[Git][security-tracker-team/security-tracker][master] Track fixed version for chromium issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6eb2885 by Salvatore Bonaccorso at 2024-02-22T07:40:45+01:00 Track fixed version for chromium issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -288,35 +288,35 @@ CVE-2023-42496 (Reflected cross-site scripting (XSS) vulnerability on the add as CVE-2023-40191 (Reflected cross-site scripting (XSS) vulnerability in the instance set ...) NOT-FOR-US: Liferay CVE-2024-1676 (Inappropriate implementation in Navigation in Google Chrome prior to 1 ...) - - chromium + - chromium 122.0.6261.57-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-1675 (Insufficient policy enforcement in Download in Google Chrome prior to ...) - - chromium + - chromium 122.0.6261.57-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-1674 (Inappropriate implementation in Navigation in Google Chrome prior to 1 ...) - - chromium + - chromium 122.0.6261.57-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-1673 (Use after free in Accessibility in Google Chrome prior to 122.0.6261.5 ...) - - chromium + - chromium 122.0.6261.57-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-1672 (Inappropriate implementation in Content Security Policy in Google Chro ...) - - chromium + - chromium 122.0.6261.57-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-1671 (Inappropriate implementation in Site Isolation in Google Chrome prior ...) - - chromium + - chromium 122.0.6261.57-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-1670 (Use after free in Mojo in Google Chrome prior to 122.0.6261.57 allowed ...) - - chromium + - chromium 122.0.6261.57-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-1669 (Out of bounds memory access in Blink in Google Chrome prior to 122.0.6 ...) 
- - chromium + - chromium 122.0.6261.57-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-1481 [specially crafted HTTP requests potentially lead to DoS or data exposure] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6eb2885bc1fa7abf6207e8d26a3aeca6bf184c7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6eb2885bc1fa7abf6207e8d26a3aeca6bf184c7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
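Review bot: the fixed version 122.0.6261.57-1 is applied uniformly to CVE-2024-1669 through CVE-2024-1676, matching the "prior to 122.0.6261.57" wording in each description, so the upstream-to-Debian mapping is consistent; the [bullseye] and [buster] lines are unchanged and still defer to #1061268 and DSA 5046 respectively, so this commit closes only unstable and bullseye stays open until the upload referenced by that bug is tracked here.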
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-26147/helm-kubernetes, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 55fb5459 by Salvatore Bonaccorso at 2024-02-22T07:30:59+01:00 Add CVE-2024-26147/helm-kubernetes, itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2024-26147 + - helm-kubernetes (bug #910799) CVE-2024-1726 NOT-FOR-US: Quarkus CVE-2024-1722 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55fb54598b29943a634482ded09ff3e71bab0cd4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55fb54598b29943a634482ded09ff3e71bab0cd4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
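Review bot: the commit title says helm-kubernetes is ITP'ed, but the added entry `- helm-kubernetes (bug #910799)` reads like an unfixed package already in the archive; the tracker's `<itp>` marker (as in `- helm-kubernetes <itp> (bug #910799)`) would record that #910799 is the ITP bug and that no archive package is affected yet, instead of leaving the entry indistinguishable from a missing fix.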
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df10056b by Salvatore Bonaccorso at 2024-02-22T07:29:57+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024-1726 + NOT-FOR-US: Quarkus +CVE-2024-1722 + NOT-FOR-US: Keycloak +CVE-2023-6787 + NOT-FOR-US: Keycloak CVE-2024-27215 REJECTED CVE-2024-26311 (Archer Platform 6.x before 6.14 P2 HF1 (6.14.0.2.1) contains a reflect ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df10056b430f32e7f991fe247cd8ee0e835a32fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df10056b430f32e7f991fe247cd8ee0e835a32fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove todo item from CVE-2024-25262
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ea8de7e5 by Salvatore Bonaccorso at 2024-02-21T22:30:10+01:00 Remove todo item from CVE-2024-25262 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -356,7 +356,6 @@ CVE-2024-25262 (texlive-bin commit c515e was discovered to contain heap buffer o NOTE: https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605=co NOTE: https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912 NOTE: https://github.com/TeX-Live/texlive-source/pull/63 - TODO: check CVE-2024-25260 (elfutils v0.189 was discovered to contain a NULL pointer dereference v ...) - elfutils (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=31058 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea8de7e54e4dffdf8c1323d16f70f21416b650a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea8de7e54e4dffdf8c1323d16f70f21416b650a7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-25117/php-dompdf-svg-lib
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7dd0a8ee by Salvatore Bonaccorso at 2024-02-21T22:29:34+01:00 Add CVE-2024-25117/php-dompdf-svg-lib - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41,7 +41,10 @@ CVE-2024-25288 (SLIMS (Senayan Library Management Systems) 9 Bulian v9.6.1 is vu CVE-2024-25249 (An issue in He3 App for macOS version 2.0.17, allows remote attackers ...) NOT-FOR-US: He3 App for macOS CVE-2024-25117 (php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ...) - TODO: check + - php-dompdf-svg-lib + NOTE: https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273 + NOTE: https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa (0.5.2) + NOTE: https://github.com/dompdf/php-svg-lib/commit/8ffcc41bbde39f09f94b9760768086f12bbdce42 (0.5.2) CVE-2024-24479 (Buffer Overflow vulnerability in Wireshark team Wireshark before v.4.2 ...) TODO: check CVE-2024-24478 (An issue in Wireshark team Wireshark before v.4.2.0 allows a remote at ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dd0a8ee7d589d1d37a2e0a526521c4062c19666 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dd0a8ee7d589d1d37a2e0a526521c4062c19666 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
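Review bot: the new php-dompdf-svg-lib entry records the GHSA advisory and the two upstream fix commits (0.5.2) but no Debian bug number, no fixed unstable version and no [bookworm]/[bullseye] status lines, so the exposure of the stable suites is left undetermined while the `TODO: check` that flagged it has been removed; a bug reference or a `TODO:` line naming the remaining triage step would keep the entry from looking complete.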
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cc831dc by Salvatore Bonaccorso at 2024-02-21T22:29:05+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,7 @@ CVE-2024-26145 (Discourse Calendar adds the ability to create a dynamic calendar CVE-2024-26138 (The XWiki licensor application, which manages and enforce application ...) NOT-FOR-US: XWiki CVE-2024-26133 (EventStoreDB (ESDB) is an operational database built to store events. ...) - TODO: check + NOT-FOR-US: EventStoreDB (ESDB) CVE-2024-26130 (cryptography is a package designed to expose cryptographic primitives ...) - python-cryptography NOTE: https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4 
@@ -51,37 +51,37 @@ CVE-2024-24476 (Buffer Overflow vulnerability in Wireshark team Wireshark before CVE-2024-23346 (Pymatgen (Python Materials Genomics) is an open-source Python library ...) TODO: check CVE-2024-22778 (HackMD CodiMD <2.5.2 is vulnerable to Denial of Service.) - TODO: check + NOT-FOR-US: HackMD CodiMD CVE-2024-22473 (TRNG is used before initialization by ECDSA signing driver when exitin ...) TODO: check CVE-2024-0 (An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 ...) TODO: check CVE-2024-20325 (A vulnerability in the Live Data server of Cisco Unified Intelligence ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-1714 REJECTED CVE-2024-1709 (ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authenti ...) - TODO: check + NOT-FOR-US: ConnectWise ScreenConnect CVE-2024-1708 (ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traver ...) - TODO: check + NOT-FOR-US: ConnectWise ScreenConnect CVE-2024-1707 (A vulnerability, which was classified as problematic, was found in GAR ...) - TODO: check + NOT-FOR-US: GARO WALLBOX GLB+ T2EV7 CVE-2024-1706 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: ZKTeco ZKBio Access IVS CVE-2024-1705 (A vulnerability was found in Shopwind up to 4.6. It has been rated as ...) - TODO: check + NOT-FOR-US: Shopwind CVE-2024-1704 (A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been de ...) - TODO: check + NOT-FOR-US: ZhongBangKeJi CRMEB CVE-2024-1703 (A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been cl ...) - TODO: check + NOT-FOR-US: ZhongBangKeJi CRMEB CVE-2024-1702 (A vulnerability was found in keerti1924 PHP-MYSQL-User-Login-System 1. ...) - TODO: check + NOT-FOR-US: keerti1924 PHP-MYSQL-User-Login-System CVE-2024-1701 (A vulnerability has been found in keerti1924 PHP-MYSQL-User-Login-Syst ...) 
- TODO: check + NOT-FOR-US: keerti1924 PHP-MYSQL-User-Login-System CVE-2024-1700 (A vulnerability, which was classified as problematic, was found in kee ...) - TODO: check + NOT-FOR-US: keerti1924 PHP-MYSQL-User-Login-System CVE-2024-1474 (In WS_FTP Server versions before 8.8.5, reflected cross-site scripting ...) - TODO: check + NOT-FOR-US: Progress WS_FTP Server CVE-2024-1212 (Unauthenticated remote attackers can access the system through the Loa ...) TODO: check CVE-2023-7235 (The OpenVPN GUI installer before version 2.6.9 did not set the proper ...) @@ -91,13 +91,13 @@ CVE-2023-6640 (Malformed S2 Nonce Get Command Class packets can be sent to crash CVE-2023-6533 (Malformed Device Reset Locally Command Class packets can be sent to th ...) TODO: check CVE-2023-50975 (The TD Bank TD Advanced Dashboard client through 3.0.3 for macOS allow ...) - TODO: check + NOT-FOR-US: TD Bank TD Advanced Dashboard client CVE-2023-50955 (IBM InfoSphere Information Server 11.7 could allow an authenticated pr ...) NOT-FOR-US: IBM CVE-2023-49100 (Trusted Firmware-A (TF-A) before 2.10 has a potential read out-of-boun ...) TODO: check CVE-2023-47795 (Stored cross-site scripting (XSS) vulnerability in the Document and Me ...) - TODO: check + NOT-FOR-US: Liferay CVE-2023-46241 (`discourse-microsoft-auth` is a plugin that enables authentication via ...) TODO: check CVE-2023-33843 (IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scr ...) @@ -600,87 +600,87 @@ CVE-2024-1156 (Incorrect directory permissions for the shared NI RabbitMQ servic CVE-2024-1155 (Incorrect permissions in the installation directories for shared Syste ...) TODO: check CVE-2024-1133 (The Tutor LMS \u2013 eLearning and online course solution plugin for W ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1128 (The Tutor LMS \u2013
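Review bot: the CVE-2024-1133 entry is marked `NOT-FOR-US: WordPress plugin`, naming the product class rather than the product, while every other NOT-FOR-US line in these hunks names the affected software (ConnectWise ScreenConnect, Progress WS_FTP Server, Liferay); the description gives the plugin name (Tutor LMS), so `NOT-FOR-US: Tutor LMS WordPress plugin` would follow the convention used elsewhere in the change.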
[Git][security-tracker-team/security-tracker][master] Add note about openvswitch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f180a8d by Salvatore Bonaccorso at 2024-02-21T22:12:07+01:00 Add note about openvswitch - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -54,6 +54,7 @@ nodejs opennds/stable -- openvswitch + Maintainer sent debdiff for CVE-2023-3966, but there are other CVE fixes which might be piggy backed. -- php-cas/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f180a8df5d09c46c9b28b16f3fa2babe7efd293 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f180a8df5d09c46c9b28b16f3fa2babe7efd293 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
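Review bot: the dsa-needed note names only CVE-2023-3966 and says "other CVE fixes" might be piggybacked without identifying them, so whoever picks up the openvswitch DSA cannot tell from this file what the maintainer's debdiff still lacks; listing those CVE ids, or pointing at where they are tracked, would make the entry actionable. Style: "piggy backed" should be one word, "piggybacked".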
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-25262/texlive-bin
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 764a4a13 by Salvatore Bonaccorso at 2024-02-21T22:09:45+01:00 Add CVE-2024-25262/texlive-bin - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -349,6 +349,10 @@ CVE-2024-25366 (Buffer Overflow vulnerability in mz-automation.de libiec61859 v. CVE-2024-25274 (An arbitrary file upload vulnerability in the component /sysFile/uploa ...) NOT-FOR-US: Novel-Plus CVE-2024-25262 (texlive-bin commit c515e was discovered to contain heap buffer overflo ...) + - texlive-bin + NOTE: https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605=co + NOTE: https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912 + NOTE: https://github.com/TeX-Live/texlive-source/pull/63 TODO: check CVE-2024-25260 (elfutils v0.189 was discovered to contain a NULL pointer dereference v ...) - elfutils (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/764a4a13199a797be2f43a0a69c75a3bddbbf989 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/764a4a13199a797be2f43a0a69c75a3bddbbf989 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
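Review bot: the entry adds `- texlive-bin` together with three NOTE links but leaves `TODO: check` in place, so the CVE is simultaneously assigned to a package and marked untriaged; either drop the TODO or state what remains to check. Also, the first NOTE URL's query string reads `revision=69605=co` as shown, which is not a valid viewvc query; confirm whether it was meant to be `revision=69605&view=co` and whether the `&view` part was lost on the way into the file.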
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-4380 after confirmation from Red Hat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 78e561b7 by Salvatore Bonaccorso at 2024-02-21T21:42:10+01:00 Mark CVE-2023-4380 after confirmation from Red Hat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32127,12 +32127,7 @@ CVE-2023-40217 (An issue was discovered in Python before 3.8.18, 3.9.x before 3. NOTE: 1. https://github.com/python/cpython/commit/64f99350351bc46e016b2286f36ba7cd669b79e3 NOTE: 2. https://github.com/python/cpython/commit/592bacb6fc086c0453e818e9b95016e9fd47 CVE-2023-4380 (A logic flaw exists in Ansible Automation platform. Whenever a private ...) - - ansible (bug #1051897) - [bookworm] - ansible (Minor issue) - [bullseye] - ansible (Minor issue) - [buster] - ansible (Minor issue) - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2232324 - NOTE: likely in awx component or may be RedHat specific + NOT-FOR-US: automation-eda-controller CVE-2023-4420 (A remote unprivileged attacker can intercept the communication via e.g ...) NOT-FOR-US: SICK LMS5xx CVE-2023-4419 (The LMS5xx uses hard-coded credentials, which potentially allow low-sk ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78e561b7f2a6bff48b4a0da1c97bbfa2ea87398e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78e561b7f2a6bff48b4a0da1c97bbfa2ea87398e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
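Review bot: replacing the ansible lines with `NOT-FOR-US: automation-eda-controller` drops both the Red Hat bugzilla link (bug 2232324) and the Debian bug #1051897 that had been filed against ansible; a NOTE keeping the bugzilla reference would preserve the evidence behind "confirmation from Red Hat" in the commit title, and #1051897 should be closed or annotated so it does not remain open against a package now considered unaffected.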
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-26130/python-cryptography
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 660a5864 by Salvatore Bonaccorso at 2024-02-21T21:35:34+01:00 Add CVE-2024-26130/python-cryptography - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,11 @@ CVE-2024-26138 (The XWiki licensor application, which manages and enforce applic CVE-2024-26133 (EventStoreDB (ESDB) is an operational database built to store events. ...) TODO: check CVE-2024-26130 (cryptography is a package designed to expose cryptographic primitives ...) - TODO: check + - python-cryptography + NOTE: https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4 + NOTE: https://github.com/pyca/cryptography/pull/10423 + NOTE: Fixed by: https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 (main) + NOTE: Fixed by: https://github.com/pyca/cryptography/commit/7a4d012991061974da5d9cb7614de65eac94f49b (42.0.4) CVE-2024-25898 (A XSS vulnerability was found in the ChurchCRM v.5.5.0 functionality, ...) TODO: check CVE-2024-25897 (ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Ti ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/660a5864e42db8f90a4e66e7afb2070559c7a7dc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/660a5864e42db8f90a4e66e7afb2070559c7a7dc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
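Review bot: the python-cryptography entry cites the fix commits on main and in 42.0.4, so the fixed upstream release is known, but it records no Debian bug number, no fixed unstable version and no [bookworm]/[bullseye] lines; since the `TODO: check` is removed in the same change, nothing here says whether the stable suites carry the affected code, and either those status lines or a TODO for that assessment should be added.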
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df84cdff by Salvatore Bonaccorso at 2024-02-21T21:37:08+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2024-27215 REJECTED CVE-2024-26311 (Archer Platform 6.x before 6.14 P2 HF1 (6.14.0.2.1) contains a reflect ...) - TODO: check + NOT-FOR-US: Archer Platform CVE-2024-26310 (Archer Platform 6.8 before 6.14 P2 (6.14.0.2) contains an improper acc ...) - TODO: check + NOT-FOR-US: Archer Platform CVE-2024-26145 (Discourse Calendar adds the ability to create a dynamic calendar in th ...) - TODO: check + NOT-FOR-US: Discourse Calendar CVE-2024-26138 (The XWiki licensor application, which manages and enforce application ...) - TODO: check + NOT-FOR-US: XWiki CVE-2024-26133 (EventStoreDB (ESDB) is an operational database built to store events. ...) TODO: check CVE-2024-26130 (cryptography is a package designed to expose cryptographic primitives ...) 
@@ -17,29 +17,29 @@ CVE-2024-26130 (cryptography is a package designed to expose cryptographic primi NOTE: Fixed by: https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 (main) NOTE: Fixed by: https://github.com/pyca/cryptography/commit/7a4d012991061974da5d9cb7614de65eac94f49b (42.0.4) CVE-2024-25898 (A XSS vulnerability was found in the ChurchCRM v.5.5.0 functionality, ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2024-25897 (ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Ti ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2024-25896 (ChurchCRM 5.5.0 EventEditor.php is vulnerable to Blind SQL Injection ( ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2024-25895 (A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 5.5. ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2024-25894 (ChurchCRM 5.5.0 /EventEditor.php is vulnerable to Blind SQL Injection ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2024-25893 (ChurchCRM 5.5.0 FRCertificates.php is vulnerable to Blind SQL Injectio ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2024-25892 (ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL Injection ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2024-25891 (ChurchCRM 5.5.0 FRBidSheets.php is vulnerable to Blind SQL Injection ( ...) - TODO: check + NOT-FOR-US: ChurchCRM CVE-2024-25461 (Directory Traversal vulnerability in Terrasoft, Creatio Terrasoft CRM ...) TODO: check CVE-2024-25381 (There is a Stored XSS Vulnerability in Emlog Pro 2.2.8 Article Publish ...) - TODO: check + NOT-FOR-US: Emlog Pro CVE-2024-25288 (SLIMS (Senayan Library Management Systems) 9 Bulian v9.6.1 is vulnerab ...) - TODO: check + NOT-FOR-US: SLIMS (Senayan Library Management Systems) CVE-2024-25249 (An issue in He3 App for macOS version 2.0.17, allows remote attackers ...) - TODO: check + NOT-FOR-US: He3 App for macOS CVE-2024-25117 (php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ...) 
TODO: check CVE-2024-24479 (Buffer Overflow vulnerability in Wireshark team Wireshark before v.4.2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df84cdffc61ece338832b708456f4eed757ae18b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df84cdffc61ece338832b708456f4eed757ae18b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for thunderbird issues from mfsa2024-07
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0985fb97 by Salvatore Bonaccorso at 2024-02-21T21:24:30+01:00 Track fixed version for thunderbird issues from mfsa2024-07 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -451,7 +451,7 @@ CVE-2024-1553 (Memory safety bugs present in Firefox 122, Firefox ESR 115.7, and {DSA-5627-1} - firefox 123.0-1 - firefox-esr 115.8.0esr-1 - - thunderbird + - thunderbird 1:115.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1553 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1553 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1553 @@ -459,7 +459,7 @@ CVE-2024-1552 (Incorrect code generation could have led to unexpected numeric co {DSA-5627-1} - firefox 123.0-1 - firefox-esr 115.8.0esr-1 - - thunderbird + - thunderbird 1:115.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1552 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1552 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1552 @@ -467,7 +467,7 @@ CVE-2024-1551 (Set-Cookie response headers were being incorrectly honored in mul {DSA-5627-1} - firefox 123.0-1 - firefox-esr 115.8.0esr-1 - - thunderbird + - thunderbird 1:115.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1551 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1551 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1551 
@@ -475,7 +475,7 @@ CVE-2024-1550 (A malicious website could have used a combination of exiting full {DSA-5627-1} - firefox 123.0-1 - firefox-esr 115.8.0esr-1 - - thunderbird + - thunderbird 1:115.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1550 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1550 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1550 @@ -483,7 +483,7 @@ CVE-2024-1549 (If a website set a large custom cursor, portions of the cursor co {DSA-5627-1} - firefox 123.0-1 - firefox-esr 115.8.0esr-1 - - thunderbird + - thunderbird 1:115.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1549 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1549 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1549 @@ -491,7 +491,7 @@ CVE-2024-1548 (A website could have obscured the fullscreen notification by usin {DSA-5627-1} - firefox 123.0-1 - firefox-esr 115.8.0esr-1 - - thunderbird + - thunderbird 1:115.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1548 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1548 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1548 @@ -499,7 +499,7 @@ CVE-2024-1547 (Through a series of API calls and redirects, an attacker-controll {DSA-5627-1} - firefox 123.0-1 - firefox-esr 115.8.0esr-1 - - thunderbird + - thunderbird 1:115.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1547 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1547 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1547 
@@ -507,7 +507,7 @@ CVE-2024-1546 (When storing and re-accessing data on a networking channel, the l {DSA-5627-1} - firefox 123.0-1 - firefox-esr 115.8.0esr-1 - - thunderbird + - thunderbird 1:115.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/#CVE-2024-1546 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1546 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1546 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0985fb978f1dfd798d89706dfe7178d02023d3c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0985fb978f1dfd798d89706dfe7178d02023d3c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 997a1929 by Salvatore Bonaccorso at 2024-02-21T21:19:44+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -89,7 +89,7 @@ CVE-2023-6533 (Malformed Device Reset Locally Command Class packets can be sent CVE-2023-50975 (The TD Bank TD Advanced Dashboard client through 3.0.3 for macOS allow ...) TODO: check CVE-2023-50955 (IBM InfoSphere Information Server 11.7 could allow an authenticated pr ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-49100 (Trusted Firmware-A (TF-A) before 2.10 has a potential read out-of-boun ...) TODO: check CVE-2023-47795 (Stored cross-site scripting (XSS) vulnerability in the Document and Me ...) @@ -97,7 +97,7 @@ CVE-2023-47795 (Stored cross-site scripting (XSS) vulnerability in the Document CVE-2023-46241 (`discourse-microsoft-auth` is a plugin that enables authentication via ...) TODO: check CVE-2023-33843 (IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scr ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-0410 - gitlab CVE-2023-3509 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/997a192908af5823a442fd3d9d711254ffdd4c95 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/997a192908af5823a442fd3d9d711254ffdd4c95 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-26134/cbor2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 82d8ea2a by Salvatore Bonaccorso at 2024-02-21T21:14:25+01:00 Add Debian bug reference for CVE-2024-26134/cbor2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -742,7 +742,7 @@ CVE-2023-52433 (In the Linux kernel, the following vulnerability has been resolv [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4 (6.6-rc1) CVE-2024-26134 (cbor2 provides encoding and decoding for the Concise Binary Object Rep ...) - - cbor2 + - cbor2 (bug #1064416) [bookworm] - cbor2 (Vulnerable code not present) [bullseye] - cbor2 (Vulnerable code not present) NOTE: https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82d8ea2ac1157154966e518c7aa32192bbed3dc1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82d8ea2ac1157154966e518c7aa32192bbed3dc1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2024-2632{7,8}/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d650ed1f by Salvatore Bonaccorso at 2024-02-21T21:13:38+01:00 Update information for CVE-2024-2632{7,8}/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -858,9 +858,15 @@ CVE-2024-22369 (Deserialization of Untrusted Data vulnerability in Apache Camel NOT-FOR-US: Apache Camel CVE-2024-26328 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...) - qemu + [bullseye] - qemu (Vulnerable code introduced later) + [buster] - qemu (Vulnerable code introduced later) + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0) NOTE: https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...) - qemu + [bullseye] - qemu (Vulnerable code introduced later) + [buster] - qemu (Vulnerable code introduced later) + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0) NOTE: https://lore.kernel.org/all/20240214-reuse-v4-5-89ad093a07f4%40daynix.com/ CVE-2024-26318 (Serenity before 6.8.0 allows XSS via an email link because LoginPage.t ...) NOT-FOR-US: Serenity View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d650ed1fa1832e8dec79838bcc933cbe36b98025 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d650ed1fa1832e8dec79838bcc933cbe36b98025 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
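Review bot: the "Introduced by" NOTE pins the vulnerable code to a commit first released in v7.0.0-rc0, while the CVE descriptions say "QEMU 7.1.0 through 8.2.1"; the two disagree on whether 7.0.x is affected, and since the new [bullseye]/[buster] "Vulnerable code introduced later" markings rest on the commit, the description's range should be checked against the commit rather than assumed. No [bookworm] line is added for either CVE, so bookworm's status is left to the bare `- qemu` line.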
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce231a62 by security tracker role at 2024-02-21T20:12:33+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,103 @@ +CVE-2024-27215 + REJECTED +CVE-2024-26311 (Archer Platform 6.x before 6.14 P2 HF1 (6.14.0.2.1) contains a reflect ...) + TODO: check +CVE-2024-26310 (Archer Platform 6.8 before 6.14 P2 (6.14.0.2) contains an improper acc ...) + TODO: check +CVE-2024-26145 (Discourse Calendar adds the ability to create a dynamic calendar in th ...) + TODO: check +CVE-2024-26138 (The XWiki licensor application, which manages and enforce application ...) + TODO: check +CVE-2024-26133 (EventStoreDB (ESDB) is an operational database built to store events. ...) + TODO: check +CVE-2024-26130 (cryptography is a package designed to expose cryptographic primitives ...) + TODO: check +CVE-2024-25898 (A XSS vulnerability was found in the ChurchCRM v.5.5.0 functionality, ...) + TODO: check +CVE-2024-25897 (ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Ti ...) + TODO: check +CVE-2024-25896 (ChurchCRM 5.5.0 EventEditor.php is vulnerable to Blind SQL Injection ( ...) + TODO: check +CVE-2024-25895 (A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 5.5. ...) + TODO: check +CVE-2024-25894 (ChurchCRM 5.5.0 /EventEditor.php is vulnerable to Blind SQL Injection ...) + TODO: check +CVE-2024-25893 (ChurchCRM 5.5.0 FRCertificates.php is vulnerable to Blind SQL Injectio ...) + TODO: check +CVE-2024-25892 (ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL Injection ...) + TODO: check +CVE-2024-25891 (ChurchCRM 5.5.0 FRBidSheets.php is vulnerable to Blind SQL Injection ( ...) + TODO: check +CVE-2024-25461 (Directory Traversal vulnerability in Terrasoft, Creatio Terrasoft CRM ...) + TODO: check +CVE-2024-25381 (There is a Stored XSS Vulnerability in Emlog Pro 2.2.8 Article Publish ...) + TODO: check +CVE-2024-25288 (SLIMS (Senayan Library Management Systems) 9 Bulian v9.6.1 is vulnerab ...) + TODO: check +CVE-2024-25249 (An issue in He3 App for macOS version 2.0.17, allows remote attackers ...) 
+ TODO: check +CVE-2024-25117 (php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ...) + TODO: check +CVE-2024-24479 (Buffer Overflow vulnerability in Wireshark team Wireshark before v.4.2 ...) + TODO: check +CVE-2024-24478 (An issue in Wireshark team Wireshark before v.4.2.0 allows a remote at ...) + TODO: check +CVE-2024-24476 (Buffer Overflow vulnerability in Wireshark team Wireshark before v.4.2 ...) + TODO: check +CVE-2024-23346 (Pymatgen (Python Materials Genomics) is an open-source Python library ...) + TODO: check +CVE-2024-22778 (HackMD CodiMD <2.5.2 is vulnerable to Denial of Service.) + TODO: check +CVE-2024-22473 (TRNG is used before initialization by ECDSA signing driver when exitin ...) + TODO: check +CVE-2024-0 (An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 ...) + TODO: check +CVE-2024-20325 (A vulnerability in the Live Data server of Cisco Unified Intelligence ...) + TODO: check +CVE-2024-1714 + REJECTED +CVE-2024-1709 (ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authenti ...) + TODO: check +CVE-2024-1708 (ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traver ...) + TODO: check +CVE-2024-1707 (A vulnerability, which was classified as problematic, was found in GAR ...) + TODO: check +CVE-2024-1706 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2024-1705 (A vulnerability was found in Shopwind up to 4.6. It has been rated as ...) + TODO: check +CVE-2024-1704 (A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been de ...) + TODO: check +CVE-2024-1703 (A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been cl ...) + TODO: check +CVE-2024-1702 (A vulnerability was found in keerti1924 PHP-MYSQL-User-Login-System 1. ...) + TODO: check +CVE-2024-1701 (A vulnerability has been found in keerti1924 PHP-MYSQL-User-Login-Syst ...) 
+ TODO: check +CVE-2024-1700 (A vulnerability, which was classified as problematic, was found in kee ...) + TODO: check +CVE-2024-1474 (In WS_FTP Server versions before 8.8.5, reflected cross-site scripting ...) + TODO: check +CVE-2024-1212 (Unauthenticated remote attackers can access the system through the Loa ...) + TODO: check +CVE-2023-7235 (The OpenVPN GUI installer before version 2.6.9 did not set the proper ...) + TODO: check +CVE-2023-6640 (Malformed S2 Nonce Get Command Class
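Review bot: The entry `+CVE-2024-0 (An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 ...)` does not carry a well-formed CVE identifier (the sequence part needs at least four digits), so it should be checked against the upstream feed before triage rather than processed as-is. Among the remaining TODO entries, CVE-2024-24479, CVE-2024-24478 and CVE-2024-24476 (Wireshark before 4.2.0) and CVE-2024-26130 (cryptography) concern software packaged in Debian and are the ones most worth prioritising; CVE-2024-27215 and CVE-2024-1714 arrive already REJECTED and need no further action.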
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for libcommons-compress-java issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ef10fa9 by Salvatore Bonaccorso at 2024-02-21T20:59:20+01:00 Add Debian bug references for libcommons-compress-java issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -734,13 +734,13 @@ CVE-2024-1343 (A weak permission was found in the backup directory in LaborOffic CVE-2023-50257 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the ...) TODO: check CVE-2024-26308 (Allocation of Resources Without Limits or Throttling vulnerability in ...) - - libcommons-compress-java + - libcommons-compress-java (bug #1064414) [bookworm] - libcommons-compress-java (Minor issue) [bullseye] - libcommons-compress-java (Vulnerable code introduced later) [buster] - libcommons-compress-java (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/2 CVE-2024-25710 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability i ...) - - libcommons-compress-java + - libcommons-compress-java (bug #1064413) [bookworm] - libcommons-compress-java (Minor issue) [bullseye] - libcommons-compress-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ef10fa90cd6af094f7eb89ff93b145c2b0644f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ef10fa90cd6af094f7eb89ff93b145c2b0644f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
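Review bot: In the CVE-2024-25710 hunk, bullseye is marked "(Minor issue)" but buster has no line at all, whereas CVE-2024-26308 directly above carries an explicit `[buster] - libcommons-compress-java (Vulnerable code introduced later)`; a buster line for CVE-2024-25710 (minor issue or not affected) would make its status explicit rather than inherited from the open unstable entry. Both unstable entries still record only the bug numbers (#1064414, #1064413) and no fixed version.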
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-24475 (rejected)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c75b5192 by Salvatore Bonaccorso at 2024-02-21T20:48:45+01:00 Remove notes from CVE-2024-24475 (rejected) Further investigation showed that the underlying issue was not a security issue and the CNA has withdrawn the CVE. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -269,8 +269,6 @@ CVE-2024-24763 (JumpServer is an open source bastion host and an operation and m NOT-FOR-US: JumpServer CVE-2024-24475 REJECTED - - qemu 1:8.2.0+ds-1 - NOTE: https://github.com/qemu/qemu/commit/9d9c06b144da340b9a937ed01d45a936810715be (v8.2.0-rc0) CVE-2024-24474 (QEMU before 8.2.0 has an integer underflow, and resultant buffer overf ...) - qemu 1:8.2.0+ds-1 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1810 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c75b51925f229450b500511a23590853a4d4ce3b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c75b51925f229450b500511a23590853a4d4ce3b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
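Review bot: Dropping both the `- qemu 1:8.2.0+ds-1` line and the NOTE with commit 9d9c06b144da340b9a937ed01d45a936810715be is right for a REJECTED id, but the reason given in the commit message ("not a security issue and the CNA has withdrawn the CVE") now lives only in git history; a short NOTE under the REJECTED line stating that would save the next triager from re-investigating if the id shows up in a feed again.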
[Git][security-tracker-team/security-tracker][master] CVE-2023-39361/cacti: reference complementary fix
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0293e780 by Sylvain Beucler at 2024-02-21T19:14:50+01:00 CVE-2023-39361/cacti: reference complementary fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30138,6 +30138,7 @@ CVE-2023-39361 (Cacti is an open source operational monitoring and fault managem NOTE: https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822 (release/1.2.25) NOTE: Introduced by: https://github.com/cacti/cacti/commit/36269461cb9b03581ad5d7f6ddbc085a28fb9c37 (release/1.2.17) NOTE: but the patch still fixes multiple similar issues including one present in earlier versions. + NOTE: Additional hardening with CVE-2023-39365. CVE-2023-39360 (Cacti is an open source operational monitoring and fault management fr ...) - cacti 1.2.25+ds1-1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0293e7807ee21d953506b1641df9c9ad6daf13ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0293e7807ee21d953506b1641df9c9ad6daf13ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
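Review bot: The added `NOTE: Additional hardening with CVE-2023-39365.` does not say whether the CVE-2023-39365 change is required to fully close CVE-2023-39361 or is merely related; since the preceding NOTE already states that the patch "fixes multiple similar issues including one present in earlier versions", spelling out the dependency (for example "complete fix also requires the CVE-2023-39365 commit") would make it actionable for suites that backport only one of the two.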
[Git][security-tracker-team/security-tracker][master] CVE-2023-39361/cacti: reference introductory commit
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e56496d by Sylvain Beucler at 2024-02-21T19:09:14+01:00 CVE-2023-39361/cacti: reference introductory commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30136,6 +30136,8 @@ CVE-2023-39361 (Cacti is an open source operational monitoring and fault managem - cacti 1.2.25+ds1-1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg NOTE: https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822 (release/1.2.25) + NOTE: Introduced by: https://github.com/cacti/cacti/commit/36269461cb9b03581ad5d7f6ddbc085a28fb9c37 (release/1.2.17) + NOTE: but the patch still fixes multiple similar issues including one present in earlier versions. CVE-2023-39360 (Cacti is an open source operational monitoring and fault management fr ...) - cacti 1.2.25+ds1-1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e56496dbc2ab0d1a2a97bdd9cb48107488911f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e56496dbc2ab0d1a2a97bdd9cb48107488911f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
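Review bot: The new NOTE pair says the issue was introduced in release/1.2.17 "but the patch still fixes multiple similar issues including one present in earlier versions", yet the entry keeps only `- cacti 1.2.25+ds1-1` with no [bookworm], [bullseye] or [buster] lines, so the older suites inherit the open unstable status; if that is deliberate because the earlier-version variant is itself security relevant, a word to that effect in the NOTE would make it clear, and if it is not, the older suites could get explicit "Vulnerable code introduced later" lines.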
[Git][security-tracker-team/security-tracker][master] new gitlab issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e31cb631 by Moritz Muehlenhoff at 2024-02-21T18:33:23+01:00 new gitlab issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2024-0410 + - gitlab +CVE-2023-3509 + - gitlab +CVE-2024-0861 + - gitlab (Specific to EE) +CVE-2023-4895 + - gitlab (Specific to EE) +CVE-2024-1525 + - gitlab +CVE-2023-6477 + - gitlab (Specific to EE) +CVE-2024-1451 + - gitlab (Only affects 16.9) CVE-2024-26585 [tls: fix race between tx work scheduling and socket close] - linux [buster] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e31cb6310bcd37b31414b0592c9d5e214f6dd746 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e31cb6310bcd37b31414b0592c9d5e214f6dd746 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
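Review bot: None of the seven new gitlab entries carries a NOTE pointing at the upstream advisory, and none records a fixed version, so the qualifiers "(Specific to EE)" and "(Only affects 16.9)" cannot be verified from the tracker alone; adding the GitLab release or advisory URL per entry, as is done for other packages in this file, would make them checkable.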
[Git][security-tracker-team/security-tracker][master] CVE-2023-39360/cacti: wrong patch, bookworm still vulnerable
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 902dd979 by Sylvain Beucler at 2024-02-21T18:26:16+01:00 CVE-2023-39360/cacti: wrong patch, bookworm still vulnerable Follow-up to c3cae9377156c963d7b475fda3a82413188d8446 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30124,7 +30124,6 @@ CVE-2023-39361 (Cacti is an open source operational monitoring and fault managem NOTE: https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822 (release/1.2.25) CVE-2023-39360 (Cacti is an open source operational monitoring and fault management fr ...) - cacti 1.2.25+ds1-1 - [bookworm] - cacti 1.2.24+ds1-1+deb12u1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 NOTE: Initial fix: https://github.com/cacti/cacti/commit/9696bbd8060c7332b11b709f4dd17e6c3776bba2 (release/1.2.25) NOTE: Final fix: https://github.com/cacti/cacti/commit/bc6dc996745ef0dee3427178c8d87a6402f3fefa (release/1.2.25) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/902dd9790a4e442d0817be361d7eba4a62bb57e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/902dd9790a4e442d0817be361d7eba4a62bb57e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
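Review bot: Removing `[bookworm] - cacti 1.2.24+ds1-1+deb12u1` correctly reopens bookworm, but the hunk leaves no trace of why: the surrounding NOTEs name an "Initial fix" and a "Final fix" commit, so a NOTE stating that the +deb12u1 upload shipped only the initial fix (the "wrong patch" of the commit message) would prevent the same incomplete backport from being reused in the next update.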
[Git][security-tracker-team/security-tracker][master] firefox-esr DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 66bb6c34 by Moritz Mühlenhoff at 2024-02-21T18:20:29+01:00 firefox-esr DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[21 Feb 2024] DSA-5627-1 firefox-esr - security update + {CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553} + [bullseye] - firefox-esr 115.8.0esr-1~deb11u1 + [bookworm] - firefox-esr 115.8.0esr-1~deb12u1 [18 Feb 2024] DSA-5626-1 pdns-recursor - security update {CVE-2023-50387 CVE-2023-50868} [bookworm] - pdns-recursor 4.8.6-1 = data/dsa-needed.txt = @@ -25,8 +25,6 @@ dav1d -- dnsdist (jmm) -- -firefox-esr (jmm) --- frr -- gnutls28/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66bb6c34399d097f62dc5ae5947c22427915d13c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66bb6c34399d097f62dc5ae5947c22427915d13c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-2658{2..5}/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 31723422 by Salvatore Bonaccorso at 2024-02-21T17:43:14+01:00 Add CVE-2024-2658{2..5}/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,19 @@ +CVE-2024-26585 [tls: fix race between tx work scheduling and socket close] + - linux + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb (6.8-rc5) +CVE-2024-26584 [net: tls: handle backlogging of crypto requests] + - linux + NOTE: https://git.kernel.org/linus/8590541473188741055d27b955db0777569438e3 (6.8-rc5) +CVE-2024-26583 [tls: fix race between async notify and socket close] + - linux + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/aec7961916f3f9e88766e2688992da6980f11b8d (6.8-rc5) +CVE-2024-26582 [net: tls: fix use-after-free with partial reads and async decrypt] + - linux + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f (6.8-rc5) CVE-2024-26269 (Cross-site scripting (XSS) vulnerability in the Frontend JS module's p ...) NOT-FOR-US: Liferay CVE-2024-26266 (Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3172342245c93de10d67ee7bd70d710778fdd497 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3172342245c93de10d67ee7bd70d710778fdd497 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
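Review bot: CVE-2024-26584 is the only one of the four new tls entries without a `[buster] - linux (Vulnerable code not present)` line (CVE-2024-26585 and CVE-2024-26583 exclude buster; CVE-2024-26582 excludes bullseye and buster), so buster is tracked as affected for it; worth confirming that this asymmetry is deliberate rather than an omission. All four unstable entries `- linux` still await a fixed version (the fixes are in 6.8-rc5 per the NOTEs).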
[Git][security-tracker-team/security-tracker][master] CVE-2023-39359/cacti: buster actually not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cad43f5 by Sylvain Beucler at 2024-02-21T17:02:59+01:00 CVE-2023-39359/cacti: buster actually not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30116,8 +30116,10 @@ CVE-2023-39360 (Cacti is an open source operational monitoring and fault managem CVE-2023-39359 (Cacti is an open source operational monitoring and fault management fr ...) {DSA-5550-1} - cacti 1.2.25+ds1-1 + [buster] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-q4wh-3f9w-836h NOTE: https://github.com/cacti/cacti/commit/7459ff57abcd97ab8bc7a19de9e308ca62c17d38 (release/1.2.25) + NOTE: Introduced by: https://github.com/cacti/cacti/commit/518800fdb0bd25f311a530d78bab635b3c96c500 (release/1.2.7) CVE-2023-39358 (Cacti is an open source operational monitoring and fault management fr ...) - cacti 1.2.25+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cad43f56f903274333d4391652a76276f9d9382 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cad43f56f903274333d4391652a76276f9d9382 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-1114
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: e4e1232a by Bastien Roucariès at 2024-02-21T12:54:28+00:00 CVE-2022-1114 Tested against poc: convert-im6.q16: insufficient image data in file `poc @ error/dcm.c/ReadDCMImage/3313. convert-im6.q16: no images defined `/dev/null @ error/convert.c/ConvertImageCommand/3258. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -135127,7 +135127,7 @@ CVE-2022-1115 (A heap-buffer-overflow flaw was found in ImageMagick\u2019s PushS CVE-2022-1114 (A heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInf ...) - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282) [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 - [buster] - imagemagick (Minor issue) + [buster] - imagemagick (Vulnerable code not present, bail out early) [stretch] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/4947 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4e1232aa1a21f8511b8463070273070ce72fc07 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4e1232aa1a21f8511b8463070273070ce72fc07 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
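Review bot: The new buster reason "(Vulnerable code not present, bail out early)" combines two different claims: "Vulnerable code not present" means the RelinquishDCMInfo use-after-free path does not exist in that version, while "bail out early" means the code exists but the reader returns before reaching it. The PoC run quoted in the commit message ("insufficient image data in file ... ReadDCMImage/3313") supports the second reading for that one input, not the first, and a PoC that fails to trigger is not evidence that the code is absent; pick one phrasing and, if it is early bail-out, add a NOTE naming the check that makes the path unreachable.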
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f3d9a732 by Moritz Muehlenhoff at 2024-02-21T13:50:25+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,11 +5,11 @@ CVE-2024-26266 (Multiple stored cross-site scripting (XSS) vulnerabilities in Li CVE-2024-26140 (com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to v ...) NOT-FOR-US: Yet Analytics Core LRS Library CVE-2024-26136 (kedi ElectronCord is a bot management tool for Discord. Commit aaaeaf4 ...) - TODO: check + NOT-FOR-US: kedi ElectronCord CVE-2024-25905 (Cross-Site Request Forgery (CSRF) vulnerability in Mondula GmbH Multi ...) NOT-FOR-US: Mondula GmbH Multi Step Form CVE-2024-25904 (Cross-Site Request Forgery (CSRF) vulnerability in David Stockl TinyMC ...) - TODO: check + NOT-FOR-US: TinyMCE addon CVE-2024-25603 (Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Ma ...) NOT-FOR-US: Liferay CVE-2024-25602 (Stored cross-site scripting (XSS) vulnerability in Users Admin module' ...) 
@@ -47,17 +47,17 @@ CVE-2024-23758 (An issue discovered in Unisys Stealth 5.3.062.0 allows attackers CVE-2024-22235 (VMware Aria Operations contains a local privilege escalation vulnerabi ...) NOT-FOR-US: VMware CVE-2024-1631 (Impact: The library offers a function to generate an ed25519 key pair ...) - TODO: check + NOT-FOR-US: agent-js CVE-2024-1562 (The WooCommerce Google Sheet Connector plugin for WordPress is vulnera ...) NOT-FOR-US: WordPress plugin CVE-2024-1501 (The Database Reset plugin for WordPress is vulnerable to Cross-Site Re ...) NOT-FOR-US: WordPress plugin CVE-2024-1108 (The Plugin Groups plugin for WordPress is vulnerable to unauthorized m ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1081 (The 3D FlipBook \u2013 PDF Flipbook WordPress plugin for WordPress is ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-0593 (The Simple Job Board plugin for WordPress is vulnerable to unauthorize ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52442 (In the Linux kernel, the following vulnerability has been resolved: k ...) - linux 6.5.3-1 [bookworm] - linux 6.1.55-1 
@@ -79,69 +79,69 @@ CVE-2023-52440 (In the Linux kernel, the following vulnerability has been resolv CVE-2023-50923 (In QUIC in RFC 9000, the Latency Spin Bit specification (section 17.4) ...) TODO: check CVE-2023-49034 (Cross Site Scripting (XSS) vulnerability in ProjeQtOr 11.0.2 allows a ...) - TODO: check + NOT-FOR-US: ProjeQtOr CVE-2023-47422 (An access control issue in /usr/sbin/httpd in Tenda TX9 V1 V22.03.02.5 ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-46967 (Cross Site Scripting vulnerability in the sanitize function in Enhance ...) - TODO: check + NOT-FOR-US: osTicket CVE-2023-42953 (A permissions issue was addressed with additional restrictions. This i ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42952 (The issue was addressed with improved checks. This issue is fixed in i ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42951 (The issue was addressed with improved handling of caches. This issue i ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42946 (This issue was addressed with improved redaction of sensitive informat ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42945 (A permissions issue was addressed with additional restrictions. This i ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42942 (This issue was addressed with improved handling of symlinks. This issu ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42939 (A logic issue was addressed with improved checks. This issue is fixed ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42928 (The issue was addressed with improved bounds checks. This issue is fix ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42889 (The issue was addressed with improved checks. This issue is fixed in m ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42878 (A privacy issue was addressed with improved private data redaction for ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42877 (The issue was addressed with improved checks. This issue is fixed in m ...) 
- TODO: check + NOT-FOR-US: Apple CVE-2023-42873 (The issue was addressed with improved bounds checks. This issue is fix ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42860 (A permissions issue was addressed with additional restrictions. This i ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42859 (The issue was addressed with improved checks. This issue is fixed in
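Review bot: The label `NOT-FOR-US: TinyMCE addon` for CVE-2024-25904 (David Stockl TinyMC ... CSRF) is easy to confuse with the tinymce package itself, which is tracked in Debian (it appears in data/dla-needed.txt in this same batch of commits); using the "WordPress plugin" convention of the neighbouring CSRF entries, if that is what it is, or naming the plugin explicitly, avoids the ambiguity.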
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3736-1 for unbound
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a57f0d7 by Markus Koschany at 2024-02-21T13:11:48+01:00 Reserve DLA-3736-1 for unbound - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Feb 2024] DLA-3736-1 unbound - security update + {CVE-2023-50387 CVE-2023-50868} + [buster] - unbound 1.9.0-2+deb10u4 [19 Feb 2024] DLA-3735-1 runc - security update {CVE-2021-43784 CVE-2024-21626} [buster] - runc 1.0.0~rc6+dfsg1-3+deb10u3 = data/dla-needed.txt = @@ -294,9 +294,6 @@ tinymce tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- -unbound (Markus Koschany) - NOTE: 20240214: Added by Front-Desk (lamby) --- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a57f0d7fb0ec3ab98999811e2bc7d5531c895c5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a57f0d7fb0ec3ab98999811e2bc7d5531c895c5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-3428: mark buster not affected
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: fc5d8e94 by Bastien Roucariès at 2024-02-21T10:28:48+00:00 CVE-2023-3428: mark buster not affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39655,6 +39655,7 @@ CVE-2023-3436 (Xpdf 4.04 will deadlock on a PDF object stream whose "Length" fie CVE-2023-3428 (A heap-based buffer overflow vulnerability was found in coders/tiff.c ...) [experimental] - imagemagick 8:6.9.12.98+dfsg1-1 - imagemagick 8:6.9.12.98+dfsg1-2 + [buster] - imagemagick (code is introduced later) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/a531d28e31309676ce8168c3b6dbbb5374b78790 (7.1.1-13) NOTE: Prerequisite: https://github.com/ImageMagick/ImageMagick6/commit/2b4eabb9d09b278f16727c635e928bd951c58773 (6.9.12-55) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/0d00400727170b0540a355a1bc52787bc7bcdea5 (6.9.12-91) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc5d8e9465c5e6b2a263f823bf986851b6de14c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc5d8e9465c5e6b2a263f823bf986851b6de14c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
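Review bot: `+ [buster] - imagemagick (code is introduced later)` departs from the phrasing "Vulnerable code introduced later" used in the other hunks; consistent wording matters because these reason strings are grepped and compared across entries. The existing NOTEs name a "Prerequisite" commit (6.9.12-55) and two "Fixed by" commits but no introducing commit; adding an "Introduced by:" NOTE with the commit that brought the coders/tiff.c code in would let the buster claim be verified.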
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e55d5bf4 by Salvatore Bonaccorso at 2024-02-21T11:27:19+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -19,39 +19,39 @@ CVE-2024-25601 (Stored cross-site scripting (XSS) vulnerability in Expando modul CVE-2024-25428 (SQL Injection vulnerability in MRCMS v3.1.2 allows attackers to run ar ...) NOT-FOR-US: MRCMS CVE-2024-25152 (Stored cross-site scripting (XSS) vulnerability in Message Board widge ...) - TODO: check + NOT-FOR-US: Liferay CVE-2024-25151 (The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older u ...) - TODO: check + NOT-FOR-US: Liferay CVE-2024-25147 (Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in L ...) - TODO: check + NOT-FOR-US: Liferay CVE-2024-25141 (When sslwas enabled for Mongo Hook, default settings included "allow_i ...) NOT-FOR-US: Apache Airflow Mongo Provider CVE-2024-24876 (Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin M ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-24872 (Cross-Site Request Forgery (CSRF) vulnerability in Themify Themify Bui ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-24849 (Cross-Site Request Forgery (CSRF) vulnerability in Mark Stockton Quick ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-24843 (Cross-Site Request Forgery (CSRF) vulnerability in PowerPack Addons fo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-24837 (Cross-Site Request Forgery (CSRF) vulnerability in Fr\xe9d\xe9ric GILL ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-24802 (Cross-Site Request Forgery (CSRF) vulnerability in John Tendik JTRT Re ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-24798 (Cross-Site Request Forgery (CSRF) vulnerability in SoniNow Team Debug. ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-23830 (MantisBT is an open source issue tracker. Prior to version 2.26.1, an ...) - mantis CVE-2024-23758 (An issue discovered in Unisys Stealth 5.3.062.0 allows attackers to vi ...) 
- TODO: check + NOT-FOR-US: Unisys CVE-2024-22235 (VMware Aria Operations contains a local privilege escalation vulnerabi ...) - TODO: check + NOT-FOR-US: VMware CVE-2024-1631 (Impact: The library offers a function to generate an ed25519 key pair ...) TODO: check CVE-2024-1562 (The WooCommerce Google Sheet Connector plugin for WordPress is vulnera ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1501 (The Database Reset plugin for WordPress is vulnerable to Cross-Site Re ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1108 (The Plugin Groups plugin for WordPress is vulnerable to unauthorized m ...) TODO: check CVE-2024-1081 (The 3D FlipBook \u2013 PDF Flipbook WordPress plugin for WordPress is ...) 
@@ -376,81 +376,81 @@ CVE-2024-1546 (When storing and re-accessing data on a networking channel, the l NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/#CVE-2024-1546 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/#CVE-2024-1546 CVE-2024-1519 (The Paid Membership Plugin, Ecommerce, User Registration Form, Login F ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1496 (The Featured Image from URL (FIFU) plugin for WordPress is vulnerable ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1492 (The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1475 (The Coming Soon Maintenance Mode plugin for WordPress is vulnerable to ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1472 (The WP Maintenance plugin for WordPress is vulnerable to Information E ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1470 (Authorization Bypass Through User-Controlled Key vulnerability in NetI ...) - TODO: check + NOT-FOR-US: Microfocus CVE-2024-1448 (The Social Sharing Plugin \u2013 Sassy Social Share plugin for WordPre ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1447 (The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross- ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1445 (The Page scroll to id plugin for WordPress is vulnerable to Stored Cro ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1425 (The EmbedPress \u2013 Embed PDF, YouTube, Google Docs, Vimeo, Wistia V ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1411 (The
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-23830/mantis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aae5baca by Salvatore Bonaccorso at 2024-02-21T11:26:39+01:00 Add CVE-2024-23830/mantis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41,7 +41,7 @@ CVE-2024-24802 (Cross-Site Request Forgery (CSRF) vulnerability in John Tendik J CVE-2024-24798 (Cross-Site Request Forgery (CSRF) vulnerability in SoniNow Team Debug. ...) TODO: check CVE-2024-23830 (MantisBT is an open source issue tracker. Prior to version 2.26.1, an ...) - TODO: check + - mantis CVE-2024-23758 (An issue discovered in Unisys Stealth 5.3.062.0 allows attackers to vi ...) TODO: check CVE-2024-22235 (VMware Aria Operations contains a local privilege escalation vulnerabi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aae5bacaccc1991e2d74f33ccc4eba994166892d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aae5bacaccc1991e2d74f33ccc4eba994166892d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
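Review bot: the new "- mantis" entry for CVE-2024-23830 records the package as affected but carries neither a fixed version nor a NOTE with the upstream reference, even though the description states the issue is fixed from version 2.26.1; add a NOTE: pointing at the upstream advisory and, once the fixed Debian version is known, record it as "- mantis <version>" so the entry does not stay without a pointer to the fix.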
[Git][security-tracker-team/security-tracker][master] 2 commits: Update optee-os CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cbbb9667 by Dylan Aïssi at 2024-02-21T10:26:01+01:00 Update optee-os CVEs - - - - - fc6dc7b3 by Salvatore Bonaccorso at 2024-02-21T09:29:15+00:00 Merge branch wip/daissi/optee-os into master Update optee-os CVEs See merge request security-tracker-team/security-tracker!166 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28653,7 +28653,9 @@ CVE-2023-41880 (Wasmtime is a standalone runtime for WebAssembly. Wasmtime versi CVE-2023-41592 (Froala Editor v4.0.1 to v4.1.1 was discovered to contain a cross-site ...) NOT-FOR-US: Froala Editor CVE-2023-41325 (OP-TEE is a Trusted Execution Environment (TEE) designed as companion ...) - - optee-os + - optee-os (Fixed before initial upload) + NOTE: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-jrw7-63cq-7vhm + NOTE: https://github.com/OP-TEE/optee_os/commit/e2ec831cb07ed0099535c7c140cb6338aa62816a CVE-2023-41160 (A Stored Cross-Site Scripting (XSS) vulnerability in the SSH configura ...) NOT-FOR-US: Usermin CVE-2023-41159 (A Stored Cross-Site Scripting (XSS) vulnerability while editing the au ...) @@ -161068,7 +161070,8 @@ CVE-2021-44151 (An issue was discovered in Reprise RLM 14.2. As the session cook CVE-2021-44150 (The client in tusdotnet through 2.5.0 relies on SHA-1 to prevent spoof ...) NOT-FOR-US: tusdotnet CVE-2021-44149 (An issue was discovered in Trusted Firmware OP-TEE Trusted OS through ...) - - optee-os + - optee-os (Fixed before initial upload) + NOTE: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4pqr-q8rf-8464 CVE-2021-44148 (GL.iNet GL-AR150 2.x before 3.x devices, configured as repeaters, allo ...) NOT-FOR-US: GL.iNet CVE-2021-44147 (An XML External Entity issue in Claris FileMaker Pro and Server (inclu ...) 
@@ -185381,7 +185384,8 @@ CVE-2021-36135 CVE-2021-36134 (Out of bounds write vulnerability in the JPEG parsing code of Netop Vi ...) NOT-FOR-US: McAfee CVE-2021-36133 (The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access ...) - - optee-os + - optee-os + NOTE: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-6q85-3ph3-rm47 CVE-2021-36132 (An issue was discovered in the FileImporter extension in MediaWiki thr ...) NOT-FOR-US: FileImport MediaWiki extension NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/M7MVMBYMLNIVLHCWL2KKZGH36HYN4YON/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5a0ac3f3d8af8d45b1a4bb03c95a4e1ec6b286a3...fc6dc7b316c37553edbf9374e1361b40eeba549d
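Review bot: in the @@ -161068,7 hunk, CVE-2021-44149 gets the same "(Fixed before initial upload)" annotation as CVE-2023-41325 but only the advisory NOTE, without the NOTE for the fixing upstream commit that the first hunk adds for CVE-2023-41325; adding the commit reference would let the "fixed before initial upload" claim be verified against the first uploaded version.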
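Review bot: in the @@ -185381,7 hunk, CVE-2021-36133 keeps the bare "- optee-os" (still vulnerable, no fixed version) and only gains the advisory NOTE, whereas the other two optee-os entries in this patch are marked "(Fixed before initial upload)"; if the status was checked and the fix is genuinely absent from the package, a NOTE saying so (or a fixed version if one exists) would make the difference deliberate rather than an omission. The description places the issue in the CSU driver for NXP i.MX SoCs, which may also bear on whether the Debian build is affected at all.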
[Git][security-tracker-team/security-tracker] Deleted branch wip/daissi/optee-os
Dylan Aïssi deleted branch wip/daissi/optee-os at Debian Security Tracker / security-tracker
[Git][security-tracker-team/security-tracker][wip/daissi/optee-os] Update optee-os CVEs
Dylan Aïssi pushed to branch wip/daissi/optee-os at Debian Security Tracker / security-tracker Commits: cbbb9667 by Dylan Aïssi at 2024-02-21T10:26:01+01:00 Update optee-os CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28653,7 +28653,9 @@ CVE-2023-41880 (Wasmtime is a standalone runtime for WebAssembly. Wasmtime versi CVE-2023-41592 (Froala Editor v4.0.1 to v4.1.1 was discovered to contain a cross-site ...) NOT-FOR-US: Froala Editor CVE-2023-41325 (OP-TEE is a Trusted Execution Environment (TEE) designed as companion ...) - - optee-os + - optee-os (Fixed before initial upload) + NOTE: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-jrw7-63cq-7vhm + NOTE: https://github.com/OP-TEE/optee_os/commit/e2ec831cb07ed0099535c7c140cb6338aa62816a CVE-2023-41160 (A Stored Cross-Site Scripting (XSS) vulnerability in the SSH configura ...) NOT-FOR-US: Usermin CVE-2023-41159 (A Stored Cross-Site Scripting (XSS) vulnerability while editing the au ...) @@ -161068,7 +161070,8 @@ CVE-2021-44151 (An issue was discovered in Reprise RLM 14.2. As the session cook CVE-2021-44150 (The client in tusdotnet through 2.5.0 relies on SHA-1 to prevent spoof ...) NOT-FOR-US: tusdotnet CVE-2021-44149 (An issue was discovered in Trusted Firmware OP-TEE Trusted OS through ...) - - optee-os + - optee-os (Fixed before initial upload) + NOTE: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4pqr-q8rf-8464 CVE-2021-44148 (GL.iNet GL-AR150 2.x before 3.x devices, configured as repeaters, allo ...) NOT-FOR-US: GL.iNet CVE-2021-44147 (An XML External Entity issue in Claris FileMaker Pro and Server (inclu ...) 
@@ -185381,7 +185384,8 @@ CVE-2021-36135 CVE-2021-36134 (Out of bounds write vulnerability in the JPEG parsing code of Netop Vi ...) NOT-FOR-US: McAfee CVE-2021-36133 (The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access ...) - - optee-os + - optee-os + NOTE: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-6q85-3ph3-rm47 CVE-2021-36132 (An issue was discovered in the FileImporter extension in MediaWiki thr ...) NOT-FOR-US: FileImport MediaWiki extension NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/M7MVMBYMLNIVLHCWL2KKZGH36HYN4YON/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbbb966766fa6adb392f66be3060c6a0094577cd
[Git][security-tracker-team/security-tracker] Pushed new branch wip/daissi/optee-os
Dylan Aïssi pushed new branch wip/daissi/optee-os at Debian Security Tracker / security-tracker -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/tree/wip/daissi/optee-os
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5244{0,1,2}/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a0ac3f3 by Salvatore Bonaccorso at 2024-02-21T09:46:55+01:00 Add CVE-2023-5244{0,1,2}/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -59,11 +59,23 @@ CVE-2024-1081 (The 3D FlipBook \u2013 PDF Flipbook WordPress plugin for WordPres CVE-2024-0593 (The Simple Job Board plugin for WordPress is vulnerable to unauthorize ...) TODO: check CVE-2023-52442 (In the Linux kernel, the following vulnerability has been resolved: k ...) - TODO: check + - linux 6.5.3-1 + [bookworm] - linux 6.1.55-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/3df0411e132ee74a87aa13142dfd2b190275332e (6.5-rc4) CVE-2023-52441 (In the Linux kernel, the following vulnerability has been resolved: k ...) - TODO: check + - linux 6.5.3-1 + [bookworm] - linux 6.1.55-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/536bb492d39bb6c080c92f31e8a55fe9934f452b (6.5-rc4) CVE-2023-52440 (In the Linux kernel, the following vulnerability has been resolved: k ...) - TODO: check + - linux 6.5.3-1 + [bookworm] - linux 6.1.52-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/4b081ce0d830b684fdf967abc3696d1261387254 (6.6-rc1) CVE-2023-50923 (In QUIC in RFC 9000, the Latency Spin Bit specification (section 17.4) ...) TODO: check CVE-2023-49034 (Cross Site Scripting (XSS) vulnerability in ProjeQtOr 11.0.2 allows a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a0ac3f3d8af8d45b1a4bb03c95a4e1ec6b286a3
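Review bot: for CVE-2023-52440 the NOTE records the upstream fix as 4b081ce0d830 (6.6-rc1), yet the unstable fixed version is given as linux 6.5.3-1, and the bookworm version (6.1.52-1) is earlier than the 6.1.55-1 used for CVE-2023-52441 and CVE-2023-52442, whose fixes are tagged 6.5-rc4; please double-check that 6.5.3 and 6.1.52 really carry a stable backport of a commit that only reached mainline in 6.6-rc1, since otherwise the fixed versions for this entry are too early.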
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b084a6e by Salvatore Bonaccorso at 2024-02-21T09:29:10+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,23 +1,23 @@ CVE-2024-26269 (Cross-site scripting (XSS) vulnerability in the Frontend JS module's p ...) - TODO: check + NOT-FOR-US: Liferay CVE-2024-26266 (Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay ...) - TODO: check + NOT-FOR-US: Liferay CVE-2024-26140 (com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to v ...) - TODO: check + NOT-FOR-US: Yet Analytics Core LRS Library CVE-2024-26136 (kedi ElectronCord is a bot management tool for Discord. Commit aaaeaf4 ...) TODO: check CVE-2024-25905 (Cross-Site Request Forgery (CSRF) vulnerability in Mondula GmbH Multi ...) - TODO: check + NOT-FOR-US: Mondula GmbH Multi Step Form CVE-2024-25904 (Cross-Site Request Forgery (CSRF) vulnerability in David Stockl TinyMC ...) TODO: check CVE-2024-25603 (Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Ma ...) - TODO: check + NOT-FOR-US: Liferay CVE-2024-25602 (Stored cross-site scripting (XSS) vulnerability in Users Admin module' ...) - TODO: check + NOT-FOR-US: Liferay CVE-2024-25601 (Stored cross-site scripting (XSS) vulnerability in Expando module's ge ...) - TODO: check + NOT-FOR-US: Liferay CVE-2024-25428 (SQL Injection vulnerability in MRCMS v3.1.2 allows attackers to run ar ...) - TODO: check + NOT-FOR-US: MRCMS CVE-2024-25152 (Stored cross-site scripting (XSS) vulnerability in Message Board widge ...) TODO: check CVE-2024-25151 (The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older u ...) 
@@ -25,7 +25,7 @@ CVE-2024-25151 (The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and o CVE-2024-25147 (Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in L ...) TODO: check CVE-2024-25141 (When sslwas enabled for Mongo Hook, default settings included "allow_i ...) - TODO: check + NOT-FOR-US: Apache Airflow Mongo Provider CVE-2024-24876 (Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin M ...) TODO: check CVE-2024-24872 (Cross-Site Request Forgery (CSRF) vulnerability in Themify Themify Bui ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b084a6ea3b36970cfe3c470059afbdbea684864
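Review bot: the @@ -1,23 hunk converts the Liferay XSS entries to NOT-FOR-US: Liferay but leaves CVE-2024-25151, whose description names Liferay Portal 7.2.0 through 7.4.2, untouched as the hunk's trailing context (and CVE-2024-25147, also described as being "in L...", stays at TODO: check in the @@ -25,7 hunk); mark them the same way or note why they need separate checking.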
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6589665c by security tracker role at 2024-02-21T08:11:42+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,32 +1,164 @@ -CVE-2024-1676 +CVE-2024-26269 (Cross-site scripting (XSS) vulnerability in the Frontend JS module's p ...) + TODO: check +CVE-2024-26266 (Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay ...) + TODO: check +CVE-2024-26140 (com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to v ...) + TODO: check +CVE-2024-26136 (kedi ElectronCord is a bot management tool for Discord. Commit aaaeaf4 ...) + TODO: check +CVE-2024-25905 (Cross-Site Request Forgery (CSRF) vulnerability in Mondula GmbH Multi ...) + TODO: check +CVE-2024-25904 (Cross-Site Request Forgery (CSRF) vulnerability in David Stockl TinyMC ...) + TODO: check +CVE-2024-25603 (Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Ma ...) + TODO: check +CVE-2024-25602 (Stored cross-site scripting (XSS) vulnerability in Users Admin module' ...) + TODO: check +CVE-2024-25601 (Stored cross-site scripting (XSS) vulnerability in Expando module's ge ...) + TODO: check +CVE-2024-25428 (SQL Injection vulnerability in MRCMS v3.1.2 allows attackers to run ar ...) + TODO: check +CVE-2024-25152 (Stored cross-site scripting (XSS) vulnerability in Message Board widge ...) + TODO: check +CVE-2024-25151 (The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older u ...) + TODO: check +CVE-2024-25147 (Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in L ...) + TODO: check +CVE-2024-25141 (When sslwas enabled for Mongo Hook, default settings included "allow_i ...) + TODO: check +CVE-2024-24876 (Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin M ...) + TODO: check +CVE-2024-24872 (Cross-Site Request Forgery (CSRF) vulnerability in Themify Themify Bui ...) + TODO: check +CVE-2024-24849 (Cross-Site Request Forgery (CSRF) vulnerability in Mark Stockton Quick ...) + TODO: check +CVE-2024-24843 (Cross-Site Request Forgery (CSRF) vulnerability in PowerPack Addons fo ...) 
+ TODO: check +CVE-2024-24837 (Cross-Site Request Forgery (CSRF) vulnerability in Fr\xe9d\xe9ric GILL ...) + TODO: check +CVE-2024-24802 (Cross-Site Request Forgery (CSRF) vulnerability in John Tendik JTRT Re ...) + TODO: check +CVE-2024-24798 (Cross-Site Request Forgery (CSRF) vulnerability in SoniNow Team Debug. ...) + TODO: check +CVE-2024-23830 (MantisBT is an open source issue tracker. Prior to version 2.26.1, an ...) + TODO: check +CVE-2024-23758 (An issue discovered in Unisys Stealth 5.3.062.0 allows attackers to vi ...) + TODO: check +CVE-2024-22235 (VMware Aria Operations contains a local privilege escalation vulnerabi ...) + TODO: check +CVE-2024-1631 (Impact: The library offers a function to generate an ed25519 key pair ...) + TODO: check +CVE-2024-1562 (The WooCommerce Google Sheet Connector plugin for WordPress is vulnera ...) + TODO: check +CVE-2024-1501 (The Database Reset plugin for WordPress is vulnerable to Cross-Site Re ...) + TODO: check +CVE-2024-1108 (The Plugin Groups plugin for WordPress is vulnerable to unauthorized m ...) + TODO: check +CVE-2024-1081 (The 3D FlipBook \u2013 PDF Flipbook WordPress plugin for WordPress is ...) + TODO: check +CVE-2024-0593 (The Simple Job Board plugin for WordPress is vulnerable to unauthorize ...) + TODO: check +CVE-2023-52442 (In the Linux kernel, the following vulnerability has been resolved: k ...) + TODO: check +CVE-2023-52441 (In the Linux kernel, the following vulnerability has been resolved: k ...) + TODO: check +CVE-2023-52440 (In the Linux kernel, the following vulnerability has been resolved: k ...) + TODO: check +CVE-2023-50923 (In QUIC in RFC 9000, the Latency Spin Bit specification (section 17.4) ...) + TODO: check +CVE-2023-49034 (Cross Site Scripting (XSS) vulnerability in ProjeQtOr 11.0.2 allows a ...) + TODO: check +CVE-2023-47422 (An access control issue in /usr/sbin/httpd in Tenda TX9 V1 V22.03.02.5 ...) 
+ TODO: check +CVE-2023-46967 (Cross Site Scripting vulnerability in the sanitize function in Enhance ...) + TODO: check +CVE-2023-42953 (A permissions issue was addressed with additional restrictions. This i ...) + TODO: check +CVE-2023-42952 (The issue was addressed with improved checks. This issue is fixed in i ...) + TODO: check +CVE-2023-42951 (The issue was addressed with improved handling of caches. This issue i ...) + TODO: check +CVE-2023-42946 (This issue was addressed with improved redaction of