[Git][security-tracker-team/security-tracker][master] pypdf spu

2024-01-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
96898fb3 by Moritz Mühlenhoff at 2024-01-15T20:52:24+01:00
pypdf spu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -84,3 +84,5 @@ CVE-2024- [spip XSS]
[bookworm] - spip 4.1.9+dfsg-1+deb12u4
 CVE-2023-48795
[bookworm] - proftpd-mod-proxy 0.9.2-1+deb12u1
+CVE-2023-36464
+   [bookworm] - pypdf 3.4.1-1+deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96898fb34451aefb06efd40493c89e6b009b8d75

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96898fb34451aefb06efd40493c89e6b009b8d75
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] one gitlab issue fixed in sid (rest of them only for more recent release series)

2024-01-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b302ca48 by Moritz Muehlenhoff at 2024-01-15T16:27:32+01:00
one gitlab issue fixed in sid (rest of them only for more recent release series)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -329,7 +329,7 @@ CVE-2023-4812 (An issue has been discovered in GitLab EE 
affecting all versions
 CVE-2023-5356 (Incorrect authorization checks in GitLab CE/EE from all 
versions start ...)
- gitlab 
 CVE-2023-7028 (An issue has been discovered in GitLab CE/EE affecting all 
versions fr ...)
-   - gitlab 
+   - gitlab 16.4.5+ds2-1
 CVE-2024-23179 (An issue was discovered in the GlobalBlocking extension in 
MediaWiki b ...)
NOT-FOR-US: MediaWiki extension GlobalBlocking
 CVE-2024-23178 (An issue was discovered in the Phonos extension in MediaWiki 
before 1. ...)
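Review bot: CVE-2023-5356, two context lines above the change, is left as a bare `- gitlab` with no fixed version and nothing in the file saying why; the commit message explains that the remaining GitLab issues are fixed only in release series newer than the packaged 16.4 branch, but that reasoning lives only in the commit log. Add a NOTE under CVE-2023-5356 (and the other open GitLab entries) recording that the upstream fix is in a later series than 16.4.x, so the unfixed state is visibly deliberate and the next triager does not re-investigate. The 16.4.5+ds2-1 version on CVE-2023-7028 itself is consistent with a point release of the packaged 16.4 branch.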



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b302ca48ac8f9da78f8fab4dc32a60648728c83a



[Git][security-tracker-team/security-tracker][master] netatalk ospu

2024-01-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1dedfa63 by Moritz Mühlenhoff at 2024-01-15T16:22:17+01:00
netatalk ospu

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -126,3 +126,5 @@ CVE-2023-49468
[bullseye] - libde265 1.0.11-0+deb11u3
 CVE-2024-22368
[bullseye] - libspreadsheet-parsexlsx-perl 0.27-2.1+deb11u1
+CVE-2022-22995
+   [bullseye] - netatalk 3.1.12~ds-8+deb11u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dedfa63781c0a24f8f8e75d9b2f983cd9ff4c92



[Git][security-tracker-team/security-tracker][master] new openssl issue

2024-01-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
770f6309 by Moritz Muehlenhoff at 2024-01-15T14:15:50+01:00
new openssl issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,10 @@
+CVE-2023-6237 [openssl: Checking excessively long invalid RSA public keys may 
take a long time]
+   - openssl 
+   [bookworm] - openssl  (Minor issue)
+   [bullseye] - openssl  (Only affects 3.x)
+   [buster] - openssl  (Only affects 3.x)
+   NOTE: https://www.openssl.org/news/secadv/20240115.txt
+   NOTE: 
https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db
 CVE-2024- [RUSTSEC-2023-0078]
- rust-tracing 
[bookworm] - rust-tracing  (Vulnerable code not present)
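Review bot: the status field after `openssl` is empty on all four lines of the new entry (`- openssl`, `[bookworm]`, `[bullseye]`, `[buster]`) as rendered here, with only the parenthetical surviving; the tracker's angle-bracket status markers (unfixed, no-dsa, not-affected) look like they were stripped as HTML tags by the notification, so confirm the committed file carries them, because a suite line with neither a version nor a marker does not encode the `Only affects 3.x` verdict in a machine-readable way. The bullseye and buster assessments rest on those suites shipping the 1.1.1 series, which is what makes a 3.x-only issue not affect them; the secadv and the fix commit are both referenced, which is what a recheck needs.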



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/770f6309c626cce57af1d61a098bc4177462b6b4



[Git][security-tracker-team/security-tracker][master] new rust-vmm-sys-util issue

2024-01-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2c2c64a1 by Moritz Muehlenhoff at 2024-01-15T11:09:07+01:00
new rust-vmm-sys-util issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2476,7 +2476,10 @@ CVE-2023-6436 (Improper Neutralization of Special 
Elements used in an SQL Comman
 CVE-2023-51652 (OWASP AntiSamy .NET is a library for performing cleansing of 
HTML comi ...)
NOT-FOR-US: OWASP AntiSamy .NET library
 CVE-2023-50711 (vmm-sys-util is a collection of modules that provides helpers 
and util ...)
-   NOT-FOR-US: vmm-sys-util rust modules
+   - rust-vmm-sys-util 
+   NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0002.html
+   NOTE: https://github.com/advisories/GHSA-875g-mfp6-g7f9
+   NOTE: 
https://github.com/rust-vmm/vmm-sys-util/commit/30172fca2a8e0a38667d934ee56682247e13f167
 CVE-2023-50333 (Mattermost fails to update the permissions of the current 
session for  ...)
- mattermost-server  (bug #823556)
 CVE-2023-4280 (An unvalidated input in Silicon Labs TrustZone implementation 
in v4.3. ...)
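Review bot: flipping CVE-2023-50711 from `NOT-FOR-US` to `- rust-vmm-sys-util` adds no per-suite lines, so the tracker will treat every release as affected until someone assesses them; add `[bookworm]`/`[bullseye]` lines in the same commit (not-affected if the package or the code is absent there, otherwise a triage verdict) rather than leaving the entry half-triaged. Record the upstream fixed version next to the fix commit as well, and since this is a Rust crate that gets statically linked, note that reverse dependencies built from the vulnerable source need a rebuild, which a fix in the library package alone does not deliver.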



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c2c64a157426c866489379c82526263badbc38c



[Git][security-tracker-team/security-tracker][master] new rust-tracing issue

2024-01-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5cb3715e by Moritz Muehlenhoff at 2024-01-15T10:39:06+01:00
new rust-tracing issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2024- [RUSTSEC-2023-0078]
+   - rust-tracing 
+   [bookworm] - rust-tracing  (Vulnerable code not present)
+   NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0078.html
+   NOTE: https://github.com/tokio-rs/tracing/pull/2765
+   NOTE: Introduced in 
https://github.com/tokio-rs/tracing/commit/20a1762b3fd5f1fafead198fd18e469c68683721
 CVE-2024-22028 (Insufficient technical documentation issue exists in thermal 
camera TM ...)
NOT-FOR-US: thermal camera TMC series firmware
 CVE-2024-0552 (Intumit inc. SmartRobot's web framwork has a remote code 
execution vul ...)
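Review bot: the bookworm line says `Vulnerable code not present` while the sid line (`- rust-tracing`) has no fixed version; the `Introduced in` NOTE is what justifies the bookworm verdict, so state in that NOTE which upstream release first contained 20a1762b and which release carries PR 2765, so the verdict can be rechecked without re-bisecting. There is no `[bullseye]` line: if bullseye ships rust-tracing it needs the same assessment, and if it does not, nothing is missing, but say which. The placeholder `CVE-2024-` will need the real identifier once one is assigned.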



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cb3715e3eb11068e8ddf2968d809d2c92e793bc



[Git][security-tracker-team/security-tracker][master] proftpd-mod-proxy spu

2024-01-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6ca9f5cb by Moritz Mühlenhoff at 2024-01-13T23:34:27+01:00
proftpd-mod-proxy spu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -82,3 +82,5 @@ CVE-2024-22368
[bookworm] - libspreadsheet-parsexlsx-perl 0.27-3+deb12u1
 CVE-2024- [spip XSS]
[bookworm] - spip 4.1.9+dfsg-1+deb12u4
+CVE-2023-48795
+   [bookworm] - proftpd-mod-proxy 0.9.2-1+deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca9f5cbd20e1fffd830d11daa91e079696608b3



[Git][security-tracker-team/security-tracker][master] bugnums

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f7fa5caa by Moritz Mühlenhoff at 2024-01-12T23:17:14+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -223,7 +223,7 @@ CVE-2022-4960 (A vulnerability, which was classified as 
problematic, has been fo
 CVE-2022-4959 (A vulnerability classified as problematic was found in qkmc-rk 
redbbs  ...)
NOT-FOR-US: qkmc-rk redbbs
 CVE-2022-48620 (uev (aka libuev) before 2.4.1 has a buffer overflow in 
epoll_wait if m ...)
-   - libuev 
+   - libuev  (bug #1060692)
[bookworm] - libuev  (Minor issue)
[bullseye] - libuev  (Minor issue)
NOTE: https://github.com/troglobit/libuev/issues/27
@@ -703,7 +703,7 @@ CVE-2023-50916 (Kyocera Device Manager before 3.1.1213.0 
allows NTLM credential
 CVE-2023-50172 (A recovery notification bypass vulnerability exists in the 
userRecover ...)
NOT-FOR-US: WWBN AVideo
 CVE-2023-50120 (MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was 
discovered to ...)
-   - gpac 
+   - gpac  (bug #1060696)
[bullseye] - gpac  (Vulnerable code not present)
NOTE: https://github.com/gpac/gpac/issues/2698
NOTE: 
https://github.com/gpac/gpac/commit/b655955b840ccd7c7198bb15375aa510e76208eb
@@ -860,28 +860,23 @@ CVE-2023-50136 (Cross Site Scripting (XSS) vulnerability 
in JFinalcms 5.0.0 allo
 CVE-2023-48864 (SEMCMS v4.8 was discovered to contain a SQL injection 
vulnerability vi ...)
NOT-FOR-US: SEMCMS
 CVE-2023-47997 (An issue discovered in 
BitmapAccess.cpp::FreeImage_AllocateBitmap in F ...)
-   - freeimage 
+   - freeimage  (bug #1060691)
NOTE: 
https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47997
-   TODO: check upstream reporting status
 CVE-2023-47996 (An integer overflow vulnerability in 
Exif.cpp::jpeg_read_exif_dir in F ...)
-   - freeimage 
+   - freeimage  (bug #1060691)
NOTE: 
https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47996
-   TODO: check upstream reporting status
 CVE-2023-47995 (Buffer Overflow vulnerability in 
BitmapAccess.cpp::FreeImage_AllocateB ...)
-   - freeimage 
-   TODO: check no sensible references in CVE entry
+   - freeimage 
+   NOTE: no sensible references in CVE entry
 CVE-2023-47994 (An integer overflow vulnerability in LoadPixelDataRLE4 
function in Plu ...)
-   - freeimage 
+   - freeimage  (bug #1060691)
NOTE: 
https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47994
-   TODO: check upstream reporting status
 CVE-2023-47993 (A Buffer out-of-bound read vulnerability in 
Exif.cpp::ReadInt32 in Fre ...)
-   - freeimage 
+   - freeimage  (bug #1060691)
NOTE: 
https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47993
-   TODO: check upstream reporting status
 CVE-2023-47992 (An integer overflow vulnerability in 
FreeImageIO.cpp::_MemoryReadProc  ...)
-   - freeimage 
+   - freeimage  (bug #1060691)
NOTE: 
https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47992
-   TODO: check upstream reporting status
 CVE-2023-41781 (There is a Cross-sitescripting (XSS) vulnerability in ZTE 
MF258. Due t ...)
NOT-FOR-US: ZTE
 CVE-2023-3043 (AMI\u2019s SPx contains a vulnerability in the BMC where an 
Attacker m ...)
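Review bot: CVE-2023-47995 is the only one of the six FreeImage entries in this hunk that does not get `(bug #1060691)`; if that bug covers the whole batch, add it here too, and if it was deliberately left out because the CVE has no usable reference, say so in the NOTE instead of the bare `no sensible references in CVE entry`. The five removed `TODO: check upstream reporting status` lines are replaced only by the bug number; a one-line NOTE on whether the issues were reported to FreeImage upstream (or only to the Debian BTS) would preserve that state, since the only references left are a third-party PoC repository.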
@@ -3275,13 +3270,13 @@ CVE-2023-51772 (One Identity Password Manager before 
5.13.1 allows Kiosk Escape.
 CVE-2023-51771 (In MicroHttpServer (aka Micro HTTP Server) through a8ab029, 
_ParseHead ...)
NOT-FOR-US: MicroHttpServer
 CVE-2023-51714 (An issue was discovered in the HTTP2 implementation in Qt 
before 5.15. ...)
-   - qt6-base 
+   - qt6-base  (bug #1060693)
[bookworm] - qt6-base  (Minor issue)
-   - qtbase-opensource-src 
+   - qtbase-opensource-src  (bug #1060694)
[bookworm] - qtbase-opensource-src  (Minor issue)
[bullseye] - qtbase-opensource-src  (Minor issue)
[buster] - qtbase-opensource-src  (Minor issue)
-   - qtbase-opensource-src-gles 
+   - qtbase-opensource-src-gles  (bug #1060695)
[bookworm] - qtbase-opensource-src-gles  (Minor issue)
[bullseye] - qtbase-opensource-src-gles  (Minor issue)
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524864



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7fa5caae260334245d5e88d0a692d462d8bcfc8


[Git][security-tracker-team/security-tracker][master] solr n/a

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
318a3665 by Moritz Mühlenhoff at 2024-01-12T22:53:19+01:00
solr n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2023-50290
+   - lucene-solr  (Vulnerable code not yet present)
 CVE-2024-0232 [use-after-free bug in jsonParseAddNodeArray]
- sqlite3 3.43.2-1
[bullseye] - sqlite3  (Vulnerable code not present)
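Review bot: the new CVE-2023-50290 entry carries no description and no NOTE, so the `Vulnerable code not yet present` verdict on lucene-solr cannot be rechecked from the file; add the upstream advisory or fix commit as a NOTE and state which upstream version introduced the affected code, because "not yet present" is a verdict that expires the moment the package is updated. The sqlite3 entry just below shows the expected shape: fixed version on the sid line, per-suite assessment under it.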



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/318a366555fa3d97a8acd7ed885a0bd3fb6138d6



[Git][security-tracker-team/security-tracker][master] new spip issue

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8f407d9c by Moritz Muehlenhoff at 2024-01-12T14:55:58+01:00
new spip issue

- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2024- [spip XSS]
+   - spip 4.1.15+dfsg-1
+   [bookworm] - spip  (Minor issue)
+   [bullseye] - spip  (Vulnerable code not present)
 CVE-2023-6955
- gitlab 
 CVE-2023-4812
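Review bot: the spip entry has `[bookworm] - spip (Minor issue)` and `[bullseye] - spip (Vulnerable code not present)` (suite markers missing as rendered) but no NOTE with an upstream reference for the XSS; add the advisory or fix commit so the bullseye "not present" verdict can be verified against the actual vulnerable code, and so the placeholder `CVE-2024-` can be swapped for the real identifier in both files later. "Minor issue" on bookworm together with the pending `4.1.9+dfsg-1+deb12u4` entry in data/next-point-update.txt in the same commit is consistent with a no-dsa fix via point release, but the entry should say that explicitly.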


=
data/next-point-update.txt
=
@@ -78,3 +78,5 @@ CVE-2024-21633
[bookworm] - apktool 2.7.0+dfsg-6+deb12u1
 CVE-2023-46303
[bookworm] - calibre 6.13.0+repack-2+deb12u3
+CVE-2024- [spip XSS]
+   [bookworm] - spip 4.1.9+dfsg-1+deb12u4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f407d9c2b83b023f1587ad207998943c270f1c8



[Git][security-tracker-team/security-tracker][master] calibre spu

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e468e284 by Moritz Muehlenhoff at 2024-01-12T14:54:10+01:00
calibre spu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -76,3 +76,5 @@ CVE-2023-51713
[bookworm] - proftpd-dfsg 1.3.8+dfsg-4+deb12u3
 CVE-2024-21633
[bookworm] - apktool 2.7.0+dfsg-6+deb12u1
+CVE-2023-46303
+   [bookworm] - calibre 6.13.0+repack-2+deb12u3



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e468e284592c3e40ad99d05612f8e27460b42061



[Git][security-tracker-team/security-tracker][master] new quic-go issue

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6b2ea7df by Moritz Muehlenhoff at 2024-01-12T14:52:20+01:00
new quic-go issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -404,7 +404,18 @@ CVE-2023-51123 (An issue discovered in D-Link dir815 
v.1.01SSb08.bin allows a re
 CVE-2023-51073 (An issue in Buffalo LS210D v.1.78-0.03 allows a remote 
attacker to exe ...)
NOT-FOR-US: Buffalo
 CVE-2023-49295 (quic-go is an implementation of the QUIC protocol (RFC 9000, 
RFC 9001, ...)
-   TODO: check
+   - golang-github-lucas-clemente-quic-go 
+   [bookworm] - golang-github-lucas-clemente-quic-go  (Minor issue)
+   [bullseye] - golang-github-lucas-clemente-quic-go  (Minor issue)
+   NOTE: 
https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf
+   NOTE: 
https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc
+   NOTE: 
https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965
+   NOTE: 
https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a
+   NOTE: 
https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49
+   NOTE: 
https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e
+   NOTE: 
https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc
+   NOTE: 
https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4
+   NOTE: 
https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8
 CVE-2023-45175 (IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged 
local user ...)
NOT-FOR-US: IBM
 CVE-2023-45173 (IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged 
local user ...)
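Review bot: the `- golang-github-lucas-clemente-quic-go` line records no fixed version although eight upstream fix commits are listed; add the upstream release that contains all of them (the GHSA advisory should name it) so the sid fix can be matched to a package version rather than to a commit list. Because this is a Go library, the binaries that matter are the reverse dependencies that statically link it; the `Minor issue` verdict for bookworm and bullseye should say which consumers were considered, since updating the library source package alone changes nothing for already-built binaries.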
@@ -16255,9 +16266,9 @@ CVE-2023-45133 (Babel is a compiler for 
writingJavaScript. In `@babel/traverse`
{DSA-5528-1 DLA-3618-1}
- node-babel 
- node-babel7 7.20.15+ds1+~cs214.269.168-5 (bug #1053880)
-   NOTE: github.com: 
https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
-   NOTE: github.com: https://github.com/babel/babel/pull/16033
-   NOTE: github.com: 
https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82
+   NOTE: 
https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
+   NOTE: https://github.com/babel/babel/pull/16033
+   NOTE: 
https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82
 CVE-2023-45106 (Cross-Site Request Forgery (CSRF) vulnerability in Fedor 
Urvanov, Aram ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-45103 (Cross-Site Request Forgery (CSRF) vulnerability in YAS Global 
Team Per ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2ea7dfd0f2652b5d4a5ca2a100330db20c7bb3



[Git][security-tracker-team/security-tracker][master] "new" libuev issue

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
27b9ef49 by Moritz Muehlenhoff at 2024-01-12T13:21:21+01:00
new libuev issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -135,7 +135,11 @@ CVE-2022-4960 (A vulnerability, which was classified as 
problematic, has been fo
 CVE-2022-4959 (A vulnerability classified as problematic was found in qkmc-rk 
redbbs  ...)
NOT-FOR-US: qkmc-rk redbbs
 CVE-2022-48620 (uev (aka libuev) before 2.4.1 has a buffer overflow in 
epoll_wait if m ...)
-   TODO: check
+   - libuev 
+   [bookworm] - libuev  (Minor issue)
+   [bullseye] - libuev  (Minor issue)
+   NOTE: https://github.com/troglobit/libuev/issues/27
+   NOTE: 
https://github.com/troglobit/libuev/commit/2d9f1c9ce655cc38511aeeb6e95ac30914f7aec9
 CVE-2022-48619 (An issue was discovered in drivers/input/input.c in the Linux 
kernel b ...)
TODO: check
 CVE-2016-20021 (In Gentoo Portage before 3.0.47, there is missing PGP 
validation of ex ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27b9ef49f4ace702425fe0b6a50ffe83edf46781



[Git][security-tracker-team/security-tracker][master] NFUs

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
891e060a by Moritz Muehlenhoff at 2024-01-12T13:08:35+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -139,7 +139,7 @@ CVE-2022-48620 (uev (aka libuev) before 2.4.1 has a buffer 
overflow in epoll_wai
 CVE-2022-48619 (An issue was discovered in drivers/input/input.c in the Linux 
kernel b ...)
TODO: check
 CVE-2016-20021 (In Gentoo Portage before 3.0.47, there is missing PGP 
validation of ex ...)
-   TODO: check
+   NOT-FOR-US: Portage
 CVE-2024-0443 (A flaw was found in the blkgs destruction path in 
block/blk-cgroup.c i ...)
- linux 6.3.11-1
[bookworm] - linux  (Vulnerable code not present)
@@ -821,7 +821,7 @@ CVE-2024-22164 (In Splunk Enterprise Security (ES) versions 
below 7.1.2, an atta
 CVE-2024-21668 (react-native-mmkv is a library that allows easy use of MMKV 
inside Rea ...)
NOT-FOR-US: react-native-mmkv
 CVE-2024-21664 (jwx is a Go module implementing various JWx 
(JWA/JWE/JWK/JWS/JWT, othe ...)
-   TODO: check
+   NOT-FOR-US: jwx
 CVE-2024-21325 (Microsoft Printer Metadata Troubleshooter Tool Remote Code 
Execution V ...)
NOT-FOR-US: Microsoft
 CVE-2024-21320 (Windows Themes Spoofing Vulnerability)
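Review bot: `NOT-FOR-US: jwx` for CVE-2024-21664 deserves an archive check before it sticks: jwx is a Go module, and Go libraries enter Debian under golang-github-* source names, so the absence of a package literally called "jwx" is not evidence; if a golang-github-*-jwx source package exists, the entry needs a real assessment instead. The Portage verdict is safe, since Gentoo's package manager is not something Debian ships.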



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/891e060ab7a7342a6f98fce5f51bea1fd4f5f61b



[Git][security-tracker-team/security-tracker][master] new libebml issue

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8f1d1cfb by Moritz Muehlenhoff at 2024-01-12T12:59:55+01:00
new libebml issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -89,7 +89,12 @@ CVE-2023-6040 (An out-of-bounds access vulnerability 
involving netfilter was rep
NOTE: https://www.openwall.com/lists/oss-security/2024/01/12/1
NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1082dd31fe461d482d69da2a8eccfeb7bf07ac2
 CVE-2023-52339 (In libebml before 1.4.5, an integer overflow in 
MemIOCallback.cpp can  ...)
-   TODO: check
+   - libebml 1.4.5-1
+   [bookworm] - libebml  (Minor issue)
+   [bullseye] - libebml  (Minor issue)
+   NOTE: https://github.com/Matroska-Org/libebml/issues/147
+   NOTE: https://github.com/Matroska-Org/libebml/pull/148
+   NOTE: 
https://github.com/Matroska-Org/libebml/commit/4d577f5c3e267b2988d56dafebc82dedb4c45506
 CVE-2023-51350 (A spoofing attack in ujcms v.8.0.2 allows a remote attacker to 
obtain  ...)
NOT-FOR-US: ujcms
 CVE-2023-50920 (An issue was discovered on GL.iNet devices before version 
4.5.0. They  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f1d1cfba7f0fbcce4bfcf3bd4c3db1b990c6ac5



[Git][security-tracker-team/security-tracker][master] new liblivemedia issue

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c5773fdb by Moritz Muehlenhoff at 2024-01-12T12:40:27+01:00
new liblivemedia issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -117,7 +117,8 @@ CVE-2023-40362 (An issue was discovered in CentralSquare 
Click2Gov Building Perm
 CVE-2023-40250 (Buffer Copy without Checking Size of Input ('Classic Buffer 
Overflow') ...)
NOT-FOR-US: Hancom
 CVE-2023-37117 (A heap-use-after-free vulnerability was found in live555 
version 2023. ...)
-   TODO: check
+   - liblivemedia 
+   NOTE: 
http://lists.live555.com/pipermail/live-devel/2023-June/022331.html
 CVE-2023-36842 (An Improper Check for Unusual or Exceptional Conditions 
vulnerability  ...)
NOT-FOR-US: Juniper
 CVE-2023-34061 (Cloud Foundry routing release versions from v0.163.0 to 
v0.283.0 are v ...)
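Review bot: CVE-2023-37117 gets `- liblivemedia` with an empty version field and a single NOTE pointing at a live-devel mailing-list post, but no per-suite lines, so as written every release counts as affected. Record which live555 release fixes the heap use-after-free (the description names the 2023 series, and upstream versions are dates rather than tagged commits, so the dated release is the only durable fix reference) and add `[bookworm]`/`[bullseye]` assessments in the same commit.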



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5773fdb66c233217dd25d8d296e2479ae70b64f



[Git][security-tracker-team/security-tracker][master] "new" linux issue

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e6911c5 by Moritz Muehlenhoff at 2024-01-12T11:29:55+01:00
new linux issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -85,7 +85,9 @@ CVE-2023-6740 (Privilege escalation in jar_signature agent 
plugin in Checkmk bef
 CVE-2023-6735 (Privilege escalation in mk_tsm agent plugin in Checkmk before 
2.2.0p17 ...)
- check-mk 
 CVE-2023-6040 (An out-of-bounds access vulnerability involving netfilter was 
reported ...)
-   TODO: check
+   - linux 5.18.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2024/01/12/1
+   NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1082dd31fe461d482d69da2a8eccfeb7bf07ac2
 CVE-2023-52339 (In libebml before 1.4.5, an integer overflow in 
MemIOCallback.cpp can  ...)
TODO: check
 CVE-2023-51350 (A spoofing attack in ujcms v.8.0.2 allows a remote attacker to 
obtain  ...)
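Review bot: CVE-2023-6040 is given the sid fixed version 5.18.2-1 and the netfilter commit, but no suite lines; bookworm (6.1 series) is covered by the version, while bullseye ships the 5.10 series and so needs an explicit verdict (either the fix was picked into a 5.10 stable update or the code is not present), otherwise the tracker keeps reporting it as open there. The oss-security post is the right primary reference; check commit f1082dd31fe4 against the 5.10 stable tree when deciding.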



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e6911c5692f5a8a2a296cb820643d405a161e35



[Git][security-tracker-team/security-tracker][master] NFUs

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b6c3b8ce by Moritz Muehlenhoff at 2024-01-12T11:07:04+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7,23 +7,23 @@ CVE-2023-5356
 CVE-2023-7028
- gitlab 
 CVE-2024-23179 (An issue was discovered in the GlobalBlocking extension in 
MediaWiki b ...)
-   TODO: check
+   NOT-FOR-US: MediaWiki extension GlobalBlocking
 CVE-2024-23178 (An issue was discovered in the Phonos extension in MediaWiki 
before 1. ...)
-   TODO: check
+   NOT-FOR-US: MediaWiki extension Phonos
 CVE-2024-23177 (An issue was discovered in the WatchAnalytics extension in 
MediaWiki b ...)
-   TODO: check
+   NOT-FOR-US: MediaWiki extension WatchAnalytics
 CVE-2024-23174 (An issue was discovered in the PageTriage extension in 
MediaWiki befor ...)
-   TODO: check
+   NOT-FOR-US: MediaWiki extension PageTriage
 CVE-2024-23173 (An issue was discovered in the Cargo extension in MediaWiki 
before 1.3 ...)
-   TODO: check
+   NOT-FOR-US: MediaWiki extension Cargo
 CVE-2024-23172 (An issue was discovered in the CheckUser extension in 
MediaWiki before ...)
-   TODO: check
+   NOT-FOR-US: MediaWiki extension CheckUser
 CVE-2024-23171 (An issue was discovered in the CampaignEvents extension in 
MediaWiki b ...)
-   TODO: check
+   NOT-FOR-US: MediaWiki extension CampaignEvents
 CVE-2024-22027 (Improper input validation vulnerability in WordPress Quiz 
Maker Plugin ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-21982 (ONTAP versions 9.4 and higher are susceptible to a 
vulnerability  whic ...)
-   TODO: check
+   NOT-FOR-US: ONTAP
 CVE-2024-21617 (An Incomplete Cleanup vulnerability in Nonstop active routing 
(NSR) co ...)
NOT-FOR-US: Juniper
 CVE-2024-21616 (An Improper Validation of Syntactic Correctness of Input 
vulnerability ...)
@@ -69,63 +69,63 @@ CVE-2024-21587 (An Improper Handling of Exceptional 
Conditions vulnerability in
 CVE-2024-21585 (An Improper Handling of Exceptional Conditions vulnerability 
in BGP se ...)
NOT-FOR-US: Juniper
 CVE-2024-21337 (Microsoft Edge (Chromium-based) Elevation of Privilege 
Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-20675 (Microsoft Edge (Chromium-based) Security Feature Bypass 
Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-0454 (ELAN Match-on-Chip FPR solution has design fault about 
potential risk  ...)
-   TODO: check
+   NOT-FOR-US: ELAN Match-on-Chip FPR
 CVE-2024-0426 (A vulnerability, which was classified as critical, has been 
found in F ...)
-   TODO: check
+   NOT-FOR-US: ForU CMS
 CVE-2024-0393
REJECTED
 CVE-2023-7226 (A vulnerability was found in meetyoucrop big-whale 1.1 and 
classified  ...)
-   TODO: check
+   NOT-FOR-US: meetyoucrop big-whale
 CVE-2023-6740 (Privilege escalation in jar_signature agent plugin in Checkmk 
before 2 ...)
-   TODO: check
+   - check-mk 
 CVE-2023-6735 (Privilege escalation in mk_tsm agent plugin in Checkmk before 
2.2.0p17 ...)
-   TODO: check
+   - check-mk 
 CVE-2023-6040 (An out-of-bounds access vulnerability involving netfilter was 
reported ...)
TODO: check
 CVE-2023-52339 (In libebml before 1.4.5, an integer overflow in 
MemIOCallback.cpp can  ...)
TODO: check
 CVE-2023-51350 (A spoofing attack in ujcms v.8.0.2 allows a remote attacker to 
obtain  ...)
-   TODO: check
+   NOT-FOR-US: ujcms
 CVE-2023-50920 (An issue was discovered on GL.iNet devices before version 
4.5.0. They  ...)
-   TODO: check
+   NOT-FOR-US: GL.iNet
 CVE-2023-50919 (An issue was discovered on GL.iNet devices before version 
4.5.0. There ...)
-   TODO: check
+   NOT-FOR-US: GL.iNet
 CVE-2023-50129 (Missing encryption in the NFC tags of the Flient Smart Door 
Lock v1.0  ...)
-   TODO: check
+   NOT-FOR-US: Flient Smart Door Lock
 CVE-2023-50128 (The remote keyless system of the Hozard alarm system 
(alarmsystemen) v ...)
-   TODO: check
+   NOT-FOR-US: Hozard alarm system
 CVE-2023-50127 (Hozard alarm system (Alarmsysteem) v1.0 is vulnerable to 
Improper Auth ...)
-   TODO: check
+   NOT-FOR-US: Hozard alarm system
 CVE-2023-50126 (Missing encryption in the RFID tags of the Hozard alarm system 
(Alarms ...)
-   TODO: check
+   NOT-FOR-US: Hozard alarm system
 CVE-2023-50125 (A default engineer password set on the Hozard alarm system 
(Alarmsyste ...)
-   TODO: check
+   NOT-FOR-US: Hozard alarm system
 CVE-2023-50124 (Flient Smart Door Lock v1.0 is vulnerable to Use of Default 
Credential ...)
-   TODO: check
+   NOT-FOR-US: Flient Smart Door Lock
 CVE-2023-50123 (The number of attempts to bring the Hozard Alarm system 
(alarmsystemen ...)
-   TODO: check
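
Review bot: the two Checkmk entries in this hunk (CVE-2023-6740 and CVE-2023-6735) go from TODO: check to a bare `- check-mk ` package line with no fixed version, no bug number and no NOTE: line pointing at the upstream advisory, so nothing in the entry records where the fix is expected to come from; adding the Checkmk advisory URL as a NOTE: (and a bug reference once filed) would let the fixed version be filled in and checked later.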

[Git][security-tracker-team/security-tracker][master] new gitlab issues

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3e7e48cf by Moritz Muehlenhoff at 2024-01-12T10:13:39+01:00
new gitlab issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,11 @@
+CVE-2023-6955
+   - gitlab 
+CVE-2023-4812
+   - gitlab 
+CVE-2023-5356
+   - gitlab 
+CVE-2023-7028
+   - gitlab 
 CVE-2024-23179 (An issue was discovered in the GlobalBlocking extension in 
MediaWiki b ...)
TODO: check
 CVE-2024-23178 (An issue was discovered in the Phonos extension in MediaWiki 
before 1. ...)
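
Review bot: the four gitlab entries added at the top of the hunk (CVE-2023-6955, CVE-2023-4812, CVE-2023-5356, CVE-2023-7028) consist of a bare `- gitlab ` line with no fixed version and no NOTE: referencing the GitLab release advisory; the description in parentheses will arrive with the automated import, but the advisory URL has to be added by hand, and without it the fixed versions cannot be verified when they are filled in.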
@@ -39712,6 +39720,7 @@ CVE-2023-2031 (The Locatoraid Store Locator plugin for 
WordPress is vulnerable t
NOT-FOR-US: WordPress plugin
 CVE-2023-2030
RESERVED
+   - gitlab 
 CVE-2023-2029 (The PrePost SEO WordPress plugin through 3.0 does not properly 
sanitiz ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-2028 (The Call Now Accessibility Button WordPress plugin before 1.1 
does not ...)
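
Review bot: the `- gitlab ` line added under CVE-2023-2030 sits beneath a RESERVED marker, so the entry now maps a CVE with no public description to a package without saying where that attribution comes from; a NOTE: naming the GitLab advisory that assigns this id would help whoever triages it next.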



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e7e48cfcf79bcca6e1d5714952e87bcb29e7857



[Git][security-tracker-team/security-tracker][master] NFUs

2024-01-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
51f368c9 by Moritz Muehlenhoff at 2024-01-12T09:47:35+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17,49 +17,49 @@ CVE-2024-22027 (Improper input validation vulnerability in 
WordPress Quiz Maker
 CVE-2024-21982 (ONTAP versions 9.4 and higher are susceptible to a 
vulnerability  whic ...)
TODO: check
 CVE-2024-21617 (An Incomplete Cleanup vulnerability in Nonstop active routing 
(NSR) co ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21616 (An Improper Validation of Syntactic Correctness of Input 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21614 (An Improper Check for Unusual or Exceptional Conditions 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21613 (A Missing Release of Memory after Effective Lifetime 
vulnerability in  ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21612 (An Improper Handling of Syntactically Invalid Structure 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21611 (A Missing Release of Memory after Effective Lifetime 
vulnerability in  ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21607 (An Unsupported Feature in the UI vulnerability in Juniper 
Networks Jun ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21606 (A Double Free vulnerability in the flow processing daemon 
(flowd) of J ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21604 (An Allocation of Resources Without Limits or Throttling 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21603 (An Improper Check for Unusual or Exceptional Conditions 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21602 (A NULL Pointer Dereference vulnerability in Juniper Networks 
Junos OS  ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21601 (A Concurrent Execution using Shared Resource with Improper 
Synchroniza ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21600 (An Improper Neutralization of Equivalent Special Elements 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21599 (A Missing Release of Memory after Effective Lifetime 
vulnerability in  ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21597 (An Exposure of Resource to Wrong Sphere vulnerability in the 
Packet Fo ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21596 (A Heap-based Buffer Overflow vulnerability in the Routing 
Protocol Dae ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21595 (An Improper Validation of Syntactic Correctness of Input 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21594 (A Heap-based Buffer Overflow vulnerability in the Network 
Services Dae ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21591 (An Out-of-bounds Write vulnerability in J-Web of Juniper 
Networks Juno ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21589 (An Improper Access Control vulnerability in the Juniper 
Networks Parag ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21587 (An Improper Handling of Exceptional Conditions vulnerability 
in the br ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21585 (An Improper Handling of Exceptional Conditions vulnerability 
in BGP se ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2024-21337 (Microsoft Edge (Chromium-based) Elevation of Privilege 
Vulnerability)
TODO: check
 CVE-2024-20675 (Microsoft Edge (Chromium-based) Security Feature Bypass 
Vulnerability)
@@ -109,7 +109,7 @@ CVE-2023-40250 (Buffer Copy without Checking Size of Input 
('Classic Buffer Over
 CVE-2023-37117 (A heap-use-after-free vulnerability was found in live555 
version 2023. ...)
TODO: check
 CVE-2023-36842 (An Improper Check for Unusual or Exceptional Conditions 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2023-34061 (Cloud Foundry routing release versions from v0.163.0 to 
v0.283.0 are v ...)
TODO: check
 CVE-2022-4961 (A vulnerability was found in Weitong Mall 1.0.0. It has been 
declared  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51f368c9565691af5e383bafa00abd23bd878bf7


[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-01-11 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c01a5721 by Moritz Muehlenhoff at 2024-01-11T13:50:22+01:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -255,6 +255,7 @@ CVE-2023-50172 (A recovery notification bypass 
vulnerability exists in the userR
NOT-FOR-US: WWBN AVideo
 CVE-2023-50120 (MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was 
discovered to ...)
- gpac 
+   [bullseye] - gpac  (Vulnerable code not present)
NOTE: https://github.com/gpac/gpac/issues/2698
NOTE: 
https://github.com/gpac/gpac/commit/b655955b840ccd7c7198bb15375aa510e76208eb
 CVE-2023-49864 (An information disclosure vulnerability exists in the 
aVideoEncoderRec ...)
@@ -758,6 +759,8 @@ CVE-2024-21650 (XWiki Platform is a generic wiki platform 
offering runtime servi
NOT-FOR-US: XWiki
 CVE-2024-21647 (Puma is a web server for Ruby/Rack applications built for 
parallelism. ...)
- puma  (bug #1060345)
+   [bookworm] - puma  (Minor issue)
+   [bullseye] - puma  (Minor issue)
NOTE: 
https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
NOTE: 
https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d 
(v5.6.8)
 CVE-2024-21645 (pyLoad is the free and open-source Download Manager written in 
pure Py ...)
@@ -1516,6 +1519,8 @@ CVE-2024-21907 (Newtonsoft.Json before version 13.0.1 is 
affected by a mishandli
NOT-FOR-US: Newtonsoft.Json
 CVE-2024-21633 (Apktool is a tool for reverse engineering Android APK files. 
In versio ...)
- apktool 2.7.0+dfsg-7 (bug #1060013)
+   [bookworm] - apktool  (Minor issue)
+   [bullseye] - apktool  (Minor issue)
NOTE: 
https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-2hqv-2xv4-5h5w
NOTE: 
https://github.com/iBotPeaches/Apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712
 CVE-2024-21631 (Vapor is an HTTP web framework for Swift. Prior to version 
4.90.0, Vap ...)
@@ -1524,9 +1529,10 @@ CVE-2024-21622 (Craft is a content management system. 
This is a potential modera
NOT-FOR-US: Craft CMS
 CVE-2024-0217 (A use-after-free flaw was found in PackageKitd. In some 
conditions, th ...)
- packagekit  (bug #1060016)
+   [bookworm] - packagekit  (Minor issue)
+   [bullseye] - packagekit  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256624
NOTE: Reducing impact via: 
https://github.com/PackageKit/PackageKit/commit/64278c9127e342b56ead99556161f7e86f79
 (v1.2.7)
-   TODO: check, RHBZ#2256624 claims fixed in upstream 1.2.7 but provides 
no references
 CVE-2024-0201 (The Product Expiry for WooCommerce plugin for WordPress is 
vulnerable  ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-7068 (The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and 
Shippi ...)
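
Review bot: the removed TODO ("RHBZ#2256624 claims fixed in upstream 1.2.7 but provides no references") was the only line recording that the upstream fix is unconfirmed, the remaining NOTE: still describes the v1.2.7 commit only as "Reducing impact via", and the unstable line `- packagekit  (bug #1060016)` carries no fixed version; either keep the TODO until the fixing commit is identified, or reword the NOTE: to state that 1.2.7 is taken as the fix so the "Minor issue" ratings rest on a stated reason.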
@@ -33240,6 +33246,8 @@ CVE-2023-34246 (Doorkeeper is an OAuth 2 provider for 
Ruby on Rails / Grape. Pri
{DLA-3494-1}
[experimental] - ruby-doorkeeper 5.6.6-1
- ruby-doorkeeper  (bug #1038950)
+   [bookworm] - ruby-doorkeeper  (Minor issue)
+   [bullseye] - ruby-doorkeeper  (Minor issue)
NOTE: 
https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w
NOTE: https://github.com/doorkeeper-gem/doorkeeper/issues/1589
NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/1646
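
Review bot: this entry already carries {DLA-3494-1}, so buster received a security update for the issue, while the new [bookworm] and [bullseye] lines rate it "Minor issue"; a short justification in the annotation (or a NOTE:) would keep the divergence between the suites from reading like an oversight.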



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c01a5721eb82c1ef27b35307726dcabf20720d5b



[Git][security-tracker-team/security-tracker][master] gtkwave bug

2024-01-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
371c63cc by Moritz Muehlenhoff at 2024-01-10T20:42:19+01:00
gtkwave bug

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -515,250 +515,250 @@ CVE-2023-47211 (A directory traversal vulnerability 
exists in the uploadMib func
 CVE-2023-41710 (User-defined script code could be stored for a upsell related 
shop URL ...)
NOT-FOR-US: Open-Xchange
 CVE-2023-39444 (Multiple out-of-bounds write vulnerabilities exist in the LXT2 
parsing ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1826
 CVE-2023-39443 (Multiple out-of-bounds write vulnerabilities exist in the LXT2 
parsing ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1826
 CVE-2023-39414 (Multiple integer underflow vulnerabilities exist in the LXT2 
lxt2_rd_i ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1824
 CVE-2023-39413 (Multiple integer underflow vulnerabilities exist in the LXT2 
lxt2_rd_i ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1824
 CVE-2023-39317 (Multiple integer overflow vulnerabilities exist in the LXT2 
num_dict_e ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1820
 CVE-2023-39316 (Multiple integer overflow vulnerabilities exist in the LXT2 
num_dict_e ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1820
 CVE-2023-39275 (Multiple integer overflow vulnerabilities exist in the LXT2 
facgeometr ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818
 CVE-2023-39274 (Multiple integer overflow vulnerabilities exist in the LXT2 
facgeometr ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818
 CVE-2023-39273 (Multiple integer overflow vulnerabilities exist in the LXT2 
facgeometr ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818
 CVE-2023-39272 (Multiple integer overflow vulnerabilities exist in the LXT2 
facgeometr ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818
 CVE-2023-39271 (Multiple integer overflow vulnerabilities exist in the LXT2 
facgeometr ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818
 CVE-2023-39270 (Multiple integer overflow vulnerabilities exist in the LXT2 
facgeometr ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818
 CVE-2023-39235 (Multiple out-of-bounds write vulnerabilities exist in the VZT 
vzt_rd_p ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1817
 CVE-2023-39234 (Multiple out-of-bounds write vulnerabilities exist in the VZT 
vzt_rd_p ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1817
 CVE-2023-38657 (An out-of-bounds write vulnerability exists in the LXT2 zlib 
block dec ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1823
 CVE-2023-38653 (Multiple integer overflow vulnerabilities exist in the VZT 
vzt_rd_bloc ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1815
 CVE-2023-38652 (Multiple integer overflow vulnerabilities exist in the VZT 
vzt_rd_bloc ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1815
 CVE-2023-38651 (Multiple integer overflow vulnerabilities exist in the VZT 
vzt_rd_bloc ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1814
 CVE-2023-38650 (Multiple integer overflow vulnerabilities exist in the VZT 
vzt_rd_bloc ...)
-   - gtkwave 
+   - gtkwave  (bug #1060407)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1814
 CVE-2023-38649 (Multiple out-of-bounds write vulnerabilities exist

[Git][security-tracker-team/security-tracker][master] NFUs

2024-01-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
28ec6493 by Moritz Muehlenhoff at 2024-01-10T17:25:46+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,7 @@
+CVE-2023-49619
+   NOT-FOR-US: Apache Answer
 CVE-2024-21643 (IdentityModel Extensions for .NET provide assemblies for web 
developer ...)
-   TODO: check
+   NOT-FOR-US: IdentityModel Extensions for .NET
 CVE-2024-0364 (A vulnerability, which was classified as critical, was found in 
PHPGur ...)
NOT-FOR-US: PHPGurukul Hospital Management System
 CVE-2024-0363 (A vulnerability, which was classified as critical, has been 
found in P ...)
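
Review bot: the new CVE-2023-49619 entry at the top of the hunk has no description at all, whereas a hand-added entry further down in this same commit uses a bracketed summary (CVE-2023-41056 [Buffer overflow in certain payloads may lead to remote code execution]); adding a bracketed description here would make the NOT-FOR-US: Apache Answer line self-explanatory until the automated import fills it in.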
@@ -111,7 +113,7 @@ CVE-2024-22165 (In Splunk Enterprise Security (ES) versions 
lower than 7.1.2, an
 CVE-2024-22164 (In Splunk Enterprise Security (ES) versions below 7.1.2, an 
attacker c ...)
NOT-FOR-US: Splunk Enterprise Security (ES)
 CVE-2024-21668 (react-native-mmkv is a library that allows easy use of MMKV 
inside Rea ...)
-   TODO: check
+   NOT-FOR-US: react-native-mmkv
 CVE-2024-21664 (jwx is a Go module implementing various JWx 
(JWA/JWE/JWK/JWS/JWT, othe ...)
TODO: check
 CVE-2024-21325 (Microsoft Printer Metadata Troubleshooter Tool Remote Code 
Execution V ...)
@@ -179,7 +181,7 @@ CVE-2024-20676 (Azure Storage Mover Remote Code Execution 
Vulnerability)
 CVE-2024-20674 (Windows Kerberos Security Feature Bypass Vulnerability)
NOT-FOR-US: Microsoft
 CVE-2024-20672 (.NET Core and Visual Studio Denial of Service Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft .NET
 CVE-2024-20666 (BitLocker Security Feature Bypass Vulnerability)
NOT-FOR-US: Microsoft
 CVE-2024-20664 (Microsoft Message Queuing Information Disclosure Vulnerability)
@@ -224,7 +226,7 @@ CVE-2024-0213 (A buffer overflow vulnerability in TA for 
Linux and TA for MacOS
 CVE-2024-0206 (A symbolic link manipulation vulnerability in Trellix 
Anti-Malware Eng ...)
NOT-FOR-US: Trellix
 CVE-2024-0057 (NET, .NET Framework, and Visual Studio Security Feature Bypass 
Vulnera ...)
-   TODO: check
+   NOT-FOR-US: Microsoft .NET
 CVE-2024-0056 (Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data 
Provider S ...)
NOT-FOR-US: Microsoft
 CVE-2023-7223 (A vulnerability classified as problematic has been found in 
Totolink T ...)
@@ -300,7 +302,7 @@ CVE-2023-44120 (A vulnerability has been identified in 
Spectrum Power 7 (All ver
 CVE-2023-42797 (A vulnerability has been identified in CP-8031 MASTER MODULE 
(All vers ...)
NOT-FOR-US: Siemens
 CVE-2022-48618 (The issue was addressed with improved checks. This issue is 
fixed in m ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-41056 [Buffer overflow in certain payloads may lead to remote code 
execution]
- redis 5:7.0.15-1 (bug #1060316)
[bullseye] - redis  (Vulnerable code not present)
@@ -329,7 +331,7 @@ CVE-2024-21651 (XWiki Platform is a generic wiki platform 
offering runtime servi
 CVE-2024-21648 (XWiki Platform is a generic wiki platform offering runtime 
services fo ...)
NOT-FOR-US: XWiki
 CVE-2024-21646 (Azure uAMQP is a general purpose C library for AMQP 1.0. The 
UAMQP lib ...)
-   TODO: check
+   NOT-FOR-US: Azure uAMQP
 CVE-2023-7220 (A vulnerability was found in Totolink NR1800X 
9.1.0u.6279_B20210910 an ...)
NOT-FOR-US: Totolink
 CVE-2023-7219 (A vulnerability has been found in Totolink N350RT 
9.3.5u.6139_B202012  ...)
@@ -463,7 +465,7 @@ CVE-2023-5911 (The WP Custom Cursors | WordPress Cursor 
Plugin WordPress plugin
 CVE-2023-5235 (The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does 
not li ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-5091 (Use After Free vulnerability in Arm Ltd Valhall GPU Kernel 
Driver allo ...)
-   TODO: check
+   NOT-FOR-US: Arm
 CVE-2023-52271 (The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud 
allows low-pr ...)
NOT-FOR-US: Topaz Antifraud
 CVE-2023-52225 (Deserialization of Untrusted Data vulnerability in Tagbox 
Tagbox \u201 ...)
@@ -499,13 +501,13 @@ CVE-2023-52200 (Cross-Site Request Forgery (CSRF), 
Deserialization of Untrusted
 CVE-2023-52190 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-51701 (fastify-reply-from is a Fastify plugin to forward the current 
HTTP req ...)
-   TODO: check
+   NOT-FOR-US: fastify-reply-from
 CVE-2023-51508 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-51246 (A Cross Site Scripting (XSS) vulnerability in GetSimple CMS 
3.3.16 exi ...)
NOT-FOR-US: GetSimple CMS
 CVE-2023-50982 (Stud.IP 5.x through 5.3.3 allows XSS with resultant upload of 
executab ...)
-   TODO: check

[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-01-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1163408e by Moritz Muehlenhoff at 2024-01-10T14:56:59+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -290,7 +290,10 @@ CVE-2022-48618 (The issue was addressed with improved 
checks. This issue is fixe
TODO: check
 CVE-2023-41056 [Buffer overflow in certain payloads may lead to remote code 
execution]
- redis 5:7.0.15-1 (bug #1060316)
-   NOTE: Introduced with changes from: 
https://github.com/redis/redis/pull/11766
+   [bullseye] - redis  (Vulnerable code not present)
+   [buster] - redis  (Vulnerable code not present)
+   NOTE: Introduced with changes from: 
https://github.com/redis/redis/pull/11766 (which landed
+   NOTE:   in 7.2, but which also got backported to the 7.0. branch)
NOTE: 
https://github.com/redis/redis/commit/e351099e1119fb89496be578f5232c61ce300224 
(7.0.15)
 CVE-2024-22125 (Under certain conditions the Microsoft Edge browser extension 
(SAP GUI ...)
NOT-FOR-US: SAP
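
Review bot: the expanded NOTE: says the change from redis PR 11766 "landed in 7.2, but which also got backported to the 7.0. branch" (note the stray trailing dot in "7.0."), and the fix commit is tagged 7.0.15, yet the new [bullseye] and [buster] lines claim "Vulnerable code not present" without naming the redis versions those suites ship or the first 7.0.x release that received the backport; stating those versions in the annotation or NOTE: would make the claim verifiable rather than implicit.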


=
data/dsa-needed.txt
=
@@ -24,6 +24,8 @@ frr
 --
 gpac/oldstable
 --
+gtkwave
+--
 h2o (jmm)
 --
 libreswan (jmm)
@@ -36,8 +38,11 @@ linux (carnil)
 nbconvert/oldstable
   Guilhem Moulin proposed an update ready for review
 --
-php*seclib* (seb)
-  Maintainer prepared updates
+php-phpseclib (seb)
+--
+phpseclib (seb)
+--
+php-phpseclib3/stable (seb)
 --
 php-cas/oldstable
 --
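
Review bot: splitting `php*seclib* (seb)` into php-phpseclib, phpseclib and php-phpseclib3/stable drops the status line "Maintainer prepared updates"; if that status still holds for any of the three packages, carry it over under the matching entry so the progress note is not lost in the split.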



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1163408e442801bcc293d0c93deb936912a1f9f1



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-01-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b49ba638 by Moritz Muehlenhoff at 2024-01-09T10:08:37+01:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -688,6 +688,8 @@ CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image 
Slider, Video Slider
NOT-FOR-US: WordPress plugin
 CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow 
side-channel leakag ...)
- pycryptodome  (bug #1060059)
+   [bookworm] - pycryptodome  (Minor issue)
+   [bullseye] - pycryptodome  (Minor issue)
NOTE: 
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd
 (v3.19.1)
 CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job 
Portal WP Jo ...)
NOT-FOR-US: WordPress plugin
@@ -3528,13 +3530,8 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
[bookworm] - paramiko  (Minor issue)
[bullseye] - paramiko  (Minor issue)
- phpseclib 1.0.22-1
-   [bookworm] - phpseclib  (Minor issue)
-   [bullseye] - phpseclib  (Minor issue)
- php-phpseclib 2.0.46-1
-   [bookworm] - php-phpseclib  (Minor issue)
-   [bullseye] - php-phpseclib  (Minor issue)
- php-phpseclib3 3.0.35-1
-   [bookworm] - php-phpseclib3  (Minor issue)
- proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144)
[bookworm] - proftpd-dfsg  (Minor issue)
[bullseye] - proftpd-dfsg  (Minor issue)
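
Review bot: this hunk deletes the phpseclib 1.0.22-1, php-phpseclib 2.0.46-1 and php-phpseclib3 3.0.35-1 lines, together with their bookworm/bullseye "Minor issue" annotations, from CVE-2023-48795 outright instead of updating them, and the commit message ("bookworm/bullseye triage") does not say where that tracking went; if the mappings were moved to a different entry, a NOTE: under CVE-2023-48795 pointing to it would keep the fixed versions traceable.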
@@ -14649,6 +14646,8 @@ CVE-2023-5575 (Improper access control in the 
permission inheritance in Devoluti
 CVE-2023-5561 (WordPress does not properly restrict which user fields are 
searchable  ...)
{DLA-3658-1}
- wordpress 6.3.2+dfsg1-1
+   [bookworm] - wordpress  (Minor issue)
+   [bullseye] - wordpress  (Minor issue)
NOTE: 
https://wordpress.org/documentation/wordpress-version/version-6-3-2/
NOTE: https://core.trac.wordpress.org/changeset/56840/
 CVE-2023-5422 (The functions to fetch e-mail via POP3 or IMAP as well as 
sending e-ma ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b49ba638bb8cf6726e4caa4b68beddabc056eb86



[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

2024-01-08 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b97b1d8b by Moritz Muehlenhoff at 2024-01-08T20:35:53+01:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -3062,6 +3062,8 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
[bullseye] - filezilla  (Minor issue)
[buster] - filezilla  (Minor issue)
- golang-go.crypto 1:0.17.0-1 (bug #1059003)
+   [bookworm] - golang-go.crypto  (Minor issue)
+   [bullseye] - golang-go.crypto  (Minor issue)
- jsch  (ChaCha20-Poly1305 support introduced in 0.1.61; 
*-EtM support introduced in 0.1.58)
- libssh 0.10.6-1 (bug #1059004)
- libssh2 1.11.0-4 (bug #1059005)
@@ -3091,6 +3093,8 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
- python-asyncssh  (bug #1059007)
- tinyssh 20230101-4 (bug #1059058; unimportant)
- trilead-ssh2  (bug #1059294)
+   [bookworm] - trilead-ssh2  (Minor issue)
+   [bullseye] - trilead-ssh2  (Minor issue)
NOTE: https://terrapin-attack.com/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
NOTE: dropbear: 
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
@@ -4451,6 +4455,8 @@ CVE-2023-42495 (Dasan Networks - W-Web versions 1.22-1.27 
- CWE-78: Improper Neu
 CVE-2023-34194 (StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in 
TinyXML ...)
{DLA-3701-1}
- tinyxml 2.6.2-6.1 (bug #1059315)
+   [bookworm] - tinyxml  (Minor issue)
+   [bullseye] - tinyxml  (Minor issue)
NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities
NOTE: Debian (non upstream) patch: 
https://salsa.debian.org/debian/tinyxml/-/raw/2366e1f23d059d4c20c43c54176b6bd78d6a83fc/debian/patches/CVE-2023-34194.patch
 CVE-2023-6707 (Use after free in CSS in Google Chrome prior to 120.0.6099.109 
allowed ...)
@@ -7057,6 +7063,8 @@ CVE-2023-47418 (Remote Code Execution (RCE) vulnerability 
in o2oa version 8.1.2
NOT-FOR-US: p2pa
 CVE-2023-40458 (Loop with Unreachable Exit Condition ('Infinite Loop') 
vulnerability i ...)
- tinyxml  (bug #1059315)
+   [bookworm] - tinyxml  (Minor issue)
+   [bullseye] - tinyxml  (Minor issue)
NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities
 CVE-2023-3741 (An OS Command injection vulnerability in NEC Platforms DT900 
and DT900 ...)
NOT-FOR-US: NEC
@@ -15628,6 +15636,8 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of 
service (server resource
- tomcat10 10.1.14-1
- trafficserver 9.2.3+ds-1 (bug #1053801; bug #1054427)
- grpc 
+   [bookworm] - grpc  (Minor issue)
+   [bullseye] - grpc  (Minor issue)
- h2o 2.2.5+dfsg2-8 (bug #1054232)
- haproxy 1.8.13-1
- nginx 1.24.0-2 (unimportant; bug #1053770)
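
Review bot: `- grpc ` is the only package line in this hunk with neither a fixed version nor a bug number (trafficserver, h2o, haproxy and nginx each carry at least one), yet the new [bookworm] and [bullseye] "Minor issue" lines now settle the stable suites while the unstable side stays untracked; recording a bug reference for unstable, as the neighbouring entries do, would close that gap.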


=
data/dsa-needed.txt
=
@@ -39,6 +39,8 @@ php*seclib* (seb)
 --
 php-cas/oldstable
 --
+php-dompdf-svg-lib/stable
+--
 php-horde-mime-viewer/oldstable
 --
 php-horde-turba/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b97b1d8b86be85dbfe389ffe87b5dbe6f74a27c7



[Git][security-tracker-team/security-tracker][master] condor fixed in sid

2024-01-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1be025b1 by Moritz Muehlenhoff at 2024-01-05T14:31:09+01:00
condor fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -131238,7 +131238,7 @@ CVE-2022-26111 (The BeanShell components of IRISNext 
through 9.8.28 allow execut
NOT-FOR-US: IRISNext
 CVE-2022-26110 (An issue was discovered in HTCondor 8.8.x before 8.8.16, 9.0.x 
before  ...)
{DSA-5144-1 DLA-2984-1}
-   - condor  (bug #1008634)
+   - condor 23.2.0+dfsg-1 (bug #1008634)
NOTE: https://htcondor.org/security/vulnerabilities/HTCONDOR-2022-0003
NOTE: 
https://github.com/htcondor/htcondor/commit/1cae7601d796725e7f5dd73fedf37f6fbbe379ca
 (V8_8_16)
NOTE: 
https://github.com/htcondor/htcondor/commit/8568e8ba65c9490f30a1089b6d4f8910e4bfbd6b
 (V8_8_16)
@@ -147986,7 +147986,7 @@ CVE-2021-45102 (An issue was discovered in HTCondor 
9.0.x before 9.0.4 and 9.1.x
- condor  (Only affects 9.0.0 and above)
NOTE: 
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0004/
 CVE-2021-45101 (An issue was discovered in HTCondor before 8.8.15, 9.0.x 
before 9.0.4, ...)
-   - condor  (bug #1002540)
+   - condor 23.2.0+dfsg-1 (bug #1002540)
[buster] - condor  (Patch is too intrusive to backport)
[stretch] - condor  (Patch is too destructive to backport it; 
Patch does not apply cleanly. Too many calls in patch, not existed in this 
version of the software)
NOTE: 
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0003/
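Review bot: CVE-2021-45101 gets the fixed version 23.2.0+dfsg-1 here, but the neighbouring CVE-2021-45102 line in the context, `- condor  (Only affects 9.0.0 and above)`, is left without one. If 23.2.0+dfsg-1 also carries the 9.0.4 fix, that line should get the same version; if it is not needed, a NOTE saying why 45102 is not marked fixed would keep the two HTCondor entries consistent.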
@@ -297816,7 +297816,7 @@ CVE-2019-18824 (Barco ClickShare Button R9861500D01 
devices before 1.10.0.13 hav
NOT-FOR-US: Barco ClickShare Button R9861500D01 devices
 CVE-2019-18823 (HTCondor up to and including stable series 8.8.6 and 
development serie ...)
{DSA-5144-1 DLA-2724-1}
-   - condor  (bug #963777)
+   - condor 23.2.0+dfsg-1 (bug #963777)
NOTE: 
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0003.html
NOTE: 
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html
NOTE: 
https://github.com/htcondor/htcondor/commit/95eaee86e7ad3852c17df46a1b8b193dabd1fd14



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1be025b1121790cac7f68d01a3e21ae083b618f3



[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

2024-01-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
baf17973 by Moritz Muehlenhoff at 2024-01-05T12:18:25+01:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1156,6 +1156,8 @@ CVE-2023-51075 (hutool-core v5.8.23 was discovered to 
contain an infinite loop i
NOT-FOR-US: Hutool
 CVE-2023-51074 (json-path v2.8.0 was discovered to contain a stack overflow 
via the Cr ...)
- jayway-jsonpath 
+   [bookworm] - jayway-jsonpath  (Minor issue)
+   [bullseye] - jayway-jsonpath  (Minor issue)
NOTE: https://github.com/json-path/JsonPath/issues/973
 CVE-2023-51010 (An issue in the export component AdSdkH5Activity of 
com.sdjictec.qdmet ...)
NOT-FOR-US: com.sdjictec.qdmetro
@@ -2854,8 +2856,13 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
[bookworm] - paramiko  (Minor issue)
[bullseye] - paramiko  (Minor issue)
- phpseclib 1.0.22-1
+   [bookworm] - phpseclib  (Minor issue)
+   [bullseye] - phpseclib  (Minor issue)
- php-phpseclib 2.0.46-1
+   [bookworm] - php-phpseclib  (Minor issue)
+   [bullseye] - php-phpseclib  (Minor issue)
- php-phpseclib3 3.0.35-1
+   [bookworm] - php-phpseclib3  (Minor issue)
- proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144)
[bookworm] - proftpd-dfsg  (Minor issue)
[bullseye] - proftpd-dfsg  (Minor issue)
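Review bot: php-phpseclib3 receives a [bookworm] no-dsa line only, whereas phpseclib and php-phpseclib just above get both [bookworm] and [bullseye]. If php-phpseclib3 is not shipped in bullseye this is correct, but the asymmetry reads like a forgotten line; either add the [bullseye] entry or leave a NOTE that the package exists from bookworm onwards.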
@@ -2934,12 +2941,18 @@ CVE-2023-6483 (The vulnerability exists in ADiTaaS 
(Allied Digital Integrated To
NOT-FOR-US: ADiTaaS (Allied Digital Integrated Tool-as-a-Service)
 CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 
allows atta ...)
- libcrypto++  (bug #1059312)
+   [bookworm] - libcrypto++  (Minor issue)
+   [bullseye] - libcrypto++  (Minor issue)
NOTE: https://github.com/weidai11/cryptopp/issues/1249
 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows 
attackers to  ...)
- libcrypto++  (bug #1059311)
+   [bookworm] - libcrypto++  (Minor issue)
+   [bullseye] - libcrypto++  (Minor issue)
NOTE: https://github.com/weidai11/cryptopp/issues/1248
 CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side 
channel during ...)
- libcrypto++  (bug #1059310)
+   [bookworm] - libcrypto++  (Minor issue)
+   [bullseye] - libcrypto++  (Minor issue)
NOTE: https://github.com/weidai11/cryptopp/issues/1247
 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing 
authoriz ...)
NOT-FOR-US: Redpanda
@@ -3989,6 +4002,8 @@ CVE-2023-50782 [Bleichenbacher timing oracle attack 
against RSA decryption - inc
NOTE: CVE is for incomplete fix of CVE-2020-25659
 CVE-2023-50781 [Bleichenbacher timing attacks in the RSA decryption API - 
incomplete fix for CVE-2020-25657]
- m2crypto  (bug #1059292)
+   [bookworm] - m2crypto  (Minor issue)
+   [bullseye] - m2crypto  (Minor issue)
[buster] - m2crypto  (Minor issue; it's an incomplete fix of 
CVE-2020-25657)
NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/342
NOTE: https://people.redhat.com/~hkario/marvin/
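Review bot: the new [bookworm] and [bullseye] lines for m2crypto say only "(Minor issue)", while the existing [buster] line right below them carries the actual reasoning ("it's an incomplete fix of CVE-2020-25657"). Reusing that rationale on the new lines costs nothing and saves the next person re-deriving why a Bleichenbacher/Marvin oracle in RSA decryption is being left unfixed in the supported suites.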
@@ -13161,6 +13176,8 @@ CVE-2023-45805 (pdm is a Python package and dependency 
manager supporting the la
NOTE: 
https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831
 CVE-2023-44483 (All versions of Apache Santuario - XML Security for Java prior 
to 2.2. ...)
- libxml-security-java  (bug #1059313)
+   [bookworm] - libxml-security-java  (Minor issue)
+   [bullseye] - libxml-security-java  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/10/20/5
NOTE: https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55
NOTE: https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc
@@ -18706,6 +18723,8 @@ CVE-2023-37611 (Cross Site Scripting (XSS) 
vulnerability in Neos CMS 8.3.3 allow
NOT-FOR-US: Neos CMS
 CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When 
creating a n ...)
- ansible  (bug #1055300)
+   [bookworm] - ansible  (Minor issue)
+   [bullseye] - ansible  (Minor issue)
[buster] - ansible  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229979
NOTE: https://github.com/advisories/GHSA-ww3m-ffrm-qvqv


=
data/dsa-needed.txt
=
@@ -48,6 +48,8 @@ python3.11/stable (carnil)
 --
 python3.9/oldstable
 --
+python-asyncssh
+--
 redmine/stable
 --
 ring
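Review bot: `python-asyncssh` is added without the `/stable` or `/oldstable` suffix that the neighbouring python3.11/stable, python3.9/oldstable and redmine/stable entries use to say which suite needs the DSA. If both suites are meant, that is fine (the existing `ring` entry uses the same bare form); otherwise the suffix should say which one.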



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baf179734b0fede4b1a1c6cf53b59b1721456257


[Git][security-tracker-team/security-tracker][master] chromium fixed in sid

2024-01-04 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d468829 by Moritz Muehlenhoff at 2024-01-04T13:00:43+01:00
chromium fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -43,16 +43,16 @@ CVE-2023-49442 (Deserialization of Untrusted Data in 
jeecgFormDemoController in
 CVE-2023-41784 (Permissions and Access Control Vulnerability in ZTE Red Magic 
8 Pro)
NOT-FOR-US: ZTE
 CVE-2024-0225 (Use after free in WebGPU in Google Chrome prior to 
120.0.6099.199 allo ...)
-   - chromium 
+   - chromium 120.0.6099.199-1
[buster] - chromium  (see DSA 5046)
 CVE-2024-0224 (Use after free in WebAudio in Google Chrome prior to 
120.0.6099.199 al ...)
-   - chromium 
+   - chromium 120.0.6099.199-1
[buster] - chromium  (see DSA 5046)
 CVE-2024-0223 (Heap buffer overflow in ANGLE in Google Chrome prior to 
120.0.6099.199 ...)
-   - chromium 
+   - chromium 120.0.6099.199-1
[buster] - chromium  (see DSA 5046)
 CVE-2024-0222 (Use after free in ANGLE in Google Chrome prior to 
120.0.6099.199 allow ...)
-   - chromium 
+   - chromium 120.0.6099.199-1
[buster] - chromium  (see DSA 5046)
 CVE-2024-21911 (TinyMCE versions before 5.6.0 are affected by a stored 
cross-site scri ...)
- tinymce 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d468829deb5605bf889151a87fc3e9297893d93



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-01-04 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
99f1bf0a by Moritz Muehlenhoff at 2024-01-04T12:39:24+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -133,6 +133,7 @@ CVE-2023-50090 (Arbitrary File Write vulnerability in the 
saveReportFile method
NOT-FOR-US: ureport
 CVE-2023-46929 (An issue discovered in GPAC 2.3-DEV-rev605-gfc9e29089-master 
in MP4Box ...)
- gpac 
+   [bullseye] - gpac  (Vulnerable code not present)
NOTE: https://github.com/gpac/gpac/issues/2662
NOTE: 
https://github.com/gpac/gpac/commit/4248def5d24325aeb0e35cacde3d56c9411816a6
 CVE-2023-46742 (CubeFS is an open-source cloud-native file storage system. 
CubeFS prio ...)
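Review bot: only [bullseye] is marked "Vulnerable code not present" for CVE-2023-46929 although the commit is a bookworm/bullseye triage, so the bookworm state of gpac is left open by this hunk. If bookworm's gpac contains the code touched by the referenced commit 4248def, it needs its own [bookworm] line (no-dsa or otherwise); if it does not, add the same annotation so the entry does not look half-triaged.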
@@ -179,22 +180,34 @@ CVE-2024-21623 (OTCLient is an alternative tibia client 
for otserv. Prior to com
NOT-FOR-US: OTCLient
 CVE-2024-0211 (DOCSIS dissector crash in Wireshark 4.2.0 allows denial of 
service via ...)
- wireshark  (bug #1059925)
+   [bookworm] - wireshark  (Minor issue)
+   [bullseye] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-05.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19557
 CVE-2024-0210 (Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of 
service ...)
- wireshark  (bug #1059925)
+   [bookworm] - wireshark  (Minor issue)
+   [bullseye] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-04.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19504
 CVE-2024-0209 (IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 
4.0.11, and 3 ...)
- wireshark  (bug #1059925)
+   [bookworm] - wireshark  (Minor issue)
+   [bullseye] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-02.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19501
+   NOTE: The bug references two crashes, this is for the one labelled "BUG 
log 2",
+   NOTE: the more severe "Bug log 1" only affected unreleased versions
 CVE-2024-0208 (GVCP dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 
3.6.0 to ...)
- wireshark  (bug #1059925)
+   [bookworm] - wireshark  (Minor issue)
+   [bullseye] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-01.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19496
 CVE-2024-0207 (HTTP3 dissector crash in Wireshark 4.2.0 allows denial of 
service via  ...)
- wireshark  (bug #1059925)
+   [bookworm] - wireshark  (Minor issue)
+   [bullseye] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-03.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19502
 CVE-2024-0196 (A vulnerability has been found in Magic-Api up to 2.0.1 and 
classified ...)
@@ -246,19 +259,24 @@ CVE-2023-50019 (An issue was discovered in open5gs 
v2.6.6. InitialUEMessage, Reg
 CVE-2023-4164 (There is a possible informationdisclosure due to a missing 
permission  ...)
NOT-FOR-US: Google Pixel Watch
 CVE-2023-49558 (An issue in YASM 1.3.0.86.g9def allows a remote attacker to 
cause a de ...)
-   - yasm 
+   - yasm  (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://github.com/yasm/yasm/issues/252
 CVE-2023-49557 (An issue in YASM 1.3.0.86.g9def allows a remote attacker to 
cause a de ...)
-   - yasm 
+   - yasm  (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://github.com/yasm/yasm/issues/253
 CVE-2023-49556 (Buffer Overflow vulnerability in YASM 1.3.0.86.g9def allows a 
remote a ...)
-   - yasm 
+   - yasm  (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://github.com/yasm/yasm/issues/250
 CVE-2023-49555 (An issue in YASM 1.3.0.86.g9def allows a remote attacker to 
cause a de ...)
-   - yasm 
+   - yasm  (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://github.com/yasm/yasm/issues/248
 CVE-2023-49554 (Use After Free vulnerability in YASM 1.3.0.86.g9def allows a 
remote at ...)
-   - yasm 
+   - yasm  (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://github.com/yasm/yasm/issues/249
 CVE-2023-49553 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
NOT-FOR-US: Cesenta MJS
@@ -1246,6 +1264,8 @@ CVE-2023-51363 (VR-S1000 firmware Ver. 2.37 and earlier 
allows a network-adjacen
NOT-FOR-US: VR-S1000 firmware
 CVE-2023-50658 (The jose2go component before 1.6.0 for Go allows attackers to 
cause a  ...)
- golang-github-dvsekhvalnov-jose2go  (bug #105950

[Git][security-tracker-team/security-tracker][master] cvelist.el: New defun to mark a CVE as a non issue

2024-01-04 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
862f0bd0 by Moritz Muehlenhoff at 2024-01-04T10:23:09+01:00
cvelist.el: New defun to mark a CVE as a non issue

- - - - -


1 changed file:

- conf/cvelist.el


Changes:

=
conf/cvelist.el
=
@@ -17,6 +17,7 @@
 
 (setq last-nfu "")
 (setq bugnum "")
+(setq non_issue_reason "Crash in CLI tool, no security impact")
 (setq newsrcpkg "")
 (setq default_distro "bullseye")
 
@@ -41,6 +42,14 @@
   (end-of-line)
   (insert " (bug #" bugnum ")" ))
 
+(defun debian-cvelist-mark-non-issue ()
+  "Mark an entry as a non issue."
+  (setq bugnum (read-string "Why is this a non-issue?: " non_issue_reason))
+  (interactive)
+  (end-of-line)
+  (insert " (unimportant)" )
+  (insert "\n\tNOTE: " non_issue_reason ))
+
 ; TODO: Read supported distros from central config and prompt for applicable 
suites
 (defun debian-cvelist-insert-nodsa ()
   "Insert no-dsa comment based on the current source entry."
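Review bot: `debian-cvelist-mark-non-issue` puts `(setq bugnum (read-string ...))` before `(interactive)`. Emacs only recognises `(interactive)` as the interactive spec when it is the first form after the docstring, so as written the function is not a command, the C-c C-u binding added below will refuse to call it, and the read-string runs as a plain body form. Move `(interactive)` directly under the docstring. Separately, the reason typed at the prompt is stored in `bugnum`, but the inserted NOTE uses `non_issue_reason`, so a customised answer is discarded and the variable that holds the bug number for `debian-cvelist-insert-bug` is clobbered; keep the prompt result in its own variable (or assign it back to `non_issue_reason`) and insert that.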
@@ -100,6 +109,7 @@
  (define-key map (kbd "C-c C-x") 'debian-cvelist-insert-not-affected)
  (define-key map (kbd "C-c C-p") 'debian-cvelist-insert-postponed)
  (define-key map (kbd "C-c C-b") 'debian-cvelist-insert-bug)
+ (define-key map (kbd "C-c C-u") 'debian-cvelist-mark-non-issue)
  (define-key map (kbd "C-c C-p") 'debian-cvelist-ptslookup)
  map)
"Keymap for `debian-cvelist-mode'.")
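Review bot: the new C-c C-u binding is fine, but the surrounding context shows C-c C-p bound twice in the same keymap (`debian-cvelist-insert-postponed` and, two lines later, `debian-cvelist-ptslookup`); the later define-key wins, so the postponed command is unreachable from the keymap. Worth fixing while this map is being touched, e.g. by giving ptslookup a free key.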



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/862f0bd0052b3a4a99f64350711254dc85746638



[Git][security-tracker-team/security-tracker][master] NFUs

2024-01-04 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bafdec8e by Moritz Muehlenhoff at 2024-01-04T09:21:01+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,47 +1,47 @@
 CVE-2024-21634 (Amazon Ion is a Java implementation of the Ion data notation. 
Prior to ...)
-   TODO: check
+   NOT-FOR-US: Amazon Ion
 CVE-2024-20809 (Improper access control vulnerability in Nearby device 
scanning prior  ...)
-   TODO: check
+   NOT-FOR-US: Samsung
 CVE-2024-20808 (Improper access control vulnerability in Nearby device 
scanning prior  ...)
-   TODO: check
+   NOT-FOR-US: Samsung
 CVE-2024-20807 (Implicit intent hijacking vulnerability in Samsung Email prior 
to vers ...)
-   TODO: check
+   NOT-FOR-US: Samsung
 CVE-2024-20806 (Improper access control in Notification service prior to SMR 
Jan-2024  ...)
-   TODO: check
+   NOT-FOR-US: Samsung
 CVE-2024-20805 (Path traversal vulnerability in ZipCompressor of MyFiles prior 
to SMR  ...)
-   TODO: check
+   NOT-FOR-US: Samsung
 CVE-2024-20804 (Path traversal vulnerability in FileUriConverter of MyFiles 
prior to S ...)
-   TODO: check
+   NOT-FOR-US: Samsung
 CVE-2024-20803 (Improper authentication vulnerability in Bluetooth pairing 
process pri ...)
-   TODO: check
+   NOT-FOR-US: Samsung
 CVE-2024-20802 (Improper access control vulnerability in Samsung DeX prior to 
SMR Jan- ...)
-   TODO: check
+   NOT-FOR-US: Samsung
 CVE-2023-6738 (The Page Builder: Pagelayer \u2013 Drag and Drop website 
builder plugi ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6733 (The WP-Members Membership Plugin plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6540 (A vulnerability was reported in the Lenovo Browser Mobile and 
Lenovo B ...)
-   TODO: check
+   NOT-FOR-US: Lenovo
 CVE-2023-6498 (The Complianz \u2013 GDPR/CCPA Cookie Consent plugin for 
WordPress is  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6338 (Uncontrolled search path vulnerabilities were reported in the 
Lenovo U ...)
-   TODO: check
+   NOT-FOR-US: Lenovo
 CVE-2023-5138 (Glitch detection is not enabled by default for the CortexM33 
core in S ...)
-   TODO: check
+   NOT-FOR-US: Silabs
 CVE-2023-52141
REJECTED
 CVE-2023-52140
REJECTED
 CVE-2023-50630 (Cross Site Scripting (XSS) vulnerability in xiweicheng TMS 
v.2.28.0 al ...)
-   TODO: check
+   NOT-FOR-US: xiweicheng TMS
 CVE-2023-50256 (Froxlor is open source server administration software. Prior 
to versio ...)
-   TODO: check
+   - froxlor  (bug #581792)
 CVE-2023-50082 (Aoyun Technology pbootcms V3.1.2 is vulnerable to Incorrect 
Access Con ...)
-   TODO: check
+   NOT-FOR-US: pbootcms
 CVE-2023-49442 (Deserialization of Untrusted Data in jeecgFormDemoController 
in JEECG  ...)
-   TODO: check
+   NOT-FOR-US: JEECG
 CVE-2023-41784 (Permissions and Access Control Vulnerability in ZTE Red Magic 
8 Pro)
-   TODO: check
+   NOT-FOR-US: ZTE
 CVE-2024-0225 (Use after free in WebGPU in Google Chrome prior to 
120.0.6099.199 allo ...)
- chromium 
[buster] - chromium  (see DSA 5046)
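Review bot: the froxlor line `- froxlor  (bug #581792)` cites a bug number far below the #1059xxx range used by every other bug reference in these commits, and has no fixed version or NOTE. If #581792 is an old ITP/RFP rather than a security bug (i.e. froxlor is not actually in the archive), say so in a NOTE, since the `- froxlor ` form otherwise reads as an unfixed package in sid that was just triaged out of TODO.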



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bafdec8edeaae199a9974e5d7e786b41923028f3



[Git][security-tracker-team/security-tracker][master] NFUs

2024-01-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f1734f7c by Moritz Muehlenhoff at 2024-01-03T16:32:27+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,13 +1,17 @@
+CVE-2023-51785
+   NOT-FOR-US: Apache InLong
+CVE-2023-51784
+   NOT-FOR-US: Apache InLong
 CVE-2024-21632 (omniauth-microsoft_graph provides an Omniauth strategy for the 
Microso ...)
-   TODO: check
+   NOT-FOR-US: omniauth-microsoft_graph
 CVE-2024-21629 (Rust EVM is an Ethereum Virtual Machine interpreter. In 
`rust-evm`, a  ...)
-   TODO: check
+   NOT-FOR-US: Rust EVM
 CVE-2024-21628 (PrestaShop is an open-source e-commerce platform. Prior to 
version 8.1 ...)
NOT-FOR-US: PrestaShop
 CVE-2024-21627 (PrestaShop is an open-source e-commerce platform. Prior to 
versions 8. ...)
NOT-FOR-US: PrestaShop
 CVE-2024-21623 (OTCLient is an alternative tibia client for otserv. Prior to 
commit db ...)
-   TODO: check
+   NOT-FOR-US: OTCLient
 CVE-2024-0211 (DOCSIS dissector crash in Wireshark 4.2.0 allows denial of 
service via ...)
- wireshark 
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-05.html
@@ -29,9 +33,9 @@ CVE-2024-0207 (HTTP3 dissector crash in Wireshark 4.2.0 
allows denial of service
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-03.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19502
 CVE-2024-0196 (A vulnerability has been found in Magic-Api up to 2.0.1 and 
classified ...)
-   TODO: check
+   NOT-FOR-US: Magic-Api
 CVE-2024-0195 (A vulnerability, which was classified as critical, was found in 
spider ...)
-   TODO: check
+   NOT-FOR-US: spider-flow
 CVE-2024-0194 (A vulnerability, which was classified as critical, has been 
found in C ...)
NOT-FOR-US: CodeAstro Internet Banking System
 CVE-2023-7027 (The POST SMTP Mailer \u2013 Email log, Delivery Failure 
Notifications  ...)
@@ -75,7 +79,7 @@ CVE-2023-50020 (An issue was discovered in open5gs v2.6.6. 
SIGPIPE can be used t
 CVE-2023-50019 (An issue was discovered in open5gs v2.6.6. InitialUEMessage, 
Registrat ...)
NOT-FOR-US: Open5GS
 CVE-2023-4164 (There is a possible informationdisclosure due to a missing 
permission  ...)
-   TODO: check
+   NOT-FOR-US: Google Pixel Watch
 CVE-2023-49558 (An issue in YASM 1.3.0.86.g9def allows a remote attacker to 
cause a de ...)
- yasm 
NOTE: https://github.com/yasm/yasm/issues/252
@@ -92,15 +96,15 @@ CVE-2023-49554 (Use After Free vulnerability in YASM 
1.3.0.86.g9def allows a rem
- yasm 
NOTE: https://github.com/yasm/yasm/issues/249
 CVE-2023-49553 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
-   TODO: check
+   NOT-FOR-US: Cesenta MJS
 CVE-2023-49552 (An Out of Bounds Write in Cesanta mjs 2.20.0 allows a remote 
attacker  ...)
-   TODO: check
+   NOT-FOR-US: Cesenta MJS
 CVE-2023-49551 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
-   TODO: check
+   NOT-FOR-US: Cesenta MJS
 CVE-2023-49550 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
-   TODO: check
+   NOT-FOR-US: Cesenta MJS
 CVE-2023-49549 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
-   TODO: check
+   NOT-FOR-US: Cesenta MJS
 CVE-2023-48418 (In checkDebuggingDisallowed of DeviceVersionFragment.java, 
there is a  ...)
TODO: check
 CVE-2023-47473 (Directory Traversal vulnerability in fuwushe.org iFair 
versions 23.8_a ...)
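Review bot: the five new `NOT-FOR-US: Cesenta MJS` lines misspell the vendor; the CVE descriptions in the same hunk call it `Cesanta mjs`. NOT-FOR-US strings are what gets grepped when the next batch of CVEs for the same product is triaged, so a consistent spelling matters more here than a cosmetic typo would elsewhere.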



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1734f7c81fe0e5ea8d7bc46e52618c8cd8aee25



[Git][security-tracker-team/security-tracker][master] libpod ospu

2024-01-02 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d46d3db3 by Moritz Mühlenhoff at 2024-01-02T12:34:09+01:00
libpod ospu

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -119,3 +119,5 @@ CVE-2023-22084
[bullseye] - mariadb-10.5 1:10.5.23-0+deb11u1
 CVE-2022-4515
[bullseye] - exuberant-ctags 1:5.9~svn20110310-14+deb11u1
+CVE-2022-2989
+   [bullseye] - libpod 3.0.1+dfsg1-3+deb11u5



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d46d3db3bab344a65bdaba1ab7d5d89ca9f88816



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-01-02 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6c49b2bc by Moritz Muehlenhoff at 2024-01-02T12:13:50+01:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -208,6 +208,7 @@ CVE-2021-46901 (examples/6lbr/apps/6lbr-webserver/httpd.c 
in CETIC-6LBR (aka 6lb
NOT-FOR-US: CETIC-6LBR (aka 6lbr)
 CVE-2021-46900 (Sympa before 6.2.62 relies on a cookie parameter for certain 
security  ...)
- sympa 6.2.66~dfsg-1
+   [bullseye] - sympa  (Minor issue)
NOTE: https://www.sympa.community/security/2021-001.html
NOTE: https://github.com/sympa-community/sympa/issues/1091
 CVE-2023-7192 [netfilter: ctnetlink: fix possible refcount leak in 
ctnetlink_create_conntrack()]
@@ -689,6 +690,7 @@ CVE-2023-50038 (There is an arbitrary file upload 
vulnerability in the backgroun
- textpattern 
 CVE-2023-49469 (Reflected Cross Site Scripting (XSS) vulnerability in Shaarli 
v0.12.2, ...)
- shaarli 0.13.0+dfsg-1
+   [bookworm] - shaarli  (Minor issue)
NOTE: https://github.com/shaarli/Shaarli/issues/2038
NOTE: 
https://github.com/shaarli/Shaarli/commit/326870f216ba52d80488cb4ba3fadcf1247d7cf8
 (v0.13.0)
 CVE-2023-49230 (An issue was discovered in Peplink Balance Two before 8.4.0. A 
missing ...)
@@ -1062,6 +1064,8 @@ CVE-2023-51766 (Exim before 4.97.1 allows SMTP smuggling 
in certain PIPELINING/C
NOTE: 
https://git.exim.org/exim.git/commit/5bb786d5ad568a88d50d15452aacc8404047e5ca
 CVE-2023-51765 (sendmail through at least 8.14.7 allows SMTP smuggling in 
certain conf ...)
- sendmail  (bug #1059386)
+   [bookworm] - sendmail  (Minor issue)
+   [bullseye] - sendmail  (Minor issue)
NOTE: 
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6
NOTE: https://www.openwall.com/lists/oss-security/2023/12/26/5
@@ -1133,14 +1137,20 @@ CVE-2023-50727 (Resque is a Redis-backed Ruby library 
for creating background jo
 CVE-2023-6937
[experimental] - wolfssl 5.6.6-1
- wolfssl 5.6.6-1.2 (bug #1059357)
+   [bookworm] - wolfssl  (Minor issue)
+   [bullseye] - wolfssl  (Minor issue)
NOTE: 
https://github.com/wolfSSL/wolfssl/blob/v5.6.6-stable/ChangeLog.md#vulnerabilities
 CVE-2023-6936
[experimental] - wolfssl 5.6.6-1
- wolfssl 5.6.6-1.2 (bug #1059357)
+   [bookworm] - wolfssl  (Minor issue)
+   [bullseye] - wolfssl  (Minor issue)
NOTE: 
https://github.com/wolfSSL/wolfssl/blob/v5.6.6-stable/ChangeLog.md#vulnerabilities
 CVE-2023-6935
[experimental] - wolfssl 5.6.6-1
- wolfssl 5.6.6-1.2 (bug #1059357)
+   [bookworm] - wolfssl  (Minor issue)
+   [bullseye] - wolfssl  (Minor issue)
NOTE: 
https://github.com/wolfSSL/wolfssl/blob/v5.6.6-stable/ChangeLog.md#vulnerabilities
 CVE-2023-7076 (A vulnerability was found in slawkens MyAAC up to 0.8.13. It 
has been  ...)
NOT-FOR-US: slawkens MyAAC
@@ -1314,6 +1324,8 @@ CVE-2023-6690 (A race condition in GitHub Enterprise 
Server allowed an existing
NOT-FOR-US: GitHub Enterprise Server
 CVE-2023-51713 (make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte 
out-of- ...)
- proftpd-dfsg 1.3.8.a+dfsg-1
+   [bookworm] - proftpd-dfsg  (Minor issue)
+   [bullseye] - proftpd-dfsg  (Minor issue)
NOTE: https://github.com/proftpd/proftpd/issues/1683
NOTE: 
https://github.com/proftpd/proftpd/commit/1376d8ccc0966d1ce9a1c76b32c6a9ca61bbe67f
 (v1.3.9rc1)
NOTE: 
https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592
 (v1.3.8a)
@@ -2354,6 +2366,8 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
[buster] - libssh2  (ChaCha20-Poly1305 and CBC-EtM 
support not present)
- openssh 1:9.6p1-1
- paramiko  (bug #1059006)
+   [bookworm] - paramiko  (Minor issue)
+   [bullseye] - paramiko  (Minor issue)
- phpseclib 1.0.22-1
- php-phpseclib 2.0.46-1
- php-phpseclib3 3.0.35-1
@@ -3481,6 +3495,8 @@ CVE-2023-31546 (Cross Site Scripting (XSS) vulnerability 
in DedeBIZ v6.0.3 allow
NOT-FOR-US: DedeBIZ
 CVE-2023-50782 [Bleichenbacher timing oracle attack against RSA decryption - 
incomplete fix for CVE-2020-25659]
- python-cryptography  (bug #1059308)
+   [bookworm] - python-cryptography  (Minor issue)
+   [bullseye] - python-cryptography  (Minor issue)
[buster] - python-cryptography  (Minor issue; it's an 
incomplete fix of CVE-2020-25659)
NOTE: https://github.com/pyca/cryptography/issues/9785
NOTE: https://people.redhat.com/~hkario/marvin/
@@ -14319,6 +14335,7 @@ CVE-2023-44689 (e-Gov Client Application (Windows 
version) versions prior to 2.1

[Git][security-tracker-team/security-tracker][master] vim fixed in sid

2024-01-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
188104a7 by Moritz Muehlenhoff at 2024-01-01T19:46:21+01:00
vim fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6867,7 +6867,7 @@ CVE-2023-40002 (Exposure of Sensitive Information to an 
Unauthorized Actor vulne
 CVE-2023-39253 (Dell OS Recovery Tool, versions 2.2.4013, 2.3.7012.0, and 
2.3.7515.0 c ...)
NOT-FOR-US: Dell
 CVE-2023-48706 (Vim is a UNIX editor that, prior to version 9.0.2121, has a 
heap-use-a ...)
-   - vim  (unimportant)
+   - vim 2:9.0.2189-1 (unimportant)
NOTE: https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q
NOTE: Fixed by: 
https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf8 (v9.0.2121)
NOTE: Crash in CLI tool, no security impact



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/188104a7f66d84781a58fdeb160dd7f22702ab72



[Git][security-tracker-team/security-tracker][master] gemmi fixed in sid

2023-12-31 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9e5d2231 by Moritz Muehlenhoff at 2023-12-31T13:42:45+01:00
gemmi fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5273,7 +5273,7 @@ CVE-2023-5332 (Patch in third party library Consul 
requires 'enable-script-check
 CVE-2023-49287 (TinyDir is a lightweight C directory and file reader. Buffer 
overflows ...)
- falcosecurity-libs  (bug #1059256)
[bookworm] - falcosecurity-libs  (Minor issue)
-   - gemmi  (bug #1059257)
+   - gemmi 0.6.4+ds-1 (bug #1059257)
[bookworm] - gemmi  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/12/04/1
NOTE: 
https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e5d22313182960144e0a01b72e8dcb36f584e33



[Git][security-tracker-team/security-tracker][master] libsass fixed in sid

2023-12-30 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ba45f82 by Moritz Muehlenhoff at 2023-12-30T20:55:56+01:00
libsass fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -81656,14 +81656,14 @@ CVE-2022-43359 (Gifdec commit 
1dcbae19363597314f6623010cc80abad4e47f7c was disco
NOT-FOR-US: Gifdec
 CVE-2022-43358 (Stack overflow vulnerability in ast_selectors.cpp: in function 
Sass::C ...)
[experimental] - libsass 3.6.5+20231221-1
-   - libsass  (bug #1051895)
+   - libsass 3.6.5+20231221-2 (bug #1051895)
[bookworm] - libsass  (Minor issue)
[bullseye] - libsass  (Minor issue)
[buster] - libsass  (Minor issue)
NOTE: https://github.com/sass/libsass/issues/3178
 CVE-2022-43357 (Stack overflow vulnerability in ast_selectors.cpp in function 
Sass::Co ...)
[experimental] - libsass 3.6.5+20231221-1
-   - libsass  (bug #1051893)
+   - libsass 3.6.5+20231221-2 (bug #1051895)
[bookworm] - libsass  (Minor issue)
[bullseye] - libsass  (Minor issue)
[buster] - libsass  (Minor issue)
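Review bot: the bug reference for CVE-2022-43357 changes from #1051893 to #1051895 in the same line that records the sid fix (`-   - libsass  (bug #1051893)` becomes `+   - libsass 3.6.5+20231221-2 (bug #1051895)`). #1051895 is the bug already cited for CVE-2022-43358 earlier in this hunk, so either the reports were merged and the change is deliberate, or the bug number was carried over together with the version string. Either way the commit message should say so, since the per-CVE bug numbers are the link back to the BTS.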
@@ -128882,7 +128882,7 @@ CVE-2022-26593 (Cross-site scripting (XSS) 
vulnerability in the Asset module's a
NOT-FOR-US: Liferay
 CVE-2022-26592 (Stack Overflow vulnerability in libsass 3.6.5 via the 
CompoundSelector ...)
[experimental] - libsass 3.6.5+20231221-1
-   - libsass  (bug #1051894)
+   - libsass 3.6.5+20231221-2 (bug #1051895)
[bookworm] - libsass  (Minor issue)
[bullseye] - libsass  (Minor issue)
[buster] - libsass  (Minor issue)
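Review bot: same pattern for CVE-2022-26592, whose bug reference moves from #1051894 to #1051895 alongside the version bump. If the original per-CVE bug is still open, keeping `(bug #1051894)` and adding only the version preserves the distinct tracking; if the bugs were merged, confirm that #1051895 covers this CVE as well.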
@@ -297083,7 +297083,7 @@ CVE-2019-18797 (LibSass 3.6.1 has uncontrolled 
recursion in Sass::Eval::operator
[buster] - libsass  (Minor issue)
[stretch] - libsass  (Minor issue)
NOTE: https://github.com/sass/libsass/issues/3000
-   NOTE: Not considered a security issue be upstream
+   NOTE: Not considered a security issue by upstream
 CVE-2019-18796 (The BASS Audio Library 2.4.14 under Windows is prone to a 
BASS_StreamC ...)
NOT-FOR-US: BASS Audio Library
 CVE-2019-18795 (The BASS Audio Library 2.4.14 under Windows is prone to a 
BASS_StreamC ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ba45f82ca092693196147790ef731923a437e66



[Git][security-tracker-team/security-tracker][master] add putty reference

2023-12-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4d936efe by Moritz Mühlenhoff at 2023-12-29T23:35:15+01:00
add putty reference

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2087,6 +2087,7 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
NOTE: proftpd: 
https://github.com/proftpd/proftpd/commit/bcec15efe6c53dac40420731013f1cd2fd54123b
 (v1.3.8b)
NOTE: proftpd-mod-proxy: 
https://github.com/Castaglia/proftpd-mod_proxy/issues/257
NOTE: proftpd-mod-proxy: 
https://github.com/Castaglia/proftpd-mod_proxy/commit/54612735629231de2242d6395d334539604872fb
 (v0.9.3)
+   NOTE: PuTTY: 
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terrapin.html
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9e099151574885f3c717ac10a633a9218db8e7bb
 (0.80)
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2e7086902b3605c96e54ef9c956ca7ab10e
 (0.80)
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fcbb86f715bc03e58921482efe663aa0c662d62
 (0.80)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d936efe0de530d3ea1a2522d619692dfa108b0d



[Git][security-tracker-team/security-tracker][master] espeak-ng spu

2023-12-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9e7e0305 by Moritz Mühlenhoff at 2023-12-29T23:19:04+01:00
espeak-ng spu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -53,3 +53,13 @@ CVE-2023-51764
[bookworm] - postfix 3.7.9-0+deb12u1
 CVE-2023-7008
[bookworm] - systemd 252.21-1~deb12u1
+CVE-2023-49994
+   [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1
+CVE-2023-49993
+   [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1
+CVE-2023-49992
+   [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1
+CVE-2023-49991
+   [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1
+CVE-2023-49990
+   [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e7e030590834abcfb803026e65d9675ece43116



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2023-12-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff7c8434 by Moritz Mühlenhoff at 2023-12-29T23:16:38+01:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -696,8 +696,13 @@ CVE-2023-51771 (In MicroHttpServer (aka Micro HTTP Server) 
through a8ab029, _Par
NOT-FOR-US: MicroHttpServer
 CVE-2023-51714 (An issue was discovered in the HTTP2 implementation in Qt 
before 5.15. ...)
- qt6-base 
+   [bookworm] - qt6-base  (Minor issue)
- qtbase-opensource-src 
+   [bookworm] - qtbase-opensource-src  (Minor issue)
+   [bullseye] - qtbase-opensource-src  (Minor issue)
- qtbase-opensource-src-gles 
+   [bookworm] - qtbase-opensource-src-gles  (Minor issue)
+   [bullseye] - qtbase-opensource-src-gles  (Minor issue)
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524864
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524865/3
 CVE-2023-49954 (The CRM Integration in 3CX before 18.0.9.23 and 20 before 
20.0.0.1494  ...)
@@ -949,6 +954,8 @@ CVE-2023-49085 (Cacti provides an operational monitoring 
and fault management fr
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855
 CVE-2023-48704 (ClickHouse is an open-source column-oriented database 
management syste ...)
- clickhouse  (bug #1059367)
+   [bookworm] - clickhouse  (Minor issue)
+   [bullseye] - clickhouse  (Minor issue)
NOTE: 
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5rmf-5g48-xv63
NOTE: https://github.com/ClickHouse/ClickHouse/pull/57107
 CVE-2023-48670 (Dell SupportAssist for Home PCs version 3.14.1 and prior 
versions cont ...)
@@ -1090,6 +1097,8 @@ CVE-2023-48308 (Nextcloud/Cloud is a calendar app for 
Nextcloud. An attacker can
NOT-FOR-US: Nextcloud calendar app
 CVE-2023-48298 (ClickHouse\xae is an open-source column-oriented database 
management s ...)
- clickhouse  (bug #1059261)
+   [bookworm] - clickhouse  (Minor issue)
+   [bullseye] - clickhouse  (Minor issue)
NOTE: 
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938
NOTE: https://github.com/ClickHouse/ClickHouse/pull/56795
 CVE-2023-46649 (A race condition in GitHub Enterprise Server was identified 
that could ...)
@@ -1110,6 +1119,8 @@ CVE-2023-37519 (Unauthenticated Stored Cross-Site 
Scripting (XSS) vulnerability.
NOT-FOR-US: HCL
 CVE-2023-42465 (Sudo before 1.9.15 might allow row hammer attacks (for 
authentication  ...)
- sudo 1.9.15p2-2
+   [bookworm] - sudo  (Minor issue)
+   [bullseye] - sudo  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/9
NOTE: 
https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f
 (SUDO_1_9_15p1)
 CVE-2023-7047 (Inadequate validation of permissions when employing remote 
tools and   ...)
@@ -1209,6 +1220,8 @@ CVE-2023-4256 (Within tcpreplay's tcprewrite, a double 
free vulnerability has be
NOTE: Crash in CLI tool, no security impact
 CVE-2023-4255 (An out-of-bounds write issue has been discovered in the 
backspace hand ...)
- w3m  (bug #1059265)
+   [bookworm] - w3m  (Minor issue)
+   [bullseye] - w3m  (Minor issue)
[buster] - w3m  (Minor issue)
NOTE: 
https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3
NOTE: https://github.com/tats/w3m/issues/268
@@ -1442,6 +1455,8 @@ CVE-2023-47236 (Improper Neutralization of Special 
Elements used in an SQL Comma
NOT-FOR-US: WordPress plugin
 CVE-2023-47118 (ClickHouse\xae is an open-source column-oriented database 
management s ...)
- clickhouse  (bug #1059261)
+   [bookworm] - clickhouse  (Minor issue)
+   [bullseye] - clickhouse  (Minor issue)
NOTE: 
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v
 CVE-2023-46311 (Authorization Bypass Through User-Controlled Key vulnerability 
in gVec ...)
NOT-FOR-US: WordPress plugin
@@ -1812,6 +1827,7 @@ CVE-2023-46104 (Uncontrolled resource consumption can be 
triggered by authentica
NOT-FOR-US: Apache Superset
 CVE-2023- [RUSTSEC-2023-0074]
- rust-zerocopy 
+   [bookworm] - rust-zerocopy  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0074.html
NOTE: https://github.com/google/zerocopy/issues/716
 CVE-2023-6940 (with only one user interaction(download a malicious config), 
attackers ...)
@@ -2014,11 +2030,15 @@ CVE-2023-32230 (An improper handling of a malformed API 
request to an API server
 CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, 
found in O ...)
{DSA-5591-1 DSA-5588-1 DSA-5586-1 DLA-3694-1}
- dropbear  (bug #1059001

[Git][security-tracker-team/security-tracker][master] nodejs DSA

2023-12-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
20d5621e by Moritz Mühlenhoff at 2023-12-27T23:02:34+01:00
nodejs DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[27 Dec 2023] DSA-5589-1 nodejs - security update
+   {CVE-2023-23918 CVE-2023-23919 CVE-2023-23920 CVE-2023-30581 
CVE-2023-30588 CVE-2023-30589 CVE-2023-30590 CVE-2023-32002 CVE-2023-32006 
CVE-2023-32559 CVE-2023-38552 CVE-2023-39333}
+   [bookworm] - nodejs 18.19.0+dfsg-6~deb12u1
 [24 Dec 2023] DSA-5588-1 putty - security update
{CVE-2023-48795}
[bullseye] - putty 0.74-1+deb11u1


=
data/dsa-needed.txt
=
@@ -39,9 +39,6 @@ linux (carnil)
 nbconvert/oldstable
   Guilhem Moulin proposed an update ready for review
 --
-nodejs (jmm)
-  maintainer proposed to follow the upstream 18.x LTS branch
---
 php-cas/oldstable
 --
 php-horde-mime-viewer/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20d5621ee3138c3d8cbffb3cee17fb4407ab008f



[Git][security-tracker-team/security-tracker][master] one older nodejs issue fixed in sid

2023-12-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1133e4aa by Moritz Mühlenhoff at 2023-12-27T20:30:02+01:00
one older nodejs issue fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -56883,7 +56883,7 @@ CVE-2023-23919 (A cryptographic vulnerability exists in 
Node.js <19.2.0, <18.14.
NOTE: https://hackerone.com/reports/1808596
NOTE: 
https://github.com/nodejs/node/commit/438812e14d3b2a705fb639b69e37c6cc4e7c8029
 CVE-2023-23918 (A privilege escalation vulnerability exists in Node.js 
<19.6.1, <18.14 ...)
-   - nodejs  (bug #1031834)
+   - nodejs 18.19.0+dfsg-2 (bug #1031834)
[bullseye] - nodejs  (Permissions policy introduced in 
v16.x)
[buster] - nodejs  (v10.x doesn't support policy 
manifests)
NOTE: 
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-permissions-policies-can-be-bypassed-via-process-mainmodule-high-cve-2023-23918



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1133e4aab48a47dd465f2973bd63d038b63b1292



[Git][security-tracker-team/security-tracker][master] remove three postponed nodejs issues lined up for DSA

2023-12-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
097dcd38 by Moritz Mühlenhoff at 2023-12-27T20:27:46+01:00
remove three postponed nodejs issues lined up for DSA

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -56873,12 +56873,10 @@ CVE-2023-0407
 CVE-2023-23920 (An untrusted search path vulnerability exists in Node.js. 
<19.6.1, <18 ...)
{DSA-5395-1 DLA-3344-1}
- nodejs 18.13.0+dfsg1-1.1 (bug #1031834)
-   [bookworm] - nodejs  (Can be fixed along with next update)
NOTE: 
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-insecure-loading-of-icu-data-through-icu_data-environment-variable-low-cve-2023-23920
NOTE: 
https://github.com/nodejs/node/commit/f369c0a739b9f0182ededa834a2a44e6fec322d1
 CVE-2023-23919 (A cryptographic vulnerability exists in Node.js <19.2.0, 
<18.14.1, <16 ...)
- nodejs 18.13.0+dfsg1-1.1 (bug #1031834)
-   [bookworm] - nodejs  (Can be fixed along with next update)
[bullseye] - nodejs  (X509Certificate API introduced in 
v15.6.0)
[buster] - nodejs  (X509Certificate API introduced in 
v15.6.0)
NOTE: 
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-openssl-error-handling-issues-in-nodejs-crypto-library-medium-cve-2023-23919
@@ -56886,7 +56884,6 @@ CVE-2023-23919 (A cryptographic vulnerability exists in 
Node.js <19.2.0, <18.14.
NOTE: 
https://github.com/nodejs/node/commit/438812e14d3b2a705fb639b69e37c6cc4e7c8029
 CVE-2023-23918 (A privilege escalation vulnerability exists in Node.js 
<19.6.1, <18.14 ...)
- nodejs  (bug #1031834)
-   [bookworm] - nodejs  (Can be fixed along with next update)
[bullseye] - nodejs  (Permissions policy introduced in 
v16.x)
[buster] - nodejs  (v10.x doesn't support policy 
manifests)
NOTE: 
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-permissions-policies-can-be-bypassed-via-process-mainmodule-high-cve-2023-23918



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/097dcd38fe6bd11c2ad64465e23518f2e49d528e



[Git][security-tracker-team/security-tracker][master] NFUs

2023-12-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
428aa1f7 by Moritz Mühlenhoff at 2023-12-27T20:23:06+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,9 +1,9 @@
 CVE-2023-52096 (SteVe Community ocpp-jaxb before 0.0.8 generates invalid 
timestamps su ...)
-   TODO: check
+   NOT-FOR-US: SteVe Community ocpp-jaxb
 CVE-2023-49438 (An open redirect vulnerability in the python package 
Flask-Security-To ...)
TODO: check
 CVE-2023-48003 (An open redirect through HTML injection in user messages in 
Asp.Net Ze ...)
-   TODO: check
+   NOT-FOR-US: Asp.Net Zero
 CVE-2023-6268 (The JSON Content Importer WordPress plugin before 1.5.4 does 
not sanit ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-6250 (The BestWebSoft's Like & Share WordPress plugin before 2.74 
discloses  ...)
@@ -37,7 +37,7 @@ CVE-2023-5203 (The WP Sessions Time Monitoring Full Automatic 
WordPress plugin b
 CVE-2023-5180 (An issue was discovered in Open Design Alliance Drawings SDK 
before 20 ...)
NOT-FOR-US: Open Design Alliance Drawings SDK
 CVE-2023-52086 (resumable.php (aka PHP backend for resumable.js) 0.1.4 before 
3c6dbf5  ...)
-   TODO: check
+   NOT-FOR-US: PHP backend for resumable.js
 CVE-2023-51107 (A floating point exception (divide-by-zero) vulnerability was 
discover ...)
- mupdf  (unimportant)
NOTE: https://github.com/dongyuma/sox-defects/blob/main/mupdf-defects.md



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/428aa1f7c7812adb4d0462c339d072da21201d45



[Git][security-tracker-team/security-tracker][master] librecad fixed in sid

2023-12-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7a6d2e3b by Moritz Mühlenhoff at 2023-12-27T20:21:16+01:00
librecad fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37571,7 +37571,7 @@ CVE-2023-30261 (Command Injection vulnerability in 
OpenWB 1.6 and 1.7 allows rem
 CVE-2023-30260 (Command injection vulnerability in RaspAP raspap-webgui 2.8.8 
and earl ...)
NOT-FOR-US: RaspAP
 CVE-2023-30259 (A Buffer Overflow vulnerability in importshp plugin in 
LibreCAD 2.2.0  ...)
-   - librecad  (unimportant)
+   - librecad 2.2.0.2-1 (unimportant)
NOTE: https://github.com/LibreCAD/LibreCAD/issues/1481
NOTE: Crash in CLI tool, no security impact
 CVE-2023-30258 (Command Injection vulnerability in MagnusSolution 
magnusbilling 6.x an ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a6d2e3b46e151696b95cd2167fc520f5fc6b477



[Git][security-tracker-team/security-tracker][master] fix syntax for postfix issue, the fixed version will only with the next point update

2023-12-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
891044d0 by Moritz Mühlenhoff at 2023-12-27T20:19:53+01:00
fix syntax for postfix issue, the fixed version will only with the next point 
update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -300,7 +300,7 @@ CVE-2023-51765 (sendmail through at least 8.14.7 allows 
SMTP smuggling in certai
NOTE: https://www.openwall.com/lists/oss-security/2023/12/26/5
 CVE-2023-51764 (Postfix through 3.8.4 allows SMTP smuggling unless configured 
with smt ...)
- postfix 3.8.4-1 (bug #1059230)
-   [bookworm] - postfix 3.7.9-0+deb12u1  (Minor issue; mitigations 
exist)
+   [bookworm] - postfix  (Minor issue; mitigations exist)
[bullseye] - postfix  (Minor issue; mitigations exist)
NOTE: 
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/891044d00dcd087b271d7e3817def7fa9d3411ed



[Git][security-tracker-team/security-tracker][master] NFUs

2023-12-26 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2d2f40c8 by Moritz Mühlenhoff at 2023-12-26T17:12:18+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-51467
+   NOT-FOR-US: Apache OFBiz
+CVE-2023-50968
+   NOT-FOR-US: Apache OFBiz
 CVE-2023-7111 (A vulnerability, which was classified as critical, was found in 
code-p ...)
NOT-FOR-US: code-projects Library Management System
 CVE-2023-7110 (A vulnerability, which was classified as critical, has been 
found in c ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d2f40c8bc1c65c1b6d7f51588d6eece7d8e881e



[Git][security-tracker-team/security-tracker][master] systemd spu

2023-12-26 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4ee785aa by Moritz Mühlenhoff at 2023-12-26T17:03:01+01:00
systemd spu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -51,3 +51,5 @@ CVE-2023- [XSS issue fixed in 4.1.13 upstream]
NOTE: For Debian bug #1059331
 CVE-2023-51764
[bookworm] - postfix 3.7.9-0+deb12u1
+CVE-2023-7008
+   [bookworm] - systemd 252.21-1~deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ee785aac5fd84e151fb49f199b123fe5e6f9fb5



[Git][security-tracker-team/security-tracker][master] NFU

2023-12-25 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c13efea by Moritz Muehlenhoff at 2023-12-25T19:49:02+01:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -36907,7 +36907,7 @@ CVE-2023-1963 (A vulnerability was found in PHPGurukul 
Bank Locker Management Sy
 CVE-2018-25084 (A vulnerability, which was classified as problematic, has been 
found i ...)
NOT-FOR-US: Ping Identity Self-Service Account Manager
 CVE-2023-30451 (In TYPO3 11.5.24, the filelist component allows attackers (who 
have ac ...)
-   TODO: check
+   NOT-FOR-US: Typo3
 CVE-2023-30450 (rpk in Redpanda before 23.1.2 mishandles the 
redpanda.rpc_server_tls f ...)
NOT-FOR-US: Redpanda
 CVE-2023-30449 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect 
Server) 10.5 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c13efeab2705876ba6cde02bab0173f6f528e16



[Git][security-tracker-team/security-tracker][master] new Qt issue

2023-12-25 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0c1e5e8 by Moritz Muehlenhoff at 2023-12-25T19:45:06+01:00
new Qt issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29,7 +29,11 @@ CVE-2023-51772 (One Identity Password Manager before 5.13.1 
allows Kiosk Escape.
 CVE-2023-51771 (In MicroHttpServer (aka Micro HTTP Server) through a8ab029, 
_ParseHead ...)
NOT-FOR-US: MicroHttpServer
 CVE-2023-51714 (An issue was discovered in the HTTP2 implementation in Qt 
before 5.15. ...)
-   TODO: check
+   - qt6-base 
+   - qtbase-opensource-src 
+   - qtbase-opensource-src-gles 
+   NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524864
+   NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524865/3
 CVE-2023-49954 (The CRM Integration in 3CX before 18.0.9.23 and 20 before 
20.0.0.1494  ...)
NOT-FOR-US: 3CX
 CVE-2023-49944 (The Challenge Response feature of BeyondTrust Privilege 
Management for ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0c1e5e86095e06bc44615a400dd43f08431aada



[Git][security-tracker-team/security-tracker][master] one nodejs issue ignored for bullseye

2023-12-25 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dcdba6bd by Moritz Muehlenhoff at 2023-12-25T19:42:30+01:00
one nodejs issue ignored for bullseye

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -36163,6 +36163,7 @@ CVE-2023-30590 (The generateKeys() API function 
returned from crypto.createDiffi
NOTE: Fixed by: 
https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 
(v16.x)
 CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not 
strictly ...)
- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
+   [bullseye] - nodejs  (Minor issue, too intrusive to backport)
[buster] - nodejs  (llhttp dependency/embedding 
introduced in 12.x)
- llhttp  (bug #977716)
NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcdba6bd33228550f0f67068a4ff69b986908357



[Git][security-tracker-team/security-tracker][master] twisted fixed in sid

2023-12-25 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d6dc719a by Moritz Muehlenhoff at 2023-12-25T19:08:44+01:00
twisted fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10444,7 +10444,7 @@ CVE-2023-46233 (crypto-js is a JavaScript library of 
crypto standards. Prior to
 CVE-2023-46232 (era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, 
a layer ...)
NOT-FOR-US: era-compiler-vyper
 CVE-2023-46137 (Twisted is an event-based framework for internet applications. 
Prior t ...)
-   - twisted  (bug #1054913)
+   - twisted 23.10.0-1 (bug #1054913)
[bookworm] - twisted  (Minor issue)
[bullseye] - twisted  (Minor issue)
[buster] - twisted  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6dc719a7489ff99b0f419a8c0629d7c6e567775



[Git][security-tracker-team/security-tracker][master] add upstream reference for hamster-time-tracker

2023-12-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b4f9d10 by Moritz Muehlenhoff at 2023-12-24T23:48:23+01:00
add upstream reference for hamster-time-tracker

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17464,7 +17464,7 @@ CVE-2023-37739 (i-doit Pro v25 and below was discovered 
to be vulnerable to path
 CVE-2023-36250 (CSV Injection vulnerability in GNOME time tracker version 
3.0.2, allow ...)
- hamster-time-tracker  (bug #1059296)
NOTE: 
https://github.com/BrunoTeixeira1996/CVE-2023-36250/blob/main/README.md
-   NOTE: Report sounds a little dubious, it's not really clear whether 
this cross any security boundary
+   NOTE: https://github.com/projecthamster/hamster/issues/750
 CVE-2023-2848 (Movim prior to version 0.22 is affected by a Cross-Site 
WebSocket Hija ...)
NOT-FOR-US: Movim
 CVE-2023-4948 (The WooCommerce CVR Payment Gateway plugin for WordPress is 
vulnerable ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b4f9d1076a9bd345a5fde287e383c81f8e61b2b



[Git][security-tracker-team/security-tracker][master] more gitlab issues fixed in sid

2023-12-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
156430c8 by Moritz Muehlenhoff at 2023-12-24T23:37:26+01:00
more gitlab issues fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2240,11 +2240,11 @@ CVE-2023-3511 (An issue has been discovered in GitLab 
EE affecting all versions
 CVE-2023-3907 (A privilege escalation vulnerability in GitLab EE affecting all 
versio ...)
- gitlab  (Specific to EE)
 CVE-2023-5061 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-5512 (An issue has been discovered in GitLab CE/EE affecting all 
versions fr ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-6051 (An issue has been discovered in GitLab CE/EE affecting all 
versions be ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-6680 (An improper certificate validation issue in Smartcard 
authentication i ...)
- gitlab  (Specific to EE)
 CVE-2023-6564
@@ -4724,7 +4724,7 @@ CVE-2023-6442 (A vulnerability was found in PHPGurukul 
Nipah Virus Testing Manag
 CVE-2023-6440 (A vulnerability was found in SourceCodester Book Borrower 
System 1.0 a ...)
NOT-FOR-US: SourceCodester
 CVE-2023-6033 (Improper neutralization of input in Jira integration 
configuration in  ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-5995 (An issue has been discovered in GitLab EE affecting all 
versions start ...)
- gitlab  (Specific to EE)
 CVE-2023-5915 (A vulnerability of Uncontrolled Resource Consumption has been 
identifi ...)
@@ -4734,7 +4734,7 @@ CVE-2023-5909 (KEPServerEX does not properly validate 
certificates from clients
 CVE-2023-5908 (KEPServerEX is vulnerable to a buffer overflow which may allow 
an atta ...)
NOT-FOR-US: KEPServerEX
 CVE-2023-5226 (An issue has been discovered in GitLab affecting all versions 
before 1 ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-4912 (An issue has been discovered in GitLab EE affecting all 
versions start ...)
- gitlab  (Specific to EE)
 CVE-2023-4658 (An issue has been discovered in GitLab EE affecting all 
versions start ...)
@@ -9423,7 +9423,7 @@ CVE-2023-46695 (An issue was discovered in Django 3.2 
before 3.2.23, 4.1 before
- python-django  (Only an issue on windows)
NOTE: 
https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
 CVE-2023-5831 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-4700 (An authorization issue affecting GitLab EE affecting all 
versions from ...)
- gitlab  (Specific to EE)
 CVE-2023-5600
@@ -9433,7 +9433,7 @@ CVE-2023-3246 (An issue has been discovered in GitLab 
EE/CE affecting all versio
 CVE-2023-3909 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
- gitlab 16.4.4+ds2-2
 CVE-2023-5825 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-3399 (An issue has been discovered in GitLab EE affecting all 
versions start ...)
- gitlab 16.4.4+ds2-2
 CVE-2023-5904 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
@@ -15108,7 +15108,7 @@ CVE-2023-5301 (A vulnerability classified as critical 
was found in DedeCMS 5.7.1
 CVE-2023-5300 (A vulnerability classified as critical has been found in 
TTSPlanning u ...)
NOT-FOR-US: TTSPlanning
 CVE-2023-5207 (A vulnerability was discovered in GitLab CE and EE affecting 
all versi ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-44488 (VP9 in libvpx before 1.13.1 mishandles widths, leading to a 
crash rela ...)
{DSA-5518-1 DLA-3598-1}
- libvpx 1.12.0-1.2
@@ -15281,7 +15281,7 @@ CVE-2023-39410 (When deserializing untrusted or 
corrupted data, it is possible f
 CVE-2023-39308 (Unauth. Stored Cross-Site Scripting (XSS) vulnerability in 
UserFeedbac ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-5198 (An issue has been discovered in GitLab affecting all versions 
prior to ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-5185 (Gym Management System Project v1.0 is vulnerable to  an 
Insecure File  ...)
NOT-FOR-US: Gym Management System Project
 CVE-2023-5077 (The Vault and Vault Enterprise ("Vault") Google Cloud secrets 
engine d ...)
@@ -16979,7 +16979,7 @@ CVE-2023-2567 (A SQL Injection vulnerability in Nozomi 
Networks Guardian and CMC
 CVE-2023-29245 (A SQL Injection vulnerability in Nozomi Networks Guardian and 
CMC, due ...)
NOT-FOR-US: Nozomi Networks Guardian and CMC
 CVE-2023-4998
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-5060 (Cross-site Scripting (XSS) - DOM in GitHub repository 
libren

[Git][security-tracker-team/security-tracker][master] gitlab issues fixed in sid (more to investigate)

2023-12-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7368f17 by Moritz Muehlenhoff at 2023-12-24T20:48:00+01:00
gitlab issues fixed in sid (more to investigate)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4738,7 +4738,7 @@ CVE-2023-4912 (An issue has been discovered in GitLab EE 
affecting all versions
 CVE-2023-4658 (An issue has been discovered in GitLab EE affecting all 
versions start ...)
- gitlab  (Specific to EE)
 CVE-2023-4317 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-49735 (** UNSUPPORTED WHEN ASSIGNED **  The value set as the 
DefaultLocaleRes ...)
- tiles  (unimportant; bug #1057315)
NOTE: https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p
@@ -4808,11 +4808,11 @@ CVE-2023-42916 (An out-of-bounds read was addressed 
with improved input validati
[bullseye] - wpewebkit  (wpewebkit >= 2.40 can no longer be 
sensibly backported)
NOTE: https://webkitgtk.org/security/WSA-2023-0011.html
 CVE-2023-3964 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-3949 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-3443 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-39226 (In Delta Electronics InfraSuite Device Master v.1.0.7, a 
vulnerability ...)
NOT-FOR-US: Delta Electronics
 CVE-2023-6439 (A vulnerability classified as problematic was found in ZenTao 
PMS 18.8 ...)
@@ -9427,13 +9427,13 @@ CVE-2023-4700 (An authorization issue affecting GitLab 
EE affecting all versions
 CVE-2023-5600
- gitlab  (Specific to EE)
 CVE-2023-3246 (An issue has been discovered in GitLab EE/CE affecting all 
versions st ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-3909 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-5825 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
- gitlab 
 CVE-2023-3399 (An issue has been discovered in GitLab EE affecting all 
versions start ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-5904 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
NOT-FOR-US: pkp-lib
 CVE-2023-5903 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
@@ -15268,7 +15268,7 @@ CVE-2023-41657 (Auth. (admin+) Stored Cross-Site 
Scripting (XSS) vulnerability i
 CVE-2023-41655 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Andr ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-3413 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-3024 (Forcing the Bluetooth LE stack to segment 'prepare write 
response' pac ...)
NOT-FOR-US: Silabs
 CVE-2023-39410 (When deserializing untrusted or corrupted data, it is possible 
for a r ...)
@@ -15286,7 +15286,7 @@ CVE-2023-5053 (Hospital management system version 
378c157 allows to bypass authe
 CVE-2023-5004 (Hospital management system version 378c157 allows to bypass 
authentica ...)
NOT-FOR-US: Hospital management system
 CVE-2023-4532 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-4316 (Zod in version 3.22.2 allows an attacker to perform a denial of 
servic ...)
NOT-FOR-US: Zod
 CVE-2023-44469 (A Server-Side Request Forgery issue in the OpenID Connect 
Issuer in Le ...)
@@ -15342,13 +15342,13 @@ CVE-2023-43014 (Asset Management System v1.0 is 
vulnerable to  an Authenticated
 CVE-2023-43013 (Asset Management System v1.0 is vulnerable to an  
unauthenticated SQL  ...)
NOT-FOR-US: Asset Management System
 CVE-2023-3979 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-3922 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-3920 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-3917 (Denial of Service in pipelines affecting all versions of Gitlab 
EE and ...)
-   - gitlab 
+   - gitlab 16.4.4+ds2-2
 CVE-2023-3914 (A business logic error in GitLab EE affecting all versions 
prior to 16 ...)
- gitlab  (Specific to EE)
 CVE-2023-3906 (An input validation issue in the asset proxy in GitLab EE, 
affecting a ...)
@@ -1932

[Git][security-tracker-team/security-tracker][master] zfs-linux fixed in sid

2023-12-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
322ffb57 by Moritz Muehlenhoff at 2023-12-24T20:38:16+01:00
zfs-linux fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -197038,7 +197038,7 @@ CVE-2021-27206
RESERVED
 CVE-2013-20001 (An issue was discovered in OpenZFS through 2.0.3. When an NFS 
share is ...)
[experimental] - zfs-linux 2.2.0-1~exp1
-   - zfs-linux  (bug #1059322)
+   - zfs-linux 2.2.2-1 (bug #1059322)
[bookworm] - zfs-linux  (contrib not supported)
[bullseye] - zfs-linux  (contrib not supported)
NOTE: 
https://github.com/openzfs/zfs/commit/6cb5e1e7591da20af3a15793e022345a73e40fb7 
(zfs-2.2.0-rc1)
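Review bot: with sid now at 2.2.2-1 the "[experimental] - zfs-linux 2.2.0-1~exp1" line above it is superseded (the unstable fix version is newer than the experimental one), so it can be dropped in the same change; the upstream NOTE already records that the fix landed in zfs-2.2.0-rc1, which both versions include.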



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/322ffb57627dceea622a5d35d70a632091e48d74



[Git][security-tracker-team/security-tracker][master] two nodejs issues n/a or ignored for bullseye

2023-12-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e70ad7ca by Moritz Muehlenhoff at 2023-12-23T20:26:07+01:00
two nodejs issues n/a or ignored for bullseye

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -36017,6 +36017,7 @@ CVE-2023-30589 (The llhttp parser in the http module in 
Node v20.2.0 does not st
NOTE: Fixed by: 
https://github.com/nodejs/node/commit/e42ff4b0180f4e0f5712364dd6ea015559640152 
(v16.x)
 CVE-2023-30588 (When an invalid public key is used to create an x509 
certificate using ...)
- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
+   [bullseye] - nodejs  (Vulnerable code not present)
[buster] - nodejs  (X509Certificate API introduced later)
NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#process-interuption-due-to-invalid-public-key-information-in-x509-certificates-medium-cve-2023-30588
NOTE: https://hackerone.com/reports/1884159
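Review bot: the new bullseye rationale "(Vulnerable code not present)" and the existing buster rationale "(X509Certificate API introduced later)" state the same reason in two wordings; use the more specific one for both (the API was introduced after the Node.js version shipped in each release) so a later reader does not wonder whether bullseye was excluded for a different reason than buster.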
@@ -36045,6 +36046,7 @@ CVE-2023-30582
NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#fswatchfile-bypass-in-experimental-permission-model-medium-cve-2023-30582
 CVE-2023-30581 (The use of __proto__ in process.mainModule.__proto__.require() 
can byp ...)
- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
+   [bullseye] - nodejs  (Only affects experimental policy 
manifests)
[buster] - nodejs  (v10.x doesn't support policy 
manifests)
NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#mainmoduleproto-bypass-experimental-policy-mechanism-high-cve-2023-30581
NOTE: https://hackerone.com/reports/1877919



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e70ad7cac8feace12637a67b1c48e3cdb372e910



[Git][security-tracker-team/security-tracker][master] curl DSA

2023-12-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc038894 by Moritz Mühlenhoff at 2023-12-23T19:59:24+01:00
curl DSA

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -3777,6 +3777,7 @@ CVE-2023-46218 (This flaw allows a malicious HTTP server 
to set "super cookies"
NOTE: https://curl.se/docs/CVE-2023-46218.html
 CVE-2023-46219 (When saving HSTS data to an excessively long file name, curl 
could end ...)
- curl 8.5.0-1 (bug #1057645)
+   [bookworm] - curl 7.88.1-10+deb12u5
[bullseye] - curl  (curl is not built with HSTS support)
[buster] - curl  (Not affected by CVE-2022-32207)
NOTE: Introduced by: 
https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f 
(curl-7_84_0)
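Review bot: the buster rationale in this hunk, "(Not affected by CVE-2022-32207)", does not explain why buster is unaffected by CVE-2023-46219; the "Introduced by" NOTE (curl-7_84_0) is the actual reason, so the buster line should say that buster's curl predates the commit that introduced the HSTS file handling, the same way the bullseye line spells out "not built with HSTS support".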


=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[23 Dec 2023] DSA-5587-1 curl - security update
+   {CVE-2023-46218}
+   [bullseye] - curl 7.74.0-1.3+deb11u11
+   [bookworm] - curl 7.88.1-10+deb12u5
 [22 Dec 2023] DSA-5586-1 openssh - security update
{CVE-2023-48795 CVE-2023-51385}
[bullseye] - openssh 1:8.4p1-5+deb11u3
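Review bot: the DSA-5587-1 entry lists only CVE-2023-46218, yet the same bookworm version 7.88.1-10+deb12u5 is recorded in the CVE/list hunk above as the fix for CVE-2023-46219. If the bookworm upload also fixes CVE-2023-46219 (with bullseye unaffected per the "not built with HSTS support" rationale), add it to the DSA's CVE list so the cross-reference is generated; otherwise the bookworm line for CVE-2023-46219 needs its own note on which upload carried the fix.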


=
data/dsa-needed.txt
=
@@ -16,9 +16,6 @@ asterisk
 --
 cryptojs
 --
-curl (jmm)
-  Samuel Henrique provided debdiffs for review
---
 dnsdist (jmm)
 --
 frr



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc0388946ba384dfb0abc225b6148a867a1e0613



[Git][security-tracker-team/security-tracker][master] four nodejs issues ignored for bullseye

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0084a5ac by Moritz Muehlenhoff at 2023-12-22T20:15:49+01:00
four nodejs issues ignored for bullseye

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22162,6 +22162,7 @@ CVE-2023-33241 (Crypto wallets implementing the GG18 or 
GG20 TSS protocol might
NOT-FOR-US: Crypto wallets implementing the GG18 or GG20 TSS protocol
 CVE-2023-32559 (A privilege escalation vulnerability exists in the 
experimental policy ...)
- nodejs 18.13.0+dfsg1-1.1 (bug #1050739)
+   [bullseye] - nodejs  (Only affects experimental policy 
manifests)
[buster] - nodejs  (v10.x doesn't support policy 
manifests)
NOTE: 
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-processbinding-mediumcve-2023-32559
NOTE: 
https://github.com/nodejs/node/commit/d4570fae358693b8f7fec05294b9bb92a966226d 
(v18.x)
@@ -22171,6 +22172,7 @@ CVE-2023-32558 (The use of the deprecated API 
`process.binding()` can bypass the
NOTE: 
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#processbinding-can-bypass-the-permission-model-through-path-traversal-highcve-2023-32558
 CVE-2023-32006 (The use of `module.constructor.createRequire()` can bypass the 
policy  ...)
- nodejs 18.13.0+dfsg1-1.1 (bug #1050739)
+   [bullseye] - nodejs  (Only affects experimental policy 
manifests)
[buster] - nodejs  (v10.x doesn't support policy 
manifests)
NOTE: 
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-impersonate-other-modules-in-using-moduleconstructorcreaterequire-mediumcve-2023-32006
NOTE: 
https://github.com/nodejs/node/commit/15bced0bde93f24115b779a309d517845c87e17a 
(v18.x)
@@ -22186,6 +22188,7 @@ CVE-2023-32003 (`fs.mkdtemp()` and `fs.mkdtempSync()` 
can be used to bypass the
NOTE: 
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsmkdtemp-and-fsmkdtempsync-are-missing-getvalidatedpath-checks-lowcve-2023-32003
 CVE-2023-32002 (The use of `Module._load()` can bypass the policy mechanism 
and requir ...)
- nodejs 18.13.0+dfsg1-1.1 (bug #1050739)
+   [bullseye] - nodejs  (Only affects experimental policy 
manifests)
[buster] - nodejs  (v10.x doesn't support policy 
manifests)
NOTE: 
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-module_load-highcve-2023-32002
NOTE: 
https://github.com/nodejs/node/commit/15bced0bde93f24115b779a309d517845c87e17a 
(v18.x)
@@ -35819,6 +35822,7 @@ CVE-2023-30591 (Denial-of-service in NodeBB <= v2.8.10 
allows unauthenticated at
NOT-FOR-US: NodeBB
 CVE-2023-30590 (The generateKeys() API function returned from 
crypto.createDiffieHellm ...)
- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
+   [bullseye] - nodejs  (Minor issue, only updates documentation 
to clarify an API)
[buster] - nodejs  (minor issue - Inconsistency Between 
Implementation and Documented Design)
NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
NOTE: Fixed by: 
https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 
(v16.x)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0084a5ac631fa4c7cea61a5269eb99dedf8d54ee



[Git][security-tracker-team/security-tracker][master] take nodejs and curl

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3552c875 by Moritz Muehlenhoff at 2023-12-22T19:47:11+01:00
take nodejs and curl

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -16,7 +16,7 @@ asterisk
 --
 cryptojs
 --
-curl
+curl (jmm)
   Samuel Henrique provided debdiffs for review
 --
 dnsdist (jmm)
@@ -39,7 +39,7 @@ linux (carnil)
 nbconvert/oldstable
   Guilhem Moulin proposed an update ready for review
 --
-nodejs
+nodejs (jmm)
   maintainer proposed to follow the upstream 18.x LTS branch
 --
 php-cas/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3552c875568fccfd0e862cb2b924d15a1e8fe2cb



[Git][security-tracker-team/security-tracker][master] bugnums

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ceecb73f by Moritz Muehlenhoff at 2023-12-22T15:03:39+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2376,7 +2376,7 @@ CVE-2023-43813 (GLPI is a free asset and IT management 
software package. Startin
 CVE-2023-42495 (Dasan Networks - W-Web versions 1.22-1.27 - CWE-78: Improper 
Neutraliz ...)
NOT-FOR-US: Dasan Networks W-Web
 CVE-2023-34194 (StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in 
TinyXML ...)
-   - tinyxml 
+   - tinyxml  (bug #1059315)
NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities
 CVE-2023-6707 (Use after free in CSS in Google Chrome prior to 120.0.6099.109 
allowed ...)
{DSA-5577-1}
@@ -3938,7 +3938,7 @@ CVE-2023-40464 (Several versions of ALEOS, including 
ALEOS 4.16.0, use a hardcod
 CVE-2023-40463 (When configured in debugging mode by an authenticated user 
withadm ...)
NOT-FOR-US: ALEOS
 CVE-2023-40462 (The ACEManager component of ALEOS 4.16 and earlier does not
perform ...)
-   - tinyxml 
+   - tinyxml  (bug #1059315)
NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities
 CVE-2023-40461 (The ACEManager component of ALEOS 4.16 and earlier allows an   
 authen ...)
NOT-FOR-US: ALEOS
@@ -4960,7 +4960,7 @@ CVE-2023-47463 (Insecure Permissions vulnerability in 
GL.iNet AX1800 version 4.0
 CVE-2023-47418 (Remote Code Execution (RCE) vulnerability in o2oa version 
8.1.2 and be ...)
NOT-FOR-US: p2pa
 CVE-2023-40458 (Loop with Unreachable Exit Condition ('Infinite Loop') 
vulnerability i ...)
-   - tinyxml 
+   - tinyxml  (bug #1059315)
NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities
 CVE-2023-3741 (An OS Command injection vulnerability in NEC Platforms DT900 
and DT900 ...)
NOT-FOR-US: NEC
@@ -30542,10 +30542,10 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 
with use of yajl_tree_parse
NOTE: https://github.com/lloyd/yajl/issues/250
NOTE: Introduced with: 
https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb 
(2.0.0)
NOTE: The original fix uploaded as 2.1.0-3.1 was incomplete.
-   - epics-base 
+   - epics-base  (bug #1059316)
[bookworm] - epics-base  (Minor issue)
[buster] - epics-base  (Minor issue; fix only after newer 
releases got a fix)
-   - r-cran-jsonlite 
+   - r-cran-jsonlite  (bug #1059317)
[bookworm] - r-cran-jsonlite  (Minor issue)
[bullseye] - r-cran-jsonlite  (Minor issue)
[buster] - r-cran-jsonlite  (Minor issue; fix only after 
newer releases got a fix)
@@ -169626,15 +169626,15 @@ CVE-2021-37819 (PDF Labs pdftk-java v3.2.3 was 
discovered to contain an infinite
[bullseye] - pdftk-java  (Minor issue)
[buster] - pdftk-java  (Minor issue)
- pdftk 2.02-5
-   - libitext-java 
+   - libitext-java  (bug #1059318)
[bookworm] - libitext-java  (Minor issue)
[bullseye] - libitext-java  (Minor issue)
[buster] - libitext-java  (Minor issue)
-   - libitext1-java 
+   - libitext1-java  (bug #1059319)
[bookworm] - libitext1-java  (Minor issue)
[bullseye] - libitext1-java  (Minor issue)
[buster] - libitext1-java  (Minor issue)
-   - libitext5-java 
+   - libitext5-java  (bug #1059320)
[bookworm] - libitext5-java  (Minor issue)
[bullseye] - libitext5-java  (Minor issue)
[buster] - libitext5-java  (Minor issue)
@@ -196775,7 +196775,7 @@ CVE-2021-27206
RESERVED
 CVE-2013-20001 (An issue was discovered in OpenZFS through 2.0.3. When an NFS 
share is ...)
[experimental] - zfs-linux 2.2.0-1~exp1
-   - zfs-linux 
+   - zfs-linux  (bug #1059322)
[bookworm] - zfs-linux  (contrib not supported)
[bullseye] - zfs-linux  (contrib not supported)
NOTE: 
https://github.com/openzfs/zfs/commit/6cb5e1e7591da20af3a15793e022345a73e40fb7 
(zfs-2.2.0-rc1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceecb73f9e3d7915bd927ad0d226409b4b3a213c



[Git][security-tracker-team/security-tracker][master] tcpreplay unimportant

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
57259da0 by Moritz Muehlenhoff at 2023-12-22T15:00:35+01:00
tcpreplay unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -233,8 +233,9 @@ CVE-2023-50377 (Improper Neutralization of Input During Web 
Page Generation ('Cr
 CVE-2023-50119
REJECTED
 CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has 
been id ...)
-   - tcpreplay 
+   - tcpreplay  (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/813
+   NOTE: Crashnin CLI tool, no security impact
 CVE-2023-4255 (An out-of-bounds write issue has been discovered in the 
backspace hand ...)
- w3m  (bug #1059265)
NOTE: 
https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3
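Review bot: typo in the added NOTE, "Crashnin CLI tool" should read "Crash in CLI tool"; the rationale itself (a double free reachable only through tcprewrite's own command-line invocation, hence unimportant) is fine, so only the wording needs fixing.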



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57259da0849269f4071f844a887a7f0d66dd0816



[Git][security-tracker-team/security-tracker][master] bugnums

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f496e701 by Moritz Muehlenhoff at 2023-12-22T14:49:22+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1099,14 +1099,13 @@ CVE-2023-6903 (A vulnerability classified as critical 
has been found in Netentse
 CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated 
Tool-as ...)
NOT-FOR-US: ADiTaaS (Allied Digital Integrated Tool-as-a-Service)
 CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 
allows atta ...)
-   - libcrypto++ 
+   - libcrypto++  (bug #1059312)
NOTE: https://github.com/weidai11/cryptopp/issues/1249
 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows 
attackers to  ...)
-   - libcrypto++ 
+   - libcrypto++  (bug #1059311)
NOTE: https://github.com/weidai11/cryptopp/issues/1248
-   TODO: check details about mitigation applied, but issue in per se 
"unfixed"
 CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side 
channel during ...)
-   - libcrypto++ 
+   - libcrypto++  (bug #1059310)
NOTE: https://github.com/weidai11/cryptopp/issues/1247
 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing 
authoriz ...)
NOT-FOR-US: Redpanda
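Review bot: the deleted TODO for CVE-2023-50980 recorded that the issue is "per se unfixed" upstream with only a mitigation applied; replacing it with just a bug number loses that finding. Keep a NOTE stating the current upstream status (mitigation only, no complete fix) so whoever picks up bug #1059311 does not have to re-derive it from the GitHub issue.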
@@ -1982,7 +1981,7 @@ CVE-2023-40628 (A reflected XSS vulnerability was 
discovered in the Extplorer co
 CVE-2023-40627 (A reflected XSS vulnerability was discovered in the LivingWord 
compone ...)
NOT-FOR-US: Joomla module
 CVE-2023-37457 (Asterisk is an open source private branch exchange and 
telephony toolk ...)
-   - asterisk 
+   - asterisk  (bug #1059303)
NOTE: 
https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh
NOTE: 
https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa
 CVE-2023-3904 (An issue has been discovered in GitLab EE affecting all 
versions start ...)
@@ -2140,7 +2139,7 @@ CVE-2023-40921 (SQL Injection vulnerability in 
functions/point_list.php in Commo
 CVE-2023-31546 (Cross Site Scripting (XSS) vulnerability in DedeBIZ v6.0.3 
allows atta ...)
NOT-FOR-US: DedeBIZ
 CVE-2023-50782 [Bleichenbacher timing oracle attack against RSA decryption - 
incomplete fix for CVE-2020-25659]
-   - python-cryptography 
+   - python-cryptography  (bug #1059308)
[buster] - python-cryptography  (Minor issue; it's an 
incomplete fix of CVE-2020-25659)
NOTE: https://github.com/pyca/cryptography/issues/9785
NOTE: https://people.redhat.com/~hkario/marvin/
@@ -11235,7 +11234,7 @@ CVE-2023-45805 (pdm is a Python package and dependency 
manager supporting the la
NOTE: 
https://github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9
NOTE: 
https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831
 CVE-2023-44483 (All versions of Apache Santuario - XML Security for Java prior 
to 2.2. ...)
-   - libxml-security-java 
+   - libxml-security-java  (bug #1059313)
NOTE: https://www.openwall.com/lists/oss-security/2023/10/20/5
NOTE: https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55
NOTE: https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc
@@ -13938,9 +13937,9 @@ CVE-2023-40008 (Cross-Site Request Forgery (CSRF) 
vulnerability in Gangesh Matta
 CVE-2023-3725 (Potential buffer overflow vulnerability in the Zephyr CAN bus 
subsyste ...)
NOT-FOR-US: Zephyr RTOS (unrelated to src:zephyr)
 CVE-2023-38703 (PJSIP is a free and open source multimedia communication 
library writt ...)
-   - asterisk 
+   - asterisk  (bug #1059303)
- pjproject 
-   - ring 
+   - ring  (bug #1059307)
NOTE: 
https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
NOTE: 
https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d
 (2.14)
 CVE-2023-36465 (Decidim is a participatory democracy framework, written in 
Ruby on Rai ...)
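Review bot: in the CVE-2023-38703 block asterisk and ring now carry bug numbers but "- pjproject" still has none; either file and record the bug for pjproject as well or add a NOTE on why it is tracked without one (the upstream NOTE says the fix is in 2.14, so the entry can be closed with that version once it is uploaded).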
@@ -19701,7 +19700,7 @@ CVE-2023-3251 (A pass-back vulnerability exists where 
an authenticated, remote a
 CVE-2023-39678 (A cross-site scripting (XSS) vulnerability in the device web 
interface ...)
NOT-FOR-US: BDCOM OLT P3310D-2AC
 CVE-2023-39663 (Mathjax up to v2.7.9 was discovered to contain two Regular 
expression  ...)
-   - mathjax 
+   - mathjax  (bug #1059304)
[bookworm] - mathjax  (Minor issue)
[bullseye] - mathjax  (Minor issue)
[buster] - mathjax  (Minor issue)
@@ -20263,11 +20262,11 @@ CVE-2023-40036 (Notepad++ is a free and open-source 
source code editor. Versions
 CVE-2023-40031 (Notepad++ is a free and open-source source code editor. 
Versions 8.5.6 ...)
NOT-FOR-US: Notepad++
 CVE-2023-40030 (Cargo

[Git][security-tracker-team/security-tracker][master] two more CVEs for tinyxml

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
90767b0e by Moritz Muehlenhoff at 2023-12-22T14:45:11+01:00
two more CVEs for tinyxml

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2378,7 +2378,6 @@ CVE-2023-42495 (Dasan Networks - W-Web versions 1.22-1.27 
- CWE-78: Improper Neu
 CVE-2023-34194 (StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in 
TinyXML ...)
- tinyxml 
NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities
-   TODO: check details and embedded copies once assessment for tinyxml done
 CVE-2023-6707 (Use after free in CSS in Google Chrome prior to 120.0.6099.109 
allowed ...)
{DSA-5577-1}
- chromium 120.0.6099.109-1
@@ -3939,7 +3938,8 @@ CVE-2023-40464 (Several versions of ALEOS, including 
ALEOS 4.16.0, use a hardcod
 CVE-2023-40463 (When configured in debugging mode by an authenticated user 
withadm ...)
NOT-FOR-US: ALEOS
 CVE-2023-40462 (The ACEManager component of ALEOS 4.16 and earlier does not
perform ...)
-   NOT-FOR-US: ALEOS
+   - tinyxml 
+   NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities
 CVE-2023-40461 (The ACEManager component of ALEOS 4.16 and earlier allows an   
 authen ...)
NOT-FOR-US: ALEOS
 CVE-2023-40460 (The ACEManager component of ALEOS 4.16 and earlier does not
validat ...)
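Review bot: CVE-2023-40462 is flipped from NOT-FOR-US: ALEOS to "- tinyxml" with only the Forescout URL as justification, and the CVE text still names the ALEOS ACEManager; a one-line NOTE saying that the root cause is in the TinyXML parser, as the CVE-2023-34194 entry makes explicit in its description, would save the next triager from re-deriving that mapping. The same applies to the CVE-2023-40458 hunk below.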
@@ -4960,7 +4960,8 @@ CVE-2023-47463 (Insecure Permissions vulnerability in 
GL.iNet AX1800 version 4.0
 CVE-2023-47418 (Remote Code Execution (RCE) vulnerability in o2oa version 
8.1.2 and be ...)
NOT-FOR-US: p2pa
 CVE-2023-40458 (Loop with Unreachable Exit Condition ('Infinite Loop') 
vulnerability i ...)
-   NOT-FOR-US: Sierra Wireless
+   - tinyxml 
+   NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities
 CVE-2023-3741 (An OS Command injection vulnerability in NEC Platforms DT900 
and DT900 ...)
NOT-FOR-US: NEC
 CVE-2023-37928 (A post-authentication command injection vulnerability in the 
WSGI serv ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90767b0ea7a84688f34450c8f79ddd867ed13328

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90767b0ea7a84688f34450c8f79ddd867ed13328
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] gomarkdown fixed in sid

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3cb288f8 by Moritz Muehlenhoff at 2023-12-22T14:30:41+01:00
gomarkdown fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16251,7 +16251,7 @@ CVE-2023-43270 (dst-admin v1.5.0 was discovered to 
contain a remote command exec
 CVE-2023-43144 (Projectworldsl Assets-management-system-in-php 1.0 is 
vulnerable to SQ ...)
NOT-FOR-US: Projectworldsl Assets-management-system-in-php
 CVE-2023-42821 (The package `github.com/gomarkdown/markdown` is a Go library 
for parsi ...)
-   - golang-github-gomarkdown-markdown 
+   - golang-github-gomarkdown-markdown 0.0~git20231115.a660076-1
[bookworm] - golang-github-gomarkdown-markdown  (Minor issue)
NOTE: 
https://github.com/gomarkdown/markdown/commit/14b16010c2ee7ff33a940a541d993bd043a88940
NOTE: 
https://github.com/gomarkdown/markdown/security/advisories/GHSA-m9xq-6h2j-65r2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb288f81e8fd22d7c3d6aa94c3d478f969ecc00



[Git][security-tracker-team/security-tracker][master] bugnums

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
32e9a182 by Moritz Muehlenhoff at 2023-12-22T14:22:18+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1039,7 +1039,7 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
- putty 0.80-1
- python-asyncssh  (bug #1059007)
- tinyssh 20230101-4 (bug #1059058; unimportant)
-   - trilead-ssh2 
+   - trilead-ssh2  (bug #1059294)
NOTE: https://terrapin-attack.com/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
NOTE: dropbear: 
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
@@ -2147,7 +2147,7 @@ CVE-2023-50782 [Bleichenbacher timing oracle attack 
against RSA decryption - inc
NOTE: https://github.com/openssl/openssl/pull/13817
NOTE: CVE is for incomplete fix of CVE-2020-25659
 CVE-2023-50781 [Bleichenbacher timing attacks in the RSA decryption API - 
incomplete fix for CVE-2020-25657]
-   - m2crypto 
+   - m2crypto  (bug #1059292)
[buster] - m2crypto  (Minor issue; it's an incomplete fix of 
CVE-2020-25657)
NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/342
NOTE: https://people.redhat.com/~hkario/marvin/
@@ -17201,7 +17201,7 @@ CVE-2023-37755 (i-doit pro 25 and below and I-doit open 
25 and below are configu
 CVE-2023-37739 (i-doit Pro v25 and below was discovered to be vulnerable to 
path trave ...)
NOT-FOR-US: I-doit pro
 CVE-2023-36250 (CSV Injection vulnerability in GNOME time tracker version 
3.0.2, allow ...)
-   - hamster-time-tracker 
+   - hamster-time-tracker  (bug #1059296)
NOTE: 
https://github.com/BrunoTeixeira1996/CVE-2023-36250/blob/main/README.md
NOTE: Report sounds a little dubious, it's not really clear whether 
this cross any security boundary
 CVE-2023-2848 (Movim prior to version 0.22 is affected by a Cross-Site 
WebSocket Hija ...)
@@ -21134,7 +21134,7 @@ CVE-2023-39970 (Unrestricted Upload of File with 
Dangerous Type vulnerability in
 CVE-2023-39743 (lrzip-next LZMA v23.01 was discovered to contain an access 
violation v ...)
- lrzip-next  (bug #1042088)
 CVE-2023-39741 (lrzip v0.651 was discovered to contain a heap overflow via the 
libzpaq ...)
-   - lrzip 
+   - lrzip  (bug #1059293)
[bookworm] - lrzip  (Minor issue)
[bullseye] - lrzip  (Minor issue)
[buster] - lrzip  (Minor issue)
@@ -24077,7 +24077,7 @@ CVE-2023-32427 (This issue was addressed by using HTTPS 
when sending information
NOT-FOR-US: Apple
 CVE-2023-37369 (In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 
6.5.x before ...)
{DLA-3539-1}
-   - qt6-base 
+   - qt6-base  (bug #1059302)
[bookworm] - qt6-base  (Minor issue)
- qtbase-opensource-src-gles 5.15.10+dfsg-2
[bookworm] - qtbase-opensource-src-gles  (Minor issue)
@@ -31766,7 +31766,7 @@ CVE-2023-28370 (Open redirect vulnerability in Tornado 
versions 6.3.1 and earlie
[bookworm] - python-tornado  (Minor issue)
[bullseye] - python-tornado  (Minor issue)
[buster] - python-tornado  (Minor issue)
-   - salt 
+   - salt  (bug #1059297)
NOTE: 
https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
 (v6.3.2)
 CVE-2023-27529 (Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) 
contains an ...)
NOT-FOR-US: Wacom Tablet Driver installer
@@ -42676,7 +42676,7 @@ CVE-2023-28439 (CKEditor4 is an open source 
what-you-see-is-what-you-get HTML ed
[bookworm] - ckeditor  (Minor issue)
[bullseye] - ckeditor  (Minor issue)
[buster] - ckeditor  (Minor issue)
-   - ckeditor3 
+   - ckeditor3  (bug #1059301)
[bookworm] - ckeditor3  (Minor issue)
[bullseye] - ckeditor3  (Minor issue)
[buster] - ckeditor3  (No longer supported in LTS)
@@ -47077,7 +47077,8 @@ CVE-2023-27045
 CVE-2023-27044
RESERVED
 CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses 
e-mail ad ...)
-   - python3.11 
+   - python3.12  (bug #1059299)
+   - python3.11  (bug #1059298)
[bookworm] - python3.11  (Minor issue)
- python3.10 
- python3.9 
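Review bot: python3.12 and python3.11 get bug numbers here, but the unchanged python3.10 and python3.9 entries below them remain without a version, bug number or release annotation; if those source packages are on their way out of the archive, a per-entry note (or the ignored-bug package list) should say so, otherwise they still read as open and untracked.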
@@ -49404,7 +49405,7 @@ CVE-2023-26143 (Versions of the package blamer before 
1.0.4 are vulnerable to Ar
 CVE-2023-26142 (All versions of the package crow are vulnerable to HTTP 
Response Split ...)
NOT-FOR-US: Crow
 CVE-2023-26141 (Versions of the package sidekiq before 7.1.3 are vulnerable to 
Denial  ...)
-   - ruby-sidekiq 
+   - ruby-sidekiq  (bug #1059300)
[bookworm] - ruby-sidekiq  (Minor issue)
[bullseye] - ruby-sidekiq  (Minor issue)
[buster] - ruby-sidekiq  (Minor issue, DoS still possible)



View

[Git][security-tracker-team/security-tracker][master] three QT issues fixed in the gles build

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ddf505fe by Moritz Muehlenhoff at 2023-12-22T14:17:15+01:00
three QT issues fixed in the gles build

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24079,7 +24079,7 @@ CVE-2023-37369 (In Qt before 5.15.15, 6.x before 6.2.9, 
and 6.3.x through 6.5.x
{DLA-3539-1}
- qt6-base 
[bookworm] - qt6-base  (Minor issue)
-   - qtbase-opensource-src-gles 
+   - qtbase-opensource-src-gles 5.15.10+dfsg-2
[bookworm] - qtbase-opensource-src-gles  (Minor issue)
[bullseye] - qtbase-opensource-src-gles  (Minor issue)
- qtbase-opensource-src 5.15.10+dfsg-3
@@ -30770,7 +30770,7 @@ CVE-2023-34410 (An issue was discovered in Qt before 
5.15.15, 6.x before 6.2.9,
[bookworm] - qtbase-opensource-src  (Minor issue)
[bullseye] - qtbase-opensource-src  (Minor issue)
[buster] - qtbase-opensource-src  (Minor issue)
-   - qtbase-opensource-src-gles 
+   - qtbase-opensource-src-gles 5.15.10+dfsg-2
[bookworm] - qtbase-opensource-src-gles  (Minor issue)
[bullseye] - qtbase-opensource-src-gles  (Minor issue)
- qt4-x11 
@@ -32109,7 +32109,7 @@ CVE-2023-33285 (An issue was discovered in Qt 5.x 
before 5.15.14, 6.x before 6.2
- qtbase-opensource-src 5.15.8+dfsg-11
[bullseye] - qtbase-opensource-src  (Minor issue)
[buster] - qtbase-opensource-src  (Minor issue)
-   - qtbase-opensource-src-gles 
+   - qtbase-opensource-src-gles 5.15.10+dfsg-2
[bookworm] - qtbase-opensource-src-gles  (Minor issue)
[bullseye] - qtbase-opensource-src-gles  (Minor issue)
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/477644



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddf505fe083b0ad1639e7c5e869aa3dc207e5871



[Git][security-tracker-team/security-tracker][master] no bugs needed for py3.10, blocked from testing and soon removed

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3b747182 by Moritz Muehlenhoff at 2023-12-22T13:55:50+01:00
no bugs needed for py3.10, blocked from testing and soon removed

- - - - -


1 changed file:

- data/packages/ignored-debian-bug-packages


Changes:

=
data/packages/ignored-debian-bug-packages
=
@@ -15,3 +15,4 @@ wpewebkit
 xen
 gcc-9
 gcc-10
+python3.10



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b74718200deb0442d4dae3f8fd99feb20cbc2d1



[Git][security-tracker-team/security-tracker][master] keepass2 issue unimportant

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4bf12703 by Moritz Muehlenhoff at 2023-12-22T13:51:16+01:00
keepass2 issue unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -32730,12 +32730,10 @@ CVE-2023-31409 (Uncontrolled Resource Consumption in 
SICK FTMg AIR FLOW SENSOR w
 CVE-2023-31408 (Cleartext Storage of Sensitive Information in SICK FTMg AIR 
FLOW SENSO ...)
NOT-FOR-US: SICK
 CVE-2023-32784 (In KeePass 2.x before 2.54, it is possible to recover the 
cleartext ma ...)
-   - keepass2 
-   [bookworm] - keepass2  (Minor issue)
-   [bullseye] - keepass2  (Minor issue)
-   [buster] - keepass2  (Minor issue)
+   - keepass2  (unimportant)
NOTE: https://github.com/vdohney/keepass-password-dumper
NOTE: 
https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/
+   NOTE: Negligible security impact
 CVE-2023-32758 (giturlparse (aka git-url-parse) through 1.2.2, as used in 
Semgrep 1.5. ...)
NOT-FOR-US: git-url-parse
 CVE-2023-2700 (A vulnerability was found in libvirt. This security flaw 
ouccers due t ...)
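Review bot: the new "NOTE: Negligible security impact" states the conclusion but not the reason; since the per-release "Minor issue" lines are dropped in the same hunk and "unimportant" now governs all suites, one clause on why recovering the master password from a memory dump is considered out of scope (the keepass-password-dumper link above is the only hint) would let a later reader verify the downgrade without re-reading the upstream thread.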



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bf12703e2ca21a68e367607b1533fe13d87a061



[Git][security-tracker-team/security-tracker][master] bugnums

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
91d80e70 by Moritz Muehlenhoff at 2023-12-22T13:36:37+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -386,7 +386,7 @@ CVE-2023-41166 (An issue was discovered in Stormshield 
Network Security (SNS) 3.
 CVE-2023-7018 (Deserialization of Untrusted Data in GitHub repository 
huggingface/tra ...)
NOT-FOR-US: Transformers
 CVE-2023-7008 [Unsigned name response in signed zone is not refused when 
DNSSEC=yes]
-   - systemd 
+   - systemd  (bug #1059278)
[bookworm] - systemd  (Minor issue)
[bullseye] - systemd  (Minor issue)
[buster] - systemd  (Minor issue, should be fixed after 
newer releases are done)
@@ -1033,7 +1033,7 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
- proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144)
[bookworm] - proftpd-dfsg  (Minor issue)
[bullseye] - proftpd-dfsg  (Minor issue)
-   - proftpd-mod-proxy 
+   - proftpd-mod-proxy  (bug #1059290)
- putty 0.80-1
- python-asyncssh  (bug #1059007)
- tinyssh 20230101-4 (bug #1059058; unimportant)
@@ -1777,11 +1777,11 @@ CVE-2023-50564 (An arbitrary file upload vulnerability 
in the component /inc/mod
 CVE-2023-50563 (Semcms v4.8 was discovered to contain a SQL injection 
vulnerability vi ...)
NOT-FOR-US: Semcms
 CVE-2023-50472 (cJSON v1.7.16 was discovered to contain a segmentation 
violation via t ...)
-   - cjson 
+   - cjson  (bug #1059287)
NOTE: https://github.com/DaveGamble/cJSON/issues/803
NOTE: Fixed by: 
https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
 CVE-2023-50471 (cJSON v1.7.16 was discovered to contain a segmentation 
violation via t ...)
-   - cjson 
+   - cjson  (bug #1059287)
NOTE: https://github.com/DaveGamble/cJSON/issues/802
NOTE: Fixed by: 
https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
 CVE-2023-50371 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
@@ -1920,7 +1920,7 @@ CVE-2023-48631 (@adobe/css-tools versions 4.3.1 and 
earlier are affected by an I
 CVE-2023-47261 (Dokmee ECM 7.4.6 allows remote code execution because the 
response to  ...)
NOT-FOR-US: Dokmee ECM
 CVE-2023-46750 (URL Redirection to Untrusted Site ('Open Redirect') 
vulnerability when ...)
-   - shiro 
+   - shiro  (bug #1059288)
[bookworm] - shiro  (Minor issue)
[bullseye] - shiro  (Minor issue)
[buster] - shiro  (Minor issue)
@@ -3264,14 +3264,14 @@ CVE-2023-49493 (DedeCMS v5.7.111 was discovered to 
contain a reflective cross-si
 CVE-2023-49492 (DedeCMS v5.7.111 was discovered to contain a reflective 
cross-site scr ...)
NOT-FOR-US: DedeCMS
 CVE-2023-49468 (Libde265 v1.0.14 was discovered to contain a global buffer 
overflow vu ...)
-   - libde265 
+   - libde265  (bug #1059275)
NOTE: https://github.com/strukturag/libde265/issues/432
NOTE: Fixed by: 
https://github.com/strukturag/libde265/commit/3e822a3ccf88df1380b165d6ce5a00494a27ceeb
 CVE-2023-49467 (Libde265 v1.0.14 was discovered to contain a 
heap-buffer-overflow vuln ...)
-   - libde265 
+   - libde265  (bug #1059275)
NOTE: https://github.com/strukturag/libde265/issues/434
 CVE-2023-49465 (Libde265 v1.0.14 was discovered to contain a 
heap-buffer-overflow vuln ...)
-   - libde265 
+   - libde265  (bug #1059275)
NOTE: https://github.com/strukturag/libde265/issues/435
 CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation 
violation via ...)
- libheif  (bug #1059151)
@@ -7947,10 +7947,10 @@ CVE-2023-47005 (An issue in ASUS RT-AX57 
v.3.0.0.4_386_52041 allows a remote att
 CVE-2023-46492 (Cross Site Scripting vulnerability in MLDB.ai v.2017.04.17.0 
allows a  ...)
NOT-FOR-US: MLDB.ai
 CVE-2023-46363 (jbig2enc v0.28 was discovered to contain a SEGV via 
jbig2_add_page in  ...)
-   - jbig2enc 
+   - jbig2enc  (bug #1059285)
NOTE: https://github.com/agl/jbig2enc/issues/85
 CVE-2023-46362 (jbig2enc v0.28 was discovered to contain a heap-use-after-free 
via jbi ...)
-   - jbig2enc 
+   - jbig2enc  (bug #1059284)
NOTE: https://github.com/agl/jbig2enc/issues/84
 CVE-2023-45875 (An issue was discovered in Couchbase Server 7.2.0. There is a 
private  ...)
NOT-FOR-US: Couchbase Server
@@ -9720,7 +9720,7 @@ CVE-2023-46510 (An issue in ZIONCOM (Hong Kong) 
Technology Limited A7000R v.4.1c
 CVE-2023-46509 (An issue in Contec SolarView Compact v.6.0 and before allows 
an attack ...)
NOT-FOR-US: Contec SolarView Compact
 CVE-2023-46490 (SQL Injection vulnerability in Cacti v1.2.25 allows a remote 
attacker  ...)
-   - cacti

[Git][security-tracker-team/security-tracker][master] add openbabel reference

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1bf21fe4 by Moritz Muehlenhoff at 2023-12-22T13:27:14+01:00
add openbabel reference

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -69170,48 +69170,56 @@ CVE-2022-46295 (Multiple out-of-bounds write 
vulnerabilities exist in the transl
[bullseye] - openbabel  (Minor issue)
[buster] - openbabel  (Minor issue, no upstream patch yet)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
+   NOTE: https://github.com/openbabel/openbabel/issues/2650
 CVE-2022-46294 (Multiple out-of-bounds write vulnerabilities exist in the 
translationV ...)
- openbabel 
[bookworm] - openbabel  (Minor issue)
[bullseye] - openbabel  (Minor issue)
[buster] - openbabel  (Minor issue, no upstream patch yet)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
+   NOTE: https://github.com/openbabel/openbabel/issues/2650
 CVE-2022-46293 (Multiple out-of-bounds write vulnerabilities exist in the 
translationV ...)
- openbabel 
[bookworm] - openbabel  (Minor issue)
[bullseye] - openbabel  (Minor issue)
[buster] - openbabel  (Minor issue, no upstream patch yet)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
+   NOTE: https://github.com/openbabel/openbabel/issues/2650
 CVE-2022-46292 (Multiple out-of-bounds write vulnerabilities exist in the 
translationV ...)
- openbabel 
[bookworm] - openbabel  (Minor issue)
[bullseye] - openbabel  (Minor issue)
[buster] - openbabel  (Minor issue, no upstream patch yet)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
+   NOTE: https://github.com/openbabel/openbabel/issues/2650
 CVE-2022-46291 (Multiple out-of-bounds write vulnerabilities exist in the 
translationV ...)
- openbabel 
[bookworm] - openbabel  (Minor issue)
[bullseye] - openbabel  (Minor issue)
[buster] - openbabel  (Minor issue, no upstream patch yet)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
+   NOTE: https://github.com/openbabel/openbabel/issues/2650
 CVE-2022-46290 (Multiple out-of-bounds write vulnerabilities exist in the ORCA 
format  ...)
- openbabel 
[bookworm] - openbabel  (Minor issue)
[bullseye] - openbabel  (Minor issue)
[buster] - openbabel  (Minor issue, no upstream patch yet)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665
+   NOTE: https://github.com/openbabel/openbabel/issues/2650
 CVE-2022-46289 (Multiple out-of-bounds write vulnerabilities exist in the ORCA 
format  ...)
- openbabel 
[bookworm] - openbabel  (Minor issue)
[bullseye] - openbabel  (Minor issue)
[buster] - openbabel  (Minor issue, no upstream patch yet)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665
+   NOTE: https://github.com/openbabel/openbabel/issues/2650
 CVE-2022-46280 (A use of uninitialized pointer vulnerability exists in the PQS 
format  ...)
- openbabel 
[bookworm] - openbabel  (Minor issue)
[bullseye] - openbabel  (Minor issue)
[buster] - openbabel  (Minor issue, no upstream patch yet)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1670
+   NOTE: https://github.com/openbabel/openbabel/issues/2650
 CVE-2022-46278
RESERVED
 CVE-2022-46277
@@ -69254,6 +69262,7 @@ CVE-2022-44451 (A use of uninitialized pointer 
vulnerability exists in the MSI f
[bullseye] - openbabel  (Minor issue)
[buster] - openbabel  (Minor issue, no upstream patch yet)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1669
+   NOTE: https://github.com/openbabel/openbabel/issues/2650
 CVE-2022-43664 (A use-after-free vulnerability exists within the way Ichitaro 
Word Pro ...)
NOT-FOR-US: Ichitaro
 CVE-2022-43663 (An integer conversion vulnerability exists in the SORBAx64.dll 
RecvPac ...)
@@ -69266,12 +69275,14 @@ CVE-2022-43467 (An out-of-bounds write vulnerability 
exists in the PQS format co
[bullseye] - openbabel  (Minor issue)
[buster] - openbabel  (Minor issue, no upstream patch yet)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1671
+   NOTE: https://github.com/openbabel/openbabel/issues/2650
 CVE-2022-42885 (A use of uninitialized pointer vulnerability exists in the GRO 
format  ...)
- openbabel 
[bookworm] - openbabel  (Minor issue)
[bullseye] - openbabel  (Minor issue)
[buster] - openbabel  (Minor issue, no upstream patch yet)
NOTE: 
https://talosintelligence.com

[Git][security-tracker-team/security-tracker][master] add reference for proftpd-mod-proxy

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ad946e3a by Moritz Muehlenhoff at 2023-12-22T13:25:26+01:00
add reference for proftpd-mod-proxy

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1056,6 +1056,7 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
NOTE: proftpd: 
https://github.com/proftpd/proftpd/commit/7fba68ebb3ded3047a35aa639e115eba7d585682
 (v1.3.9rc2)
NOTE: proftpd: 
https://github.com/proftpd/proftpd/commit/bcec15efe6c53dac40420731013f1cd2fd54123b
 (v1.3.8b)
NOTE: proftpd-mod-proxy: 
https://github.com/Castaglia/proftpd-mod_proxy/issues/257
+   NOTE: proftpd-mod-proxy: 
https://github.com/Castaglia/proftpd-mod_proxy/commit/54612735629231de2242d6395d334539604872fb
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9e099151574885f3c717ac10a633a9218db8e7bb
 (0.80)
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2e7086902b3605c96e54ef9c956ca7ab10e
 (0.80)
NOTE: PuTTY: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fcbb86f715bc03e58921482efe663aa0c662d62
 (0.80)
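Review bot: the other fix references in this hunk carry the release that contains the commit ((v1.3.9rc2), (v1.3.8b), (0.80)), but the added proftpd-mod_proxy commit 54612735 has none; add the mod_proxy release tag if one exists, or note that the fix is unreleased, so the fixed version can be cross-checked against the package entries.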



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad946e3a0d07591d23702ce60d8ce75697f89965



[Git][security-tracker-team/security-tracker][master] no bugs needed for GCC 9/GCC10

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
342011c0 by Moritz Muehlenhoff at 2023-12-22T12:57:56+01:00
no bugs needed for GCC 9/GCC10

These won't get included in any new releases and will eventually be removed

- - - - -


1 changed file:

- data/packages/ignored-debian-bug-packages


Changes:

=
data/packages/ignored-debian-bug-packages
=
@@ -13,3 +13,5 @@ chromium
 webkit2gtk
 wpewebkit
 xen
+gcc-9
+gcc-10



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/342011c005d0321cdb00446ebb3efe94999b45f2



[Git][security-tracker-team/security-tracker][master] add xen to packages not to flag as in need of bugs filed

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6a414a09 by Moritz Muehlenhoff at 2023-12-22T12:51:25+01:00
add xen to packages not to flag as in need of bugs filed

The maintainers closely follow the XSA announcements and fixes land via
tree updates anyway.

- - - - -


1 changed file:

- data/packages/ignored-debian-bug-packages


Changes:

=
data/packages/ignored-debian-bug-packages
=
@@ -12,3 +12,4 @@ thunderbird
 chromium
 webkit2gtk
 wpewebkit
+xen



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a414a0909bffea734eee3ece19ece527f0e809a



[Git][security-tracker-team/security-tracker][master] bugnums

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c6312bf by Moritz Muehlenhoff at 2023-12-22T10:58:53+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -114,7 +114,7 @@ CVE-2023-48685 (Railway Reservation System v1.0 is 
vulnerable to multiple Unauth
 CVE-2023-48308 (Nextcloud/Cloud is a calendar app for Nextcloud. An attacker 
can gain  ...)
NOT-FOR-US: Nextcloud calendar app
 CVE-2023-48298 (ClickHouse\xae is an open-source column-oriented database 
management s ...)
-   - clickhouse 
+   - clickhouse  (bug #1059261)
NOTE: 
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938
NOTE: https://github.com/ClickHouse/ClickHouse/pull/56795
 CVE-2023-46649 (A race condition in GitHub Enterprise Server was identified 
that could ...)
@@ -231,7 +231,7 @@ CVE-2023-50119
 CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has 
been id ...)
TODO: check
 CVE-2023-4255 (An out-of-bounds write issue has been discovered in the 
backspace hand ...)
-   - w3m 
+   - w3m  (bug #1059265)
NOTE: 
https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3
NOTE: https://github.com/tats/w3m/issues/268
NOTE: https://github.com/tats/w3m/pull/273
@@ -459,7 +459,7 @@ CVE-2023-47507 (Deserialization of Untrusted Data 
vulnerability in Master Slider
 CVE-2023-47236 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-47118 (ClickHouse\xae is an open-source column-oriented database 
management s ...)
-   - clickhouse 
+   - clickhouse  (bug #1059261)
NOTE: 
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v
 CVE-2023-46311 (Authorization Bypass Through User-Controlled Key vulnerability 
in gVec ...)
NOT-FOR-US: WordPress plugin
@@ -4105,11 +4105,11 @@ CVE-2023-5332 (Patch in third party library Consul 
requires 'enable-script-check
 CVE-2023-49287 (TinyDir is a lightweight C directory and file reader. Buffer 
overflows ...)
- falcosecurity-libs  (bug #1059256)
- gemmi  (bug #1059257)
-   - lwip  (bug #1059259)
NOTE: https://www.openwall.com/lists/oss-security/2023/12/04/1
NOTE: 
https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
NOTE: 
https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
NOTE: 
https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt
+   NOTE: lwip embeds a copy of tinydir, but it's unused, see bug #1059259
 CVE-2023-49108 (Path traversal vulnerability exists in RakRak Document Plus 
Ver.3.2.0. ...)
NOT-FOR-US: RakRak Document Plus
 CVE-2023-49093 (HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is 
vulnerab ...)
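Review bot: dropping the "- lwip" line entirely removes lwip from the affected-source list for CVE-2023-49287, leaving only the free-form NOTE to record that it embeds an unused copy of tinydir; recording lwip as not affected with that reason keeps the embedded-copy relationship visible to tooling and to anyone grepping for lwip, rather than relying on the NOTE alone.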
@@ -76684,13 +76684,13 @@ CVE-2022-44013 (An issue was discovered in Simmeth 
Lieferantenmanager before 5.6
 CVE-2022-44012 (An issue was discovered in 
/DS/LM_API/api/SelectionService/InsertQuery ...)
NOT-FOR-US: Simmeth Lieferantenmanager
 CVE-2022-44011 (An issue was discovered in ClickHouse before 22.9.1.2603. An 
authentic ...)
-   - clickhouse 
+   - clickhouse  (bug #1059261)
[bookworm] - clickhouse  (Minor issue)
[bullseye] - clickhouse  (Minor issue)
[buster] - clickhouse  (Minor issue, DoS)
NOTE: https://github.com/ClickHouse/ClickHouse/pull/40241
 CVE-2022-44010 (An issue was discovered in ClickHouse before 22.9.1.2603. An 
attacker  ...)
-   - clickhouse 
+   - clickhouse  (bug #1059261)
[bookworm] - clickhouse  (Minor issue)
[bullseye] - clickhouse  (Minor issue)
[buster] - clickhouse  (Minor issue, DoS)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c6312bf8952f907f089ed432925cc9708f92b56



[Git][security-tracker-team/security-tracker][master] new w3m issue

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e936c290 by Moritz Muehlenhoff at 2023-12-22T10:36:34+01:00
new w3m issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -231,7 +231,10 @@ CVE-2023-50119
 CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has 
been id ...)
TODO: check
 CVE-2023-4255 (An out-of-bounds write issue has been discovered in the 
backspace hand ...)
-   TODO: check
+   - w3m 
+   NOTE: 
https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3
+   NOTE: https://github.com/tats/w3m/issues/268
+   NOTE: https://github.com/tats/w3m/pull/273
 CVE-2023-49826 (Deserialization of Untrusted Data vulnerability in PenciDesign 
Soledad ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-49778 (Deserialization of Untrusted Data vulnerability in Hakan 
Demiray Sayfa ...)
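Review bot: the new "- w3m" line shows an empty fixed-version field and comes with no [bookworm]/[bullseye] triage lines, although the description is an out-of-bounds write. The tracker syntax expects a version or a status marker (such as the unfixed marker) after the package name, and this archive appears to drop angle-bracketed tokens in rendering (compare the double space in "(Minor issue)" lines elsewhere), so confirm the marker is present in the committed file and add the per-release assessment of whether the tats/w3m commit edc6026 needs backporting.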



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e936c290b6d534494b7fdd8048981a9ad9d0bb9b




[Git][security-tracker-team/security-tracker][master] bugnums

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1b1cddff by Moritz Muehlenhoff at 2023-12-22T10:12:32+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -78,11 +78,11 @@ CVE-2023-49678 (Job Portal v1.0 is vulnerable to multiple 
Unauthenticated SQL In
 CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
NOT-FOR-US: Job Portal
 CVE-2023-49086 (Cacti is a robust performance and fault management framework 
and a fro ...)
-   - cacti 
+   - cacti  (bug #1059254)
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr
NOTE: 
https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
 CVE-2023-49084 (Cacti is a robust performance and fault management framework 
and a fro ...)
-   - cacti 
+   - cacti  (bug #1059254)
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
NOTE: 
https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
 CVE-2023-48723 (Student Result Management System v1.0 is vulnerable to 
multiple Unauth ...)
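Review bot: both cacti entries receive the same bug #1059254 although they track two different advisories (GHSA-wc73-r2vw-59pr and GHSA-pfh9-gwm6-86vp). That is fine if one Debian bug deliberately covers both, but the bug title should then name both CVEs so the BTS and the tracker stay in sync.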
@@ -4100,7 +4100,9 @@ CVE-2023-5332 (Patch in third party library Consul 
requires 'enable-script-check
NOTE: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171
NOTE: 
https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations
 CVE-2023-49287 (TinyDir is a lightweight C directory and file reader. Buffer 
overflows ...)
-   TODO: potentally affects falcosecurity-libs, gemmi, lwip
+   - falcosecurity-libs  (bug #1059256)
+   - gemmi  (bug #1059257)
+   - lwip  (bug #1059259)
NOTE: https://www.openwall.com/lists/oss-security/2023/12/04/1
NOTE: 
https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
NOTE: 
https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
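Review bot: the TODO is resolved into three package lines (falcosecurity-libs, gemmi, lwip) with separate bugs but no [bookworm]/[bullseye] status. Because these are embedded copies of tinydir rather than a tinydir package, each entry would benefit from a NOTE: naming the vendored file path or tinydir version shipped, so the per-release check against upstream commit 8124807 can be redone later without re-deriving it.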



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b1cddffbc54494cbe40264420db250fd120019c



[Git][security-tracker-team/security-tracker][master] NFU / add tinydir references

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6ba6b1ba by Moritz Muehlenhoff at 2023-12-22T09:49:53+01:00
NFU / add tinydir references

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -215,7 +215,7 @@ CVE-2023-50822 (Improper Neutralization of Input During Web 
Page Generation ('Cr
 CVE-2023-50732 (XWiki Platform is a generic wiki platform offering runtime 
services fo ...)
NOT-FOR-US: XWiki
 CVE-2023-50724 (Resque (pronounced like "rescue") is a Redis-backed library 
for creati ...)
-   TODO: check
+   NOT-FOR-US: Resque
 CVE-2023-50481 (An issue was discovered in blinksocks version 3.3.8, allows 
remote att ...)
NOT-FOR-US: blinksocks
 CVE-2023-50477 (An issue was discovered in nos client version 0.6.6, allows 
remote att ...)
@@ -4102,6 +4102,8 @@ CVE-2023-49287 (TinyDir is a lightweight C directory and 
file reader. Buffer ove
TODO: potentally affects falcosecurity-libs, gemmi, lwip
NOTE: https://www.openwall.com/lists/oss-security/2023/12/04/1
NOTE: 
https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
+   NOTE: 
https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
+   NOTE: 
https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt
 CVE-2023-49108 (Path traversal vulnerability exists in RakRak Document Plus 
Ver.3.2.0. ...)
NOT-FOR-US: RakRak Document Plus
 CVE-2023-49093 (HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is 
vulnerab ...)
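Review bot: the kept context line "TODO: potentally affects falcosecurity-libs, gemmi, lwip" has a typo (potentially), and the three candidate packages are still not turned into package lines here; the added fix commit and the HNS-2023-04 writeup give enough to do that, which the later "bugnums" commit on this page does.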



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ba6b1ba8336464c1551490aad6f7332f4ce4382



[Git][security-tracker-team/security-tracker][master] new clickhouse issue

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e5465a3 by Moritz Muehlenhoff at 2023-12-22T09:39:48+01:00
new clickhouse issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -114,7 +114,9 @@ CVE-2023-48685 (Railway Reservation System v1.0 is 
vulnerable to multiple Unauth
 CVE-2023-48308 (Nextcloud/Cloud is a calendar app for Nextcloud. An attacker 
can gain  ...)
NOT-FOR-US: Nextcloud calendar app
 CVE-2023-48298 (ClickHouse\xae is an open-source column-oriented database 
management s ...)
-   TODO: check
+   - clickhouse 
+   NOTE: 
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938
+   NOTE: https://github.com/ClickHouse/ClickHouse/pull/56795
 CVE-2023-46649 (A race condition in GitHub Enterprise Server was identified 
that could ...)
NOT-FOR-US: GitHub Enterprise Server
 CVE-2023-46648 (An insufficient entropy vulnerability was identified in GitHub 
Enterpr ...)
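Review bot: the new clickhouse entry gets an upstream advisory and PR 56795 but no [bookworm]/[bullseye]/[buster] lines, whereas the other clickhouse entries on this page (CVE-2022-44010 and CVE-2022-44011) carry per-release annotations; add the release assessment. The description line also shows the trademark sign as the raw "\xae" escape, which suggests a non-UTF-8 import into data/CVE/list worth checking.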



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e5465a3e91db999312049b6fe0106c6db8b560a



[Git][security-tracker-team/security-tracker][master] cacti commit references

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7647c309 by Moritz Muehlenhoff at 2023-12-22T09:36:01+01:00
cacti commit references

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -80,9 +80,11 @@ CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple 
Unauthenticated SQL In
 CVE-2023-49086 (Cacti is a robust performance and fault management framework 
and a fro ...)
- cacti 
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr
+   NOTE: 
https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
 CVE-2023-49084 (Cacti is a robust performance and fault management framework 
and a fro ...)
- cacti 
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
+   NOTE: 
https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
 CVE-2023-48723 (Student Result Management System v1.0 is vulnerable to 
multiple Unauth ...)
NOT-FOR-US: Student Result Management System
 CVE-2023-48722 (Student Result Management System v1.0 is vulnerable to 
multiple Unauth ...)
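Review bot: the same fix commit 58a980f is recorded under both CVE-2023-49086 and CVE-2023-49084, which track different advisories. That is plausible for one combined upstream commit, but a short NOTE: stating that the commit fixes both would save the next triager from suspecting a copy-paste error.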



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7647c3092cd4e417d5748b7a6f2b7ee874b4637e



[Git][security-tracker-team/security-tracker][master] new cacti issues

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
490d841c by Moritz Muehlenhoff at 2023-12-22T09:31:44+01:00
new cacti issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -78,9 +78,11 @@ CVE-2023-49678 (Job Portal v1.0 is vulnerable to multiple 
Unauthenticated SQL In
 CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
NOT-FOR-US: Job Portal
 CVE-2023-49086 (Cacti is a robust performance and fault management framework 
and a fro ...)
-   TODO: check
+   - cacti 
+   NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr
 CVE-2023-49084 (Cacti is a robust performance and fault management framework 
and a fro ...)
-   TODO: check
+   - cacti 
+   NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
 CVE-2023-48723 (Student Result Management System v1.0 is vulnerable to 
multiple Unauth ...)
NOT-FOR-US: Student Result Management System
 CVE-2023-48722 (Student Result Management System v1.0 is vulnerable to 
multiple Unauth ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/490d841c34027c6daa5c7d272e9b799e538a8aa5



[Git][security-tracker-team/security-tracker][master] NFUs

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e7c1973f by Moritz Muehlenhoff at 2023-12-22T09:30:33+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,17 +19,17 @@ CVE-2023-7051 (A vulnerability was found in PHPGurukul 
Online Notes Sharing Syst
 CVE-2023-7050 (A vulnerability has been found in PHPGurukul Online Notes 
Sharing Syst ...)
NOT-FOR-US: PHPGurukul Online Notes Sharing System
 CVE-2023-6847 (An improper authentication vulnerability was identified in 
GitHub Ente ...)
-   TODO: check
+   NOT-FOR-US: GitHub Enterprise Server
 CVE-2023-6804 (Improper privilege management allowed arbitrary workflows to be 
commit ...)
-   TODO: check
+   NOT-FOR-US: GitHub Enterprise Server
 CVE-2023-6803 (A race condition in GitHub Enterprise Server allows an outside 
collabo ...)
-   TODO: check
+   NOT-FOR-US: GitHub Enterprise Server
 CVE-2023-6802 (An insertion of sensitive information into the log file in the 
audit l ...)
-   TODO: check
+   NOT-FOR-US: GitHub Enterprise Server
 CVE-2023-6746 (An insertion of sensitive information into log file 
vulnerability was  ...)
-   TODO: check
+   NOT-FOR-US: GitHub Enterprise Server
 CVE-2023-6690 (A race condition in GitHub Enterprise Server allowed an 
existing admin ...)
-   TODO: check
+   NOT-FOR-US: GitHub Enterprise Server
 CVE-2023-51713 (make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte 
out-of- ...)
- proftpd-dfsg 1.3.8.a+dfsg-1
NOTE: https://github.com/proftpd/proftpd/issues/1683
@@ -46,87 +46,87 @@ CVE-2023-51704 (An issue was discovered in MediaWiki before 
1.35.14, 1.36.x thro
NOTE: 
https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/TDBUBCCOQJUT4SCHJNPHKQNPBUUETY52/
NOTE: https://phabricator.wikimedia.org/T347726
 CVE-2023-51380 (An incorrect authorization vulnerability was identified in 
GitHub Ente ...)
-   TODO: check
+   NOT-FOR-US: GitHub Enterprise Server
 CVE-2023-51379 (An incorrect authorization vulnerability was identified in 
GitHub Ente ...)
-   TODO: check
+   NOT-FOR-US: GitHub Enterprise Server
 CVE-2023-49690 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49689 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49688 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49687 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49686 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49685 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49684 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49683 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49682 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49681 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49680 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49679 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49678 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL 
Injectio ...)
-   TODO: check
+   NOT-FOR-US: Job Portal
 CVE-2023-49086 (Cacti is a robust performance and fault management framework 
and a fro ...)
TODO: check
 CVE-2023-49084 (Cacti is a robust performance and fault management framework 
and a fro ...)
TODO: check
 CVE-2023-48723 (Student Result Management System v1.0 is vulnerable to 
multiple Unauth ...)
-   TODO: check
+   NOT-FOR-US: Student Result Management System
 CVE-2023-48722 (Student Result Management System v1.0 is vulnerable to 
multiple Unauth ...)
-   TODO: check
+   NOT-FOR-US: Student Result Management System
 CVE-2023-48720 (Student Result Management System v1.0 is vulnerable to 
multiple Unauth

[Git][security-tracker-team/security-tracker][master] new mediawiki issue

2023-12-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
40720b12 by Moritz Muehlenhoff at 2023-12-22T09:27:30+01:00
new mediawiki issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37,7 +37,11 @@ CVE-2023-51708 (Bentley eB System Management Console 
applications within Assetwi
 CVE-2023-51707 (MotionPro in Array ArrayOS AG before 9.4.0.505 on AG and vxAG 
allows r ...)
NOT-FOR-US: MotionPro
 CVE-2023-51704 (An issue was discovered in MediaWiki before 1.35.14, 1.36.x 
through 1. ...)
-   TODO: check
+   - mediawiki 
+   [bookworm] - mediawiki  (Minor issue, fix along in next 
update)
+   [bullseye] - mediawiki  (Minor issue, fix along in next 
update)
+   NOTE: 
https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/TDBUBCCOQJUT4SCHJNPHKQNPBUUETY52/
+   NOTE: https://phabricator.wikimedia.org/T347726
 CVE-2023-51380 (An incorrect authorization vulnerability was identified in 
GitHub Ente ...)
TODO: check
 CVE-2023-51379 (An incorrect authorization vulnerability was identified in 
GitHub Ente ...)
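Review bot: the NOTE: URL for the wikimedia thread reads "wikitec...@lists.wikimedia.org" here, which is the archive's address obfuscation rather than the real path, so anyone copying it from this message gets a dead link; make sure the committed file carries the unmangled list address. Also, "(Minor issue, fix along in next update)" on bookworm and bullseye with an empty status field reads like a no-dsa marker was intended; confirm it is present.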



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40720b1261a9724204f90d71c404367e4f62dfdd



[Git][security-tracker-team/security-tracker][master] chromium fixed in sid

2023-12-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60d4ba8b by Moritz Muehlenhoff at 2023-12-21T20:51:04+01:00
chromium fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25,7 +25,7 @@ CVE-2023-7026 (A vulnerability was found in Lightxun IPTV 
Gateway up to 20231208
 CVE-2023-7025 (A vulnerability was found in KylinSoft hedron-domain-hook up to 
3.8.0. ...)
NOT-FOR-US: KylinSoft hedron-domain-hook
 CVE-2023-7024
-   - chromium 
+   - chromium 120.0.6099.129-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-7023 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has 
been ra ...)
NOT-FOR-US: Tongda OA



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60d4ba8bd5aede053b9d06a5999efe614183ed0b



[Git][security-tracker-team/security-tracker][master] add cross reference

2023-12-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9a5242e by Moritz Mühlenhoff at 2023-12-21T20:20:01+01:00
add cross reference

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14985,6 +14985,7 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read 
Information Disclosure Vu
NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023- [AV1 codec parser buffer overflow]
- gst-plugins-bad1.0 1.22.8-1
+   [bookworm] - gst-plugins-bad1.0 1.22.0-4+deb12u4
[bullseye] - gst-plugins-bad1.0  (Vulnerable code not 
present)
[buster] - gst-plugins-bad1.0  (Vulnerable code not 
present)
- gst-plugins-bad0.10  (Vulnerable code not present)
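Review bot: the entry being cross-referenced is still the placeholder "CVE-2023- [AV1 codec parser buffer overflow]" with no CVE id, so the bookworm version 1.22.0-4+deb12u4 added here has no {DSA-5583-1} line to pair with. Once the id is assigned, add both the CVE id and the DSA cross-reference so the tracker links this fix to the advisory.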



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9a5242eb13d59cc1a5cff10f3e4a3ad67c19cca



[Git][security-tracker-team/security-tracker][master] gst-plugins-bad1.0, thunderbird DSAs

2023-12-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e2e33f3 by Moritz Mühlenhoff at 2023-12-21T20:18:23+01:00
gst-plugins-bad1.0, thunderbird DSAs

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,9 @@
+[21 Dec 2023] DSA-5583-1 gst-plugins-bad1.0 - security update
+   [bookworm] - gst-plugins-bad1.0 1.22.0-4+deb12u4
+[21 Dec 2023] DSA-5582-1 thunderbird - security update
+   {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 
CVE-2023-6861 CVE-2023-6862 CVE-2023-6864 CVE-2023-6873 CVE-2023-50761 
CVE-2023-50762}
+   [bullseye] - thunderbird 1:115.6.0-1~deb11u1
+   [bookworm] - thunderbird 1:115.6.0-1~deb12u1
 [20 Dec 2023] DSA-5581-1 firefox-esr - security update
{CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 
CVE-2023-6861 CVE-2023-6862 CVE-2023-6863 CVE-2023-6864 CVE-2023-6865 
CVE-2023-6867}
[bullseye] - firefox-esr 115.6.0esr-1~deb11u1
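Review bot: DSA-5582-1 for thunderbird lists CVE-2023-6873 in its CVE set, but the 12:35 commit on this page ("CVE-2023-6873 only affects src:firefox") removed the thunderbird line from that CVE's entry; one of the two needs reconciling, or a NOTE: explaining why the advisory still names it. DSA-5583-1 for gst-plugins-bad1.0 is added without a {CVE-...} line, which is expected while the AV1 parser issue still sits in data/CVE/list as "CVE-2023- [AV1 codec parser buffer overflow]", but it will need the id once assigned.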


=
data/dsa-needed.txt
=
@@ -29,8 +29,6 @@ frr
 --
 gpac/oldstable
 --
-gst-plugins-bad1.0 (jmm)
---
 h2o (jmm)
 --
 haproxy (carnil)
@@ -99,8 +97,6 @@ slurm-wlm
 --
 squid
 --
-thunderbird (jmm)
---
 varnish
 --
 zbar



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e2e33f3a0ad6e49954a2b4877e60aca15e70e07



[Git][security-tracker-team/security-tracker][master] NFUs

2023-12-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
66bc6291 by Moritz Muehlenhoff at 2023-12-21T15:43:36+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,13 @@
+CVE-2023-48291
+   - airflow  (bug #819700)
+CVE-2023-47265
+   - airflow  (bug #819700)
+CVE-2023-49920
+   - airflow  (bug #819700)
+CVE-2023-50783
+   - airflow  (bug #819700)
+CVE-2023-51656
+   NOT-FOR-US: Apache IoTDB
 CVE-2023- [RUSTSEC-2023-0075]
- rust-unsafe-libyaml 
NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0075.html
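Review bot: all four new airflow entries point at bug #819700, a number far below the #1059xxx range used for the other reports in these commits, so it is presumably a long-standing packaging bug rather than a report for these CVEs; a NOTE: saying so would stop triagers from treating it as a per-CVE bug. The same applies to grails and bug #473213 in the next hunk.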
@@ -50,7 +60,7 @@ CVE-2023-48433 (Online Voting System Project v1.0 is 
vulnerable to multiple Unau
 CVE-2023-47093 (An issue was discovered in Stormshield Network Security (SNS) 
4.0.0 th ...)
NOT-FOR-US: Stormshield Network Security (SNS)
 CVE-2023-46131 (Grails is a framework used to build web applications with the 
Groovy p ...)
-   TODO: check
+   - grails  (bug #473213)
 CVE-2023-45703 (HCL Launch may mishandle input validation of an uploaded 
archive file  ...)
NOT-FOR-US: HCL
 CVE-2023-45700 (HCL Launch is vulnerable to HTML injection. This vulnerability 
may all ...)
@@ -97,7 +107,7 @@ CVE-2023-51457 (Adobe Experience Manager versions 6.5.18 and 
earlier are affecte
 CVE-2023-50628 (Buffer Overflow vulnerability in libming version 0.4.8, allows 
attacke ...)
- ming 
 CVE-2023-50249 (Sentry-Javascript is official Sentry SDKs for JavaScript. A 
ReDoS (Reg ...)
-   TODO: check
+   NOT-FOR-US: Sentry-Javascript
 CVE-2023-50044 (Buffer Overflow vulnerability in Cesanta MJS version 2.22.0, 
allows at ...)
NOT-FOR-US: Cesenta MJS
 CVE-2023-49825 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
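Review bot: the context line "NOT-FOR-US: Cesenta MJS" misspells the vendor, which the description above it gives as "Cesanta MJS"; fix it while touching this neighbourhood.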
@@ -153,7 +163,7 @@ CVE-2023-40204 (Unrestricted Upload of File with Dangerous 
Type vulnerability in
 CVE-2023-40010 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-3742 (Insufficient policy enforcement in ADB in Google Chrome on 
ChromeOS pr ...)
-   TODO: check
+   NOT-FOR-US: Google Chrome on ChromeOS
 CVE-2023-38519 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-38513 (Authorization Bypass Through User-Controlled Key vulnerability 
in Jord ...)
@@ -38415,11 +38425,11 @@ CVE-2023-29489 (An issue was discovered in cPanel 
before 11.109..116. XSS ca
 CVE-2023-29488
RESERVED
 CVE-2023-29487 (An issue was discovered in Heimdal Thor agent versions 3.4.2 
and befor ...)
-   TODO: check
+   NOT-FOR-US: Heimdal Thor
 CVE-2023-29486 (An issue was discovered in Heimdal Thor agent versions 3.4.2 
and befor ...)
-   TODO: check
+   NOT-FOR-US: Heimdal Thor
 CVE-2023-29485 (An issue was discovered in Heimdal Thor agent versions 3.4.2 
and befor ...)
-   TODO: check
+   NOT-FOR-US: Heimdal Thor
 CVE-2023-29484 (In Terminalfour before 8.3.16, misconfigured LDAP users are 
able to lo ...)
NOT-FOR-US: Terminalfour
 CVE-2023-29483
@@ -65915,7 +65925,7 @@ CVE-2022-41834
 CVE-2020-36611 (Incorrect Default Permissions vulnerability in Hitachi Tuning 
Manager  ...)
NOT-FOR-US: Hitachi
 CVE-2023-0011 (A flaw in the input validation in TOBY-L2 allows a user to 
execute arb ...)
-   TODO: check
+   NOT-FOR-US: TOBY-L2
 CVE-2022-47193
RESERVED
 CVE-2022-47192 (Generex UPS CS141 below 2.06 version, could allow a remote 
attacker to ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66bc6291e062b20d168e8c070df0adca56b2c91f



[Git][security-tracker-team/security-tracker][master] new rust-unsafe-libyaml issue

2023-12-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f0dbdb9c by Moritz Muehlenhoff at 2023-12-21T15:25:24+01:00
new rust-unsafe-libyaml issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023- [RUSTSEC-2023-0075]
+   - rust-unsafe-libyaml 
+   NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0075.html
+   NOTE: https://github.com/dtolnay/unsafe-libyaml/issues/21
 CVE-2023-7026 (A vulnerability was found in Lightxun IPTV Gateway up to 
20231208. It  ...)
NOT-FOR-US: Lightxun IPTV Gateway
 CVE-2023-7025 (A vulnerability was found in KylinSoft hedron-domain-hook up to 
3.8.0. ...)
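Review bot: the rust-unsafe-libyaml line has an empty version field and no per-release lines; the RUSTSEC-2023-0075 id in the CVE-2023- slot is the usual placeholder, but a [bookworm] assessment is still needed since the advisory link alone does not say whether the shipped version is affected.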



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0dbdb9caabe4c50c67e46381cdebea5ab01cd94



[Git][security-tracker-team/security-tracker][master] CVE-2023-6873 only affects src:firefox

2023-12-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
83a0ef39 by Moritz Muehlenhoff at 2023-12-21T12:35:17+01:00
CVE-2023-6873 only affects src:firefox

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -388,9 +388,7 @@ CVE-2023-6862 (A use-after-free was identified in the 
`nsDNSService::Init`.  Thi
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6862
 CVE-2023-6873 (Memory safety bugs present in Firefox 120. Some of these bugs 
showed e ...)
- firefox 121.0-1
-   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6873
-   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6873
 CVE-2023-6864 (Memory safety bugs present in Firefox 120, Firefox ESR 115.5, 
and Thun ...)
{DSA-5581-1}
- firefox 121.0-1
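Review bot: after this hunk CVE-2023-6873 keeps only the "firefox 121.0-1" line, with no [bookworm]/[bullseye] status. Since src:firefox is not shipped in the stable releases that is expected, but the entry gives no hint of it; a NOTE: stating that only the non-ESR branch is affected would make the removal of the thunderbird line and the mfsa2023-55 reference self-explanatory.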



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83a0ef398e265561eadff2795daeae578d28f791



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2023-12-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
433acc83 by Moritz Muehlenhoff at 2023-12-21T11:08:54+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -57,6 +57,8 @@ CVE-2023-7018 (Deserialization of Untrusted Data in GitHub 
repository huggingfac
NOT-FOR-US: Transformers
 CVE-2023-7008 [Unsigned name response in signed zone is not refused when 
DNSSEC=yes]
- systemd 
+   [bookworm] - systemd  (Minor issue)
+   [bullseye] - systemd  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=672
 CVE-2023-6912 (Lack of protection against brute force attacks in M-Files 
Server befor ...)
NOT-FOR-US: M-Files Server
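Review bot: the NOTE: URL https://bugzilla.redhat.com/show_bug.cgi?id=672 looks truncated; Red Hat Bugzilla ids for 2023 reports are seven digits, so a three-digit id almost certainly lost characters. Verify the id in the committed file before relying on it for the new bookworm/bullseye "Minor issue" triage of the systemd DNSSEC issue.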
@@ -299,6 +301,8 @@ CVE-2023-49489 (Reflective Cross Site Scripting (XSS) 
vulnerability in KodeExplo
NOT-FOR-US: kalcaddle KodExplorer
 CVE-2023-49006 (Cross Site Request Forgery (CSRF) vulnerability in Phpsysinfo 
version  ...)
- phpsysinfo 3.4.3-1
+   [bookworm] - phpsysinfo  (Minor issue)
+   [bullseye] - phpsysinfo  (Minor issue)
NOTE: https://huntr.com/bounties/ca6d669f-fd82-4188-aae2-69e08740d982/
NOTE: 
https://github.com/phpsysinfo/phpsysinfo/commit/4f2cee505e4f2e9b369a321063ff2c5e0c34ba45
 (v3.4.3)
 CVE-2023-46804 (An attacker sending specially crafted data packets to the 
Mobile Devic ...)
@@ -679,6 +683,8 @@ CVE-2023-32230 (An improper handling of a malformed API 
request to an API server
 CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, 
found in O ...)
- dropbear  (bug #1059001)
- erlang 1:25.3.2.8+dfsg-1 (bug #1059002)
+   [bookworm] - erlang  (Minor issue)
+   [bullseye] - erlang  (Minor issue)
- golang-go.crypto  (bug #1059003)
- jsch  (ChaCha20-Poly1305 support introduced in 0.1.61; 
*-EtM support introduced in 0.1.58)
- libssh  (bug #1059004)
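Review bot: the erlang bookworm/bullseye lines are added as "Minor issue" while the sibling packages in the same CVE-2023-48795 block (dropbear, golang-go.crypto, libssh) still have no per-release lines; triaging the whole block in one pass would avoid a half-annotated entry for an issue that spans many SSH implementations.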
@@ -12113,6 +12119,8 @@ CVE-2023-39960 (Nextcloud Server provides data storage 
for Nextcloud, an open so
- nextcloud-server  (bug #941708)
 CVE-2023-38000 (Auth. Stored (contributor+) Cross-Site Scripting (XSS) 
vulnerability i ...)
- wordpress 6.3.2+dfsg1-1
+   [bookworm] - wordpress  (Minor issue)
+   [bullseye] - wordpress  (Vulnerable code was introduced 
in 5.9)
[buster] - wordpress  (Vulnerable code was introduced in 
5.9)
NOTE: 
https://wordpress.org/documentation/wordpress-version/version-6-3-2/
NOTE: 
https://plugins.trac.wordpress.org/changeset/2978318/gutenberg/trunk/build/block-library/blocks/post-navigation-link.php
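Review bot: the bullseye line's reason "Vulnerable code was introduced in 5.9" implies a not-affected marker, while bookworm's "Minor issue" implies a no-dsa marker; with the status tokens stripped in this rendering the two lines look identical, so double-check that the committed markers match their reasons.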
@@ -14953,7 +14961,9 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read 
Information Disclosure Vu
NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023- [AV1 codec parser buffer overflow]
- gst-plugins-bad1.0 1.22.8-1
-   - gst-plugins-bad0.10 
+   [bullseye] - gst-plugins-bad1.0  (Vulnerable code not 
present)
+   [buster] - gst-plugins-bad1.0  (Vulnerable code not 
present)
+   - gst-plugins-bad0.10  (Vulnerable code not present)
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0011.html
NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5823
NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/890d59e97e291fe848147ebf4d5884bcec1101c9
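Review bot: the added "Vulnerable code not present" lines for bullseye and buster cite nothing for when the AV1 parser entered gst-plugins-bad1.0, unlike the jsch entry in this same commit which states the introducing versions; add the upstream release or commit that introduced the parser so the not-affected claim can be checked without re-auditing. The gst-plugins-bad0.10 line is changed from unfixed to the same not-affected wording in this hunk and should cite the same reference.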
@@ -241920,6 +241930,8 @@ CVE-2020-21427 (Buffer Overflow vulnerability in 
function LoadPixelDataRLE8 in P
NOTE: Probably fixed with r1832 and r1836 from 
http://svn.code.sf.net/p/freeimage/svn/FreeImage/
 CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in 
PluginEXR ...)
- freeimage  (bug #1051736)
+   [bookworm] - freeimage  (Revisit when patches are available)
+   [bullseye] - freeimage  (Revisit when patches are available)
[buster] - freeimage  (Revisit from patches are available)
NOTE: https://sourceforge.net/p/freeimage/bugs/300/
NOTE: it looks like the issue is in openexr. No relevant patches in 
freeimage are detected
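Review bot: the buster context line reads "Revisit from patches are available" while the two added lines say "Revisit when patches are available"; align the wording so the three suite lines can be grepped together. The NOTE says the issue looks to be in openexr rather than freeimage; if so, record whether Debian's freeimage links the system openexr (where a fix would land, and this entry could be marked accordingly) or a bundled copy, since that decides whether there is anything to backport here at all.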


=
data/dsa-needed.txt
=
@@ -29,6 +29,8 @@ frr
 --
 gpac/oldstable
 --
+gst-plugins-bad1.0 (jmm)
+--
 h2o (jmm)
 --
 haproxy (carnil)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/433acc839e19a08e047c7fbfaa981de0620fc332


[Git][security-tracker-team/security-tracker][master] firefox-esr DSA

2023-12-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b2ed78aa by Moritz Mühlenhoff at 2023-12-20T20:21:55+01:00
firefox-esr DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[20 Dec 2023] DSA-5581-1 firefox-esr - security update
+   {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 
CVE-2023-6861 CVE-2023-6862 CVE-2023-6863 CVE-2023-6864 CVE-2023-6865 
CVE-2023-6867}
+   [bullseye] - firefox-esr 115.6.0esr-1~deb11u1
+   [bookworm] - firefox-esr 115.6.0esr-1~deb12u1
 [18 Dec 2023] DSA-5580-1 webkit2gtk - security update
{CVE-2023-42883}
[bullseye] - webkit2gtk 2.42.4-1~deb11u1
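Review bot: the CVE list for DSA-5581-1 covers CVE-2023-6856 through CVE-2023-6865 plus CVE-2023-6867, so CVE-2023-6866 is the one gap in the range; confirm against mfsa2023-54 that it does not affect ESR 115 before publishing. CVE-2023-6873 is rightly absent: the thunderbird commit later on this page shows it with firefox and thunderbird lines only, no firefox-esr. Both bullseye and bookworm lines are present with the same 115.6.0esr upstream, which matches the advisory being a single ESR release.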


=
data/dsa-needed.txt
=
@@ -23,8 +23,6 @@ curl
 --
 dnsdist (jmm)
 --
-firefox-esr (jmm)
---
 frr
 --
 gpac/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2ed78aa2d79558ec8b23bb356ab0d73208097c0



[Git][security-tracker-team/security-tracker][master] bugnums

2023-12-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
13215d71 by Moritz Muehlenhoff at 2023-12-20T17:00:33+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2728,7 +2728,7 @@ CVE-2023-49465 (Libde265 v1.0.14 was discovered to 
contain a heap-buffer-overflo
- libde265 
NOTE: https://github.com/strukturag/libde265/issues/435
 CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation 
violation via ...)
-   - libheif 
+   - libheif  (bug #1059151)
[bookworm] - libheif  (Minor issue)
[bullseye] - libheif  (Minor issue)
[buster] - libheif  (Vulnerable code not present)
@@ -2736,21 +2736,21 @@ CVE-2023-49464 (libheif v1.17.5 was discovered to 
contain a segmentation violati
NOTE: https://github.com/strukturag/libheif/pull/1049
NOTE: 
https://github.com/strukturag/libheif/commit/2bf226a300951e6897ee7267d0dd379ba5ad7287
 CVE-2023-49463 (libheif v1.17.5 was discovered to contain a segmentation 
violation via ...)
-   - libheif 
+   - libheif  (bug #1059151)
[bookworm] - libheif  (Minor issue)
[bullseye] - libheif  (Minor issue)
[buster] - libheif  (Vulnerable code not present)
NOTE: https://github.com/strukturag/libheif/issues/1042
NOTE: 
https://github.com/strukturag/libheif/commit/26ec3953d46bb5756b97955661565bcbc6647abf
 CVE-2023-49462 (libheif v1.17.5 was discovered to contain a segmentation 
violation via ...)
-   - libheif 
+   - libheif  (bug #1059151)
[bookworm] - libheif  (Minor issue)
[bullseye] - libheif  (Minor issue)
[buster] - libheif  (Vulnerable code not present)
NOTE: https://github.com/strukturag/libheif/issues/1043
NOTE: 
https://github.com/strukturag/libheif/commit/730a9d80bea3434f75c79e721878cc67f3889969
 CVE-2023-49460 (libheif v1.17.5 was discovered to contain a segmentation 
violation via ...)
-   - libheif 
+   - libheif  (bug #1059151)
[bookworm] - libheif  (Minor issue)
[bullseye] - libheif  (Minor issue)
[buster] - libheif  (Vulnerable code not present)
@@ -235358,25 +235358,25 @@ CVE-2020-24297 (httpd on TP-Link TL-WPA4220 devices 
(versions 2 through 4) allow
 CVE-2020-24296
RESERVED
 CVE-2020-24295 (Buffer Overflow vulnerability in 
PSDParser.cpp::ReadImageLine() in Fre ...)
-   - freeimage 
+   - freeimage  (bug #1059152)
[bookworm] - freeimage  (Revisit when patches are available)
[bullseye] - freeimage  (Revisit when patches are available)
[buster] - freeimage  (Revisit when patches are available)
NOTE: 
https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/
 CVE-2020-24294 (Buffer Overflow vulnerability in psdParser::UnpackRLE function 
in PSDP ...)
-   - freeimage 
+   - freeimage  (bug #1059152)
[bookworm] - freeimage  (Revisit when patches are available)
[bullseye] - freeimage  (Revisit when patches are available)
[buster] - freeimage  (Revisit when patches are available)
NOTE: 
https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/
 CVE-2020-24293 (Buffer Overflow vulnerability in psdThumbnail::Read in 
PSDParser.cpp i ...)
-   - freeimage 
+   - freeimage  (bug #1059152)
[bookworm] - freeimage  (Revisit when patches are available)
[bullseye] - freeimage  (Revisit when patches are available)
[buster] - freeimage  (Revisit when patches are available)
NOTE: 
https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/
 CVE-2020-24292 (Buffer Overflow vulnerability in load function in 
PluginICO.cpp in Fre ...)
-   - freeimage 
+   - freeimage  (bug #1059152)
[bookworm] - freeimage  (Revisit when patches are available)
[bullseye] - freeimage  (Revisit when patches are available)
[buster] - freeimage  (Revisit when patches are available)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13215d71ff790e689024c2d5d2afdcbefabc6412



[Git][security-tracker-team/security-tracker][master] proftpd fixed in sid

2023-12-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
09bac9fa by Moritz Muehlenhoff at 2023-12-20T15:09:53+01:00
proftpd fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -494,7 +494,9 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
[buster] - libssh2  (ChaCha20-Poly1305 and CBC-EtM 
support not present)
- openssh 1:9.6p1-1
- paramiko  (bug #1059006)
-   - proftpd-dfsg  (bug #1059144)
+   - proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144)
+   [bookworm] - proftpd-dfsg  (Minor issue)
+   [bullseye] - proftpd-dfsg  (Minor issue)
- proftpd-mod-proxy 
- putty 0.80-1
- python-asyncssh  (bug #1059007)
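Review bot: proftpd-dfsg gets a sid fix version plus bookworm/bullseye "(Minor issue)" lines, but the sibling "- proftpd-mod-proxy" entry in the unchanged context still has neither a version nor a suite assessment; if it is listed under this CVE for the same reason, give it the same triage in the same commit so the two entries do not drift apart.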



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09bac9fabbab41996bf9e0f862282ebf3b8bee7b



[Git][security-tracker-team/security-tracker][master] add trilead-ssh reference

2023-12-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dede44ed by Moritz Muehlenhoff at 2023-12-20T12:36:50+01:00
add trilead-ssh reference

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -499,6 +499,7 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
- proftpd-mod-proxy 
- python-asyncssh  (bug #1059007)
- tinyssh  (bug #1059058)
+   - trilead-ssh2 
NOTE: https://terrapin-attack.com/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
NOTE: dropbear: 
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
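Review bot: the new "- trilead-ssh2" line carries no bug number and no NOTE with an upstream reference, unlike the adjacent python-asyncssh and tinyssh lines which carry bug numbers; as written the entry records only that the package is affected, not where a fix would come from. Filing a bug or at least adding the upstream issue link would make the entry actionable.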



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dede44ed820a5c333abbc956e131a8821c27cf3c



[Git][security-tracker-team/security-tracker][master] proftpd terrapin reference

2023-12-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d6db34e0 by Moritz Muehlenhoff at 2023-12-20T11:27:21+01:00
proftpd terrapin reference

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -528,6 +528,8 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
NOTE: tinyssh: https://github.com/janmojzis/tinyssh/issues/81
NOTE: asyncssh: 
https://github.com/ronf/asyncssh/security/advisories/GHSA-hfmc-7525-mj55
NOTE: asyncssh: 
https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b
 (v2.14.2)
+   NOTE: proftpd: https://github.com/proftpd/proftpd/issues/1760
+   NOTE: proftpd: 
https://github.com/proftpd/proftpd/commit/7fba68ebb3ded3047a35aa639e115eba7d585682
 CVE-2023-41314 (The api /api/snapshot and /api/get_log_file would allow 
unauthenticate ...)
NOT-FOR-US: Apache Doris
 CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository 
mlflow/mlflow prio ...)
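Review bot: the added proftpd commit NOTE has no release tag in parentheses, whereas the asyncssh line just above records "(v2.14.2)"; since the earlier commit in this series set the sid fix to 1.3.8.b+dfsg-1, stating which proftpd release contains commit 7fba68e would confirm that the chosen version actually carries the fix.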



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6db34e0c63da168aa0f628395ead61434d4d667



[Git][security-tracker-team/security-tracker][master] NFUs

2023-12-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8e72f9c5 by Moritz Muehlenhoff at 2023-12-20T11:18:30+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2023-37544
+   NOT-FOR-US: Apache Pulsar
 CVE-2023-6977 (This vulnerability enables malicious users to read sensitive 
files on  ...)
NOT-FOR-US: mlflow
 CVE-2023-6976 (This vulnerability is capable of writing arbitrary files into 
arbitrar ...)
@@ -73,13 +75,13 @@ CVE-2023-45887 (DS Wireless Communication (DWC) with 
DWC_VERSION_3 and DWC_VERSI
 CVE-2023-45172 (IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged 
local user ...)
NOT-FOR-US: IBM
 CVE-2023-42940 (A session rendering issue was addressed with improved session 
tracking ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-42013 (IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.14, 7.2 through 
7.2.3.7,  ...)
NOT-FOR-US: IBM
 CVE-2023-42012 (An IBM UrbanCode Deploy Agent 7.2 through 7.2.3.7, and 7.3 
through 7.3 ...)
NOT-FOR-US: IBM
 CVE-2023-38126 (Softing edgeAggregator Restore Configuration Directory 
Traversal Remot ...)
-   TODO: check
+   NOT-FOR-US: Softing edgeAggregator
 CVE-2023-37982 (URL Redirection to Untrusted Site ('Open Redirect') 
vulnerability in C ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-35883 (URL Redirection to Untrusted Site ('Open Redirect') 
vulnerability in M ...)
@@ -183,7 +185,7 @@ CVE-2023-34382 (Deserialization of Untrusted Data 
vulnerability in weDevs Dokan
 CVE-2023-34027 (Deserialization of Untrusted Data vulnerability in Rajnish 
Arora Recen ...)
NOT-FOR-US: WordPress plugin
 CVE-2019-25158 (A vulnerability has been found in pedroetb tts-api up to 2.1.4 
and cla ...)
-   TODO: check
+   NOT-FOR-US: pedroetb tts-api
 CVE-2023-50762 (When processing a PGP/MIME payload that contains digitally 
signed text ...)
- thunderbird 1:115.6.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-50762
@@ -46217,7 +46219,7 @@ CVE-2023-27174
 CVE-2023-27173
RESERVED
 CVE-2023-27172 (Xpand IT Write-back Manager v2.3.1 uses weak secret keys to 
sign JWT t ...)
-   TODO: check
+   NOT-FOR-US: Xpand IT Write-back manager
 CVE-2023-27171
REJECTED
 CVE-2023-27170 (Xpand IT Write-back manager v2.3.1 allows attackers to perform 
a direc ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e72f9c54c6db8e710a8e924d54c96688eb31ee0



[Git][security-tracker-team/security-tracker][master] espeakup commit references

2023-12-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3e7b8f97 by Moritz Muehlenhoff at 2023-12-20T09:49:35+01:00
espeakup commit references

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2040,30 +2040,35 @@ CVE-2023-49994 (Espeak-ng 1.52-dev was discovered to 
contain a Floating Point Ex
[bullseye] - espeak-ng  (Minor issue)
[buster] - espeak-ng  (Minor issue)
NOTE: https://github.com/espeak-ng/espeak-ng/issues/1823
+   NOTE: 
https://github.com/espeak-ng/espeak-ng/commit/58f1e0b6a4e6aa55621c6f01118994d01fd6f68c
 CVE-2023-49993 (Espeak-ng 1.52-dev was discovered to contain a Buffer Overflow 
via the ...)
- espeak-ng  (bug #1059060)
[bookworm] - espeak-ng  (Minor issue)
[bullseye] - espeak-ng  (Minor issue)
[buster] - espeak-ng  (Minor issue)
NOTE: https://github.com/espeak-ng/espeak-ng/issues/1826
+   NOTE: 
https://github.com/espeak-ng/espeak-ng/commit/58f1e0b6a4e6aa55621c6f01118994d01fd6f68c
 CVE-2023-49992 (Espeak-ng 1.52-dev was discovered to contain a Stack Buffer 
Overflow v ...)
- espeak-ng  (bug #1059060)
[bookworm] - espeak-ng  (Minor issue)
[bullseye] - espeak-ng  (Minor issue)
[buster] - espeak-ng  (Minor issue)
NOTE: https://github.com/espeak-ng/espeak-ng/issues/1827
+   NOTE: 
https://github.com/espeak-ng/espeak-ng/commit/58f1e0b6a4e6aa55621c6f01118994d01fd6f68c
 CVE-2023-49991 (Espeak-ng 1.52-dev was discovered to contain a Stack Buffer 
Underflow  ...)
- espeak-ng  (bug #1059060)
[bookworm] - espeak-ng  (Minor issue)
[bullseye] - espeak-ng  (Minor issue)
[buster] - espeak-ng  (Minor issue)
NOTE: https://github.com/espeak-ng/espeak-ng/issues/1825
+   NOTE: 
https://github.com/espeak-ng/espeak-ng/commit/58f1e0b6a4e6aa55621c6f01118994d01fd6f68c
 CVE-2023-49990 (Espeak-ng 1.52-dev was discovered to contain a buffer-overflow 
via the ...)
- espeak-ng  (bug #1059060)
[bookworm] - espeak-ng  (Minor issue)
[bullseye] - espeak-ng  (Minor issue)
[buster] - espeak-ng  (Minor issue)
NOTE: https://github.com/espeak-ng/espeak-ng/issues/1824
+   NOTE: 
https://github.com/espeak-ng/espeak-ng/commit/58f1e0b6a4e6aa55621c6f01118994d01fd6f68c
 CVE-2023-49874 (Mattermost fails to check whether a user is a guest when 
updating the  ...)
- mattermost-server  (bug #823556)
 CVE-2023-49809 (Mattermost fails to handle a null request body in the /add 
endpoint, a ...)
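Review bot: the commit title says "espeakup" but every changed entry is espeak-ng; correcting the log would stop a later search for the espeakup package from surfacing this commit. Also, the same commit 58f1e0b6 is added as the fix reference for all five CVEs (issues 1823 to 1827); if one upstream commit really closes all five, a single NOTE saying so would prevent readers from assuming five separate fixes need backporting for the "(Minor issue)" suites.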



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e7b8f976d59da08869c78a628cc0afee58b2b37



[Git][security-tracker-team/security-tracker][master] bugnums

2023-12-19 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e70d44cd by Moritz Muehlenhoff at 2023-12-19T22:28:47+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -195,7 +195,7 @@ CVE-2023-6856 (The WebGL `DrawElementsInstanced` method was 
susceptible to a hea
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6856
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6856
 CVE-2023-6135 (Multiple NSS NIST curves were susceptible to a side-channel 
attack kno ...)
-   - nss 
+   - nss  (bug #1059054)
- firefox 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6135
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1853908 (not public)
@@ -1826,9 +1826,8 @@ CVE-2023-36639 (A use of externally-controlled format 
string in Fortinet FortiPr
 CVE-2023-6710 (A flaw was found in the mod_proxy_cluster in the Apache server. 
This i ...)
- libapache2-mod-cluster  (bug #731410)
 CVE-2023-5379 (A flaw was found in Undertow. When an AJP request is sent that 
exceeds ...)
-   - undertow 
+   - undertow  (bug #1059055)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2242099
-   TODO: check, insufficient information for Debian specific assessment
 CVE-2023-49921
- elasticsearch 
 CVE-2023-6687 (An issue was discovered by Elastic whereby Elastic Agent would 
log a r ...)
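Review bot: the hunk removes "TODO: check, insufficient information for Debian specific assessment" while only adding a bug number; the outcome of that check is not recorded anywhere in the entry, so a NOTE with the conclusion (or the information that made the assessment possible) should replace the TODO rather than just dropping it.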
@@ -2371,7 +2370,7 @@ CVE-2023-48311 (dockerspawner is a tool to spawn 
JupyterHub single user servers
 CVE-2023-47722 (IBM API Connect V10.0.5.3 and V10.0.6.0 stores user 
credentials in bro ...)
NOT-FOR-US: IBM
 CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a local attacker to 
cause a ...)
-   - gpac 
+   - gpac  (bug #1059056)
[buster] - gpac  (EOL in Buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2652
NOTE: 
https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49
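Review bot: this entry (CVE-2023-47465) and CVE-2023-46932 in the next hunk receive the bug number but have no bullseye line, while CVE-2023-48958 and CVE-2023-46871 further down carry "[bullseye] - gpac (Minor issue)"; either bullseye is not affected by the first two, in which case say so explicitly, or the same "(Minor issue)" line is missing and should be added in the same pass.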
@@ -2379,7 +2378,7 @@ CVE-2023-47465 (An issue in GPAC v.2.2.1 and before 
allows a local attacker to c
 CVE-2023-47254 (An OS Command Injection in the CLI interface on DrayTek 
Vigor167 versi ...)
NOT-FOR-US: DrayTek Vigor167
 CVE-2023-46932 (Heap Buffer Overflow vulnerability in GPAC version 
2.3-DEV-rev617-g671 ...)
-   - gpac 
+   - gpac  (bug #1059056)
[buster] - gpac  (EOL in Buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2669
NOTE: 
https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b
@@ -2694,7 +2693,7 @@ CVE-2023-49403 (Tenda W30E V16.01.0.12(4843) was 
discovered to contain a command
 CVE-2023-49402 (Tenda W30E V16.01.0.12(4843) was discovered to contain a stack 
overflo ...)
NOT-FOR-US: Tenda
 CVE-2023-48958 (gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in 
gf_mpd_ ...)
-   - gpac 
+   - gpac  (bug #1059056)
[bullseye] - gpac  (Minor issue)
[buster] - gpac  (EOL in Buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2689
@@ -2710,7 +2709,7 @@ CVE-2023-47440 (Gladys Assistant v4.27.0 and prior is 
vulnerable to Directory Tr
 CVE-2023-46974 (Cross Site Scripting vulnerability in Best Courier Management 
System v ...)
NOT-FOR-US: Best Courier Management System
 CVE-2023-46871 (GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box 
contains a mem ...)
-   - gpac 
+   - gpac  (bug #1059056)
[bullseye] - gpac  (Minor issue)
[buster] - gpac  (EOL in Buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2658
@@ -4552,25 +4551,25 @@ CVE-2023-46355 (In the module "CSV Feeds PRO" 
(csvfeeds) < 2.6.1 from Bl Modules
 CVE-2023-46349 (In the module "Product Catalog (CSV, Excel) Export/Update" 
(updateprod ...)
NOT-FOR-US: PrestaShop module
 CVE-2023-42366 (A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in 
the next_ ...)
-   - busybox 
+   - busybox  (bug #1059053)
[bookworm] - busybox  (Minor issue)
[bullseye] - busybox  (Minor issue)
[buster] - busybox  (Minor issue)
NOTE: https://bugs.busybox.net/show_bug.cgi?id=15874
 CVE-2023-42365 (A use-after-free vulnerability was discovered in BusyBox 
v.1.36.1 via  ...)
-   - busybox 
+   - busybox  (bug #1059052)
[bookworm] - busybox  (Minor issue)
[bullseye] - busybox  (Minor issue)
[buster] - busybox  (Minor issue)
NOTE: https://bugs.busybox.net/show_bug.cgi?id=15871
 CVE-2023-42364 (A use-after-free vulnerability in BusyBox v.1.36.1 allows 
attackers to ...)
-   - busybox 
+   - busybox  (bug #1059051)
[bookworm] - busybox  (Minor issue)
[bullseye] - busybox  (Minor issue)
[buster] - busybox  (Minor issue)
NOTE: h

[Git][security-tracker-team/security-tracker][master] new thunderbird issues

2023-12-19 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
216f765b by Moritz Muehlenhoff at 2023-12-19T21:07:14+01:00
new thunderbird issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1,13 +1,25 @@
+CVE-2023-50762
+   - thunderbird 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-50762
+CVE-2023-50761
+   - thunderbird 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-50761
 CVE-2023-6862
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6862
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6862
 CVE-2023-6873
- firefox 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6873
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6873
 CVE-2023-6864
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6864
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6864
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6864
 CVE-2023-6863
- firefox 
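Review bot: CVE-2023-6862 gains a thunderbird line but, unlike CVE-2023-6864 and the other entries in this hunk, lists firefox-esr without a firefox line; confirm against mfsa2023-56 (referenced for the sibling entries) whether mainline Firefox is affected too or the issue is ESR-only, so the entry is not read as an oversight. The two new CVE-2023-50762/50761 entries have no description line yet, which is expected for freshly added IDs.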
@@ -32,7 +44,9 @@ CVE-2023-6868
 CVE-2023-6861
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6861
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6861
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6861
 CVE-2023-6867
- firefox 
@@ -42,7 +56,9 @@ CVE-2023-6867
 CVE-2023-6860
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6860
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6860
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6860
 CVE-2023-6866
- firefox 
@@ -50,17 +66,23 @@ CVE-2023-6866
 CVE-2023-6859
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6859
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6859
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6859
 CVE-2023-6858
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6858
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6858
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6858
 CVE-2023-6857
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6857
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6857
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6857
 CVE-2023-6865
- firefox 
@@ -70,7 +92,9 @@ CVE-2023-6865
 CVE-2023-6856
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6856
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6856
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6856
 CVE-2023-6135
- nss 


=
data/dsa-needed.txt
=
@@ -97,6 +97,8 @@ slurm-wlm
 --
 squid
 --
+thunderbird (jmm)
+--
 varnish
 --
 zbar



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/216f765b03052f605e2f9b7880869d843d1e52c0


