[Git][security-tracker-team/security-tracker][master] 3 commits: Claim knot-resolver and wordpress in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c336754 by Markus Koschany at 2024-04-06T07:39:03+02:00 Claim knot-resolver and wordpress in dla-needed.txt - - - - - c9dfd707 by Markus Koschany at 2024-04-06T07:39:56+02:00 Claim jetty9 in dsa-needed.txt - - - - - aa44a82e by Markus Koschany at 2024-04-06T07:49:26+02:00 CVE-2024-21733,tomcat9: buster is postponed Minor issue. Tests fail. Needs more investigation but is not critical. - - - - - 3 changed files: - data/CVE/list - data/dla-needed.txt - data/dsa-needed.txt Changes: = data/CVE/list = @@ -19167,6 +19167,7 @@ CVE-2023-28743 (Improper input validation for some Intel NUC BIOS firmware befor CVE-2024-21733 (Generation of Error Message Containing Sensitive Information vulnerabi ...) - tomcat9 9.0.53-1 [bullseye] - tomcat9 (Minor issue, fix along in next update) + [buster] - tomcat9 (Minor issue, fix along in next update) NOTE: https://www.openwall.com/lists/oss-security/2024/01/19/2 NOTE: https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a (9.0.44) CVE-2024-23387 (FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability ...) = data/dla-needed.txt = @@ -114,7 +114,7 @@ jenkins-htmlunit-core-js jetty9 (Markus Koschany) NOTE: 20240303: Added by Front-Desk (apo) -- -knot-resolver +knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) @@ -301,7 +301,7 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -wordpress +wordpress (Markus Koschany) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) = data/dsa-needed.txt = 
@@ -31,7 +31,7 @@ gpac/oldstable -- h2o (jmm) -- -jetty9 +jetty9 (apo) -- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/80daa719eb36088138336e3dde00f0092652b90e...aa44a82e33686e44233c73cf7cdb6f0da3e0bf53 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/80daa719eb36088138336e3dde00f0092652b90e...aa44a82e33686e44233c73cf7cdb6f0da3e0bf53 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
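Review bot: In the data/CVE/list hunk, the new `[buster] - tomcat9 (Minor issue, fix along in next update)` line copies the bullseye parenthetical verbatim, while the commit message gives a different reason for postponing buster (tests fail, needs more investigation). Put that reason in the buster annotation, e.g. `[buster] - tomcat9 (Minor issue; tests fail, needs more investigation)`, so the next LTS worker sees why it was postponed without reading git history.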
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3779-1 for tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 80daa719 by Markus Koschany at 2024-04-06T07:15:20+02:00 Reserve DLA-3779-1 for tomcat9 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Apr 2024] DLA-3779-1 tomcat9 - security update + {CVE-2024-23672 CVE-2024-24549} + [buster] - tomcat9 9.0.31-1~deb10u12 [01 Apr 2024] DLA-3778-1 libvirt - security update {CVE-2020-10703 CVE-2020-12430 CVE-2020-25637 CVE-2021-3631 CVE-2021-3667 CVE-2021-3975 CVE-2021-4147 CVE-2022-0897 CVE-2024-1441 CVE-2024-2494 CVE-2024-2496} [buster] - libvirt 5.0.0-4+deb10u2 = data/dla-needed.txt = @@ -287,9 +287,6 @@ tinymce NOTE: 20240404: May be v. difficult to backport and/or not even vulnerable. (lamby) NOTE: 20240404: Check Ola's commit message in 21503da906. (lamby) -- -tomcat9 (Markus Koschany) - NOTE: 20240121: Added by Front-Desk (apo) --- tzdata (Emilio) NOTE: 20240327: Added by pochu -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80daa719eb36088138336e3dde00f0092652b90e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80daa719eb36088138336e3dde00f0092652b90e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
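Review bot: The second hunk removes the whole tomcat9 entry from data/dla-needed.txt, including its `NOTE: 20240121: Added by Front-Desk (apo)` history, but the commit message only says `Reserve DLA-3779-1 for tomcat9`. Mention the dla-needed.txt removal in the message, and if any tomcat9 CVE in buster remains postponed rather than covered by the two CVEs listed in the DLA entry, leave a dated NOTE on the CVE entry so that state is not lost when the package leaves the list.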
[Git][security-tracker-team/security-tracker][master] LTS: take org-mode in dla-needed.txt
Sean Whitton pushed to branch master at Debian Security Tracker / security-tracker Commits: 74041693 by Sean Whitton at 2024-04-06T12:27:50+08:00 LTS: take org-mode in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -200,7 +200,7 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) -- -org-mode +org-mode (Sean Whitton) NOTE: 20240405: Added by Front-Desk (lamby) -- pdns-recursor (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7404169348bac511a2532dc6727f8b7bea5e5218 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7404169348bac511a2532dc6727f8b7bea5e5218 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take emacs in dla-needed.txt
Sean Whitton pushed to branch master at Debian Security Tracker / security-tracker Commits: d5dcdb71 by Sean Whitton at 2024-04-06T12:25:05+08:00 LTS: take emacs in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -68,7 +68,7 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- -emacs +emacs (Sean Whitton) NOTE: 20240403: Added by Front-Desk (lamby) NOTE: 20240403: Needs someone with a little familiarity with Lisp — by my NOTE: 20240403: eye, the version of emacs in LTS may not be vulnerable to, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5dcdb7126c1bb0036e2bb70ae973058b097c78f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5dcdb7126c1bb0036e2bb70ae973058b097c78f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5692/wordpress
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c6d1022 by Salvatore Bonaccorso at 2024-04-05T22:50:02+02:00 Add CVE-2023-5692/wordpress - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -115,7 +115,8 @@ CVE-2023-6523 (Authorization Bypass Through User-Controlled Key vulnerability in CVE-2023-6522 (Improper Privilege Management vulnerability in ExtremePacs Extreme XDS ...) NOT-FOR-US: ExtremePacs Extreme XDS CVE-2023-5692 (WordPress Core is vulnerable to Sensitive Information Exposure in vers ...) - TODO: check + - wordpress 6.5+dfsg1-1 + NOTE: https://core.trac.wordpress.org/changeset/57645 CVE-2023-49965 (SpaceX Starlink Wi-Fi router Gen 2 before 2023.48.0 allows XSS via the ...) NOT-FOR-US: SpaceX Starlink Wi-Fi router CVE-2023-48426 (u-boot bug that allows for u-boot shell and interrupt over UART) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c6d1022b75ab2c4db616558a16e1af88f875fc1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c6d1022b75ab2c4db616558a16e1af88f875fc1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
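Review bot: The CVE-2023-5692 entry records only the fixed unstable version `wordpress 6.5+dfsg1-1` and the upstream changeset; no `[bookworm]` or `[bullseye]` lines are added, so both stable suites are shown as affected with no triage decision attached. Add the suite lines, or a NOTE that stable triage is pending, so the status is explicit rather than implied.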
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-2380/check-mk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 87ccc4d4 by Salvatore Bonaccorso at 2024-04-05T22:44:34+02:00 Add CVE-2024-2380/check-mk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37,7 +37,7 @@ CVE-2024-2499 (The Squelch Tabs and Accordions Shortcodes plugin for WordPress i CVE-2024-2447 (Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x bef ...) - mattermost-server (bug #823556) CVE-2024-2380 (Stored XSS in graph rendering in Checkmk <2.3.0b4.) - TODO: check + - check-mk CVE-2024-2312 (GRUB2 does not call the module fini functions on exit, leading to Debi ...) - grub2 2.12-2 [bookworm] - grub2 (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87ccc4d4dc45fb1bbb0580282a8225f2199100d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87ccc4d4dc45fb1bbb0580282a8225f2199100d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
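Review bot: The CVE-2024-2380 entry adds `- check-mk` with no version and no reference. The description already names the fixed upstream release (Checkmk 2.3.0b4), so add a NOTE with the upstream advisory or fix commit, as the neighbouring entries do (e.g. the `NOTE:` lines under CVE-2024-2312), and record the fixed Debian version or a bug number once known.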
[Git][security-tracker-team/security-tracker][master] Add new CVEs for mattermost-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d66ad4b by Salvatore Bonaccorso at 2024-04-05T22:39:57+02:00 Add new CVEs for mattermost-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35,7 +35,7 @@ CVE-2024-31213 (InstantCMS is a free and open source content management system. CVE-2024-2499 (The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vul ...) NOT-FOR-US: WordPress plugin CVE-2024-2447 (Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x bef ...) - TODO: check + - mattermost-server (bug #823556) CVE-2024-2380 (Stored XSS in graph rendering in Checkmk <2.3.0b4.) TODO: check CVE-2024-2312 (GRUB2 does not call the module fini functions on exit, leading to Debi ...) @@ -89,9 +89,9 @@ CVE-2024-29739 (In tmu_get_temp_lut of tmu.c, there is a possible out of bounds CVE-2024-29738 (In gov_init, there is a possible out of bounds read due to a missing b ...) NOT-FOR-US: Android CVE-2024-29221 (Improper Access Control in Mattermost Server versions 9.5.x before 9.5 ...) - TODO: check + - mattermost-server (bug #823556) CVE-2024-28949 (Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3 ...) - TODO: check + - mattermost-server (bug #823556) CVE-2024-28065 (In Unify CP IP Phone firmware 1.10.4.3, files are not encrypted and co ...) NOT-FOR-US: Unify CP IP Phone firmware CVE-2024-27232 (In asn1_ec_pkey_parse of asn1_common.c, there is a possible OOB read d ...) 
@@ -101,7 +101,7 @@ CVE-2024-27231 (In tmu_get_tr_stats of tmu.c, there is a possible out of bounds CVE-2024-22004 (Due to length check, an attacker with privilege access on a Linux Nons ...) TODO: check CVE-2024-21848 (Improper Access Control in Mattermost Server versions 8.1.x before 8.1 ...) - TODO: check + - mattermost-server (bug #823556) CVE-2024-0081 (NVIDIA NeMo framework for Ubuntu contains a vulnerability in tools/asr ...) TODO: check CVE-2024-0080 (NVIDIA nvTIFF Library for Windows and Linux contains a vulnerability w ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d66ad4ba491b105b758dee6b5abcddffb9d7265 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d66ad4ba491b105b758dee6b5abcddffb9d7265 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
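Review bot: All five Mattermost entries across the three hunks reuse the single reference `(bug #823556)` with no fixed version. If that is a package-level tracking bug rather than a per-CVE report, a short NOTE saying so on one of the entries would stop the next triager from looking for a bug per CVE; if it is meant to track each CVE individually, the bug should list them.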
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d8b7f0e3 by Salvatore Bonaccorso at 2024-04-05T22:33:24+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,21 +1,21 @@ CVE-2024-3354 (A vulnerability was found in SourceCodester Aplaya Beach Resort Online ...) - TODO: check + NOT-FOR-US: SourceCodester Aplaya Beach Resort Online Reservation System CVE-2024-3353 (A vulnerability was found in SourceCodester Aplaya Beach Resort Online ...) - TODO: check + NOT-FOR-US: SourceCodester Aplaya Beach Resort Online Reservation System CVE-2024-3352 (A vulnerability has been found in SourceCodester Aplaya Beach Resort O ...) - TODO: check + NOT-FOR-US: SourceCodester Aplaya Beach Resort Online Reservation System CVE-2024-3351 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Aplaya Beach Resort Online Reservation System CVE-2024-3350 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Aplaya Beach Resort Online Reservation System CVE-2024-3349 (A vulnerability classified as critical was found in SourceCodester Apl ...) - TODO: check + NOT-FOR-US: SourceCodester Aplaya Beach Resort Online Reservation System CVE-2024-3348 (A vulnerability classified as critical has been found in SourceCodeste ...) - TODO: check + NOT-FOR-US: SourceCodester Aplaya Beach Resort Online Reservation System CVE-2024-3347 (A vulnerability was found in SourceCodester Airline Ticket Reservation ...) - TODO: check + NOT-FOR-US: SourceCodester Airline Ticket Reservation System CVE-2024-3346 (A vulnerability was found in Byzro Smart S80 up to 20240328. It has be ...) - TODO: check + NOT-FOR-US: Byzro Smart S80 CVE-2024-31852 (LLVM before 18.1.3 generates code in which the LR register can be over ...) TODO: check CVE-2024-31851 (A path traversal vulnerability exists in the Java version of CData Syn ...) 
@@ -27,13 +27,13 @@ CVE-2024-31849 (A path traversal vulnerability exists in the Java version of CDa CVE-2024-31848 (A path traversal vulnerability exists in the Java version of CData API ...) TODO: check CVE-2024-31220 (Sunshine is a self-hosted game stream host for Moonlight. Starting in ...) - TODO: check + NOT-FOR-US: Sunshine CVE-2024-31218 (Webhood is a self-hosted URL scanner used analyzing phishing and malic ...) - TODO: check + NOT-FOR-US: Webhood CVE-2024-31213 (InstantCMS is a free and open source content management system. An ope ...) - TODO: check + NOT-FOR-US: InstantCMS CVE-2024-2499 (The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vul ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2447 (Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x bef ...) TODO: check CVE-2024-2380 (Stored XSS in graph rendering in Checkmk <2.3.0b4.) 
@@ -45,59 +45,59 @@ CVE-2024-2312 (GRUB2 does not call the module fini functions on exit, leading to [buster] - grub2 (Vulnerable code not present) NOTE: https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127 CVE-2024-29783 (In tmu_get_tr_thresholds, there is a possible out of bounds read due t ...) - TODO: check + NOT-FOR-US: Android CVE-2024-29782 (In tmu_get_tr_num_thresholds of tmu.c, there is a possible out of boun ...) - TODO: check + NOT-FOR-US: Android CVE-2024-29757 (there is a possible permission bypass due to Debug certs being allowli ...) - TODO: check + NOT-FOR-US: Android CVE-2024-29756 (In afe_callback of q6afe.c, there is a possible out of bounds write du ...) - TODO: check + NOT-FOR-US: Android CVE-2024-29755 (In tmu_get_pi of tmu.c, there is a possible out of bounds read due to ...) - TODO: check + NOT-FOR-US: Android CVE-2024-29754 (In TMU_IPC_GET_TABLE, there is a possible out of bounds read due to a ...) - TODO: check + NOT-FOR-US: Android CVE-2024-29753 (In tmu_set_control_temp_step of tmu.c, there is a possible out of boun ...) - TODO: check + NOT-FOR-US: Android CVE-2024-29752 (In tmu_set_tr_num_thresholds of tmu.c, there is a possible out of boun ...) - TODO: check + NOT-FOR-US: Android CVE-2024-29751 (In asn1_ec_pkey_parse_p384 of asn1_common.c, there is a possible OOB R ...) - TODO: check + NOT-FOR-US: Android CVE-2024-29750 (In km_exp_did_inner of kmv.c, there is a possible out of bounds read d ...) - TODO: check + NOT-FOR-US: Android CVE-2024-29749 (In tmu_set_tr_thresholds of tmu.c, there is a possible out of bounds w ...) - TODO:
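Review bot: In the third hunk (@@ -45,59), CVE-2024-29783 through CVE-2024-29749 are set to `NOT-FOR-US: Android`, but none of the truncated descriptions visible here names Android; they only name functions in tmu.c, q6afe.c, kmv.c and asn1_common.c. One NOTE with the bulletin these CVEs come from would make the NFU decision verifiable from the list itself. The hunk is also cut off after `- TODO:` for CVE-2024-29749 in this notification, so the rest of the change cannot be reviewed here.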
[Git][security-tracker-team/security-tracker][master] 3 commits: Add CVE-2024-2312/grub2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 58fc63bd by Salvatore Bonaccorso at 2024-04-05T22:18:09+02:00 Add CVE-2024-2312/grub2 - - - - - 30951a10 by Salvatore Bonaccorso at 2024-04-05T22:18:12+02:00 Add two c-blosc2 issues (but retain TODO item) - - - - - 00b46a71 by Salvatore Bonaccorso at 2024-04-05T22:18:14+02:00 Add CVE-2020-25730/zoneminder - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39,7 +39,11 @@ CVE-2024-2447 (Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4. CVE-2024-2380 (Stored XSS in graph rendering in Checkmk <2.3.0b4.) TODO: check CVE-2024-2312 (GRUB2 does not call the module fini functions on exit, leading to Debi ...) - TODO: check + - grub2 2.12-2 + [bookworm] - grub2 (Vulnerable code not present) + [bullseye] - grub2 (Vulnerable code not present) + [buster] - grub2 (Vulnerable code not present) + NOTE: https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127 CVE-2024-29783 (In tmu_get_tr_thresholds, there is a possible out of bounds read due t ...) TODO: check CVE-2024-29782 (In tmu_get_tr_num_thresholds of tmu.c, there is a possible out of boun ...) @@ -1244,8 +1248,10 @@ CVE-2024-3205 (A vulnerability was found in yaml libyaml up to 0.2.5 and classif NOTE: https://vuldb.com/?submit.304561 NOTE: https://github.com/yaml/libyaml/issues/289 CVE-2024-3204 (A vulnerability has been found in c-blosc2 up to 2.13.2 and classified ...) + - c-blosc2 TODO: check CVE-2024-3203 (A vulnerability, which was classified as critical, was found in c-blos ...) + - c-blosc2 TODO: check CVE-2024-3202 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: codelyfe Stupid Simple CMS 
@@ -256994,7 +257000,8 @@ CVE-2020-25732 CVE-2020-25731 RESERVED CVE-2020-25730 (Cross Site Scripting (XSS) vulnerability in ZoneMinder before version ...) - TODO: check + - zoneminder 1.34.21-1 + NOTE: Fixed by: https://github.com/ZoneMinder/zoneminder/commit/9268db14a79c4ccd444c2bf8d24e62b13207b413 (1.34.21) CVE-2020-25729 (ZoneMinder before 1.34.21 has XSS via the connkey parameter to downloa ...) - zoneminder 1.34.21-1 (unimportant) NOTE: https://github.com/ZoneMinder/zoneminder/commit/9268db14a79c4ccd444c2bf8d24e62b13207b413 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5467c83017e246ff2f48d84d96a2716fa5727cdb...00b46a7148e0f68c6860ce966d100c5b68251c99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5467c83017e246ff2f48d84d96a2716fa5727cdb...00b46a7148e0f68c6860ce966d100c5b68251c99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
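Review bot: In the c-blosc2 hunk, `- c-blosc2` is added to CVE-2024-3204 and CVE-2024-3203 while `TODO: check` is kept; a NOTE with the upstream issue or vuldb reference, as the libyaml entry directly above has (`NOTE: https://vuldb.com/?submit.304561`), would say what is still to be checked.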
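Review bot: In the last hunk, CVE-2020-25730 is marked fixed in `zoneminder 1.34.21-1` by commit 9268db14a79c4ccd444c2bf8d24e62b13207b413, the same commit the context lines cite for CVE-2020-25729, which carries `(unimportant)`. Either apply the same severity to CVE-2020-25730 or note why two XSS issues fixed by one commit are rated differently.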
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5467c830 by security tracker role at 2024-04-05T20:12:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,17 +1,135 @@ -CVE-2024-27437 [vfio/pci: Disable auto-enable of exclusive INTx IRQ] +CVE-2024-3354 (A vulnerability was found in SourceCodester Aplaya Beach Resort Online ...) + TODO: check +CVE-2024-3353 (A vulnerability was found in SourceCodester Aplaya Beach Resort Online ...) + TODO: check +CVE-2024-3352 (A vulnerability has been found in SourceCodester Aplaya Beach Resort O ...) + TODO: check +CVE-2024-3351 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2024-3350 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check +CVE-2024-3349 (A vulnerability classified as critical was found in SourceCodester Apl ...) + TODO: check +CVE-2024-3348 (A vulnerability classified as critical has been found in SourceCodeste ...) + TODO: check +CVE-2024-3347 (A vulnerability was found in SourceCodester Airline Ticket Reservation ...) + TODO: check +CVE-2024-3346 (A vulnerability was found in Byzro Smart S80 up to 20240328. It has be ...) + TODO: check +CVE-2024-31852 (LLVM before 18.1.3 generates code in which the LR register can be over ...) + TODO: check +CVE-2024-31851 (A path traversal vulnerability exists in the Java version of CData Syn ...) + TODO: check +CVE-2024-31850 (A path traversal vulnerability exists in the Java version of CData Arc ...) + TODO: check +CVE-2024-31849 (A path traversal vulnerability exists in the Java version of CData Con ...) + TODO: check +CVE-2024-31848 (A path traversal vulnerability exists in the Java version of CData API ...) + TODO: check +CVE-2024-31220 (Sunshine is a self-hosted game stream host for Moonlight. Starting in ...) + TODO: check +CVE-2024-31218 (Webhood is a self-hosted URL scanner used analyzing phishing and malic ...) + TODO: check +CVE-2024-31213 (InstantCMS is a free and open source content management system. An ope ...) + TODO: check +CVE-2024-2499 (The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vul ...) 
+ TODO: check +CVE-2024-2447 (Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x bef ...) + TODO: check +CVE-2024-2380 (Stored XSS in graph rendering in Checkmk <2.3.0b4.) + TODO: check +CVE-2024-2312 (GRUB2 does not call the module fini functions on exit, leading to Debi ...) + TODO: check +CVE-2024-29783 (In tmu_get_tr_thresholds, there is a possible out of bounds read due t ...) + TODO: check +CVE-2024-29782 (In tmu_get_tr_num_thresholds of tmu.c, there is a possible out of boun ...) + TODO: check +CVE-2024-29757 (there is a possible permission bypass due to Debug certs being allowli ...) + TODO: check +CVE-2024-29756 (In afe_callback of q6afe.c, there is a possible out of bounds write du ...) + TODO: check +CVE-2024-29755 (In tmu_get_pi of tmu.c, there is a possible out of bounds read due to ...) + TODO: check +CVE-2024-29754 (In TMU_IPC_GET_TABLE, there is a possible out of bounds read due to a ...) + TODO: check +CVE-2024-29753 (In tmu_set_control_temp_step of tmu.c, there is a possible out of boun ...) + TODO: check +CVE-2024-29752 (In tmu_set_tr_num_thresholds of tmu.c, there is a possible out of boun ...) + TODO: check +CVE-2024-29751 (In asn1_ec_pkey_parse_p384 of asn1_common.c, there is a possible OOB R ...) + TODO: check +CVE-2024-29750 (In km_exp_did_inner of kmv.c, there is a possible out of bounds read d ...) + TODO: check +CVE-2024-29749 (In tmu_set_tr_thresholds of tmu.c, there is a possible out of bounds w ...) + TODO: check +CVE-2024-29748 (there is a possible way to bypass due to a logic error in the code. T ...) + TODO: check +CVE-2024-29747 (In _dvfs_get_lv of dvfs.c, there is a possible out of bounds read due ...) + TODO: check +CVE-2024-29746 (In lpm_req_handler of lpm.c, there is a possible out of bounds write d ...) + TODO: check +CVE-2024-29745 (there is a possible Information Disclosure due to uninitialized data. ...) 
+ TODO: check +CVE-2024-29744 (In tmu_get_gov_time_windows, there is a possible out of bounds read du ...) + TODO: check +CVE-2024-29743 (In tmu_set_temp_lut of tmu.c, there is a possible out of bounds write ...) + TODO: check +CVE-2024-29742 (In apply_minlock_constraint of dvfs.c, there is a possible out of boun ...) + TODO: check +CVE-2024-29741 (In pblS2mpuResume of s2mpu.c, there is a possible mitigation bypass du ...) + TODO: check +CVE-2024-29740 (In tmu_set_table of tmu.c, there is a
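Review bot: The first line of this hunk removes `CVE-2024-27437 [vfio/pci: Disable auto-enable of exclusive INTx IRQ]` from the top of data/CVE/list, and the notification is cut off before it shows where the manually added kernel-sec entries (CVE-2024-27437, CVE-2024-26814, CVE-2024-26813, CVE-2024-26812, CVE-2024-26810 from commit 1991234a) are re-inserted. Check in the full diff that the automatic update only re-ordered those entries and did not drop their `- linux` and `NOTE:` lines.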
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-3209/upx-ucl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f55066a9 by Salvatore Bonaccorso at 2024-04-05T21:55:56+02:00 Add CVE-2024-3209/upx-ucl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1117,7 +1117,8 @@ CVE-2024-3221 (A vulnerability classified as critical was found in SourceCodeste CVE-2024-3218 (A vulnerability classified as critical has been found in Shibang Commu ...) NOT-FOR-US: Shibang Communications IP Network Intercom Broadcasting System CVE-2024-3209 (A vulnerability was found in UPX up to 4.2.2. It has been rated as cri ...) - TODO: check + - upx-ucl + TODO: check upstream report status, seems not filled as issue CVE-2024-3207 (A vulnerability was found in ermig1979 Simd up to 6.0.134. It has been ...) NOT-FOR-US: ermig1979 Simd CVE-2024-3205 (A vulnerability was found in yaml libyaml up to 0.2.5 and classified a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f55066a9fcaa3603f065356699cc591438c81dfe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f55066a9fcaa3603f065356699cc591438c81dfe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
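Review bot: In the new TODO line, `seems not filled as issue` should read `seems not filed as issue`. Also, `- upx-ucl` carries no version, so a NOTE with the report the description is derived from (vuldb or the upstream tracker) would give the next triager something concrete to check against.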
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-28871/libhtp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a9100fb6 by Salvatore Bonaccorso at 2024-04-05T21:52:18+02:00 Add CVE-2024-28871/libhtp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -143,7 +143,13 @@ CVE-2024-29191 (gotortc is a camera streaming application. Versions 1.8.5 and pr CVE-2024-29182 (Collabora Online is a collaborative online office suite based on Libre ...) NOT-FOR-US: Collabora Online CVE-2024-28871 (LibHTP is a security-aware parser for the HTTP protocol and the relate ...) - TODO: check + - libhtp 1:0.5.47-1 + [bookworm] - libhtp (Vulnerable code introduced in 0.5.46) + [bullseye] - libhtp (Vulnerable code introduced in 0.5.46) + NOTE: https://github.com/OISF/libhtp/security/advisories/GHSA-ffr2-45w9-7wmg + NOTE: Introduced by: https://github.com/OISF/libhtp/commit/bf618ec7f243cebfb0f7e84c3cb158955cb32b4d (0.5.46) + NOTE: Fixed by: https://github.com/OISF/libhtp/commit/79e713f3e527593a45f545e854cd9e6fbb3cd3ed (0.5.47) + NOTE: https://redmine.openinfosecfoundation.org/issues/6757 CVE-2024-28787 (IBM Security Verify Access 10.0.0 through 10.0.7 and IBM Application G ...) NOT-FOR-US: IBM CVE-2024-27575 (Directory Traversal vulnerability in INOTEC Sicherheitstechnik GmbH IN ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9100fb6b7837f0e3e2d3d859d2bb0c96900c509 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9100fb6b7837f0e3e2d3d859d2bb0c96900c509 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
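Review bot: bookworm and bullseye are annotated as not affected because the vulnerable code arrived in 0.5.46 (per the `Introduced by:` NOTE), but the hunk adds no `[buster]` line. If buster's libhtp also predates 0.5.46, add the same annotation so the LTS team does not repeat the bisection; if it does not, the missing line leaves buster implicitly affected, which is worth stating explicitly.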
[Git][security-tracker-team/security-tracker][master] Associate CVE-2024-31498 with yubikey-manager-qt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a02a1890 by Salvatore Bonaccorso at 2024-04-05T20:54:47+02:00 Associate CVE-2024-31498 with yubikey-manager-qt Issue is in the src:yubikey-manager-qt providing the ykman-gui tool itself. But retain the not-affected status as it is very specific to the Qt GUI running on Windows and when Edge is missing. So handle is similar to firefox, firefox-esr when issue is Windows specific. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31,7 +31,8 @@ CVE-2024-3311 (A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has be CVE-2024-3217 (The WP Directory Kit plugin for WordPress is vulnerable to SQL Injecti ...) NOT-FOR-US: WordPress plugin CVE-2024-31498 (ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, when Edge ...) - NOT-FOR-US: ykman-gui + - yubikey-manager-qt (Only affects ykman-gui on Windows) + NOTE: https://www.yubico.com/support/security-advisories/ysa-2024-01/ CVE-2024-31212 (InstantCMS is a free and open source content management system. A SQL ...) NOT-FOR-US: InstantCMS CVE-2024-31210 (WordPress is an open publishing platform for the Web. It's possible fo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a02a189003ccd1868b6ade237ec7fc35e39578c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a02a189003ccd1868b6ade237ec7fc35e39578c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2024-22189 yet as unfixed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 93b2d601 by Salvatore Bonaccorso at 2024-04-05T20:50:41+02:00 Mark CVE-2024-22189 yet as unfixed Please double-check if you agree with me. But the current 0.38.2-1 code fetched from unstable, does not containt the required changes connection.go, framer.go and the test. Link: https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -182,7 +182,7 @@ CVE-2024-25690 (There is an HTML injection vulnerability in Esri Portal for ArcG CVE-2024-25007 (Ericsson Network Manager (ENM), versions prior to 23.1, contains a vul ...) NOT-FOR-US: Ericsson Network Manager CVE-2024-22189 (quic-go is an implementation of the QUIC protocol in Go. Prior to vers ...) - - golang-github-lucas-clemente-quic-go 0.38.2-1 + - golang-github-lucas-clemente-quic-go [bookworm] - golang-github-lucas-clemente-quic-go (Minor issue) [bullseye] - golang-github-lucas-clemente-quic-go (Minor issue) NOTE: https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93b2d601754e84b06b1b23d93a3f6a07ae50efe0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93b2d601754e84b06b1b23d93a3f6a07ae50efe0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
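Review bot: The hunk turns the unstable entry into an unfixed `- golang-github-lucas-clemente-quic-go`, but the reason (0.38.2-1 lacks the connection.go and framer.go changes) and the upstream fix commit exist only in the commit message. Add them as `NOTE:` lines under the GHSA reference, e.g. `NOTE: Fixed by: https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a`, so the entry explains itself and the "please double-check" request has a concrete pointer.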
[Git][security-tracker-team/security-tracker][master] Add Linux CVEs from kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1991234a by Salvatore Bonaccorso at 2024-04-05T20:37:10+02:00 Add Linux CVEs from kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,19 @@ +CVE-2024-27437 [vfio/pci: Disable auto-enable of exclusive INTx IRQ] + - linux + NOTE: https://git.kernel.org/linus/fe9a7082684eb059b925c535682e68c34d487d43 (6.9-rc1) +CVE-2024-26814 [vfio/fsl-mc: Block calling interrupt handler without trigger] + - linux + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/7447d911af699a15f8d050dfcb7c680a86f87012 (6.9-rc1) +CVE-2024-26813 [vfio/platform: Create persistent IRQ handlers] + - linux + NOTE: https://git.kernel.org/linus/675daf435e9f8e5a5eab140a9864dfad6668b375 (6.9-rc1) +CVE-2024-26812 [vfio/pci: Create persistent INTx handler] + - linux + NOTE: https://git.kernel.org/linus/18c198c96a815c962adc2b9b77909eec0be7df4d (6.9-rc1) +CVE-2024-26810 [vfio/pci: Lock external INTx masking ops] + - linux + NOTE: https://git.kernel.org/linus/810cd4bb53456d0503cc4e7934e063835152c1b7 (6.9-rc1) CVE-2024-24746 NOT-FOR-US: Apache NimBLE CVE-2024-3321 (A vulnerability classified as problematic has been found in SourceCode ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1991234af55456dcf32a0081423f26843e3bbc6a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1991234af55456dcf32a0081423f26843e3bbc6a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
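Review bot: Only CVE-2024-26814 gets `[buster] - linux (Vulnerable code not present)`; the other four vfio entries (CVE-2024-27437, CVE-2024-26813, CVE-2024-26812, CVE-2024-26810) have no buster line, so buster reads as affected pending a fix. If that is intended, fine; if the vfio/pci and vfio/platform code paths in buster were checked and the issue is absent, add the same annotation for consistency.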
[Git][security-tracker-team/security-tracker][master] Add reference to regression bug for xorg-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bc45566 by Salvatore Bonaccorso at 2024-04-05T20:27:36+02:00 Add reference to regression bug for xorg-server - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -94,7 +94,7 @@ wpa -- xorg-server (carnil) Regression by last round: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 - Holding back update until addressed + Holding back update until addressed, cf. #1068470 -- zabbix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bc45566df674169ac45cebaa2512036e8c7b934 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bc45566df674169ac45cebaa2512036e8c7b934 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 434878ad by Moritz Muehlenhoff at 2024-04-05T20:19:39+02:00 bullseye/bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3748,18 +3748,26 @@ CVE-2024-28386 (An issue in Home-Made.io fastmagsync v.1.7.51 and before allows NOT-FOR-US: PrestaShop module CVE-2024-28246 (KaTeX is a JavaScript library for TeX math rendering on the web. Code ...) - node-katex 0.16.10+~cs6.1.0-1 (bug #1067805) + [bookworm] - node-katex (Minor issue) + [bullseye] - node-katex (Minor issue) NOTE: https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329 NOTE: https://github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de (v0.16.10) CVE-2024-28245 (KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX ...) - node-katex 0.16.10+~cs6.1.0-1 (bug #1067805) + [bookworm] - node-katex (Minor issue) + [bullseye] - node-katex (Minor issue) NOTE: https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h NOTE: https://github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770 (v0.16.10) CVE-2024-28244 (KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX ...) - node-katex 0.16.10+~cs6.1.0-1 (bug #1067805) + [bookworm] - node-katex (Minor issue) + [bullseye] - node-katex (Minor issue) NOTE: https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc NOTE: https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2 (v0.16.10) CVE-2024-28243 (KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX ...) - node-katex 0.16.10+~cs6.1.0-1 (bug #1067805) + [bookworm] - node-katex (Minor issue) + [bullseye] - node-katex (Minor issue) NOTE: https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w NOTE: https://github.com/KaTeX/KaTeX/commit/e88b4c357f978b1bca8edfe3297f0aa309bcbe34 (v0.16.10) CVE-2024-28183 (ESP-IDF is the development framework for Espressif SoCs supported on W ...) 
@@ -4057,11 +4065,10 @@ CVE-2024-27280 [Buffer overread vulnerability in StringIO] TODO: check details CVE-2024-30161 (In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may acce ...) - qt6-base (bug #1068454) - - qtbase-opensource-src - - qtbase-opensource-src-gles + - qtbase-opensource-src (Only affects Qt6) + - qtbase-opensource-src-gles (Only affects Qt6) NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/544314 NOTE: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=a5b00cefef12999e9a213943855abe6bc0ab5365 - TODO: check details CVE-2024-30156 (Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 L ...) - varnish (bug #1068455) [bookworm] - varnish (Minor issue, too intrusive to backport) @@ -4596,6 +4603,8 @@ CVE-2024-29026 (Owncast is an open source, self-hosted, decentralized, single us NOT-FOR-US: Owncast CVE-2024-29018 (Moby is an open source container framework that is a key component of ...) - docker.io (bug #1068460) + [bookworm] - docker.io (Minor issue) + [bullseye] - docker.io (Minor issue) NOTE: https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx NOTE: https://github.com/moby/moby/pull/46609 CVE-2024-28916 (Xbox Gaming Services Elevation of Privilege Vulnerability) 
@@ -5364,6 +5373,7 @@ CVE-2024-22453 (Dell PowerEdge Server BIOS contains a heap-based buffer overflow NOT-FOR-US: Dell CVE-2024-22412 (ClickHouse is an open-source column-oriented database management syste ...) - clickhouse (bug #1067178) + [bullseye] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-45h5-f7g3-gr8r NOTE: https://github.com/ClickHouse/ClickHouse/pull/58611 CVE-2024-21504 (Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/434878adcf5c83f25c56abbc6f1f1caf7884b32d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/434878adcf5c83f25c56abbc6f1f1caf7884b32d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
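Review bot: in the CVE-2024-30161 hunk, `- qtbase-opensource-src (Only affects Qt6)` and `- qtbase-opensource-src-gles (Only affects Qt6)` keep both Qt5 source packages listed with no version and no status marker, which the tracker reads as unfixed, even though the comment says they are not affected; if Qt5 is out of scope, mark them `<not-affected>` with the same comment so they stop showing up as vulnerable. The `TODO: check details` line is also removed while `qt6-base (bug #1068454)` still has no fixed version and no release tags, so it is worth stating in the commit message that the details were checked and why the Qt6 entry stays open.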
[Git][security-tracker-team/security-tracker][master] xorg-server update will be hold back due to regression
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a47baacf by Salvatore Bonaccorso at 2024-04-05T20:13:37+02:00 xorg-server update will be hold back due to regression - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -93,6 +93,8 @@ webkit2gtk (berto) wpa -- xorg-server (carnil) + Regression by last round: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 + Holding back update until addressed -- zabbix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a47baacf9ad36ff3c1db072d22ae9b8759cf774d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a47baacf9ad36ff3c1db072d22ae9b8759cf774d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove duplicate intel-microcode tracking
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6252d75b by Salvatore Bonaccorso at 2024-04-05T20:10:46+02:00 Remove duplicate intel-microcode tracking - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -420,15 +420,5 @@ CVE-2024-2004 [bookworm] - curl 7.88.1-10+deb12u6 CVE-2024-2398 [bookworm] - curl 7.88.1-10+deb12u6 -CVE-2023-22655 - [bookworm] - intel-microcode 3.20240312.1~deb12u1 -CVE-2023-22655 - [bookworm] - intel-microcode 3.20240312.1~deb12u1 -CVE-2023-38575 - [bookworm] - intel-microcode 3.20240312.1~deb12u1 -CVE-2023-39368 - [bookworm] - intel-microcode 3.20240312.1~deb12u1 -CVE-2023-43490 - [bookworm] - intel-microcode 3.20240312.1~deb12u1 CVE-2023-36328 [bookworm] - libtommath 1.2.0-6+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6252d75b41b6e41c90580130bd900342593b3826 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6252d75b41b6e41c90580130bd900342593b3826 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
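Review bot: the commit message says "Remove duplicate intel-microcode tracking", but the hunk removes all five intel-microcode lines from data/next-point-update.txt (CVE-2023-22655 twice, CVE-2023-38575, CVE-2023-39368 and CVE-2023-43490), not just the repeated CVE-2023-22655 pair. If the point is that intel-microcode 3.20240312.1~deb12u1 for bookworm is already tracked elsewhere and these entries were the duplicate, say so in the message; if only the doubled CVE-2023-22655 entry was meant to go, the other three CVEs should stay.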
[Git][security-tracker-team/security-tracker][master] LTS: claim util-linux in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: f947af41 by Guilhem Moulin at 2024-04-05T18:48:28+02:00 LTS: claim util-linux in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -293,7 +293,7 @@ tomcat9 (Markus Koschany) tzdata (Emilio) NOTE: 20240327: Added by pochu -- -util-linux +util-linux (guilhem) NOTE: 20240405: Added by Front-Desk (lamby) -- varnish View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f947af41b54ec8150b8722dbc3930bd143615bd9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f947af41b54ec8150b8722dbc3930bd143615bd9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage util-linux for buster LTS (CVE-2024-28085)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 51644175 by Chris Lamb at 2024-04-05T17:29:37+01:00 data/dla-needed.txt: Triage util-linux for buster LTS (CVE-2024-28085) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -293,6 +293,9 @@ tomcat9 (Markus Koschany) tzdata (Emilio) NOTE: 20240327: Added by pochu -- +util-linux + NOTE: 20240405: Added by Front-Desk (lamby) +-- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5164417582c505bfa41a8d07ad428f22cb5e9f6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5164417582c505bfa41a8d07ad428f22cb5e9f6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage org-mode for buster LTS (CVE-2024-30205)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d7d0512 by Chris Lamb at 2024-04-05T17:25:13+01:00 data/dla-needed.txt: Triage org-mode for buster LTS (CVE-2024-30205) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -200,6 +200,9 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) -- +org-mode + NOTE: 20240405: Added by Front-Desk (lamby) +-- pdns-recursor (dleidert) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d7d05124c7cb1547205aa24add78521c9b35e90 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d7d05124c7cb1547205aa24add78521c9b35e90 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add offending commit for CVE-2024-30202/emacs.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 50cb1e64 by Chris Lamb at 2024-04-05T17:22:09+01:00 Add offending commit for CVE-2024-30202/emacs. - - - - - 35aa10ed by Chris Lamb at 2024-04-05T17:23:19+01:00 Triage CVE-2024-30202 in emacs for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3710,11 +3710,13 @@ CVE-2024-30202 (In Emacs before 29.3, arbitrary Lisp code is evaluated as part o - emacs 1:29.3+1-1 (bug #1067630) - org-mode 9.6.23+dfsg-1 (bug #1067663) [bookworm] - org-mode (Produces only a dependency binary package) + [buster] - org-mode (Vulnerable code not present; added in tag release_9.5) NOTE: https://www.openwall.com/lists/oss-security/2024/03/24/1 NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29=befa9fcaae29a6c9a283ba371c3c5234c7f644eb NOTE: https://list.orgmode.org/87o7b3eczr@bzg.fr/T/#t NOTE: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9 + NOTE: Introduced by: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8abdbbee395f284f2262a89187d662eaf40080b1 NOTE: org-mode/9.5.2+dfsh-5 dropped all lisp files from the produced binary packages NOTE: making an empty dependency package only. CVE-2024-2865 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/448af4d061ce1f57359a5779d6418b8bdfd89606...35aa10ed36622f1dca7f6d3c54dd548111f14e7a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/448af4d061ce1f57359a5779d6418b8bdfd89606...35aa10ed36622f1dca7f6d3c54dd548111f14e7a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 448af4d0 by Moritz Muehlenhoff at 2024-04-05T17:16:16+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66,8 +66,8 @@ CVE-2024-3299 (Out-Of-Bounds Write, Use of Uninitialized Resource and Use-After- CVE-2024-3298 (Out-Of-Bounds Write and Type Confusion vulnerabilities exist in the fi ...) NOT-FOR-US: Solidworks CVE-2024-3262 (Information exposure vulnerability in RT software affecting version 4. ...) - - request-tracker4 - - request-tracker5 + - request-tracker4 (bug #1068452) + - request-tracker5 (bug #1068453) NOTE: https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a NOTE: https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe CVE-2024-3250 (It was discovered that Canonical's Pebble service manager read-file AP ...) @@ -3641,7 +3641,7 @@ CVE-2024-29199 (Nautobot is a Network Source of Truth and Network Automation Pla CVE-2024-29196 (phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, ...) NOT-FOR-US: phpMyFAQ CVE-2024-29195 (The azure-c-shared-utility is a C library for AMQP/MQTT communication ...) - - azure-uamqp-python + - azure-uamqp-python (bug #1068457) NOTE: https://github.com/Azure/azure-c-shared-utility/security/advisories/GHSA-m8wp-hc7w-x4xg NOTE: https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2 CVE-2024-29189 (PyAnsys Geometry is a Python client library for the Ansys Geometry ser ...) 
@@ -4054,14 +4054,14 @@ CVE-2024-27280 [Buffer overread vulnerability in StringIO] NOTE: https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/ TODO: check details CVE-2024-30161 (In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may acce ...) - - qt6-base + - qt6-base (bug #1068454) - qtbase-opensource-src - qtbase-opensource-src-gles NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/544314 NOTE: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=a5b00cefef12999e9a213943855abe6bc0ab5365 TODO: check details CVE-2024-30156 (Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 L ...) - - varnish + - varnish (bug #1068455) [bookworm] - varnish (Minor issue, too intrusive to backport) [bullseye] - varnish (Minor issue, too intrusive to backport) NOTE: https://varnish-cache.org/security/VSV00014.html @@ -4593,7 +4593,7 @@ CVE-2024-29032 (Qiskit IBM Runtime is an environment that streamlines quantum co CVE-2024-29026 (Owncast is an open source, self-hosted, decentralized, single user liv ...) NOT-FOR-US: Owncast CVE-2024-29018 (Moby is an open source container framework that is a key component of ...) - - docker.io + - docker.io (bug #1068460) NOTE: https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx NOTE: https://github.com/moby/moby/pull/46609 CVE-2024-28916 (Xbox Gaming Services Elevation of Privilege Vulnerability) 
@@ -4863,117 +4863,117 @@ CVE-2024-2124 (The Translate WordPress and go Multilingual \u2013 Weglot plugin CVE-2024-28715 (Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows ...) NOT-FOR-US: DOraCMS CVE-2024-28584 (Null Pointer Dereference vulnerability in open source FreeImage v.3.19 ...) - - freeimage + - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28583 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - - freeimage + - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28582 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - - freeimage + - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28581 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - - freeimage + - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) NOTE:
[Git][security-tracker-team/security-tracker][master] libtommath spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dddb9983 by Moritz Mühlenhoff at 2024-04-05T16:40:11+02:00 libtommath spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -430,3 +430,5 @@ CVE-2023-39368 [bookworm] - intel-microcode 3.20240312.1~deb12u1 CVE-2023-43490 [bookworm] - intel-microcode 3.20240312.1~deb12u1 +CVE-2023-36328 + [bookworm] - libtommath 1.2.0-6+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dddb9983c53eea820a67eb7109f466d69931329b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dddb9983c53eea820a67eb7109f466d69931329b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] curl, intel-microcode spus
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e2efcd30 by Moritz Mühlenhoff at 2024-04-05T16:10:19+02:00 curl, intel-microcode spus - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -416,3 +416,17 @@ CVE-2024-26804 [bookworm] - linux 6.1.82-1 CVE-2024-26805 [bookworm] - linux 6.1.82-1 +CVE-2024-2004 + [bookworm] - curl 7.88.1-10+deb12u6 +CVE-2024-2398 + [bookworm] - curl 7.88.1-10+deb12u6 +CVE-2023-22655 + [bookworm] - intel-microcode 3.20240312.1~deb12u1 +CVE-2023-22655 + [bookworm] - intel-microcode 3.20240312.1~deb12u1 +CVE-2023-38575 + [bookworm] - intel-microcode 3.20240312.1~deb12u1 +CVE-2023-39368 + [bookworm] - intel-microcode 3.20240312.1~deb12u1 +CVE-2023-43490 + [bookworm] - intel-microcode 3.20240312.1~deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2efcd305c59acdecf1cf257b567599e66934953 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2efcd305c59acdecf1cf257b567599e66934953 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
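Review bot: CVE-2023-22655 is added twice in this hunk, both times as `[bookworm] - intel-microcode 3.20240312.1~deb12u1`, while CVE-2023-38575, CVE-2023-39368 and CVE-2023-43490 each appear once; drop one of the two CVE-2023-22655 entries so the point-update list does not carry a duplicate.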
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a4f5e667 by Moritz Muehlenhoff at 2024-04-05T15:59:05+02:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -88,12 +88,14 @@ CVE-2024-30263 (macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pd NOT-FOR-US: PDF Viewer Macro for XWiki CVE-2024-30261 (Undici is an HTTP/1.1 client, written from scratch for Node.js. An att ...) - node-undici 5.28.4+dfsg1+~cs23.12.11-1 + [bookworm] - node-undici (Minor issue) NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672 NOTE: https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055 (v5.28.4) NOTE: https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3 (v6.11.1) NOTE: https://hackerone.com/reports/2377760 CVE-2024-30260 (Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici ...) - node-undici 5.28.4+dfsg1+~cs23.12.11-1 + [bookworm] - node-undici (Minor issue) NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7 NOTE: https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f (v5.28.4) NOTE: https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75 (v6.11.1) @@ -446,7 +448,9 @@ CVE-2023-45288 (An attacker may cause an HTTP/2 endpoint to read arbitrary amoun - golang-1.22 1.22.2-1 - golang-1.21 1.21.9-1 - golang-1.19 + [bookworm] - golang-1.19 (Minor issue) - golang-1.15 + [bullseye] - golang-1.15 (Minor issue) - golang-1.11 - golang-golang-x-net 1:0.23.0+dfsg-1 NOTE: https://github.com/golang/go/issues/65051 
@@ -1920,6 +1924,7 @@ CVE-2024- [mediawiki: XSS in edit summary parser] CVE-2024- [mediawiki: Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages] - mediawiki 1:1.39.7-1 [bookworm] - mediawiki 1:1.39.7-1~deb12u1 + [bullseye] - mediawiki 1:1.35.13-1+deb11u2 NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/V3WXEPXV2DU6WTVEKK4XHW4QXD5OFKD7/ NOTE: https://phabricator.wikimedia.org/T357760 NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1015423 @@ -3269,11 +3274,12 @@ CVE-2023-46046 (An issue in MiniZinc before 2.8.0 allows a NULL pointer derefere NOTE: https://github.com/MiniZinc/libminizinc/commit/afe67acc20898e4308044b54c4acf7a08df544f0 (2.8.0) NOTE: Negligible security impact, crash in CLI tool CVE-2023-45935 (Qt 6 through 6.6 was discovered to contain a NULL pointer dereference ...) - - qt6-base - - qtbase-opensource-src - - qtbase-opensource-src-gles + - qt6-base (unimportant) + - qtbase-opensource-src (unimportant) + - qtbase-opensource-src-gles (unimportant) NOTE: https://bugreports.qt.io/browse/QTBUG-115599 NOTE: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=df77d8939d1c04aa18833fe1e141bb71af1f8e04 (v6.5.3) + NOTE: No security impact CVE-2023-45931 (Mesa 23.0.4 was discovered to contain a NULL pointer dereference in ch ...) - mesa (unimportant) NOTE: https://gitlab.freedesktop.org/mesa/mesa/-/issues/9859 
@@ -4056,6 +4062,8 @@ CVE-2024-30161 (In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component ma TODO: check details CVE-2024-30156 (Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 L ...) - varnish + [bookworm] - varnish (Minor issue, too intrusive to backport) + [bullseye] - varnish (Minor issue, too intrusive to backport) NOTE: https://varnish-cache.org/security/VSV00014.html NOTE: https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2024-30156 NOTE: https://github.com/varnishcache/varnish-cache/commit/c0201724f0280894ec714fe76fc26ba9831f0551 (varnish-7.5.0) @@ -5198,6 +5206,7 @@ CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory` c - python3.11 3.11.8-1 - python3.10 - python3.9 + [bullseye] - python3.9 (Minor issue) - python3.7 - python2.7 (tempfile.TemporaryDirectory added in 3.2) NOTE: https://github.com/python/cpython/pull/99930 @@ -7324,6 +7333,7 @@ CVE-2023-28746 (Information exposure through microarchitectural state after tran [buster] - intel-microcode (Decide after exposure on unstable for update) - linux 6.7.9-2 - xen + [bookworm] - xen (Minor issue, fix along in next DSA) [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1)
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e2b6b534 by Moritz Muehlenhoff at 2024-04-05T15:07:19+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2024-24746 + NOT-FOR-US: Apache NimBLE CVE-2024-3321 (A vulnerability classified as problematic has been found in SourceCode ...) NOT-FOR-US: SourceCodester eLearning System CVE-2024-3320 (A vulnerability was found in SourceCodester eLearning System 1.0. It h ...) @@ -75344,7 +75346,7 @@ CVE-2023-25701 CVE-2023-25700 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-25699 (Improper Neutralization of Special Elements used in an OS Command ('OS ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25698 (Cross-Site Request Forgery (CSRF) vulnerability in Studio Wombat Shopp ...) NOT-FOR-US: WordPress plugin CVE-2023-25697 @@ -76981,9 +76983,9 @@ CVE-2023-25202 CVE-2023-25201 (Cross Site Request Forgery (CSRF) vulnerability in MultiTech Conduit A ...) NOT-FOR-US: MultiTech Conduit AP MTCAP2-L4E1 CVE-2023-25200 (An HTML injection vulnerability exists in the MT Safeline X-Ray X3310 ...) - TODO: check + NOT-FOR-US: MT Safeline X-Ray CVE-2023-25199 (A reflected cross-site scripting (XSS) vulnerability exists in the MT ...) - TODO: check + NOT-FOR-US: MT Safeline X-Ray CVE-2023-0687 (A vulnerability was found in GNU C Library 2.38. It has been declared ...) NOTE: Not considered a security issue NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29444 
@@ -221082,7 +221084,7 @@ CVE-2021-27314 (SQL injection in admin.php in doctor appointment system 1.0 allo CVE-2021-27313 RESERVED CVE-2021-27312 (Server Side Request Forgery (SSRF) vulnerability in Gleez Cms 1.2.0, a ...) - TODO: check + NOT-FOR-US: Gleez Cms CVE-2021-27311 RESERVED CVE-2021-27310 (Clansphere CMS 2011.4 allows unauthenticated reflected XSS via "langua ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2b6b5341d0aef09423ad75303b9bb2fd8c5f53c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2b6b5341d0aef09423ad75303b9bb2fd8c5f53c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] node-undici fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a89342c3 by Moritz Muehlenhoff at 2024-04-05T14:53:15+02:00 node-undici fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -85,13 +85,13 @@ CVE-2024-30266 (wasmtime is a runtime for WebAssembly. The 19.0.0 release of Was CVE-2024-30263 (macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. ...) NOT-FOR-US: PDF Viewer Macro for XWiki CVE-2024-30261 (Undici is an HTTP/1.1 client, written from scratch for Node.js. An att ...) - - node-undici + - node-undici 5.28.4+dfsg1+~cs23.12.11-1 NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672 NOTE: https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055 (v5.28.4) NOTE: https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3 (v6.11.1) NOTE: https://hackerone.com/reports/2377760 CVE-2024-30260 (Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici ...) - - node-undici + - node-undici 5.28.4+dfsg1+~cs23.12.11-1 NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7 NOTE: https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f (v5.28.4) NOTE: https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75 (v6.11.1) 
@@ -13216,7 +13216,7 @@ CVE-2024-25113 CVE-2024-25083 (An issue was discovered in BeyondTrust Privilege Management for Window ...) NOT-FOR-US: BeyondTrust CVE-2024-24758 (Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici ...) - - node-undici (bug #1064312) + - node-undici 5.28.4+dfsg1+~cs23.12.11-1 (bug #1064312) [bookworm] - node-undici (Minor issue) NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3 NOTE: https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef (v6.6.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a89342c36c8eb6085720538f1c760321b56aeff3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a89342c36c8eb6085720538f1c760321b56aeff3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] apache2 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 04fbea48 by Moritz Muehlenhoff at 2024-04-05T14:50:35+02:00 apache2 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -338,15 +338,15 @@ CVE-2024-26745 (In the Linux kernel, the following vulnerability has been resolv [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/09a3c1e46142199adcee372a420b024b4fc61051 (6.8-rc7) CVE-2024-24795 (HTTP Response splitting in multiple modules in Apache HTTP Server allo ...) - - apache2 (bug #1068412) + - apache2 2.4.59-1 (bug #1068412) NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/5 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-24795 CVE-2023-38709 (Faulty input validation in the core of Apache allows malicious or expl ...) - - apache2 (bug #1068412) + - apache2 2.4.59-1 (bug #1068412) NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/3 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-38709 CVE-2024-27316 (HTTP/2 incoming headers exceeding the limit are temporarily buffered i ...) - - apache2 (bug #1068412) + - apache2 2.4.59-1 (bug #1068412) NOTE: https://www.kb.cert.org/vuls/id/421644 NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/4 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-27316 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04fbea48826254275aee0759c0c8d38e255abc01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04fbea48826254275aee0759c0c8d38e255abc01 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c2f14b1 by Moritz Muehlenhoff at 2024-04-05T14:39:03+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -110,57 +110,57 @@ CVE-2024-2660 (Vault and Vault Enterprise TLS certificates auth method did not c CVE-2024-2103 (Inclusion of undocumented features vulnerability accessible when logge ...) NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2024-29387 (projeqtor up to 11.2.0 was discovered to contain a remote code executi ...) - TODO: check + NOT-FOR-US: projeqtor CVE-2024-29386 (projeqtor up to 11.2.0 was discovered to contain a SQL injection vulne ...) - TODO: check + NOT-FOR-US: projeqtor CVE-2024-29193 (gotortc is a camera streaming application. Versions 1.8.5 and prior ar ...) - TODO: check + NOT-FOR-US: gotortc CVE-2024-29192 (gotortc is a camera streaming application. Versions 1.8.5 and prior ar ...) - TODO: check + NOT-FOR-US: gotortc CVE-2024-29191 (gotortc is a camera streaming application. Versions 1.8.5 and prior ar ...) - TODO: check + NOT-FOR-US: gotortc CVE-2024-29182 (Collabora Online is a collaborative online office suite based on Libre ...) - TODO: check + NOT-FOR-US: Collabora Online CVE-2024-28871 (LibHTP is a security-aware parser for the HTTP protocol and the relate ...) TODO: check CVE-2024-28787 (IBM Security Verify Access 10.0.0 through 10.0.7 and IBM Application G ...) NOT-FOR-US: IBM CVE-2024-27575 (Directory Traversal vulnerability in INOTEC Sicherheitstechnik GmbH IN ...) - TODO: check + NOT-FOR-US: INOTEC CVE-2024-27268 (IBM WebSphere Application Server Liberty 18.0.0.2 through 24.0.0.3 is ...) NOT-FOR-US: IBM CVE-2024-25709 (There is a stored Cross-site Scripting vulnerability in Esri Portal fo ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25708 (There is a stored Cross-site Scripting vulnerability in Esri Portal fo ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25706 (There is an HTML injection vulnerability in Esri Portal for ArcGIS <=1 ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25705 (There is a cross site scripting vulnerability in the Esri Portal for A ...) 
- TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25704 (There is a stored Cross-site Scripting vulnerability in Esri Portal fo ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25703 (There is a reflected cross site scripting vulnerability in the home ap ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25700 (There is a stored Cross-site Scripting vulnerability in Esri Portal fo ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25699 (There is a difficult to exploit improper authentication issue in the H ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25698 (There is a reflected cross site scripting vulnerability in the home ap ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25697 (There is a Cross-site Scripting vulnerabilityin Portal for ArcGIS in v ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25696 (There is a Cross-site Scripting vulnerability in Portal for ArcGIS in ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25695 (There is a Cross-site Scripting vulnerability in Portal for ArcGIS in ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25693 (There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25692 (There is a cross-site-request forgery vulnerability in Esri Portal for ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25690 (There is an HTML injection vulnerability in Esri Portal for ArcGIS ver ...) - TODO: check + NOT-FOR-US: Esri Portal CVE-2024-25007 (Ericsson Network Manager (ENM), versions prior to 23.1, contains a vul ...) - TODO: check + NOT-FOR-US: Ericsson Network Manager CVE-2024-22189 (quic-go is an implementation of the QUIC protocol in Go. Prior to vers ...) - golang-github-lucas-clemente-quic-go 0.38.2-1 [bookworm] - golang-github-lucas-clemente-quic-go (Minor issue) 
@@ -169,21 +169,21 @@ CVE-2024-22189 (quic-go is an implementation of the QUIC protocol in Go. Prior t NOTE: https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a (v0.42.0) NOTE: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management CVE-2024-22053 (A heap overflow vulnerability in IPSec component of Ivanti Connect Sec ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-22052 (A null pointer dereference
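Review bot: CVE-2024-28871 (LibHTP) is the one entry in the @@ -110,57 hunk left at TODO: check while every neighbouring TODO is resolved to NOT-FOR-US; with a commit message of just "NFUs", a one-line NOTE saying why it stays open would make clear it is a deliberate skip rather than an omission. Minor style point across both hunks: the NOT-FOR-US labels mix product and vendor names (NOT-FOR-US: Esri Portal for a product the descriptions call Portal for ArcGIS, NOT-FOR-US: Ivanti for Ivanti Connect Secure); settling on one convention makes the labels easier to grep later.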
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bc6c1ce0 by Moritz Muehlenhoff at 2024-04-05T13:52:22+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,7 @@ CVE-2024-3311 (A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has be CVE-2024-3217 (The WP Directory Kit plugin for WordPress is vulnerable to SQL Injecti ...) NOT-FOR-US: WordPress plugin CVE-2024-31498 (ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, when Edge ...) - TODO: check + NOT-FOR-US: ykman-gui CVE-2024-31212 (InstantCMS is a free and open source content management system. A SQL ...) NOT-FOR-US: InstantCMS CVE-2024-31210 (WordPress is an open publishing platform for the Web. It's possible fo ...) 
@@ -22,43 +22,43 @@ CVE-2024-31210 (WordPress is an open publishing platform for the Web. It's possi NOTE: https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/ NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x79f-xrjv-jx5r CVE-2024-31206 (dectalk-tts is a Node package to interact with the aeiou Dectalk web A ...) - TODO: check + NOT-FOR-US: Node dectalk-tts CVE-2024-31204 (mailcow: dockerized is an open source groupware/email suite based on d ...) - TODO: check + NOT-FOR-US: mailcow CVE-2024-30891 (A command injection vulnerability exists in /goform/exeCommand in Tend ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-30849 (Arbitrary file upload vulnerability in Sourcecodester Complete E-Comme ...) - TODO: check + NOT-FOR-US: Sourcecodester CVE-2024-30270 (mailcow: dockerized is an open source groupware/email suite based on d ...) - TODO: check + NOT-FOR-US: mailcow CVE-2024-30264 (Typebot is an open-source chatbot builder. A reflected cross-site scri ...) - TODO: check + NOT-FOR-US: Typebot CVE-2024-2509 (The Gutenberg Blocks by Kadence Blocks WordPress plugin before 3.2.26 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2115 (The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vul ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-29981 (Microsoft Edge (Chromium-based) Spoofing Vulnerability) - TODO: check + NOT-FOR-US: Microsoft CVE-2024-29863 (A race condition in the installer executable in Qlik Qlikview before v ...) - TODO: check + NOT-FOR-US: Qlikview CVE-2024-29672 (Directory Traversal vulnerability in zly2006 Reden before v.0.2.514 al ...) - TODO: check + NOT-FOR-US: zly2006 Reden CVE-2024-29049 (Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability) - TODO: check + NOT-FOR-US: Microsoft CVE-2024-27981 (A Command Injection vulnerability found in a Self-Hosted UniFi Network ...) 
- TODO: check + NOT-FOR-US: Unifi CVE-2024-27448 (MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Con ...) - TODO: check + NOT-FOR-US: MailDev 2 CVE-2024-26329 (Chilkat before v9.5.0.98, allows attackers to obtain sensitive informa ...) - TODO: check + NOT-FOR-US: Chilkat CVE-2024-22363 (SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expre ...) - TODO: check + NOT-FOR-US: SheetJS CVE-2024-21894 (A heap overflow vulnerability in IPSec component of Ivanti Connect Sec ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2023-5973 (Brocade Web Interface in Brocade Fabric OS v9.x and before v9.2.0 doe ...) - TODO: check + NOT-FOR-US: Brocade CVE-2023-52235 (SpaceX Starlink Wi-Fi router GEN 2 before 2023.53.0 and Starlink Dish ...) - TODO: check + NOT-FOR-US: SpaceX CVE-2024-3299 (Out-Of-Bounds Write, Use of Uninitialized Resource and Use-After-Free ...) NOT-FOR-US: Solidworks CVE-2024-3298 (Out-Of-Bounds Write and Type Confusion vulnerabilities exist in the fi ...) @@ -69,15 +69,15 @@ CVE-2024-3262 (Information exposure vulnerability in RT software affecting versi NOTE: https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a NOTE: https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe CVE-2024-3250 (It was discovered that Canonical's Pebble service manager read-file AP ...) - TODO: check + NOT-FOR-US: Canonical pebble CVE-2024-3116 (pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerabi ...) - pgadmin4 (bug #834129) CVE-2024-31215 (Mobile Security Framework (MobSF) is a security research platform for ...) NOT-FOR-US: Mobile Security Framework (MobSF) CVE-2024-31209 (oidcc is the OpenID Connect client library for Erlang. Denial of Servi ...) - TODO: check + NOT-FOR-US: oidcc
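Review bot: the NOT-FOR-US: ykman-gui label in the @@ -13,7 hunk drops the qualifier that justifies it; the description limits CVE-2024-31498 to ykman-gui before 1.2.6 on Windows, so the label should carry that (for example NOT-FOR-US: ykman-gui, Windows-only issue) so a later reader does not take it as a statement that the software is absent from Debian. Spelling point in the @@ -22,43 hunk: NOT-FOR-US: Unifi where the description itself writes UniFi.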
[Git][security-tracker-team/security-tracker][master] new quic-go issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 15515a64 by Moritz Muehlenhoff at 2024-04-05T13:09:43+02:00 new quic-go issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -162,7 +162,12 @@ CVE-2024-25690 (There is an HTML injection vulnerability in Esri Portal for ArcG CVE-2024-25007 (Ericsson Network Manager (ENM), versions prior to 23.1, contains a vul ...) TODO: check CVE-2024-22189 (quic-go is an implementation of the QUIC protocol in Go. Prior to vers ...) - TODO: check + - golang-github-lucas-clemente-quic-go 0.38.2-1 + [bookworm] - golang-github-lucas-clemente-quic-go (Minor issue) + [bullseye] - golang-github-lucas-clemente-quic-go (Minor issue) + NOTE: https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478 + NOTE: https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a (v0.42.0) + NOTE: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management CVE-2024-22053 (A heap overflow vulnerability in IPSec component of Ivanti Connect Sec ...) TODO: check CVE-2024-22052 (A null pointer dereference vulnerability in IPSec component of Ivanti ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15515a64c3b96964dfe53e157f3c567e1d6da235 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15515a64c3b96964dfe53e157f3c567e1d6da235 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
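Review bot: the fixed version recorded for unstable, golang-github-lucas-clemente-quic-go 0.38.2-1, is lower than the upstream fix the NOTE line cites, commit 4a99b816 (v0.42.0); either the Debian package carries the fix as a backported patch, in which case a NOTE saying so would spare the next reader re-checking, or the version is wrong and the entry should stay unfixed with a bug reference. A fixed version below the upstream fix tag with no explanation is easily misread as "still affected" in a later audit.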
[Git][security-tracker-team/security-tracker][master] new undertow issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: eae0cbec by Moritz Muehlenhoff at 2024-04-05T13:07:08+02:00 new undertow issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -60948,6 +60948,8 @@ CVE-2023-30468 RESERVED CVE-2023-1973 RESERVED + - undertow + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2185662 CVE-2023-30467 (This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS- ...) NOT-FOR-US: Milesight CVE-2023-30466 (This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS- ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eae0cbec4b3436c98e709317f3d9aacf8dfa3b9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eae0cbec4b3436c98e709317f3d9aacf8dfa3b9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
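Review bot: the new undertow entry has no fixed version and no per-suite annotation, and the CVE line is still RESERVED with nothing but a Red Hat bugzilla link, so the tracker will flag undertow as vulnerable in every suite with no way for a reader to tell what the issue is; the convention elsewhere in this file for a RESERVED id is a bracketed summary on the CVE line (compare CVE-2024-31211 [RCE vulnerability in WP_HTML_Token class] further down this page), and a bug number or at least a NOTE with the affected version range would let the stable suites be triaged.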
[Git][security-tracker-team/security-tracker][master] dla: take xorg-server
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab5df7be by Adrian Bunk at 2024-04-05T13:43:48+03:00 dla: take xorg-server - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -303,7 +303,7 @@ wordpress NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) -- -xorg-server +xorg-server (Adrian Bunk) NOTE: 20240404: Added by Front-Desk (lamby) NOTE: 20240404: Similar to the fixes within DLA-3721-1, these did not warrant a NOTE: 20240404: DSA to src:xwayland as it does not run as root, but they View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab5df7be4deda167535516e17de39f64b73097e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab5df7be4deda167535516e17de39f64b73097e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-31210/wordpress assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 79c9c55f by Salvatore Bonaccorso at 2024-04-05T11:13:05+02:00 CVE-2024-31210/wordpress assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,10 @@ CVE-2024-31498 (ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, whe CVE-2024-31212 (InstantCMS is a free and open source content management system. A SQL ...) NOT-FOR-US: InstantCMS CVE-2024-31210 (WordPress is an open publishing platform for the Web. It's possible fo ...) - TODO: check + - wordpress 6.4.3+dfsg1-1 + [buster] - wordpress 5.0.21+dfsg1-0+deb10u1 + NOTE: https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/ + NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x79f-xrjv-jx5r CVE-2024-31206 (dectalk-tts is a Node package to interact with the aeiou Dectalk web A ...) TODO: check CVE-2024-31204 (mailcow: dockerized is an open source groupware/email suite based on d ...) 
@@ -15245,9 +15248,6 @@ CVE-2024-0985 (Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=d541ce3b6f0582723150f45d52eab119985d3c19 (REL_13_14) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=2699fc035a75d0774c1f013e9320882287f78adb (REL_12_18) NOTE: Commits have wrong CVE mentioned but the correct one is CVE-2024-0985 -CVE-2024- [wordpress 6.4.3 security issues] - - wordpress 6.4.3+dfsg1-1 - NOTE: https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/ CVE-2024-25148 (In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, ...) NOT-FOR-US: Liferay Portal CVE-2024-25146 (Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79c9c55f6487ffe4ba6315af8a8f185c564c7fe8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79c9c55f6487ffe4ba6315af8a8f185c564c7fe8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
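Review bot: the new CVE-2024-31210 entry records the unstable fix 6.4.3+dfsg1-1 and a buster fix 5.0.21+dfsg1-0+deb10u1 but no [bullseye] or [bookworm] line, so both stable suites show as open; the dla-needed.txt context visible in the xorg-server change above (20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and bookworm) suggests a no-dsa annotation, or a dsa-needed entry, belongs in this same change rather than being left implicit. Removing the CVE-2024- [wordpress 6.4.3 security issues] placeholder in the second hunk is fine, but note that it never recorded a bullseye/bookworm status either, so nothing carries over.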
[Git][security-tracker-team/security-tracker][master] CVE-2024-31211/wordpress assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5153f32b by Salvatore Bonaccorso at 2024-04-05T11:10:21+02:00 CVE-2024-31211/wordpress assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16,8 +16,6 @@ CVE-2024-31498 (ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, whe TODO: check CVE-2024-31212 (InstantCMS is a free and open source content management system. A SQL ...) NOT-FOR-US: InstantCMS -CVE-2024-31211 (WordPress is an open publishing platform for the Web. Unserialization ...) - TODO: check CVE-2024-31210 (WordPress is an open publishing platform for the Web. It's possible fo ...) TODO: check CVE-2024-31206 (dectalk-tts is a Node package to interact with the aeiou Dectalk web A ...) 
@@ -27026,11 +27024,12 @@ CVE-2022-48616 (A Huawei data communication product has a command injection vuln NOT-FOR-US: Huawei CVE-2022-48615 (An improper access control vulnerability exists in a Huawei datacom pr ...) NOT-FOR-US: Huawei -CVE-2023- [RCE vulnerability in WP_HTML_Token class] +CVE-2024-31211 [RCE vulnerability in WP_HTML_Token class] - wordpress 6.4.2+dfsg1-1 [bookworm] - wordpress (Vulnerable code not present) [bullseye] - wordpress (Vulnerable code not present) [buster] - wordpress (Vulnerable code not present) + NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m257-q4m5-j653 NOTE: https://wordpress.org/documentation/wordpress-version/version-6-4-2/#installation-update-information NOTE: https://www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remote-code-execution-patched-in-wordpress-6-4-2/ CVE-2023-6536 (A flaw was found in the Linux kernel's NVMe driver. This issue may all ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5153f32b63a3be05cd5897ef40ed68dbe78aa559 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5153f32b63a3be05cd5897ef40ed68dbe78aa559 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
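Review bot: renaming the CVE-2023- placeholder to CVE-2024-31211 in the @@ -27026 hunk keeps the local bracketed summary [RCE vulnerability in WP_HTML_Token class], while the first hunk deletes the line that carried the upstream description (WordPress is an open publishing platform for the Web. Unserialization ...); once an id is assigned, the rest of the file uses the parenthesised upstream text, so consider carrying that description over onto the renamed line so the entry matches its neighbours. The three Vulnerable code not present annotations for bookworm/bullseye/buster are unchanged and still consistent with the 6.4.2+dfsg1-1 fix.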
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 791f5b34 by Salvatore Bonaccorso at 2024-04-05T10:35:25+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,21 +1,21 @@ CVE-2024-3321 (A vulnerability classified as problematic has been found in SourceCode ...) - TODO: check + NOT-FOR-US: SourceCodester eLearning System CVE-2024-3320 (A vulnerability was found in SourceCodester eLearning System 1.0. It h ...) - TODO: check + NOT-FOR-US: SourceCodester eLearning System CVE-2024-3316 (A vulnerability was found in SourceCodester Computer Laboratory Manage ...) - TODO: check + NOT-FOR-US: SourceCodester Computer Laboratory Management System CVE-2024-3315 (A vulnerability was found in SourceCodester Computer Laboratory Manage ...) - TODO: check + NOT-FOR-US: SourceCodester Computer Laboratory Management System CVE-2024-3314 (A vulnerability was found in SourceCodester Computer Laboratory Manage ...) - TODO: check + NOT-FOR-US: SourceCodester Computer Laboratory Management System CVE-2024-3311 (A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has been de ...) - TODO: check + NOT-FOR-US: Dreamer CMS CVE-2024-3217 (The WP Directory Kit plugin for WordPress is vulnerable to SQL Injecti ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31498 (ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, when Edge ...) TODO: check CVE-2024-31212 (InstantCMS is a free and open source content management system. A SQL ...) - TODO: check + NOT-FOR-US: InstantCMS CVE-2024-31211 (WordPress is an open publishing platform for the Web. Unserialization ...) TODO: check CVE-2024-31210 (WordPress is an open publishing platform for the Web. It's possible fo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/791f5b34beb6394e1acae038cb4fa149e266039a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/791f5b34beb6394e1acae038cb4fa149e266039a You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ad12f23c by security tracker role at 2024-04-05T08:11:40+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,63 @@ +CVE-2024-3321 (A vulnerability classified as problematic has been found in SourceCode ...) + TODO: check +CVE-2024-3320 (A vulnerability was found in SourceCodester eLearning System 1.0. It h ...) + TODO: check +CVE-2024-3316 (A vulnerability was found in SourceCodester Computer Laboratory Manage ...) + TODO: check +CVE-2024-3315 (A vulnerability was found in SourceCodester Computer Laboratory Manage ...) + TODO: check +CVE-2024-3314 (A vulnerability was found in SourceCodester Computer Laboratory Manage ...) + TODO: check +CVE-2024-3311 (A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has been de ...) + TODO: check +CVE-2024-3217 (The WP Directory Kit plugin for WordPress is vulnerable to SQL Injecti ...) + TODO: check +CVE-2024-31498 (ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, when Edge ...) + TODO: check +CVE-2024-31212 (InstantCMS is a free and open source content management system. A SQL ...) + TODO: check +CVE-2024-31211 (WordPress is an open publishing platform for the Web. Unserialization ...) + TODO: check +CVE-2024-31210 (WordPress is an open publishing platform for the Web. It's possible fo ...) + TODO: check +CVE-2024-31206 (dectalk-tts is a Node package to interact with the aeiou Dectalk web A ...) + TODO: check +CVE-2024-31204 (mailcow: dockerized is an open source groupware/email suite based on d ...) + TODO: check +CVE-2024-30891 (A command injection vulnerability exists in /goform/exeCommand in Tend ...) + TODO: check +CVE-2024-30849 (Arbitrary file upload vulnerability in Sourcecodester Complete E-Comme ...) + TODO: check +CVE-2024-30270 (mailcow: dockerized is an open source groupware/email suite based on d ...) + TODO: check +CVE-2024-30264 (Typebot is an open-source chatbot builder. A reflected cross-site scri ...) + TODO: check +CVE-2024-2509 (The Gutenberg Blocks by Kadence Blocks WordPress plugin before 3.2.26 ...) 
+ TODO: check +CVE-2024-2115 (The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vul ...) + TODO: check +CVE-2024-29981 (Microsoft Edge (Chromium-based) Spoofing Vulnerability) + TODO: check +CVE-2024-29863 (A race condition in the installer executable in Qlik Qlikview before v ...) + TODO: check +CVE-2024-29672 (Directory Traversal vulnerability in zly2006 Reden before v.0.2.514 al ...) + TODO: check +CVE-2024-29049 (Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability) + TODO: check +CVE-2024-27981 (A Command Injection vulnerability found in a Self-Hosted UniFi Network ...) + TODO: check +CVE-2024-27448 (MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Con ...) + TODO: check +CVE-2024-26329 (Chilkat before v9.5.0.98, allows attackers to obtain sensitive informa ...) + TODO: check +CVE-2024-22363 (SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expre ...) + TODO: check +CVE-2024-21894 (A heap overflow vulnerability in IPSec component of Ivanti Connect Sec ...) + TODO: check +CVE-2023-5973 (Brocade Web Interface in Brocade Fabric OS v9.x and before v9.2.0 doe ...) + TODO: check +CVE-2023-52235 (SpaceX Starlink Wi-Fi router GEN 2 before 2023.53.0 and Starlink Dish ...) + TODO: check CVE-2024-3299 (Out-Of-Bounds Write, Use of Uninitialized Resource and Use-After-Free ...) NOT-FOR-US: Solidworks CVE-2024-3298 (Out-Of-Bounds Write and Type Confusion vulnerabilities exist in the fi ...) 
@@ -7,7 +67,7 @@ CVE-2024-3262 (Information exposure vulnerability in RT software affecting versi - request-tracker5 NOTE: https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a NOTE: https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe -CVE-2024-3250 (It was discovered that Pebble's read-file API and the associated pebbl ...) +CVE-2024-3250 (It was discovered that Canonical's Pebble service manager read-file AP ...) TODO: check CVE-2024-3116 (pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerabi ...) - pgadmin4 (bug #834129) @@ -374,7 +434,7 @@ CVE-2024-1418 (The CGC Maintenance Mode plugin for WordPress is vulnerable to Se NOT-FOR-US: WordPress plugin CVE-2023-52043 (An issue in D-Link COVR 1100, 1102, 1103 AC1200 Dual-Band Whole-Home M ...) NOT-FOR-US: D-Link -CVE-2023-45288 +CVE-2023-45288 (An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of ...) - golang-1.22
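Review bot: the imported description for CVE-2024-2115 contains the literal escape sequence \u2013 (The LearnPress \u2013 WordPress LMS Plugin plugin), i.e. the JSON escape for an en dash leaked through into the list instead of being decoded; the importer should decode such escapes (or transliterate them to a plain hyphen) before truncating the summary, otherwise these strings keep propagating into NFU labels and grep results. The other two hunks (CVE-2024-3250 description refresh, CVE-2023-45288 description filled in on an entry that already carries golang-1.22) are the expected feed updates.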