[Git][security-tracker-team/security-tracker][master] Track fixed version for freerdp3 issues fixed via unstable

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
57d95c9b by Salvatore Bonaccorso at 2024-04-30T06:01:14+02:00
Track fixed version for freerdp3 issues fixed via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1208,7 +1208,7 @@ CVE-2024-32677 (Missing Authorization vulnerability in 
LoginPress LoginPress Pro
 CVE-2024-32675 (Missing Authorization vulnerability in Xfinity Soft Order 
Limit for Wo ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-32662 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
-   - freerdp3 
+   - freerdp3 3.5.1+dfsg1-1
- freerdp2 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vffh-j6hh-95f4
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/626d10a94a88565d957ddc30768ed08b320049a7
 (3.5.1)
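Review bot: the CVE-2024-32662 entry now agrees with the (3.5.1) tag on its upstream commit NOTE, but unlike the four sibling entries in the next hunk it carries no Debian bug reference, and its commit NOTE lacks the `Fixed by:` prefix those entries use; consider `NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/626d10a94a88565d957ddc30768ed08b320049a7 (3.5.1)` and a bug reference if one exists. The freerdp2 line is left without a fixed version and without any per-suite annotation, so freerdp2 stays tracked as affected until it is either fixed or annotated.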
@@ -1342,22 +1342,22 @@ CVE-2024-33211 (Tenda FH1206 V1.2.0.8(8155)_EN was 
discovered to contain a stack
 CVE-2024-32679 (Missing Authorization vulnerability in Shared Files PRO Shared 
Files.T ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-32661 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
-   - freerdp3  (bug #1069752)
+   - freerdp3 3.5.1+dfsg1-1 (bug #1069752)
- freerdp2 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p5m5-342g-pv9m
NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/71e463e31b4d69f4022d36bfc814592f56600793
 (3.5.1)
 CVE-2024-32660 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. Prior ...)
-   - freerdp3  (bug #1069752)
+   - freerdp3 3.5.1+dfsg1-1 (bug #1069752)
- freerdp2 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxv6-2cw6-m3mx
NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/5e5d27cf310e4c10b854be7667bfb7a5d774eb47
 (3.5.1)
 CVE-2024-32659 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
-   - freerdp3  (bug #1069752)
+   - freerdp3 3.5.1+dfsg1-1 (bug #1069752)
- freerdp2 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jgr-7r33-x87w
NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/6430945ce003a5e24d454d8566f54aae1b6b617b
 (3.5.1)
 CVE-2024-32658 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
-   - freerdp3  (bug #1069752)
+   - freerdp3 3.5.1+dfsg1-1 (bug #1069752)
- freerdp2 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vpv3-m3m9-4c2v
NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/1a755d898ddc028cc818d0dd9d49d5acff4c44bf
 (3.5.1)
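Review bot: all four entries (CVE-2024-32661, -32660, -32659, -32658) receive the same fixed version 3.5.1+dfsg1-1, which matches the (3.5.1) tag on each `Fixed by:` commit, so the change is internally consistent. Each freerdp2 line is still unversioned and has no per-suite annotation, so freerdp2 remains open everywhere it is shipped; a follow-up should record the freerdp2 fix or add the suite annotations, ideally in one commit so the five entries stay in step.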



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57d95c9b03b0c5eb21627dff805666fc3ab6bab6

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57d95c9b03b0c5eb21627dff805666fc3ab6bab6
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add note about bind9 in dla-needed

2024-04-29 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1bffabfa by Santiago Ruano Rincón at 2024-04-29T20:56:18-03:00
Add note about bind9 in dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -48,6 +48,7 @@ bind9 (Santiago)
   NOTE: 20240418: Patch created for CVE-2023-50387 and CVE-2023-50868 and 
package builds fine.
   NOTE: 20240418: 
https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96
   NOTE: 20240418: All testing activities remains.
+  NOTE: 20240929: Waiting some days to get more information about 
CVE-2023-50387 and CVE-2023-50868. Working on CVE-2023-4408 (Santiago)
 --
 dcmtk (Adrian Bunk)
   NOTE: 20240428: Added by Front-Desk (ta)
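Review bot: the date stamp on the added NOTE, 20240929, is in the future relative to the commit date (2024-04-29) and to the surrounding 20240418 notes; it is almost certainly meant to be 20240429. These stamps are how the progress of an LTS entry is read chronologically, so please correct it: `NOTE: 20240429: Waiting some days to get more information about CVE-2023-50387 and CVE-2023-50868. Working on CVE-2023-4408 (Santiago)`.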



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1bffabfadb4550540c86edb4abfaf840eb1ebe1e



[Git][security-tracker-team/security-tracker][master] LTS: claim runc in dla-needed.txt

2024-04-29 Thread Daniel Leidert (@dleidert)


Daniel Leidert pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
63ccc448 by Daniel Leidert at 2024-04-30T01:07:27+02:00
LTS: claim runc in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -246,7 +246,7 @@ ring
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230928: will be likely hard to fix see 
https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
 --
-runc
+runc (dleidert)
   NOTE: 20240312: Added by coordinator (roberto)
   NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in 
bullseye.
   NOTE: 20240314: Uploads to ospu should be coordinated. (roberto)
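Review bot: the claim adds `(dleidert)` to the package line but no dated NOTE, whereas the rest of the entry documents every step as `NOTE: 2024MMDD: ... (handle)`; a line such as `NOTE: 20240430: Claimed (dleidert)` would keep the history readable. Commit 6e63d00b in this same batch releases the identical claim less than a minute earlier (01:06:46 versus 01:07:27), so if that release was accidental a short note saying so would save the next reader from guessing.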



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63ccc4481f2cde28ebfeddcf04f9d11589cc478b



[Git][security-tracker-team/security-tracker][master] LTS: release claim on runc in dla-needed.txt

2024-04-29 Thread Daniel Leidert (@dleidert)


Daniel Leidert pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6e63d00b by Daniel Leidert at 2024-04-30T01:06:46+02:00
LTS: release claim on runc in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -246,7 +246,7 @@ ring
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230928: will be likely hard to fix see 
https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
 --
-runc (dleidert)
+runc
   NOTE: 20240312: Added by coordinator (roberto)
   NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in 
bullseye.
   NOTE: 20240314: Uploads to ospu should be coordinated. (roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e63d00babf1e43eb882be6f1a0b18c6435348b1



[Git][security-tracker-team/security-tracker][master] CVE-2023-25809 does not affect Buster

2024-04-29 Thread Daniel Leidert (@dleidert)


Daniel Leidert pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
92dbe571 by Daniel Leidert at 2024-04-30T01:05:10+02:00
CVE-2023-25809 does not affect Buster

The code is not present and seems to be in the code handling cgroup2 mounts.
That code was added later, and these mountpoints are ignored anyway.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -82265,7 +82265,7 @@ CVE-2023-25810 (Uptime Kuma is a self-hosted monitoring 
tool. In versions prior
 CVE-2023-25809 (runc is a CLI tool for spawning and running containers 
according to th ...)
- runc 1.1.5+ds1-1
[bullseye] - runc  (Minor issue)
-   [buster] - runc  (Minor issue)
+   [buster] - runc  (Vulnerable code not present)
NOTE: 
https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
NOTE: 
https://github.com/opencontainers/runc/commit/0e6b818a2b0d24fdb6697614e5c5f115bbe8e3a5
 (v1.1.5)
 CVE-2023-25808
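Review bot: the [buster] annotation moves from `(Minor issue)` to `(Vulnerable code not present)`, but the entry records only the upstream fix commit (v1.1.5) and the commit message itself hedges ("seems to be in the code handling cgroup2 mounts"). Other entries in this batch back such a claim with a `NOTE: Introduced by: <commit> (<tag>)` line (see the libcoap and python changes); recording the commit that introduced the cgroup2 mount handling would make the buster not-affected assessment verifiable from the entry alone.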



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92dbe5710671af12c19e714a34a39ad3c32971fe



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-27322/r-base

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aaa32c18 by Salvatore Bonaccorso at 2024-04-29T23:30:06+02:00
Add CVE-2024-27322/r-base

Needs some additional review for assessment.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -105,7 +105,9 @@ CVE-2024-28961 (Dell OpenManage Enterprise, versions 4.0.0 
and 4.0.1, contains a
 CVE-2024-28320 (Insecure Direct Object References (IDOR) vulnerability in 
Hospital Man ...)
TODO: check
 CVE-2024-27322 (Deserialization of untrusted data can occur in the R 
statistical progr ...)
-   TODO: check
+   - r-base 4.4.0-2
+   NOTE: https://hiddenlayer.com/research/r-bitrary-code-execution/
+   NOTE: https://kb.cert.org/vuls/id/238194
 CVE-2024-23995 (Cross Site Scripting (XSS) in Beekeeper Studio 4.1.13 and 
earlier allo ...)
TODO: check
 CVE-2024-1969 (Buffer Copy without Checking Size of Input ('Classic Buffer 
Overflow') ...)
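Review bot: the entry goes straight from `TODO: check` to a fixed version (r-base 4.4.0-2) with two reference NOTEs but no upstream fix commit, and the commit message says the assessment still needs review; there is also no annotation for the stable suites. Consider a `NOTE: Fixed by:` line for the upstream change that 4.4.0-2 carries and, until the review is done, a TODO line for the bookworm/bullseye assessment so the open question stays visible in the data file rather than only in the commit message.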



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aaa32c18b8ff194e31af3499eae15470ea0669b6



[Git][security-tracker-team/security-tracker][master] CVE-2023-6597/python: reference introductory commit

2024-04-29 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8267dca4 by Sylvain Beucler at 2024-04-29T23:10:41+02:00
CVE-2023-6597/python: reference introductory commit

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12408,6 +12408,7 @@ CVE-2023-6597 (An issue was found in the CPython 
`tempfile.TemporaryDirectory` c
NOTE: 
https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82
 (v3.10.14)
NOTE: 
https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b
 (v3.9.19)
NOTE: 
https://mail.python.org/archives/list/security-annou...@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/
+   NOTE: Introduced by: 
https://github.com/python/cpython/commit/e9b51c0ad81da1da11ae65840ac8b50a8521373c
 (v3.8.0b1)
 CVE-2023-50966 (erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 
allow atta ...)
- erlang-jose  (bug #1067456)
NOTE: https://github.com/potatosalad/erlang-jose/issues/156
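Review bot: the new `NOTE: Introduced by:` line with the (v3.8.0b1) tag is the right way to record the introducing commit, but the two existing fix-commit NOTEs above it (v3.10.14, v3.9.19) carry no `Fixed by:` prefix, so the entry now mixes the two styles; prefixing those two lines as well would let the introduced-to-fixed range be read off directly. The python.org mailing-list URL in the context line appears with an elided address (`security-annou...@python.org`); if that is how it is stored in data/CVE/list rather than an artefact of the mail archive, the full URL should be restored, since a truncated reference is unusable.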



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8267dca495cbcd673ce4e3b6114070415fc100cc



[Git][security-tracker-team/security-tracker][master] CVE-2024-31031/libcoap: buster not-affected + UB-related commits

2024-04-29 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f4efcf2 by Sylvain Beucler at 2024-04-29T22:40:40+02:00
CVE-2024-31031/libcoap: buster not-affected + UB-related commits

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2455,13 +2455,16 @@ CVE-2024-31040 (Buffer Overflow vulnerability in the 
get_var_integer function in
NOT-FOR-US: NanoMQ
 CVE-2024-31031 (An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to 
cause un ...)
- libcoap 
+   [buster] - libcoap  (Vulnerable code not present)
- libcoap2 
[bullseye] - libcoap2  (Minor issue)
[buster] - libcoap2  (Vulnerable code not present)
- libcoap3 
[bookworm] - libcoap3  (Minor issue)
NOTE: https://github.com/obgm/libcoap/issues/1351
-   NOTE: 
https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928
+   NOTE: 
https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928 
(develop)
+   NOTE: Introduced by: 
https://github.com/obgm/libcoap/commit/7033555d2978b8d4d5e16d43cfbfe1b1781c418f 
(v4.3.0-rc1)
+   NOTE: Introduced by: 
https://github.com/obgm/libcoap/commit/47a83549a80dad9a83f84cdfaba54c54defb5444 
(v4.3.2-rc1)
 CVE-2024-30990 (SQL Injection vulnerability in the "Invoices" page in 
phpgurukul Clien ...)
NOT-FOR-US: phpgurukul Client Management System
 CVE-2024-30989 (Cross Site Scripting vulnerability in /edit-client-details.php 
of phpg ...)
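Review bot: two `Introduced by:` commits are recorded (v4.3.0-rc1 and v4.3.2-rc1) without saying which one the new `[buster] - libcoap (Vulnerable code not present)` annotation relies on; a short NOTE stating that buster's libcoap predates the first of them would make the assessment checkable from the entry. The fix commit is tagged (develop) rather than a release, which is consistent with leaving the `- libcoap` line unversioned, but it also means the `Minor issue` annotations on libcoap2/libcoap3 have no upstream release to point at yet, so the entry should be revisited once upstream tags one.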



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f4efcf2a3c006d9a56b2de7b5e9a4a0160e515c



[Git][security-tracker-team/security-tracker][master] Process several NFUs

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a8baa332 by Salvatore Bonaccorso at 2024-04-29T22:24:09+02:00
Process several NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,89 +1,89 @@
 CVE-2024-4310 (Cross-site Scripting (XSS) vulnerability in HubBank affecting 
version  ...)
-   TODO: check
+   NOT-FOR-US: HubBank
 CVE-2024-4309 (SQL injection vulnerability in HubBank affecting version 1.0.2. 
This v ...)
-   TODO: check
+   NOT-FOR-US: HubBank
 CVE-2024-4308 (SQL injection vulnerability in HubBank affecting version 1.0.2. 
This v ...)
-   TODO: check
+   NOT-FOR-US: HubBank
 CVE-2024-4307 (SQL injection vulnerability in HubBank affecting version 1.0.2. 
This v ...)
-   TODO: check
+   NOT-FOR-US: HubBank
 CVE-2024-4306 (Critical unrestricted file upload vulnerability in HubBank 
affecting v ...)
-   TODO: check
+   NOT-FOR-US: HubBank
 CVE-2024-4304 (A Cross-Site Scripting XSS vulnerability has been detected on 
GT3 Solu ...)
-   TODO: check
+   NOT-FOR-US: GT3 Soluciones SWAL
 CVE-2024-3375 (Incorrect Permission Assignment for Critical Resource 
vulnerability in ...)
-   TODO: check
+   NOT-FOR-US: Havelsan Inc. Dialogue
 CVE-2024-34020 (A stack-based buffer overflow was found in the putSDN() 
function of ma ...)
TODO: check
 CVE-2024-34011 (Local privilege escalation due to insecure folder permissions. 
The fol ...)
-   TODO: check
+   NOT-FOR-US: Acronis Cyber Protect Cloud Agent
 CVE-2024-34010 (Local privilege escalation due to unquoted search path 
vulnerability.  ...)
-   TODO: check
+   NOT-FOR-US: Acronis Cyber Protect Cloud Agent
 CVE-2024-33684 (Missing Authorization vulnerability in Pdfcrowd Save as PDF 
plugin by  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33652 (Missing Authorization vulnerability in Real Big Plugins Client 
Dash.Th ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33636 (Missing Authorization vulnerability in Mahesh Vora WP Page 
Post Widget ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33635 (Missing Authorization vulnerability in Piotnet Piotnet Addons 
For Elem ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33597 (Missing Authorization vulnerability in ProFaceOff SSU.This 
issue affec ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33596 (Missing Authorization vulnerability in Five Star Plugins Five 
Star Res ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33595 (Missing Authorization vulnerability in Jewel Theme Master 
Addons for E ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33594 (Missing Authorization vulnerability in Leaky Paywall.This 
issue affect ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33593 (Missing Authorization vulnerability in RedNao Smart Forms.This 
issue a ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33591 (Missing Authorization vulnerability in Tips and Tricks HQ Easy 
Accept  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33590 (Server-Side Request Forgery (SSRF) vulnerability in codeSavory 
Knowled ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33589 (Missing Authorization vulnerability in WPOmnia KB Support.This 
issue a ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33588 (Missing Authorization vulnerability in codeSavory Knowledge 
Base docum ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33587 (Missing Authorization vulnerability in Copy Content Protection 
Team Se ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33586 (Missing Authorization vulnerability in Photo Gallery Team 
Photo Galler ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33585 (Missing Authorization vulnerability in Tyche Softwares Payment 
Gateway ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33558 (Missing Authorization vulnerability in 8theme XStore Core.This 
issue a ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33449 (An SSRF issue in the PDFMyURL service allows a remote attacker 
to obta ...)
-   TODO: check
+   NOT-FOR-US: PDFMyURL
 CVE-2024-33445 (An issue in hisiphp v2.0.111 allows a remote attacker to 
execute arbit ...)
TODO: check
 CVE-2024-33444 (SQL injection vulnerability in onethink v.1.1 allows a remote 
attacker ...)
-   TODO: check
+   NOT-FOR-US: onethink
 CVE-2024-33443 (An issue in onethink v.1.1 allows a remote attacker to execute 
arbitra ...)
-   TODO: check
+   NOT-FOR-US: onethink
 CVE-2024-33438 (File Upload vulnerability in CubeCart before 6.5.5 all
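Review bot: the hunk is cut off in this notification mid-line (`CVE-2024-33438 (File Upload vulnerability in CubeCart before 6.5.5 all`), so the remainder of the -1,89 range cannot be reviewed from the mail and must be checked in the repository. Of what is shown, the NOT-FOR-US triage is self-consistent (each line names the upstream product, and the WordPress plugins all use the same label), and two entries are deliberately left as `TODO: check`: CVE-2024-34020 (stack-based buffer overflow in putSDN()) and CVE-2024-33445 (hisiphp). The putSDN() one names a C function and is the kind of entry that should be matched against Debian source packages before it is closed either way.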

[Git][security-tracker-team/security-tracker][master] automatic update

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
796f8713 by security tracker role at 2024-04-29T20:12:21+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,133 @@
+CVE-2024-4310 (Cross-site Scripting (XSS) vulnerability in HubBank affecting 
version  ...)
+   TODO: check
+CVE-2024-4309 (SQL injection vulnerability in HubBank affecting version 1.0.2. 
This v ...)
+   TODO: check
+CVE-2024-4308 (SQL injection vulnerability in HubBank affecting version 1.0.2. 
This v ...)
+   TODO: check
+CVE-2024-4307 (SQL injection vulnerability in HubBank affecting version 1.0.2. 
This v ...)
+   TODO: check
+CVE-2024-4306 (Critical unrestricted file upload vulnerability in HubBank 
affecting v ...)
+   TODO: check
+CVE-2024-4304 (A Cross-Site Scripting XSS vulnerability has been detected on 
GT3 Solu ...)
+   TODO: check
+CVE-2024-3375 (Incorrect Permission Assignment for Critical Resource 
vulnerability in ...)
+   TODO: check
+CVE-2024-34020 (A stack-based buffer overflow was found in the putSDN() 
function of ma ...)
+   TODO: check
+CVE-2024-34011 (Local privilege escalation due to insecure folder permissions. 
The fol ...)
+   TODO: check
+CVE-2024-34010 (Local privilege escalation due to unquoted search path 
vulnerability.  ...)
+   TODO: check
+CVE-2024-33684 (Missing Authorization vulnerability in Pdfcrowd Save as PDF 
plugin by  ...)
+   TODO: check
+CVE-2024-33652 (Missing Authorization vulnerability in Real Big Plugins Client 
Dash.Th ...)
+   TODO: check
+CVE-2024-33636 (Missing Authorization vulnerability in Mahesh Vora WP Page 
Post Widget ...)
+   TODO: check
+CVE-2024-33635 (Missing Authorization vulnerability in Piotnet Piotnet Addons 
For Elem ...)
+   TODO: check
+CVE-2024-33597 (Missing Authorization vulnerability in ProFaceOff SSU.This 
issue affec ...)
+   TODO: check
+CVE-2024-33596 (Missing Authorization vulnerability in Five Star Plugins Five 
Star Res ...)
+   TODO: check
+CVE-2024-33595 (Missing Authorization vulnerability in Jewel Theme Master 
Addons for E ...)
+   TODO: check
+CVE-2024-33594 (Missing Authorization vulnerability in Leaky Paywall.This 
issue affect ...)
+   TODO: check
+CVE-2024-33593 (Missing Authorization vulnerability in RedNao Smart Forms.This 
issue a ...)
+   TODO: check
+CVE-2024-33591 (Missing Authorization vulnerability in Tips and Tricks HQ Easy 
Accept  ...)
+   TODO: check
+CVE-2024-33590 (Server-Side Request Forgery (SSRF) vulnerability in codeSavory 
Knowled ...)
+   TODO: check
+CVE-2024-33589 (Missing Authorization vulnerability in WPOmnia KB Support.This 
issue a ...)
+   TODO: check
+CVE-2024-33588 (Missing Authorization vulnerability in codeSavory Knowledge 
Base docum ...)
+   TODO: check
+CVE-2024-33587 (Missing Authorization vulnerability in Copy Content Protection 
Team Se ...)
+   TODO: check
+CVE-2024-33586 (Missing Authorization vulnerability in Photo Gallery Team 
Photo Galler ...)
+   TODO: check
+CVE-2024-33585 (Missing Authorization vulnerability in Tyche Softwares Payment 
Gateway ...)
+   TODO: check
+CVE-2024-33558 (Missing Authorization vulnerability in 8theme XStore Core.This 
issue a ...)
+   TODO: check
+CVE-2024-33449 (An SSRF issue in the PDFMyURL service allows a remote attacker 
to obta ...)
+   TODO: check
+CVE-2024-33445 (An issue in hisiphp v2.0.111 allows a remote attacker to 
execute arbit ...)
+   TODO: check
+CVE-2024-33444 (SQL injection vulnerability in onethink v.1.1 allows a remote 
attacker ...)
+   TODO: check
+CVE-2024-33443 (An issue in onethink v.1.1 allows a remote attacker to execute 
arbitra ...)
+   TODO: check
+CVE-2024-33438 (File Upload vulnerability in CubeCart before 6.5.5 allows an 
authentic ...)
+   TODO: check
+CVE-2024-33435 (Insecure Permissions vulnerability in Guangzhou Yingshi 
Electronic Tec ...)
+   TODO: check
+CVE-2024-33345 (D-Link DIR-823G A1V1.0.2B05 was found to contain a 
Null-pointer derefe ...)
+   TODO: check
+CVE-2024-8 (Cross Site Scripting vulnerability in jizhicms v.2.5.4 allows 
a remote ...)
+   TODO: check
+CVE-2024-33276 (SQL Injection vulnerability in FME Modules 
preorderandnotication v.3.1 ...)
+   TODO: check
+CVE-2024-33272 (SQL injection vulnerability in KnowBand for PrestaShop 
autosuggest bef ...)
+   TODO: check
+CVE-2024-33271 (An issue in FME Modules eventsmanager before 4.4.0 allows an 
attacker  ...)
+   TODO: check
+CVE-2024-33269 (SQL Injection vulnerability in Prestaddons flashsales 1.9.7 
and before ...)
+   TODO: check
+CVE-2024-33268 (SQL Injection vulnerability in Digincube mdgiftproduct before 
1.4.1 al ...)
+   TODO: check
+CVE-2024-33266 (SQL Injection vulnerability in Helloshop 
deliveryorderautoupdate v.2.8 ...)
+
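Review bot: this is the automated feed import that the `Process several NFUs` commit in this batch then triages, so the content itself needs no review, but two things stand out. The identifier on the jizhicms line reads `CVE-2024-8`, which does not fit the CVE-YYYY-NNNNN shape of every neighbouring entry and should be checked against the source feed; and the hunk (-1,3 +1,133) is truncated here after CVE-2024-33266, so the remaining new entries are not visible in the mail.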

[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-42521/vtk9

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bb0a05f1 by Salvatore Bonaccorso at 2024-04-29T21:15:26+02:00
Track fixed version via unstable for CVE-2021-42521/vtk9

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -188987,7 +188987,7 @@ CVE-2021-42522 (There is a Information Disclosure 
vulnerability in anjuta/plugin
NOTE: https://gitlab.gnome.org/Archive/anjuta/-/issues/12
NOTE: Memory leak in GUI application, no security impact
 CVE-2021-42521 (There is a NULL pointer dereference vulnerability in VTK 
before 9.2.5, ...)
-   - vtk9  (bug #1031877)
+   - vtk9 9.1.0+really9.1.0+dfsg2-8 (bug #1031877)
[bookworm] - vtk9  (Minor issue)
[bullseye] - vtk9  (Minor issue)
- vtk7  (bug #1034844)
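Review bot: the fixed version 9.1.0+really9.1.0+dfsg2-8 is below the `before 9.2.5` threshold in the CVE description, so the fix in unstable must be a backported patch rather than a new upstream release; a `NOTE: Fixed by: <upstream commit>` line would let anyone confirm which change was backported. The bookworm and bullseye lines stay at `Minor issue` and vtk7 stays unversioned with bug #1034844, which is consistent with no-dsa handling.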



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb0a05f18ffad19522ed72334e3a4f79923cb759



[Git][security-tracker-team/security-tracker][master] LTS: claim apache2 in dla-needed.txt

2024-04-29 Thread Lee Garrett (@lgarrett)


Lee Garrett pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ec5d605 by "Lee Garrett" at 2024-04-29T21:10:44+02:00
LTS: claim apache2 in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -30,7 +30,7 @@ ansible (Lee Garrett)
   NOTE: 20231217: Triaging done a few mail send upstream for claryfication 
purposes (rouca)
   NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
 --
-apache2
+apache2 (debian)
   NOTE: 20240418: Added by Front-Desk (apo)
 --
 astropy (Chris Lamb)
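Review bot: the claim is recorded as `apache2 (debian)`, but `debian` is not a contributor handle: the commit author is Lee Garrett and the neighbouring ansible entry uses `(Lee Garrett)`. This looks like a local account name pasted by mistake; please change it to `apache2 (Lee Garrett)` and, in line with the other entries, consider a dated `NOTE: 20240429: ...` line for the claim.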



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ec5d6057e214fb4c997623ba2f6e4c480ceac9e



[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2023-52160/wpa

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7afd2984 by Salvatore Bonaccorso at 2024-04-29T20:59:01+02:00
Track fixed version via unstable for CVE-2023-52160/wpa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20582,7 +20582,7 @@ CVE-2023-40085 (In convertSubgraphFromHAL of 
ShimConverter.cpp, there is a possi
NOT-FOR-US: Android
 CVE-2023-52160 (The implementation of PEAP in wpa_supplicant through 2.10 
allows authe ...)
{DLA-3743-1}
-   - wpa  (bug #1064061)
+   - wpa 2:2.10-21.1 (bug #1064061)
NOTE: 
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c
NOTE: https://www.top10vpn.com/research/wifi-vulnerabilities/
NOTE: 
https://lists.infradead.org/pipermail/hostap/2024-February/042362.html
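Review bot: the fixed version 2:2.10-21.1 is recorded for unstable and {DLA-3743-1} covers LTS, but there is no [bookworm] or [bullseye] annotation, so both are listed as affected until a DSA is issued or a no-dsa annotation is added; that matches wpa being kept in data/dsa-needed.txt (see the `Revert "Take wpa/dsa-needed"` commit in this batch), so the two files just need to stay in step. The hostap commit NOTE has no `Fixed by:` prefix or upstream tag, unlike the PuTTY and python entries updated today.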



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7afd298436c2475e45c906fc5c1b1d391f722f0c



[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2024-31497

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e7ac05d by Salvatore Bonaccorso at 2024-04-29T19:14:31+02:00
Add upstream tag information for CVE-2024-31497

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3673,7 +3673,7 @@ CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81, 
biased ECDSA nonce gener
[buster] - filezilla  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/04/15/6
NOTE: 
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
-   NOTE: 
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff_plain;h=c193fe9848f50a88a4089aac647fecc31ae96d27
+   NOTE: Fixed by: 
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=c193fe9848f50a88a4089aac647fecc31ae96d27
 (0.81)
 CVE-2024-3804 (A vulnerability, which was classified as critical, has been 
found in V ...)
NOT-FOR-US: Vesystem Cloud Desktop
 CVE-2024-3803 (A vulnerability classified as critical was found in Vesystem 
Cloud Des ...)
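Review bot: replacing the `commitdiff_plain` URL with `commitdiff`, adding the `Fixed by:` prefix and the (0.81) tag turns the bare link added in commit 4f9357ca into the tracker's usual fixed-by form; no issue with the change itself. The putty fixed-version line is outside the hunk, so it is worth double-checking that it matches the (0.81) tag now recorded on the commit.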



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e7ac05db6bccecb62f963ceaabd0acdf6a8c76c



[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2024-0985

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8a0410a5 by Salvatore Bonaccorso at 2024-04-29T18:45:07+02:00
Add reference for CVE-2024-0985

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22412,6 +22412,7 @@ CVE-2024-0985 (Late privilege drop in REFRESH 
MATERIALIZED VIEW CONCURRENTLY in
- postgresql-15 
- postgresql-13 
- postgresql-11 
+   NOTE: 
https://github.com/google/security-research/security/advisories/GHSA-9984-7hcf-v553
NOTE: https://www.postgresql.org/support/security/CVE-2024-0985/
NOTE: 
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=d6a61cb3bef3c8fbc35c2a6182e75a8c1d351e41
 (REL_16_2)
NOTE: 
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=f2fdea198b3d0ab30b9e8478a762488ecebabd88
 (REL_15_6)
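Review bot: the added google/security-research advisory NOTE is placed above the vendor advisory (postgresql.org) and the fix-commit NOTEs; ordering references as vendor advisory first, then fix commits, then third-party write-ups would keep the entry scannable. The postgresql-15/13/11 lines in the context remain unversioned even though the context records a fix in REL_15_6 (f2fdea198b3d), so the postgresql-15 fixed version can be filled in once the corresponding upload reaches unstable.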



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a0410a53b9192a609bfab3cbc4c6478646c7500



[Git][security-tracker-team/security-tracker][master] Revert "Take wpa/dsa-needed"

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2d6627e2 by Salvatore Bonaccorso at 2024-04-29T17:48:33+02:00
Revert "Take wpa/dsa-needed"

This reverts commit 0aa44d8ad309f1dabb497928681692a70c0b43d5.

As explained already in c7deddcc1fc8 ("Revert "Add myself for
wpa/dsa-needed"").

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -88,7 +88,7 @@ squid
 --
 webkit2gtk (berto)
 --
-wpa (rouca)
+wpa
 --
 zabbix
 --
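
Review bot: The rationale for dropping the `(rouca)` claim lives only in the commit message, and there only as a pointer to c7deddcc1fc8; a dated NOTE under the wpa entry, in the style the dla-needed.txt hunks in this thread use (`NOTE: 20240403: Added by Front-Desk (lamby)`), would record why wpa is not to be claimed so the next contributor does not repeat 0aa44d8a.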



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d6627e23519e289bc908116a21d0fd42521ba33



[Git][security-tracker-team/security-tracker][master] CVE-2024-31497

2024-04-29 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f9357ca by Bastien Roucariès at 2024-04-29T15:25:30+00:00
CVE-2024-31497

Add patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3673,6 +3673,7 @@ CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81, 
biased ECDSA nonce gener
[buster] - filezilla  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/04/15/6
NOTE: 
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
+   NOTE: 
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff_plain;h=c193fe9848f50a88a4089aac647fecc31ae96d27
 CVE-2024-3804 (A vulnerability, which was classified as critical, has been 
found in V ...)
NOT-FOR-US: Vesystem Cloud Desktop
 CVE-2024-3803 (A vulnerability classified as critical was found in Vesystem 
Cloud Des ...)
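
Review bot: The added commitdiff NOTE carries neither a `Fixed by:` label nor the fixing upstream version, unlike the commit NOTEs elsewhere in this thread that end in a tag such as `(emacs-29.3)` or `(go1.22.2)`; since the CVE text says the bias is fixed in 0.81, `NOTE: Fixed by: <url> (0.81)` would make the reference self-describing. The `[buster] - filezilla  (Minor issue)` context line also shows no status keyword in this copy, so confirm it is intact in the file.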



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f9357ca2048a1cfc9f4bfb3e2a3f92dbd56e642



[Git][security-tracker-team/security-tracker][master] Take wpa/dsa-needed

2024-04-29 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0aa44d8a by Bastien Roucariès at 2024-04-29T15:19:26+00:00
Take wpa/dsa-needed

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -88,7 +88,7 @@ squid
 --
 webkit2gtk (berto)
 --
-wpa
+wpa (rouca)
 --
 zabbix
 --
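
Review bot: This claim was reverted the same day in 2d6627e2 (earlier in this thread), which points to c7deddcc1fc8 for the reason; before wpa is claimed again, check that revert's rationale so the claim does not bounce a second time.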



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0aa44d8ad309f1dabb497928681692a70c0b43d5



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-33904/hyprland

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
088af36e by Salvatore Bonaccorso at 2024-04-29T16:55:19+02:00
Add CVE-2024-33904/hyprland

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29,7 +29,7 @@ CVE-2024-3191 (A vulnerability, which was classified as 
critical, has been found
 CVE-2024-33905 (In Telegram WebK before 2.0.0 (488), a crafted Mini Web App 
allows XSS ...)
NOT-FOR-US: Telegram WebK
 CVE-2024-33904 (In plugins/HookSystem.cpp in Hyprland through 0.39.1 (before 
28c8561), ...)
-   TODO: check
+   - hyprland  (bug #1040971)
 CVE-2024-33903 (In CARLA through 0.9.15.2, the collision sensor mishandles 
some situat ...)
NOT-FOR-US: CARLA (carla-simulator)
 CVE-2024-33899 (RARLAB WinRAR before 7.00, on Linux and UNIX platforms, allows 
attacke ...)
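
Review bot: The replacement line `- hyprland  (bug #1040971)` shows no status or version between the package name and the bug reference in this copy, so confirm the keyword survived the commit. The CVE text itself names the fixing upstream revision (`before 28c8561`), so a NOTE with the upstream commit URL, as the other entries in this thread carry, would let the fix be verified against whatever version enters the archive.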



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/088af36e631f30703c002e0995caa188c7dd66ca



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86b96ef9 by Salvatore Bonaccorso at 2024-04-29T16:54:40+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,41 +1,41 @@
 CVE-2024-4303 (ArmorX Android APP's multi-factor authentication (MFA) for the 
login f ...)
-   TODO: check
+   NOT-FOR-US: ArmorX Android APP's multi-factor authentication (MFA)
 CVE-2024-4302 (Super 8 Live Chat online customer service platform fails to 
properly f ...)
NOT-FOR-US: Super 8 Live Chat online customer service platform
 CVE-2024-4301 (N-Reporter and N-Cloud, products of the N-Partner, have an OS 
Command  ...)
-   TODO: check
+   NOT-FOR-US: N-Reporter
 CVE-2024-4300 (E-WEBInformationCo. FS-EZViewer(Web) exposes sensitive 
information in  ...)
-   TODO: check
+   NOT-FOR-US: E-WEBInformationCo. FS-EZViewer(Web)
 CVE-2024-4299 (The system configuration interface of HGiga iSherlock 
(including MailS ...)
-   TODO: check
+   NOT-FOR-US: HGiga iSherlock
 CVE-2024-4298 (The email search interface of HGiga iSherlock (including 
MailSherlock, ...)
-   TODO: check
+   NOT-FOR-US: HGiga iSherlock
 CVE-2024-4297 (The system configuration interface of HGiga iSherlock 
(including MailS ...)
-   TODO: check
+   NOT-FOR-US: HGiga iSherlock
 CVE-2024-4296 (The account management interface of HGiga iSherlock (including 
MailShe ...)
-   TODO: check
+   NOT-FOR-US: HGiga iSherlock
 CVE-2024-3196 (A vulnerability was found in MailCleaner up to 2023.03.14. It 
has been ...)
-   TODO: check
+   NOT-FOR-US: MailCleaner
 CVE-2024-3195 (A vulnerability was found in MailCleaner up to 2023.03.14. It 
has been ...)
-   TODO: check
+   NOT-FOR-US: MailCleaner
 CVE-2024-3194 (A vulnerability was found in MailCleaner up to 2023.03.14 and 
classifi ...)
-   TODO: check
+   NOT-FOR-US: MailCleaner
 CVE-2024-3193 (A vulnerability has been found in MailCleaner up to 2023.03.14 
and cla ...)
-   TODO: check
+   NOT-FOR-US: MailCleaner
 CVE-2024-3192 (A vulnerability, which was classified as problematic, was found 
in Mai ...)
-   TODO: check
+   NOT-FOR-US: MailCleaner
 CVE-2024-3191 (A vulnerability, which was classified as critical, has been 
found in M ...)
-   TODO: check
+   NOT-FOR-US: MailCleaner
 CVE-2024-33905 (In Telegram WebK before 2.0.0 (488), a crafted Mini Web App 
allows XSS ...)
-   TODO: check
+   NOT-FOR-US: Telegram WebK
 CVE-2024-33904 (In plugins/HookSystem.cpp in Hyprland through 0.39.1 (before 
28c8561), ...)
TODO: check
 CVE-2024-33903 (In CARLA through 0.9.15.2, the collision sensor mishandles 
some situat ...)
-   TODO: check
+   NOT-FOR-US: CARLA (carla-simulator)
 CVE-2024-33899 (RARLAB WinRAR before 7.00, on Linux and UNIX platforms, allows 
attacke ...)
TODO: check
 CVE-2024-33891 (Delinea Secret Server before 11.7.01 allows attackers to 
bypass au ...)
-   TODO: check
+   NOT-FOR-US: Delinea Secret Server
 CVE-2024-33686 (Missing Authorization vulnerability in Extend Themes Pathway, 
Extend T ...)
NOT-FOR-US: WordPress themes
 CVE-2024-33681 (Cross-Site Request Forgery (CSRF) vulnerability in Sandor 
Kovacs Regen ...)
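
Review bot: Two entries in this batch are left as `TODO: check`, and rightly so: CVE-2024-33899 explicitly covers WinRAR 'on Linux and UNIX platforms', so it needs a check against the RAR tooling Debian ships before it can be dismissed, and CVE-2024-33904 (Hyprland) is resolved separately in 088af36e above. One wording nit: the description for CVE-2024-4301 names both N-Reporter and N-Cloud, but the NOT-FOR-US text records only `N-Reporter`; naming both products (or the vendor, N-Partner) would match how the HGiga and MailCleaner lines are written.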



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86b96ef978028d25628936ec5a9fed96838bee82



[Git][security-tracker-team/security-tracker][master] CVE-2024-20203, CVE-2024-20204 affect Org-mode too -- same code

2024-04-29 Thread Sean Whitton (@spwhitton)


Sean Whitton pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
50131006 by Sean Whitton at 2024-04-29T14:10:06+01:00
CVE-2024-20203, CVE-2024-20204 affect Org-mode too -- same code

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10696,6 +10696,9 @@ CVE-2024-30204 (In Emacs before 29.3, LaTeX preview is 
enabled by default for e-
- emacs 1:29.3+1-1 (bug #1067630)
[bookworm] - emacs  (Minor issue, will be fixed via point 
release)
[bullseye] - emacs  (Minor issue, will be fixed via point 
release)
+   - org-mode 9.6.23+dfsg-1 (bug #1067663)
+   [bookworm] - org-mode  (Produces only a dependency binary 
package)
+   [bullseye] - org-mode  (Minor issue; can be fixed via point 
release)
NOTE: https://www.openwall.com/lists/oss-security/2024/03/24/1
NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html
NOTE: 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
 (emacs-29.3)
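
Review bot: The new `- org-mode 9.6.23+dfsg-1 (bug #1067663)` line is added without a NOTE naming the org-mode commit that carries the fix; the CVE-2024-30205 and CVE-2024-30202 entries further down this thread cite `cgit/emacs/org-mode.git` commits tagged `(release_9.6.23)`, and the commit message's 'same code' argument is exactly what such a reference would substantiate. Also, the bookworm reason 'Produces only a dependency binary package' is explained elsewhere in this thread by the NOTE `org-mode/9.5.2+dfsh-5 dropped all lisp files`; repeating that NOTE under this CVE would make the bookworm status self-explanatory.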
@@ -10705,6 +10708,9 @@ CVE-2024-30203 (In Emacs before 29.3, Gnus treats 
inline MIME contents as truste
- emacs 1:29.3+1-1 (bug #1067630)
[bookworm] - emacs  (Minor issue, will be fixed via point 
release)
[bullseye] - emacs  (Minor issue, will be fixed via point 
release)
+   - org-mode 9.6.23+dfsg-1 (bug #1067663)
+   [bookworm] - org-mode  (Produces only a dependency binary 
package)
+   [bullseye] - org-mode  (Minor issue; can be fixed via point 
release)
NOTE: https://www.openwall.com/lists/oss-security/2024/03/24/1
NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html
NOTE: 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804
 (emacs-29.3)
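
Review bot: As with the CVE-2024-30204 hunk above, the org-mode fixed version 9.6.23+dfsg-1 is asserted here without the org-mode fix commit, and the bookworm 'dependency binary package' reason is not backed by the `org-mode/9.5.2+dfsh-5 dropped all lisp files` NOTE that CVE-2024-30204 and CVE-2024-30202 carry elsewhere in this thread. Since CVE-2024-30203 is the Gnus inline-MIME issue, it is also worth naming which Org file holds the shared code path, so the 'same code' reasoning is checkable later.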



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50131006a9159cb9bed10204a62de0e015810de2



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3801-1 for emacs

2024-04-29 Thread Sean Whitton (@spwhitton)


Sean Whitton pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
71c6a7ff by Sean Whitton at 2024-04-29T13:50:47+01:00
Reserve DLA-3801-1 for emacs

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[29 Apr 2024] DLA-3801-1 emacs - security update
+   {CVE-2024-30203 CVE-2024-30204 CVE-2024-30205}
+   [buster] - emacs 1:26.1+1-3.2+deb10u5
 [29 Apr 2024] DLA-3800-1 ruby-rack - security update
{CVE-2024-25126 CVE-2024-26141 CVE-2024-26146}
[buster] - ruby-rack 2.0.6-3+deb10u4
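
Review bot: The DLA covers CVE-2024-30203/30204/30205 but not CVE-2024-30202, and the visible evidence supports that: the dla-needed NOTE removed in the next hunk says buster's emacs 'may not be vulnerable to, for example, CVE-2024-30202', and the `Introduced by:` NOTE added for CVE-2024-30202 elsewhere in this thread points at emacs-28.0.90, after buster's 1:26.1. That conclusion should be recorded on the CVE-2024-30202 entry as a `[buster]` status with the 'introduced in emacs-28.0.90' reason, otherwise the only trace of why it was left out is a NOTE that this same commit deletes.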


=
data/dla-needed.txt
=
@@ -81,15 +81,6 @@ edk2
   NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby)
   NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk)
 --
-emacs (Sean Whitton)
-  NOTE: 20240403: Added by Front-Desk (lamby)
-  NOTE: 20240403: Needs someone with a little familiarity with Lisp — by my
-  NOTE: 20240403: eye, the version of emacs in LTS may not be vulnerable to,
-  NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable
-  NOTE: 20240403: to CVE-2024-30203. (lamby)
-  NOTE: 20240422: Making progress through bookworm,bullseye,buster.
-  NOTE: 20240422: No major blockers, just taking some backporting.  (spwhitton)
---
 freeimage
   NOTE: 20240320: Added by Front-Desk (ta)
   NOTE: 20240320: lots of postponed issue could be fixed as well



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71c6a7ffaa6c4244d67cd0f25c4f9ae0c2deae2d



[Git][security-tracker-team/security-tracker][master] Actually mark CVE-2024-1135/gunicorn as postponed for buster LTS.

2024-04-29 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
784afb10 by Chris Lamb at 2024-04-29T12:35:32+01:00
Actually mark CVE-2024-1135/gunicorn as postponed for buster LTS.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -3654,6 +3654,7 @@ CVE-2024-1135 (Gunicorn fails to properly validate 
Transfer-Encoding headers, le
- gunicorn  (bug #1069126)
[bookworm] - gunicorn  (Minor issue)
[bullseye] - gunicorn  (Minor issue)
+   [buster] - gunicorn  (Minor issue)
NOTE: https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1
NOTE: 
https://github.com/benoitc/gunicorn/commit/ac29c9b0a758d21f1e0fb3b3457239e523fa9f1d
 CVE-2024-0549 (mintplex-labs/anything-llm is vulnerable to a relative path 
traversal  ...)
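
Review bot: The new `[buster]` line carries the same '(Minor issue)' text as bookworm and bullseye, but the commit message says buster is being postponed, and nothing here records the triage reasoning: the description is a Transfer-Encoding validation flaw, the unstable line `- gunicorn  (bug #1069126)` shows no fixed version, and the only references are the huntr report and upstream commit ac29c9b0. A short reason in the parentheses would let a later reader tell a deliberate postponement from a status copied across suites. Also confirm the status keyword between `gunicorn` and the parenthesis is intact, as it does not render in this copy.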


=
data/dla-needed.txt
=
@@ -104,9 +104,6 @@ freeimage
 glibc (Adrian Bunk)
   NOTE: 20240419: Added by coordinator (santiago)
 --
-gunicorn (Chris Lamb)
-  NOTE: 20240421: Added by Front-Desk (apo)
---
 h2o (dleidert)
   NOTE: 20231228: Added by Front-Desk (lamby)
 --
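
Review bot: This drops the gunicorn entry that 9e76d436 claimed only minutes earlier (below in this thread); the dla-needed.txt header quoted in the ansible hunk further down asks that notes be appended rather than removed, so a closing NOTE line before the entry goes (for example `NOTE: 20240429: postponed for buster, minor issue (lamby)`), or the equivalent reason on the CVE entry, keeps the history visible.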



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/784afb10403ea7c8da0854a4d241fc5c611e3bd5



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim gunicorn.

2024-04-29 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9e76d436 by Chris Lamb at 2024-04-29T12:21:52+01:00
data/dla-needed.txt: Claim gunicorn.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -104,7 +104,7 @@ freeimage
 glibc (Adrian Bunk)
   NOTE: 20240419: Added by coordinator (santiago)
 --
-gunicorn
+gunicorn (Chris Lamb)
   NOTE: 20240421: Added by Front-Desk (apo)
 --
 h2o (dleidert)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e76d4369a8e3136ecb730b89b37c28437bab788



[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Update name for ansible claim (based on commit message).

2024-04-29 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fd6f0df9 by Chris Lamb at 2024-04-29T12:20:19+01:00
dla-needed.txt: Update name for ansible claim (based on commit message).

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, 
please append notes
 rather than remove/replace existing ones.
 
 --
-ansible (debian)
+ansible (Lee Garrett)
   NOTE: 20231202: Added by Front-Desk (Beuc)
   NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates 
since 2021
   NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an 
opportunity to



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd6f0df96038a01cf66456655b0349eee08822b2



[Git][security-tracker-team/security-tracker][master] samba/buster: tidy remaining CVEs

2024-04-29 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c9168180 by Sylvain Beucler at 2024-04-29T12:29:15+02:00
samba/buster: tidy remaining CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -141195,6 +141195,7 @@ CVE-2022-32743 (Samba does not validate the 
Validated-DNS-Host-Name right for th
[experimental] - samba 2:4.17.0+dfsg-1
- samba 2:4.17.2+dfsg-3 (bug #1021022)
[bullseye] - samba  (Minor issue)
+   [buster] - samba  (Minor issue)
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14833
 CVE-2022-32742 (A flaw was found in Samba. Some SMB1 write requests were not 
correctly ...)
{DSA-5205-1 DLA-3792-1}
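
Review bot: The new `[buster] - samba  (Minor issue)` line uses the generic reason while the two hunks below retag buster samba entries as 'Domain controller functionality is EOLed, see DSA-5015-1'; CVE-2022-32743 concerns the Validated-DNS-Host-Name right, which is Active Directory DC functionality, so if that is the basis for leaving buster alone, the DSA-5015-1 annotation is the more accurate one to use here too.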
@@ -195401,7 +195402,7 @@ CVE-2021-40146 (A Remote Code Execution (RCE) 
vulnerability was discovered in th
 CVE-2021-3738 (In DCE/RPC it is possible to share the handles (cookies for 
resource s ...)
{DSA-5003-1}
- samba 2:4.13.14+dfsg-1
-   [buster] - samba  (Minor issue; affects Samba as AD DC)
+   [buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14468
NOTE: https://www.samba.org/samba/security/CVE-2021-3738.html
 CVE-2021-3737 (A flaw was found in python. An improperly handled HTTP response 
in the ...)
@@ -201660,7 +201661,7 @@ CVE-2021-3671 (A null pointer de-reference was found 
in the way samba kerberos s
[stretch] - heimdal  (Minor issue)
- samba 2:4.13.13+dfsg-1
[bullseye] - samba 2:4.13.13+dfsg-1~deb11u1
-   [buster] - samba  (Minor issue)
+   [buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
[stretch] - samba  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2013080
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14770
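
Review bot: The `[stretch] - samba  (Minor issue)` context line keeps the old wording while buster is retagged with the AD DC EOL reason; if the issue only matters for the AD DC role (the previous buster text for the sibling CVE-2021-3738 said 'affects Samba as AD DC'), the same reason applies to stretch, and the two lines should agree.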



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9168180d58fc5f3eaecdcaf8b6e2370d2f661f0



[Git][security-tracker-team/security-tracker][master] CVE-2023-45288/golang-1.11: buster postponed

2024-04-29 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7f3c929e by Sylvain Beucler at 2024-04-29T11:59:52+02:00
CVE-2023-45288/golang-1.11: buster postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7333,6 +7333,7 @@ CVE-2023-45288 (An attacker may cause an HTTP/2 endpoint 
to read arbitrary amoun
- golang-1.15 
[bullseye] - golang-1.15  (Minor issue)
- golang-1.11 
+   [buster] - golang-1.11  (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
- golang-golang-x-net 1:0.23.0+dfsg-1
NOTE: https://github.com/golang/go/issues/65051
NOTE: 
https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b 
(go1.22.2)
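
Review bot: The new buster annotation says to 'follow bullseye DSAs/point-releases', but the `[bullseye] - golang-1.15  (Minor issue)` context line two lines up shows bullseye has no fix planned for its compiler package either, so that instruction may never trigger; if the fix for buster users is expected to arrive through `golang-golang-x-net 1:0.23.0+dfsg-1` or rebuilt reverse dependencies, say so in the parentheses, and the go1.22.2 commit already noted below is the patch to backport should golang-1.11 ever be updated.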



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f3c929ee1899a1fb8a8ed8ba0b1b0387565e6f7



[Git][security-tracker-team/security-tracker][master] Process NFUs

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e6a1c60 by Salvatore Bonaccorso at 2024-04-29T11:42:21+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2024-4303 (ArmorX Android APP's multi-factor authentication (MFA) for the 
login f ...)
TODO: check
 CVE-2024-4302 (Super 8 Live Chat online customer service platform fails to 
properly f ...)
-   TODO: check
+   NOT-FOR-US: Super 8 Live Chat online customer service platform
 CVE-2024-4301 (N-Reporter and N-Cloud, products of the N-Partner, have an OS 
Command  ...)
TODO: check
 CVE-2024-4300 (E-WEBInformationCo. FS-EZViewer(Web) exposes sensitive 
information in  ...)
@@ -37,73 +37,73 @@ CVE-2024-33899 (RARLAB WinRAR before 7.00, on Linux and 
UNIX platforms, allows a
 CVE-2024-33891 (Delinea Secret Server before 11.7.01 allows attackers to 
bypass au ...)
TODO: check
 CVE-2024-33686 (Missing Authorization vulnerability in Extend Themes Pathway, 
Extend T ...)
-   TODO: check
+   NOT-FOR-US: WordPress themes
 CVE-2024-33681 (Cross-Site Request Forgery (CSRF) vulnerability in Sandor 
Kovacs Regen ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33649 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33648 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33646 (Cross-Site Request Forgery (CSRF) vulnerability in Toast 
Plugins Stick ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33645 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33643 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33641 (Deserialization of Untrusted Data vulnerability in Team Yoast 
Custom f ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33640 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33637 (Insertion of Sensitive Information into Log File vulnerability 
in Soli ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33634 (Server-Side Request Forgery (SSRF) vulnerability in Piotnet 
Piotnet Ad ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33633 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33632 (Cross-Site Request Forgery (CSRF) vulnerability in Piotnet 
Piotnet Add ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33631 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33630 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33629 (Server-Side Request Forgery (SSRF) vulnerability in Creative 
Motion Au ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33627 (Server-Side Request Forgery (SSRF) vulnerability in Cusmin 
Absolutely  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33584 (URL Redirection to Untrusted Site ('Open Redirect') 
vulnerability in D ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33575 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33571 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33566 (Missing Authorization vulnerability in N-Media OrderConvo 
allows OS Co ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33562 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33559 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33554 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33553 (Deserialization of Untrusted Data vulnerability in 8theme 
XStore Core. ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-33551 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-

[Git][security-tracker-team/security-tracker][master] CVE-2024-30202,CVE-2024-30203/emacs,org-mode: precise commit versions

2024-04-29 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac058e87 by Sylvain Beucler at 2024-04-29T11:30:17+02:00
CVE-2024-30202,CVE-2024-30203/emacs,org-mode: precise commit versions

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10696,7 +10696,7 @@ CVE-2024-30204 (In Emacs before 29.3, LaTeX preview is 
enabled by default for e-
[bullseye] - emacs  (Minor issue, will be fixed via point 
release)
NOTE: https://www.openwall.com/lists/oss-security/2024/03/24/1
NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html
-   NOTE: 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
+   NOTE: 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
 (emacs-29.3)
NOTE: org-mode/9.5.2+dfsh-5 dropped all lisp files from the produced 
binary packages
NOTE: making an empty dependency package only.
 CVE-2024-30203 (In Emacs before 29.3, Gnus treats inline MIME contents as 
trusted.)
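
Review bot: The context line `NOTE: org-mode/9.5.2+dfsh-5 dropped all lisp files` looks like a typo for `+dfsg-5` (the org-mode version elsewhere in this thread is `9.6.23+dfsg-1`); worth fixing while tagging versions, since a wrong version string in a NOTE will not match the package when someone searches for it. The added `(emacs-29.3)` tag is correct in form and matches the tag used on the CVE-2024-30203 commit in the next hunk.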
@@ -10705,7 +10705,7 @@ CVE-2024-30203 (In Emacs before 29.3, Gnus treats 
inline MIME contents as truste
[bullseye] - emacs  (Minor issue, will be fixed via point 
release)
NOTE: https://www.openwall.com/lists/oss-security/2024/03/24/1
NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html
-   NOTE: 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804
+   NOTE: 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804
 (emacs-29.3)
 CVE-2024-30202 (In Emacs before 29.3, arbitrary Lisp code is evaluated as part 
of turn ...)
- emacs 1:29.3+1-1 (bug #1067630)
[bookworm] - emacs  (Minor issue, will be fixed via point 
release)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac058e87d90e9aab94a12d26b39f1cd98ae3828c



[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-30202/emacs,org-mode: precise commit versions

2024-04-29 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d28a91c3 by Sylvain Beucler at 2024-04-29T11:26:53+02:00
CVE-2024-30202/emacs,org-mode: precise commit versions

- - - - -
14f3d07e by Sylvain Beucler at 2024-04-29T11:26:53+02:00
CVE-2024-30205/emacs,org-mode: precise commit versions

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10687,9 +10687,9 @@ CVE-2024-30205 (In Emacs before 29.3, Org mode 
considers contents of remote file
[bullseye] - org-mode  (Minor issue; can be fixed via point 
release)
NOTE: https://www.openwall.com/lists/oss-security/2024/03/24/1
NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html
-   NOTE: 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877
+   NOTE: 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877
 (emacs-29.3)
NOTE: https://list.orgmode.org/87o7b3eczr@bzg.fr/T/#t
-   NOTE: 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=4255d5dcc0657915f90e4fba7e0a5514cced514d
+   NOTE: 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=4255d5dcc0657915f90e4fba7e0a5514cced514d
 (release_9.6.23)
 CVE-2024-30204 (In Emacs before 29.3, LaTeX preview is enabled by default for 
e-mail a ...)
- emacs 1:29.3+1-1 (bug #1067630)
[bookworm] - emacs  (Minor issue, will be fixed via point 
release)
@@ -10719,8 +10719,9 @@ CVE-2024-30202 (In Emacs before 29.3, arbitrary Lisp 
code is evaluated as part o
NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html
NOTE: 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb
NOTE: https://list.orgmode.org/87o7b3eczr@bzg.fr/T/#t
-   NOTE: 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9
-   NOTE: Introduced by: 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8abdbbee395f284f2262a89187d662eaf40080b1
+   NOTE: 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9
 (release_9.6.23)
+   NOTE: Introduced by: 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8abdbbee395f284f2262a89187d662eaf40080b1
 (release_9.5)
+   NOTE: Introduced by: 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=bf9ec3d91a79414deac039f7bf83352a9b0a9a85
 (emacs-28.0.90)
NOTE: org-mode/9.5.2+dfsh-5 dropped all lisp files from the produced 
binary packages
NOTE: making an empty dependency package only.
 CVE-2024-2865 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
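
Review bot: The two `Introduced by:` NOTEs (org-mode release_9.5, emacs-28.0.90) are the facts that decide which suites are affected, so the entry's per-suite lines should reflect them: buster's emacs is 1:26.1 (see the DLA-3801-1 entry in this thread), which predates emacs-28.0.90, so a `[buster]` not-affected-style line citing this NOTE would complete the picture. The `org-mode/9.5.2+dfsh-5` context line (dfsh is likely a typo for dfsg) is likewise what justifies bookworm's dependency-package remark and should read correctly.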



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0388317923da14943723872f5d267e5613c31b01...14f3d07e974300c9db0ac010f8904a2deefecd32

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Reserve DLA-3800-1 for ruby-rack

2024-04-29 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03883179 by Adrian Bunk at 2024-04-29T12:26:12+03:00
Reserve DLA-3800-1 for ruby-rack

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[29 Apr 2024] DLA-3800-1 ruby-rack - security update
+   {CVE-2024-25126 CVE-2024-26141 CVE-2024-26146}
+   [buster] - ruby-rack 2.0.6-3+deb10u4
 [28 Apr 2024] DLA-3799-1 trafficserver - security update
{CVE-2024-31309}
[buster] - trafficserver 8.1.7-0+deb10u4
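Review bot: the new DLA-3800-1 entry follows the shape of the DLA-3799-1 entry below it, but this commit touches only data/DLA/list and data/dla-needed.txt, so the [buster] lines of CVE-2024-25126, CVE-2024-26141 and CVE-2024-26146 in data/CVE/list still have to carry ruby-rack 2.0.6-3+deb10u4 for the tracker to show buster as fixed; if that landed in a separate commit this is fine, otherwise it is the follow-up to make before the advisory goes out.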


=
data/dla-needed.txt
=
@@ -258,10 +258,6 @@ ring
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230928: will be likely hard to fix see 
https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
 --
-ruby-rack (Adrian Bunk)
-  NOTE: 20240306: Added by Front-Desk (opal)
-  NOTE: 20240408: waiting for feedback from Debian maintainer (bunk)
---
 runc (dleidert)
   NOTE: 20240312: Added by coordinator (roberto)
   NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in 
bullseye.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0388317923da14943723872f5d267e5613c31b01



[Git][security-tracker-team/security-tracker][master] LTS: reclaim org-mode

2024-04-29 Thread Sean Whitton (@spwhitton)


Sean Whitton pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8fd3cf99 by Sean Whitton at 2024-04-29T09:31:58+01:00
LTS: reclaim org-mode

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -213,7 +213,7 @@ nvidia-graphics-drivers-legacy-390xx
   NOTE: 20240303: Added by Front-Desk (apo)
   NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk)
 --
-org-mode
+org-mode (Sean Whitton)
   NOTE: 20240405: Added by Front-Desk (lamby)
 --
 pdns-recursor
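Review bot: the claim is recorded only as the name in parentheses, while the surrounding entries keep one dated NOTE line per event (for example "NOTE: 20240405: Added by Front-Desk (lamby)" directly below); adding a "NOTE: 20240429: ..." line saying that the package was reclaimed and what the plan is would keep the history readable for whoever looks at this entry next.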



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fd3cf9986d2162f6e755b5f5f2144ace406790d



[Git][security-tracker-team/security-tracker][master] CVE-2023-51794/qemu: buster postponed

2024-04-29 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bde8f63a by Sylvain Beucler at 2024-04-29T10:24:33+02:00
CVE-2023-51794/qemu: buster postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -538,6 +538,7 @@ CVE-2023-51794 (Buffer Overflow vulnerability in Ffmpeg 
v.N113007-g8d24a28d06 al
- ffmpeg 
[bookworm] - ffmpeg  (Pick up when fixed in 5.1.x)
[bullseye] - ffmpeg  (Pick up when fixed in 4.3.x)
+   [buster] - ffmpeg  (Pick up when fixed in 4.1.x)
NOTE: https://trac.ffmpeg.org/ticket/10746
NOTE: Fixed in 
https://github.com/ffmpeg/FFmpeg/commit/50f0f8c53c818f73fe2d752708e2fa9d2a2d8a07
 (n7.0)
 CVE-2023-51365 (A path traversal vulnerability has been reported to affect 
several QNA ...)
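Review bot: the commit title says "CVE-2023-51794/qemu", but the entry changed here is the ffmpeg one (CVE-2023-51794, Buffer Overflow vulnerability in Ffmpeg) and there is no qemu line in the hunk; the message cannot be amended after the push, but the mismatch is worth knowing about when searching the history later. The added [buster] postponement itself is consistent with the bookworm (5.1.x) and bullseye (4.3.x) lines above it, naming the 4.1.x branch for buster, and the upstream fix being tagged n7.0 means the branch backport is what to watch for.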
@@ -2297,7 +2298,7 @@ CVE-2024-31582 (FFmpeg version n6.1 was discovered to 
contain a heap buffer over
- ffmpeg 
[bookworm] - ffmpeg  (Pick up when fixed in 5.1.x)
[bullseye] - ffmpeg  (Pick up when fixed in 4.3.x)
-   [buster] - ffmpeg  (Pick up when fixed in 4.3.x)
+   [buster] - ffmpeg  (Pick up when fixed in 4.1.x)
NOTE: Fixed by 
https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2
 (n7.0)
 CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper 
validation o ...)
[experimental] - ffmpeg 7:7.0-1
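Review bot: the buster line here changes from 4.3.x, which is the bullseye branch copied verbatim from the line above it, to 4.1.x; since the same three-line suite block appears under CVE-2023-51794 as well, it is worth grepping data/CVE/list for other "[buster] - ffmpeg" lines that still say 4.3.x, as the same copy-paste slip is likely to exist elsewhere.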



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bde8f63a44ded7717328ac0e0526cb864f913db9



[Git][security-tracker-team/security-tracker][master] automatic update

2024-04-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0f8fa9a7 by security tracker role at 2024-04-29T08:12:12+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,119 @@
+CVE-2024-4303 (ArmorX Android APP's multi-factor authentication (MFA) for the 
login f ...)
+   TODO: check
+CVE-2024-4302 (Super 8 Live Chat online customer service platform fails to 
properly f ...)
+   TODO: check
+CVE-2024-4301 (N-Reporter and N-Cloud, products of the N-Partner, have an OS 
Command  ...)
+   TODO: check
+CVE-2024-4300 (E-WEBInformationCo. FS-EZViewer(Web) exposes sensitive 
information in  ...)
+   TODO: check
+CVE-2024-4299 (The system configuration interface of HGiga iSherlock 
(including MailS ...)
+   TODO: check
+CVE-2024-4298 (The email search interface of HGiga iSherlock (including 
MailSherlock, ...)
+   TODO: check
+CVE-2024-4297 (The system configuration interface of HGiga iSherlock 
(including MailS ...)
+   TODO: check
+CVE-2024-4296 (The account management interface of HGiga iSherlock (including 
MailShe ...)
+   TODO: check
+CVE-2024-3196 (A vulnerability was found in MailCleaner up to 2023.03.14. It 
has been ...)
+   TODO: check
+CVE-2024-3195 (A vulnerability was found in MailCleaner up to 2023.03.14. It 
has been ...)
+   TODO: check
+CVE-2024-3194 (A vulnerability was found in MailCleaner up to 2023.03.14 and 
classifi ...)
+   TODO: check
+CVE-2024-3193 (A vulnerability has been found in MailCleaner up to 2023.03.14 
and cla ...)
+   TODO: check
+CVE-2024-3192 (A vulnerability, which was classified as problematic, was found 
in Mai ...)
+   TODO: check
+CVE-2024-3191 (A vulnerability, which was classified as critical, has been 
found in M ...)
+   TODO: check
+CVE-2024-33905 (In Telegram WebK before 2.0.0 (488), a crafted Mini Web App 
allows XSS ...)
+   TODO: check
+CVE-2024-33904 (In plugins/HookSystem.cpp in Hyprland through 0.39.1 (before 
28c8561), ...)
+   TODO: check
+CVE-2024-33903 (In CARLA through 0.9.15.2, the collision sensor mishandles 
some situat ...)
+   TODO: check
+CVE-2024-33899 (RARLAB WinRAR before 7.00, on Linux and UNIX platforms, allows 
attacke ...)
+   TODO: check
+CVE-2024-33891 (Delinea Secret Server before 11.7.01 allows attackers to 
bypass au ...)
+   TODO: check
+CVE-2024-33686 (Missing Authorization vulnerability in Extend Themes Pathway, 
Extend T ...)
+   TODO: check
+CVE-2024-33681 (Cross-Site Request Forgery (CSRF) vulnerability in Sandor 
Kovacs Regen ...)
+   TODO: check
+CVE-2024-33649 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2024-33648 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2024-33646 (Cross-Site Request Forgery (CSRF) vulnerability in Toast 
Plugins Stick ...)
+   TODO: check
+CVE-2024-33645 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2024-33643 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2024-33641 (Deserialization of Untrusted Data vulnerability in Team Yoast 
Custom f ...)
+   TODO: check
+CVE-2024-33640 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2024-33637 (Insertion of Sensitive Information into Log File vulnerability 
in Soli ...)
+   TODO: check
+CVE-2024-33634 (Server-Side Request Forgery (SSRF) vulnerability in Piotnet 
Piotnet Ad ...)
+   TODO: check
+CVE-2024-33633 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2024-33632 (Cross-Site Request Forgery (CSRF) vulnerability in Piotnet 
Piotnet Add ...)
+   TODO: check
+CVE-2024-33631 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2024-33630 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2024-33629 (Server-Side Request Forgery (SSRF) vulnerability in Creative 
Motion Au ...)
+   TODO: check
+CVE-2024-33627 (Server-Side Request Forgery (SSRF) vulnerability in Cusmin 
Absolutely  ...)
+   TODO: check
+CVE-2024-33584 (URL Redirection to Untrusted Site ('Open Redirect') 
vulnerability in D ...)
+   TODO: check
+CVE-2024-33575 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
+   TODO: check
+CVE-2024-33571 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2024-33566 (Missing Authorization vulnerability in N-Media OrderConvo 
allows OS Co ...)
+   TODO: check
+CVE-2024-33562 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+