[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
8639e85f by Salvatore Bonaccorso at 2024-05-21T06:39:19+02:00
Process some NFUs

- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -1,39 +1,39 @@ CVE-2024-5137 (A vulnerability classified as problematic was found in PHPGurukul Dire ...) - TODO: check + NOT-FOR-US: PHPGurukul Directory Management System CVE-2024-5136 (A vulnerability classified as problematic has been found in PHPGurukul ...) - TODO: check + NOT-FOR-US: PHPGurukul Directory Management System CVE-2024-5135 (A vulnerability was found in PHPGurukul Directory Management System 1. ...) - TODO: check + NOT-FOR-US: PHPGurukul Directory Management System CVE-2024-4323 (A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3. ...) - TODO: check + NOT-FOR-US: Fluent Bit CVE-2024-4287 (In mintplex-labs/anything-llm, a vulnerability exists due to improper ...) - TODO: check + NOT-FOR-US: mintplex-labs/anything-llm CVE-2024-4151 (An Improper Access Control vulnerability exists in lunary-ai/lunary ve ...) - TODO: check + NOT-FOR-US: lunary-ai/lunary CVE-2024-3761 (In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `pac ...) - TODO: check + NOT-FOR-US: lunary-ai/lunary CVE-2024-3482 (A Stored Cross-Site Scripting (XSS) vulnerability has been identified ...) TODO: check CVE-2024-35580 (Tenda AX1806 v1.0.0.1 contains a stack overflow via the adv.iptv.stbpv ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-35579 (Tenda AX1806 v1.0.0.1 contains a stack overflow via the iptv.city.vlan ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-35578 (Tenda AX1806 v1.0.0.1 contains a stack overflow via the adv.iptv.stbal ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-35576 (Tenda AX1806 v1.0.0.1 contains a stack overflow via the iptv.stb.port ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-35571 (Tenda AX1806 v1.0.0.1 contains a stack overflow via the iptv.stb.mode ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-34953 (An issue in taurusxin ncmdump v1.3.2 allows attackers to cause a Denia ...) TODO: check CVE-2024-34952 (taurusxin ncmdump v1.3.2 was discovered to contain a segmentation viol ...) 
TODO: check CVE-2024-34949 (likeshop 2.5.7 is vulnerable to SQL Injection via the getOrderList fun ...) - TODO: check + NOT-FOR-US: likeshop CVE-2024-34948 (An issue in Quanxun Huiju Network Technology(Beijing) Co.,Ltd IK-Q3000 ...) - TODO: check + NOT-FOR-US: Quanxun Huiju Network Technology(Beijing) Co. CVE-2024-34947 (Quanxun Huiju Network Technology (Beijing) Co.,Ltd IK-Q3000 3.7.10 x64 ...) - TODO: check + NOT-FOR-US: Quanxun Huiju Network Technology(Beijing) Co. CVE-2024-34193 (smanga 3.2.7 does not filter the file parameter at the PHP/get file fl ...) TODO: check CVE-2024-31714 (Buffer Overflow vulnerability in Waxlab wax v.0.9-3 and before allows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8639e85f7cee3a8171c39ba5ca9888dbffb52ff9 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8639e85f7cee3a8171c39ba5ca9888dbffb52ff9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add note for runc
Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ea426a6 by Daniel Leidert at 2024-05-21T00:30:24+02:00 Add note for runc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -272,6 +272,7 @@ runc (dleidert) NOTE: 20240312: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. NOTE: 20240314: Uploads to ospu should be coordinated. (roberto) + NOTE: 20240521: Already started to work on it. Upload will haben until end of month. (dleidert) -- sendmail (rouca) NOTE: 20231224: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ea426a6f2409a9d1c9266b5a71a0888ff0b059f -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ea426a6f2409a9d1c9266b5a71a0888ff0b059f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
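Review bot: the added NOTE line in the runc hunk reads "Upload will haben until end of month"; "haben" looks like a slip for "happen", so the line should read "Upload will happen until end of month" (or "by end of month"). A follow-up commit correcting the wording would keep the note readable for whoever picks up the entry later.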
[Git][security-tracker-team/security-tracker][master] LTS: claim runc in dla-needed.txt
Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker Commits: 56997afc by Daniel Leidert at 2024-05-21T00:29:23+02:00 LTS: claim runc in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -110,7 +110,7 @@ ghostscript (Markus Koschany) -- git (Sean Whitton) NOTE: 20240519: Added by Front-Desk (utkarsh) - NOTE: 20240519: there are other no-dsa/postponed issues as well, please batch + NOTE: 20240519: there are other no-dsa/postponed issues as well, please batch NOTE: 20240519: them, too. Newer ones are RCE and have high severity. (utkarsh) -- glibc (Adrian Bunk) @@ -268,7 +268,7 @@ ruby2.5 NOTE: 20240504: Added by Front-Desk (Beuc) NOTE: 20240504: Follow DSA-5677-1 (Beuc/front-desk) -- -runc +runc (dleidert) NOTE: 20240312: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. NOTE: 20240314: Uploads to ospu should be coordinated. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56997afcfaa98b7ea8620f3b395b8aecf6782594 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56997afcfaa98b7ea8620f3b395b8aecf6782594 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
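Review bot: the first hunk (@@ -110,7 +110,7 @@, the git entry) removes and re-adds the NOTE line "there are other no-dsa/postponed issues as well, please batch" with identical visible text, so it is a whitespace-only change that has nothing to do with the commit subject "LTS: claim runc in dla-needed.txt". Either keep such cleanups out of a claim commit or mention them in the commit message, so that the file history stays easy to read.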
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
e91dea23 by security tracker role at 2024-05-20T20:11:56+00:00
automatic update

- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -1,330 +1,398 @@ -CVE-2024-36009 [ax25: Fix netdev refcount issue] +CVE-2024-5137 (A vulnerability classified as problematic was found in PHPGurukul Dire ...) + TODO: check +CVE-2024-5136 (A vulnerability classified as problematic has been found in PHPGurukul ...) + TODO: check +CVE-2024-5135 (A vulnerability was found in PHPGurukul Directory Management System 1. ...) + TODO: check +CVE-2024-4323 (A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3. ...) + TODO: check +CVE-2024-4287 (In mintplex-labs/anything-llm, a vulnerability exists due to improper ...) + TODO: check +CVE-2024-4151 (An Improper Access Control vulnerability exists in lunary-ai/lunary ve ...) + TODO: check +CVE-2024-3761 (In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `pac ...) + TODO: check +CVE-2024-3482 (A Stored Cross-Site Scripting (XSS) vulnerability has been identified ...) + TODO: check +CVE-2024-35580 (Tenda AX1806 v1.0.0.1 contains a stack overflow via the adv.iptv.stbpv ...) + TODO: check +CVE-2024-35579 (Tenda AX1806 v1.0.0.1 contains a stack overflow via the iptv.city.vlan ...) + TODO: check +CVE-2024-35578 (Tenda AX1806 v1.0.0.1 contains a stack overflow via the adv.iptv.stbal ...) + TODO: check +CVE-2024-35576 (Tenda AX1806 v1.0.0.1 contains a stack overflow via the iptv.stb.port ...) + TODO: check +CVE-2024-35571 (Tenda AX1806 v1.0.0.1 contains a stack overflow via the iptv.stb.mode ...) + TODO: check +CVE-2024-34953 (An issue in taurusxin ncmdump v1.3.2 allows attackers to cause a Denia ...) + TODO: check +CVE-2024-34952 (taurusxin ncmdump v1.3.2 was discovered to contain a segmentation viol ...) + TODO: check +CVE-2024-34949 (likeshop 2.5.7 is vulnerable to SQL Injection via the getOrderList fun ...) + TODO: check +CVE-2024-34948 (An issue in Quanxun Huiju Network Technology(Beijing) Co.,Ltd IK-Q3000 ...) + TODO: check +CVE-2024-34947 (Quanxun Huiju Network Technology (Beijing) Co.,Ltd IK-Q3000 3.7.10 x64 ...) 
+ TODO: check +CVE-2024-34193 (smanga 3.2.7 does not filter the file parameter at the PHP/get file fl ...) + TODO: check +CVE-2024-31714 (Buffer Overflow vulnerability in Waxlab wax v.0.9-3 and before allows ...) + TODO: check +CVE-2024-2835 (A Stored Cross-Site Scripting (XSS) vulnerability has been identified ...) + TODO: check +CVE-2024-29651 (A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v. ...) + TODO: check +CVE-2024-29000 (The SolarWinds Platform was determined to be affected by a reflected c ...) + TODO: check +CVE-2024-27312 (Zoho ManageEngine PAM360 version 6601 is vulnerable to authorization v ...) + TODO: check +CVE-2024-24294 (A Prototype Pollution issue in Blackprint @blackprint/engine v.0.9.0 a ...) + TODO: check +CVE-2024-24293 (A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 all ...) + TODO: check +CVE-2024-1968 (In scrapy/scrapy, an issue was identified where the Authorization head ...) + TODO: check +CVE-2024-0401 (ASUS routers supporting custom OpenVPN profiles are vulnerable to a co ...) + TODO: check +CVE-2023-49335 (Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injectio ...) + TODO: check +CVE-2023-49334 (Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injectio ...) + TODO: check +CVE-2023-49333 (Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injectio ...) + TODO: check +CVE-2023-49332 (Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injectio ...) + TODO: check +CVE-2023-49331 (Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injectio ...) + TODO: check +CVE-2023-49330 (Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injectio ...) + TODO: check +CVE-2024-36009 (In the Linux kernel, the following vulnerability has been resolved: a ...) 
- linux 6.8.9-1 [bookworm] - linux 6.1.90-1 NOTE: https://git.kernel.org/linus/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b (6.9-rc6) -CVE-2024-36008 [ipv4: check for NULL idev in ip_route_use_hint()] +CVE-2024-36008 (In the Linux kernel, the following vulnerability has been resolved: i ...) - linux 6.8.9-1 [bookworm] - linux 6.1.90-1 [bullseye] - linux 5.10.216-1 [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1 (6.9-rc6) -CVE-2024-36007 [mlxsw: spectrum_acl_tcam: Fix warning during rehash]
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-7258/golang-gvisor-gvisor
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a62326ff by Salvatore Bonaccorso at 2024-05-20T20:26:20+02:00 Add CVE-2023-7258/golang-gvisor-gvisor - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2667,7 +2667,8 @@ CVE-2024-20257 (A vulnerability in the web-based management interface of Cisco A CVE-2024-20256 (A vulnerability in the web-based management interface of Cisco AsyncOS ...) NOT-FOR-US: Cisco CVE-2023-7258 (A denial of service exists in Gvisor Sandbox where a bug in reference ...) - TODO: check + - golang-gvisor-gvisor + NOTE: https://github.com/google/gvisor/commit/6a112c60a257dadac59962e0bc9e9b5aee70b5b6 CVE-2023-6324 (ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session ...) NOT-FOR-US: ThroughTek Kalay SDK CVE-2023-6323 (ThroughTek Kalay SDK does not verify the authenticity of received mess ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a62326ff72d338d29e7b616e51764e86b17c0004 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a62326ff72d338d29e7b616e51764e86b17c0004 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] squirrel3 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 11ee5931 by Moritz Mühlenhoff at 2024-05-20T20:13:11+02:00 squirrel3 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -158085,7 +158085,7 @@ CVE-2022-1590 (A vulnerability was found in Bludit 3.13.1. It has been declared CVE-2022-1589 (The Change wp-admin login WordPress plugin before 1.1.0 does not prope ...) NOT-FOR-US: WordPress plugin CVE-2022-30292 (Heap-based buffer overflow in sqbaselib.cpp in SQUIRREL 3.2 due to lac ...) - - squirrel3 (bug #1014539) + - squirrel3 3.1-8.2 (bug #1014539) [bullseye] - squirrel3 (Minor issue) [buster] - squirrel3 (Minor issue) [stretch] - squirrel3 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11ee593197d704216ac13abba9a40a006d57b4b6 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11ee593197d704216ac13abba9a40a006d57b4b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] sssd fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 696de6b3 by Moritz Mühlenhoff at 2024-05-20T20:11:08+02:00 sssd fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11261,7 +11261,7 @@ CVE-2023-47843 (Improper Limitation of a Pathname to a Restricted Directory ('Pa CVE-2023-41864 (Cross-Site Request Forgery (CSRF) vulnerability in Pepro Dev. Group Pe ...) NOT-FOR-US: WordPress plugin CVE-2023-3758 (A race condition flaw was found in sssd where the GPO policy is not co ...) - - sssd (bug #1070369) + - sssd 2.9.5-1 (bug #1070369) [bookworm] - sssd (Minor issue) [bullseye] - sssd (Minor issue) [buster] - sssd (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/696de6b32474110b75877eef4c8da38e9a5c08e5 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/696de6b32474110b75877eef4c8da38e9a5c08e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim git in dla-needed.txt
Sean Whitton pushed to branch master at Debian Security Tracker / security-tracker Commits: 27cccecb by Sean Whitton at 2024-05-20T17:10:06+01:00 LTS: claim git in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -108,7 +108,7 @@ freeimage ghostscript (Markus Koschany) NOTE: 20240510: Added by Front-Desk (ta) -- -git +git (Sean Whitton) NOTE: 20240519: Added by Front-Desk (utkarsh) NOTE: 20240519: there are other no-dsa/postponed issues as well, please batch NOTE: 20240519: them, too. Newer ones are RCE and have high severity. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27cccecb86a4ff7ff6f8207f72296e58a32b558f -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27cccecb86a4ff7ff6f8207f72296e58a32b558f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
242b558c by Salvatore Bonaccorso at 2024-05-20T17:47:41+02:00
Process NFUs

- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -1927,29 +1927,29 @@ CVE-2023-51424 (Improper Privilege Management vulnerability in Saleswonder Team CVE-2023-51401 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) NOT-FOR-US: WordPress plugin CVE-2023-51398 (Improper Privilege Management vulnerability in Brainstorm Force Ultima ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51356 (Improper Privilege Management vulnerability in Repute Infosystems ARMe ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50890 (Improper Privilege Management vulnerability in Brainstorm Force Ultima ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49753 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-48757 (Improper Privilege Management vulnerability in Crocoblock JetEngine al ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-48319 (Improper Privilege Management vulnerability in Salon Booking System Sa ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47868 (Improper Privilege Management vulnerability in wpForo wpForo Forum all ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47782 (Improper Privilege Management vulnerability in Thrive Themes Thrive Th ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47683 (Improper Privilege Management vulnerability in miniOrange WordPress So ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47682 (Improper Privilege Management vulnerability in weDevs WP User Frontend ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47679 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47178 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-46784 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) 
TODO: check CVE-2023-46205 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) @@ -2055,13 +2055,13 @@ CVE-2024-21774 (Uncontrolled search path in some Intel(R) Processor Identificati CVE-2024-21772 (Uncontrolled search path in some Intel(R) Advisor software before vers ...) NOT-FOR-US: Intel CVE-2023-49614 (Out of bounds write in firmware for some Intel(R) FPGA products before ...) - TODO: check + NOT-FOR-US: Intel CVE-2023-48727 (NULL pointer dereference in some Intel(R) oneVPL software before versi ...) - TODO: check + NOT-FOR-US: Intel CVE-2023-48368 (Improper input validation in Intel(R) Media SDK software all versions ...) - TODO: check + NOT-FOR-US: Intel CVE-2023-47859 (Improper access control for some Intel(R) Wireless Bluetooth products ...) - TODO: check + NOT-FOR-US: Intel CVE-2023-47282 (Out-of-bounds write in Intel(R) Media SDK all versions and some Intel( ...) TODO: check CVE-2023-47210 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...) @@ -2511,7 +2511,7 @@ CVE-2024-20326 (A vulnerability in the ConfD CLI and the Cisco Crosswork Networ CVE-2024-1417 (Improper Neutralization of Special Elements used in a Command ('Comman ...) NOT-FOR-US: WatchGuard AuthPoint Password Manager on MacOS CVE-2023-48643 (Shrubbery tac_plus 2.x, 3.x. and 4.x through F4.0.4.28 allows unauthen ...) - TODO: check + NOT-FOR-US: tac_plus CVE-2023-47717 (IBM Security Guardium 12.0 could allow a privileged user to perform un ...) NOT-FOR-US: IBM CVE-2024-4910 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) 
@@ -2673,9 +2673,9 @@ CVE-2023-6324 (ThroughTek Kalay SDK uses a predictable PSK value in the DTLS ses CVE-2023-6323 (ThroughTek Kalay SDK does not verify the authenticity of received mess ...) NOT-FOR-US: ThroughTek Kalay SDK CVE-2023-6322 (A stack-based buffer overflow vulnerability exists in the message pars ...) - TODO: check + NOT-FOR-US: ThroughTek Kalay CVE-2023-6321 (A command injection vulnerability exists in the IOCTL that manages OTA ...) - TODO: check + NOT-FOR-US: ThroughTek Kalay CVE-2023-5938 (Multiple functions use archives without properly validating the filena ...) NOT-FOR-US: Nozomi Networks CVE-2023-5937 (On Windows systems, the Arc configuration files resulted to be world-r ...) @@ -3195,7 +3195,7 @@ CVE-2024-0862 (The
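Review bot: in the @@ -2511,7 +2511,7 @@ hunk, CVE-2023-48643 (Shrubbery tac_plus 2.x, 3.x and 4.x through F4.0.4.28) is switched from "TODO: check" to "NOT-FOR-US: tac_plus". Unlike the WordPress plugin, Intel and ThroughTek Kalay entries in the same commit, whose upstreams clearly fall outside the archive, tac_plus is server software a distribution could ship, so it is worth confirming against the package list that no Debian source package is built from it before closing the entry as NOT-FOR-US.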
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-35190/asterisk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cfe08d7f by Salvatore Bonaccorso at 2024-05-20T17:46:39+02:00 Add CVE-2024-35190/asterisk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1349,7 +1349,11 @@ CVE-2024-35784 (In the Linux kernel, the following vulnerability has been resolv - linux 6.7.12-1 NOTE: https://git.kernel.org/linus/b0ad381fa7690244802aed119b478b4bdafc31dd (6.8-rc6) CVE-2024-35190 (Asterisk is an open source private branch exchange and telephony toolk ...) - TODO: check + - asterisk + NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-qqxj-v78h-hrf9 + NOTE: https://github.com/asterisk/asterisk/pull/600 + NOTE: https://github.com/asterisk/asterisk/pull/602 + NOTE: https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d CVE-2024-35174 (Missing Authorization vulnerability in Flothemes Flo Forms.This issue ...) NOT-FOR-US: WordPress plugin CVE-2024-35173 (Missing Authorization vulnerability in PluginEver Serial Numbers for W ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfe08d7f6089a0e7801fe5ae818a4f60f6c4f261 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfe08d7f6089a0e7801fe5ae818a4f60f6c4f261 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c77ff6d by Salvatore Bonaccorso at 2024-05-20T16:46:40+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -372,13 +372,13 @@ CVE-2024-5104 (A vulnerability was found in Campcodes Complete Web-Based School CVE-2024-5103 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-4284 (A vulnerability in mintplex-labs/anything-llm allows for a denial of s ...) - TODO: check + NOT-FOR-US: mintplex-labs/anything-llm CVE-2024-3368 (The All in One SEO WordPress plugin before 4.6.1.1 does not validate ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-36081 (Westermo EDW-100 devices through 2024-05-03 allow an unauthenticated u ...) - TODO: check + NOT-FOR-US: Westermo EDW-100 devices CVE-2024-36080 (Westermo EDW-100 devices through 2024-05-03 have a hidden root user ac ...) - TODO: check + NOT-FOR-US: Westermo EDW-100 devices CVE-2024-5101 (A vulnerability was found in SourceCodester Simple Inventory System 1. ...) NOT-FOR-US: SourceCodester Simple Inventory System CVE-2024-5100 (A vulnerability was found in SourceCodester Simple Inventory System 1. ...) @@ -390,7 +390,7 @@ CVE-2024-36076 (Syslifters SysReptor before 2024.40 has a CSRF vulnerability for CVE-2024-36070 (tine before 2023.11.8, when an LDAP backend is used, allows anonymous ...) TODO: check CVE-2024-36053 (In the mintupload package through 4.2.0 for Linux Mint, service-name m ...) - TODO: check + NOT-FOR-US: mintupload CVE-2024-35947 (In the Linux kernel, the following vulnerability has been resolved: d ...) - linux NOTE: https://git.kernel.org/linus/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c (6.9-rc7) 
@@ -852,7 +852,7 @@ CVE-2024-3745 (MSI Afterburner v4.6.6.16381 Beta 3 is vulnerable to an ACL Bypas CVE-2024-3658 (The Build App Online plugin for WordPress is vulnerable to authenticat ...) NOT-FOR-US: WordPress plugin CVE-2024-36043 (question_image.ts in SurveyJS Form Library before 1.10.4 allows conten ...) - TODO: check + NOT-FOR-US: SurveyJS Form Library CVE-2024-34083 (aiosmptd is a reimplementation of the Python stdlib smtpd.py based on ...) TODO: check CVE-2024-31879 (IBM i 7.2, 7.3, and 7.4 could allow a remote attacker to execute arbit ...) @@ -872,7 +872,7 @@ CVE-2024-4698 (The Testimonial Carousel For Elementor plugin for WordPress is vu CVE-2024-4374 (The DethemeKit For Elementor plugin for WordPress is vulnerable to Sto ...) NOT-FOR-US: WordPress plugin CVE-2024-4264 (A remote code execution (RCE) vulnerability exists in the berriai/lite ...) - TODO: check + NOT-FOR-US: berriai/litellm CVE-2024-3812 (The Salient Core plugin for WordPress is vulnerable to Local File Incl ...) NOT-FOR-US: WordPress plugin CVE-2024-3811 (The Salient Shortcodes plugin for WordPress is vulnerable to Stored Cr ...) @@ -892,11 +892,11 @@ CVE-2024-2772 (The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Dra CVE-2024-2771 (The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & D ...) NOT-FOR-US: WordPress plugin CVE-2024-23583 (An attacker could potentially intercept credentials via the task manag ...) - TODO: check + NOT-FOR-US: HCL CVE-2024-23556 (SSL/TLS Renegotiation functionality potentially leading to DoS attack ...) - TODO: check + NOT-FOR-US: HCL CVE-2024-23554 (Cross-Site Request Forgery (CSRF) on Session Token vulnerability that ...) - TODO: check + NOT-FOR-US: HCL CVE-2023-52424 (The IEEE 802.11 standard sometimes enables an adversary to trick a vic ...) TODO: check CVE-2024-5072 (Improper input validation in PAM JIT elevation feature in Devolutions ...) 
@@ -934,7 +934,7 @@ CVE-2024-5043 (A vulnerability was found in Emlog Pro 2.3.4 and classified as cr CVE-2024-5042 (A flaw was found in the Submariner project. Due to unnecessary role-ba ...) NOT-FOR-US: Submariner CVE-2024-5022 (The file scheme of URLs would be hidden, resulting in potential spoofi ...) - TODO: check + NOT-FOR-US: Focus for iOS CVE-2024-4998 REJECTED CVE-2024-4789 (Cost Calculator Builder Pro plugin for WordPress is vulnerable to Serv ...) @@ -1669,21 +1669,21 @@ CVE-2024-24873 (: Improper Control of Interaction Frequency vulnerability in Cod CVE-2024-24869 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) NOT-FOR-US: WordPress plugin CVE-2024-24715 (Improper Validation of Specified Quantity in Input vulnerability in Th ...) - TODO: check + NOT-FOR-US: WordPress plugin
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 96cf8bf6 by Roberto C. Sánchez at 2024-05-20T10:09:34-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -ansible (Lee Garrett) +ansible NOTE: 20231202: Added by Front-Desk (Beuc) NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates since 2021 NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an opportunity to @@ -91,7 +91,7 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- -firmware-nonfree (tobi) +firmware-nonfree NOTE: 20240502: Added by Front-Desk (Beuc) -- freeimage @@ -135,7 +135,7 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -less (Abhijith PA) +less NOTE: 20240418: Added by Front-Desk (apo) NOTE: 20240506: Pushed CVE-2022-48624 fix to git repo. (abhijith) -- @@ -228,7 +228,7 @@ pdns-recursor NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- -putty (rouca) +putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240104: massive code change against bullseye. May be better to backport bullseye (rouca) NOTE: 20240324: Backport is straighforward (rouca) 
@@ -264,11 +264,11 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby2.5 (utkarsh) +ruby2.5 NOTE: 20240504: Added by Front-Desk (Beuc) NOTE: 20240504: Follow DSA-5677-1 (Beuc/front-desk) -- -runc (dleidert) +runc NOTE: 20240312: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. NOTE: 20240314: Uploads to ospu should be coordinated. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96cf8bf6d295d8fe7900965e332625a668454cc4 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96cf8bf6d295d8fe7900965e332625a668454cc4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
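Review bot: the less hunk (@@ -135,7 +135,7 @@) drops the claim by Abhijith PA although the entry's most recent NOTE ("20240506: Pushed CVE-2022-48624 fix to git repo. (abhijith)") shows work in progress and is dated exactly two weeks before this commit (2024-05-20), i.e. right on the boundary of the two-week inactivity rule the subject cites. Suggest checking with the claimant before unclaiming, and, per the file's own header shown in the first hunk ("please append notes rather than remove/replace existing ones"), adding a dated NOTE recording the unclaim so the entry's history stays visible.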
[Git][security-tracker-team/security-tracker][master] Merge Linux CVEs from kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
1b2d3975 by Salvatore Bonaccorso at 2024-05-20T16:04:33+02:00
Merge Linux CVEs from kernel-sec

- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -1,3 +1,332 @@ +CVE-2024-36009 [ax25: Fix netdev refcount issue] + - linux 6.8.9-1 + [bookworm] - linux 6.1.90-1 + NOTE: https://git.kernel.org/linus/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b (6.9-rc6) +CVE-2024-36008 [ipv4: check for NULL idev in ip_route_use_hint()] + - linux 6.8.9-1 + [bookworm] - linux 6.1.90-1 + [bullseye] - linux 5.10.216-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1 (6.9-rc6) +CVE-2024-36007 [mlxsw: spectrum_acl_tcam: Fix warning during rehash] + - linux 6.8.9-1 + [bookworm] - linux 6.1.90-1 + [bullseye] - linux 5.10.216-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/743edc8547a92b6192aa1f1b6bb78233fa21dc9b (6.9-rc6) +CVE-2024-36006 [mlxsw: spectrum_acl_tcam: Fix incorrect list API usage] + - linux 6.8.9-1 + [bookworm] - linux 6.1.90-1 + [bullseye] - linux 5.10.216-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/b377add0f0117409c418ddd6504bd682ebe0bf79 (6.9-rc6) +CVE-2024-36005 [netfilter: nf_tables: honor table dormant flag from netdev release event path] + - linux 6.8.9-1 + [bookworm] - linux 6.1.90-1 + [bullseye] - linux 5.10.216-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2 (6.9-rc6) +CVE-2024-36004 [i40e: Do not use WQ_MEM_RECLAIM flag for workqueue] + - linux 6.8.9-1 + [bookworm] - linux 6.1.90-1 + [bullseye] - linux 5.10.216-1 + NOTE: https://git.kernel.org/linus/2cc7d150550cc981aceedf008f5459193282425c (6.9-rc6) +CVE-2024-36003 [ice: fix LAG and VF lock dependency in ice_reset_vf()] + - linux 6.8.9-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/96fdd1f6b4ed72a741fb0eb705c0e13049b8721f (6.9-rc6) +CVE-2024-36002 [dpll: fix dpll_pin_on_pin_register() 
for multiple parent pins] + - linux 6.8.9-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/38d7b94e81d068b8d8c8392f421cfd2c3bbfd1a6 (6.9-rc6) +CVE-2024-36001 [netfs: Fix the pre-flush when appending to a file in writethrough mode] + - linux 6.8.9-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/c97f59e276d4e93480f29a70accbd0d7273cf3f5 (6.9-rc6) +CVE-2024-36000 [mm/hugetlb: fix missing hugetlb_lock for resv uncharge] + - linux 6.8.9-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/b76b46902c2d0395488c8412e1116c2486cdfcb2 (6.9-rc6) +CVE-2024-35999 [smb3: missing lock when picking channel] + - linux 6.8.9-1 + NOTE: https://git.kernel.org/linus/8094a600245e9b28eb36a13036f202ad67c1f887 (6.9-rc6) +CVE-2024-35998 [smb3: fix lock ordering potential deadlock in cifs_sync_mid_result] + - linux 6.8.9-1 + [bookworm] - linux 6.1.90-1 + NOTE: https://git.kernel.org/linus/8861fd5180476f45f9e8853db154600469a0284f (6.9-rc6) +CVE-2024-35997 [HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up] + - linux 6.8.9-1 + [bookworm] - linux 6.1.90-1 + [bullseye] - linux 5.10.216-1 + NOTE: https://git.kernel.org/linus/9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e (6.9-rc6) +CVE-2024-35996 [cpu: Re-enable CPU mitigations by default for !X86 architectures] + - linux 6.8.9-1 + [bookworm] - linux 6.1.90-1 + [bullseye] - linux 5.10.216-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/fe42754b94a42d08cf9501790afc25c4f6a5f631 (6.9-rc6) +CVE-2024-35995 [ACPI: CPPC: Use access_width over bit_width for system memory accesses] + - linux 6.8.9-1 + [bookworm] - linux 6.1.90-1 + NOTE: 
https://git.kernel.org/linus/2f4a4d63a193be6fd530d180bb13c3592052904c (6.9-rc1) +CVE-2024-35994 [firmware: qcom: uefisecapp: Fix memory related IO errors and crashes] + - linux 6.8.9-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not
[Git][security-tracker-team/security-tracker][master] dla: add note
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab3a10d4 by Adrian Bunk at 2024-05-20T14:38:38+03:00 dla: add note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -115,6 +115,7 @@ git -- glibc (Adrian Bunk) NOTE: 20240504: Re-add for remaining CVEs. (bunk) + NOTE: 20240520: Testing fixes. (bunk) -- h2o NOTE: 20231228: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3a10d499d7ff21ef77c49df1acadb5b97af5bf -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3a10d499d7ff21ef77c49df1acadb5b97af5bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 910713bf by Salvatore Bonaccorso at 2024-05-20T10:15:30+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,47 +1,47 @@ CVE-2024-5134 (A vulnerability was found in SourceCodester Electricity Consumption Mo ...) - TODO: check + NOT-FOR-US: SourceCodester Electricity Consumption Monitoring Tool CVE-2024-5123 (A vulnerability classified as problematic has been found in SourceCode ...) - TODO: check + NOT-FOR-US: SourceCodester Event Registration System CVE-2024-5122 (A vulnerability was found in SourceCodester Event Registration System ...) - TODO: check + NOT-FOR-US: SourceCodester Event Registration System CVE-2024-5121 (A vulnerability was found in SourceCodester Event Registration System ...) - TODO: check + NOT-FOR-US: SourceCodester Event Registration System CVE-2024-5120 (A vulnerability was found in SourceCodester Event Registration System ...) - TODO: check + NOT-FOR-US: SourceCodester Event Registration System CVE-2024-5119 (A vulnerability was found in SourceCodester Event Registration System ...) - TODO: check + NOT-FOR-US: SourceCodester Event Registration System CVE-2024-5118 (A vulnerability has been found in SourceCodester Event Registration Sy ...) - TODO: check + NOT-FOR-US: SourceCodester Event Registration System CVE-2024-5117 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Event Registration System CVE-2024-5116 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Online Examination System CVE-2024-5115 (A vulnerability classified as critical was found in Campcodes Complete ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5114 (A vulnerability classified as critical has been found in Campcodes Com ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5113 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) 
- TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5112 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5111 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5110 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5109 (A vulnerability has been found in Campcodes Complete Web-Based School ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5108 (A vulnerability, which was classified as critical, was found in Campco ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5107 (A vulnerability, which was classified as critical, has been found in C ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5106 (A vulnerability classified as critical was found in Campcodes Complete ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5105 (A vulnerability classified as critical has been found in Campcodes Com ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5104 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-5103 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) - TODO: check + NOT-FOR-US: Campcodes Complete Web-Based School Management System CVE-2024-4284 (A vulnerability in mintplex-labs/anything-llm allows for a denial of s ...) 
TODO: check CVE-2024-3368 (The All in One SEO WordPress plugin before 4.6.1.1 does not validate ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/910713bfb7a00bd58dc5b5ea10d1026ea5802715 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/910713bfb7a00bd58dc5b5ea10d1026ea5802715 You're receiving this email because of your account on salsa.debian.org.
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3817-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a22949a2 by Emilio Pozuelo Monfort at 2024-05-20T10:14:09+02:00 Reserve DLA-3817-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 May 2024] DLA-3817-1 thunderbird - security update + {CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777} + [buster] - thunderbird 1:115.11.0-1~deb10u1 [17 May 2024] DLA-3816-1 bind9 - security update {CVE-2023-50387 CVE-2023-50868} [buster] - bind9 1:9.11.5.P4+dfsg-5.1+deb10u11 = data/dla-needed.txt = @@ -301,9 +301,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20240515: Added by pochu --- tiff (Thorsten Alteholz) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a22949a22f1e2fe1d59734fa16d159976436c116 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a22949a22f1e2fe1d59734fa16d159976436c116 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 215575a7 by security tracker role at 2024-05-20T08:11:59+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,55 @@ +CVE-2024-5134 (A vulnerability was found in SourceCodester Electricity Consumption Mo ...) + TODO: check +CVE-2024-5123 (A vulnerability classified as problematic has been found in SourceCode ...) + TODO: check +CVE-2024-5122 (A vulnerability was found in SourceCodester Event Registration System ...) + TODO: check +CVE-2024-5121 (A vulnerability was found in SourceCodester Event Registration System ...) + TODO: check +CVE-2024-5120 (A vulnerability was found in SourceCodester Event Registration System ...) + TODO: check +CVE-2024-5119 (A vulnerability was found in SourceCodester Event Registration System ...) + TODO: check +CVE-2024-5118 (A vulnerability has been found in SourceCodester Event Registration Sy ...) + TODO: check +CVE-2024-5117 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2024-5116 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check +CVE-2024-5115 (A vulnerability classified as critical was found in Campcodes Complete ...) + TODO: check +CVE-2024-5114 (A vulnerability classified as critical has been found in Campcodes Com ...) + TODO: check +CVE-2024-5113 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) + TODO: check +CVE-2024-5112 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) + TODO: check +CVE-2024-5111 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) + TODO: check +CVE-2024-5110 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) + TODO: check +CVE-2024-5109 (A vulnerability has been found in Campcodes Complete Web-Based School ...) + TODO: check +CVE-2024-5108 (A vulnerability, which was classified as critical, was found in Campco ...) + TODO: check +CVE-2024-5107 (A vulnerability, which was classified as critical, has been found in C ...) 
+ TODO: check +CVE-2024-5106 (A vulnerability classified as critical was found in Campcodes Complete ...) + TODO: check +CVE-2024-5105 (A vulnerability classified as critical has been found in Campcodes Com ...) + TODO: check +CVE-2024-5104 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) + TODO: check +CVE-2024-5103 (A vulnerability was found in Campcodes Complete Web-Based School Manag ...) + TODO: check +CVE-2024-4284 (A vulnerability in mintplex-labs/anything-llm allows for a denial of s ...) + TODO: check +CVE-2024-3368 (The All in One SEO WordPress plugin before 4.6.1.1 does not validate ...) + TODO: check +CVE-2024-36081 (Westermo EDW-100 devices through 2024-05-03 allow an unauthenticated u ...) + TODO: check +CVE-2024-36080 (Westermo EDW-100 devices through 2024-05-03 have a hidden root user ac ...) + TODO: check CVE-2024-5101 (A vulnerability was found in SourceCodester Simple Inventory System 1. ...) NOT-FOR-US: SourceCodester Simple Inventory System CVE-2024-5100 (A vulnerability was found in SourceCodester Simple Inventory System 1. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/215575a7652e56bf5f1690983f1e1e205304cf96 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/215575a7652e56bf5f1690983f1e1e205304cf96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-36050/nix
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fc2be6c7 by Salvatore Bonaccorso at 2024-05-20T09:04:02+02:00 Add CVE-2024-36050/nix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -448,7 +448,10 @@ CVE-2024-5096 (A vulnerability classified as problematic was found in Hipcam Dev CVE-2024-5095 (A vulnerability classified as problematic has been found in Victor Zsv ...) NOT-FOR-US: Victor Zsviot Camera CVE-2024-36050 (Nix through 2.22.1 mishandles certain usage of hash caches, which make ...) - TODO: check + - nix + NOTE: https://github.com/NixOS/nix/issues/969 + NOTE: https://github.com/NixOS/ofborg/issues/68#issuecomment-2082789441 + TODO: check details and verify if same code (and only then) is present in guix CVE-2024-36048 (QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x b ...) TODO: check CVE-2024-28064 (Kiteworks Totemomail 7.x and 8.x before 8.3.0 allows /responsiveUI/Env ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc2be6c7838206d17a9dabaee7364fa1271d62f2 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc2be6c7838206d17a9dabaee7364fa1271d62f2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-36078/zammad
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6dc39ca6 by Salvatore Bonaccorso at 2024-05-20T09:03:09+02:00 Add CVE-2024-36078/zammad - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2024-5101 (A vulnerability was found in SourceCodester Simple Inventory Syst CVE-2024-5100 (A vulnerability was found in SourceCodester Simple Inventory System 1. ...) NOT-FOR-US: SourceCodester Simple Inventory System CVE-2024-36078 (In Zammad before 6.3.1, a Ruby gem bundled by Zammad is installed with ...) - TODO: check + - zammad (bug #841355) CVE-2024-36076 (Syslifters SysReptor before 2024.40 has a CSRF vulnerability for WebSo ...) NOT-FOR-US: Syslifters SysReptor CVE-2024-36070 (tine before 2023.11.8, when an LDAP backend is used, allows anonymous ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6dc39ca69856c14bf27455772ccdc2d87ca08253 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6dc39ca69856c14bf27455772ccdc2d87ca08253 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c38052f1 by Salvatore Bonaccorso at 2024-05-20T09:02:39+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,11 @@ CVE-2024-5101 (A vulnerability was found in SourceCodester Simple Inventory System 1. ...) - TODO: check + NOT-FOR-US: SourceCodester Simple Inventory System CVE-2024-5100 (A vulnerability was found in SourceCodester Simple Inventory System 1. ...) - TODO: check + NOT-FOR-US: SourceCodester Simple Inventory System CVE-2024-36078 (In Zammad before 6.3.1, a Ruby gem bundled by Zammad is installed with ...) TODO: check CVE-2024-36076 (Syslifters SysReptor before 2024.40 has a CSRF vulnerability for WebSo ...) - TODO: check + NOT-FOR-US: Syslifters SysReptor CVE-2024-36070 (tine before 2023.11.8, when an LDAP backend is used, allows anonymous ...) TODO: check CVE-2024-36053 (In the mintupload package through 4.2.0 for Linux Mint, service-name m ...) 
@@ -548,7 +548,7 @@ CVE-2024-5044 (A vulnerability was found in Emlog Pro 2.3.4. It has been classif CVE-2024-5043 (A vulnerability was found in Emlog Pro 2.3.4 and classified as critica ...) NOT-FOR-US: Emlog Pro CVE-2024-5042 (A flaw was found in the Submariner project. Due to unnecessary role-ba ...) - TODO: check + NOT-FOR-US: Submariner CVE-2024-5022 (The file scheme of URLs would be hidden, resulting in potential spoofi ...) TODO: check CVE-2024-4998 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c38052f165647182a228408a4a8b9ca1b0c514e4 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c38052f165647182a228408a4a8b9ca1b0c514e4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Replace spacing in package note
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0575a166 by Salvatore Bonaccorso at 2024-05-20T08:55:58+02:00 Replace spacing in package note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9413,7 +9413,7 @@ CVE-2024-32404 (Server-Side Template Injection (SSTI) vulnerability in inducer r NOT-FOR-US: inducer relate CVE-2024-31755 (cJSON v1.7.17 was discovered to contain a segmentation violation, whic ...) - cjson - [buster] - cjson (Sefault only; can be piggy-backed with future DLAs) + [buster] - cjson (Sefault only; can be piggy-backed with future DLAs) NOTE: https://github.com/DaveGamble/cJSON/issues/839 NOTE: https://github.com/DaveGamble/cJSON/pull/840 NOTE: https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0575a166d81ffdef2a78a417510a4ba7739e2a89 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0575a166d81ffdef2a78a417510a4ba7739e2a89 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
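Review bot: the re-spaced `+` line for the cjson buster entry still carries the typo "Sefault" in `[buster] - cjson (Sefault only; can be piggy-backed with future DLAs)`; since this commit already touches only that line, correcting the word to "Segfault" in the same change would avoid a second edit of the same entry.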
[Git][security-tracker-team/security-tracker][master] Track fixes for git via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a3f0d1b1 by Salvatore Bonaccorso at 2024-05-20T08:53:32+02:00 Track fixes for git via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2541,7 +2541,7 @@ CVE-2024-32636 (A vulnerability has been identified in Parasolid V35.1 (All vers CVE-2024-32635 (A vulnerability has been identified in Parasolid V35.1 (All versions < ...) NOT-FOR-US: Siemens CVE-2024-32465 (Git is a revision control system. The Git project recommends to avoid ...) - - git (bug #1071160) + - git 1:2.45.1-1 (bug #1071160) NOTE: https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4 NOTE: https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7 CVE-2024-32355 (TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a co ...) 
@@ -2581,19 +2581,19 @@ CVE-2024-32057 (A vulnerability has been identified in PS/IGES Parasolid Transla CVE-2024-32055 (A vulnerability has been identified in PS/IGES Parasolid Translator Co ...) NOT-FOR-US: Siemens CVE-2024-32021 (Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2. ...) - - git (bug #1071160) + - git 1:2.45.1-1 (bug #1071160) NOTE: https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7 CVE-2024-32020 (Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2. ...) - - git (bug #1071160) + - git 1:2.45.1-1 (bug #1071160) NOTE: https://github.com/git/git/security/advisories/GHSA-5rfh-556j-fhgj NOTE: https://github.com/git/git/commit/1204e1a824c34071019fe106348eaa6d88f9528d NOTE: https://github.com/git/git/commit/9e65df5eab274bf74c7b570107aacd1303a1e703 CVE-2024-32004 (Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2. ...) - - git (bug #1071160) + - git 1:2.45.1-1 (bug #1071160) NOTE: https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389 NOTE: https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8 CVE-2024-32002 (Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2. ...) - - git (bug #1071160) + - git 1:2.45.1-1 (bug #1071160) NOTE: https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv NOTE: https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d CVE-2024-31980 (A vulnerability has been identified in Parasolid V35.1 (All versions < ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3f0d1b1c47cc081edce353994f64ec3b0b84661 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3f0d1b1c47cc081edce353994f64ec3b0b84661 You're receiving this email because of your account on salsa.debian.org. 