GL.iNet GL-AR150 2.x before 3.x devices, configured as 
repeaters, allo ...)
NOT-FOR-US: GL.iNet
 CVE-2021-44147 (An XML External Entity issue in Claris FileMaker Pro and 
Server (inclu ...)
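Review bot: unlike the CVE-2023-41325 entry in the hunk above, this one records only the GHSA advisory and no fixing commit, so "Fixed before initial upload" rests on the advisory text alone. Add the fix commit and its first release tag as a second NOTE line, as was done for CVE-2023-41325, so both optee-os not-affected markings are justified the same way and can be re-verified if the advisory is later amended.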
@@ -185381,7 +185384,8 @@ CVE-2021-36135
 CVE-2021-36134 (Out of bounds write vulnerability in the JPEG parsing code of 
Netop Vi ...)
NOT-FOR-US: McAfee
 CVE-2021-36133 (The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks 
security access ...)
-   - optee-os 
+   - optee-os 
+   NOTE: 
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-6q85-3ph3-rm47
 CVE-2021-36132 (An issue was discovered in the FileImporter extension in 
MediaWiki thr ...)
NOT-FOR-US: FileImport MediaWiki extension
NOTE: 
https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/M7MVMBYMLNIVLHCWL2KKZGH36HYN4YON/
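
Review bot: this entry stays open with no fixed version while the other two optee-os entries in the same change are closed as fixed before the initial upload, and the only addition is the advisory link. If the fix is in the upstream release that Debian first uploaded, the entry should be closed the same way; if it is not, note the fixing commit and the version it landed in so the open status is actionable rather than a placeholder. The description scopes the issue to the CSU driver for NXP i.MX SoC devices, so if Debian's build does not enable that driver, that is the not-affected rationale to record instead.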



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5a0ac3f3d8af8d45b1a4bb03c95a4e1ec6b286a3...fc6dc7b316c37553edbf9374e1361b40eeba549d



[Git][security-tracker-team/security-tracker] Deleted branch wip/daissi/optee-os

2024-02-21 Thread @daissi


Dylan Aïssi deleted branch wip/daissi/optee-os at Debian Security Tracker / 
security-tracker



[Git][security-tracker-team/security-tracker][wip/daissi/optee-os] Update optee-os CVEs

2024-02-21 Thread @daissi


Dylan Aïssi pushed to branch wip/daissi/optee-os at Debian Security Tracker / 
security-tracker


Commits:
cbbb9667 by Dylan Aïssi at 2024-02-21T10:26:01+01:00
Update optee-os CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28653,7 +28653,9 @@ CVE-2023-41880 (Wasmtime is a standalone runtime for 
WebAssembly. Wasmtime versi
 CVE-2023-41592 (Froala Editor v4.0.1 to v4.1.1 was discovered to contain a 
cross-site  ...)
NOT-FOR-US: Froala Editor
 CVE-2023-41325 (OP-TEE is a Trusted Execution Environment (TEE) designed as 
companion  ...)
-   - optee-os 
+   - optee-os  (Fixed before initial upload)
+   NOTE: 
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-jrw7-63cq-7vhm
+   NOTE: 
https://github.com/OP-TEE/optee_os/commit/e2ec831cb07ed0099535c7c140cb6338aa62816a
 CVE-2023-41160 (A Stored Cross-Site Scripting (XSS) vulnerability in the SSH 
configura ...)
NOT-FOR-US: Usermin
 CVE-2023-41159 (A Stored Cross-Site Scripting (XSS) vulnerability while 
editing the au ...)
@@ -161068,7 +161070,8 @@ CVE-2021-44151 (An issue was discovered in Reprise 
RLM 14.2. As the session cook
 CVE-2021-44150 (The client in tusdotnet through 2.5.0 relies on SHA-1 to 
prevent spoof ...)
NOT-FOR-US: tusdotnet
 CVE-2021-44149 (An issue was discovered in Trusted Firmware OP-TEE Trusted OS 
through  ...)
-   - optee-os 
+   - optee-os  (Fixed before initial upload)
+   NOTE: 
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4pqr-q8rf-8464
 CVE-2021-44148 (GL.iNet GL-AR150 2.x before 3.x devices, configured as 
repeaters, allo ...)
NOT-FOR-US: GL.iNet
 CVE-2021-44147 (An XML External Entity issue in Claris FileMaker Pro and 
Server (inclu ...)
@@ -185381,7 +185384,8 @@ CVE-2021-36135
 CVE-2021-36134 (Out of bounds write vulnerability in the JPEG parsing code of 
Netop Vi ...)
NOT-FOR-US: McAfee
 CVE-2021-36133 (The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks 
security access ...)
-   - optee-os 
+   - optee-os 
+   NOTE: 
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-6q85-3ph3-rm47
 CVE-2021-36132 (An issue was discovered in the FileImporter extension in 
MediaWiki thr ...)
NOT-FOR-US: FileImport MediaWiki extension
NOTE: 
https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/M7MVMBYMLNIVLHCWL2KKZGH36HYN4YON/



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbbb966766fa6adb392f66be3060c6a0094577cd



[Git][security-tracker-team/security-tracker] Pushed new branch wip/daissi/optee-os

2024-02-21 Thread @daissi


Dylan Aïssi pushed new branch wip/daissi/optee-os at Debian Security Tracker / 
security-tracker

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/tree/wip/daissi/optee-os


[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5244{0,1,2}/linux

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5a0ac3f3 by Salvatore Bonaccorso at 2024-02-21T09:46:55+01:00
Add CVE-2023-5244{0,1,2}/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -59,11 +59,23 @@ CVE-2024-1081 (The 3D FlipBook \u2013 PDF Flipbook 
WordPress plugin for WordPres
 CVE-2024-0593 (The Simple Job Board plugin for WordPress is vulnerable to 
unauthorize ...)
TODO: check
 CVE-2023-52442 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
-   TODO: check
+   - linux 6.5.3-1
+   [bookworm] - linux 6.1.55-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/3df0411e132ee74a87aa13142dfd2b190275332e (6.5-rc4)
 CVE-2023-52441 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
-   TODO: check
+   - linux 6.5.3-1
+   [bookworm] - linux 6.1.55-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/536bb492d39bb6c080c92f31e8a55fe9934f452b (6.5-rc4)
 CVE-2023-52440 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
-   TODO: check
+   - linux 6.5.3-1
+   [bookworm] - linux 6.1.52-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/4b081ce0d830b684fdf967abc3696d1261387254 (6.6-rc1)
 CVE-2023-50923 (In QUIC in RFC 9000, the Latency Spin Bit specification 
(section 17.4) ...)
TODO: check
 CVE-2023-49034 (Cross Site Scripting (XSS) vulnerability in ProjeQtOr 11.0.2 
allows a  ...)
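
Review bot: CVE-2023-52440's NOTE gives its mainline fix as (6.6-rc1), yet its fixed versions are 6.5.3-1 for unstable and 6.1.52-1 for bookworm, the latter earlier than the 6.1.55-1 recorded for the two 6.5-rc4 fixes above it. That is only consistent if the commit reached the 6.1.y and 6.5.y stable series before 6.6-rc1 was tagged (stable can pick up a commit as soon as it is in Linus' tree, which during a merge window precedes the -rc1 tag), so the bookworm and unstable versions for this one should be cross-checked against the stable changelogs rather than inferred from the mainline tag. The four "Vulnerable code not present" lines give no reason; a short parenthetical naming what is absent from the bullseye and buster kernels would let a reader verify the not-affected status without tracing each commit.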



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a0ac3f3d8af8d45b1a4bb03c95a4e1ec6b286a3



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8b084a6e by Salvatore Bonaccorso at 2024-02-21T09:29:10+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,23 +1,23 @@
 CVE-2024-26269 (Cross-site scripting (XSS) vulnerability in the Frontend JS 
module's p ...)
-   TODO: check
+   NOT-FOR-US: Liferay
 CVE-2024-26266 (Multiple stored cross-site scripting (XSS) vulnerabilities in 
Liferay  ...)
-   TODO: check
+   NOT-FOR-US: Liferay
 CVE-2024-26140 (com.yetanalytics/lrs is the Yet Analytics Core LRS Library. 
Prior to v ...)
-   TODO: check
+   NOT-FOR-US: Yet Analytics Core LRS Library
 CVE-2024-26136 (kedi ElectronCord is a bot management tool for Discord. Commit 
aaaeaf4 ...)
TODO: check
 CVE-2024-25905 (Cross-Site Request Forgery (CSRF) vulnerability in Mondula 
GmbH Multi  ...)
-   TODO: check
+   NOT-FOR-US: Mondula GmbH Multi Step Form
 CVE-2024-25904 (Cross-Site Request Forgery (CSRF) vulnerability in David 
Stockl TinyMC ...)
TODO: check
 CVE-2024-25603 (Stored cross-site scripting (XSS) vulnerability in the Dynamic 
Data Ma ...)
-   TODO: check
+   NOT-FOR-US: Liferay
 CVE-2024-25602 (Stored cross-site scripting (XSS) vulnerability in Users Admin 
module' ...)
-   TODO: check
+   NOT-FOR-US: Liferay
 CVE-2024-25601 (Stored cross-site scripting (XSS) vulnerability in Expando 
module's ge ...)
-   TODO: check
+   NOT-FOR-US: Liferay
 CVE-2024-25428 (SQL Injection vulnerability in MRCMS v3.1.2 allows attackers 
to run ar ...)
-   TODO: check
+   NOT-FOR-US: MRCMS
 CVE-2024-25152 (Stored cross-site scripting (XSS) vulnerability in Message 
Board widge ...)
TODO: check
 CVE-2024-25151 (The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and 
older u ...)
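Review bot: CVE-2024-25905 and CVE-2024-25904 share the same description pattern ("Cross-Site Request Forgery (CSRF) vulnerability in <author> <product>"), but the first is resolved as "NOT-FOR-US: Mondula GmbH Multi Step Form" while the second is left at TODO; if both are plugins for the same platform they should be labelled alike, and the later commit on this page (e55d5bf4) labels entries of exactly this pattern "NOT-FOR-US: WordPress plugin", so that label is the consistent choice here too. CVE-2024-26136 (kedi ElectronCord, described as a Discord bot management tool) is also left at TODO although the description already identifies a standalone project, so it looks like another NFU candidate for this pass.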
@@ -25,7 +25,7 @@ CVE-2024-25151 (The Calendar module in Liferay Portal 7.2.0 
through 7.4.2, and o
 CVE-2024-25147 (Cross-site scripting (XSS) vulnerability in 
HtmlUtil.escapeJsLink in L ...)
TODO: check
 CVE-2024-25141 (When sslwas enabled for Mongo Hook, default settings included 
"allow_i ...)
-   TODO: check
+   NOT-FOR-US: Apache Airflow Mongo Provider
 CVE-2024-24876 (Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts 
Admin M ...)
TODO: check
 CVE-2024-24872 (Cross-Site Request Forgery (CSRF) vulnerability in Themify 
Themify Bui ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b084a6ea3b36970cfe3c470059afbdbea684864



[Git][security-tracker-team/security-tracker][master] automatic update

2024-02-21 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6589665c by security tracker role at 2024-02-21T08:11:42+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,32 +1,164 @@
-CVE-2024-1676
+CVE-2024-26269 (Cross-site scripting (XSS) vulnerability in the Frontend JS 
module's p ...)
+   TODO: check
+CVE-2024-26266 (Multiple stored cross-site scripting (XSS) vulnerabilities in 
Liferay  ...)
+   TODO: check
+CVE-2024-26140 (com.yetanalytics/lrs is the Yet Analytics Core LRS Library. 
Prior to v ...)
+   TODO: check
+CVE-2024-26136 (kedi ElectronCord is a bot management tool for Discord. Commit 
aaaeaf4 ...)
+   TODO: check
+CVE-2024-25905 (Cross-Site Request Forgery (CSRF) vulnerability in Mondula 
GmbH Multi  ...)
+   TODO: check
+CVE-2024-25904 (Cross-Site Request Forgery (CSRF) vulnerability in David 
Stockl TinyMC ...)
+   TODO: check
+CVE-2024-25603 (Stored cross-site scripting (XSS) vulnerability in the Dynamic 
Data Ma ...)
+   TODO: check
+CVE-2024-25602 (Stored cross-site scripting (XSS) vulnerability in Users Admin 
module' ...)
+   TODO: check
+CVE-2024-25601 (Stored cross-site scripting (XSS) vulnerability in Expando 
module's ge ...)
+   TODO: check
+CVE-2024-25428 (SQL Injection vulnerability in MRCMS v3.1.2 allows attackers 
to run ar ...)
+   TODO: check
+CVE-2024-25152 (Stored cross-site scripting (XSS) vulnerability in Message 
Board widge ...)
+   TODO: check
+CVE-2024-25151 (The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and 
older u ...)
+   TODO: check
+CVE-2024-25147 (Cross-site scripting (XSS) vulnerability in 
HtmlUtil.escapeJsLink in L ...)
+   TODO: check
+CVE-2024-25141 (When sslwas enabled for Mongo Hook, default settings included 
"allow_i ...)
+   TODO: check
+CVE-2024-24876 (Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts 
Admin M ...)
+   TODO: check
+CVE-2024-24872 (Cross-Site Request Forgery (CSRF) vulnerability in Themify 
Themify Bui ...)
+   TODO: check
+CVE-2024-24849 (Cross-Site Request Forgery (CSRF) vulnerability in Mark 
Stockton Quick ...)
+   TODO: check
+CVE-2024-24843 (Cross-Site Request Forgery (CSRF) vulnerability in PowerPack 
Addons fo ...)
+   TODO: check
+CVE-2024-24837 (Cross-Site Request Forgery (CSRF) vulnerability in 
Fr\xe9d\xe9ric GILL ...)
+   TODO: check
+CVE-2024-24802 (Cross-Site Request Forgery (CSRF) vulnerability in John Tendik 
JTRT Re ...)
+   TODO: check
+CVE-2024-24798 (Cross-Site Request Forgery (CSRF) vulnerability in SoniNow 
Team Debug. ...)
+   TODO: check
+CVE-2024-23830 (MantisBT is an open source issue tracker. Prior to version 
2.26.1, an  ...)
+   TODO: check
+CVE-2024-23758 (An issue discovered in Unisys Stealth 5.3.062.0 allows 
attackers to vi ...)
+   TODO: check
+CVE-2024-22235 (VMware Aria Operations contains a local privilege escalation 
vulnerabi ...)
+   TODO: check
+CVE-2024-1631 (Impact: The library offers a function to generate an ed25519 
key pair  ...)
+   TODO: check
+CVE-2024-1562 (The WooCommerce Google Sheet Connector plugin for WordPress is 
vulnera ...)
+   TODO: check
+CVE-2024-1501 (The Database Reset plugin for WordPress is vulnerable to 
Cross-Site Re ...)
+   TODO: check
+CVE-2024-1108 (The Plugin Groups plugin for WordPress is vulnerable to 
unauthorized m ...)
+   TODO: check
+CVE-2024-1081 (The 3D FlipBook \u2013 PDF Flipbook WordPress plugin for 
WordPress is  ...)
+   TODO: check
+CVE-2024-0593 (The Simple Job Board plugin for WordPress is vulnerable to 
unauthorize ...)
+   TODO: check
+CVE-2023-52442 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
+   TODO: check
+CVE-2023-52441 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
+   TODO: check
+CVE-2023-52440 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
+   TODO: check
+CVE-2023-50923 (In QUIC in RFC 9000, the Latency Spin Bit specification 
(section 17.4) ...)
+   TODO: check
+CVE-2023-49034 (Cross Site Scripting (XSS) vulnerability in ProjeQtOr 11.0.2 
allows a  ...)
+   TODO: check
+CVE-2023-47422 (An access control issue in /usr/sbin/httpd in Tenda TX9 V1 
V22.03.02.5 ...)
+   TODO: check
+CVE-2023-46967 (Cross Site Scripting vulnerability in the sanitize function in 
Enhance ...)
+   TODO: check
+CVE-2023-42953 (A permissions issue was addressed with additional 
restrictions. This i ...)
+   TODO: check
+CVE-2023-42952 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
+   TODO: check
+CVE-2023-42951 (The issue was addressed with improved handling of caches. This 
issue i ...)
+   TODO: check
+CVE-2023-42946 (This issue was addressed with improved redaction of
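
Review bot: the hunk removes the bare "CVE-2024-1676" placeholder at the top of the file, and the archived copy is cut off after CVE-2023-42946, so whether that entry is re-added with its description further down cannot be confirmed from this message. Every added entry is a "TODO: check" placeholder, which is expected for the automatic import; two will need more than the description to triage: CVE-2024-1631 ("The library offers a function to generate an ed25519 key pair") never names the library, and CVE-2024-26136 identifies the affected code only by a commit prefix ("Commit aaaeaf4 ...") rather than a release, so both need the CNA record before a NOT-FOR-US or package decision can be made.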