[Git][security-tracker-team/security-tracker][master] Add CVE-2024-24786/golang-google-protobuf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e305f44a by Salvatore Bonaccorso at 2024-03-07T07:27:22+01:00 Add CVE-2024-24786/golang-google-protobuf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -157,7 +157,8 @@ CVE-2024-25612 (Authenticated command injection vulnerabilities exist in the Aru CVE-2024-25611 (Authenticated command injection vulnerabilities exist in the ArubaOS c ...) NOT-FOR-US: Aruba CVE-2024-24786 (The protojson.Unmarshal function can enter an infinite loop when unmar ...) - TODO: check + - golang-google-protobuf + NOTE: https://go-review.googlesource.com/c/protobuf/+/569356 CVE-2024-24278 (An issue in Teamwire Windows desktop client v.2.0.1 through v.2.4.0 al ...) NOT-FOR-US: Teamwire Windows desktop client CVE-2024-24276 (Cross Site Scripting (XSS) vulnerability in Teamwire Windows desktop c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e305f44a60397f5d913adabe2a3ff8960ad3c7ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e305f44a60397f5d913adabe2a3ff8960ad3c7ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
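Review bot: the new `- golang-google-protobuf` line in the `@@ -157,7 +157,8 @@` hunk carries no fixed version, and its NOTE points at the open Gerrit review (`https://go-review.googlesource.com/c/protobuf/+/569356`) rather than a merged commit; other entries in this file annotate the fixing commit with the upstream release, as in `(v4.18.2)`, so the commit, its release, and `[bookworm]`/`[bullseye]` status lines should follow once the change lands and the stable releases are triaged.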
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-2236/libgcrypt20
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: de11f16a by Salvatore Bonaccorso at 2024-03-07T07:16:03+01:00 Add CVE-2024-2236/libgcrypt20 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2024-2236 [timing based side-channel in RSA implementation] + - libgcrypt20 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2268268 CVE-2024-1299 - gitlab CVE-2024-0199 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de11f16a9fca5e4825cbf21131a8fee9eb25d3f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de11f16a9fca5e4825cbf21131a8fee9eb25d3f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
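Review bot: the CVE-2024-2236 entry in the `@@ -1,3 +1,6 @@` hunk has only a bracketed placeholder description and a Red Hat bugzilla link; the `- libgcrypt20` line has no fixed version, there is no upstream commit NOTE, and no `[bookworm]`/`[bullseye]` status, so the entry remains unresolved for every release until a follow-up adds the fix reference and per-release triage.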
[Git][security-tracker-team/security-tracker][master] Track fix via experimental for CVE-2021-3420/newlib
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d09dfb5 by Salvatore Bonaccorso at 2024-03-07T07:04:44+01:00 Track fix via experimental for CVE-2021-3420/newlib - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -211243,6 +211243,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an NOTE: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw NOTE: https://github.com/golang/go/issues/44913 CVE-2021-3420 (A flaw was found in newlib in versions prior to 4.0.0. Improper overfl ...) + [experimental] - newlib 4.4.0.20231231-1 - newlib (bug #984446) [bookworm] - newlib (Minor issue) [bullseye] - newlib (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d09dfb5a0e39f4609c4168e3ee582cb9a29 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d09dfb5a0e39f4609c4168e3ee582cb9a29 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-25117/php-dompdf-svg-lib
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c50200bd by Salvatore Bonaccorso at 2024-03-07T07:03:09+01:00 Track fixed version for CVE-2024-25117/php-dompdf-svg-lib - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4131,7 +4131,7 @@ CVE-2024-25288 (SLIMS (Senayan Library Management Systems) 9 Bulian v9.6.1 is vu CVE-2024-25249 (An issue in He3 App for macOS version 2.0.17, allows remote attackers ...) NOT-FOR-US: He3 App for macOS CVE-2024-25117 (php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ...) - - php-dompdf-svg-lib (bug #1064781) + - php-dompdf-svg-lib 0.5.2-1 (bug #1064781) [bookworm] - php-dompdf-svg-lib (Minor issue) NOTE: https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273 NOTE: https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa (0.5.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c50200bd24b0282a39f458c35dfd6cf4cab0da7c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c50200bd24b0282a39f458c35dfd6cf4cab0da7c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new gitlab issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a109c83c by Moritz Muehlenhoff at 2024-03-06T23:03:00+01:00 new gitlab issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024-1299 + - gitlab +CVE-2024-0199 + - gitlab CVE-2024-2211 (Cross-Site Scripting stored vulnerability in Gophish affecting version ...) NOT-FOR-US: Gophish CVE-2024-28174 (In JetBrains TeamCity before 2023.11.4 presigned URL generation reques ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a109c83c728c5ebb83560e4467ea2418d495d65e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a109c83c728c5ebb83560e4467ea2418d495d65e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
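Review bot: CVE-2024-1299 and CVE-2024-0199 are added in the `@@ -1,3 +1,7 @@` hunk with no description, no fixed version and no NOTE; where the CVE text is not yet published this file otherwise uses a bracketed summary (compare `CVE-2024-2236 [timing based side-channel in RSA implementation]`), so add one together with the GitLab advisory link and fixed version so the entries can be triaged without a second lookup.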
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-35{09,10}/gitlab
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01711314 by Salvatore Bonaccorso at 2024-03-06T22:31:53+01:00 Track fixed version for CVE-2023-35{09,10}/gitlab - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4204,9 +4204,9 @@ CVE-2023-46241 (`discourse-microsoft-auth` is a plugin that enables authenticati CVE-2023-33843 (IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scr ...) NOT-FOR-US: IBM CVE-2024-0410 (An authorization bypass vulnerability was discovered in GitLab affecti ...) - - gitlab + - gitlab 16.8.3-1 CVE-2023-3509 (An issue has been discovered in GitLab affecting all versions before 1 ...) - - gitlab + - gitlab 16.8.3-1 CVE-2024-0861 (An issue has been discovered in GitLab EE affecting all versions start ...) - gitlab (Specific to EE) CVE-2023-4895 (An issue has been discovered in GitLab EE affecting all versions start ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0171131479babd8085948432bfe993780d4a5ee9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0171131479babd8085948432bfe993780d4a5ee9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
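Review bot: the commit message names CVE-2023-35{09,10}, but the `@@ -4204,9 +4204,9 @@` hunk sets `gitlab 16.8.3-1` on CVE-2024-0410 and CVE-2023-3509 and does not touch CVE-2023-3510; either the message should read CVE-2024-0410/CVE-2023-3509, or the CVE-2023-3510 entry still needs its fixed version.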
[Git][security-tracker-team/security-tracker][master] dla: take ruby-rack
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab07e09e by Adrian Bunk at 2024-03-06T23:22:21+02:00 dla: take ruby-rack - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -277,7 +277,7 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby-rack +ruby-rack (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- runc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab07e09ea26b4cc21bcace49182c17724a424733 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab07e09ea26b4cc21bcace49182c17724a424733 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2023-50716/fastdds
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 97e83bce by Salvatore Bonaccorso at 2024-03-06T22:01:14+01:00 Add CVE-2023-50716/fastdds - - - - - 6827ee5f by Salvatore Bonaccorso at 2024-03-06T22:01:16+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -61,29 +61,30 @@ CVE-2024-20301 (A vulnerability in Cisco Duo Authentication for Windows Logon an CVE-2024-20292 (A vulnerability in the logging component of Cisco Duo Authentication f ...) NOT-FOR-US: Cisco CVE-2024-1224 (This vulnerability exists in USB Pratirodh due to the usage of a weake ...) - TODO: check + NOT-FOR-US: USB Pratirodh CVE-2024-1142 (Path Traversal in Sonatype IQ Server from version 143 allows remote au ...) - TODO: check + NOT-FOR-US: Sonatype CVE-2023-50716 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the ...) - TODO: check + - fastdds + NOTE: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-5m2f-hvj2-cx2h CVE-2023-50167 (Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with ed ...) - TODO: check + NOT-FOR-US: Pega Platform CVE-2023-49985 (A cross-site scripting (XSS) vulnerability in the component /managemen ...) - TODO: check + NOT-FOR-US: School Fees Management System CVE-2023-49984 (A cross-site scripting (XSS) vulnerability in the component /managemen ...) - TODO: check + NOT-FOR-US: School Fees Management System CVE-2023-49983 (A cross-site scripting (XSS) vulnerability in the component /managemen ...) - TODO: check + NOT-FOR-US: School Fees Management System CVE-2023-49982 (Broken access control in the component /admin/management/users of Scho ...) - TODO: check + NOT-FOR-US: School Fees Management System CVE-2023-49981 (A directory listing vulnerability in School Fees Management System v1. ...) - TODO: check + NOT-FOR-US: School Fees Management System CVE-2023-49980 (A directory listing vulnerability in Best Student Result Management Sy ...) - TODO: check + NOT-FOR-US: Best Student Result Management System CVE-2023-49979 (A directory listing vulnerability in Customer Support System v1 allows ...) - TODO: check + NOT-FOR-US: Customer Support System CVE-2023-49978 (Incorrect access control in Customer Support System v1 allows non-admi ...) 
- TODO: check + NOT-FOR-US: Customer Support System CVE-2023-48703 (RobotsAndPencils go-saml, a SAML client library written in Go, contain ...) TODO: check CVE-2023-38825 (SQL injection vulnerability in Vanderbilt REDCap before v.13.8.0 allow ...) @@ -245506,7 +245507,7 @@ CVE-2020-26944 (An issue was discovered in Aptean Product Configurator 4.61. CVE-2020-26943 (An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2. ...) NOT-FOR-US: blazar-dashboard CVE-2020-26942 (An issue discovered in Axigen Mail Server 10.3.x before 10.3.1.27 and ...) - TODO: check + NOT-FOR-US: Axigen Mail Server CVE-2020-26941 (A local (authenticated) low-privileged user can exploit a behavior in ...) NOT-FOR-US: IBM CVE-2020-26940 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab218ce143bc3a837758a3e2d36a3ce62ca26c46...6827ee5f3654397fc83326d3050fb2ee1991bf33 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab218ce143bc3a837758a3e2d36a3ce62ca26c46...6827ee5f3654397fc83326d3050fb2ee1991bf33 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
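Review bot: in the `@@ -61,29 +61,30 @@` hunk the new `- fastdds` line has no fixed version and its NOTE cites only the GHSA advisory, not the fixing commit or release, so the entry cannot yet be closed for any suite; in the same hunk CVE-2023-48703 (go-saml) is left at `TODO: check` between processed entries, which is worth confirming was deliberate rather than skipped.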
[Git][security-tracker-team/security-tracker][master] dla: take fontforge
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab218ce1 by Adrian Bunk at 2024-03-06T22:58:43+02:00 dla: take fontforge - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -105,7 +105,7 @@ exiftags expat NOTE: 20240306: Added by Front-Desk (opal) -- -fontforge +fontforge (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- freeimage View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab218ce143bc3a837758a3e2d36a3ce62ca26c46 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab218ce143bc3a837758a3e2d36a3ce62ca26c46 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Treat CVE-2024-2002 as minor issue for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 256a9424 by Ola Lundqvist at 2024-03-06T21:56:38+01:00 Treat CVE-2024-2002 as minor issue for buster. - - - - - 9cc8914a by Ola Lundqvist at 2024-03-06T21:56:38+01:00 Added expat to dla-needed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -589,6 +589,7 @@ CVE-2023-41827 (An improper export vulnerability was reported in the Motorola OT NOT-FOR-US: Motorola CVE-2024-2002 - dwarfutils (bug #1065511) + [buster] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW202402-002 NOTE: Fixed by: https://github.com/davea42/libdwarf-code/commit/404e6b1b14f60c81388d50b4239f81d461b3c3ad CVE-2024-27351 [Potential regular expression denial-of-service in django.utils.text.Truncator.words()] = data/dla-needed.txt = @@ -102,6 +102,9 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- +expat + NOTE: 20240306: Added by Front-Desk (opal) +-- fontforge NOTE: 20240306: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4a40a82117256760ce6a04c471294c059cefc53c...9cc8914a108290641956fbf617d852579223c6df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4a40a82117256760ce6a04c471294c059cefc53c...9cc8914a108290641956fbf617d852579223c6df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
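Review bot: the `@@ -589,6 +589,7 @@` hunk adds `[buster] - dwarfutils (Minor issue)` while the unstable line stays `- dwarfutils (bug #1065511)` with no fixed version, and the "Fixed by" NOTE names the upstream commit without the release it shipped in; recording the upstream version on that NOTE would make the minor-issue call for buster easier to re-verify later.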
[Git][security-tracker-team/security-tracker][master] 3 commits: Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fc56f07 by Salvatore Bonaccorso at 2024-03-06T21:53:50+01:00 Process some NFUs - - - - - 15b87118 by Salvatore Bonaccorso at 2024-03-06T21:53:52+01:00 Add CVE-2024-27289/golang-github-jackc-pgx - - - - - 4a40a821 by Salvatore Bonaccorso at 2024-03-06T21:53:54+01:00 Add CVE-2024-24761/galette - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2024-2211 (Cross-Site Scripting stored vulnerability in Gophish affecting version ...) - TODO: check + NOT-FOR-US: Gophish CVE-2024-28174 (In JetBrains TeamCity before 2023.11.4 presigned URL generation reques ...) NOT-FOR-US: JetBrains TeamCity CVE-2024-28173 (In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build param ...) 
@@ -23,41 +23,43 @@ CVE-2024-27303 (electron-builder is a solution to package and build a ready for CVE-2024-27302 (go-zero is a web and rpc framework. Go-zero allows user to specify a C ...) TODO: check CVE-2024-27289 (pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2 ...) - TODO: check + - golang-github-jackc-pgx + NOTE: https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p + NOTE: https://github.com/jackc/pgx/commit/826a89229b8b1cdf18e4190afa437d3df9901b9c (v4.18.2) CVE-2024-27288 (1Panel is an open source Linux server operation and maintenance manage ...) NOT-FOR-US: 1Panel CVE-2024-27287 (ESPHome is a system to control your ESP8266/ESP32 for Home Automation ...) NOT-FOR-US: ESPHome CVE-2024-25359 (An issue in zuoxingdong lagom v.0.1.2 allows a local attacker to execu ...) - TODO: check + NOT-FOR-US: zuoxingdong lagom CVE-2024-25103 (This vulnerability exists in AppSamvid software due to the usage of vu ...) - TODO: check + NOT-FOR-US: AppSamvid software CVE-2024-25102 (This vulnerability exists in AppSamvid software due to the usage of a ...) - TODO: check + NOT-FOR-US: AppSamvid software CVE-2024-24767 (CasaOS-UserService provides user management functionalities to CasaOS. ...) - TODO: check + NOT-FOR-US: CasaOS CVE-2024-24766 (CasaOS-UserService provides user management functionalities to CasaOS. ...) - TODO: check + NOT-FOR-US: CasaOS CVE-2024-24765 (CasaOS-UserService provides user management functionalities to CasaOS. ...) - TODO: check + NOT-FOR-US: CasaOS CVE-2024-24761 (Galette is a membership management web application for non profit orga ...) - TODO: check + - galette CVE-2024-20346 (A vulnerability in the web-based management interface of Cisco AppDyna ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20345 (A vulnerability in the file upload functionality of Cisco AppDynamics ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20338 (A vulnerability in the ISE Posture (System Scan) module of Cisco Secur ...) 
- TODO: check + NOT-FOR-US: Cisco CVE-2024-20337 (A vulnerability in the SAML authentication process of Cisco Secure Cli ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20336 (A vulnerability in the web-based user interface of Cisco Small Busines ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20335 (A vulnerability in the web-based management interface of Cisco Small B ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20301 (A vulnerability in Cisco Duo Authentication for Windows Logon and RDP ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20292 (A vulnerability in the logging component of Cisco Duo Authentication f ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-1224 (This vulnerability exists in USB Pratirodh due to the usage of a weake ...) TODO: check CVE-2024-1142 (Path Traversal in Sonatype IQ Server from version 143 allows remote au ...) @@ -4152,7 +4154,7 @@ CVE-2024-0 (An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 CVE-2024-20325 (A vulnerability in the Live Data server of Cisco Unified Intelligence ...) NOT-FOR-US: Cisco CVE-2024-1714 (An issue exists in all supported versions of IdentityIQ Lifecycle Mana ...) - TODO: check + NOT-FOR-US: IdentityIQ Lifecycle Manager CVE-2024-1709 (ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authenti ...) NOT-FOR-US: ConnectWise ScreenConnect CVE-2024-1708 (ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traver ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/73dedb18d9cf68d1327125f6c252a37a4cb0d846...4a40a82117256760ce6a04c471294c059cefc53c -- View it on GitLab:
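Review bot: in the `@@ -23,41 +23,43 @@` hunk CVE-2024-24761 is reduced to a bare `- galette` with no fixed version and no NOTE, whereas CVE-2024-27289 in the same hunk gets the GHSA advisory plus the fixing commit annotated `(v4.18.2)`; add the Galette advisory or commit reference so the entry is actionable for the maintainer and for stable triage.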
[Git][security-tracker-team/security-tracker][master] 2 commits: Treat CVE-2024-27351 as a minor issue for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b498faf by Ola Lundqvist at 2024-03-06T21:51:53+01:00 Treat CVE-2024-27351 as a minor issue for buster. - - - - - 73dedb18 by Ola Lundqvist at 2024-03-06T21:51:53+01:00 Added ruby-rack to dla-needed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -591,6 +591,7 @@ CVE-2024-2002 NOTE: Fixed by: https://github.com/davea42/libdwarf-code/commit/404e6b1b14f60c81388d50b4239f81d461b3c3ad CVE-2024-27351 [Potential regular expression denial-of-service in django.utils.text.Truncator.words()] - python-django 3:4.2.11-1 + [buster] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2024/mar/04/security-releases/ NOTE: https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e (5.0.3) NOTE: https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a (4.2.11) = data/dla-needed.txt = @@ -274,6 +274,9 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- +ruby-rack + NOTE: 20240306: Added by Front-Desk (opal) +-- runc NOTE: 20240204: Added by Front-Desk (ta) NOTE: 20240219: Complete fix for CVE-2024-21626 would require backport of View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/426c289a0216367ef5eccf220234906db282329d...73dedb18d9cf68d1327125f6c252a37a4cb0d846 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/426c289a0216367ef5eccf220234906db282329d...73dedb18d9cf68d1327125f6c252a37a4cb0d846 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-27304/golang-github-jackc-pgx
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 426c289a by Salvatore Bonaccorso at 2024-03-06T21:45:22+01:00 Add CVE-2024-27304/golang-github-jackc-pgx - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,11 @@ CVE-2024-27915 (Sulu is a PHP content management system. Starting in verson 2.2. CVE-2024-27307 (JSONata is a JSON query and transformation language. Starting in versi ...) TODO: check CVE-2024-27304 (pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur ...) - TODO: check + - golang-github-jackc-pgx + NOTE: https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv + NOTE: https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4 (v5.5.4) + NOTE: https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8 (v5.5.4) + NOTE: https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df (v4.18.2) CVE-2024-27303 (electron-builder is a solution to package and build a ready for distri ...) TODO: check CVE-2024-27302 (go-zero is a web and rpc framework. Go-zero allows user to specify a C ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/426c289a0216367ef5eccf220234906db282329d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/426c289a0216367ef5eccf220234906db282329d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Marked three CVEs for suricata as minor issues for buster following bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: caf78ea3 by Ola Lundqvist at 2024-03-06T21:37:13+01:00 Marked three CVEs for suricata as minor issues for buster following bullseye. - - - - - 233c5ee0 by Ola Lundqvist at 2024-03-06T21:37:14+01:00 Marked CVE-2024-23837 as minor issue for buster. Suricata is the only tool in reverse depends for buster and suricata has many similar vulnerabilities as this. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3302,6 +3302,7 @@ CVE-2024-23839 (Suricata is a network Intrusion Detection System, Intrusion Prev NOTE: https://redmine.openinfosecfoundation.org/issues/6657 CVE-2024-23837 (LibHTP is a security-aware parser for the HTTP protocol. Crafted traff ...) - libhtp 1:0.5.46-1 + [buster] - libhtp (Minor issue) NOTE: https://github.com/OISF/libhtp/security/advisories/GHSA-f9wf-rrjj-qx8m NOTE: https://github.com/OISF/libhtp/commit/20ac301d801cdf01b3f021cca08a22a87f477c4a (0.5.46) NOTE: https://redmine.openinfosecfoundation.org/issues/6444 @@ -3309,6 +3310,7 @@ CVE-2024-23836 (Suricata is a network Intrusion Detection System, Intrusion Prev - suricata 1:7.0.3-1 [bookworm] - suricata (Minor issue) [bullseye] - suricata (Minor issue) + [buster] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-q33q-45cr-3cpc NOTE: https://github.com/OISF/suricata/commit/18841a58da71e735ddf4e52cbfa6989755ecbeb7 (suricata-6.0.16) NOTE: https://github.com/OISF/suricata/commit/8efaebe293e2a74c8e323fa85a6f5fadf82801bc (suricata-6.0.16) 
@@ -45073,11 +45075,13 @@ CVE-2023-35853 (In Suricata before 6.0.13, an adversary who controls an external - suricata 1:6.0.13-1 [bookworm] - suricata (Minor issue) [bullseye] - suricata (Minor issue) + [buster] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/commit/b95bbcc66db526ffcc880eb439dbe8abc87a81da CVE-2023-35852 (In Suricata before 6.0.13 (when there is an adversary who controls an ...) - suricata 1:6.0.13-1 [bookworm] - suricata (Minor issue) [bullseye] - suricata (Minor issue) + [buster] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335 NOTE: https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17 CVE-2023-35849 (VirtualSquare picoTCP (aka PicoTCP-NG) through 2.1 does not properly c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ffebe25b9dbe3c1bf27f28f7f35625ef3d8b555d...233c5ee019074dbce8d30b0dae81e0f61310e461 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ffebe25b9dbe3c1bf27f28f7f35625ef3d8b555d...233c5ee019074dbce8d30b0dae81e0f61310e461 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
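Review bot: in the `@@ -3302,6 +3302,7 @@` hunk CVE-2024-23837 gains `[buster] - libhtp (Minor issue)` but, unlike the suricata entries in the same commit, the libhtp entry shows no `[bookworm]` or `[bullseye]` line between `- libhtp 1:0.5.46-1` and the NOTEs; confirm whether the same minor-issue classification applies to those releases or whether they are intentionally left open.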
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ffebe25b by Salvatore Bonaccorso at 2024-03-06T21:36:43+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,15 +1,15 @@ CVE-2024-2211 (Cross-Site Scripting stored vulnerability in Gophish affecting version ...) TODO: check CVE-2024-28174 (In JetBrains TeamCity before 2023.11.4 presigned URL generation reques ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2024-28173 (In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build param ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2024-27917 (Shopware is an open commerce platform based on Symfony Framework and V ...) - TODO: check + NOT-FOR-US: Shopware CVE-2024-27916 (Minder is a software supply chain security platform. Prior to version ...) - TODO: check + NOT-FOR-US: Minder CVE-2024-27915 (Sulu is a PHP content management system. Starting in verson 2.2.0 and ...) - TODO: check + NOT-FOR-US: Sulu CVE-2024-27307 (JSONata is a JSON query and transformation language. Starting in versi ...) TODO: check CVE-2024-27304 (pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur ...) 
@@ -21,9 +21,9 @@ CVE-2024-27302 (go-zero is a web and rpc framework. Go-zero allows user to speci CVE-2024-27289 (pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2 ...) TODO: check CVE-2024-27288 (1Panel is an open source Linux server operation and maintenance manage ...) - TODO: check + NOT-FOR-US: 1Panel CVE-2024-27287 (ESPHome is a system to control your ESP8266/ESP32 for Home Automation ...) - TODO: check + NOT-FOR-US: ESPHome CVE-2024-25359 (An issue in zuoxingdong lagom v.0.1.2 allows a local attacker to execu ...) TODO: check CVE-2024-25103 (This vulnerability exists in AppSamvid software due to the usage of vu ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffebe25b9dbe3c1bf27f28f7f35625ef3d8b555d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffebe25b9dbe3c1bf27f28f7f35625ef3d8b555d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-28084/iwd does not affect buster
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abcaca2e by Adrian Bunk at 2024-03-06T22:35:37+02:00 CVE-2024-28084/iwd does not affect buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -826,8 +826,10 @@ CVE-2024-28088 (LangChain through 0.1.10 allows ../ directory traversal by an ac NOT-FOR-US: LanChain-ai Langchain CVE-2024-28084 (p2putil.c in iNet wireless daemon (IWD) through 2.15 allows attackers ...) - iwd 2.16-1 (bug #1065443) + [buster] - iwd (Vulnerable code not present) NOTE: https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=52a47c9fd428904de611a90cbf8b223af879684d (2.16) NOTE: https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=d34b4e16e045142590ed7cb653e01ed0ae5362eb (2.16) + NOTE: first version of p2putil in 0.19, P2P is supported since 1.8 CVE-2024-21826 (in OpenHarmony v3.2.4 and prior versions allow a local attacker cause ...) NOT-FOR-US: OpenHarmony CVE-2024-21816 (in OpenHarmony v4.0.0 and prior versions allow a local attacker cause ...) = data/dla-needed.txt = 
@@ -133,9 +133,6 @@ imagemagick NOTE: 20231014: Some work under git branch debian/buster but unease NOTE: 20240227: Made a partial release -- -iwd (Adrian Bunk) - NOTE: 20240306: Added by Front-Desk (opal) --- jenkins-htmlunit-core-js NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abcaca2e26273641969616cfcb4badfdd8ec3eb3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abcaca2e26273641969616cfcb4badfdd8ec3eb3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Treat CVE-2024-25269 as a minor issue for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: c1ad0d65 by Ola Lundqvist at 2024-03-06T21:29:21+01:00 Treat CVE-2024-25269 as a minor issue for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -490,6 +490,7 @@ CVE-2024-25731 (The Elink Smart eSmartCam (com.cn.dq.ipc) application 2.1.5 for NOT-FOR-US: Elink Smart eSmartCam (com.cn.dq.ipc) application CVE-2024-25269 (libheif <= 1.17.6 contains a memory leak in the function JpegEncoder:: ...) - libheif + [buster] - libheif (Minor issue) NOTE: https://github.com/strukturag/libheif/issues/1073 NOTE: https://github.com/strukturag/libheif/pull/1074 NOTE: https://github.com/strukturag/libheif/commit/877de6b398198bca387df791b9232922c5721c80 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1ad0d65002bd8cee03507975bb81dd49df28c97 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1ad0d65002bd8cee03507975bb81dd49df28c97 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
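Review bot: the added `[buster] - libheif (Minor issue)` carries no rationale, unlike other buster tags on this page such as `[buster] - libidn2 (Minor issue; intrusive to backport)`; since the visible description is a memory leak in JpegEncoder, a short reason in the tag (for example `Minor issue; memory leak only`) records why the issue was postponed and makes the decision reviewable later. The three upstream NOTE links (issue 1073, PR 1074, commit 877de6b3) are already in the context lines, so nothing further is needed there.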
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e8cb44e by security tracker role at 2024-03-06T20:28:05+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,38 +1,122 @@ -CVE-2024-28160 +CVE-2024-2211 (Cross-Site Scripting stored vulnerability in Gophish affecting version ...) + TODO: check +CVE-2024-28174 (In JetBrains TeamCity before 2023.11.4 presigned URL generation reques ...) + TODO: check +CVE-2024-28173 (In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build param ...) + TODO: check +CVE-2024-27917 (Shopware is an open commerce platform based on Symfony Framework and V ...) + TODO: check +CVE-2024-27916 (Minder is a software supply chain security platform. Prior to version ...) + TODO: check +CVE-2024-27915 (Sulu is a PHP content management system. Starting in verson 2.2.0 and ...) + TODO: check +CVE-2024-27307 (JSONata is a JSON query and transformation language. Starting in versi ...) + TODO: check +CVE-2024-27304 (pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur ...) + TODO: check +CVE-2024-27303 (electron-builder is a solution to package and build a ready for distri ...) + TODO: check +CVE-2024-27302 (go-zero is a web and rpc framework. Go-zero allows user to specify a C ...) + TODO: check +CVE-2024-27289 (pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2 ...) + TODO: check +CVE-2024-27288 (1Panel is an open source Linux server operation and maintenance manage ...) + TODO: check +CVE-2024-27287 (ESPHome is a system to control your ESP8266/ESP32 for Home Automation ...) + TODO: check +CVE-2024-25359 (An issue in zuoxingdong lagom v.0.1.2 allows a local attacker to execu ...) + TODO: check +CVE-2024-25103 (This vulnerability exists in AppSamvid software due to the usage of vu ...) + TODO: check +CVE-2024-25102 (This vulnerability exists in AppSamvid software due to the usage of a ...) + TODO: check +CVE-2024-24767 (CasaOS-UserService provides user management functionalities to CasaOS. ...) + TODO: check +CVE-2024-24766 (CasaOS-UserService provides user management functionalities to CasaOS. ...) 
+ TODO: check +CVE-2024-24765 (CasaOS-UserService provides user management functionalities to CasaOS. ...) + TODO: check +CVE-2024-24761 (Galette is a membership management web application for non profit orga ...) + TODO: check +CVE-2024-20346 (A vulnerability in the web-based management interface of Cisco AppDyna ...) + TODO: check +CVE-2024-20345 (A vulnerability in the file upload functionality of Cisco AppDynamics ...) + TODO: check +CVE-2024-20338 (A vulnerability in the ISE Posture (System Scan) module of Cisco Secur ...) + TODO: check +CVE-2024-20337 (A vulnerability in the SAML authentication process of Cisco Secure Cli ...) + TODO: check +CVE-2024-20336 (A vulnerability in the web-based user interface of Cisco Small Busines ...) + TODO: check +CVE-2024-20335 (A vulnerability in the web-based management interface of Cisco Small B ...) + TODO: check +CVE-2024-20301 (A vulnerability in Cisco Duo Authentication for Windows Logon and RDP ...) + TODO: check +CVE-2024-20292 (A vulnerability in the logging component of Cisco Duo Authentication f ...) + TODO: check +CVE-2024-1224 (This vulnerability exists in USB Pratirodh due to the usage of a weake ...) + TODO: check +CVE-2024-1142 (Path Traversal in Sonatype IQ Server from version 143 allows remote au ...) + TODO: check +CVE-2023-50716 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the ...) + TODO: check +CVE-2023-50167 (Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with ed ...) + TODO: check +CVE-2023-49985 (A cross-site scripting (XSS) vulnerability in the component /managemen ...) + TODO: check +CVE-2023-49984 (A cross-site scripting (XSS) vulnerability in the component /managemen ...) + TODO: check +CVE-2023-49983 (A cross-site scripting (XSS) vulnerability in the component /managemen ...) + TODO: check +CVE-2023-49982 (Broken access control in the component /admin/management/users of Scho ...) 
+ TODO: check +CVE-2023-49981 (A directory listing vulnerability in School Fees Management System v1. ...) + TODO: check +CVE-2023-49980 (A directory listing vulnerability in Best Student Result Management Sy ...) + TODO: check +CVE-2023-49979 (A directory listing vulnerability in Customer Support System v1 allows ...) + TODO: check +CVE-2023-49978 (Incorrect access control in Customer Support System v1 allows non-admi ...) + TODO: check +CVE-2023-48703 (RobotsAndPencils go-saml, a SAML client library written
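Review bot: the hunk removes the bare `-CVE-2024-28160` header but shows no removal of its `NOT-FOR-US: Jenkins plugin` line (added in commit 46faf2a3 further down this page), and the visible part of the patch is cut off at `+CVE-2023-48703 (RobotsAndPencils go-saml, a SAML client library written`, so it cannot be seen where the header is re-added with its description; confirm in the full diff that the re-added CVE-2024-28160 entry still has its NOT-FOR-US line rather than a fresh `TODO: check`, otherwise the manual triage from 46faf2a3 is lost.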
[Git][security-tracker-team/security-tracker][master] Treat CVE-2023-5685 as minor issue in buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: d6e6b82e by Ola Lundqvist at 2024-03-06T21:24:02+01:00 Treat CVE-2023-5685 as minor issue in buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -253,6 +253,7 @@ CVE-2024-1979 NOT-FOR-US: Quarkus CVE-2023-5685 [StackOverflowException when the chain of notifier states becomes problematically big] - jboss-xnio + [buster] - jboss-xnio (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241822 CVE-2023-45290 (When parsing a multipart form (either explicitly with Request.ParseMul ...) - golang-1.22 1.22.1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6e6b82e869c644af6eded49c5fc4f0a8c37d4a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6e6b82e869c644af6eded49c5fc4f0a8c37d4a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
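Review bot: `[buster] - jboss-xnio (Minor issue)` is added to an entry whose only reference is `NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241822`; no upstream fix commit or fixed version is recorded, so whoever later revisits the postponed issue has nothing to backport from. Adding the upstream fix reference as a NOTE once it is known would make the entry actionable, and a word on why a StackOverflowException counts as minor here would support the tag.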
[Git][security-tracker-team/security-tracker][master] dla: take iwd
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab8b52fc by Adrian Bunk at 2024-03-06T22:21:11+02:00 dla: take iwd - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -133,7 +133,7 @@ imagemagick NOTE: 20231014: Some work under git branch debian/buster but unease NOTE: 20240227: Made a partial release -- -iwd +iwd (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- jenkins-htmlunit-core-js View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab8b52fc7b9199be95ef129b1ad676a5c49c4d91 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab8b52fc7b9199be95ef129b1ad676a5c49c4d91 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Added thunderbird to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e85cf6c by Ola Lundqvist at 2024-03-06T21:19:02+01:00 Added thunderbird to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -310,6 +310,9 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird + NOTE: 20240306: Added by Front-Desk (opal) +-- tiff (Abhijith PA) NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e85cf6c5ff025b3ed2ad28ba86be66a1b017211 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e85cf6c5ff025b3ed2ad28ba86be66a1b017211 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
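Review bot: the new `thunderbird` entry carries only `NOTE: 20240306: Added by Front-Desk (opal)` and does not say which CVEs prompted the addition; other entries in this file name the CVE under review (see the tiff context line `NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby)`), and doing the same here would save whoever claims the package a tracker lookup.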
[Git][security-tracker-team/security-tracker][master] Added wordpress to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 8446e86f by Ola Lundqvist at 2024-03-06T21:17:01+01:00 Added wordpress to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -332,6 +332,9 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- +wordpress + NOTE: 20240306: Added by Front-Desk (opal) +-- zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8446e86f67fd396b3f5b806c15c27250230e0c92 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8446e86f67fd396b3f5b806c15c27250230e0c92 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3753-1 for yard
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 72dabf92 by Adrian Bunk at 2024-03-06T22:11:22+02:00 Reserve DLA-3753-1 for yard - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -329064,7 +329064,6 @@ CVE-2019-1020002 (Pterodactyl before 0.7.14 with 2FA allows credential sniffing. NOT-FOR-US: Pterodactyl CVE-2019-1020001 (yard before 0.9.20 allows path traversal.) - yard 0.9.20-1 (low; bug #945369) - [buster] - yard (Minor issue) [stretch] - yard (Minor issue) [jessie] - yard (Bug was introduced in 0.9.6) NOTE: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Mar 2024] DLA-3753-1 yard - security update + {CVE-2019-1020001 CVE-2024-27285} + [buster] - yard 0.9.16-1+deb10u1 [05 Mar 2024] DLA-3752-1 libuv1 - security update {CVE-2024-24806} [buster] - libuv1 1.24.1-1+deb10u2 = data/dla-needed.txt = @@ -332,9 +332,6 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -yard (Adrian Bunk) - NOTE: 20240303: Added by Front-Desk (apo) --- zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72dabf922fd5d03bcbaa624bca60975d06b61ac2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72dabf922fd5d03bcbaa624bca60975d06b61ac2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
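Review bot: the data/DLA/list hunk records DLA-3753-1 as fixing `{CVE-2019-1020001 CVE-2024-27285}` in `yard 0.9.16-1+deb10u1`, but the data/CVE/list hunk only drops the `[buster] - yard (Minor issue)` tag from CVE-2019-1020001; if CVE-2024-27285 also carries a buster tag it needs the same removal, otherwise the tracker will not show it as fixed by this DLA. Note that the bullseye DSA-5635-1 visible in the chromium commit's context covers CVE-2024-27285 alone, so the two-CVE scope here is wider than the DSA. Dropping `yard (Adrian Bunk)` from dla-needed.txt is consistent with the reservation.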
[Git][security-tracker-team/security-tracker][master] 2 commits: Added iwd to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: d22028c4 by Ola Lundqvist at 2024-03-06T21:03:48+01:00 Added iwd to dla-needed. - - - - - ccb877a4 by Ola Lundqvist at 2024-03-06T21:09:22+01:00 Added pdns-recursor to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -133,6 +133,9 @@ imagemagick NOTE: 20231014: Some work under git branch debian/buster but unease NOTE: 20240227: Made a partial release -- +iwd + NOTE: 20240306: Added by Front-Desk (opal) +-- jenkins-htmlunit-core-js NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance @@ -228,6 +231,9 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. -- +pdns-recursor + NOTE: 20240306: Added by Front-Desk (opal) +-- postgresql-11 NOTE: 20240306: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e44b0e5eac812ef5938a46fb981d9e9ba6a04090...ccb877a4ba87c3d0b6ccdea15b7d61409a3fa66a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e44b0e5eac812ef5938a46fb981d9e9ba6a04090...ccb877a4ba87c3d0b6ccdea15b7d61409a3fa66a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Added shim to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: e44b0e5e by Ola Lundqvist at 2024-03-06T21:00:57+01:00 Added shim to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -286,6 +286,9 @@ sendmail NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches NOTE: 20240217: Patch extracted and being reviewed (rouca) -- +shim + NOTE: 20240306: Added by Front-Desk (opal) +-- squid NOTE: 20240109: Added by Front-Desk (apo) NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e44b0e5eac812ef5938a46fb981d9e9ba6a04090 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e44b0e5eac812ef5938a46fb981d9e9ba6a04090 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Sync status for CVE-2024-26621 with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d173b23a by Salvatore Bonaccorso at 2024-03-06T20:50:19+01:00 Sync status for CVE-2024-26621 with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -854,7 +854,6 @@ CVE-2024-0795 (If an attacked was given access to an instance with the admin or NOT-FOR-US: AnythingLLM CVE-2024-26621 (In the Linux kernel, the following vulnerability has been resolved: m ...) - linux 6.7.7-1 (bug #1024149) - [bookworm] - linux (Vulnerable code not present) [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/4ef9ad19e17676b9ef071309bc62020e2373705d (6.8-rc3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d173b23aa58a3462780d24da005ca3a87c6f58d8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d173b23aa58a3462780d24da005ca3a87c6f58d8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
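Review bot: removing `[bookworm] - linux (Vulnerable code not present)` leaves bookworm without a tag, so the tracker will now treat bookworm as affected and waiting for a fix, yet the only NOTE on the entry is the 6.8-rc3 fix commit `4ef9ad19e17676b9ef071309bc62020e2373705d`; the hunk records nothing about why the vulnerable code is now considered present in bookworm's kernel (the commit that introduced it, or a backport). A NOTE naming that would keep the kernel-sec reasoning visible in this file instead of only in the other repository.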
[Git][security-tracker-team/security-tracker][master] CVE-2024-27507 concluded as a minor issue for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 560f20fe by Ola Lundqvist at 2024-03-06T20:48:52+01:00 CVE-2024-27507 concluded as a minor issue for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2749,6 +2749,7 @@ CVE-2024-27508 (Atheme 7.2.12 contains a memory leak vulnerability in /atheme/sr NOTE: Also not a real issue: https://github.com/atheme/atheme/issues/921 CVE-2024-27507 (libLAS 1.8.1 contains a memory leak vulnerability in /libLAS/apps/ts2l ...) - liblas + [buster] - liblas (Minor issue) CVE-2024-27099 (The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Ser ...) - azure-uamqp-python (bug #1064996) NOTE: https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-6rh4-fj44-v4jj View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/560f20fe4374ce70e7a149cf6482e73be19d57ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/560f20fe4374ce70e7a149cf6482e73be19d57ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
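Review bot: `[buster] - liblas (Minor issue)` is added to an entry that has no NOTE at all, while the neighbouring CVE-2024-27508 entry records its reasoning (`NOTE: Also not a real issue: https://github.com/atheme/atheme/issues/921`); the liblas memory leak should get at least a link to the upstream report or fix, and the tag a short reason, so the postponement can be re-evaluated when a DLA for liblas is considered.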
[Git][security-tracker-team/security-tracker][master] Marked CVEs for golang-1.11 as postponed with limited support.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: ba3d969f by Ola Lundqvist at 2024-03-06T20:45:06+01:00 Marked CVEs for golang-1.11 as postponed with limited support. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -225,6 +225,7 @@ CVE-2024-24785 (If errors returned from MarshalJSON methods contain user control - golang-1.19 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/65697 NOTE: https://github.com/golang/go/commit/056b0edcb8c152152021eebf4cf42adbfbe77992 (go1.22.1) NOTE: https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e (go1.21.8) @@ -234,6 +235,7 @@ CVE-2024-24784 (The ParseAddressList function incorrectly handles comments (text - golang-1.19 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/65083 NOTE: https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c (go1.22.1) NOTE: https://github.com/golang/go/commit/263c059b09fdd40d9dd945f2ecb20c89ea28efe5 (go1.21.8) @@ -243,6 +245,7 @@ CVE-2024-24783 (Verifying a certificate chain which contains a certificate with - golang-1.19 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/65390 NOTE: https://github.com/golang/go/commit/337b8e9cbfa749d9d5c899e0dc358e2208d5e54f (go1.22.1) NOTE: https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0 (go1.21.8) 
@@ -257,6 +260,7 @@ CVE-2023-45290 (When parsing a multipart form (either explicitly with Request.Pa - golang-1.19 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/65383 NOTE: https://github.com/golang/go/commit/041a47712e765e94f86d841c3110c840e76d8f82 (go1.22.1) NOTE: https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0 (go1.21.8) @@ -266,6 +270,7 @@ CVE-2023-45289 (When following an HTTP redirect to a domain which is not a subdo - golang-1.19 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/65065 NOTE: https://github.com/golang/go/commit/3a855208e3efed2e9d7c20ad023f1fa78afcc0be (go1.22.1) NOTE: https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1 (go1.21.8) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba3d969f7990add7ae54e9dec101c27dd55357c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba3d969f7990add7ae54e9dec101c27dd55357c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
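Review bot: the identical tag `[buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases)` is applied in all five hunks, including the CVE-2024-24783 one whose visible description concerns verifying a certificate chain; the tag states the limited-support policy as the reason but nothing specific to each issue, so for the certificate-verification entry a one-line per-CVE rationale would make the "minor issue" judgement reviewable later. The other four entries (MarshalJSON error handling, ParseAddressList, multipart form parsing, HTTP redirect handling) are tagged consistently with each other, and the existing upstream commit NOTEs give the go1.21.8 and go1.22.1 fixes to follow.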
[Git][security-tracker-team/security-tracker][master] 3 commits: Added fontforge to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 42024d4f by Ola Lundqvist at 2024-03-06T20:42:23+01:00 Added fontforge to dla-needed. Arbitrary command execution is tricky even if this is an editor application and you should not load untrusted files. - - - - - 85dcb981 by Ola Lundqvist at 2024-03-06T20:42:25+01:00 Marked CVE-2019-9515 as minor issue for buster following bookworm decision. - - - - - e69488da by Ola Lundqvist at 2024-03-06T20:42:25+01:00 Added postgresql-11 to dla-needed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -344479,6 +344479,7 @@ CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, pote - h2o 2.2.5+dfsg2-3 (bug #934886) - rust-h2 0.3.24-1 (bug #1062667) [bookworm] - rust-h2 (Minor issue) + [buster] - rust-h2 (Minor issue) NOTE: Issue: https://github.com/golang/go/issues/33606 NOTE: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11) NOTE: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c (golang-1.12) = data/dla-needed.txt = @@ -102,6 +102,9 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- +fontforge + NOTE: 20240306: Added by Front-Desk (opal) +-- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- 
@@ -225,6 +228,9 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. -- +postgresql-11 + NOTE: 20240306: Added by Front-Desk (opal) +-- putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0112cce0c6cf71931b7319a1dffb32e463f0fc06...e69488dacb99e1f4cd63a5b9bb1c8ca65f1197cc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0112cce0c6cf71931b7319a1dffb32e463f0fc06...e69488dacb99e1f4cd63a5b9bb1c8ca65f1197cc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
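Review bot: the commit message says CVE-2019-9515 was marked minor for buster, but the data/CVE/list hunk header is `@@ -344479,6 +344479,7 @@ CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, pote`, i.e. the nearest preceding entry header git found is CVE-2019-9514, so as far as the hunk shows the added `[buster] - rust-h2 (Minor issue)` line sits in the CVE-2019-9514 block; check that the tag landed in the intended entry. The `[bookworm] - rust-h2 (Minor issue)` context line does support the "following bookworm decision" part of the message. The two dla-needed.txt hunks adding `fontforge` and `postgresql-11` are straightforward.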
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2024-26621
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0112cce0 by Salvatore Bonaccorso at 2024-03-06T20:28:44+01:00 Update information on CVE-2024-26621 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -848,7 +848,10 @@ CVE-2024-0968 (Cross-site Scripting (XSS) - DOM in GitHub repository langchain-a CVE-2024-0795 (If an attacked was given access to an instance with the admin or manag ...) NOT-FOR-US: AnythingLLM CVE-2024-26621 (In the Linux kernel, the following vulnerability has been resolved: m ...) - - linux (Vulnerable code not present) + - linux 6.7.7-1 (bug #1024149) + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/4ef9ad19e17676b9ef071309bc62020e2373705d (6.8-rc3) CVE-2023-52582 (In the Linux kernel, the following vulnerability has been resolved: n ...) - linux 6.5.6-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0112cce0c6cf71931b7319a1dffb32e463f0fc06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0112cce0c6cf71931b7319a1dffb32e463f0fc06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
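Review bot: the new `- linux 6.7.7-1 (bug #1024149)` line claims the fix in a 6.7.x upload, while the only fix reference in the context is `NOTE: https://git.kernel.org/linus/4ef9ad19e17676b9ef071309bc62020e2373705d (6.8-rc3)`; a 6.7.y stable release only contains that mainline commit if it was backported, so the entry should also note the 6.7.y stable commit (or the Debian changelog entry) carrying it, otherwise the 6.7.7-1 fixed version cannot be checked from the NOTEs. The three release tags added here all say `Vulnerable code not present`, and the follow-up commit d173b23a on this page removes the bookworm one again, so the two commits should be read together.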
[Git][security-tracker-team/security-tracker][master] chromium DSA
Andres Salomon pushed to branch master at Debian Security Tracker / security-tracker Commits: 3970dc0c by Andres Salomon at 2024-03-06T13:02:57-05:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[06 Mar 2024] DSA-5636-1 chromium - security update + {CVE-2024-2173 CVE-2024-2174 CVE-2024-2176} + [bookworm] - chromium 122.0.6261.111-1~deb12u1 [04 Mar 2024] DSA-5635-1 yard - security update {CVE-2024-27285} [bullseye] - yard 0.9.24-1+deb11u1 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- cacti -- -chromium (dilinger) --- cryptojs -- dav1d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3970dc0ca8d6c56da0caa3b825b0dc7231c9072c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3970dc0ca8d6c56da0caa3b825b0dc7231c9072c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
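Review bot: the push touches only data/DSA/list and data/dsa-needed.txt (`2 changed files`), so the entries for CVE-2024-2173, CVE-2024-2174 and CVE-2024-2176 in data/CVE/list are not updated with `chromium 122.0.6261.111-1~deb12u1` here; confirm they already carry that fixed version (or a suitable `[bookworm]` tag), otherwise the tracker keeps listing them open for bookworm despite DSA-5636-1. Removing `chromium (dilinger)` from dsa-needed.txt is consistent with the DSA being issued.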
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 46faf2a3 by Moritz Muehlenhoff at 2024-03-06T18:55:41+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,35 @@ +CVE-2024-28160 + NOT-FOR-US: Jenkins plugin +CVE-2024-28159 + NOT-FOR-US: Jenkins plugin +CVE-2024-28158 + NOT-FOR-US: Jenkins plugin +CVE-2024-28157 + NOT-FOR-US: Jenkins plugin +CVE-2024-28156 + NOT-FOR-US: Jenkins plugin +CVE-2024-2215 + NOT-FOR-US: Jenkins plugin +CVE-2024-2216 + NOT-FOR-US: Jenkins plugin +CVE-2024-28161 + NOT-FOR-US: Jenkins plugin +CVE-2024-28162 + NOT-FOR-US: Jenkins plugin +CVE-2024-28155 + NOT-FOR-US: Jenkins plugin +CVE-2024-28154 + NOT-FOR-US: Jenkins plugin +CVE-2024-28153 + NOT-FOR-US: Jenkins plugin +CVE-2024-28152 + NOT-FOR-US: Jenkins plugin +CVE-2024-28151 + NOT-FOR-US: Jenkins plugin +CVE-2024-28150 + NOT-FOR-US: Jenkins plugin +CVE-2024-28149 + NOT-FOR-US: Jenkins plugin CVE-2023-50740 NOT-FOR-US: Apache Linkis CVE-2024-26580 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46faf2a3765a8a390dd9f04039c72d0b7cd3c9a0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46faf2a3765a8a390dd9f04039c72d0b7cd3c9a0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ae928773 by Moritz Muehlenhoff at 2024-03-06T16:47:05+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-50740 + NOT-FOR-US: Apache Linkis +CVE-2024-26580 + NOT-FOR-US: Apache InLong CVE-2024-2179 (Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via th ...) NOT-FOR-US: Concrete CMS CVE-2024-27765 (Directory Traversal vulnerability in Jeewms v.3.7 and before allows a ...) 
@@ -278,13 +282,13 @@ CVE-2024-26334 (swftools v0.9.2 was discovered to contain a segmentation violati CVE-2024-24098 (Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Inject ...) NOT-FOR-US: Code-projects Scholars Tracking System CVE-2024-23296 (A memory corruption issue was addressed with improved validation. This ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23256 (A logic issue was addressed with improved state management. This issue ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23243 (A privacy issue was addressed with improved private data redaction for ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23225 (A memory corruption issue was addressed with improved validation. This ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-22352 (IBM InfoSphere Information Server 11.7 stores potentially sensitive in ...) NOT-FOR-US: IBM CVE-2024-22255 (VMware ESXi, Workstation, and Fusion contain an information disclosure ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae9287732ff7d86da5b7f32bb212eeed4aa52227 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae9287732ff7d86da5b7f32bb212eeed4aa52227 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add note on CVE-2019-12290/libidn2
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b67cb4d by Santiago Ruano Rincón at 2024-03-06T12:44:40-03:00 Add note on CVE-2019-12290/libidn2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -335470,6 +335470,7 @@ CVE-2019-12290 (GNU libidn2 before 2.2.0 fails to perform the roundtrip checks s [buster] - libidn2 (Minor issue; intrusive to backport) NOTE: https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5 (2.2.0) NOTE: https://gitlab.com/libidn/libidn2/merge_requests/71 + NOTE: Backport available: https://git.launchpad.net/ubuntu/+source/libidn2/commit/?id=0aa447342fbf0fc37d7887982e0daf817db08b1d CVE-2019-12289 (An issue was discovered in upgrade_firmware.cgi on VStarcam 100T (C782 ...) NOT-FOR-US: VStarcam CVE-2019-12288 (An issue was discovered in upgrade_htmls.cgi on VStarcam 100T (C7824WI ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b67cb4d0b3d44871d5a16a4bf31c6ca7abfe87d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b67cb4d0b3d44871d5a16a4bf31c6ca7abfe87d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
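Review bot: the new `NOTE: Backport available: https://git.launchpad.net/ubuntu/+source/libidn2/commit/?id=0aa447342fbf0fc37d7887982e0daf817db08b1d` sits directly under `[buster] - libidn2 (Minor issue; intrusive to backport)`, and the two now pull in opposite directions: the tag's stated reason for postponing is that the backport is intrusive, while the note says a backport exists. Either reword the tag (drop "intrusive to backport" if the Ubuntu backport is acceptable for buster) or extend the note with why that backport does not change the buster decision.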
[Git][security-tracker-team/security-tracker][master] Add note about CVE-2018-14550
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: d2e8f6b3 by Santiago Ruano Rincón at 2024-03-06T10:07:38-03:00 Add note about CVE-2018-14550 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -383834,6 +383834,7 @@ CVE-2018-14550 (An issue has been found in third-party PNM decoding associated w - libpng (unimportant) NOTE: https://github.com/glennrp/libpng/issues/246 NOTE: https://github.com/glennrp/libpng/commit/1f0221fad7e7888ada87eda511dcbfd701de7d21 + NOTE: pnm2png is not shipped in Debian CVE-2018-14549 (An issue has been found in libwav through 2017-04-20. It is a SEGV in ...) NOT-FOR-US: libwav CVE-2018-14548 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2e8f6b316d79d5b07ea772df252f8e5089638ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2e8f6b316d79d5b07ea772df252f8e5089638ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 23645a3e by Salvatore Bonaccorso at 2024-03-06T09:42:22+01:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51,11 +51,11 @@ CVE-2024-1356 (Authenticated command injection vulnerabilities exist in the Arub CVE-2024-1220 (A stack-based buffer overflow in the built-in web server in Moxa NPort ...) NOT-FOR-US: Moxa CVE-2023-49977 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) - TODO: check + NOT-FOR-US: Customer Support System CVE-2023-49976 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) - TODO: check + NOT-FOR-US: Customer Support System CVE-2023-49974 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) - TODO: check + NOT-FOR-US: Customer Support System CVE-2023-49973 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) NOT-FOR-US: Customer Support System CVE-2023-49971 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) 
@@ -300,29 +300,29 @@ CVE-2024-1202 (Authentication Bypass by Primary Weakness vulnerability in XPodas CVE-2023-7103 (Authentication Bypass by Primary Weakness vulnerability in ZKSoftware ...) NOT-FOR-US: ZKSoftware Biometric Security Solutions UFace CVE-2023-5457 (A CWE-1269 \u201cProduct Released in Non-Release Configuration\u201d v ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-5456 (A CWE-798 \u201cUse of Hard-coded Credentials\u201d vulnerability in t ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-45600 (A CWE-613 \u201cInsufficient Session Expiration\u201d vulnerability in ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-45599 (A CWE-646 \u201cReliance on File Name or Extension of Externally-Suppl ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-45598 (A CWE-862 \u201cMissing Authorization\u201d vulnerability in the \u201 ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-45597 (A CWE-1236 \u201cImproper Neutralization of Formula Elements in a CSV ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-45596 (A CWE-862 \u201cMissing Authorization\u201d vulnerability in the \u201 ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-45595 (A CWE-434 \u201cUnrestricted Upload of File with Dangerous Type\u201d ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-45594 (A CWE-552 \u201cFiles or Directories Accessible to External Parties\u2 ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-45593 (A CWE-693 \u201cProtection Mechanism Failure\u201d vulnerability in th ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-45592 (A CWE-250 \u201cExecution with Unnecessary Privileges\u201d vulnerabil ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-45591 (A CWE-122 \u201cHeap-based Buffer Overflow\u201d vulnerability in the ...) - TODO: check + NOT-FOR-US: AiLux imx6 CVE-2023-35899 (IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 1 ...) 
NOT-FOR-US: IBM CVE-2022-48630 (In the Linux kernel, the following vulnerability has been resolved: c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23645a3e1054dce7aba6c839fde8d5c52a0a1d05 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23645a3e1054dce7aba6c839fde8d5c52a0a1d05 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ee373b23 by Salvatore Bonaccorso at 2024-03-06T09:21:58+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2024-2179 (Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via th ...) - TODO: check + NOT-FOR-US: Concrete CMS CVE-2024-27765 (Directory Traversal vulnerability in Jeewms v.3.7 and before allows a ...) NOT-FOR-US: Jeewms CVE-2024-27764 (An issue in Jeewms v.3.7 and before allows a remote attacker to escala ...) 
@@ -33,23 +33,23 @@ CVE-2024-24275 (Cross Site Scripting vulnerability in Teamwire Windows desktop c CVE-2024-22889 (Due to incorrect access control in Plone version v6.0.9, remote attack ...) TODO: check CVE-2024-1989 (The Social Sharing Plugin \u2013 Sassy Social Share plugin for WordPre ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1901 (Denial of service in PAM password rotation during the check-in process ...) - TODO: check + NOT-FOR-US: Devolutions CVE-2024-1900 (Improper session management in the identity provider authentication fl ...) - TODO: check + NOT-FOR-US: Devolutions CVE-2024-1898 (Improper access control in the notification feature in Devolutions Ser ...) - TODO: check + NOT-FOR-US: Devolutions CVE-2024-1771 (The Total theme for WordPress is vulnerable to unauthorized modificati ...) - TODO: check + NOT-FOR-US: WordPress theme CVE-2024-1764 (Improper privilege management in Just-in-time (JIT) elevation module i ...) - TODO: check + NOT-FOR-US: Devolutions CVE-2024-1760 (The Appointment Booking Calendar \u2014 Simply Schedule Appointments B ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1356 (Authenticated command injection vulnerabilities exist in the ArubaOS c ...) - TODO: check + NOT-FOR-US: Aruba CVE-2024-1220 (A stack-based buffer overflow in the built-in web server in Moxa NPort ...) - TODO: check + NOT-FOR-US: Moxa CVE-2023-49977 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) TODO: check CVE-2023-49976 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) 
@@ -57,21 +57,21 @@ CVE-2023-49976 (A cross-site scripting (XSS) vulnerability in Customer Support S CVE-2023-49974 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) TODO: check CVE-2023-49973 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) - TODO: check + NOT-FOR-US: Customer Support System CVE-2023-49971 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) - TODO: check + NOT-FOR-US: Customer Support System CVE-2023-48644 (An issue was discovered in the Archibus app 4.0.3 for iOS. There is an ...) - TODO: check + NOT-FOR-US: Archibus app for iOS CVE-2023-43318 (TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 allows at ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2023-38946 (An issue in Multilaser RE160 firmware v5.07.51_pt_MTL01 and v5.07.52_p ...) - TODO: check + NOT-FOR-US: Multilaser RE160 firmware CVE-2023-38945 (Multilaser RE160 v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01, Multilaser R ...) - TODO: check + NOT-FOR-US: Multilaser CVE-2023-38944 (An issue in Multilaser RE160V firmware v12.03.01.09_pt and Multilaser ...) - TODO: check + NOT-FOR-US: Multilaser CVE-2023-33677 (Sourcecodester Lost and Found Information System's Version 1.0 is vuln ...) - TODO: check + NOT-FOR-US: Sourcecodester Lost and Found Information System CVE-2024-2176 - chromium 122.0.6261.111-1 [bullseye] - chromium (see #1061268) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee373b2331ca03a2fceff7384c72edcad152c256 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee373b2331ca03a2fceff7384c72edcad152c256 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
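Review bot: in the second hunk (@@ -33,23 +33,23 @@) the NOT-FOR-US descriptors for CVE-2024-1989 and CVE-2024-1760 ("WordPress plugin") and CVE-2024-1771 ("WordPress theme") are generic, while the neighbouring Devolutions, Aruba and Moxa entries name the product; the descriptions already carry the names ("Sassy Social Share", "Simply Schedule Appointments", "Total theme"), so consider "NOT-FOR-US: WordPress plugin Sassy Social Share" and the like for easier later grep.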
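Review bot: in the third hunk (@@ -57,21 +57,21 @@) three adjacent Multilaser entries get three different descriptors: CVE-2023-38946 becomes "NOT-FOR-US: Multilaser RE160 firmware", while CVE-2023-38945 and CVE-2023-38944 become "NOT-FOR-US: Multilaser"; pick one form (the description of CVE-2023-38944 also names the RE160V) so the three lines stay consistent.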
[Git][security-tracker-team/security-tracker][master] Process some new NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3200d565 by Salvatore Bonaccorso at 2024-03-06T09:16:48+01:00 Process some new NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,35 +1,35 @@ CVE-2024-2179 (Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via th ...) TODO: check CVE-2024-27765 (Directory Traversal vulnerability in Jeewms v.3.7 and before allows a ...) - TODO: check + NOT-FOR-US: Jeewms CVE-2024-27764 (An issue in Jeewms v.3.7 and before allows a remote attacker to escala ...) - TODO: check + NOT-FOR-US: Jeewms CVE-2024-27278 (OpenPNE Plugin "opTimelinePlugin" 1.2.11 and earlier contains a cross- ...) - TODO: check + NOT-FOR-US: OpenPNE Plugin CVE-2024-25858 (In Foxit PDF Reader before 2024.1 and PDF Editor before 2024.1, code e ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-25817 (Buffer Overflow vulnerability in eza before version 0.18.2, allows loc ...) TODO: check CVE-2024-25616 (Aruba has identified certain configurations of ArubaOS that can lead t ...) - TODO: check + NOT-FOR-US: Aruba CVE-2024-25615 (An unauthenticated Denial-of-Service (DoS) vulnerability exists in the ...) - TODO: check + NOT-FOR-US: Aruba CVE-2024-25614 (There is an arbitrary file deletion vulnerability in the CLI used by A ...) - TODO: check + NOT-FOR-US: Aruba CVE-2024-25613 (Authenticated command injection vulnerabilities exist in the ArubaOS c ...) - TODO: check + NOT-FOR-US: Aruba CVE-2024-25612 (Authenticated command injection vulnerabilities exist in the ArubaOS c ...) - TODO: check + NOT-FOR-US: Aruba CVE-2024-25611 (Authenticated command injection vulnerabilities exist in the ArubaOS c ...) - TODO: check + NOT-FOR-US: Aruba CVE-2024-24786 (The protojson.Unmarshal function can enter an infinite loop when unmar ...) TODO: check CVE-2024-24278 (An issue in Teamwire Windows desktop client v.2.0.1 through v.2.4.0 al ...) - TODO: check + NOT-FOR-US: Teamwire Windows desktop client CVE-2024-24276 (Cross Site Scripting (XSS) vulnerability in Teamwire Windows desktop c ...) 
- TODO: check + NOT-FOR-US: Teamwire Windows desktop client CVE-2024-24275 (Cross Site Scripting vulnerability in Teamwire Windows desktop client ...) - TODO: check + NOT-FOR-US: Teamwire Windows desktop client CVE-2024-22889 (Due to incorrect access control in Plone version v6.0.9, remote attack ...) TODO: check CVE-2024-1989 (The Social Sharing Plugin \u2013 Sassy Social Share plugin for WordPre ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3200d56575a356cdf6bd96b56b410acfe317846a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3200d56575a356cdf6bd96b56b410acfe317846a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
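Review bot: CVE-2024-24786 is the one entry in this run that keeps "TODO: check" while its neighbours are resolved, and its description points at a library API ("The protojson.Unmarshal function ...") rather than a vendor product, so it needs a source package mapping rather than an NFU; worth a follow-up before the next automatic update pushes it further down the list. Also CVE-2024-25858 is marked "NOT-FOR-US: Foxit PDF Reader" although the description covers "PDF Reader before 2024.1 and PDF Editor before 2024.1"; "NOT-FOR-US: Foxit" would cover both.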
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c2441ca by security tracker role at 2024-03-06T08:12:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,77 @@ +CVE-2024-2179 (Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via th ...) + TODO: check +CVE-2024-27765 (Directory Traversal vulnerability in Jeewms v.3.7 and before allows a ...) + TODO: check +CVE-2024-27764 (An issue in Jeewms v.3.7 and before allows a remote attacker to escala ...) + TODO: check +CVE-2024-27278 (OpenPNE Plugin "opTimelinePlugin" 1.2.11 and earlier contains a cross- ...) + TODO: check +CVE-2024-25858 (In Foxit PDF Reader before 2024.1 and PDF Editor before 2024.1, code e ...) + TODO: check +CVE-2024-25817 (Buffer Overflow vulnerability in eza before version 0.18.2, allows loc ...) + TODO: check +CVE-2024-25616 (Aruba has identified certain configurations of ArubaOS that can lead t ...) + TODO: check +CVE-2024-25615 (An unauthenticated Denial-of-Service (DoS) vulnerability exists in the ...) + TODO: check +CVE-2024-25614 (There is an arbitrary file deletion vulnerability in the CLI used by A ...) + TODO: check +CVE-2024-25613 (Authenticated command injection vulnerabilities exist in the ArubaOS c ...) + TODO: check +CVE-2024-25612 (Authenticated command injection vulnerabilities exist in the ArubaOS c ...) + TODO: check +CVE-2024-25611 (Authenticated command injection vulnerabilities exist in the ArubaOS c ...) + TODO: check +CVE-2024-24786 (The protojson.Unmarshal function can enter an infinite loop when unmar ...) + TODO: check +CVE-2024-24278 (An issue in Teamwire Windows desktop client v.2.0.1 through v.2.4.0 al ...) + TODO: check +CVE-2024-24276 (Cross Site Scripting (XSS) vulnerability in Teamwire Windows desktop c ...) + TODO: check +CVE-2024-24275 (Cross Site Scripting vulnerability in Teamwire Windows desktop client ...) + TODO: check +CVE-2024-22889 (Due to incorrect access control in Plone version v6.0.9, remote attack ...) + TODO: check +CVE-2024-1989 (The Social Sharing Plugin \u2013 Sassy Social Share plugin for WordPre ...) 
+ TODO: check +CVE-2024-1901 (Denial of service in PAM password rotation during the check-in process ...) + TODO: check +CVE-2024-1900 (Improper session management in the identity provider authentication fl ...) + TODO: check +CVE-2024-1898 (Improper access control in the notification feature in Devolutions Ser ...) + TODO: check +CVE-2024-1771 (The Total theme for WordPress is vulnerable to unauthorized modificati ...) + TODO: check +CVE-2024-1764 (Improper privilege management in Just-in-time (JIT) elevation module i ...) + TODO: check +CVE-2024-1760 (The Appointment Booking Calendar \u2014 Simply Schedule Appointments B ...) + TODO: check +CVE-2024-1356 (Authenticated command injection vulnerabilities exist in the ArubaOS c ...) + TODO: check +CVE-2024-1220 (A stack-based buffer overflow in the built-in web server in Moxa NPort ...) + TODO: check +CVE-2023-49977 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) + TODO: check +CVE-2023-49976 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) + TODO: check +CVE-2023-49974 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) + TODO: check +CVE-2023-49973 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) + TODO: check +CVE-2023-49971 (A cross-site scripting (XSS) vulnerability in Customer Support System ...) + TODO: check +CVE-2023-48644 (An issue was discovered in the Archibus app 4.0.3 for iOS. There is an ...) + TODO: check +CVE-2023-43318 (TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 allows at ...) + TODO: check +CVE-2023-38946 (An issue in Multilaser RE160 firmware v5.07.51_pt_MTL01 and v5.07.52_p ...) + TODO: check +CVE-2023-38945 (Multilaser RE160 v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01, Multilaser R ...) + TODO: check +CVE-2023-38944 (An issue in Multilaser RE160V firmware v12.03.01.09_pt and Multilaser ...) 
+ TODO: check +CVE-2023-33677 (Sourcecodester Lost and Found Information System's Version 1.0 is vuln ...) + TODO: check CVE-2024-2176 - chromium 122.0.6261.111-1 [bullseye] - chromium (see #1061268) @@ -10,106 +84,106 @@ CVE-2024-2173 - chromium 122.0.6261.111-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) -CVE-2024-26628 [drm/amdkfd: Fix lock dependency warning] +CVE-2024-26628 (In the Linux kernel, the following vulnerability has been resolved: d ...) - linux 6.7.7-1
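Review bot: in the second hunk (@@ -10,106 +84,106 @@) the automatic update replaces the hand-written title "[drm/amdkfd: Fix lock dependency warning]" for CVE-2024-26628 with the generic truncated text "(In the Linux kernel, the following vulnerability has been resolved: d ...)", which drops the only subsystem hint visible in the list; since every kernel CVE now starts with the same boilerplate, consider preserving the subsystem prefix in a NOTE line under the entry so the kernel entries remain distinguishable without opening each one.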
[Git][security-tracker-team/security-tracker][master] golang-1.21 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0bb36f2f by Moritz Muehlenhoff at 2024-03-06T08:58:53+01:00 golang-1.21 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -111,7 +111,7 @@ CVE-2023-52583 [ceph: fix deadlock or deadcode of misusing dget()] NOTE: https://git.kernel.org/linus/b493ad718b1f0357394d2cdecbf00a44a36fa085 (6.8-rc1) CVE-2024-24785 [html/template: errors returned from MarshalJSON methods may break template escaping] - golang-1.22 1.22.1-1 - - golang-1.21 + - golang-1.21 1.21.8-1 - golang-1.19 - golang-1.15 - golang-1.11 @@ -120,7 +120,7 @@ CVE-2024-24785 [html/template: errors returned from MarshalJSON methods may brea NOTE: https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e (go1.21.8) CVE-2024-24784 [net/mail: comments in display names are incorrectly handled] - golang-1.22 1.22.1-1 - - golang-1.21 + - golang-1.21 1.21.8-1 - golang-1.19 - golang-1.15 - golang-1.11 @@ -129,7 +129,7 @@ CVE-2024-24784 [net/mail: comments in display names are incorrectly handled] NOTE: https://github.com/golang/go/commit/263c059b09fdd40d9dd945f2ecb20c89ea28efe5 (go1.21.8) CVE-2024-24783 [golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm] - golang-1.22 1.22.1-1 - - golang-1.21 + - golang-1.21 1.21.8-1 - golang-1.19 - golang-1.15 - golang-1.11 @@ -143,7 +143,7 @@ CVE-2023-5685 [StackOverflowException when the chain of notifier states becomes NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241822 CVE-2023-45290 [golang: net/http: memory exhaustion in Request.ParseMultipartFor] - golang-1.22 1.22.1-1 - - golang-1.21 + - golang-1.21 1.21.8-1 - golang-1.19 - golang-1.15 - golang-1.11 
@@ -152,7 +152,7 @@ CVE-2023-45290 [golang: net/http: memory exhaustion in Request.ParseMultipartFor NOTE: https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0 (go1.21.8) CVE-2023-45289 [golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect] - golang-1.22 1.22.1-1 - - golang-1.21 + - golang-1.21 1.21.8-1 - golang-1.19 - golang-1.15 - golang-1.11 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bb36f2fddc026e85886835b867d27df33b29118 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bb36f2fddc026e85886835b867d27df33b29118 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
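Review bot: the context line for CVE-2023-45290 reads "[golang: net/http: memory exhaustion in Request.ParseMultipartFor]"; the method name is truncated (net/http's method is Request.ParseMultipartForm), so the bracketed title should be corrected while this entry is being touched. The actual change in each of the six hunks, "- golang-1.21" to "- golang-1.21 1.21.8-1", is consistent with the "(go1.21.8)" upstream commit references in the surrounding NOTE lines; golang-1.19, golang-1.15 and golang-1.11 remain without a fixed version in every hunk, which is expected if they are not to receive the fix, but worth a quick confirmation that none of them is still in a supported suite.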