[Git][security-tracker-team/security-tracker][master] Track fixed version for nodejs issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f757bdef by Salvatore Bonaccorso at 2024-04-04T07:55:06+02:00 Track fixed version for nodejs issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -616,10 +616,10 @@ CVE-2024-31080 [Heap buffer overread/data leakage in ProcXIGetSelectedEvents] NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html CVE-2024-27983 - - nodejs (bug #1068347) + - nodejs 18.20.1+dfsg-1 (bug #1068347) NOTE: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/ CVE-2024-27982 - - nodejs (bug #1068347) + - nodejs 18.20.1+dfsg-1 (bug #1068347) NOTE: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/ CVE-2024-3248 (In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f757bdef76c5b3639aa935619227b2f7837b2886 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f757bdef76c5b3639aa935619227b2f7837b2886 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
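Review bot: the fixed version 18.20.1+dfsg-1 is recorded on the unstable line of both CVE-2024-27983 and CVE-2024-27982, but neither entry has a [bookworm] or [bullseye] line, so the stable suites stay open in the tracker until a triage decision is written down; the single NOTE is the release blog covering both CVEs, so a per-CVE "Fixed by:" commit reference, as the xorg-server entries in this batch carry, would make a stable backport easier to verify.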
[Git][security-tracker-team/security-tracker][master] Add golang-golang-x-net for CVE-2023-45288
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f51762b6 by Salvatore Bonaccorso at 2024-04-04T06:43:52+02:00 Add golang-golang-x-net for CVE-2023-45288 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4,6 +4,7 @@ CVE-2023-45288 - golang-1.19 - golang-1.15 - golang-1.11 + - golang-golang-x-net 1:0.23.0+dfsg-1 NOTE: https://github.com/golang/go/issues/65051 NOTE: https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b (go1.22.2) NOTE: https://github.com/golang/go/commit/ae5913347d15cf7d1f218916c22717e5739a9ea3 (go1.21.9) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f51762b6c6639fc3f4ff87fc6b4cb92dcb46dfcc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f51762b6c6639fc3f4ff87fc6b4cb92dcb46dfcc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
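Review bot: golang-golang-x-net 1:0.23.0+dfsg-1 is added with a fixed version, but the three NOTE lines cite only the golang/go issue and the go1.22.2 and go1.21.9 toolchain commits; add the corresponding x/net fix reference so the x-net fixed version can be traced to its own upstream change rather than inferred from the toolchain fix.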
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-45288/golang-1.22 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce147da1 by Salvatore Bonaccorso at 2024-04-04T06:42:22+02:00 Track fixed version for CVE-2023-45288/golang-1.22 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2023-45288 - - golang-1.22 + - golang-1.22 1.22.2-1 - golang-1.21 1.21.9-1 - golang-1.19 - golang-1.15 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce147da1a41463982f7866ce0c46e97cc0c5592a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce147da1a41463982f7866ce0c46e97cc0c5592a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
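Review bot: golang-1.22 now carries 1.22.2-1 and golang-1.21 already has 1.21.9-1, while golang-1.19, golang-1.15 and golang-1.11 still have no version and no suite annotation in the context lines; those three need their status recorded explicitly (per-suite lines with a rationale) so the entry does not read as half-triaged.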
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-29041/node-express
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4672c3bb by Salvatore Bonaccorso at 2024-04-04T05:48:40+02:00 Add Debian bug reference for CVE-2024-29041/node-express - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3185,7 +3185,7 @@ CVE-2024-29189 (PyAnsys Geometry is a Python client library for the Ansys Geomet CVE-2024-29179 (phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, ...) NOT-FOR-US: phpMyFAQ CVE-2024-29041 (Express.js minimalist web framework for node. Versions of Express.js p ...) - - node-express + - node-express (bug #1068346) [bookworm] - node-express (Minor issue) [bullseye] - node-express (Minor issue) NOTE: https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4672c3bb7de639835d427d3d9ed36c6d6c260c5f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4672c3bb7de639835d427d3d9ed36c6d6c260c5f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
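Review bot: the bug reference goes only onto the unstable line, and the single NOTE is the GHSA advisory; add a "Fixed by:" upstream commit reference so the patch behind the [bookworm] and [bullseye] "Minor issue" decisions is on record and can be revisited if the severity assessment changes.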
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for nodejs issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 16495237 by Salvatore Bonaccorso at 2024-04-04T05:47:27+02:00 Add Debian bug reference for nodejs issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -615,10 +615,10 @@ CVE-2024-31080 [Heap buffer overread/data leakage in ProcXIGetSelectedEvents] NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html CVE-2024-27983 - - nodejs + - nodejs (bug #1068347) NOTE: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/ CVE-2024-27982 - - nodejs + - nodejs (bug #1068347) NOTE: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/ CVE-2024-3248 (In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/164952376aab2ca6d343c25c939b7037e3d5323d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/164952376aab2ca6d343c25c939b7037e3d5323d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-45288/go
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 39379215 by Salvatore Bonaccorso at 2024-04-03T23:16:34+02:00 Add CVE-2023-45288/go - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,12 @@ +CVE-2023-45288 + - golang-1.22 + - golang-1.21 1.21.9-1 + - golang-1.19 + - golang-1.15 + - golang-1.11 + NOTE: https://github.com/golang/go/issues/65051 + NOTE: https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b (go1.22.2) + NOTE: https://github.com/golang/go/commit/ae5913347d15cf7d1f218916c22717e5739a9ea3 (go1.21.9) CVE-2024-3259 (A vulnerability was found in SourceCodester Internship Portal Manageme ...) NOT-FOR-US: SourceCodester Internship Portal Management System CVE-2024-3258 (A vulnerability was found in SourceCodester Internship Portal Manageme ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/393792156fc7dfb44f4d8d79684755ceaef398e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/393792156fc7dfb44f4d8d79684755ceaef398e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
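Review bot: golang-1.22 is listed without a fixed version although the NOTE already cites the go1.22.2 commit; record 1.22.2-1 as soon as it is uploaded (golang-1.21 already has 1.21.9-1 here). The new CVE-2023-45288 line also has no bracketed summary, unlike the surrounding entries; a short title taken from golang/go issue 65051 would make the entry searchable.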
[Git][security-tracker-team/security-tracker][master] Track fixed version for xorg-server issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 965fb917 by Salvatore Bonaccorso at 2024-04-03T23:07:40+02:00 Track fixed version for xorg-server issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -583,24 +583,24 @@ CVE-2023-52637 (In the Linux kernel, the following vulnerability has been resolv [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/efe7cf828039aedb297c1f9920b638fffee6aabc (6.8-rc5) CVE-2024-31083 [User-after-free in ProcRenderAddGlyphs] - - xorg-server + - xorg-server 2:21.1.11-3 - xwayland [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running as root) NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057eeb31609b1280fc93237b00c77 NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html CVE-2024-31082 [Heap buffer overread/data leakage in ProcAppleDRICreatePixmap] - - xorg-server (unimportant) + - xorg-server 2:21.1.11-3 (unimportant) NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f0ef0744517580864cef NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html NOTE: Affects the XQuartz (X11 server and client libraries for macOS) component CVE-2024-31081 [Heap buffer overread/data leakage in ProcXIPassiveGrabDevice] - - xorg-server + - xorg-server 2:21.1.11-3 - xwayland [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running as root) NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html CVE-2024-31080 [Heap buffer overread/data leakage in ProcXIGetSelectedEvents] - - xorg-server + - xorg-server 2:21.1.11-3 - xwayland [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running as root) NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/965fb9174919c8440edc2faf51fe3119c08628a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/965fb9174919c8440edc2faf51fe3119c08628a9 
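Review bot: xorg-server gets 2:21.1.11-3 on all four entries, but the xwayland lines for CVE-2024-31083, CVE-2024-31081 and CVE-2024-31080 keep no fixed version even though the "Fixed by:" NOTE names the shared xserver commit; the xwayland upload carrying that commit should be tracked in the same pass so the entries do not show xwayland as open in unstable while xorg-server is closed.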
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-24506/limesurvey
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 116bd6c3 by Salvatore Bonaccorso at 2024-04-03T23:06:22+02:00 Add CVE-2024-24506/limesurvey - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -760,7 +760,7 @@ CVE-2024-25075 (An issue was discovered in Softing uaToolkit Embedded before 1.4 CVE-2024-24724 (Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSetting ...) NOT-FOR-US: GibbonEdu Gibbon CVE-2024-24506 (Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edit ...) - TODO: check + - limesurvey (bug #472802) CVE-2024-1327 (The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cro ...) NOT-FOR-US: WordPress plugin CVE-2023-35764 (Insufficient verification of data authenticity issue in Survey Maker p ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/116bd6c37946d3f24a96122bc8d9a5a01d813c58 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/116bd6c37946d3f24a96122bc8d9a5a01d813c58 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
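Review bot: the TODO is resolved to "- limesurvey (bug #472802)" with no fixed version and no NOTE; that bug number is far lower than the #10683xx references filed the same day, so if it is the ITP bug for a package not yet in the archive, say so in a NOTE and add the upstream advisory link for the XSS, so the next reader does not have to look it up.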
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 536cec60 by Salvatore Bonaccorso at 2024-04-03T23:05:24+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,13 +17,13 @@ CVE-2024-3252 (A vulnerability classified as critical has been found in SourceCo CVE-2024-3251 (A vulnerability was found in SourceCodester Computer Laboratory Manage ...) NOT-FOR-US: SourceCodester Computer Laboratory Management System CVE-2024-3181 (Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8 ...) - TODO: check + NOT-FOR-US: Concrete CMS CVE-2024-3180 (Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 ...) - TODO: check + NOT-FOR-US: Concrete CMS CVE-2024-3179 (Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.1 ...) - TODO: check + NOT-FOR-US: Concrete CMS CVE-2024-3178 (Concrete CMS versions 9 below 9.2.8 and versions below8.5.16 are vulne ...) - TODO: check + NOT-FOR-US: Concrete CMS CVE-2024-31420 (A NULL pointer dereference flaw was found in KubeVirt. This flaw allow ...) TODO: check CVE-2024-31419 (An information disclosure flaw was found in OpenShift Virtualization. ...) 
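Review bot: the four Concrete CMS entries are moved to NOT-FOR-US, but CVE-2024-31420 (KubeVirt) and CVE-2024-31419 (OpenShift Virtualization) stay at "TODO: check" in the context lines directly below; unless a Debian package exists for either, they look like candidates for the same treatment and could be resolved in the same pass.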
@@ -33,51 +33,51 @@ CVE-2024-31393 (Dragging Javascript URLs to the address bar could cause them to CVE-2024-31392 (If an insecure element was added to a page after a delay, Firefox woul ...) TODO: check CVE-2024-31390 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31380 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-30572 (Netgear R6850 1.1.0.88 was discovered to contain a command injection v ...) - TODO: check + NOT-FOR-US: Netgear CVE-2024-30571 (An information leak in the BRS_top.html component of Netgear R6850 v1. ...) - TODO: check + NOT-FOR-US: Netgear CVE-2024-30570 (An information leak in debuginfo.htm of Netgear R6850 v1.1.0.88 allows ...) - TODO: check + NOT-FOR-US: Netgear CVE-2024-30569 (An information leak in currentsetting.htm of Netgear R6850 v1.1.0.88 a ...) - TODO: check + NOT-FOR-US: Netgear CVE-2024-30568 (Netgear R6850 1.1.0.88 was discovered to contain a command injection v ...) - TODO: check + NOT-FOR-US: Netgear CVE-2024-30366 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30334 (Foxit PDF Reader Doc Object Use-After-Free Remote Code Execution Vulne ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30333 (Foxit PDF Reader Doc Object Use-After-Free Remote Code Execution Vulne ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30332 (Foxit PDF Reader Doc Object Use-After-Free Remote Code Execution Vulne ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30331 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30330 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) 
- TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30329 (Foxit PDF Reader Annotation Use-After-Free Information Disclosure Vuln ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30328 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30327 (Foxit PDF Reader template Use-After-Free Remote Code Execution Vulnera ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30326 (Foxit PDF Reader Doc Object Use-After-Free Remote Code Execution Vulne ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30325 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30324 (Foxit PDF Reader Doc Object Use-After-Free Remote Code Execution Vulne ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30323 (Foxit PDF Reader template Out-Of-Bounds Read Remote Code Execution Vul ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30322 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-2758 (Tempesta FW rate limits are not enabled by default. They are either se ...) - TODO: check + NOT-FOR-US: Tempesta FW CVE-2024-2753 (Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5 ...) - TODO: check +
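Review bot: CVE-2024-31393 and CVE-2024-31392 remain at "TODO: check" in the context lines while everything around them is resolved; both descriptions name Firefox, which is in the archive, so they need a firefox/firefox-esr triage entry rather than NOT-FOR-US in the follow-up. The final change for CVE-2024-2753 is cut off after the "+" in this mail, so its new value cannot be checked here.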
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9013f2dd by Salvatore Bonaccorso at 2024-04-03T22:54:55+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,21 +1,21 @@ CVE-2024-3259 (A vulnerability was found in SourceCodester Internship Portal Manageme ...) - TODO: check + NOT-FOR-US: SourceCodester Internship Portal Management System CVE-2024-3258 (A vulnerability was found in SourceCodester Internship Portal Manageme ...) - TODO: check + NOT-FOR-US: SourceCodester Internship Portal Management System CVE-2024-3257 (A vulnerability was found in SourceCodester Internship Portal Manageme ...) - TODO: check + NOT-FOR-US: SourceCodester Internship Portal Management System CVE-2024-3256 (A vulnerability has been found in SourceCodester Internship Portal Man ...) - TODO: check + NOT-FOR-US: SourceCodester Internship Portal Management System CVE-2024-3255 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Internship Portal Management System CVE-2024-3254 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Internship Portal Management System CVE-2024-3253 (A vulnerability classified as critical was found in SourceCodester Int ...) - TODO: check + NOT-FOR-US: SourceCodester Internship Portal Management System CVE-2024-3252 (A vulnerability classified as critical has been found in SourceCodeste ...) - TODO: check + NOT-FOR-US: SourceCodester Internship Portal Management System CVE-2024-3251 (A vulnerability was found in SourceCodester Computer Laboratory Manage ...) - TODO: check + NOT-FOR-US: SourceCodester Computer Laboratory Management System CVE-2024-3181 (Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8 ...) TODO: check CVE-2024-3180 (Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 ...) 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9013f2dd7d293d61dae266ad18fb592c65499196
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a05de6d0 by Salvatore Bonaccorso at 2024-04-03T22:32:15+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83,7 +83,7 @@ CVE-2024-2653 (amphp/http will collect CONTINUATION frames in an unbounded buffe CVE-2024-29477 (Lack of sanitization during Installation Process in Dolibarr ERP CRM u ...) TODO: check CVE-2024-28782 (IBM QRadar Suite Software 1.10.12.0 through 1.10.18.0 and IBM Cloud Pa ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-28275 (Puwell Cloud Tech Co, Ltd 360Eyes Pro v3.9.5.16(3090516) was discovere ...) TODO: check CVE-2024-27972 (Improper Neutralization of Special Elements used in a Command ('Comman ...) @@ -119,7 +119,7 @@ CVE-2024-27336 (Kofax Power PDF PNG File Parsing Out-Of-Bounds Read Information CVE-2024-27335 (Kofax Power PDF PNG File Parsing Out-Of-Bounds Read Remote Code Execut ...) TODO: check CVE-2024-27254 (IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-27201 (An improper input validation vulnerability exists in the OAS Engine Us ...) TODO: check CVE-2024-27191 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) @@ -131,9 +131,9 @@ CVE-2024-25918 (Unrestricted Upload of File with Dangerous Type vulnerability in CVE-2024-25096 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) TODO: check CVE-2024-25046 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-25030 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-24976 (A denial of service vulnerability exists in the OAS Engine File Data S ...) TODO: check CVE-2024-24707 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) 
@@ -141,7 +141,7 @@ CVE-2024-24707 (Improper Control of Generation of Code ('Code Injection') vulner CVE-2024-23540 (The HCL BigFix Inventory server is vulnerable to path traversal which ...) TODO: check CVE-2024-22360 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-22178 (A file write vulnerability exists in the OAS Engine Save Security Conf ...) TODO: check CVE-2024-21870 (A file write vulnerability exists in the OAS Engine Tags Configuration ...) @@ -183,7 +183,7 @@ CVE-2024-0172 (Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain a CVE-2023-5755 REJECTED CVE-2023-52296 (IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-45552 (In VeridiumID before 3.5.0, a stored cross-site scripting (XSS) vulner ...) TODO: check CVE-2023-44040 (In VeridiumID before 3.5.0, the identity provider page is susceptible ...) 
@@ -193,7 +193,7 @@ CVE-2023-44039 (In VeridiumID before 3.5.0, the WebAuthn API allows an internal CVE-2023-44038 (In VeridiumID before 3.5.0, the identity provider page allows an unaut ...) TODO: check CVE-2023-38729 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server)10.5, ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-35812 (An issue was discovered in the Amazon Linux packages of OpenSSH 7.4 fo ...) TODO: check CVE-2024-26779 (In the Linux kernel, the following vulnerability has been resolved: w ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a05de6d0f16446ec6ba3a32c719227a15f224aa0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a05de6d0f16446ec6ba3a32c719227a15f224aa0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
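Review bot: the new resolutions read "NOT-FOR-US: IBM" in every hunk, while the rest of this batch names the product ("NOT-FOR-US: Foxit PDF Reader", "NOT-FOR-US: Concrete CMS"); use "NOT-FOR-US: IBM Db2" for the Db2 entries and "NOT-FOR-US: IBM QRadar Suite" for CVE-2024-28782 so that a later grep over past triage decisions stays precise.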
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3aac4063 by security tracker role at 2024-04-03T20:11:53+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,386 +1,584 @@ -CVE-2024-26779 [wifi: mac80211: fix race condition on enabling fast-xmit] +CVE-2024-3259 (A vulnerability was found in SourceCodester Internship Portal Manageme ...) + TODO: check +CVE-2024-3258 (A vulnerability was found in SourceCodester Internship Portal Manageme ...) + TODO: check +CVE-2024-3257 (A vulnerability was found in SourceCodester Internship Portal Manageme ...) + TODO: check +CVE-2024-3256 (A vulnerability has been found in SourceCodester Internship Portal Man ...) + TODO: check +CVE-2024-3255 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2024-3254 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check +CVE-2024-3253 (A vulnerability classified as critical was found in SourceCodester Int ...) + TODO: check +CVE-2024-3252 (A vulnerability classified as critical has been found in SourceCodeste ...) + TODO: check +CVE-2024-3251 (A vulnerability was found in SourceCodester Computer Laboratory Manage ...) + TODO: check +CVE-2024-3181 (Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8 ...) + TODO: check +CVE-2024-3180 (Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 ...) + TODO: check +CVE-2024-3179 (Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.1 ...) + TODO: check +CVE-2024-3178 (Concrete CMS versions 9 below 9.2.8 and versions below8.5.16 are vulne ...) + TODO: check +CVE-2024-31420 (A NULL pointer dereference flaw was found in KubeVirt. This flaw allow ...) + TODO: check +CVE-2024-31419 (An information disclosure flaw was found in OpenShift Virtualization. ...) + TODO: check +CVE-2024-31393 (Dragging Javascript URLs to the address bar could cause them to be loa ...) + TODO: check +CVE-2024-31392 (If an insecure element was added to a page after a delay, Firefox woul ...) + TODO: check +CVE-2024-31390 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) 
+ TODO: check +CVE-2024-31380 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) + TODO: check +CVE-2024-30572 (Netgear R6850 1.1.0.88 was discovered to contain a command injection v ...) + TODO: check +CVE-2024-30571 (An information leak in the BRS_top.html component of Netgear R6850 v1. ...) + TODO: check +CVE-2024-30570 (An information leak in debuginfo.htm of Netgear R6850 v1.1.0.88 allows ...) + TODO: check +CVE-2024-30569 (An information leak in currentsetting.htm of Netgear R6850 v1.1.0.88 a ...) + TODO: check +CVE-2024-30568 (Netgear R6850 1.1.0.88 was discovered to contain a command injection v ...) + TODO: check +CVE-2024-30366 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30334 (Foxit PDF Reader Doc Object Use-After-Free Remote Code Execution Vulne ...) + TODO: check +CVE-2024-30333 (Foxit PDF Reader Doc Object Use-After-Free Remote Code Execution Vulne ...) + TODO: check +CVE-2024-30332 (Foxit PDF Reader Doc Object Use-After-Free Remote Code Execution Vulne ...) + TODO: check +CVE-2024-30331 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30330 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30329 (Foxit PDF Reader Annotation Use-After-Free Information Disclosure Vuln ...) + TODO: check +CVE-2024-30328 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30327 (Foxit PDF Reader template Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30326 (Foxit PDF Reader Doc Object Use-After-Free Remote Code Execution Vulne ...) + TODO: check +CVE-2024-30325 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30324 (Foxit PDF Reader Doc Object Use-After-Free Remote Code Execution Vulne ...) 
+ TODO: check +CVE-2024-30323 (Foxit PDF Reader template Out-Of-Bounds Read Remote Code Execution Vul ...) + TODO: check +CVE-2024-30322 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-2758 (Tempesta FW rate limits are not enabled by default. They are either se ...) + TODO: check +CVE-2024-2753 (Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5 ...) + TODO: check +CVE-2024-2653
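Review bot: the hunk opens by removing the "CVE-2024-26779 [wifi: mac80211: ...]" header line that the preceding kernel-sec merge had placed at the top of the file and then inserts the new "TODO: check" block; since this mail is cut off before the end of the hunk, confirm that the header is re-added below the new block rather than dropped.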
[Git][security-tracker-team/security-tracker][master] Merge Linux kernel CVEs from kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 622e1df6 by Salvatore Bonaccorso at 2024-04-03T21:35:12+02:00 Merge Linux kernel CVEs from kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,389 @@ +CVE-2024-26779 [wifi: mac80211: fix race condition on enabling fast-xmit] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f (6.8-rc2) +CVE-2024-26778 [fbdev: savage: Error out if pixclock equals zero] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288 (6.8-rc2) +CVE-2024-26777 [fbdev: sis: Error out if pixclock equals zero] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/e421946be7d9bf545147bea8419ef8239cb7ca52 (6.8-rc2) +CVE-2024-26776 [spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/de8b6e1c231a95abf95ad097b993d34b31458ec9 (6.8-rc2) +CVE-2024-26775 [aoe: avoid potential deadlock at set_capacity] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86 (6.8-rc2) +CVE-2024-26774 [ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/993bf0f4c393b3667830918f9247438a8f6fdb5b (6.8-rc3) +CVE-2024-26773 [ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/4530b3660d396a646aad91a787b6ab37cf604b53 (6.8-rc3) +CVE-2024-26772 [ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/832698373a25950942c04a512daa652c18a9b513 (6.8-rc3) +CVE-2024-26771 [dmaengine: ti: edma: Add some null pointer checks to the edma_probe] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/6e2276203ac9ff10fc76917ec9813c660f627369 (6.8-rc3) +CVE-2024-26770 [HID: nvidia-shield: Add missing null pointer checks to LED initialization] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/b6eda11c44dc89a681e1c105f0f4660e69b1e183 (6.8-rc3) +CVE-2024-26769 [nvmet-fc: avoid deadlock on delete association path] + - linux 6.7.7-1 + 
NOTE: https://git.kernel.org/linus/710c69dbaccdac312e32931abcb8499c1525d397 (6.8-rc3) +CVE-2024-26768 [LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/4551b30525cf3d2f026b92401ffe241eb04dfebe (6.8-rc4) +CVE-2024-26767 [drm/amd/display: fixed integer types and null check locations] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/0484e05d048b66d01d1f3c1d2306010bb57d8738 (6.8-rc5) +CVE-2024-26766 [IB/hfi1: Fix sdma.h tx->num_descs off-by-one error] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/e6f57c6881916df39db7d95981a8ad2b9c3458d6 (6.8-rc6) +CVE-2024-26765 [LoongArch: Disable IRQ before init_fn() for nonboot CPUs] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/1001db6c42e4012b55e5ee19405490f23e033b5a (6.8-rc6) +CVE-2024-26764 [fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/b820de741ae48ccf50dd95e297889c286ff4f760 (6.8-rc6) +CVE-2024-26763 [dm-crypt: don't modify the data when using authenticated encryption] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/50c70240097ce41fe6bce6478b80478281e4d0f7 (6.8-rc6) +CVE-2024-26762 [cxl/pci: Skip to handle RAS errors if CXL.mem device is detached] + - linux 6.7.7-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/eef5c7b28dbecd6b141987a96db6c54e49828102 (6.8-rc6) +CVE-2024-26761 [cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window] + - linux 6.7.7-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/0cab687205986491302cd2e440ef1d253031c221 (6.8-rc6) +CVE-2024-26760 [scsi: target: pscsi: Fix bio_put() for error case] + - linux 6.7.7-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - 
linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/de959094eb2197636f7c803af0943cb9d3b35804 (6.8-rc6) +CVE-2024-26759 [mm/swap: fix race when skipping swapcache] + - linux 6.7.7-1 + NOTE: https://git.kernel.org/linus/13ddaf26be324a7f951891ecd9ccd04466d27458 (6.8-rc6) +CVE-2024-26758 [md:
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-31083/{xorg-server,wayland}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d515b56 by Salvatore Bonaccorso at 2024-04-03T21:33:03+02:00 Add CVE-2024-31083/{xorg-server,wayland} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024-31083 [User-after-free in ProcRenderAddGlyphs] + - xorg-server + - xwayland + [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running as root) + NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057eeb31609b1280fc93237b00c77 + NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html CVE-2024-31082 [Heap buffer overread/data leakage in ProcAppleDRICreatePixmap] - xorg-server (unimportant) NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f0ef0744517580864cef View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d515b5695676a65fa79fcf11417e3e9aea2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d515b5695676a65fa79fcf11417e3e9aea2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
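Review bot: the description on the added CVE-2024-31083 line reads "[User-after-free in ProcRenderAddGlyphs]"; the bug class is a use-after-free, so the bracket should read "[Use-after-free in ProcRenderAddGlyphs]" to match the wording used for the other xserver entries and to keep the description greppable.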
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-31082/xorg-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a2dcb16 by Salvatore Bonaccorso at 2024-04-03T21:27:16+02:00 Add CVE-2024-31082/xorg-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,8 @@ +CVE-2024-31082 [Heap buffer overread/data leakage in ProcAppleDRICreatePixmap] + - xorg-server (unimportant) + NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f0ef0744517580864cef + NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html + NOTE: Affects the XQuartz (X11 server and client libraries for macOS) component CVE-2024-31081 [Heap buffer overread/data leakage in ProcXIPassiveGrabDevice] - xorg-server - xwayland View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a2dcb16194dbba6cba8628caed6b401e4054918 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a2dcb16194dbba6cba8628caed6b401e4054918 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
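Review bot: the reason for the "(unimportant)" rating on the xorg-server line is only stated three NOTE lines further down (the issue affects the XQuartz macOS component); consider carrying the justification inline, e.g. "- xorg-server (unimportant; only affects the XQuartz/macOS component)", so the severity and its reason are read together, in the same way the neighbouring entries annotate xwayland with "(Minor issue; ...)".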
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-31081/{xorg-server,wayland}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c0a588f by Salvatore Bonaccorso at 2024-04-03T21:22:59+02:00 Add CVE-2024-31081/{xorg-server,wayland} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024-31081 [Heap buffer overread/data leakage in ProcXIPassiveGrabDevice] + - xorg-server + - xwayland + [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running as root) + NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee + NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html CVE-2024-31080 [Heap buffer overread/data leakage in ProcXIGetSelectedEvents] - xorg-server - xwayland View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c0a588f87bcfa9fe96871835fc391f373eb361d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c0a588f87bcfa9fe96871835fc391f373eb361d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-31080/{xorg-server,wayland}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7958fe72 by Salvatore Bonaccorso at 2024-04-03T21:20:42+02:00 Add CVE-2024-31080/{xorg-server,wayland} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024-31080 [Heap buffer overread/data leakage in ProcXIGetSelectedEvents] + - xorg-server + - xwayland + [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running as root) + NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b + NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html CVE-2024-27983 - nodejs NOTE: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7958fe7227fbdcf15a8b96ff46ae1d9a2828648a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7958fe7227fbdcf15a8b96ff46ae1d9a2828648a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] chromium dsa
Andres Salomon pushed to branch master at Debian Security Tracker / security-tracker Commits: f22b02aa by Andres Salomon at 2024-04-03T15:11:15-04:00 chromium dsa - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[03 Apr 2024] DSA-5654-1 chromium - security update + {CVE-2024-3156 CVE-2024-3158 CVE-2024-3159} + [bookworm] - chromium 123.0.6312.105-1~deb12u1 [03 Apr 2024] DSA-5653-1 gtkwave - security update {CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004 CVE-2023-35057 CVE-2023-35128 CVE-2023-35702 CVE-2023-35703 CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957 CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961 CVE-2023-35962 CVE-2023-35963 CVE-2023-35964 CVE-2023-35969 CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994 CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746 CVE-2023-36747 CVE-2023-36861 CVE-2023-36864 CVE-2023-36915 CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417 CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442 CVE-2023-37443 CVE-2023-37444 CVE-2023-37445 CVE-2023-37446 CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575 CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921 CVE-2023-37922 CVE-2023-37923 CVE-2023-38583 CVE-2023-38618 CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622 CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650 CVE-2023-38651 CVE-2023-38652 CVE-2023-38653 CVE-2023-38657 CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271 CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275 CVE-2023-39316 CVE-2023-39317 CVE-2023-39413 CVE-2023-39414 CVE-2023-39443 CVE-2023-39444} [bullseye] - gtkwave 3.3.104+really3.3.118-0+deb11u1 = data/dsa-needed.txt = 
@@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -chromium (dilinger) -- cryptojs -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f22b02aa4e1aa3d00d182a70da931b4f8f69e5ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f22b02aa4e1aa3d00d182a70da931b4f8f69e5ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] gtkwave DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cc7aa23 by Moritz Mühlenhoff at 2024-04-03T20:50:58+02:00 gtkwave DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[03 Apr 2024] DSA-5653-1 gtkwave - security update + {CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004 CVE-2023-35057 CVE-2023-35128 CVE-2023-35702 CVE-2023-35703 CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957 CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961 CVE-2023-35962 CVE-2023-35963 CVE-2023-35964 CVE-2023-35969 CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994 CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746 CVE-2023-36747 CVE-2023-36861 CVE-2023-36864 CVE-2023-36915 CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417 CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442 CVE-2023-37443 CVE-2023-37444 CVE-2023-37445 CVE-2023-37446 CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575 CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921 CVE-2023-37922 CVE-2023-37923 CVE-2023-38583 CVE-2023-38618 CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622 CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650 CVE-2023-38651 CVE-2023-38652 CVE-2023-38653 CVE-2023-38657 CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271 CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275 CVE-2023-39316 CVE-2023-39317 CVE-2023-39413 CVE-2023-39414 CVE-2023-39443 CVE-2023-39444} + [bullseye] - gtkwave 3.3.104+really3.3.118-0+deb11u1 + [bookworm] - gtkwave 3.3.118-0.1~deb12u1 [02 Apr 2024] DSA-5652-1 py7zr - security update {CVE-2022-44900} [bullseye] - py7zr 0.11.3+dfsg-1+deb11u1 = data/dsa-needed.txt = 
@@ -30,8 +30,6 @@ frr -- gpac/oldstable -- -gtkwave (jmm) --- h2o (jmm) -- jetty9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cc7aa234dd4167cc9d0910b0fa09e175fb4f238 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cc7aa234dd4167cc9d0910b0fa09e175fb4f238 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add upstream tag reference for CVE-2024-28834
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 98857d7e by Salvatore Bonaccorso at 2024-04-03T20:38:34+02:00 Add upstream tag reference for CVE-2024-28834 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3521,7 +3521,7 @@ CVE-2024-28834 (A flaw was found in GnuTLS. The Minerva attack is a cryptographi NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1516 NOTE: https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2023-12-04 - NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/1c4701ffc342259fc5965d5a0de90d87f780e3e5 + NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/1c4701ffc342259fc5965d5a0de90d87f780e3e5 (3.8.4) NOTE: Introduced with: https://gitlab.com/gnutls/gnutls/-/merge_requests/1051 (gnutls_3_6_10) CVE-2024-28635 (Cross Site Scripting (XSS) vulnerability in SurveyJS Survey Creator v. ...) NOT-FOR-US: SurveyJS Survey Creator View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98857d7e421db7eea0e5a13d74a277a0f093d0a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98857d7e421db7eea0e5a13d74a277a0f093d0a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2024-28835
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a47dc328 by Salvatore Bonaccorso at 2024-04-03T20:32:51+02:00 Add upstream tag information for CVE-2024-28835 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3512,7 +3512,7 @@ CVE-2024-28835 (A flaw has been discovered in GnuTLS where an application crash NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1527 NOTE: https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2024-01-23 - NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d + NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d (3.8.4) NOTE: Introduced with: https://gitlab.com/gnutls/gnutls/-/commit/d268f19510a95f92d11d8f8dc7d94fcae4d765cc (3.7.0) CVE-2024-28834 (A flaw was found in GnuTLS. The Minerva attack is a cryptographic vuln ...) [experimental] - gnutls28 3.8.4-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a47dc3280c3cf96faa3ff4643d3919ad61c1a310 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a47dc3280c3cf96faa3ff4643d3919ad61c1a310 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2021-25291/pillow does not affect buster
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab866516 by Adrian Bunk at 2024-04-03T21:01:30+03:00 CVE-2021-25291/pillow does not affect buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -225149,7 +225149,7 @@ CVE-2021-25292 (An issue was discovered in Pillow before 8.1.1. The PDF parser a NOTE: Introduced in: https://github.com/python-pillow/Pillow/commit/6207b44ab1ff4a91d8ddc7579619876d0bb191a4 (5.1.0) CVE-2021-25291 (An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there ...) - pillow 8.1.1-1 - [buster] - pillow (Minor issue) + [buster] - pillow (Vulnerable code introduced later) [stretch] - pillow (Vulnerable code introduced later) NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html NOTE: https://github.com/python-pillow/Pillow/commit/8b8076bdcb3815be0ef0d279651d8d1342b8ea61 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab866516c39a669ad03d93921c666fb8060944c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab866516c39a669ad03d93921c666fb8060944c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
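Review bot: the buster annotation now states "Vulnerable code introduced later", but the entry's NOTE lines only reference the 8.1.1 release notes and the fixing commit; unlike the CVE-2021-25292 context line above, which records "NOTE: Introduced in: ... (5.1.0)", nothing in the CVE-2021-25291 entry points at the commit or version that introduced the vulnerable code. Adding an "Introduced in:" NOTE with the commit and upstream version would let a later reader verify both the buster and the stretch annotation without repeating the bisection.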
[Git][security-tracker-team/security-tracker][master] Add two new nodejs issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d94dd8d by Salvatore Bonaccorso at 2024-04-03T19:22:15+02:00 Add two new nodejs issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024-27983 + - nodejs + NOTE: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/ +CVE-2024-27982 + - nodejs + NOTE: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/ CVE-2024-3248 (In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads ...) TODO: check CVE-2024-3247 (In Xpdf 4.05 (and earlier), a PDF object loop in an object stream lead ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d94dd8da35b3398e94abafaeec6327322b15f76 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d94dd8da35b3398e94abafaeec6327322b15f76 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
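Review bot: the two added entries carry no bracketed description, so CVE-2024-27983 and CVE-2024-27982 are identifiable only through the linked Node.js blog post, whereas the surrounding entries (see the CVE-2024-3248 context line) are self-describing. A short description taken from the advisory, and the Debian bug number once one is filed, would make the entries readable without following the link.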
[Git][security-tracker-team/security-tracker][master] dla: take pillow
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: aba5fb9d by Adrian Bunk at 2024-04-03T15:57:05+03:00 dla: take pillow - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -204,7 +204,7 @@ pdns-recursor (dleidert) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- -pillow +pillow (Adrian Bunk) NOTE: 20240403: Added by Front-Desk (lamby) -- putty (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aba5fb9db32872949fe3baf6c06f6b41def7c905 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aba5fb9db32872949fe3baf6c06f6b41def7c905 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Reassign dnsmasq to dleidert.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 31c0ebef by Chris Lamb at 2024-04-03T12:50:41+01:00 dla-needed.txt: Reassign dnsmasq to dleidert. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,8 +40,11 @@ bind9 (Sean Whitton) NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) -- -dnsmasq (Chris Lamb) +dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) + NOTE: 20240325: Automatically unassigned (lamby) + NOTE: 20240327: Claimed by lamby, started thread on deblts-team. (lamby) + NOTE: 20240403: Re-assigned back to dleidert; see thread. (lamby) -- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31c0ebef59d1b6ce89f00e89b15e988b161d7d9f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31c0ebef59d1b6ce89f00e89b15e988b161d7d9f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
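Review bot: the retroactively added history is missing its first step: "Re-assigned back to dleidert" presumes an earlier claim by dleidert, but the only prior assignment visible in the hunk is the removed "dnsmasq (Chris Lamb)" line, and the 20240325 note records an automatic unassignment without naming who was unassigned. A note such as "NOTE: 2024MMDD: Claimed by dleidert" (date to be filled in) placed before the 20240325 line would make the chain consistent.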
[Git][security-tracker-team/security-tracker][master] dla: retake
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab3b3865 by Adrian Bunk at 2024-04-03T14:24:44+03:00 dla: retake - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -87,10 +87,11 @@ frr NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) -- -gtkwave +gtkwave (Adrian Bunk) NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) NOTE: 20240316: https://bugs.debian.org/1060407 (bunk) + NOTE: 20240403: will be submitted for DLA review when the pending DSA is published (bunk) -- h2o (Adrian Bunk) NOTE: 20231228: Added by Front-Desk (lamby) @@ -260,7 +261,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata +suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3b3865935a0c04e7428dc9eba9a8ea5a60aa37 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3b3865935a0c04e7428dc9eba9a8ea5a60aa37 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage CVE-2024-28834/gnutls28 for buster LTS.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: f4cd486e by Guilhem Moulin at 2024-04-03T13:18:32+02:00 Triage CVE-2024-28834/gnutls28 for buster LTS. Deterministic ECDSA/DSA [RFC6979] support was added in 3.6.10 https://lists.gnupg.org/pipermail/gnutls-help/2019-September/004574.html - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3511,9 +3511,12 @@ CVE-2024-28835 (A flaw has been discovered in GnuTLS where an application crash CVE-2024-28834 (A flaw was found in GnuTLS. The Minerva attack is a cryptographic vuln ...) [experimental] - gnutls28 3.8.4-1 - gnutls28 3.8.4-2 (bug #1067464) + [buster] - gnutls28 (Vulnerable code not present) NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1516 NOTE: https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2023-12-04 + NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/1c4701ffc342259fc5965d5a0de90d87f780e3e5 + NOTE: Introduced with: https://gitlab.com/gnutls/gnutls/-/merge_requests/1051 (gnutls_3_6_10) CVE-2024-28635 (Cross Site Scripting (XSS) vulnerability in SurveyJS Survey Creator v. ...) NOT-FOR-US: SurveyJS Survey Creator CVE-2024-25294 (An SSRF issue in REBUILD v.3.5 allows a remote attacker to obtain sens ...) = data/dla-needed.txt = 
@@ -87,9 +87,6 @@ frr NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) -- -gnutls28 (guilhem) - NOTE: 20240323: Added by Front-Desk (ta) --- gtkwave NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4cd486e5e92d36c48f328d150c08e0eb8fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4cd486e5e92d36c48f328d150c08e0eb8fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
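Review bot: the added "Fixed by:" NOTE for CVE-2024-28834 carries no upstream release tag while the "Introduced with:" line immediately after it carries "(gnutls_3_6_10)"; the fixed upstream version is already visible in the entry's own context ("[experimental] - gnutls28 3.8.4-1", "- gnutls28 3.8.4-2"), so appending "(3.8.4)" to the Fixed by line keeps the two references symmetric. The buster "(Vulnerable code not present)" annotation rests on the 3.6.10 introduction stated in the commit message, which the "Introduced with:" line now preserves in the data file itself.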
[Git][security-tracker-team/security-tracker][master] Add an emacs note.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: fcad6410 by Chris Lamb at 2024-04-03T12:12:27+01:00 Add an emacs note. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -67,6 +67,10 @@ edk2 -- emacs NOTE: 20240403: Added by Front-Desk (lamby) + NOTE: 20240403: Needs someone with a little familiarity with Lisp — by my + NOTE: 20240403: eye, the version of emacs in LTS may not be vulnerable to, + NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable + NOTE: 20240403: to CVE-2024-30203. (lamby) -- expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcad6410006df4c605343b5a411b587176653cde -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcad6410006df4c605343b5a411b587176653cde You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Track fixed version for gnutls28 via unstable
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: d23808f7 by Guilhem Moulin at 2024-04-03T13:03:41+02:00 Track fixed version for gnutls28 via unstable - - - - - 9f2fe389 by Guilhem Moulin at 2024-04-03T13:03:41+02:00 Triage CVE-2024-28835/gnutls28 for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3499,15 +3499,18 @@ CVE-2024-28916 (Xbox Gaming Services Elevation of Privilege Vulnerability) NOT-FOR-US: Microsoft CVE-2024-28835 (A flaw has been discovered in GnuTLS where an application crash can be ...) [experimental] - gnutls28 3.8.4-1 - - gnutls28 (bug #1067463) + - gnutls28 3.8.4-2 (bug #1067463) + [buster] - gnutls28 (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2269084 NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1525 NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1527 NOTE: https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2024-01-23 + NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d + NOTE: Introduced with: https://gitlab.com/gnutls/gnutls/-/commit/d268f19510a95f92d11d8f8dc7d94fcae4d765cc (3.7.0) CVE-2024-28834 (A flaw was found in GnuTLS. The Minerva attack is a cryptographic vuln ...) [experimental] - gnutls28 3.8.4-1 - - gnutls28 (bug #1067464) + - gnutls28 3.8.4-2 (bug #1067464) NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1516 NOTE: https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2023-12-04 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/629d78c693ffb754c909e3d529b440d55a20330d...9f2fe38981959d8cf73873194da84640e0adf617 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/629d78c693ffb754c909e3d529b440d55a20330d...9f2fe38981959d8cf73873194da84640e0adf617 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
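Review bot: within this change the two GnuTLS entries are triaged asymmetrically: CVE-2024-28835 receives the buster "(Vulnerable code not present)" line plus "Fixed by:" and "Introduced with:" references, whereas CVE-2024-28834 only gets the "3.8.4-2" fixed version. Since both are closed by the same upload (bugs #1067463 and #1067464), the same per-release triage and upstream references should be recorded for CVE-2024-28834, or the entry should be left visibly marked as still to be triaged for buster.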
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage emacs for buster LTS (CVE-2024-30202,...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 629d78c6 by Chris Lamb at 2024-04-03T11:50:14+01:00 data/dla-needed.txt: Triage emacs for buster LTS (CVE-2024-30202, CVE-2024-30203, CVE-2024-30204 CVE-2024-30205) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -65,6 +65,9 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- +emacs + NOTE: 20240403: Added by Front-Desk (lamby) +-- expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20230324: slowly making progress, seems that I've just defeated CVE-2023-52425 :) (tobi) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/629d78c693ffb754c909e3d529b440d55a20330d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/629d78c693ffb754c909e3d529b440d55a20330d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
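Review bot: the commit message names the CVEs being triaged (CVE-2024-30202, CVE-2024-30203, CVE-2024-30204, CVE-2024-30205) but the added emacs entry records only "Added by Front-Desk (lamby)"; other entries in dla-needed.txt carry the scope in a note (the gtkwave entry has "NOTE: 20240116: For CVE-2023-32650 etc."). Listing the CVEs in a NOTE line keeps the scope of the work visible to whoever claims the package, without having to search the git log.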
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage pillow for buster LTS (CVE-2024-28219)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c382a956 by Chris Lamb at 2024-04-03T11:42:59+01:00 data/dla-needed.txt: Triage pillow for buster LTS (CVE-2024-28219) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -196,6 +196,9 @@ pdns-recursor (dleidert) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- +pillow + NOTE: 20240403: Added by Front-Desk (lamby) +-- putty (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c382a9561269fe28f6ddff26925ca1905514a571 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c382a9561269fe28f6ddff26925ca1905514a571 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
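Review bot: the added pillow entry records only "Added by Front-Desk (lamby)" although the commit message identifies the issue as CVE-2024-28219; a second NOTE line naming the CVE ("NOTE: 20240403: For CVE-2024-28219 (lamby)") would tell the person claiming the package what is expected without consulting the commit history.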
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b887e69a by Salvatore Bonaccorso at 2024-04-03T11:37:16+02:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -115,41 +115,41 @@ CVE-2024-30336 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution V CVE-2024-30166 (In Mbed TLS 3.3.0 through 3.5.2 before 3.6.0, a malicious client can c ...) TODO: check CVE-2024-2879 (The LayerSlider plugin for WordPress is vulnerable to SQL Injection vi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2322 (The WooCommerce Cart Abandonment Recovery WordPress plugin before 1.2. ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-29734 (Uncontrolled search path element issue exists in SonicDICOM Media View ...) - TODO: check + NOT-FOR-US: SonicDICOM Media Viewer CVE-2024-29434 (An issue in the system image upload interface of Alldata v0.4.6 allows ...) - TODO: check + NOT-FOR-US: Alldata CVE-2024-29432 (Alldata v0.4.6 was discovered to contain a SQL injection vulnerability ...) - TODO: check + NOT-FOR-US: Alldata CVE-2024-28836 (An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When negotiati ...) TODO: check CVE-2024-28755 (An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL co ...) TODO: check CVE-2024-28589 (An issue was discovered in Axigen Mail Server for Windows versions 10. ...) - TODO: check + NOT-FOR-US: Axigen Mail Server for Windows CVE-2024-28515 (Buffer Overflow vulnerability in CSAPP_Lab CSAPP Lab3 15-213 Fall 20xx ...) - TODO: check + NOT-FOR-US: CSAPP_Lab CSAPP Lab3 15-213 Fall 20xx CVE-2024-27605 (Alldata V0.4.6 is vulnerable to Insecure Permissions. Using users (tes ...) - TODO: check + NOT-FOR-US: Alldata CVE-2024-27604 (Alldata V0.4.6 is vulnerable to Command execution vulnerability. Syste ...) - TODO: check + NOT-FOR-US: Alldata CVE-2024-27602 (Alldata V0.4.6 is vulnerable to Incorrect Access Control. A total of m ...) - TODO: check + NOT-FOR-US: Alldata CVE-2024-26495 (Cross Site Scripting (XSS) vulnerability in Friendica versions after v ...) 
- TODO: check + NOT-FOR-US: Friendica CVE-2024-25864 (Server Side Request Forgery (SSRF) vulnerability in Friendica versions ...) - TODO: check + NOT-FOR-US: Friendica CVE-2024-25075 (An issue was discovered in Softing uaToolkit Embedded before 1.41.1. W ...) - TODO: check + NOT-FOR-US: Softing uaToolkit Embedded CVE-2024-24724 (Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSetting ...) TODO: check CVE-2024-24506 (Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edit ...) TODO: check CVE-2024-1327 (The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cro ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-35764 (Insufficient verification of data authenticity issue in Survey Maker p ...) TODO: check CVE-2023-34423 (Survey Maker prior to 3.6.4 contains a stored cross-site scripting vul ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b887e69ab96b79d7fcbaaf06c702a196f71ae198
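Review bot: CVE-2024-24724 (Gibbon), CVE-2024-24506 (Lime Survey Community Edition) and the two Survey Maker entries (CVE-2023-35764, CVE-2023-34423) are left at `TODO: check` in this hunk while the neighbouring web applications (Alldata, Friendica, Softing uaToolkit, the WordPress plugins) are all resolved to NOT-FOR-US; if those four are likewise not packaged in Debian they should get the same triage in a follow-up so the region does not stay half-processed. The three Mbed TLS entries (CVE-2024-30166, CVE-2024-28836, CVE-2024-28755) are correctly kept open, since mbedtls is a Debian source package and they need a package/version line rather than a NOT-FOR-US.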
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f4b16bb by Salvatore Bonaccorso at 2024-04-03T10:46:56+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3,25 +3,25 @@ CVE-2024-3248 (In Xpdf 4.05 (and earlier), a PDF object loop in the attachments CVE-2024-3247 (In Xpdf 4.05 (and earlier), a PDF object loop in an object stream lead ...) TODO: check CVE-2024-3227 (A vulnerability was found in Panwei eoffice OA up to 9.5. It has been ...) - TODO: check + NOT-FOR-US: Panwei eoffice OA CVE-2024-3226 (A vulnerability was found in Campcodes Online Patient Record Managemen ...) - TODO: check + NOT-FOR-US: Campcodes Online Patient Record Management System CVE-2024-3225 (A vulnerability was found in SourceCodester PHP Task Management System ...) - TODO: check + NOT-FOR-US: SourceCodester PHP Task Management System CVE-2024-3224 (A vulnerability has been found in SourceCodester PHP Task Management S ...) - TODO: check + NOT-FOR-US: SourceCodester PHP Task Management System CVE-2024-3223 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester PHP Task Management System CVE-2024-3222 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester PHP Task Management System CVE-2024-3221 (A vulnerability classified as critical was found in SourceCodester PHP ...) - TODO: check + NOT-FOR-US: SourceCodester PHP Task Management System CVE-2024-3218 (A vulnerability classified as critical has been found in Shibang Commu ...) - TODO: check + NOT-FOR-US: Shibang Communications IP Network Intercom Broadcasting System CVE-2024-3209 (A vulnerability was found in UPX up to 4.2.2. It has been rated as cri ...) TODO: check CVE-2024-3207 (A vulnerability was found in ermig1979 Simd up to 6.0.134. It has been ...) - TODO: check + NOT-FOR-US: ermig1979 Simd CVE-2024-3205 (A vulnerability was found in yaml libyaml up to 0.2.5 and classified a ...) TODO: check CVE-2024-3204 (A vulnerability has been found in c-blosc2 up to 2.13.2 and classified ...) 
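Review bot: CVE-2024-3209 (UPX), CVE-2024-3205 (libyaml) and CVE-2024-3204 (c-blosc2) stay at `TODO: check` in this hunk, which is the right state for software Debian ships (UPX as upx-ucl and libyaml certainly are), but they now sit between fully triaged NOT-FOR-US neighbours and still need a source-package line with an affected/fixed version before this region of the file is consistent. The expanded NOT-FOR-US labels (for example "Shibang Communications IP Network Intercom Broadcasting System" for CVE-2024-3218, whose imported description is truncated at "Shibang Commu") are helpful because they make the product greppable where the one-line description is cut off.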
@@ -29,89 +29,89 @@ CVE-2024-3204 (A vulnerability has been found in c-blosc2 up to 2.13.2 and class CVE-2024-3203 (A vulnerability, which was classified as critical, was found in c-blos ...) TODO: check CVE-2024-3202 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: codelyfe Stupid Simple CMS CVE-2024-3162 (The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cro ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31013 (Cross Site Scripting (XSS) vulnerability in emlog version Pro 2.3, all ...) - TODO: check + NOT-FOR-US: emlog CVE-2024-31012 (An issue was discovered in SEMCMS v.4.8, allows remote attackers to ex ...) - TODO: check + NOT-FOR-US: SEMCMS CVE-2024-31011 (Arbitrary file write vulnerability in beescms v.4.0, allows a remote a ...) - TODO: check + NOT-FOR-US: beescms CVE-2024-31010 (SQL injection vulnerability in SEMCMS v.4.8, allows a remote attacker ...) - TODO: check + NOT-FOR-US: SEMCMS CVE-2024-31009 (SQL injection vulnerability in SEMCMS v.4.8, allows a remote attacker ...) - TODO: check + NOT-FOR-US: SEMCMS CVE-2024-31008 (An issue was discovered in WUZHICMS version 4.1.0, allows an attacker ...) - TODO: check + NOT-FOR-US: WUZHICMS CVE-2024-30998 (SQL Injection vulnerability in PHPGurukul Men Salon Management System ...) - TODO: check + NOT-FOR-US: PHPGurukul Men Salon Management System CVE-2024-30371 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30370 (RARLAB WinRAR Mark-Of-The-Web Bypass Vulnerability. This vulnerability ...) TODO: check CVE-2024-30367 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30365 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) 
- TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30364 (Foxit PDF Reader U3D File Parsing Out-Of-Bounds Read Information Discl ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30363 (Foxit PDF Reader U3D File Parsing Out-Of-Bounds Read Information Discl ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader CVE-2024-30362 (Foxit PDF Reader PDF File Parsing Use-After-Free Remote Code Execution ...) - TODO: check + NOT-FOR-US: Foxit PDF Reader
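Review bot: the hunk header announces an 89-line region but the archived mail stops at CVE-2024-30362, so only the visible part can be reviewed here. Within it, CVE-2024-30370 (RARLAB WinRAR Mark-Of-The-Web Bypass) is the single entry left at `TODO: check` between the Foxit PDF Reader NOT-FOR-US entries; Mark-of-the-Web is a Windows-only mechanism (the Zone.Identifier stream set by browsers), so unless the non-free rar/unrar packages are affected this is most likely another NOT-FOR-US and should be resolved rather than left open alongside the others.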
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cbf589b9 by security tracker role at 2024-04-03T08:11:40+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,159 @@ +CVE-2024-3248 (In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads ...) + TODO: check +CVE-2024-3247 (In Xpdf 4.05 (and earlier), a PDF object loop in an object stream lead ...) + TODO: check +CVE-2024-3227 (A vulnerability was found in Panwei eoffice OA up to 9.5. It has been ...) + TODO: check +CVE-2024-3226 (A vulnerability was found in Campcodes Online Patient Record Managemen ...) + TODO: check +CVE-2024-3225 (A vulnerability was found in SourceCodester PHP Task Management System ...) + TODO: check +CVE-2024-3224 (A vulnerability has been found in SourceCodester PHP Task Management S ...) + TODO: check +CVE-2024-3223 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2024-3222 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check +CVE-2024-3221 (A vulnerability classified as critical was found in SourceCodester PHP ...) + TODO: check +CVE-2024-3218 (A vulnerability classified as critical has been found in Shibang Commu ...) + TODO: check +CVE-2024-3209 (A vulnerability was found in UPX up to 4.2.2. It has been rated as cri ...) + TODO: check +CVE-2024-3207 (A vulnerability was found in ermig1979 Simd up to 6.0.134. It has been ...) + TODO: check +CVE-2024-3205 (A vulnerability was found in yaml libyaml up to 0.2.5 and classified a ...) + TODO: check +CVE-2024-3204 (A vulnerability has been found in c-blosc2 up to 2.13.2 and classified ...) + TODO: check +CVE-2024-3203 (A vulnerability, which was classified as critical, was found in c-blos ...) + TODO: check +CVE-2024-3202 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2024-3162 (The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cro ...) + TODO: check +CVE-2024-31013 (Cross Site Scripting (XSS) vulnerability in emlog version Pro 2.3, all ...) 
+ TODO: check +CVE-2024-31012 (An issue was discovered in SEMCMS v.4.8, allows remote attackers to ex ...) + TODO: check +CVE-2024-31011 (Arbitrary file write vulnerability in beescms v.4.0, allows a remote a ...) + TODO: check +CVE-2024-31010 (SQL injection vulnerability in SEMCMS v.4.8, allows a remote attacker ...) + TODO: check +CVE-2024-31009 (SQL injection vulnerability in SEMCMS v.4.8, allows a remote attacker ...) + TODO: check +CVE-2024-31008 (An issue was discovered in WUZHICMS version 4.1.0, allows an attacker ...) + TODO: check +CVE-2024-30998 (SQL Injection vulnerability in PHPGurukul Men Salon Management System ...) + TODO: check +CVE-2024-30371 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30370 (RARLAB WinRAR Mark-Of-The-Web Bypass Vulnerability. This vulnerability ...) + TODO: check +CVE-2024-30367 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30365 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30364 (Foxit PDF Reader U3D File Parsing Out-Of-Bounds Read Information Discl ...) + TODO: check +CVE-2024-30363 (Foxit PDF Reader U3D File Parsing Out-Of-Bounds Read Information Discl ...) + TODO: check +CVE-2024-30362 (Foxit PDF Reader PDF File Parsing Use-After-Free Remote Code Execution ...) + TODO: check +CVE-2024-30361 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30360 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30359 (Foxit PDF Reader AcroForm 3D Out-Of-Bounds Read Remote Code Execution ...) + TODO: check +CVE-2024-30358 (Foxit PDF Reader AcroForm User-After-Free Remote Code Execution Vulner ...) + TODO: check +CVE-2024-30357 (Foxit PDF Reader AcroForm Annotation Type Confusion Remote Code Execut ...) 
+ TODO: check +CVE-2024-30356 (Foxit PDF Reader AcroForm Out-Of-Bounds Read Information Disclosure Vu ...) + TODO: check +CVE-2024-30355 (Foxit PDF Reader AcroForm Out-Of-Bounds Write Remote Code Execution Vu ...) + TODO: check +CVE-2024-30354 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) + TODO: check +CVE-2024-30353 (Foxit PDF Reader AcroForm Out-Of-Bounds Read Remote Code Execution Vul ...) + TODO: check +CVE-2024-30352 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnera ...) +
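Review bot: the hunk header claims 159 added lines but the archived mail is cut off after CVE-2024-30352, so the trailing entries of this automatic import are not reviewable here. Two observations on the visible part: every new entry lands as `TODO: check`, which is the expected output of the automated feed import and is what the two "Process NFUs" commits above work through; and the description imported for CVE-2024-30358 reads "User-After-Free", upstream's typo for Use-After-Free. That text is copied verbatim from the CVE feed, so nothing should be edited locally, but anyone bulk-triaging the Foxit entries by grepping for "Use-After-Free" will miss that one.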
[Git][security-tracker-team/security-tracker][master] Track fixed versions for chromium via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e0352852 by Salvatore Bonaccorso at 2024-04-03T08:23:23+02:00 Track fixed versions for chromium via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2024-3159 - - chromium + - chromium 123.0.6312.105-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-3158 - - chromium + - chromium 123.0.6312.105-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-3156 - - chromium + - chromium 123.0.6312.105-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-3151 (A vulnerability, which was classified as problematic, was found in Bdt ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0352852eaf9f6c47e201f5c6737183caef85cb2
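Review bot: the three chromium entries (CVE-2024-3159, CVE-2024-3158, CVE-2024-3156) now record 123.0.6312.105-1 as the fixed version for unstable, with bullseye kept at `(see #1061268)` and buster at `(see DSA 5046)`, which matches the commit message; what is missing is a `NOTE:` line with the upstream release announcement for 123.0.6312.105 under each CVE, so the fixed version cannot be cross-checked from the entry alone. Adding that one line per CVE would also make it obvious later which upstream stable-channel release the three share.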