[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40533/tinyproxy

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b72f4df7 by Salvatore Bonaccorso at 2024-05-02T07:55:54+02:00
Add CVE-2023-40533/tinyproxy

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -131,7 +131,8 @@ CVE-2023-46295 (An issue was discovered in Teledyne FLIR 
M300 2.00-19. Unauthent
 CVE-2023-46294 (An issue was discovered in Teledyne FLIR M300 2.00-19. User 
account pa ...)
NOT-FOR-US: Teledyne FLIR M300
 CVE-2023-40533 (An uninitialized memory use vulnerability exists in Tinyproxy 
1.11.1 w ...)
-   TODO: check
+   - tinyproxy 
+   NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902
 CVE-2024-27392 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
- linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/8d0d2447394b13fb22a069f0330f9c49b7fff9d3 (6.9-rc1)
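Review bot: the new `- tinyproxy ` line records the package as affected in unstable but carries neither a fixed version nor a `(bug #NNNNNN)` reference, so the entry will sit open-ended with only the TALOS report as a pointer. Once triage against that report is done, the line should gain the upstream fix version or a Debian bug number, the way the dcmtk entry elsewhere in this digest does, and a `[release] - tinyproxy (Minor issue)` tag if the stable releases are to be handled via point release rather than DSA.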



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b72f4df778ca3c560b7ad1155b1be3be266b8faa

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b72f4df778ca3c560b7ad1155b1be3be266b8faa
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Track proposed update for wpa via bullseye-pu

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
675f09a0 by Salvatore Bonaccorso at 2024-05-02T07:20:30+02:00
Track proposed update for wpa via bullseye-pu

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -118,3 +118,5 @@ CVE-2023-34410
[bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
 CVE-2023-33285
[bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
+CVE-2023-52160
+   [bullseye] - wpa 2:2.9.0-21+deb11u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/675f09a006ecdfd7731d0f46eae1ccb89b934fe4



[Git][security-tracker-team/security-tracker][master] Track proposed update for qtbase-opensource-src via bullseye-pu

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a59f609f by Salvatore Bonaccorso at 2024-05-02T07:18:17+02:00
Track proposed update for qtbase-opensource-src via bullseye-pu

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -98,3 +98,23 @@ CVE-2024-30205
[bullseye] - org-mode 9.4.0+dfsg-1+deb11u2
 CVE-2023-52723
[bullseye] - libkf5ksieve 4:20.08.3-1+deb11u1
+CVE-2024-25580
+   [bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
+CVE-2023-32763
+   [bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
+CVE-2022-25255
+   [bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
+CVE-2023-24607
+   [bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
+CVE-2023-32762
+   [bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
+CVE-2023-51714
+   [bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
+CVE-2023-38197
+   [bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
+CVE-2023-37369
+   [bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
+CVE-2023-34410
+   [bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
+CVE-2023-33285
+   [bullseye] - qtbase-opensource-src 5.15.2+dfsg-9+deb11u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a59f609f4ae3dad2244323c55eae5e13f6e1d137



[Git][security-tracker-team/security-tracker][master] Track proposed org-mode update via bullseye-pu

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2c4ae82a by Salvatore Bonaccorso at 2024-05-02T07:09:49+02:00
Track proposed org-mode update via bullseye-pu

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -89,9 +89,12 @@ CVE-2024-24814
[bullseye] - libapache2-mod-auth-openidc 2.4.9.4-0+deb11u4
 CVE-2024-30203
[bullseye] - emacs 1:27.1+1-3.1+deb11u3
+   [bullseye] - org-mode 9.4.0+dfsg-1+deb11u2
 CVE-2024-30204
[bullseye] - emacs 1:27.1+1-3.1+deb11u3
+   [bullseye] - org-mode 9.4.0+dfsg-1+deb11u2
 CVE-2024-30205
[bullseye] - emacs 1:27.1+1-3.1+deb11u3
+   [bullseye] - org-mode 9.4.0+dfsg-1+deb11u2
 CVE-2023-52723
[bullseye] - libkf5ksieve 4:20.08.3-1+deb11u1
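Review bot: listing `[bullseye] - org-mode 9.4.0+dfsg-1+deb11u2` next to the existing emacs line for each of CVE-2024-30203, -30204 and -30205 is the right shape: the file already tracks both source packages for these CVEs, so each needs its own fixed version or the tracker keeps reporting the other one as unfixed. Check that the three org-mode lines carry the same version string, which they do here, since a typo in one of three identical lines is easy to miss.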



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c4ae82a353b95accebc15da27382368c7498bec



[Git][security-tracker-team/security-tracker][master] Track proposed update for pypy3 via bookworm-pu

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
17aa8eef by Salvatore Bonaccorso at 2024-05-02T06:55:54+02:00
Track proposed update for pypy3 via bookworm-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -136,3 +136,11 @@ CVE-2024-25580
[bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u2
 CVE-2023-51714
[bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u2
+CVE-2023-24329
+   [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2
+CVE-2023-40217
+   [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2
+CVE-2023-6597
+   [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2
+CVE-2024-0450
+   [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17aa8eef30df6e53f0a4b1d1404713fd2e5913a4



[Git][security-tracker-team/security-tracker][master] Track proposed qtbase-opensource-src update via bookworm-pu

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52aa799f by Salvatore Bonaccorso at 2024-05-02T06:54:17+02:00
Track proposed qtbase-opensource-src update via bookworm-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -132,3 +132,7 @@ CVE-2023-5115
[bookworm] - ansible-core 2.14.16-0+deb12u1
 CVE-2023-52160
[bookworm] - wpa 2:2.10-12+deb12u1
+CVE-2024-25580
+   [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u2
+CVE-2023-51714
+   [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52aa799f79f47ceb355e629d885540a05433440b



[Git][security-tracker-team/security-tracker][master] Remove wpa from dsa-needed list

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
deae7588 by Salvatore Bonaccorso at 2024-05-02T06:53:06+02:00
Remove wpa from dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -88,7 +88,5 @@ squid
 --
 webkit2gtk (berto)
 --
-wpa
---
 zabbix
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/deae7588ba162f5a310d1d3a094ca7cd0d5689e6



[Git][security-tracker-team/security-tracker][master] Track proposed wpa update via bookworm-pu

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
746a8894 by Salvatore Bonaccorso at 2024-05-02T06:52:31+02:00
Track proposed wpa update via bookworm-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -130,3 +130,5 @@ CVE-2023-5764
[bookworm] - ansible-core 2.14.16-0+deb12u1
 CVE-2023-5115
[bookworm] - ansible-core 2.14.16-0+deb12u1
+CVE-2023-52160
+   [bookworm] - wpa 2:2.10-12+deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/746a8894d9ea7ab7410c036becf2e1a288612f94



[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-52160 as no-dsa as update got proposed via bookworm-pu

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b4e91307 by Salvatore Bonaccorso at 2024-05-02T06:51:47+02:00
Mark CVE-2023-52160 as no-dsa as update got proposed via bookworm-pu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21883,6 +21883,8 @@ CVE-2023-40085 (In convertSubgraphFromHAL of 
ShimConverter.cpp, there is a possi
 CVE-2023-52160 (The implementation of PEAP in wpa_supplicant through 2.10 
allows authe ...)
{DLA-3743-1}
- wpa 2:2.10-21.1 (bug #1064061)
+   [bookworm] - wpa  (Minor issue; Will be fixed via point release)
+   [bullseye] - wpa  (Minor issue; can be fixed via point release)
NOTE: 
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c
NOTE: https://www.top10vpn.com/research/wifi-vulnerabilities/
NOTE: 
https://lists.infradead.org/pipermail/hostap/2024-February/042362.html
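Review bot: the two added lines say the same thing in different words, `(Minor issue; Will be fixed via point release)` for bookworm and `(Minor issue; can be fixed via point release)` for bullseye, with inconsistent capitalisation after the semicolon. Since both releases now have a tracked point-release entry for CVE-2023-52160 in other commits of this digest, use one phrasing for both, e.g. `(Minor issue; will be fixed via point release)`.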



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4e913070d285fbf0afced3ebea6312a1c3f46b9



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-26793/libmodbus

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b1231d87 by Salvatore Bonaccorso at 2024-05-02T06:41:18+02:00
Add CVE-2023-26793/libmodbus

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -80645,7 +80645,8 @@ CVE-2023-26795
 CVE-2023-26794
RESERVED
 CVE-2023-26793 (libmodbus v3.1.10 has a heap-based buffer overflow 
vulnerability in re ...)
-   TODO: check
+   - libmodbus 
+   NOTE: https://github.com/stephane/libmodbus/issues/683
 CVE-2023-26792
RESERVED
 CVE-2023-26791
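Review bot: `- libmodbus ` is added with no fixed version and no bug reference, and the only NOTE is the upstream issue rather than a fix. The description names libmodbus v3.1.10 as affected, so a follow-up should record the fixed upstream version or fix commit once one exists and add a `(bug #NNNNNN)` reference, as the dcmtk and wpa entries elsewhere in this digest do.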



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1231d87898ec6757d9cf47a196b8ef7ecdb529f



[Git][security-tracker-team/security-tracker][master] 2 commits: Process some NFUs

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
88197b2c by Salvatore Bonaccorso at 2024-05-01T23:11:19+02:00
Process some NFUs

- - - - -
23a51ae2 by Salvatore Bonaccorso at 2024-05-01T23:11:21+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,51 +1,51 @@
 CVE-2024-33835 (Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in 
the remo ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2024-33820 (Totolink AC1200 Wireless Dual Band Gigabit Router A3002R_V4 
Firmware V ...)
-   TODO: check
+   NOT-FOR-US: Totolink
 CVE-2024-33775 (An issue with the Autodiscover component in Nagios XI 
2024R1.01 allows ...)
-   TODO: check
+   NOT-FOR-US: Nagios XI
 CVE-2024-33518 (An unauthenticated Denial-of-Service (DoS) vulnerability 
exists in the ...)
-   TODO: check
+   NOT-FOR-US: HPE Aruba Networking
 CVE-2024-33517 (An unauthenticated Denial-of-Service (DoS) vulnerability 
exists in the ...)
-   TODO: check
+   NOT-FOR-US: HPE Aruba Networking
 CVE-2024-33516 (An unauthenticated Denial of Service (DoS) vulnerability 
exists in the ...)
-   TODO: check
+   NOT-FOR-US: HPE Aruba Networking
 CVE-2024-33515 (Unauthenticated Denial-of-Service (DoS) vulnerabilities exist 
in the A ...)
-   TODO: check
+   NOT-FOR-US: HPE Aruba Networking
 CVE-2024-33514 (Unauthenticated Denial-of-Service (DoS) vulnerabilities exist 
in the A ...)
-   TODO: check
+   NOT-FOR-US: HPE Aruba Networking
 CVE-2024-33513 (Unauthenticated Denial-of-Service (DoS) vulnerabilities exist 
in the A ...)
-   TODO: check
+   NOT-FOR-US: HPE Aruba Networking
 CVE-2024-33512 (There is a buffer overflow vulnerability in the underlying 
Local User  ...)
-   TODO: check
+   NOT-FOR-US: HPE Aruba Networking
 CVE-2024-33511 (There is a buffer overflow vulnerability in the underlying 
Automatic R ...)
-   TODO: check
+   NOT-FOR-US: HPE Aruba Networking
 CVE-2024-33442 (An issue in flusity-CMS v.2.33 allows a remote attacker to 
execute arb ...)
-   TODO: check
+   NOT-FOR-US: flusity-CMS
 CVE-2024-33431 (An issue in phiola/src/afilter/conv.c:115 of phiola v2.0-rc22 
allows a ...)
-   TODO: check
+   NOT-FOR-US: phiola
 CVE-2024-33430 (An issue in phiola/src/afilter/pcm_convert.h:513 of phiola 
v2.0-rc22 a ...)
-   TODO: check
+   NOT-FOR-US: phiola
 CVE-2024-33429 (Buffer-Overflow vulnerability at pcm_convert.h:513 of phiola 
v2.0-rc22 ...)
-   TODO: check
+   NOT-FOR-US: phiola
 CVE-2024-33428 (Buffer-Overflow vulnerability at conv.c:68 of stsaz phiola 
v2.0-rc22 a ...)
-   TODO: check
+   NOT-FOR-US: phiola
 CVE-2024-33424 (A cross-site scripting (XSS) vulnerability in the Settings 
menu of CMS ...)
-   TODO: check
+   NOT-FOR-US: CMSimple
 CVE-2024-33423 (Cross-Site Scripting (XSS) vulnerability in the Settings menu 
of CMSim ...)
-   TODO: check
+   NOT-FOR-US: CMSimple
 CVE-2024-33393 (An issue in spidernet-io spiderpool v.0.9.3 and before allows 
a local  ...)
TODO: check
 CVE-2024-33307 (SourceCodester Laboratory Management System 1.0 is vulnerable 
to Cross ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Laboratory Management System
 CVE-2024-33306 (SourceCodester Laboratory Management System 1.0 is vulnerable 
to Cross ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Laboratory Management System
 CVE-2024-33304 (SourceCodester Product Show Room 1.0 is vulnerable to Cross 
Site Scrip ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Product Show Room
 CVE-2024-33300 (Typora v1.0.0 through v1.7 version (below) Markdown editor has 
a cross ...)
-   TODO: check
+   NOT-FOR-US: Typora
 CVE-2024-33292 (SQL Injection vulnerability in Realisation MGSD v.1.0 allows a 
remote  ...)
-   TODO: check
+   NOT-FOR-US: Realisation MGSD
 CVE-2024-33078 (Tencent Libpag v4.3 is vulnerable to Buffer Overflow. A user 
can send  ...)
TODO: check
 CVE-2024-32984 (Yamux is a stream multiplexer over reliable, ordered 
connections such  ...)
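Review bot: the `NOT-FOR-US:` labels mix bare vendor names (`Tenda`, `Totolink`, `HPE Aruba Networking`) with full product names (`SourceCodester Laboratory Management System`); the surrounding context lines use whichever string identifies the product, so this is consistent with the file, but the HPE Aruba entries could cite the product family named in the descriptions for easier grepping later. The entries left at `TODO: check` in this hunk (spidernet-io spiderpool and Tencent Libpag) are correctly excluded from the bulk NFU pass rather than guessed at.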
@@ -55,13 +55,13 @@ CVE-2024-32979 (Nautobot is a Network Source of Truth and 
Network Automation Pla
 CVE-2024-32973 (Pluto is a superset of Lua 5.4 with a focus on general-purpose 
program ...)
TODO: check
 CVE-2024-32213 (The LoMag WareHouse Management application version 1.0.20.120 
and olde ...)
-   TODO: check
+   NOT-FOR-US: LoMag WareHouse Management application
 CVE-2024-32212 (SQL Injection vulnerability in LOGINT LoMag Inventory 
Management v1.0. ...)
-   TODO: check
+   NOT-FOR-US: LOGINT LoMag Inventory Management
 CVE-2024-32211 (An issue in LOGINT LoMag Inventory Management v1.0.20.120 and 
before a ...)
-   TODO: check
+   NOT-FOR-US: LOGINT LoMag Inventory Management
 CVE-2024-32210 (The LoMag 

[Git][security-tracker-team/security-tracker][master] pypy3: Missed that CVE-2021-28861 is fixed

2024-05-01 Thread Stefano Rivera (@stefanor)


Stefano Rivera pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cd52008d by Stefano Rivera at 2024-05-01T16:48:36-04:00
pypy3: Missed that CVE-2021-28861 is fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -225792,7 +225792,7 @@ CVE-2021-28861 (Python 3.x through 3.10 has an open 
redirection vulnerability in
- python3.9  (unimportant)
- python3.7  (unimportant)
- python2.7  (unimportant)
-   - pypy3  (unimportant)
+   - pypy3 7.3.10+dfsg-1 (unimportant)
NOTE: https://bugs.python.org/issue43223
NOTE: https://github.com/python/cpython/pull/93879
NOTE: 
https://github.com/python/cpython/commit/e2e8847bf52f4a81490653c6d13b7e3821b2c2be
 (v3.11.0b4)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd52008d24efac55475b987c00d7e4680aecd366



[Git][security-tracker-team/security-tracker][master] pypy3: Missed that CVE-2023-24329 is fixed

2024-05-01 Thread Stefano Rivera (@stefanor)


Stefano Rivera pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eefb9ee9 by Stefano Rivera at 2024-05-01T16:18:46-04:00
pypy3: Missed that CVE-2023-24329 is fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -88295,7 +88295,7 @@ CVE-2023-24329 (An issue in the urllib.parse component 
of Python before 3.11.4 a
[buster] - python3.7  (Cf. related CVE-2022-0391)
- python2.7 
[bullseye] - python2.7 2.7.18-8+deb11u1
-   - pypy3 
+   - pypy3 7.3.12+dfsg-1
[bookworm] - pypy3  (Minor issue)
[bullseye] - pypy3  (Minor issue)
[buster] - pypy3  (Minor issue)
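Review bot: the `[bookworm] - pypy3  (Minor issue)` tag kept in context is consistent with the bookworm-pu tracking entry for CVE-2023-24329 added in another commit of this digest (`pypy3 7.3.11+dfsg-2+deb12u2`); once that point release ships, the no-dsa tag should be replaced with that fixed version, otherwise the tracker will keep showing bookworm as unfixed-but-ignored.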



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eefb9ee9bd222e62364dba45a3ee953d63b20292



[Git][security-tracker-team/security-tracker][master] Reference upstream issue for CVE-2023-46566

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6ef02d59 by Salvatore Bonaccorso at 2024-05-01T22:16:01+02:00
Reference upstream issue for CVE-2023-46566

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1137,6 +1137,7 @@ CVE-2023-46960 (Buffer Overflow vulnerability in PyPXE 
v.1.8.4 allows a remote a
NOT-FOR-US: PyPXE
 CVE-2023-46566 (Buffer Overflow vulnerability in msoulier tftpy commit 
467017b844bf6e3 ...)
- tftpy 
+   NOTE: https://github.com/msoulier/tftpy/issues/140
 CVE-2023-31889 (An issue discovered in httpd in ASUS RT-AC51U with firmware 
version up ...)
NOT-FOR-US: ASUS
 CVE-2024-4310 (Cross-site Scripting (XSS) vulnerability in HubBank affecting 
version  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ef02d593542c82cd329647a4678cd9a15aa5f19



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7cb76107 by security tracker role at 2024-05-01T20:12:12+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,342 +1,476 @@
-CVE-2024-27392 [nvme: host: fix double-free of struct nvme_id_ns in 
ns_update_nuse()]
+CVE-2024-33835 (Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in 
the remo ...)
+   TODO: check
+CVE-2024-33820 (Totolink AC1200 Wireless Dual Band Gigabit Router A3002R_V4 
Firmware V ...)
+   TODO: check
+CVE-2024-33775 (An issue with the Autodiscover component in Nagios XI 
2024R1.01 allows ...)
+   TODO: check
+CVE-2024-33518 (An unauthenticated Denial-of-Service (DoS) vulnerability 
exists in the ...)
+   TODO: check
+CVE-2024-33517 (An unauthenticated Denial-of-Service (DoS) vulnerability 
exists in the ...)
+   TODO: check
+CVE-2024-33516 (An unauthenticated Denial of Service (DoS) vulnerability 
exists in the ...)
+   TODO: check
+CVE-2024-33515 (Unauthenticated Denial-of-Service (DoS) vulnerabilities exist 
in the A ...)
+   TODO: check
+CVE-2024-33514 (Unauthenticated Denial-of-Service (DoS) vulnerabilities exist 
in the A ...)
+   TODO: check
+CVE-2024-33513 (Unauthenticated Denial-of-Service (DoS) vulnerabilities exist 
in the A ...)
+   TODO: check
+CVE-2024-33512 (There is a buffer overflow vulnerability in the underlying 
Local User  ...)
+   TODO: check
+CVE-2024-33511 (There is a buffer overflow vulnerability in the underlying 
Automatic R ...)
+   TODO: check
+CVE-2024-33442 (An issue in flusity-CMS v.2.33 allows a remote attacker to 
execute arb ...)
+   TODO: check
+CVE-2024-33431 (An issue in phiola/src/afilter/conv.c:115 of phiola v2.0-rc22 
allows a ...)
+   TODO: check
+CVE-2024-33430 (An issue in phiola/src/afilter/pcm_convert.h:513 of phiola 
v2.0-rc22 a ...)
+   TODO: check
+CVE-2024-33429 (Buffer-Overflow vulnerability at pcm_convert.h:513 of phiola 
v2.0-rc22 ...)
+   TODO: check
+CVE-2024-33428 (Buffer-Overflow vulnerability at conv.c:68 of stsaz phiola 
v2.0-rc22 a ...)
+   TODO: check
+CVE-2024-33424 (A cross-site scripting (XSS) vulnerability in the Settings 
menu of CMS ...)
+   TODO: check
+CVE-2024-33423 (Cross-Site Scripting (XSS) vulnerability in the Settings menu 
of CMSim ...)
+   TODO: check
+CVE-2024-33393 (An issue in spidernet-io spiderpool v.0.9.3 and before allows 
a local  ...)
+   TODO: check
+CVE-2024-33307 (SourceCodester Laboratory Management System 1.0 is vulnerable 
to Cross ...)
+   TODO: check
+CVE-2024-33306 (SourceCodester Laboratory Management System 1.0 is vulnerable 
to Cross ...)
+   TODO: check
+CVE-2024-33304 (SourceCodester Product Show Room 1.0 is vulnerable to Cross 
Site Scrip ...)
+   TODO: check
+CVE-2024-33300 (Typora v1.0.0 through v1.7 version (below) Markdown editor has 
a cross ...)
+   TODO: check
+CVE-2024-33292 (SQL Injection vulnerability in Realisation MGSD v.1.0 allows a 
remote  ...)
+   TODO: check
+CVE-2024-33078 (Tencent Libpag v4.3 is vulnerable to Buffer Overflow. A user 
can send  ...)
+   TODO: check
+CVE-2024-32984 (Yamux is a stream multiplexer over reliable, ordered 
connections such  ...)
+   TODO: check
+CVE-2024-32979 (Nautobot is a Network Source of Truth and Network Automation 
Platform  ...)
+   TODO: check
+CVE-2024-32973 (Pluto is a superset of Lua 5.4 with a focus on general-purpose 
program ...)
+   TODO: check
+CVE-2024-32213 (The LoMag WareHouse Management application version 1.0.20.120 
and olde ...)
+   TODO: check
+CVE-2024-32212 (SQL Injection vulnerability in LOGINT LoMag Inventory 
Management v1.0. ...)
+   TODO: check
+CVE-2024-32211 (An issue in LOGINT LoMag Inventory Management v1.0.20.120 and 
before a ...)
+   TODO: check
+CVE-2024-32210 (The LoMag WareHouse Management application version 1.0.20.120 
and olde ...)
+   TODO: check
+CVE-2024-31413 (Free of pointer not at start of buffer vulnerability exists in 
CX-One  ...)
+   TODO: check
+CVE-2024-31412 (Out-of-bounds read vulnerability exists in CX-Programmer 
included in C ...)
+   TODO: check
+CVE-2024-30176 (In Logpoint before 7.4.0, an attacker can enumerate a valid 
list of us ...)
+   TODO: check
+CVE-2024-29011 (Use of hard-coded password in the GMS ECM endpoint leading to 
authenti ...)
+   TODO: check
+CVE-2024-29010 (The XML document processed in the GMS ECM URL endpoint is 
vulnerable t ...)
+   TODO: check
+CVE-2024-28893 (Certain HP software packages (SoftPaqs) are potentially 
vulnerable to  ...)
+   TODO: check
+CVE-2024-28775 (IBM WebSphere Automation 1.7.0 is vulnerable to cross-site 
scripting.  ...)
+   TODO: check
+CVE-2024-28764 (IBM WebSphere Automation 1.7.0 could allow an attacker with 
privileged ...)
+   TODO: 
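Review bot: the hunk deletes the placeholder `CVE-2024-27392 [nvme: host: fix double-free of struct nvme_id_ns in ns_update_nuse()]` at the top of the file while the visible portion only adds new `TODO: check` entries. The automatic update should re-insert that CVE further down with its published description (the first commit in this digest shows it with the `In the Linux kernel, the following vulnerability has been resolved` text and its `linux (Vulnerable code not present)` status intact), but the hunk is cut off here before that point, so the re-add and the preservation of the existing status cannot be confirmed from the visible lines.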

[Git][security-tracker-team/security-tracker][master] Add CVE-2024-28130/dcmtk

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
57e5656a by Salvatore Bonaccorso at 2024-05-01T22:07:24+02:00
Add CVE-2024-28130/dcmtk

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2400,7 +2400,7 @@ CVE-2024-2477 (The wpDiscuz plugin for WordPress is 
vulnerable to Stored Cross-S
 CVE-2024-28627 (An issue in Flipsnack v.18/03/2024 allows a local attacker to 
obtain s ...)
NOT-FOR-US: Flipsnack
 CVE-2024-28130 (An incorrect type conversion vulnerability exists in the 
DVPSSoftcopyV ...)
-   - dcmtk 
+   - dcmtk  (bug #1070207)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1957
NOTE: https://support.dcmtk.org/redmine/issues/1120
NOTE: 
https://github.com/DCMTK/dcmtk/commit/601b227eecaab33a3a3a11dc256d84b1a62f63af



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57e5656a361194bbd4378b52184ce20bb2060397



[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2020-14931/dmitry

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d8f5903 by Salvatore Bonaccorso at 2024-05-01T22:06:27+02:00
Reference upstream commit for CVE-2020-14931/dmitry

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -289817,6 +289817,7 @@ CVE-2020-14931 (A stack-based buffer overflow in 
DMitry (Deepmagic Information G
[bullseye] - dmitry  (Minor issue)
NOTE: https://github.com/jaygreig86/dmitry/issues/4
NOTE: https://github.com/jaygreig86/dmitry/pull/6
+   NOTE: Fixed by: 
https://github.com/jaygreig86/dmitry/commit/da1fda491145719ae15dd36dd37a69bdbba0b192
 CVE-2020-14930 (An issue was discovered in BT CTROMS Terminal OS Port Portal 
CT-464. A ...)
NOT-FOR-US: BT CTROMS Terminal OS Port Portal CT-464
 CVE-2019-20892 (net-snmp before 5.8.1.pre1 has a double free in 
usm_free_usmStateRefer ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d8f590345ba138d3349fcf061ba11fa78aaf7c8



[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-31031

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6c0c1d0f by Salvatore Bonaccorso at 2024-05-01T21:40:38+02:00
Update status for CVE-2024-31031

Up to the version first at least v4.3.0-rc1 upstream the issue is not
present. Update status for src:libcoap and src:libcoap2 as up to the
version removed in unstable in the end the version was not affected.

Thanks: Sylvain Beucler for the triage.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3476,11 +3476,8 @@ CVE-2024-31041 (Null Pointer Dereference vulnerability 
in topic_filtern function
 CVE-2024-31040 (Buffer Overflow vulnerability in the get_var_integer function 
in mqtt_ ...)
NOT-FOR-US: NanoMQ
 CVE-2024-31031 (An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to 
cause un ...)
-   - libcoap 
-   [buster] - libcoap  (Vulnerable code not present)
-   - libcoap2 
-   [bullseye] - libcoap2  (Minor issue)
-   [buster] - libcoap2  (Vulnerable code not present)
+   - libcoap  (Vulnerable code not present)
+   - libcoap2  (Vulnerable code not present)
- libcoap3 
[bookworm] - libcoap3  (Minor issue)
NOTE: https://github.com/obgm/libcoap/issues/1351
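Review bot: the bullseye libcoap2 line goes from `(Minor issue)` to `(Vulnerable code not present)`, which is a reversal of the earlier triage rather than a simplification, and the only reference kept is the upstream issue link; add a NOTE naming the upstream commit or version that introduced the affected code (the commit message points at v4.3.0-rc1) so the not-affected claim for libcoap and libcoap2 can be re-verified without repeating the triage.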



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c0c1d0f734b8c155147f71abfc6ec87d4199666



[Git][security-tracker-team/security-tracker][master] pypy3: Use versions published in unstable, not experimental

2024-05-01 Thread Stefano Rivera (@stefanor)


Stefano Rivera pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
90abd11f by Stefano Rivera at 2024-05-01T15:29:42-04:00
pypy3: Use versions published in unstable, not experimental

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -53505,7 +53505,7 @@ CVE-2022-48566 (An issue was discovered in 
compare_digest in Lib/hmac.py in Pyth
- python3.7 
- python2.7 
[bullseye] - python2.7 2.7.18-8+deb11u1
-   - pypy3 7.3.4~rc1+dfsg-1
+   - pypy3 7.3.5+dfsg-2
NOTE: https://bugs.python.org/issue40791
NOTE: 
https://github.com/python/cpython/commit/8183e11d87388e4e44e3242c42085b87a878f781
 (v3.9.0b2)
NOTE: 
https://github.com/python/cpython/commit/c1bbca5b004b3f74d240ef8a76ff445cc1a27efb
 (v3.9.1rc1)
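Review bot: replacing `7.3.4~rc1+dfsg-1` with `7.3.5+dfsg-2` discards the record that the fix was already present in the experimental upload; where both matter, the file's own convention is a separate `[experimental] - pypy3 7.3.4~rc1+dfsg-1` line beside the unstable one (as the python2.7 entry under CVE-2021-4189 further down does with `2.7.18-13.1~exp1`), so consider keeping the experimental version that way instead of dropping it. The same consideration applies to the other hunks in this commit.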
@@ -53518,7 +53518,7 @@ CVE-2022-48565 (An XML External Entity (XXE) issue was 
discovered in Python thro
- python3.7 
- python2.7 
[bullseye] - python2.7 2.7.18-8+deb11u1
-   - pypy3 7.3.4~rc1+dfsg-1
+   - pypy3 7.3.5+dfsg-2
NOTE: https://bugs.python.org/issue42051
NOTE: https://github.com/python/cpython/issues/86217
NOTE: 
https://github.com/python/cpython/commit/05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2
 (v3.10.0a2)
@@ -53531,7 +53531,7 @@ CVE-2022-48564 (read_ints in plistlib.py in Python 
through 3.9.1 is vulnerable t
- python3.9 3.9.1~rc1-1
- python3.7 
- python2.7  (In 2.7, the plistlib parser only supports 
XML and not the affected binary format)
-   - pypy3 7.3.4~rc1+dfsg-1
+   - pypy3 7.3.5+dfsg-2
NOTE: https://bugs.python.org/issue42103
NOTE: https://github.com/python/cpython/issues/86269
NOTE: 
https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f
 (v3.10.0a2)
@@ -168597,7 +168597,7 @@ CVE-2022-0391 (A flaw was found in Python, 
specifically within the urllib.parse
- python3.4 
- python2.7 
[bullseye] - python2.7 2.7.18-8+deb11u1
-   - pypy3 7.3.6~rc2+dfsg-1
+   - pypy3 7.3.6+dfsg-1
[bullseye] - pypy3  (Minor issue)
[buster] - pypy3  (Minor issue)
NOTE: https://bugs.python.org/issue43882
@@ -175924,7 +175924,7 @@ CVE-2021-4189 (A flaw was found in Python, 
specifically in the FTP (File Transfe
[experimental] - python2.7 2.7.18-13.1~exp1
- python2.7 2.7.18-13.1
[bullseye] - python2.7  (Python 2.7 in Bullseye not covered by 
security support)
-   - pypy3 7.3.8~rc1+dfsg-1
+   - pypy3 7.3.8+dfsg-1
[bullseye] - pypy3  (Minor issue)
[buster] - pypy3  (Minor issue)
NOTE: https://bugs.python.org/issue43285
@@ -196621,7 +196621,7 @@ CVE-2021-3737 (A flaw was found in python. An 
improperly handled HTTP response i
- python3.4 
- python2.7 
[bullseye] - python2.7  (Unsupported in Bullseye, only 
included to build a few applications)
-   - pypy3 7.3.8~rc1+dfsg-1
+   - pypy3 7.3.8+dfsg-1
[bullseye] - pypy3  (Minor issue)
[buster] - pypy3  (Minor issue)
NOTE: https://bugs.python.org/issue44022
@@ -197832,7 +197832,7 @@ CVE-2021-3733 (There's a flaw in urllib's 
AbstractBasicAuthHandler class. An att
- python3.5 
- python2.7 
[bullseye] - python2.7  (Unsupported in Bullseye, only 
included to build a few applications)
-   - pypy3 7.3.8~rc1+dfsg-1
+   - pypy3 7.3.8+dfsg-1
[bullseye] - pypy3  (Minor issue)
[buster] - pypy3  (Minor issue)
NOTE: https://bugs.python.org/issue43075
@@ -223044,7 +223044,7 @@ CVE-2021-29921 (In Python before 3,9,5, the ipaddress 
library mishandles leading
- python3.9 3.9.7-1 (bug #989195)
[bullseye] - python3.9  (Minor issue)
- python2.7  (Vulnerable code introduced later)
-   - pypy3 7.3.8~rc1+dfsg-1
+   - pypy3 7.3.8+dfsg-1
[buster] - pypy3  (Minor issue)
[bullseye] - pypy3  (Vulnerable code introduced later)
NOTE: https://bugs.python.org/issue36384#msg392423
@@ -260808,7 +260808,7 @@ CVE-2020-27619 (In Python 3 through 3.9.0, the 
Lib/test/multibytecodec_support.p
- python3.8  (unimportant)
- python3.7  (unimportant)
- python2.7  (unimportant)
-   - pypy3 7.3.4~rc1+dfsg-1
+   - pypy3 7.3.5+dfsg-2
NOTE: 
https://python-security.readthedocs.io/vuln/cjk-codec-download-eval.html
NOTE: 
https://github.com/python/cpython/commit/2ef5caa58febc8968e670e39e3d37cf8eef3cab8
 (master)
NOTE: 
https://github.com/python/cpython/commit/a8bf44d04915f7366d9f8dfbf84822ac37a4bab3
 (master)
@@ -264380,7 +264380,7 @@ CVE-2020-26116 (http.client in Python 3.x before 
3.5.10, 3.6.x before 3.6.12, 3.
- python3.5 
- python2.7 
[bullseye] - python2.7  (Unsupported in Bullseye, only 
included to build a few applications)
-   - pypy3 

[Git][security-tracker-team/security-tracker][master] Sync status of some linux CVEs with kernel-sec

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
df1aa63a by Salvatore Bonaccorso at 2024-05-01T21:22:21+02:00
Sync status of some linux CVEs with kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,8 +1,5 @@
 CVE-2024-27392 [nvme: host: fix double-free of struct nvme_id_ns in 
ns_update_nuse()]
-   - linux 
-   [bookworm] - linux  (Vulnerable code not present)
-   [bullseye] - linux  (Vulnerable code not present)
-   [buster] - linux  (Vulnerable code not present)
+   - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/8d0d2447394b13fb22a069f0330f9c49b7fff9d3 (6.9-rc1)
 CVE-2024-27391 [wifi: wilc1000: do not realloc workqueue everytime an 
interface is added]
- linux 6.7.12-1
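Review bot: collapsing the four lines into one `- linux (Vulnerable code not present)` also changes the unstable status, which the removed bare `- linux` line left as open; that is right only if the code fixed in 6.9-rc1 was introduced after what unstable ships (6.7.12-1 according to the neighbouring CVE-2024-27391 entry), so the NOTE should carry the introducing commit or version for the same reason the fixing commit carries `(6.9-rc1)`.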
@@ -65,22 +62,13 @@ CVE-2024-27072 [media: usbtv: Remove useless locks in 
usbtv_video_free()]
- linux 
NOTE: 
https://git.kernel.org/linus/65e6a2773d655172143cc0b927cdc89549842895 (6.9-rc1)
 CVE-2024-27071 [backlight: hx8357: Fix potential NULL pointer dereference]
-   - linux 
-   [bookworm] - linux  (Vulnerable code not present)
-   [bullseye] - linux  (Vulnerable code not present)
-   [buster] - linux  (Vulnerable code not present)
+   - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/b1ba8bcb2d1ffce11b308ce166c9cc28d989e3b9 (6.9-rc1)
 CVE-2024-27070 [f2fs: fix to avoid use-after-free issue in f2fs_filemap_fault]
-   - linux 
-   [bookworm] - linux  (Vulnerable code not present)
-   [bullseye] - linux  (Vulnerable code not present)
-   [buster] - linux  (Vulnerable code not present)
+   - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/eb70d5a6c932d9d23f4bb3e7b83782c21ac4b064 (6.9-rc1)
 CVE-2024-27069 [ovl: relax WARN_ON in ovl_verify_area()]
-   - linux 
-   [bookworm] - linux  (Vulnerable code not present)
-   [bullseye] - linux  (Vulnerable code not present)
-   [buster] - linux  (Vulnerable code not present)
+   - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/77a28aa476873048024ad56daf8f4f17d58ee48e (6.9-rc1)
 CVE-2024-27068 [thermal/drivers/mediatek/lvts_thermal: Fix a memory leak in an 
error handling path]
- linux 6.7.12-1
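Review bot: CVE-2024-27072 at the top of this hunk keeps a bare `- linux` with no suite annotations and no fixed version while the four entries below it are collapsed to not-affected; since this commit syncs with kernel-sec, either that entry is genuinely open in every suite, in which case a NOTE saying so would stop it being re-triaged, or it was missed in the sync.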



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df1aa63aea5ff25dcbbda48939d1ed17910a85c1



[Git][security-tracker-team/security-tracker][master] Update cPython versions that pypy3 embeds

2024-05-01 Thread Stefano Rivera (@stefanor)


Stefano Rivera pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
801a211f by Stefano Rivera at 2024-05-01T15:13:55-04:00
Update cPython versions that pypy3 embeds

- - - - -


1 changed file:

- data/embedded-code-copies


Changes:

=
data/embedded-code-copies
=
@@ -1677,6 +1677,14 @@ python3.7
- pypy3  (fork)
NOTE: embeds stdlib
 
+python3.8
+   - pypy3  (fork)
+   NOTE: embeds stdlib
+
+python3.9
+   - pypy3  (fork)
+   NOTE: embeds stdlib
+
 argparse
- twill  (embed; bug #555347)
- ipython  (embed; bug #555348)
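Review bot: listing pypy3 as a fork of python3.7, python3.8 and python3.9 simultaneously will flag pypy3 for every stdlib CVE in all three series, although any given pypy3 release embeds one stdlib; the `NOTE: embeds stdlib` lines are the place to state which pypy3 upstream versions embed which series, so the per-version triage in the neighbouring pypy3 commits can be matched to the right CPython branch.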



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/801a211fff0f34f615ac5dde6433f00ff42a8032



[Git][security-tracker-team/security-tracker][master] Triage of Python bugs that affect pypy3

2024-05-01 Thread Stefano Rivera (@stefanor)


Stefano Rivera pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9efceb85 by Stefano Rivera at 2024-05-01T14:55:54-04:00
Triage of Python bugs that affect pypy3

Applied the same triage as was already applied to the relevant cPythons

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13409,6 +13409,7 @@ CVE-2024-1144 (Improper access control vulnerability in 
Devklan's Alma Blog that
NOT-FOR-US: Devklan's Alma Blog
 CVE-2024-0450 (An issue was found in the CPython `zipfile` module affecting 
versions  ...)
{DLA-3772-1 DLA-3771-1}
+   - pypy3 7.3.16+dfsg-1
- python3.12 3.12.2-1
- python3.11 3.11.8-1 (bug #1070133)
- python3.10 
@@ -13433,6 +13434,10 @@ CVE-2023-6597 (An issue was found in the CPython 
`tempfile.TemporaryDirectory` c
[bullseye] - python3.9  (Minor issue)
- python3.7 
- python2.7  (tempfile.TemporaryDirectory added in 3.2)
+   - pypy3 7.3.13+dfsg-1
+   [bookworm] - pypy3  (Minor issue)
+   [bullseye] - pypy3  (Minor issue)
+   [buster] - pypy3  (Minor issue)
NOTE: https://github.com/python/cpython/pull/99930
NOTE: https://github.com/python/cpython/issues/91133
NOTE: 
https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5
 (v3.12.1)
@@ -53512,6 +53517,7 @@ CVE-2022-48566 (An issue was discovered in 
compare_digest in Lib/hmac.py in Pyth
- python3.7 
- python2.7 
[bullseye] - python2.7 2.7.18-8+deb11u1
+   - pypy3 7.3.4~rc1+dfsg-1
NOTE: https://bugs.python.org/issue40791
NOTE: 
https://github.com/python/cpython/commit/8183e11d87388e4e44e3242c42085b87a878f781
 (v3.9.0b2)
NOTE: 
https://github.com/python/cpython/commit/c1bbca5b004b3f74d240ef8a76ff445cc1a27efb
 (v3.9.1rc1)
@@ -53524,6 +53530,7 @@ CVE-2022-48565 (An XML External Entity (XXE) issue was 
discovered in Python thro
- python3.7 
- python2.7 
[bullseye] - python2.7 2.7.18-8+deb11u1
+   - pypy3 7.3.4~rc1+dfsg-1
NOTE: https://bugs.python.org/issue42051
NOTE: https://github.com/python/cpython/issues/86217
NOTE: 
https://github.com/python/cpython/commit/05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2
 (v3.10.0a2)
@@ -53536,6 +53543,7 @@ CVE-2022-48564 (read_ints in plistlib.py in Python 
through 3.9.1 is vulnerable t
- python3.9 3.9.1~rc1-1
- python3.7 
- python2.7  (In 2.7, the plistlib parser only supports 
XML and not the affected binary format)
+   - pypy3 7.3.4~rc1+dfsg-1
NOTE: https://bugs.python.org/issue42103
NOTE: https://github.com/python/cpython/issues/86269
NOTE: 
https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f
 (v3.10.0a2)
@@ -79980,6 +79988,10 @@ CVE-2023-27043 (The email module of Python through 
3.11.3 incorrectly parses e-m
- python2.7 
[bullseye] - python2.7  (Unsupported in Bullseye, only 
included to build a few applications)
[buster] - python2.7  (Minor issue, wait until upstream has 
decided whether to backport to older branches)
+   - pypy3 
+   [bookworm] - pypy3  (Minor issue, wait until upstream has 
decided whether to backport to older branches)
+   [bullseye] - pypy3  (Minor issue, wait until upstream has 
decided whether to backport to older branches)
+   [buster] - pypy3  (Minor issue, wait until upstream has 
decided whether to backport to older branches)
NOTE: https://github.com/python/cpython/issues/102988
 CVE-2023-27042 (Tenda AX3 V16.03.12.11 is vulnerable to Buffer Overflow via 
/goform/Se ...)
NOT-FOR-US: Tenda
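Review bot: the three new suite annotations copy python2.7's `wait until upstream has decided whether to backport to older branches`, but for pypy3 the relevant upstream decision is about whichever CPython stdlib series each pypy3 release embeds, so the annotation should say which series or pypy3 release the wait is tied to; as written, nothing tells the next triager when the wait is over.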
@@ -88163,6 +88175,10 @@ CVE-2023-24329 (An issue in the urllib.parse component 
of Python before 3.11.4 a
[buster] - python3.7  (Cf. related CVE-2022-0391)
- python2.7 
[bullseye] - python2.7 2.7.18-8+deb11u1
+   - pypy3 
+   [bookworm] - pypy3  (Minor issue)
+   [bullseye] - pypy3  (Minor issue)
+   [buster] - pypy3  (Minor issue)
NOTE: https://pointernull.com/security/python-url-parse-problem.html
NOTE: https://github.com/python/cpython/pull/99421
NOTE: https://github.com/python/cpython/pull/99446 (backport for 3.11 
branch)
@@ -105870,6 +105886,9 @@ CVE-2022-45061 (An issue was discovered in Python 
before 3.11.1. An unnecessary
- python3.7 
- python2.7 
[bullseye] - python2.7  (Unsupported in Bullseye, only 
included to build a few applications)
+   - pypy3 7.3.11+dfsg-1
+   [bullseye] - pypy3  (Minor issue)
+   [buster] - pypy3  (Minor issue)
NOTE: https://github.com/python/cpython/issues/98433
NOTE: https://github.com/python/cpython/pull/99092
NOTE: 
https://github.com/python/cpython/commit/a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15
 (v3.11.1)
@@ -114676,6 +114695,9 @@ 

[Git][security-tracker-team/security-tracker][master] Track fixed version for chromium issues

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6ca6d65a by Salvatore Bonaccorso at 2024-05-01T20:52:40+02:00
Track fixed version for chromium issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -345,11 +345,11 @@ CVE-2022-48669 [powerpc/pseries: Fix potential memleak in 
papr_get_attr()]
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/cda9c0d556283e2d4adaa9960b2dc19b16156bae (6.9-rc1)
 CVE-2024-4331
-   - chromium 
+   - chromium 124.0.6367.118-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-4368
-   - chromium 
+   - chromium 124.0.6367.118-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-4369 (An information disclosure flaw was found in OpenShift's 
internal image ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca6d65aed97cea872f484664a603e1898932b4b



[Git][security-tracker-team/security-tracker][master] Merge Linux CVEs from kernel-sec

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
83c72f90 by Salvatore Bonaccorso at 2024-05-01T20:48:30+02:00
Merge Linux CVEs from kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,349 @@
+CVE-2024-27392 [nvme: host: fix double-free of struct nvme_id_ns in 
ns_update_nuse()]
+   - linux 
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/8d0d2447394b13fb22a069f0330f9c49b7fff9d3 (6.9-rc1)
+CVE-2024-27391 [wifi: wilc1000: do not realloc workqueue everytime an 
interface is added]
+   - linux 6.7.12-1
+   [bookworm] - linux 6.1.85-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/328efda22af81130c2ad981c110518cb29ff2f1d (6.9-rc1)
+CVE-2024-27390 [ipv6: mcast: remove one synchronize_net() barrier in 
ipv6_mc_down()]
+   - linux 6.7.12-1
+   [bookworm] - linux 6.1.85-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/17ef8efc00b34918b966388b2af0993811895a8c (6.9-rc1)
+CVE-2024-27389 [pstore: inode: Only d_invalidate() is needed]
+   - linux 6.7.12-1
+   [bookworm] - linux 6.1.85-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/a43e0fc5e9134a46515de2f2f8d4100b74e50de3 (6.9-rc1)
+CVE-2024-27388 [SUNRPC: fix some memleaks in gssx_dec_option_array]
+   - linux 6.7.12-1
+   [bookworm] - linux 6.1.85-1
+   NOTE: 
https://git.kernel.org/linus/3cfcfc102a5e57b021b786a755a38935e357797d (6.9-rc1)
+CVE-2024-27080 [btrfs: fix race when detecting delalloc ranges during fiemap]
+   - linux 
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/978b63f7464abcfd364a6c95f734282c50f3decf (6.9-rc1)
+CVE-2024-27079 [iommu/vt-d: Fix NULL domain on device release]
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/81e921fd321614c2ad8ac333b041aae1da7a1c6d (6.9-rc1)
+CVE-2024-27078 [media: v4l2-tpg: fix some memleaks in tpg_alloc]
+   - linux 6.7.12-1
+   [bookworm] - linux 6.1.85-1
+   NOTE: 
https://git.kernel.org/linus/8cf9c5051076e0eb958f4361d50d8b0c3ee6691c (6.9-rc1)
+CVE-2024-27077 [media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity]
+   - linux 6.7.12-1
+   [bookworm] - linux 6.1.85-1
+   NOTE: 
https://git.kernel.org/linus/8f94b49a5b5d386c038e355bef6347298aabd211 (6.9-rc1)
+CVE-2024-27076 [media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak]
+   - linux 6.7.12-1
+   [bookworm] - linux 6.1.85-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/4797a3dd46f220e6d83daf54d70c5b33db6deb01 (6.9-rc1)
+CVE-2024-27075 [media: dvb-frontends: avoid stack overflow warnings with clang]
+   - linux 6.7.12-1
+   [bookworm] - linux 6.1.85-1
+   NOTE: 
https://git.kernel.org/linus/7a4cf27d1f0538f779bf31b8c99eda394e277119 (6.9-rc1)
+CVE-2024-27074 [media: go7007: fix a memleak in go7007_load_encoder]
+   - linux 6.7.12-1
+   [bookworm] - linux 6.1.85-1
+   NOTE: 
https://git.kernel.org/linus/b9b683844b01d171a72b9c0419a2d760d946ee12 (6.9-rc1)
+CVE-2024-27073 [media: ttpci: fix two memleaks in budget_av_attach]
+   - linux 6.7.12-1
+   [bookworm] - linux 6.1.85-1
+   NOTE: 
https://git.kernel.org/linus/d0b07f712bf61e1a3cf23c87c663791c42e50837 (6.9-rc1)
+CVE-2024-27072 [media: usbtv: Remove useless locks in usbtv_video_free()]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/65e6a2773d655172143cc0b927cdc89549842895 (6.9-rc1)
+CVE-2024-27071 [backlight: hx8357: Fix potential NULL pointer dereference]
+   - linux 
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/b1ba8bcb2d1ffce11b308ce166c9cc28d989e3b9 (6.9-rc1)
+CVE-2024-27070 [f2fs: fix to avoid use-after-free issue in f2fs_filemap_fault]
+   - linux 
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/eb70d5a6c932d9d23f4bb3e7b83782c21ac4b064 (6.9-rc1)
+CVE-2024-27069 [ovl: relax WARN_ON in 
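Review bot: CVE-2024-27389 and CVE-2024-27388 carry no `[bullseye]` line (and 27388 no `[buster]` line) while every neighbouring entry states a status for each suite; with only `- linux 6.7.12-1` given, those suites will be reported as affected and unfixed, so if kernel-sec has a not-present or fixed status for them it should be synced here as for the other entries, and if they really are open a NOTE saying so avoids a second look. The rendering also cuts off inside the CVE-2024-27069 entry, so the rest of this 349-line hunk could not be reviewed.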

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for nvidia-cuda-toolkit issues

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c407747 by Salvatore Bonaccorso at 2024-05-01T20:17:02+02:00
Add Debian bug reference for nvidia-cuda-toolkit issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7609,12 +7609,12 @@ CVE-2024-0081 (NVIDIA NeMo framework for Ubuntu 
contains a vulnerability in tool
 CVE-2024-0080 (NVIDIA nvTIFF Library for Windows and Linux contains a 
vulnerability w ...)
NOT-FOR-US: NVIDIA nvTIFF Library
 CVE-2024-0076 (NVIDIA CUDA toolkit for all platforms contains a vulnerability 
in cuob ...)
-   - nvidia-cuda-toolkit 
+   - nvidia-cuda-toolkit  (bug #1070177)
[bookworm] - nvidia-cuda-toolkit  (Non-free not supported)
[bullseye] - nvidia-cuda-toolkit  (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5517
 CVE-2024-0072 (NVIDIA CUDA toolkit for all platforms contains a vulnerability 
in cuob ...)
-   - nvidia-cuda-toolkit 
+   - nvidia-cuda-toolkit  (bug #1070177)
[bookworm] - nvidia-cuda-toolkit  (Non-free not supported)
[bullseye] - nvidia-cuda-toolkit  (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5517



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c407747a4cbf719319632e808576fd5577ff0af



[Git][security-tracker-team/security-tracker][master] Track proposed changes for ansible-core via bookworm-pu (but not yet acked)

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
57a4ad55 by Salvatore Bonaccorso at 2024-05-01T20:12:56+02:00
Track proposed changes for ansible-core via bookworm-pu (but not yet acked)

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -124,3 +124,9 @@ CVE-2024-30205
[bookworm] - emacs 1:28.2+1-15+deb12u1
 CVE-2023-52723
[bookworm] - libkf5ksieve 4:22.12.3-1+deb12u1
+CVE-2024-0690
+   [bookworm] - ansible-core 2.14.16-0+deb12u1
+CVE-2023-5764
+   [bookworm] - ansible-core 2.14.16-0+deb12u1
+CVE-2023-5115
+   [bookworm] - ansible-core 2.14.16-0+deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57a4ad552f52fe6259223dce0fbf61f1b52474ed



[Git][security-tracker-team/security-tracker][master] add note about bookworm-proposed-update for ansible(-core)

2024-05-01 Thread Lee Garrett (@lgarrett)


Lee Garrett pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
59be7188 by Lee Garrett at 2024-05-01T17:51:12+02:00
add note about bookworm-proposed-update for ansible(-core)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -29,6 +29,7 @@ ansible (Lee Garrett)
   NOTE: 20231217: Begin to triage CVEs (rouca)
   NOTE: 20231217: Triaging done a few mail send upstream for claryfication 
purposes (rouca)
   NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
+  NOTE: 20240501: Update for bookworm-proposed-update: #1070193 (lee)
 --
 apache2 (debian)
   NOTE: 20240418: Added by Front-Desk (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59be7188320e27ccfcfde9661413965d15f39077



[Git][security-tracker-team/security-tracker][master] new gobgp issue

2024-05-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b46df9c3 by Moritz Muehlenhoff at 2024-05-01T16:26:57+02:00
new gobgp issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -800,7 +800,8 @@ CVE-2023-48684 (Sensitive information disclosure and 
manipulation due to missing
 CVE-2023-48683 (Sensitive information disclosure and manipulation due to 
missing autho ...)
NOT-FOR-US: Acronis Cyber Protect Cloud Agent
 CVE-2023-46565 (Buffer Overflow vulnerability in osrg gobgp commit 
419c50dfac578daa4d1 ...)
-   TODO: check
+   - gobgp 
+   NOTE: https://github.com/osrg/gobgp/issues/2725
 CVE-2023-46270 (MacPaw The Unarchiver before 4.3.6 contains vulnerability 
related to m ...)
NOT-FOR-US: MacPaw The Unarchiver
 CVE-2024-4303 (ArmorX Android APP's multi-factor authentication (MFA) for the 
login f ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b46df9c369e94212b17c8dbf9d1998995803cb3c



[Git][security-tracker-team/security-tracker][master] new tftpy issue

2024-05-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f4f3f752 by Moritz Muehlenhoff at 2024-05-01T16:25:42+02:00
new tftpy issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -668,7 +668,7 @@ CVE-2023-50432 (simple-dhcp-server through ec976d2 allows 
remote attackers to ca
 CVE-2023-46960 (Buffer Overflow vulnerability in PyPXE v.1.8.4 allows a remote 
attacke ...)
NOT-FOR-US: PyPXE
 CVE-2023-46566 (Buffer Overflow vulnerability in msoulier tftpy commit 
467017b844bf6e3 ...)
-   TODO: check
+   - tftpy 
 CVE-2023-31889 (An issue discovered in httpd in ASUS RT-AC51U with firmware 
version up ...)
NOT-FOR-US: ASUS
 CVE-2024-4310 (Cross-site Scripting (XSS) vulnerability in HubBank affecting 
version  ...)
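Review bot: the entry moves from `TODO: check` to an unfixed tftpy line without any NOTE, unlike the gobgp entry in the adjacent commit, which records the upstream issue; the CVE text identifies the affected code only by the commit prefix 467017b844bf6e3, so add the upstream report or fixing commit as a NOTE (or state that none exists yet) so the entry does not get re-triaged from scratch.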



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4f3f752facfb3c5a701db3999a0c7f97f0cde64



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
57086a86 by Moritz Muehlenhoff at 2024-05-01T16:23:57+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -35,9 +35,9 @@ CVE-2024-32967 (Zitadel is an open source identity management 
system. In case ZI
 CVE-2024-32966 (Static Web Server (SWS) is a tiny and fast production-ready 
web server ...)
NOT-FOR-US: Static Web Server
 CVE-2024-32963 (Navidrome is an open source web-based music collection server 
and stre ...)
-   TODO: check
+   NOT-FOR-US: Navidrome
 CVE-2024-32890 (librespeed/speedtest is an open source, self-hosted speed test 
for HTM ...)
-   TODO: check
+   NOT-FOR-US: Navidrome
 CVE-2024-32018 (RIOT is a real-time multi-threading operating system that 
supports a r ...)
NOT-FOR-US: RIOT
 CVE-2024-32017 (RIOT is a real-time multi-threading operating system that 
supports a r ...)
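Review bot: CVE-2024-32890 is marked `NOT-FOR-US: Navidrome`, but its description names librespeed/speedtest; the Navidrome label belongs to CVE-2024-32963 directly above and looks copied, so this line should read `NOT-FOR-US: librespeed/speedtest` once it is confirmed that librespeed is not packaged.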
@@ -45,7 +45,7 @@ CVE-2024-32017 (RIOT is a real-time multi-threading operating 
system that suppor
 CVE-2024-31225 (RIOT is a real-time multi-threading operating system that 
supports a r ...)
NOT-FOR-US: RIOT
 CVE-2024-29466 (Directory Traversal vulnerability in lsgwr spring boot online 
exam v.0 ...)
-   TODO: check
+   NOT-FOR-US: lsgwr spring boot online exam
 CVE-2024-28979 (Dell OpenManage Enterprise, versions prior to 4.1.0, contains 
an XSS i ...)
NOT-FOR-US: Dell
 CVE-2024-28978 (Dell OpenManage Enterprise, versions 3.10 and 4.0, contains an 
Imprope ...)
@@ -495,7 +495,7 @@ CVE-2024-4185 (The Customer Email Verification for 
WooCommerce plugin for WordPr
 CVE-2024-3746 (The entire parent directory - C:\ScadaPro and its 
sub-directories and  ...)
NOT-FOR-US: Measuresoft
 CVE-2024-3411 (Implementations of IPMI Authenticated sessions does not provide 
enough ...)
-   TODO: check
+   NOT-FOR-US: IPMI implementations
 CVE-2024-3072 (The ACF Front End Editor plugin for WordPress is vulnerable to 
unautho ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-34088 (In FRRouting (FRR) through 9.1, it is possible for the 
get_edge() func ...)
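Review bot: `NOT-FOR-US: IPMI implementations` for a protocol-level issue deserves a justifying NOTE, because Debian does ship IPMI implementations (freeipmi, ipmitool, openipmi); if the CVE concerns BMC firmware rather than the client-side tools, say so in the entry so the NOT-FOR-US is not revisited for each of those packages.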
@@ -505,7 +505,7 @@ CVE-2024-34088 (In FRRouting (FRR) through 9.1, it is 
possible for the get_edge(
 CVE-2024-33832 (OneNav v0.9.35-20240318 was discovered to contain a 
Server-Side Reques ...)
NOT-FOR-US: OneNav
 CVE-2024-33831 (A stored cross-site scripting (XSS) vulnerability in the 
Advanced Expe ...)
-   TODO: check
+   NOT-FOR-US: yapi
 CVE-2024-33465 (Cross Site Scripting vulnerability in MajorDoMo before 
v.0662e5e allow ...)
NOT-FOR-US: MajorDoMo (aka Major Domestic Module)
 CVE-2024-33437 (An issue in CSS Exfil Protection v.1.1.0 allows a remote 
attacker to o ...)
@@ -554,9 +554,9 @@ CVE-2024-2377 (A vulnerability exists in the too permissive 
HTTP response header
 CVE-2024-29384 (An issue in CSS Exfil Protection v.1.1.0 allows a remote 
attacker to o ...)
NOT-FOR-US: CSS Exfil Protection
 CVE-2024-29320 (Wallos before 1.15.3 is vulnerable to SQL Injection via the 
category a ...)
-   TODO: check
+   NOT-FOR-US: Wallos
 CVE-2024-28716 (An issue in OpenStack Storlets yoga-eom allows a remote 
attacker to ex ...)
-   TODO: check
+   NOT-FOR-US: OpenStack Storlets yoga-eom
 CVE-2024-28269 (ReCrystallize Server 5.10.0.0 allows administrators to upload 
files to ...)
NOT-FOR-US: ReCrystallize Server
 CVE-2024-26331 (ReCrystallize Server 5.10.0.0 uses a authorization mechanism 
that reli ...)
@@ -578,7 +578,7 @@ CVE-2024-23463 (Anti-tampering protection of the Zscaler 
Client Connector can be
 CVE-2024-22546 (TRENDnet TEW-815DAP 1.0.2.0 is vulnerable to Command Injection 
via the ...)
NOT-FOR-US: TRENDnet TEW-815DAP
 CVE-2024-22405 (XADMaster is an objective-C library for archive and file 
unarchiving a ...)
-   TODO: check
+   NOT-FOR-US: XADMaster
 CVE-2024-1895 (The Event Monster \u2013 Event Management, Tickets Booking, 
Upcoming E ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-50915 (An issue exists in GalaxyClientService.exe in GOG Galaxy 
(Beta) 2.0.67 ...)
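Review bot: NOT-FOR-US for CVE-2024-22405 deserves a second look: Debian's unar source package is built from the XADMaster code base that the description names ("XADMaster is an objective-C library for archive and file unarchiving"), so this entry may need a `- unar` line with a version check instead of a NOT-FOR-US tag.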
@@ -594,7 +594,7 @@ CVE-2023-49473 (Shenzhen JF6000 Cloud Media Collaboration 
Processing Platform fi
 CVE-2023-46304 (modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a 
remote au ...)
NOT-FOR-US: Vtiger CRM
 CVE-2023-45385 (ProQuality pqprintshippinglabels before v.4.15.0 is vulnerable 
to Dire ...)
-   TODO: check
+   NOT-FOR-US: ProQuality pqprintshippinglabels
 CVE-2023-38002 (IBM Storage Scale 5.1.0.0 through 5.1.9.2 could allow an 
authenticated ...)
NOT-FOR-US: IBM
 CVE-2023-36268 (An issue in The Document Foundation Libreoffice v.7.4.7 allows 
a remot ...)
@@ -666,7 +666,7 @@ CVE-2023-50433 (marshall in dhcp_packet.c in 
simple-dhcp-server through ec976d2
 CVE-2023-50432 (simple-dhcp-server through ec976d2 allows 

[Git][security-tracker-team/security-tracker][master] Reserve DLA-3806-1 for distro-info-data

2024-05-01 Thread Stefano Rivera (@stefanor)


Stefano Rivera pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fb03d35c by Stefano Rivera at 2024-05-01T10:16:22-04:00
Reserve DLA-3806-1 for distro-info-data

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[01 May 2024] DLA-3806-1 distro-info-data - database update
+   [buster] - distro-info-data 0.41+deb10u9
 [01 May 2024] DLA-3805-1 qtbase-opensource-src - security update
{CVE-2023-24607 CVE-2023-32762 CVE-2023-32763 CVE-2023-33285 
CVE-2023-37369 CVE-2023-38197 CVE-2023-51714}
[buster] - qtbase-opensource-src 5.11.3+dfsg1-1+deb10u6



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb03d35caa2f8984793fc91e0f9cd3e67d8a615a



[Git][security-tracker-team/security-tracker][master] new chromium issues

2024-05-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
44dd9776 by Moritz Muehlenhoff at 2024-05-01T13:56:53+02:00
new chromium issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1,3 +1,11 @@
+CVE-2024-4331
+   - chromium 
+   [bullseye] - chromium  (see #1061268)
+   [buster] - chromium  (see DSA 5046)
+CVE-2024-4368
+   - chromium 
+   [bullseye] - chromium  (see #1061268)
+   [buster] - chromium  (see DSA 5046)
 CVE-2024-4369 (An information disclosure flaw was found in OpenShift's 
internal image ...)
NOT-FOR-US: OpenShift
 CVE-2024-4349 (A vulnerability has been found in SourceCodester Pisay Online 
E-Learni ...)
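Review bot: the two new chromium entries carry neither the bracketed short title that manually added entries elsewhere in this digest use (compare `CVE-2024-27022 [fork: defer linking file vma until vma is fully initialized]` in the kernel commits) nor a NOTE line pointing at the upstream release announcement; adding at least a NOTE with the Chrome stable-channel advisory URL would let the `see #1061268` / `see DSA 5046` annotations be verified without leaving the file.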


=
data/dsa-needed.txt
=
@@ -16,6 +16,8 @@ atril (jmm)
 --
 dav1d (jmm)
 --
+chromium (dilinger)
+--
 dnsdist (jmm)
 --
 dnsmasq
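Review bot: the new `chromium (dilinger)` block breaks the alphabetical order of data/dsa-needed.txt: it is inserted after `dav1d (jmm)` and before `dnsdist (jmm)`, but `chromium` sorts before `dav1d`. Move the block up so it sits between `atril (jmm)` and `dav1d (jmm)`.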



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44dd97762c4c362bba0a6d5f06ac5e115f98cf61



[Git][security-tracker-team/security-tracker][master] bullseye triage

2024-05-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eab15f76 by Moritz Muehlenhoff at 2024-05-01T13:42:52+02:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -22378,7 +22378,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS 
protocol (in RFC 4033, 4034, 4
[bullseye] - knot-resolver  (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
[buster] - knot-resolver  (Too intrusive to backport)
- pdns-recursor 4.9.3-1 (bug #1063852)
-   [bullseye] - pdns-recursor  (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
+   [bullseye] - pdns-recursor  (No longer supported with 
security updates in Bullseye)
- unbound 1.19.1-1 (bug #1063845)
- systemd 255.4-1
[bookworm] - systemd  (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
@@ -22420,7 +22420,7 @@ CVE-2023-50868 (The Closest Encloser Proof aspect of 
the DNS protocol (in RFC 51
[bullseye] - knot-resolver  (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
[buster] - knot-resolver  (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
- pdns-recursor 4.9.3-1 (bug #1063852)
-   [bullseye] - pdns-recursor  (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
+   [bullseye] - pdns-recursor  (No longer supported with 
security updates in Bullseye)
- unbound 1.19.1-1 (bug #1063845)
- systemd 255.4-1
[bookworm] - systemd  (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
@@ -41844,6 +41844,7 @@ CVE-2015-20110 (JHipster generator-jhipster before 
2.23.0 allows a timing attack
NOT-FOR-US: JHipster generator-jhipster
 CVE-2023-34049 [allows an attacker to force Salt-SSH to run their script]
- salt  (bug #1055179)
+   [bullseye] - salt  (Scheduled for removal)
[buster] - salt  (EOL in buster LTS)
NOTE: 
https://saltproject.io/security-announcements/2023-10-27-advisory/index.html
 CVE-2023-5844 (Unverified Password Change in GitHub repository 
pimcore/admin-ui-class ...)
@@ -64221,6 +64222,7 @@ CVE-2023-28370 (Open redirect vulnerability in Tornado 
versions 6.3.1 and earlie
[bullseye] - python-tornado  (Minor issue)
[buster] - python-tornado  (Minor issue)
- salt  (bug #1059297)
+   [bullseye] - salt  (Scheduled for removal)
[buster] - salt  (EOL in buster LTS)
NOTE: 
https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
 (v6.3.2)
 CVE-2023-27529 (Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) 
contains an ...)
@@ -81150,7 +81152,7 @@ CVE-2023-26438 (External service lookups for a number 
of protocols were vulnerab
NOT-FOR-US: OX App Suite
 CVE-2023-26437 (Denial of service vulnerability in PowerDNS Recursor allows 
authoritat ...)
- pdns-recursor 4.8.4-1 (bug #1033941)
-   [bullseye] - pdns-recursor  (Minor issue)
+   [bullseye] - pdns-recursor  (No longer supported with 
security updates in Bullseye)
[buster] - pdns-recursor  (Minor issue)
NOTE: 
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html
NOTE: 
https://github.com/PowerDNS/pdns/commit/94fccab63457f8327add3a8e1e2b7876234e4989
 (rec-4.6.6)
@@ -107817,10 +107819,12 @@ CVE-2023-20899 (VMware SD-WAN (Edge) contains a 
bypass authentication vulnerabil
NOT-FOR-US: VMware
 CVE-2023-20898 (Git Providers can read from the wrong environment because they 
get the ...)
- salt  (bug #1051504)
+   [bullseye] - salt  (Scheduled for removal)
[buster] - salt  (EOL in buster LTS)
NOTE: https://saltproject.io/security-announcements/2023-08-10-advisory/
 CVE-2023-20897 (Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion 
return. ...)
- salt  (bug #1051504)
+   [bullseye] - salt  (Scheduled for removal)
[buster] - salt  (EOL in buster LTS)
NOTE: https://saltproject.io/security-announcements/2023-08-10-advisory/
NOTE: https://github.com/saltstack/salt/issues/64061
@@ -129284,7 +129288,7 @@ CVE-2022-37429 (Silverstripe silverstripe/framework 
through 4.11 allows XSS (iss
NOT-FOR-US: SilverStripe CMS
 CVE-2022-37428 (PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, 
when pro ...)
- pdns-recursor 4.7.2-1
-   [bullseye] - pdns-recursor  (Minor issue)
+   [bullseye] - pdns-recursor  (No longer supported with 
security updates in Bullseye)
[buster] - pdns-recursor  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/08/23/1
NOTE: https://downloads.powerdns.com/patches/2022-02/
@@ -158499,7 +158503,7 @@ CVE-2022-27228 (In the 

[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc8f9c9c by Moritz Muehlenhoff at 2024-05-01T13:16:08+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,51 +1,51 @@
 CVE-2024-4369 (An information disclosure flaw was found in OpenShift's 
internal image ...)
-   TODO: check
+   NOT-FOR-US: OpenShift
 CVE-2024-4349 (A vulnerability has been found in SourceCodester Pisay Online 
E-Learni ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester
 CVE-2024-4348 (A vulnerability, which was classified as problematic, was found 
in osC ...)
-   TODO: check
+   NOT-FOR-US: osCommerce
 CVE-2024-4192 (Delta Electronics CNCSoft-G2 lacks proper validation of the 
length of  ...)
-   TODO: check
+   NOT-FOR-US: Delta Electronics
 CVE-2024-3591 (The Geo Controller WordPress plugin before 8.6.5 unserializes 
user inp ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-34149 (In Bitcoin Core through 27.0 and Bitcoin Knots before 
25.1.knots202311 ...)
-   TODO: check
+   - bitcoin 
 CVE-2024-33768 (lunasvg v2.3.9 was discovered to contain a segmentation 
violation via  ...)
-   TODO: check
+   NOT-FOR-US: lunasvg
 CVE-2024-33767 (lunasvg v2.3.9 was discovered to contain a segmentation 
violation via  ...)
-   TODO: check
+   NOT-FOR-US: lunasvg
 CVE-2024-33766 (lunasvg v2.3.9 was discovered to contain an FPE (Floating 
Point Except ...)
-   TODO: check
+   NOT-FOR-US: lunasvg
 CVE-2024-33764 (lunasvg v2.3.9 was discovered to contain a stack-overflow at 
lunasvg/s ...)
-   TODO: check
+   NOT-FOR-US: lunasvg
 CVE-2024-33763 (lunasvg v2.3.9 was discovered to contain a 
stack-buffer-underflow at l ...)
-   TODO: check
+   NOT-FOR-US: lunasvg
 CVE-2024-32970 (Phlex is a framework for building object-oriented views in 
Ruby. In af ...)
-   TODO: check
+   NOT-FOR-US: Phlex
 CVE-2024-32967 (Zitadel is an open source identity management system. In case 
ZITADEL  ...)
-   TODO: check
+   NOT-FOR-US: Zitadel
 CVE-2024-32966 (Static Web Server (SWS) is a tiny and fast production-ready 
web server ...)
-   TODO: check
+   NOT-FOR-US: Static Web Server
 CVE-2024-32963 (Navidrome is an open source web-based music collection server 
and stre ...)
TODO: check
 CVE-2024-32890 (librespeed/speedtest is an open source, self-hosted speed test 
for HTM ...)
TODO: check
 CVE-2024-32018 (RIOT is a real-time multi-threading operating system that 
supports a r ...)
-   TODO: check
+   NOT-FOR-US: RIOT
 CVE-2024-32017 (RIOT is a real-time multi-threading operating system that 
supports a r ...)
-   TODO: check
+   NOT-FOR-US: RIOT
 CVE-2024-31225 (RIOT is a real-time multi-threading operating system that 
supports a r ...)
-   TODO: check
+   NOT-FOR-US: RIOT
 CVE-2024-29466 (Directory Traversal vulnerability in lsgwr spring boot online 
exam v.0 ...)
TODO: check
 CVE-2024-28979 (Dell OpenManage Enterprise, versions prior to 4.1.0, contains 
an XSS i ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2024-28978 (Dell OpenManage Enterprise, versions 3.10 and 4.0, contains an 
Imprope ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2024-23336 (MyBB is a free and open source forum software. The default 
list of dis ...)
-   TODO: check
+   NOT-FOR-US: MyBB
 CVE-2024-23335 (MyBB is a free and open source forum software. The backup 
management m ...)
-   TODO: check
+   NOT-FOR-US: MyBB
 CVE-2024-27022 (In the Linux kernel, the following vulnerability has been 
resolved:  f ...)
- linux 
[bullseye] - linux  (Vulnerable code not present)
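Review bot: CVE-2024-34149 is the only entry in this hunk assigned to a Debian source package (`- bitcoin`), and it is left without a NOTE reference, unlike the kernel entries in this digest which always carry a NOTE pointing at the fixing commit; add a NOTE with the upstream reference, and `[bookworm]`/`[bullseye]` annotations once the affected versions are known, so the entry can be acted on.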



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc8f9c9c1911feb00ab85d93b709c9cb7dcb777d



[Git][security-tracker-team/security-tracker][master] LTS: claim python-idna in dla-needed.txt

2024-05-01 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
716af3b4 by Guilhem Moulin at 2024-05-01T11:52:45+02:00
LTS: claim python-idna in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -219,7 +219,7 @@ python-asyncssh
   NOTE: 20240116: Added by Front-Desk (lamby)
   NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and 
in Git, but one test is failing. Waiting for feedback before release. (dleidert)
 --
-python-idna
+python-idna (guilhem)
   NOTE: 20240421: Added by Front-Desk (apo)
 --
 rails



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/716af3b426e26ea86508d04d1f067473cffb3177



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
73ae8f0d by security tracker role at 2024-05-01T08:12:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,426 +1,474 @@
-CVE-2024-27022 [fork: defer linking file vma until vma is fully initialized]
+CVE-2024-4369 (An information disclosure flaw was found in OpenShift's 
internal image ...)
+   TODO: check
+CVE-2024-4349 (A vulnerability has been found in SourceCodester Pisay Online 
E-Learni ...)
+   TODO: check
+CVE-2024-4348 (A vulnerability, which was classified as problematic, was found 
in osC ...)
+   TODO: check
+CVE-2024-4192 (Delta Electronics CNCSoft-G2 lacks proper validation of the 
length of  ...)
+   TODO: check
+CVE-2024-3591 (The Geo Controller WordPress plugin before 8.6.5 unserializes 
user inp ...)
+   TODO: check
+CVE-2024-34149 (In Bitcoin Core through 27.0 and Bitcoin Knots before 
25.1.knots202311 ...)
+   TODO: check
+CVE-2024-33768 (lunasvg v2.3.9 was discovered to contain a segmentation 
violation via  ...)
+   TODO: check
+CVE-2024-33767 (lunasvg v2.3.9 was discovered to contain a segmentation 
violation via  ...)
+   TODO: check
+CVE-2024-33766 (lunasvg v2.3.9 was discovered to contain an FPE (Floating 
Point Except ...)
+   TODO: check
+CVE-2024-33764 (lunasvg v2.3.9 was discovered to contain a stack-overflow at 
lunasvg/s ...)
+   TODO: check
+CVE-2024-33763 (lunasvg v2.3.9 was discovered to contain a 
stack-buffer-underflow at l ...)
+   TODO: check
+CVE-2024-32970 (Phlex is a framework for building object-oriented views in 
Ruby. In af ...)
+   TODO: check
+CVE-2024-32967 (Zitadel is an open source identity management system. In case 
ZITADEL  ...)
+   TODO: check
+CVE-2024-32966 (Static Web Server (SWS) is a tiny and fast production-ready 
web server ...)
+   TODO: check
+CVE-2024-32963 (Navidrome is an open source web-based music collection server 
and stre ...)
+   TODO: check
+CVE-2024-32890 (librespeed/speedtest is an open source, self-hosted speed test 
for HTM ...)
+   TODO: check
+CVE-2024-32018 (RIOT is a real-time multi-threading operating system that 
supports a r ...)
+   TODO: check
+CVE-2024-32017 (RIOT is a real-time multi-threading operating system that 
supports a r ...)
+   TODO: check
+CVE-2024-31225 (RIOT is a real-time multi-threading operating system that 
supports a r ...)
+   TODO: check
+CVE-2024-29466 (Directory Traversal vulnerability in lsgwr spring boot online 
exam v.0 ...)
+   TODO: check
+CVE-2024-28979 (Dell OpenManage Enterprise, versions prior to 4.1.0, contains 
an XSS i ...)
+   TODO: check
+CVE-2024-28978 (Dell OpenManage Enterprise, versions 3.10 and 4.0, contains an 
Imprope ...)
+   TODO: check
+CVE-2024-23336 (MyBB is a free and open source forum software. The default 
list of dis ...)
+   TODO: check
+CVE-2024-23335 (MyBB is a free and open source forum software. The backup 
management m ...)
+   TODO: check
+CVE-2024-27022 (In the Linux kernel, the following vulnerability has been 
resolved:  f ...)
- linux 
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/35e351780fa9d8240dd6f7e4f245f9ea37e96c19 (6.9-rc5)
-CVE-2024-27021 [r8169: fix LED-related deadlock on module removal]
+CVE-2024-27021 (In the Linux kernel, the following vulnerability has been 
resolved:  r ...)
- linux 
[bookworm] - linux  (Vulnerable code not present)
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/19fa4f2a85d777a8052e869c1b892a2f7556569d (6.9-rc4)
-CVE-2024-27020 [netfilter: nf_tables: Fix potential data-race in 
__nft_expr_type_get()]
+CVE-2024-27020 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
- linux 
NOTE: 
https://git.kernel.org/linus/f969eb84ce482331a991079ab7a5c4dc3b7f89bf (6.9-rc5)
-CVE-2024-27019 [netfilter: nf_tables: Fix potential data-race in 
__nft_obj_type_get()]
+CVE-2024-27019 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
- linux 
NOTE: 
https://git.kernel.org/linus/d78d867dcea69c328db30df665be5be7d0148484 (6.9-rc5)
-CVE-2024-27018 [netfilter: br_netfilter: skip conntrack input hook for promisc 
packets]
+CVE-2024-27018 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
- linux 
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/751de2012eafa4d46d8081056761fa0e9cc8a178 (6.9-rc5)
-CVE-2024-27017 [netfilter: nft_set_pipapo: walk over current view on 
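Review bot: the automatic update replaces the hand-written kernel titles (e.g. `CVE-2024-27022 [fork: defer linking file vma until vma is fully initialized]`) with the truncated NVD text `(In the Linux kernel, the following vulnerability has been resolved:  f ...)`, which is identical for every kernel CVE except for the last letter, so after this change the only pointer to the affected subsystem is the commit hash in the NOTE line. Carrying the original title over into a NOTE before the automatic update runs would keep the entries distinguishable when the list is read or grepped.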

[Git][security-tracker-team/security-tracker][master] Add CVE-2024-27022/linux

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
824fe124 by Salvatore Bonaccorso at 2024-05-01T08:32:51+02:00
Add CVE-2024-27022/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,8 @@
+CVE-2024-27022 [fork: defer linking file vma until vma is fully initialized]
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/35e351780fa9d8240dd6f7e4f245f9ea37e96c19 (6.9-rc5)
 CVE-2024-27021 [r8169: fix LED-related deadlock on module removal]
- linux 
[bookworm] - linux  (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/824fe1242f16d60b9905ac0568ff510eead8019d



[Git][security-tracker-team/security-tracker][master] Merge CVEs for Linux from kernel-sec

2024-05-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9254f047 by Salvatore Bonaccorso at 2024-05-01T08:00:42+02:00
Merge CVEs for Linux from kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,426 @@
+CVE-2024-27021 [r8169: fix LED-related deadlock on module removal]
+   - linux 
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/19fa4f2a85d777a8052e869c1b892a2f7556569d (6.9-rc4)
+CVE-2024-27020 [netfilter: nf_tables: Fix potential data-race in 
__nft_expr_type_get()]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/f969eb84ce482331a991079ab7a5c4dc3b7f89bf (6.9-rc5)
+CVE-2024-27019 [netfilter: nf_tables: Fix potential data-race in 
__nft_obj_type_get()]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/d78d867dcea69c328db30df665be5be7d0148484 (6.9-rc5)
+CVE-2024-27018 [netfilter: br_netfilter: skip conntrack input hook for promisc 
packets]
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/751de2012eafa4d46d8081056761fa0e9cc8a178 (6.9-rc5)
+CVE-2024-27017 [netfilter: nft_set_pipapo: walk over current view on netlink 
dump]
+   - linux 
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/29b359cf6d95fd60730533f7f10464e95bd17c73 (6.9-rc5)
+CVE-2024-27016 [netfilter: flowtable: validate pppoe header]
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf (6.9-rc5)
+CVE-2024-27015 [netfilter: flowtable: incorrect pppoe tuple]
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/6db5dc7b351b9569940cd1cf445e237c42cd6d27 (6.9-rc5)
+CVE-2024-27014 [net/mlx5e: Prevent deadlock while disabling aRFS]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/fef965764cf562f28afb997b626fc7c3cec99693 (6.9-rc5)
+CVE-2024-27013 [tun: limit printing rate when illegal packet received by tun 
dev]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/f8bbc07ac535593139c875ffa19af924b1084540 (6.9-rc5)
+CVE-2024-27012 [netfilter: nf_tables: restore set elements when delete set 
fails]
+   - linux 
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/e79b47a8615d42c68aaeb6897159667382ed (6.9-rc5)
+CVE-2024-27011 [netfilter: nf_tables: fix memleak in map from abort path]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/86a1471d7cde792941109b93b558b5dc078b9ee9 (6.9-rc5)
+CVE-2024-27010 [net/sched: Fix mirred deadlock on device recursion]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/0f022d32c3eca477fbf79a205243a6123ed0fe11 (6.9-rc5)
+CVE-2024-27009 [s390/cio: fix race condition during online processing]
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/2d8527f2f911fab84aec04df4788c0c23af3df48 (6.9-rc5)
+CVE-2024-27008 [drm: nv04: Fix out of bounds access]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/cf92bb778eda7830e79452c6917efa8474a30c1e (6.9-rc5)
+CVE-2024-27007 [userfaultfd: change src_folio after ensuring it's unpinned in 
UFFDIO_MOVE]
+   - linux 
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/c0205eaf3af9f5db14d4b5ee4abacf4a583c3c50 (6.9-rc5)
+CVE-2024-27006 [thermal/debugfs: Add missing count increment to 
thermal_debug_tz_trip_up()]
+   - linux 
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/b552f63cd43735048bbe9bfbb7a9dcfce166fbdd (6.9-rc5)
+CVE-2024-27005 [interconnect: Don't access req_list while it's being 
manipulated]
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/de1bf25b6d771abdb52d43546cf57ad775fb68a1 (6.9-rc5)
+CVE-2024-27004 [clk: Get runtime PM before walking tree during disable_unused]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/e581cf5d216289ef292d1a4036d53ce90e122469 (6.9-rc5)
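Review bot: the NOTE for CVE-2024-27012 cites `https://git.kernel.org/linus/e79b47a8615d42c68aaeb6897159667382ed`, a 36-hex-digit id, while every other entry in this hunk cites a full 40-digit commit id; verify that the hash was not truncated when it was copied over from kernel-sec, since an abbreviated id can become ambiguous as the tree grows. The rest of the hunk follows the same pattern as the other kernel entries in this digest (per-suite `Vulnerable code not present` annotations plus the fixing commit in a NOTE).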