[Git][security-tracker-team/security-tracker][master] pypdf spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 96898fb3 by Moritz Mühlenhoff at 2024-01-15T20:52:24+01:00 pypdf spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -84,3 +84,5 @@ CVE-2024- [spip XSS] [bookworm] - spip 4.1.9+dfsg-1+deb12u4 CVE-2023-48795 [bookworm] - proftpd-mod-proxy 0.9.2-1+deb12u1 +CVE-2023-36464 + [bookworm] - pypdf 3.4.1-1+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96898fb34451aefb06efd40493c89e6b009b8d75 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96898fb34451aefb06efd40493c89e6b009b8d75 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
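Review bot: the new `[bookworm] - pypdf 3.4.1-1+deb12u1` line only does its job if the version string matches the upload actually accepted into bookworm-proposed-updates; a wrong `+deb12uN` suffix is the usual slip and leaves CVE-2023-36464 shown as open after the point release. Please cross-check the version against the accepted upload and update the `[bookworm]` annotation for pypdf under CVE-2023-36464 in data/CVE/list in lockstep, since the pending-update check matches on package and version per release.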
[Git][security-tracker-team/security-tracker][master] one gitlab issue fixed in sid (rest of them only for more recent release series)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b302ca48 by Moritz Muehlenhoff at 2024-01-15T16:27:32+01:00 one gitlab issue fixed in sid (rest of them only for more recent release series) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -329,7 +329,7 @@ CVE-2023-4812 (An issue has been discovered in GitLab EE affecting all versions CVE-2023-5356 (Incorrect authorization checks in GitLab CE/EE from all versions start ...) - gitlab CVE-2023-7028 (An issue has been discovered in GitLab CE/EE affecting all versions fr ...) - - gitlab + - gitlab 16.4.5+ds2-1 CVE-2024-23179 (An issue was discovered in the GlobalBlocking extension in MediaWiki b ...) NOT-FOR-US: MediaWiki extension GlobalBlocking CVE-2024-23178 (An issue was discovered in the Phonos extension in MediaWiki before 1. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b302ca48ac8f9da78f8fab4dc32a60648728c83a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b302ca48ac8f9da78f8fab4dc32a60648728c83a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
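Review bot: the commit message says the remaining GitLab issues only affect release series newer than what sid ships, but the visible CVE-2023-4812 and CVE-2023-5356 entries keep a bare `- gitlab`, which the tracker reads as unfixed in sid. If 16.4.5+ds2-1 is not affected by them, record that on those lines with `<not-affected>` and a short reason instead of leaving them open; otherwise the sid status for gitlab stays wrong. A NOTE pointing at the GitLab security release for CVE-2023-7028 would also let the next reader verify where the 16.4.5 fixed version comes from.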
[Git][security-tracker-team/security-tracker][master] netatalk ospu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1dedfa63 by Moritz Mühlenhoff at 2024-01-15T16:22:17+01:00 netatalk ospu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -126,3 +126,5 @@ CVE-2023-49468 [bullseye] - libde265 1.0.11-0+deb11u3 CVE-2024-22368 [bullseye] - libspreadsheet-parsexlsx-perl 0.27-2.1+deb11u1 +CVE-2022-22995 + [bullseye] - netatalk 3.1.12~ds-8+deb11u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dedfa63781c0a24f8f8e75d9b2f983cd9ff4c92 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dedfa63781c0a24f8f8e75d9b2f983cd9ff4c92 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
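Review bot: `[bullseye] - netatalk 3.1.12~ds-8+deb11u2` schedules a fix for a 2022 CVE via the next oldstable point update; verify the version string against the accepted bullseye-pu upload (the `~ds` and `+deb11u2` parts are where typos usually land) and check that the `[bullseye]` line for CVE-2022-22995 in data/CVE/list does not still carry a no-dsa or postponed comment, otherwise the two files disagree about bullseye's state.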
[Git][security-tracker-team/security-tracker][master] new openssl issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 770f6309 by Moritz Muehlenhoff at 2024-01-15T14:15:50+01:00 new openssl issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,10 @@ +CVE-2023-6237 [openssl: Checking excessively long invalid RSA public keys may take a long time] + - openssl + [bookworm] - openssl (Minor issue) + [bullseye] - openssl (Only affects 3.x) + [buster] - openssl (Only affects 3.x) + NOTE: https://www.openssl.org/news/secadv/20240115.txt + NOTE: https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db CVE-2024- [RUSTSEC-2023-0078] - rust-tracing [bookworm] - rust-tracing (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/770f6309c626cce57af1d61a098bc4177462b6b4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/770f6309c626cce57af1d61a098bc4177462b6b4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
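Review bot: the `[bullseye]` and `[buster]` lines say `(Only affects 3.x)` but carry no `<not-affected>` tag, so the not-affected state is only a free-form comment; use the explicit tag so the tracker distinguishes these from a postponed entry such as the bookworm `(Minor issue)` line. The sid line `- openssl` has no fixed version even though the second NOTE references the upstream fix commit; add the fixed Debian version once the corresponding upstream release is uploaded, or a TODO so the entry is not forgotten.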
[Git][security-tracker-team/security-tracker][master] new rust-vmm-sys-util issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c2c64a1 by Moritz Muehlenhoff at 2024-01-15T11:09:07+01:00 new rust-vmm-sys-util issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2476,7 +2476,10 @@ CVE-2023-6436 (Improper Neutralization of Special Elements used in an SQL Comman CVE-2023-51652 (OWASP AntiSamy .NET is a library for performing cleansing of HTML comi ...) NOT-FOR-US: OWASP AntiSamy .NET library CVE-2023-50711 (vmm-sys-util is a collection of modules that provides helpers and util ...) - NOT-FOR-US: vmm-sys-util rust modules + - rust-vmm-sys-util + NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0002.html + NOTE: https://github.com/advisories/GHSA-875g-mfp6-g7f9 + NOTE: https://github.com/rust-vmm/vmm-sys-util/commit/30172fca2a8e0a38667d934ee56682247e13f167 CVE-2023-50333 (Mattermost fails to update the permissions of the current session for ...) - mattermost-server (bug #823556) CVE-2023-4280 (An unvalidated input in Silicon Labs TrustZone implementation in v4.3. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c2c64a157426c866489379c82526263badbc38c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c2c64a157426c866489379c82526263badbc38c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
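Review bot: this flips CVE-2023-50711 from `NOT-FOR-US` to a tracked source package, so the previous classification was wrong rather than this being a newly published issue; the new `- rust-vmm-sys-util` line has no fixed version although the third NOTE references the upstream fix commit, and there is no `[bookworm]` annotation, so bookworm will show as open if the package is in that release. Please confirm the package is in the archive, record the fixed Debian version (or file a bug and reference it), and add the bookworm line.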
[Git][security-tracker-team/security-tracker][master] new rust-tracing issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cb3715e by Moritz Muehlenhoff at 2024-01-15T10:39:06+01:00 new rust-tracing issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024- [RUSTSEC-2023-0078] + - rust-tracing + [bookworm] - rust-tracing (Vulnerable code not present) + NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0078.html + NOTE: https://github.com/tokio-rs/tracing/pull/2765 + NOTE: Introduced in https://github.com/tokio-rs/tracing/commit/20a1762b3fd5f1fafead198fd18e469c68683721 CVE-2024-22028 (Insufficient technical documentation issue exists in thermal camera TM ...) NOT-FOR-US: thermal camera TMC series firmware CVE-2024-0552 (Intumit inc. SmartRobot's web framwork has a remote code execution vul ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cb3715e3eb11068e8ddf2968d809d2c92e793bc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cb3715e3eb11068e8ddf2968d809d2c92e793bc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
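Review bot: the header uses the `CVE-2024- [RUSTSEC-2023-0078]` placeholder, so this entry has to be renamed when the real ID is assigned; the `[bookworm] - rust-tracing (Vulnerable code not present)` line would be clearer as `<not-affected>` given that the last NOTE pins the commit that introduced the bug, and the sid line has no fixed version despite the fix PR #2765 being referenced. Record the Debian version that contains that PR, or a TODO, so sid is not left unfixed indefinitely.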
[Git][security-tracker-team/security-tracker][master] proftpd-mod-proxy spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ca9f5cb by Moritz Mühlenhoff at 2024-01-13T23:34:27+01:00 proftpd-mod-proxy spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -82,3 +82,5 @@ CVE-2024-22368 [bookworm] - libspreadsheet-parsexlsx-perl 0.27-3+deb12u1 CVE-2024- [spip XSS] [bookworm] - spip 4.1.9+dfsg-1+deb12u4 +CVE-2023-48795 + [bookworm] - proftpd-mod-proxy 0.9.2-1+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca9f5cbd20e1fffd830d11daa91e079696608b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca9f5cbd20e1fffd830d11daa91e079696608b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
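Review bot: `[bookworm] - proftpd-mod-proxy 0.9.2-1+deb12u1` adds a point-update fix for CVE-2023-48795, an ID that is tracked against several source packages; make sure the `[bookworm]` line for proftpd-mod-proxy under CVE-2023-48795 in data/CVE/list gets exactly the same version, since the pending-update check matches per package and release and a mismatch leaves this one package shown as open after the point release.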
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f7fa5caa by Moritz Mühlenhoff at 2024-01-12T23:17:14+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -223,7 +223,7 @@ CVE-2022-4960 (A vulnerability, which was classified as problematic, has been fo CVE-2022-4959 (A vulnerability classified as problematic was found in qkmc-rk redbbs ...) NOT-FOR-US: qkmc-rk redbbs CVE-2022-48620 (uev (aka libuev) before 2.4.1 has a buffer overflow in epoll_wait if m ...) - - libuev + - libuev (bug #1060692) [bookworm] - libuev (Minor issue) [bullseye] - libuev (Minor issue) NOTE: https://github.com/troglobit/libuev/issues/27 @@ -703,7 +703,7 @@ CVE-2023-50916 (Kyocera Device Manager before 3.1.1213.0 allows NTLM credential CVE-2023-50172 (A recovery notification bypass vulnerability exists in the userRecover ...) NOT-FOR-US: WWBN AVideo CVE-2023-50120 (MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was discovered to ...) - - gpac + - gpac (bug #1060696) [bullseye] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/issues/2698 NOTE: https://github.com/gpac/gpac/commit/b655955b840ccd7c7198bb15375aa510e76208eb 
@@ -860,28 +860,23 @@ CVE-2023-50136 (Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allo CVE-2023-48864 (SEMCMS v4.8 was discovered to contain a SQL injection vulnerability vi ...) NOT-FOR-US: SEMCMS CVE-2023-47997 (An issue discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in F ...) - - freeimage + - freeimage (bug #1060691) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47997 - TODO: check upstream reporting status CVE-2023-47996 (An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in F ...) - - freeimage + - freeimage (bug #1060691) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47996 - TODO: check upstream reporting status CVE-2023-47995 (Buffer Overflow vulnerability in BitmapAccess.cpp::FreeImage_AllocateB ...) - - freeimage - TODO: check no sensible references in CVE entry + - freeimage + NOTE: no sensible references in CVE entry CVE-2023-47994 (An integer overflow vulnerability in LoadPixelDataRLE4 function in Plu ...) - - freeimage + - freeimage (bug #1060691) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47994 - TODO: check upstream reporting status CVE-2023-47993 (A Buffer out-of-bound read vulnerability in Exif.cpp::ReadInt32 in Fre ...) - - freeimage + - freeimage (bug #1060691) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47993 - TODO: check upstream reporting status CVE-2023-47992 (An integer overflow vulnerability in FreeImageIO.cpp::_MemoryReadProc ...) - - freeimage + - freeimage (bug #1060691) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47992 - TODO: check upstream reporting status CVE-2023-41781 (There is a Cross-sitescripting (XSS) vulnerability in ZTE MF258. Due t ...) NOT-FOR-US: ZTE CVE-2023-3043 (AMI\u2019s SPx contains a vulnerability in the BMC where an Attacker m ...) 
@@ -3275,13 +3270,13 @@ CVE-2023-51772 (One Identity Password Manager before 5.13.1 allows Kiosk Escape. CVE-2023-51771 (In MicroHttpServer (aka Micro HTTP Server) through a8ab029, _ParseHead ...) NOT-FOR-US: MicroHttpServer CVE-2023-51714 (An issue was discovered in the HTTP2 implementation in Qt before 5.15. ...) - - qt6-base + - qt6-base (bug #1060693) [bookworm] - qt6-base (Minor issue) - - qtbase-opensource-src + - qtbase-opensource-src (bug #1060694) [bookworm] - qtbase-opensource-src (Minor issue) [bullseye] - qtbase-opensource-src (Minor issue) [buster] - qtbase-opensource-src (Minor issue) - - qtbase-opensource-src-gles + - qtbase-opensource-src-gles (bug #1060695) [bookworm] - qtbase-opensource-src-gles (Minor issue) [bullseye] - qtbase-opensource-src-gles (Minor issue) NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524864 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7fa5caae260334245d5e88d0a692d462d8bcfc8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7fa5caae260334245d5e88d0a692d462d8bcfc8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https
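Review bot: in the FreeImage region, CVE-2023-47995 is the only one of the six entries that gets no `(bug #1060691)` reference, and its `TODO: check no sensible references in CVE entry` is turned into a NOTE, which removes the open-item signal without resolving it. If bug #1060691 covers all six CVEs, reference it there as well; if it deliberately excludes CVE-2023-47995 because there is nothing upstream to point at, say so in the NOTE so the next reader does not re-investigate.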
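Review bot: in the Qt region, qtbase-opensource-src carries a `[buster]` line but qtbase-opensource-src-gles does not, while the two packages otherwise get parallel annotations (bug #1060694 and bug #1060695); confirm whether the -gles source package exists in buster and, if it does, add the matching `[buster]` line so buster does not silently show as unfixed for it.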
[Git][security-tracker-team/security-tracker][master] solr n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 318a3665 by Moritz Mühlenhoff at 2024-01-12T22:53:19+01:00 solr n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-50290 + - lucene-solr (Vulnerable code not yet present) CVE-2024-0232 [use-after-free bug in jsonParseAddNodeArray] - sqlite3 3.43.2-1 [bullseye] - sqlite3 (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/318a366555fa3d97a8acd7ed885a0bd3fb6138d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/318a366555fa3d97a8acd7ed885a0bd3fb6138d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
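Review bot: `- lucene-solr (Vulnerable code not yet present)` has no `<not-affected>` tag, no description in the header line and no NOTE pointing at the upstream advisory; since "not yet" means the affected Solr code will arrive with a future upstream update, add a NOTE with the upstream reference so whoever updates the package knows to re-check, and use the explicit tag for the current not-affected state.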
[Git][security-tracker-team/security-tracker][master] new spip issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f407d9c by Moritz Muehlenhoff at 2024-01-12T14:55:58+01:00 new spip issue - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024- [spip XSS] + - spip 4.1.15+dfsg-1 + [bookworm] - spip (Minor issue) + [bullseye] - spip (Vulnerable code not present) CVE-2023-6955 - gitlab CVE-2023-4812 = data/next-point-update.txt = @@ -78,3 +78,5 @@ CVE-2024-21633 [bookworm] - apktool 2.7.0+dfsg-6+deb12u1 CVE-2023-46303 [bookworm] - calibre 6.13.0+repack-2+deb12u3 +CVE-2024- [spip XSS] + [bookworm] - spip 4.1.9+dfsg-1+deb12u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f407d9c2b83b023f1587ad207998943c270f1c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f407d9c2b83b023f1587ad207998943c270f1c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
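Review bot: the same placeholder `CVE-2024- [spip XSS]` is written into both data/CVE/list and data/next-point-update.txt, so when the real CVE ID is assigned both files must be renamed together or the point-update entry will no longer match; the CVE/list entry also has no NOTE with the upstream SPIP reference, which is needed to tell this XSS apart from other spip issues. The `[bookworm] - spip (Minor issue)` comment next to a scheduled bookworm fix in 4.1.9+dfsg-1+deb12u4 is consistent (no DSA, fixed via point update), but saying so in the comment avoids the apparent contradiction.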
[Git][security-tracker-team/security-tracker][master] calibre spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e468e284 by Moritz Muehlenhoff at 2024-01-12T14:54:10+01:00 calibre spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -76,3 +76,5 @@ CVE-2023-51713 [bookworm] - proftpd-dfsg 1.3.8+dfsg-4+deb12u3 CVE-2024-21633 [bookworm] - apktool 2.7.0+dfsg-6+deb12u1 +CVE-2023-46303 + [bookworm] - calibre 6.13.0+repack-2+deb12u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e468e284592c3e40ad99d05612f8e27460b42061 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e468e284592c3e40ad99d05612f8e27460b42061 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
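Review bot: `[bookworm] - calibre 6.13.0+repack-2+deb12u3` implies two earlier bookworm updates of calibre (deb12u1, deb12u2); confirm CVE-2023-46303 was not already addressed in one of those and that the version matches the accepted bookworm-pu upload, since the tracker only clears the CVE for bookworm once a package with exactly this version enters the release.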
[Git][security-tracker-team/security-tracker][master] new quic-go issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b2ea7df by Moritz Muehlenhoff at 2024-01-12T14:52:20+01:00 new quic-go issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -404,7 +404,18 @@ CVE-2023-51123 (An issue discovered in D-Link dir815 v.1.01SSb08.bin allows a re CVE-2023-51073 (An issue in Buffalo LS210D v.1.78-0.03 allows a remote attacker to exe ...) NOT-FOR-US: Buffalo CVE-2023-49295 (quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, ...) - TODO: check + - golang-github-lucas-clemente-quic-go + [bookworm] - golang-github-lucas-clemente-quic-go (Minor issue) + [bullseye] - golang-github-lucas-clemente-quic-go (Minor issue) + NOTE: https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf + NOTE: https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc + NOTE: https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965 + NOTE: https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a + NOTE: https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49 + NOTE: https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e + NOTE: https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc + NOTE: https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4 + NOTE: https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8 CVE-2023-45175 (IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user ...) NOT-FOR-US: IBM CVE-2023-45173 (IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user ...) 
@@ -16255,9 +16266,9 @@ CVE-2023-45133 (Babel is a compiler for writingJavaScript. In `@babel/traverse` {DSA-5528-1 DLA-3618-1} - node-babel - node-babel7 7.20.15+ds1+~cs214.269.168-5 (bug #1053880) - NOTE: github.com: https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92 - NOTE: github.com: https://github.com/babel/babel/pull/16033 - NOTE: github.com: https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82 + NOTE: https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92 + NOTE: https://github.com/babel/babel/pull/16033 + NOTE: https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82 CVE-2023-45106 (Cross-Site Request Forgery (CSRF) vulnerability in Fedor Urvanov, Aram ...) NOT-FOR-US: WordPress plugin CVE-2023-45103 (Cross-Site Request Forgery (CSRF) vulnerability in YAS Global Team Per ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2ea7dfd0f2652b5d4a5ca2a100330db20c7bb3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2ea7dfd0f2652b5d4a5ca2a100330db20c7bb3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
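Review bot: the quic-go entry replaces the TODO with an unfixed `- golang-github-lucas-clemente-quic-go` line although eight upstream fix commits are referenced, so either the fixed Debian version or a bug reference is missing; also confirm the source package name, since the NOTE URLs use the github.com/quic-go path rather than the lucas-clemente import path the package is named after. For a Go library, the `(Minor issue)` classification on bookworm and bullseye should account for reverse dependencies being statically linked, which the entry does not show.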
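Review bot: the babel hunk only strips the `github.com:` prefix from three NOTE lines and has nothing to do with the `new quic-go issue` commit message; unrelated cleanups are easier to review and bisect as a separate commit.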
[Git][security-tracker-team/security-tracker][master] "new" libuev issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 27b9ef49 by Moritz Muehlenhoff at 2024-01-12T13:21:21+01:00 new libuev issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -135,7 +135,11 @@ CVE-2022-4960 (A vulnerability, which was classified as problematic, has been fo CVE-2022-4959 (A vulnerability classified as problematic was found in qkmc-rk redbbs ...) NOT-FOR-US: qkmc-rk redbbs CVE-2022-48620 (uev (aka libuev) before 2.4.1 has a buffer overflow in epoll_wait if m ...) - TODO: check + - libuev + [bookworm] - libuev (Minor issue) + [bullseye] - libuev (Minor issue) + NOTE: https://github.com/troglobit/libuev/issues/27 + NOTE: https://github.com/troglobit/libuev/commit/2d9f1c9ce655cc38511aeeb6e95ac30914f7aec9 CVE-2022-48619 (An issue was discovered in drivers/input/input.c in the Linux kernel b ...) TODO: check CVE-2016-20021 (In Gentoo Portage before 3.0.47, there is missing PGP validation of ex ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27b9ef49f4ace702425fe0b6a50ffe83edf46781 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27b9ef49f4ace702425fe0b6a50ffe83edf46781 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
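Review bot: `- libuev` is left without a fixed version although the CVE description says the overflow is fixed in 2.4.1 and the second NOTE references the upstream commit; record the Debian version that contains 2.4.1, or file a bug and reference it, otherwise sid stays unfixed with nothing tracking the upload.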
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 891e060a by Moritz Muehlenhoff at 2024-01-12T13:08:35+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -139,7 +139,7 @@ CVE-2022-48620 (uev (aka libuev) before 2.4.1 has a buffer overflow in epoll_wai CVE-2022-48619 (An issue was discovered in drivers/input/input.c in the Linux kernel b ...) TODO: check CVE-2016-20021 (In Gentoo Portage before 3.0.47, there is missing PGP validation of ex ...) - TODO: check + NOT-FOR-US: Portage CVE-2024-0443 (A flaw was found in the blkgs destruction path in block/blk-cgroup.c i ...) - linux 6.3.11-1 [bookworm] - linux (Vulnerable code not present) @@ -821,7 +821,7 @@ CVE-2024-22164 (In Splunk Enterprise Security (ES) versions below 7.1.2, an atta CVE-2024-21668 (react-native-mmkv is a library that allows easy use of MMKV inside Rea ...) NOT-FOR-US: react-native-mmkv CVE-2024-21664 (jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, othe ...) - TODO: check + NOT-FOR-US: jwx CVE-2024-21325 (Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution V ...) NOT-FOR-US: Microsoft CVE-2024-21320 (Windows Themes Spoofing Vulnerability) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/891e060ab7a7342a6f98fce5f51bea1fd4f5f61b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/891e060ab7a7342a6f98fce5f51bea1fd4f5f61b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
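Review bot: marking CVE-2024-21664 as `NOT-FOR-US: jwx` assumes the Go module is not packaged, but Go libraries enter the archive under `golang-github-*` source names that are easy to miss (for github.com/lestrrat-go/jwx that would be something like golang-github-lestrrat-go-jwx); confirm no such source package exists before dropping tracking, since a NOT-FOR-US on a packaged library silently hides the issue. The Portage entry is fine as written.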
[Git][security-tracker-team/security-tracker][master] new libebml issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f1d1cfb by Moritz Muehlenhoff at 2024-01-12T12:59:55+01:00 new libebml issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -89,7 +89,12 @@ CVE-2023-6040 (An out-of-bounds access vulnerability involving netfilter was rep NOTE: https://www.openwall.com/lists/oss-security/2024/01/12/1 NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1082dd31fe461d482d69da2a8eccfeb7bf07ac2 CVE-2023-52339 (In libebml before 1.4.5, an integer overflow in MemIOCallback.cpp can ...) - TODO: check + - libebml 1.4.5-1 + [bookworm] - libebml (Minor issue) + [bullseye] - libebml (Minor issue) + NOTE: https://github.com/Matroska-Org/libebml/issues/147 + NOTE: https://github.com/Matroska-Org/libebml/pull/148 + NOTE: https://github.com/Matroska-Org/libebml/commit/4d577f5c3e267b2988d56dafebc82dedb4c45506 CVE-2023-51350 (A spoofing attack in ujcms v.8.0.2 allows a remote attacker to obtain ...) NOT-FOR-US: ujcms CVE-2023-50920 (An issue was discovered on GL.iNet devices before version 4.5.0. They ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f1d1cfba7f0fbcce4bfcf3bd4c3db1b990c6ac5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f1d1cfba7f0fbcce4bfcf3bd4c3db1b990c6ac5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
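Review bot: the CVE description says libebml before 1.4.5 is affected, so the `[bookworm]` and `[bullseye]` `(Minor issue)` lines mean postponed rather than not-affected; because libebml is a parsing library consumed by other media packages, a short rationale for why an integer overflow in MemIOCallback.cpp is minor (for example, whether it is reachable from untrusted file input) would help whoever triages a later stable update. The sid fixed version 1.4.5-1 matches the upstream fix release referenced in the NOTEs.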
[Git][security-tracker-team/security-tracker][master] new liblivemedia issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c5773fdb by Moritz Muehlenhoff at 2024-01-12T12:40:27+01:00 new liblivemedia issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -117,7 +117,8 @@ CVE-2023-40362 (An issue was discovered in CentralSquare Click2Gov Building Perm CVE-2023-40250 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...) NOT-FOR-US: Hancom CVE-2023-37117 (A heap-use-after-free vulnerability was found in live555 version 2023. ...) - TODO: check + - liblivemedia + NOTE: http://lists.live555.com/pipermail/live-devel/2023-June/022331.html CVE-2023-36842 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...) NOT-FOR-US: Juniper CVE-2023-34061 (Cloud Foundry routing release versions from v0.163.0 to v0.283.0 are v ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5773fdb66c233217dd25d8d296e2479ae70b64f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5773fdb66c233217dd25d8d296e2479ae70b64f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
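Review bot: `- liblivemedia` is left with no fixed version and no `[bookworm]` or `[bullseye]` annotation, so every release shows as open; the only NOTE is a live-devel mailing-list post, and live555 publishes date-stamped tarballs rather than a public VCS, so please record in a NOTE which live555 release contains the fix so the Debian version can be compared against it, then add the release lines.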
[Git][security-tracker-team/security-tracker][master] "new" linux issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e6911c5 by Moritz Muehlenhoff at 2024-01-12T11:29:55+01:00 new linux issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -85,7 +85,9 @@ CVE-2023-6740 (Privilege escalation in jar_signature agent plugin in Checkmk bef CVE-2023-6735 (Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p17 ...) - check-mk CVE-2023-6040 (An out-of-bounds access vulnerability involving netfilter was reported ...) - TODO: check + - linux 5.18.2-1 + NOTE: https://www.openwall.com/lists/oss-security/2024/01/12/1 + NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1082dd31fe461d482d69da2a8eccfeb7bf07ac2 CVE-2023-52339 (In libebml before 1.4.5, an integer overflow in MemIOCallback.cpp can ...) TODO: check CVE-2023-51350 (A spoofing attack in ujcms v.8.0.2 allows a remote attacker to obtain ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e6911c5692f5a8a2a296cb820643d405a161e35 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e6911c5692f5a8a2a296cb820643d405a161e35 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
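Review bot: the fix is recorded as `- linux 5.18.2-1`, which covers bookworm and sid, but there is no `[bullseye]` or `[buster]` line although both carry kernels older than 5.18.2-1; they will show as unfixed until a line records either the version of the stable backport that reached them or a not-affected state. The NOTE referencing the upstream commit is the right pointer for locating that backport.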
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b6c3b8ce by Moritz Muehlenhoff at 2024-01-12T11:07:04+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,23 +7,23 @@ CVE-2023-5356 CVE-2023-7028 - gitlab CVE-2024-23179 (An issue was discovered in the GlobalBlocking extension in MediaWiki b ...) - TODO: check + NOT-FOR-US: MediaWiki extension GlobalBlocking CVE-2024-23178 (An issue was discovered in the Phonos extension in MediaWiki before 1. ...) - TODO: check + NOT-FOR-US: MediaWiki extension Phonos CVE-2024-23177 (An issue was discovered in the WatchAnalytics extension in MediaWiki b ...) - TODO: check + NOT-FOR-US: MediaWiki extension WatchAnalytics CVE-2024-23174 (An issue was discovered in the PageTriage extension in MediaWiki befor ...) - TODO: check + NOT-FOR-US: MediaWiki extension PageTriage CVE-2024-23173 (An issue was discovered in the Cargo extension in MediaWiki before 1.3 ...) - TODO: check + NOT-FOR-US: MediaWiki extension Cargo CVE-2024-23172 (An issue was discovered in the CheckUser extension in MediaWiki before ...) - TODO: check + NOT-FOR-US: MediaWiki extension CheckUser CVE-2024-23171 (An issue was discovered in the CampaignEvents extension in MediaWiki b ...) - TODO: check + NOT-FOR-US: MediaWiki extension CampaignEvents CVE-2024-22027 (Improper input validation vulnerability in WordPress Quiz Maker Plugin ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-21982 (ONTAP versions 9.4 and higher are susceptible to a vulnerability whic ...) - TODO: check + NOT-FOR-US: ONTAP CVE-2024-21617 (An Incomplete Cleanup vulnerability in Nonstop active routing (NSR) co ...) NOT-FOR-US: Juniper CVE-2024-21616 (An Improper Validation of Syntactic Correctness of Input vulnerability ...) 
@@ -69,63 +69,63 @@ CVE-2024-21587 (An Improper Handling of Exceptional Conditions vulnerability in CVE-2024-21585 (An Improper Handling of Exceptional Conditions vulnerability in BGP se ...) NOT-FOR-US: Juniper CVE-2024-21337 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability) - TODO: check + NOT-FOR-US: Microsoft CVE-2024-20675 (Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability) - TODO: check + NOT-FOR-US: Microsoft CVE-2024-0454 (ELAN Match-on-Chip FPR solution has design fault about potential risk ...) - TODO: check + NOT-FOR-US: ELAN Match-on-Chip FPR CVE-2024-0426 (A vulnerability, which was classified as critical, has been found in F ...) - TODO: check + NOT-FOR-US: ForU CMS CVE-2024-0393 REJECTED CVE-2023-7226 (A vulnerability was found in meetyoucrop big-whale 1.1 and classified ...) - TODO: check + NOT-FOR-US: meetyoucrop big-whale CVE-2023-6740 (Privilege escalation in jar_signature agent plugin in Checkmk before 2 ...) - TODO: check + - check-mk CVE-2023-6735 (Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p17 ...) - TODO: check + - check-mk CVE-2023-6040 (An out-of-bounds access vulnerability involving netfilter was reported ...) TODO: check CVE-2023-52339 (In libebml before 1.4.5, an integer overflow in MemIOCallback.cpp can ...) TODO: check CVE-2023-51350 (A spoofing attack in ujcms v.8.0.2 allows a remote attacker to obtain ...) - TODO: check + NOT-FOR-US: ujcms CVE-2023-50920 (An issue was discovered on GL.iNet devices before version 4.5.0. They ...) - TODO: check + NOT-FOR-US: GL.iNet CVE-2023-50919 (An issue was discovered on GL.iNet devices before version 4.5.0. There ...) - TODO: check + NOT-FOR-US: GL.iNet CVE-2023-50129 (Missing encryption in the NFC tags of the Flient Smart Door Lock v1.0 ...) - TODO: check + NOT-FOR-US: Flient Smart Door Lock CVE-2023-50128 (The remote keyless system of the Hozard alarm system (alarmsystemen) v ...) 
- TODO: check + NOT-FOR-US: Hozard alarm system CVE-2023-50127 (Hozard alarm system (Alarmsysteem) v1.0 is vulnerable to Improper Auth ...) - TODO: check + NOT-FOR-US: Hozard alarm system CVE-2023-50126 (Missing encryption in the RFID tags of the Hozard alarm system (Alarms ...) - TODO: check + NOT-FOR-US: Hozard alarm system CVE-2023-50125 (A default engineer password set on the Hozard alarm system (Alarmsyste ...) - TODO: check + NOT-FOR-US: Hozard alarm system CVE-2023-50124 (Flient Smart Door Lock v1.0 is vulnerable to Use of Default Credential ...) - TODO: check + NOT-FOR-US: Flient Smart Door Lock CVE-2023-50123 (The number of attempts to bring the Hozard Alarm system (alarmsystemen ...) - TODO: check
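Review bot: in the second hunk CVE-2023-6740 and CVE-2023-6735 (the Checkmk jar_signature and mk_tsm agent-plugin privilege escalations) go from TODO: check to a bare "- check-mk" with no fixed version, no bug reference and no NOTE, while comparable open entries in this file carry a "(bug #...)" and a NOTE pointing at the upstream advisory or fix commit. Add the upstream reference and a bug number (or the fixed version, if one is already in unstable) so the two entries do not sit as "unfixed, no pointer". Leaving CVE-2023-6040 (netfilter) and CVE-2023-52339 (libebml) at TODO: check in the same hunk is right, since neither is an NFU candidate.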
[Git][security-tracker-team/security-tracker][master] new gitlab issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e7e48cf by Moritz Muehlenhoff at 2024-01-12T10:13:39+01:00 new gitlab issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2023-6955 + - gitlab +CVE-2023-4812 + - gitlab +CVE-2023-5356 + - gitlab +CVE-2023-7028 + - gitlab CVE-2024-23179 (An issue was discovered in the GlobalBlocking extension in MediaWiki b ...) TODO: check CVE-2024-23178 (An issue was discovered in the Phonos extension in MediaWiki before 1. ...) @@ -39712,6 +39720,7 @@ CVE-2023-2031 (The Locatoraid Store Locator plugin for WordPress is vulnerable t NOT-FOR-US: WordPress plugin CVE-2023-2030 RESERVED + - gitlab CVE-2023-2029 (The PrePost SEO WordPress plugin through 3.0 does not properly sanitiz ...) NOT-FOR-US: WordPress plugin CVE-2023-2028 (The Call Now Accessibility Button WordPress plugin before 1.1 does not ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e7e48cfcf79bcca6e1d5714952e87bcb29e7857
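Review bot: the four entries added at the top of the file (CVE-2023-6955, CVE-2023-4812, CVE-2023-5356, CVE-2023-7028) and the "- gitlab" line added under CVE-2023-2030 carry no description and no NOTE, unlike the surrounding entries, which have either the CVE text in parentheses or a bracketed summary of the form "[Buffer overflow in certain payloads ...]". Add a short "[...]" summary and a NOTE with the GitLab advisory URL so the entries can be triaged for bookworm/bullseye without a lookup; CVE-2023-2030 in particular still reads "RESERVED" on its header line, so a bracketed summary is the only way a reader can tell what its new gitlab line refers to.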
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 51f368c9 by Moritz Muehlenhoff at 2024-01-12T09:47:35+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -17,49 +17,49 @@ CVE-2024-22027 (Improper input validation vulnerability in WordPress Quiz Maker CVE-2024-21982 (ONTAP versions 9.4 and higher are susceptible to a vulnerability whic ...) TODO: check CVE-2024-21617 (An Incomplete Cleanup vulnerability in Nonstop active routing (NSR) co ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21616 (An Improper Validation of Syntactic Correctness of Input vulnerability ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21614 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21613 (A Missing Release of Memory after Effective Lifetime vulnerability in ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21612 (An Improper Handling of Syntactically Invalid Structure vulnerability ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21611 (A Missing Release of Memory after Effective Lifetime vulnerability in ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21607 (An Unsupported Feature in the UI vulnerability in Juniper Networks Jun ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21606 (A Double Free vulnerability in the flow processing daemon (flowd) of J ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21604 (An Allocation of Resources Without Limits or Throttling vulnerability ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21603 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21602 (A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21601 (A Concurrent Execution using Shared Resource with Improper Synchroniza ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21600 (An Improper Neutralization of Equivalent Special Elements vulnerabilit ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21599 (A Missing Release of Memory after Effective Lifetime vulnerability in ...) 
- TODO: check + NOT-FOR-US: Juniper CVE-2024-21597 (An Exposure of Resource to Wrong Sphere vulnerability in the Packet Fo ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21596 (A Heap-based Buffer Overflow vulnerability in the Routing Protocol Dae ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21595 (An Improper Validation of Syntactic Correctness of Input vulnerability ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21594 (A Heap-based Buffer Overflow vulnerability in the Network Services Dae ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21591 (An Out-of-bounds Write vulnerability in J-Web of Juniper Networks Juno ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21589 (An Improper Access Control vulnerability in the Juniper Networks Parag ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21587 (An Improper Handling of Exceptional Conditions vulnerability in the br ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21585 (An Improper Handling of Exceptional Conditions vulnerability in BGP se ...) - TODO: check + NOT-FOR-US: Juniper CVE-2024-21337 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability) TODO: check CVE-2024-20675 (Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability) 
@@ -109,7 +109,7 @@ CVE-2023-40250 (Buffer Copy without Checking Size of Input ('Classic Buffer Over CVE-2023-37117 (A heap-use-after-free vulnerability was found in live555 version 2023. ...) TODO: check CVE-2023-36842 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...) - TODO: check + NOT-FOR-US: Juniper CVE-2023-34061 (Cloud Foundry routing release versions from v0.163.0 to v0.283.0 are v ...) TODO: check CVE-2022-4961 (A vulnerability was found in Weitong Mall 1.0.0. It has been declared ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51f368c9565691af5e383bafa00abd23bd878bf7
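Review bot: the second hunk stops right before CVE-2024-21337 and CVE-2024-20675 (Microsoft Edge, Chromium-based), which stay at TODO: check although they are as clearly NFU as the Juniper run above them; they are resolved as NOT-FOR-US: Microsoft in commit b6c3b8ce later the same day and could have gone in this pass. In the last hunk CVE-2023-37117 (live555 heap use-after-free) and CVE-2023-34061 (Cloud Foundry routing release) remain TODO: check on either side of the resolved Juniper entry; the live555 one should end up with a package line rather than an NFU tag, since live555 is packaged in Debian.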
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c01a5721 by Moritz Muehlenhoff at 2024-01-11T13:50:22+01:00 bookworm/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -255,6 +255,7 @@ CVE-2023-50172 (A recovery notification bypass vulnerability exists in the userR NOT-FOR-US: WWBN AVideo CVE-2023-50120 (MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was discovered to ...) - gpac + [bullseye] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/issues/2698 NOTE: https://github.com/gpac/gpac/commit/b655955b840ccd7c7198bb15375aa510e76208eb CVE-2023-49864 (An information disclosure vulnerability exists in the aVideoEncoderRec ...) @@ -758,6 +759,8 @@ CVE-2024-21650 (XWiki Platform is a generic wiki platform offering runtime servi NOT-FOR-US: XWiki CVE-2024-21647 (Puma is a web server for Ruby/Rack applications built for parallelism. ...) - puma (bug #1060345) + [bookworm] - puma (Minor issue) + [bullseye] - puma (Minor issue) NOTE: https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2 NOTE: https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d (v5.6.8) CVE-2024-21645 (pyLoad is the free and open-source Download Manager written in pure Py ...) @@ -1516,6 +1519,8 @@ CVE-2024-21907 (Newtonsoft.Json before version 13.0.1 is affected by a mishandli NOT-FOR-US: Newtonsoft.Json CVE-2024-21633 (Apktool is a tool for reverse engineering Android APK files. In versio ...) - apktool 2.7.0+dfsg-7 (bug #1060013) + [bookworm] - apktool (Minor issue) + [bullseye] - apktool (Minor issue) NOTE: https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-2hqv-2xv4-5h5w NOTE: https://github.com/iBotPeaches/Apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712 CVE-2024-21631 (Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vap ...) 
@@ -1524,9 +1529,10 @@ CVE-2024-21622 (Craft is a content management system. This is a potential modera NOT-FOR-US: Craft CMS CVE-2024-0217 (A use-after-free flaw was found in PackageKitd. In some conditions, th ...) - packagekit (bug #1060016) + [bookworm] - packagekit (Minor issue) + [bullseye] - packagekit (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256624 NOTE: Reducing impact via: https://github.com/PackageKit/PackageKit/commit/64278c9127e342b56ead99556161f7e86f79 (v1.2.7) - TODO: check, RHBZ#2256624 claims fixed in upstream 1.2.7 but provides no references CVE-2024-0201 (The Product Expiry for WooCommerce plugin for WordPress is vulnerable ...) NOT-FOR-US: WordPress plugin CVE-2023-7068 (The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shippi ...) @@ -33240,6 +33246,8 @@ CVE-2023-34246 (Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Pri {DLA-3494-1} [experimental] - ruby-doorkeeper 5.6.6-1 - ruby-doorkeeper (bug #1038950) + [bookworm] - ruby-doorkeeper (Minor issue) + [bullseye] - ruby-doorkeeper (Minor issue) NOTE: https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w NOTE: https://github.com/doorkeeper-gem/doorkeeper/issues/1589 NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/1646 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c01a5721eb82c1ef27b35307726dcabf20720d5b
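Review bot: the first hunk sets only "[bullseye] - gpac (Vulnerable code not present)" for CVE-2023-50120 although the commit is titled bookworm/bullseye triage; bookworm gets no annotation, which the tracker reads as affected and pending. If bookworm's gpac also lacks the code, add the matching [bookworm] line; if it is affected, say so (Minor issue, or a dsa-needed entry) so the state is explicit rather than implied.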
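Review bot: in the CVE-2024-0217 (packagekit) hunk the line "TODO: check, RHBZ#2256624 claims fixed in upstream 1.2.7 but provides no references" is dropped, but the NOTE above it still describes the 1.2.7 commit only as "Reducing impact via:" and the unstable line "- packagekit (bug #1060016)" still carries no fixed version. Either the open question was answered, in which case record that commit as the fix and add the version, or it was not, in which case the TODO should stay; adding the [bookworm]/[bullseye] Minor issue lines alone leaves the unstable status unresolved. The commit URL in that NOTE also looks truncated (36 hex characters rather than 40); verify that the link resolves.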
[Git][security-tracker-team/security-tracker][master] gtkwave bug
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 371c63cc by Moritz Muehlenhoff at 2024-01-10T20:42:19+01:00 gtkwave bug - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -515,250 +515,250 @@ CVE-2023-47211 (A directory traversal vulnerability exists in the uploadMib func CVE-2023-41710 (User-defined script code could be stored for a upsell related shop URL ...) NOT-FOR-US: Open-Xchange CVE-2023-39444 (Multiple out-of-bounds write vulnerabilities exist in the LXT2 parsing ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1826 CVE-2023-39443 (Multiple out-of-bounds write vulnerabilities exist in the LXT2 parsing ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1826 CVE-2023-39414 (Multiple integer underflow vulnerabilities exist in the LXT2 lxt2_rd_i ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1824 CVE-2023-39413 (Multiple integer underflow vulnerabilities exist in the LXT2 lxt2_rd_i ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1824 CVE-2023-39317 (Multiple integer overflow vulnerabilities exist in the LXT2 num_dict_e ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1820 CVE-2023-39316 (Multiple integer overflow vulnerabilities exist in the LXT2 num_dict_e ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1820 CVE-2023-39275 (Multiple integer overflow vulnerabilities exist in the LXT2 facgeometr ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818 CVE-2023-39274 (Multiple integer overflow vulnerabilities exist in the LXT2 facgeometr ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818 CVE-2023-39273 (Multiple integer overflow vulnerabilities exist in the LXT2 facgeometr ...) 
- - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818 CVE-2023-39272 (Multiple integer overflow vulnerabilities exist in the LXT2 facgeometr ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818 CVE-2023-39271 (Multiple integer overflow vulnerabilities exist in the LXT2 facgeometr ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818 CVE-2023-39270 (Multiple integer overflow vulnerabilities exist in the LXT2 facgeometr ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818 CVE-2023-39235 (Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_p ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1817 CVE-2023-39234 (Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_p ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1817 CVE-2023-38657 (An out-of-bounds write vulnerability exists in the LXT2 zlib block dec ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1823 CVE-2023-38653 (Multiple integer overflow vulnerabilities exist in the VZT vzt_rd_bloc ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1815 CVE-2023-38652 (Multiple integer overflow vulnerabilities exist in the VZT vzt_rd_bloc ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1815 CVE-2023-38651 (Multiple integer overflow vulnerabilities exist in the VZT vzt_rd_bloc ...) 
- - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1814 CVE-2023-38650 (Multiple integer overflow vulnerabilities exist in the VZT vzt_rd_bloc ...) - - gtkwave + - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1814 CVE-2023-38649 (Multiple out-of-bounds write vulnerabilities exist
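Review bot: every gtkwave entry in this commit gains the same "(bug #1060407)" reference, but none gains a fixed version or a NOTE naming the upstream release that addresses its TALOS report, so each CVE still shows as open in unstable with only the Talos advisory as a pointer. Since one bug now covers dozens of CVEs, a NOTE per TALOS report (or on the bug) giving the fixing upstream version would let the entries be closed individually once the package is updated. No bookworm/bullseye annotations are added here either, which is consistent with gtkwave being queued in dsa-needed in commit 1163408e.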
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 28ec6493 by Moritz Muehlenhoff at 2024-01-10T17:25:46+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ +CVE-2023-49619 + NOT-FOR-US: Apache Answer CVE-2024-21643 (IdentityModel Extensions for .NET provide assemblies for web developer ...) - TODO: check + NOT-FOR-US: IdentityModel Extensions for .NET CVE-2024-0364 (A vulnerability, which was classified as critical, was found in PHPGur ...) NOT-FOR-US: PHPGurukul Hospital Management System CVE-2024-0363 (A vulnerability, which was classified as critical, has been found in P ...) @@ -111,7 +113,7 @@ CVE-2024-22165 (In Splunk Enterprise Security (ES) versions lower than 7.1.2, an CVE-2024-22164 (In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker c ...) NOT-FOR-US: Splunk Enterprise Security (ES) CVE-2024-21668 (react-native-mmkv is a library that allows easy use of MMKV inside Rea ...) - TODO: check + NOT-FOR-US: react-native-mmkv CVE-2024-21664 (jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, othe ...) TODO: check CVE-2024-21325 (Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution V ...) @@ -179,7 +181,7 @@ CVE-2024-20676 (Azure Storage Mover Remote Code Execution Vulnerability) CVE-2024-20674 (Windows Kerberos Security Feature Bypass Vulnerability) NOT-FOR-US: Microsoft CVE-2024-20672 (.NET Core and Visual Studio Denial of Service Vulnerability) - TODO: check + NOT-FOR-US: Microsoft .NET CVE-2024-20666 (BitLocker Security Feature Bypass Vulnerability) NOT-FOR-US: Microsoft CVE-2024-20664 (Microsoft Message Queuing Information Disclosure Vulnerability) 
@@ -224,7 +226,7 @@ CVE-2024-0213 (A buffer overflow vulnerability in TA for Linux and TA for MacOS CVE-2024-0206 (A symbolic link manipulation vulnerability in Trellix Anti-Malware Eng ...) NOT-FOR-US: Trellix CVE-2024-0057 (NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnera ...) - TODO: check + NOT-FOR-US: Microsoft .NET CVE-2024-0056 (Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider S ...) NOT-FOR-US: Microsoft CVE-2023-7223 (A vulnerability classified as problematic has been found in Totolink T ...) @@ -300,7 +302,7 @@ CVE-2023-44120 (A vulnerability has been identified in Spectrum Power 7 (All ver CVE-2023-42797 (A vulnerability has been identified in CP-8031 MASTER MODULE (All vers ...) NOT-FOR-US: Siemens CVE-2022-48618 (The issue was addressed with improved checks. This issue is fixed in m ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-41056 [Buffer overflow in certain payloads may lead to remote code execution] - redis 5:7.0.15-1 (bug #1060316) [bullseye] - redis (Vulnerable code not present) @@ -329,7 +331,7 @@ CVE-2024-21651 (XWiki Platform is a generic wiki platform offering runtime servi CVE-2024-21648 (XWiki Platform is a generic wiki platform offering runtime services fo ...) NOT-FOR-US: XWiki CVE-2024-21646 (Azure uAMQP is a general purpose C library for AMQP 1.0. The UAMQP lib ...) - TODO: check + NOT-FOR-US: Azure uAMQP CVE-2023-7220 (A vulnerability was found in Totolink NR1800X 9.1.0u.6279_B20210910 an ...) NOT-FOR-US: Totolink CVE-2023-7219 (A vulnerability has been found in Totolink N350RT 9.3.5u.6139_B202012 ...) 
@@ -463,7 +465,7 @@ CVE-2023-5911 (The WP Custom Cursors | WordPress Cursor Plugin WordPress plugin CVE-2023-5235 (The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not li ...) NOT-FOR-US: WordPress plugin CVE-2023-5091 (Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver allo ...) - TODO: check + NOT-FOR-US: Arm CVE-2023-52271 (The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-pr ...) NOT-FOR-US: Topaz Antifraud CVE-2023-52225 (Deserialization of Untrusted Data vulnerability in Tagbox Tagbox \u201 ...) @@ -499,13 +501,13 @@ CVE-2023-52200 (Cross-Site Request Forgery (CSRF), Deserialization of Untrusted CVE-2023-52190 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) NOT-FOR-US: WordPress plugin CVE-2023-51701 (fastify-reply-from is a Fastify plugin to forward the current HTTP req ...) - TODO: check + NOT-FOR-US: fastify-reply-from CVE-2023-51508 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) NOT-FOR-US: WordPress plugin CVE-2023-51246 (A Cross Site Scripting (XSS) vulnerability in GetSimple CMS 3.3.16 exi ...) NOT-FOR-US: GetSimple CMS CVE-2023-50982 (Stud.IP 5.x through 5.3.3 allows XSS with resultant upload of executab ...) - TODO: check
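Review bot: the new top-of-file entry "CVE-2023-49619" with "NOT-FOR-US: Apache Answer" has no description in parentheses, unlike every neighbouring entry; add the CVE text or a bracketed summary so the NFU decision can be re-checked later without a lookup. Leaving CVE-2024-21664 (jwx, a Go JWx module) at TODO: check in the same region is right: Go modules are often shipped as golang-* source packages and need an archive check rather than a default NFU tag.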
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1163408e by Moritz Muehlenhoff at 2024-01-10T14:56:59+01:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -290,7 +290,10 @@ CVE-2022-48618 (The issue was addressed with improved checks. This issue is fixe TODO: check CVE-2023-41056 [Buffer overflow in certain payloads may lead to remote code execution] - redis 5:7.0.15-1 (bug #1060316) - NOTE: Introduced with changes from: https://github.com/redis/redis/pull/11766 + [bullseye] - redis (Vulnerable code not present) + [buster] - redis (Vulnerable code not present) + NOTE: Introduced with changes from: https://github.com/redis/redis/pull/11766 (which landed + NOTE: in 7.2, but which also got backported to the 7.0. branch) NOTE: https://github.com/redis/redis/commit/e351099e1119fb89496be578f5232c61ce300224 (7.0.15) CVE-2024-22125 (Under certain conditions the Microsoft Edge browser extension (SAP GUI ...) NOT-FOR-US: SAP = data/dsa-needed.txt = @@ -24,6 +24,8 @@ frr -- gpac/oldstable -- +gtkwave +-- h2o (jmm) -- libreswan (jmm) @@ -36,8 +38,11 @@ linux (carnil) nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- -php*seclib* (seb) - Maintainer prepared updates +php-phpseclib (seb) +-- +phpseclib (seb) +-- +php-phpseclib3/stable (seb) -- php-cas/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1163408e442801bcc293d0c93deb936912a1f9f1
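Review bot: the redis hunk for CVE-2023-41056 marks bullseye and buster as "Vulnerable code not present" and the new NOTE says PR 11766 landed in 7.2 but was also backported to the 7.0 branch, yet no [bookworm] line is added and redis does not appear in the dsa-needed hunk of this same commit. If the backport means bookworm's 7.0-series redis carries the vulnerable code, add redis/stable to dsa-needed (or a [bookworm] annotation) so the stable state is explicit. Minor: the NOTE reads "the 7.0. branch", with a stray period after 7.0.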
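Review bot: in dsa-needed.txt the combined entry "php*seclib* (seb)" and its status line "Maintainer prepared updates" are replaced by php-phpseclib (seb), phpseclib (seb) and php-phpseclib3/stable (seb), but the status line disappears in the split. Keep "Maintainer prepared updates" under whichever of the three entries it still applies to; otherwise the queue no longer records that prepared updates exist.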
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b49ba638 by Moritz Muehlenhoff at 2024-01-09T10:08:37+01:00 bookworm/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -688,6 +688,8 @@ CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video Slider NOT-FOR-US: WordPress plugin CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakag ...) - pycryptodome (bug #1060059) + [bookworm] - pycryptodome (Minor issue) + [bullseye] - pycryptodome (Minor issue) NOTE: https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd (v3.19.1) CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Jo ...) NOT-FOR-US: WordPress plugin @@ -3528,13 +3530,8 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun [bookworm] - paramiko (Minor issue) [bullseye] - paramiko (Minor issue) - phpseclib 1.0.22-1 - [bookworm] - phpseclib (Minor issue) - [bullseye] - phpseclib (Minor issue) - php-phpseclib 2.0.46-1 - [bookworm] - php-phpseclib (Minor issue) - [bullseye] - php-phpseclib (Minor issue) - php-phpseclib3 3.0.35-1 - [bookworm] - php-phpseclib3 (Minor issue) - proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144) [bookworm] - proftpd-dfsg (Minor issue) [bullseye] - proftpd-dfsg (Minor issue) 
@@ -14649,6 +14646,8 @@ CVE-2023-5575 (Improper access control in the permission inheritance in Devoluti CVE-2023-5561 (WordPress does not properly restrict which user fields are searchable ...) {DLA-3658-1} - wordpress 6.3.2+dfsg1-1 + [bookworm] - wordpress (Minor issue) + [bullseye] - wordpress (Minor issue) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ NOTE: https://core.trac.wordpress.org/changeset/56840/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b49ba638bb8cf6726e4caa4b68beddabc056eb86
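Review bot: the CVE-2023-48795 hunk removes the five "(Minor issue)" annotations for phpseclib, php-phpseclib and php-phpseclib3 that commit baf17973 added four days earlier, without a NOTE saying why; the reason (DSAs are planned) is only recoverable from the dsa-needed change in commit 1163408e the next day. A one-line NOTE on the entry ("DSA planned for phpseclib packages") would keep the CVE entry self-explanatory, since a reader of data/CVE/list alone now sees the three packages as affected in bookworm/bullseye with no status at all.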
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b97b1d8b by Moritz Muehlenhoff at 2024-01-08T20:35:53+01:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -3062,6 +3062,8 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun [bullseye] - filezilla (Minor issue) [buster] - filezilla (Minor issue) - golang-go.crypto 1:0.17.0-1 (bug #1059003) + [bookworm] - golang-go.crypto (Minor issue) + [bullseye] - golang-go.crypto (Minor issue) - jsch (ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58) - libssh 0.10.6-1 (bug #1059004) - libssh2 1.11.0-4 (bug #1059005) @@ -3091,6 +3093,8 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - python-asyncssh (bug #1059007) - tinyssh 20230101-4 (bug #1059058; unimportant) - trilead-ssh2 (bug #1059294) + [bookworm] - trilead-ssh2 (Minor issue) + [bullseye] - trilead-ssh2 (Minor issue) NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 NOTE: dropbear: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 @@ -4451,6 +4455,8 @@ CVE-2023-42495 (Dasan Networks - W-Web versions 1.22-1.27 - CWE-78: Improper Neu CVE-2023-34194 (StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML ...) {DLA-3701-1} - tinyxml 2.6.2-6.1 (bug #1059315) + [bookworm] - tinyxml (Minor issue) + [bullseye] - tinyxml (Minor issue) NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities NOTE: Debian (non upstream) patch: https://salsa.debian.org/debian/tinyxml/-/raw/2366e1f23d059d4c20c43c54176b6bd78d6a83fc/debian/patches/CVE-2023-34194.patch CVE-2023-6707 (Use after free in CSS in Google Chrome prior to 120.0.6099.109 allowed ...) 
@@ -7057,6 +7063,8 @@ CVE-2023-47418 (Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 NOT-FOR-US: p2pa CVE-2023-40458 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability i ...) - tinyxml (bug #1059315) + [bookworm] - tinyxml (Minor issue) + [bullseye] - tinyxml (Minor issue) NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities CVE-2023-3741 (An OS Command injection vulnerability in NEC Platforms DT900 and DT900 ...) NOT-FOR-US: NEC @@ -15628,6 +15636,8 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource - tomcat10 10.1.14-1 - trafficserver 9.2.3+ds-1 (bug #1053801; bug #1054427) - grpc + [bookworm] - grpc (Minor issue) + [bullseye] - grpc (Minor issue) - h2o 2.2.5+dfsg2-8 (bug #1054232) - haproxy 1.8.13-1 - nginx 1.24.0-2 (unimportant; bug #1053770) = data/dsa-needed.txt = @@ -39,6 +39,8 @@ php*seclib* (seb) -- php-cas/oldstable -- +php-dompdf-svg-lib/stable +-- php-horde-mime-viewer/oldstable -- php-horde-turba/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b97b1d8b86be85dbfe389ffe87b5dbe6f74a27c7
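Review bot: the two tinyxml hunks reference the same bug (#1059315), but CVE-2023-34194 is recorded as fixed in unstable ("- tinyxml 2.6.2-6.1") while CVE-2023-40458 still reads "- tinyxml (bug #1059315)" with no version, and both now get identical bookworm/bullseye "Minor issue" lines. If 2.6.2-6.1 was meant to close the whole bug, CVE-2023-40458 should carry the same version; if the infinite-loop issue is still open upstream, it needs its own bug or a NOTE, because one bug number cannot be both closed and open. Drive-by in the context of the first hunk: "NOT-FOR-US: p2pa" under the o2oa entry is a typo for o2oa. In the CVE-2023-44487 hunk the grpc line "- grpc" has no fixed version in unstable either, so the new Minor issue annotations describe stable while sid remains untriaged.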
[Git][security-tracker-team/security-tracker][master] condor fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1be025b1 by Moritz Muehlenhoff at 2024-01-05T14:31:09+01:00 condor fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -131238,7 +131238,7 @@ CVE-2022-26111 (The BeanShell components of IRISNext through 9.8.28 allow execut NOT-FOR-US: IRISNext CVE-2022-26110 (An issue was discovered in HTCondor 8.8.x before 8.8.16, 9.0.x before ...) {DSA-5144-1 DLA-2984-1} - - condor (bug #1008634) + - condor 23.2.0+dfsg-1 (bug #1008634) NOTE: https://htcondor.org/security/vulnerabilities/HTCONDOR-2022-0003 NOTE: https://github.com/htcondor/htcondor/commit/1cae7601d796725e7f5dd73fedf37f6fbbe379ca (V8_8_16) NOTE: https://github.com/htcondor/htcondor/commit/8568e8ba65c9490f30a1089b6d4f8910e4bfbd6b (V8_8_16) @@ -147986,7 +147986,7 @@ CVE-2021-45102 (An issue was discovered in HTCondor 9.0.x before 9.0.4 and 9.1.x - condor (Only affects 9.0.0 and above) NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0004/ CVE-2021-45101 (An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, ...) - - condor (bug #1002540) + - condor 23.2.0+dfsg-1 (bug #1002540) [buster] - condor (Patch is too intrusive to backport) [stretch] - condor (Patch is too destructive to backport it; Patch does not apply cleanly. Too many calls in patch, not existed in this version of the software) NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0003/ 
@@ -297816,7 +297816,7 @@ CVE-2019-18824 (Barco ClickShare Button R9861500D01 devices before 1.10.0.13 hav NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18823 (HTCondor up to and including stable series 8.8.6 and development serie ...) {DSA-5144-1 DLA-2724-1} - - condor (bug #963777) + - condor 23.2.0+dfsg-1 (bug #963777) NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0003.html NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html NOTE: https://github.com/htcondor/htcondor/commit/95eaee86e7ad3852c17df46a1b8b193dabd1fd14 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1be025b1121790cac7f68d01a3e21ae083b618f3
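Review bot: the second hunk records condor 23.2.0+dfsg-1 as the fix for CVE-2021-45101 but leaves the neighbouring CVE-2021-45102 (context line "- condor (Only affects 9.0.0 and above)", described as affecting 9.0.x before 9.0.4 and 9.1.x) without a version. With 23.2.0 now in sid that entry still reads as unfixed in unstable; if the same upload closes it, add "23.2.0+dfsg-1" there as well, otherwise a NOTE explaining why 45102 is treated differently would help.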
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: baf17973 by Moritz Muehlenhoff at 2024-01-05T12:18:25+01:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1156,6 +1156,8 @@ CVE-2023-51075 (hutool-core v5.8.23 was discovered to contain an infinite loop i NOT-FOR-US: Hutool CVE-2023-51074 (json-path v2.8.0 was discovered to contain a stack overflow via the Cr ...) - jayway-jsonpath + [bookworm] - jayway-jsonpath (Minor issue) + [bullseye] - jayway-jsonpath (Minor issue) NOTE: https://github.com/json-path/JsonPath/issues/973 CVE-2023-51010 (An issue in the export component AdSdkH5Activity of com.sdjictec.qdmet ...) NOT-FOR-US: com.sdjictec.qdmetro @@ -2854,8 +2856,13 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun [bookworm] - paramiko (Minor issue) [bullseye] - paramiko (Minor issue) - phpseclib 1.0.22-1 + [bookworm] - phpseclib (Minor issue) + [bullseye] - phpseclib (Minor issue) - php-phpseclib 2.0.46-1 + [bookworm] - php-phpseclib (Minor issue) + [bullseye] - php-phpseclib (Minor issue) - php-phpseclib3 3.0.35-1 + [bookworm] - php-phpseclib3 (Minor issue) - proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144) [bookworm] - proftpd-dfsg (Minor issue) [bullseye] - proftpd-dfsg (Minor issue) 
@@ -2934,12 +2941,18 @@ CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated To NOT-FOR-US: ADiTaaS (Allied Digital Integrated Tool-as-a-Service) CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows atta ...) - libcrypto++ (bug #1059312) + [bookworm] - libcrypto++ (Minor issue) + [bullseye] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1249 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to ...) - libcrypto++ (bug #1059311) + [bookworm] - libcrypto++ (Minor issue) + [bullseye] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1248 CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during ...) - libcrypto++ (bug #1059310) + [bookworm] - libcrypto++ (Minor issue) + [bullseye] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1247 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authoriz ...) NOT-FOR-US: Redpanda @@ -3989,6 +4002,8 @@ CVE-2023-50782 [Bleichenbacher timing oracle attack against RSA decryption - inc NOTE: CVE is for incomplete fix of CVE-2020-25659 CVE-2023-50781 [Bleichenbacher timing attacks in the RSA decryption API - incomplete fix for CVE-2020-25657] - m2crypto (bug #1059292) + [bookworm] - m2crypto (Minor issue) + [bullseye] - m2crypto (Minor issue) [buster] - m2crypto (Minor issue; it's an incomplete fix of CVE-2020-25657) NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/342 NOTE: https://people.redhat.com/~hkario/marvin/ 
@@ -13161,6 +13176,8 @@ CVE-2023-45805 (pdm is a Python package and dependency manager supporting the la NOTE: https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831 CVE-2023-44483 (All versions of Apache Santuario - XML Security for Java prior to 2.2. ...) - libxml-security-java (bug #1059313) + [bookworm] - libxml-security-java (Minor issue) + [bullseye] - libxml-security-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/10/20/5 NOTE: https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 NOTE: https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc @@ -18706,6 +18723,8 @@ CVE-2023-37611 (Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allow NOT-FOR-US: Neos CMS CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When creating a n ...) - ansible (bug #1055300) + [bookworm] - ansible (Minor issue) + [bullseye] - ansible (Minor issue) [buster] - ansible (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229979 NOTE: https://github.com/advisories/GHSA-ww3m-ffrm-qvqv = data/dsa-needed.txt = @@ -48,6 +48,8 @@ python3.11/stable (carnil) -- python3.9/oldstable -- +python-asyncssh +-- redmine/stable -- ring View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baf179734b0fede4b1a1c6cf53b59b1721456257 -- View it on GitLab: https://salsa.debian.org
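Review bot: in the phpseclib hunk of data/CVE/list, `phpseclib` and `php-phpseclib` each get both a `[bookworm]` and a `[bullseye]` "Minor issue" marker, but `php-phpseclib3` only gets `+ [bookworm] - php-phpseclib3 (Minor issue)`. If php-phpseclib3 is also shipped in bullseye its status for CVE-2023-48795 is still left open after this triage and needs the matching `[bullseye]` line; if it is not in bullseye, the asymmetry is fine as is.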
[Git][security-tracker-team/security-tracker][master] chromium fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d468829 by Moritz Muehlenhoff at 2024-01-04T13:00:43+01:00 chromium fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43,16 +43,16 @@ CVE-2023-49442 (Deserialization of Untrusted Data in jeecgFormDemoController in CVE-2023-41784 (Permissions and Access Control Vulnerability in ZTE Red Magic 8 Pro) NOT-FOR-US: ZTE CVE-2024-0225 (Use after free in WebGPU in Google Chrome prior to 120.0.6099.199 allo ...) - - chromium + - chromium 120.0.6099.199-1 [buster] - chromium (see DSA 5046) CVE-2024-0224 (Use after free in WebAudio in Google Chrome prior to 120.0.6099.199 al ...) - - chromium + - chromium 120.0.6099.199-1 [buster] - chromium (see DSA 5046) CVE-2024-0223 (Heap buffer overflow in ANGLE in Google Chrome prior to 120.0.6099.199 ...) - - chromium + - chromium 120.0.6099.199-1 [buster] - chromium (see DSA 5046) CVE-2024-0222 (Use after free in ANGLE in Google Chrome prior to 120.0.6099.199 allow ...) - - chromium + - chromium 120.0.6099.199-1 [buster] - chromium (see DSA 5046) CVE-2024-21911 (TinyMCE versions before 5.6.0 are affected by a stored cross-site scri ...) - tinymce View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d468829deb5605bf889151a87fc3e9297893d93 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d468829deb5605bf889151a87fc3e9297893d93 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 99f1bf0a by Moritz Muehlenhoff at 2024-01-04T12:39:24+01:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -133,6 +133,7 @@ CVE-2023-50090 (Arbitrary File Write vulnerability in the saveReportFile method NOT-FOR-US: ureport CVE-2023-46929 (An issue discovered in GPAC 2.3-DEV-rev605-gfc9e29089-master in MP4Box ...) - gpac + [bullseye] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/issues/2662 NOTE: https://github.com/gpac/gpac/commit/4248def5d24325aeb0e35cacde3d56c9411816a6 CVE-2023-46742 (CubeFS is an open-source cloud-native file storage system. CubeFS prio ...) 
@@ -179,22 +180,34 @@ CVE-2024-21623 (OTCLient is an alternative tibia client for otserv. Prior to com NOT-FOR-US: OTCLient CVE-2024-0211 (DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via ...) - wireshark (bug #1059925) + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-05.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19557 CVE-2024-0210 (Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service ...) - wireshark (bug #1059925) + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-04.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19504 CVE-2024-0209 (IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3 ...) - wireshark (bug #1059925) + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-02.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19501 + NOTE: The bug references two crashes, this is for the one labelled "BUG log 2", + NOTE: the more severe "Bug log 1" only affected unreleased versions CVE-2024-0208 (GVCP dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to ...) - wireshark (bug #1059925) + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-01.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19496 CVE-2024-0207 (HTTP3 dissector crash in Wireshark 4.2.0 allows denial of service via ...) - wireshark (bug #1059925) + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-03.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19502 CVE-2024-0196 (A vulnerability has been found in Magic-Api up to 2.0.1 and classified ...) 
@@ -246,19 +259,24 @@ CVE-2023-50019 (An issue was discovered in open5gs v2.6.6. InitialUEMessage, Reg CVE-2023-4164 (There is a possible informationdisclosure due to a missing permission ...) NOT-FOR-US: Google Pixel Watch CVE-2023-49558 (An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a de ...) - - yasm + - yasm (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/yasm/yasm/issues/252 CVE-2023-49557 (An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a de ...) - - yasm + - yasm (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/yasm/yasm/issues/253 CVE-2023-49556 (Buffer Overflow vulnerability in YASM 1.3.0.86.g9def allows a remote a ...) - - yasm + - yasm (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/yasm/yasm/issues/250 CVE-2023-49555 (An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a de ...) - - yasm + - yasm (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/yasm/yasm/issues/248 CVE-2023-49554 (Use After Free vulnerability in YASM 1.3.0.86.g9def allows a remote at ...) - - yasm + - yasm (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/yasm/yasm/issues/249 CVE-2023-49553 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) NOT-FOR-US: Cesenta MJS @@ -1246,6 +1264,8 @@ CVE-2023-51363 (VR-S1000 firmware Ver. 2.37 and earlier allows a network-adjacen NOT-FOR-US: VR-S1000 firmware CVE-2023-50658 (The jose2go component before 1.6.0 for Go allows attackers to cause a ...) - golang-github-dvsekhvalnov-jose2go (bug #105950
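Review bot: in the first hunk, CVE-2023-46929 gets `+ [bullseye] - gpac (Vulnerable code not present)` while the `- gpac` line above it still carries no version and no `[bookworm]` marker, so bookworm remains untriaged for this entry; if gpac is part of bookworm a bookworm line (either a matching "Vulnerable code not present" or a no-dsa marker) is needed, otherwise the hunk is complete.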
[Git][security-tracker-team/security-tracker][master] cvelist.el: New defun to mark a CVE as a non issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 862f0bd0 by Moritz Muehlenhoff at 2024-01-04T10:23:09+01:00 cvelist.el: New defun to mark a CVE as a non issue - - - - - 1 changed file: - conf/cvelist.el Changes: = conf/cvelist.el = @@ -17,6 +17,7 @@ (setq last-nfu "") (setq bugnum "") +(setq non_issue_reason "Crash in CLI tool, no security impact") (setq newsrcpkg "") (setq default_distro "bullseye") @@ -41,6 +42,14 @@ (end-of-line) (insert " (bug #" bugnum ")" )) +(defun debian-cvelist-mark-non-issue () + "Mark an entry as a non issue." + (setq bugnum (read-string "Why is this a non-issue?: " non_issue_reason)) + (interactive) + (end-of-line) + (insert " (unimportant)" ) + (insert "\n\tNOTE: " non_issue_reason )) + ; TODO: Read supported distros from central config and prompt for applicable suites (defun debian-cvelist-insert-nodsa () "Insert no-dsa comment based on the current source entry." @@ -100,6 +109,7 @@ (define-key map (kbd "C-c C-x") 'debian-cvelist-insert-not-affected) (define-key map (kbd "C-c C-p") 'debian-cvelist-insert-postponed) (define-key map (kbd "C-c C-b") 'debian-cvelist-insert-bug) + (define-key map (kbd "C-c C-u") 'debian-cvelist-mark-non-issue) (define-key map (kbd "C-c C-p") 'debian-cvelist-ptslookup) map) "Keymap for `debian-cvelist-mode'.") View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/862f0bd0052b3a4a99f64350711254dc85746638 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/862f0bd0052b3a4a99f64350711254dc85746638 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
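Review bot: in the `debian-cvelist-mark-non-issue` hunk the `(interactive)` form is placed after `(setq bugnum ...)`, but Emacs only treats `interactive` as a declaration when it immediately follows the docstring; placed later it is an ordinary form that evaluates to nil, so the defun is not a command and the new `C-c C-u` binding in the keymap hunk will fail with a `commandp` error when pressed. Move `(interactive)` to directly after `"Mark an entry as a non issue."`. Second, the prompt's answer is stored in `bugnum` while the inserted NOTE uses `non_issue_reason`, so whatever the user types at "Why is this a non-issue?: " is discarded and the default string is always inserted (and `bugnum`, which `debian-cvelist-insert-bug` relies on, is clobbered); suggest `(setq non_issue_reason (read-string "Why is this a non-issue?: " non_issue_reason))` or a `let`-bound local that the `insert` call then uses.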
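Review bot: the keymap hunk's context lines show `C-c C-p` bound twice, first to `debian-cvelist-insert-postponed` and then to `debian-cvelist-ptslookup`; the later `define-key` wins, so `debian-cvelist-insert-postponed` is unreachable from the keymap. This predates the change, but since the hunk is already adding a binding next to those lines it is the right moment to give one of the two a distinct key.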
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bafdec8e by Moritz Muehlenhoff at 2024-01-04T09:21:01+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,47 +1,47 @@ CVE-2024-21634 (Amazon Ion is a Java implementation of the Ion data notation. Prior to ...) - TODO: check + NOT-FOR-US: Amazon Ion CVE-2024-20809 (Improper access control vulnerability in Nearby device scanning prior ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-20808 (Improper access control vulnerability in Nearby device scanning prior ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-20807 (Implicit intent hijacking vulnerability in Samsung Email prior to vers ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-20806 (Improper access control in Notification service prior to SMR Jan-2024 ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-20805 (Path traversal vulnerability in ZipCompressor of MyFiles prior to SMR ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-20804 (Path traversal vulnerability in FileUriConverter of MyFiles prior to S ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-20803 (Improper authentication vulnerability in Bluetooth pairing process pri ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-20802 (Improper access control vulnerability in Samsung DeX prior to SMR Jan- ...) - TODO: check + NOT-FOR-US: Samsung CVE-2023-6738 (The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6733 (The WP-Members Membership Plugin plugin for WordPress is vulnerable to ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6540 (A vulnerability was reported in the Lenovo Browser Mobile and Lenovo B ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2023-6498 (The Complianz \u2013 GDPR/CCPA Cookie Consent plugin for WordPress is ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6338 (Uncontrolled search path vulnerabilities were reported in the Lenovo U ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2023-5138 (Glitch detection is not enabled by default for the CortexM33 core in S ...) 
- TODO: check + NOT-FOR-US: Silabs CVE-2023-52141 REJECTED CVE-2023-52140 REJECTED CVE-2023-50630 (Cross Site Scripting (XSS) vulnerability in xiweicheng TMS v.2.28.0 al ...) - TODO: check + NOT-FOR-US: xiweicheng TMS CVE-2023-50256 (Froxlor is open source server administration software. Prior to versio ...) - TODO: check + - froxlor (bug #581792) CVE-2023-50082 (Aoyun Technology pbootcms V3.1.2 is vulnerable to Incorrect Access Con ...) - TODO: check + NOT-FOR-US: pbootcms CVE-2023-49442 (Deserialization of Untrusted Data in jeecgFormDemoController in JEECG ...) - TODO: check + NOT-FOR-US: JEECG CVE-2023-41784 (Permissions and Access Control Vulnerability in ZTE Red Magic 8 Pro) - TODO: check + NOT-FOR-US: ZTE CVE-2024-0225 (Use after free in WebGPU in Google Chrome prior to 120.0.6099.199 allo ...) - chromium [buster] - chromium (see DSA 5046) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bafdec8edeaae199a9974e5d7e786b41923028f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bafdec8edeaae199a9974e5d7e786b41923028f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
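Review bot: `+ - froxlor (bug #581792)` in the second hunk references a bug number far older than every other bug reference in this series (#1059xxx), and it is the only entry in the hunk not marked NOT-FOR-US. If #581792 is the ITP/RFP bug because froxlor is not in the archive, the entry follows tracker convention; otherwise the number deserves a second look before it is relied on.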
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f1734f7c by Moritz Muehlenhoff at 2024-01-03T16:32:27+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,17 @@ +CVE-2023-51785 + NOT-FOR-US: Apache InLong +CVE-2023-51784 + NOT-FOR-US: Apache InLong CVE-2024-21632 (omniauth-microsoft_graph provides an Omniauth strategy for the Microso ...) - TODO: check + NOT-FOR-US: omniauth-microsoft_graph CVE-2024-21629 (Rust EVM is an Ethereum Virtual Machine interpreter. In `rust-evm`, a ...) - TODO: check + NOT-FOR-US: Rust EVM CVE-2024-21628 (PrestaShop is an open-source e-commerce platform. Prior to version 8.1 ...) NOT-FOR-US: PrestaShop CVE-2024-21627 (PrestaShop is an open-source e-commerce platform. Prior to versions 8. ...) NOT-FOR-US: PrestaShop CVE-2024-21623 (OTCLient is an alternative tibia client for otserv. Prior to commit db ...) - TODO: check + NOT-FOR-US: OTCLient CVE-2024-0211 (DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via ...) - wireshark NOTE: https://www.wireshark.org/security/wnpa-sec-2024-05.html @@ -29,9 +33,9 @@ CVE-2024-0207 (HTTP3 dissector crash in Wireshark 4.2.0 allows denial of service NOTE: https://www.wireshark.org/security/wnpa-sec-2024-03.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19502 CVE-2024-0196 (A vulnerability has been found in Magic-Api up to 2.0.1 and classified ...) - TODO: check + NOT-FOR-US: Magic-Api CVE-2024-0195 (A vulnerability, which was classified as critical, was found in spider ...) - TODO: check + NOT-FOR-US: spider-flow CVE-2024-0194 (A vulnerability, which was classified as critical, has been found in C ...) NOT-FOR-US: CodeAstro Internet Banking System CVE-2023-7027 (The POST SMTP Mailer \u2013 Email log, Delivery Failure Notifications ...) 
@@ -75,7 +79,7 @@ CVE-2023-50020 (An issue was discovered in open5gs v2.6.6. SIGPIPE can be used t CVE-2023-50019 (An issue was discovered in open5gs v2.6.6. InitialUEMessage, Registrat ...) NOT-FOR-US: Open5GS CVE-2023-4164 (There is a possible informationdisclosure due to a missing permission ...) - TODO: check + NOT-FOR-US: Google Pixel Watch CVE-2023-49558 (An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a de ...) - yasm NOTE: https://github.com/yasm/yasm/issues/252 
@@ -92,15 +96,15 @@ CVE-2023-49554 (Use After Free vulnerability in YASM 1.3.0.86.g9def allows a rem - yasm NOTE: https://github.com/yasm/yasm/issues/249 CVE-2023-49553 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) - TODO: check + NOT-FOR-US: Cesenta MJS CVE-2023-49552 (An Out of Bounds Write in Cesanta mjs 2.20.0 allows a remote attacker ...) - TODO: check + NOT-FOR-US: Cesenta MJS CVE-2023-49551 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) - TODO: check + NOT-FOR-US: Cesenta MJS CVE-2023-49550 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) - TODO: check + NOT-FOR-US: Cesenta MJS CVE-2023-49549 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) - TODO: check + NOT-FOR-US: Cesenta MJS CVE-2023-48418 (In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a ...) TODO: check CVE-2023-47473 (Directory Traversal vulnerability in fuwushe.org iFair versions 23.8_a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1734f7c81fe0e5ea8d7bc46e52618c8cd8aee25 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1734f7c81fe0e5ea8d7bc46e52618c8cd8aee25 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
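Review bot: the five `+ NOT-FOR-US: Cesenta MJS` lines in the last hunk misspell the vendor; the CVE descriptions on the same entries read `Cesanta mjs`, so the marker should be `NOT-FOR-US: Cesanta mjs`. Consistent spelling matters here because NOT-FOR-US markers are what later greps for the upstream name will match.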
[Git][security-tracker-team/security-tracker][master] libpod ospu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d46d3db3 by Moritz Mühlenhoff at 2024-01-02T12:34:09+01:00 libpod ospu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -119,3 +119,5 @@ CVE-2023-22084 [bullseye] - mariadb-10.5 1:10.5.23-0+deb11u1 CVE-2022-4515 [bullseye] - exuberant-ctags 1:5.9~svn20110310-14+deb11u1 +CVE-2022-2989 + [bullseye] - libpod 3.0.1+dfsg1-3+deb11u5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d46d3db3bab344a65bdaba1ab7d5d89ca9f88816 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d46d3db3bab344a65bdaba1ab7d5d89ca9f88816 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c49b2bc by Moritz Muehlenhoff at 2024-01-02T12:13:50+01:00 bookworm/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -208,6 +208,7 @@ CVE-2021-46901 (examples/6lbr/apps/6lbr-webserver/httpd.c in CETIC-6LBR (aka 6lb NOT-FOR-US: CETIC-6LBR (aka 6lbr) CVE-2021-46900 (Sympa before 6.2.62 relies on a cookie parameter for certain security ...) - sympa 6.2.66~dfsg-1 + [bullseye] - sympa (Minor issue) NOTE: https://www.sympa.community/security/2021-001.html NOTE: https://github.com/sympa-community/sympa/issues/1091 CVE-2023-7192 [netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()] @@ -689,6 +690,7 @@ CVE-2023-50038 (There is an arbitrary file upload vulnerability in the backgroun - textpattern CVE-2023-49469 (Reflected Cross Site Scripting (XSS) vulnerability in Shaarli v0.12.2, ...) - shaarli 0.13.0+dfsg-1 + [bookworm] - shaarli (Minor issue) NOTE: https://github.com/shaarli/Shaarli/issues/2038 NOTE: https://github.com/shaarli/Shaarli/commit/326870f216ba52d80488cb4ba3fadcf1247d7cf8 (v0.13.0) CVE-2023-49230 (An issue was discovered in Peplink Balance Two before 8.4.0. A missing ...) @@ -1062,6 +1064,8 @@ CVE-2023-51766 (Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/C NOTE: https://git.exim.org/exim.git/commit/5bb786d5ad568a88d50d15452aacc8404047e5ca CVE-2023-51765 (sendmail through at least 8.14.7 allows SMTP smuggling in certain conf ...) - sendmail (bug #1059386) + [bookworm] - sendmail (Minor issue) + [bullseye] - sendmail (Minor issue) NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 NOTE: https://www.openwall.com/lists/oss-security/2023/12/26/5 
@@ -1133,14 +1137,20 @@ CVE-2023-50727 (Resque is a Redis-backed Ruby library for creating background jo CVE-2023-6937 [experimental] - wolfssl 5.6.6-1 - wolfssl 5.6.6-1.2 (bug #1059357) + [bookworm] - wolfssl (Minor issue) + [bullseye] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/blob/v5.6.6-stable/ChangeLog.md#vulnerabilities CVE-2023-6936 [experimental] - wolfssl 5.6.6-1 - wolfssl 5.6.6-1.2 (bug #1059357) + [bookworm] - wolfssl (Minor issue) + [bullseye] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/blob/v5.6.6-stable/ChangeLog.md#vulnerabilities CVE-2023-6935 [experimental] - wolfssl 5.6.6-1 - wolfssl 5.6.6-1.2 (bug #1059357) + [bookworm] - wolfssl (Minor issue) + [bullseye] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/blob/v5.6.6-stable/ChangeLog.md#vulnerabilities CVE-2023-7076 (A vulnerability was found in slawkens MyAAC up to 0.8.13. It has been ...) NOT-FOR-US: slawkens MyAAC @@ -1314,6 +1324,8 @@ CVE-2023-6690 (A race condition in GitHub Enterprise Server allowed an existing NOT-FOR-US: GitHub Enterprise Server CVE-2023-51713 (make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of- ...) - proftpd-dfsg 1.3.8.a+dfsg-1 + [bookworm] - proftpd-dfsg (Minor issue) + [bullseye] - proftpd-dfsg (Minor issue) NOTE: https://github.com/proftpd/proftpd/issues/1683 NOTE: https://github.com/proftpd/proftpd/commit/1376d8ccc0966d1ce9a1c76b32c6a9ca61bbe67f (v1.3.9rc1) NOTE: https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592 (v1.3.8a) @@ -2354,6 +2366,8 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun [buster] - libssh2 (ChaCha20-Poly1305 and CBC-EtM support not present) - openssh 1:9.6p1-1 - paramiko (bug #1059006) + [bookworm] - paramiko (Minor issue) + [bullseye] - paramiko (Minor issue) - phpseclib 1.0.22-1 - php-phpseclib 2.0.46-1 - php-phpseclib3 3.0.35-1 
@@ -3481,6 +3495,8 @@ CVE-2023-31546 (Cross Site Scripting (XSS) vulnerability in DedeBIZ v6.0.3 allow NOT-FOR-US: DedeBIZ CVE-2023-50782 [Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659] - python-cryptography (bug #1059308) + [bookworm] - python-cryptography (Minor issue) + [bullseye] - python-cryptography (Minor issue) [buster] - python-cryptography (Minor issue; it's an incomplete fix of CVE-2020-25659) NOTE: https://github.com/pyca/cryptography/issues/9785 NOTE: https://people.redhat.com/~hkario/marvin/ @@ -14319,6 +14335,7 @@ CVE-2023-44689 (e-Gov Client Application (Windows version) versions prior to 2.1
[Git][security-tracker-team/security-tracker][master] vim fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 188104a7 by Moritz Muehlenhoff at 2024-01-01T19:46:21+01:00 vim fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6867,7 +6867,7 @@ CVE-2023-40002 (Exposure of Sensitive Information to an Unauthorized Actor vulne CVE-2023-39253 (Dell OS Recovery Tool, versions 2.2.4013, 2.3.7012.0, and 2.3.7515.0 c ...) NOT-FOR-US: Dell CVE-2023-48706 (Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-a ...) - - vim (unimportant) + - vim 2:9.0.2189-1 (unimportant) NOTE: https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q NOTE: Fixed by: https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf8 (v9.0.2121) NOTE: Crash in CLI tool, no security impact View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/188104a7f66d84781a58fdeb160dd7f22702ab72 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/188104a7f66d84781a58fdeb160dd7f22702ab72 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] gemmi fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e5d2231 by Moritz Muehlenhoff at 2023-12-31T13:42:45+01:00 gemmi fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5273,7 +5273,7 @@ CVE-2023-5332 (Patch in third party library Consul requires 'enable-script-check CVE-2023-49287 (TinyDir is a lightweight C directory and file reader. Buffer overflows ...) - falcosecurity-libs (bug #1059256) [bookworm] - falcosecurity-libs (Minor issue) - - gemmi (bug #1059257) + - gemmi 0.6.4+ds-1 (bug #1059257) [bookworm] - gemmi (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/12/04/1 NOTE: https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e5d22313182960144e0a01b72e8dcb36f584e33 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e5d22313182960144e0a01b72e8dcb36f584e33 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] libsass fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ba45f82 by Moritz Muehlenhoff at 2023-12-30T20:55:56+01:00 libsass fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -81656,14 +81656,14 @@ CVE-2022-43359 (Gifdec commit 1dcbae19363597314f6623010cc80abad4e47f7c was disco NOT-FOR-US: Gifdec CVE-2022-43358 (Stack overflow vulnerability in ast_selectors.cpp: in function Sass::C ...) [experimental] - libsass 3.6.5+20231221-1 - - libsass (bug #1051895) + - libsass 3.6.5+20231221-2 (bug #1051895) [bookworm] - libsass (Minor issue) [bullseye] - libsass (Minor issue) [buster] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/3178 CVE-2022-43357 (Stack overflow vulnerability in ast_selectors.cpp in function Sass::Co ...) [experimental] - libsass 3.6.5+20231221-1 - - libsass (bug #1051893) + - libsass 3.6.5+20231221-2 (bug #1051895) [bookworm] - libsass (Minor issue) [bullseye] - libsass (Minor issue) [buster] - libsass (Minor issue) @@ -128882,7 +128882,7 @@ CVE-2022-26593 (Cross-site scripting (XSS) vulnerability in the Asset module's a NOT-FOR-US: Liferay CVE-2022-26592 (Stack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector ...) [experimental] - libsass 3.6.5+20231221-1 - - libsass (bug #1051894) + - libsass 3.6.5+20231221-2 (bug #1051895) [bookworm] - libsass (Minor issue) [bullseye] - libsass (Minor issue) [buster] - libsass (Minor issue) 
@@ -297083,7 +297083,7 @@ CVE-2019-18797 (LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator [buster] - libsass (Minor issue) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/3000 - NOTE: Not considered a security issue be upstream + NOTE: Not considered a security issue by upstream CVE-2019-18796 (The BASS Audio Library 2.4.14 under Windows is prone to a BASS_StreamC ...) NOT-FOR-US: BASS Audio Library CVE-2019-18795 (The BASS Audio Library 2.4.14 under Windows is prone to a BASS_StreamC ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ba45f82ca092693196147790ef731923a437e66 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ba45f82ca092693196147790ef731923a437e66 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
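Review bot: the version bump in the first two hunks also changes the bug references: CVE-2022-43357 goes from `- libsass (bug #1051893)` to `+ - libsass 3.6.5+20231221-2 (bug #1051895)` and CVE-2022-26592 from `(bug #1051894)` to `(bug #1051895)`, so all three libsass entries now point at the bug that belongs to CVE-2022-43358. Unless those bugs were merged, the lines should keep their own numbers, i.e. `- libsass 3.6.5+20231221-2 (bug #1051893)` and `- libsass 3.6.5+20231221-2 (bug #1051894)`. The `be upstream` to `by upstream` typo fix in the last hunk is fine.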
[Git][security-tracker-team/security-tracker][master] add putty reference
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d936efe by Moritz Mühlenhoff at 2023-12-29T23:35:15+01:00 add putty reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2087,6 +2087,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun NOTE: proftpd: https://github.com/proftpd/proftpd/commit/bcec15efe6c53dac40420731013f1cd2fd54123b (v1.3.8b) NOTE: proftpd-mod-proxy: https://github.com/Castaglia/proftpd-mod_proxy/issues/257 NOTE: proftpd-mod-proxy: https://github.com/Castaglia/proftpd-mod_proxy/commit/54612735629231de2242d6395d334539604872fb (v0.9.3) + NOTE: PuTTY: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terrapin.html NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9e099151574885f3c717ac10a633a9218db8e7bb (0.80) NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2e7086902b3605c96e54ef9c956ca7ab10e (0.80) NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fcbb86f715bc03e58921482efe663aa0c662d62 (0.80) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d936efe0de530d3ea1a2522d619692dfa108b0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d936efe0de530d3ea1a2522d619692dfa108b0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] espeak-ng spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e7e0305 by Moritz Mühlenhoff at 2023-12-29T23:19:04+01:00 espeak-ng spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -53,3 +53,13 @@ CVE-2023-51764 [bookworm] - postfix 3.7.9-0+deb12u1 CVE-2023-7008 [bookworm] - systemd 252.21-1~deb12u1 +CVE-2023-49994 + [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1 +CVE-2023-49993 + [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1 +CVE-2023-49992 + [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1 +CVE-2023-49991 + [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1 +CVE-2023-49990 + [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e7e030590834abcfb803026e65d9675ece43116 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e7e030590834abcfb803026e65d9675ece43116 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ff7c8434 by Moritz Mühlenhoff at 2023-12-29T23:16:38+01:00 bookworm/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -696,8 +696,13 @@ CVE-2023-51771 (In MicroHttpServer (aka Micro HTTP Server) through a8ab029, _Par NOT-FOR-US: MicroHttpServer CVE-2023-51714 (An issue was discovered in the HTTP2 implementation in Qt before 5.15. ...) - qt6-base + [bookworm] - qt6-base (Minor issue) - qtbase-opensource-src + [bookworm] - qtbase-opensource-src (Minor issue) + [bullseye] - qtbase-opensource-src (Minor issue) - qtbase-opensource-src-gles + [bookworm] - qtbase-opensource-src-gles (Minor issue) + [bullseye] - qtbase-opensource-src-gles (Minor issue) NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524864 NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524865/3 CVE-2023-49954 (The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 ...) @@ -949,6 +954,8 @@ CVE-2023-49085 (Cacti provides an operational monitoring and fault management fr NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855 CVE-2023-48704 (ClickHouse is an open-source column-oriented database management syste ...) - clickhouse (bug #1059367) + [bookworm] - clickhouse (Minor issue) + [bullseye] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5rmf-5g48-xv63 NOTE: https://github.com/ClickHouse/ClickHouse/pull/57107 CVE-2023-48670 (Dell SupportAssist for Home PCs version 3.14.1 and prior versions cont ...) 
@@ -1090,6 +1097,8 @@ CVE-2023-48308 (Nextcloud/Cloud is a calendar app for Nextcloud. An attacker can NOT-FOR-US: Nextcloud calendar app CVE-2023-48298 (ClickHouse\xae is an open-source column-oriented database management s ...) - clickhouse (bug #1059261) + [bookworm] - clickhouse (Minor issue) + [bullseye] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938 NOTE: https://github.com/ClickHouse/ClickHouse/pull/56795 CVE-2023-46649 (A race condition in GitHub Enterprise Server was identified that could ...) @@ -1110,6 +1119,8 @@ CVE-2023-37519 (Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. NOT-FOR-US: HCL CVE-2023-42465 (Sudo before 1.9.15 might allow row hammer attacks (for authentication ...) - sudo 1.9.15p2-2 + [bookworm] - sudo (Minor issue) + [bullseye] - sudo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/9 NOTE: https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f (SUDO_1_9_15p1) CVE-2023-7047 (Inadequate validation of permissions when employing remote tools and ...) @@ -1209,6 +1220,8 @@ CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has be NOTE: Crash in CLI tool, no security impact CVE-2023-4255 (An out-of-bounds write issue has been discovered in the backspace hand ...) - w3m (bug #1059265) + [bookworm] - w3m (Minor issue) + [bullseye] - w3m (Minor issue) [buster] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3 NOTE: https://github.com/tats/w3m/issues/268 
@@ -1442,6 +1455,8 @@ CVE-2023-47236 (Improper Neutralization of Special Elements used in an SQL Comma NOT-FOR-US: WordPress plugin CVE-2023-47118 (ClickHouse\xae is an open-source column-oriented database management s ...) - clickhouse (bug #1059261) + [bookworm] - clickhouse (Minor issue) + [bullseye] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v CVE-2023-46311 (Authorization Bypass Through User-Controlled Key vulnerability in gVec ...) NOT-FOR-US: WordPress plugin @@ -1812,6 +1827,7 @@ CVE-2023-46104 (Uncontrolled resource consumption can be triggered by authentica NOT-FOR-US: Apache Superset CVE-2023- [RUSTSEC-2023-0074] - rust-zerocopy + [bookworm] - rust-zerocopy (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0074.html NOTE: https://github.com/google/zerocopy/issues/716 CVE-2023-6940 (with only one user interaction(download a malicious config), attackers ...) @@ -2014,11 +2030,15 @@ CVE-2023-32230 (An improper handling of a malformed API request to an API server CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, found in O ...) {DSA-5591-1 DSA-5588-1 DSA-5586-1 DLA-3694-1} - dropbear (bug #1059001
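Review bot: in the CVE-2023-51714 hunk, qt6-base gets only a [bookworm] line while qtbase-opensource-src and qtbase-opensource-src-gles get both [bookworm] and [bullseye]; that is correct only if qt6-base has no bullseye package, so it is worth confirming against the archive rather than leaving the asymmetry unexplained. The same applies to rust-zerocopy, which receives a [bookworm] (Minor issue) line but no [bullseye] one. The remaining hunks apply an identical (Minor issue) annotation to clickhouse (three CVEs), sudo and w3m; for w3m the new lines match the existing [buster] annotation. This copy of the patch is cut off inside the CVE-2023-48795 hunk after `- dropbear (bug #1059001`, so that hunk cannot be reviewed here.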
[Git][security-tracker-team/security-tracker][master] nodejs DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 20d5621e by Moritz Mühlenhoff at 2023-12-27T23:02:34+01:00 nodejs DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[27 Dec 2023] DSA-5589-1 nodejs - security update + {CVE-2023-23918 CVE-2023-23919 CVE-2023-23920 CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590 CVE-2023-32002 CVE-2023-32006 CVE-2023-32559 CVE-2023-38552 CVE-2023-39333} + [bookworm] - nodejs 18.19.0+dfsg-6~deb12u1 [24 Dec 2023] DSA-5588-1 putty - security update {CVE-2023-48795} [bullseye] - putty 0.74-1+deb11u1 = data/dsa-needed.txt = @@ -39,9 +39,6 @@ linux (carnil) nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- -nodejs (jmm) - maintainer proposed to follow the upstream 18.x LTS branch --- php-cas/oldstable -- php-horde-mime-viewer/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20d5621ee3138c3d8cbffb3cee17fb4407ab008f
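Review bot: the new DSA entry lists twelve CVEs, but the patch touches only data/DSA/list and data/dsa-needed.txt; the corresponding data/CVE/list entries still need DSA-5589-1 added to their reference braces (for example CVE-2023-23920 currently shows `{DSA-5395-1 DLA-3344-1}`), unless that is done in a follow-up commit. The dsa-needed.txt hunk removes the nodejs block together with its own `--` separator, leaving the `-- php-cas/oldstable` separator intact, so the file stays well-formed. The fixed version 18.19.0+dfsg-6~deb12u1 with a `~deb12u1` suffix is consistent with the removed note that the maintainer proposed following the upstream 18.x LTS branch rather than backporting individual fixes.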
[Git][security-tracker-team/security-tracker][master] one older nodejs issue fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1133e4aa by Moritz Mühlenhoff at 2023-12-27T20:30:02+01:00 one older nodejs issue fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56883,7 +56883,7 @@ CVE-2023-23919 (A cryptographic vulnerability exists in Node.js <19.2.0, <18.14. NOTE: https://hackerone.com/reports/1808596 NOTE: https://github.com/nodejs/node/commit/438812e14d3b2a705fb639b69e37c6cc4e7c8029 CVE-2023-23918 (A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14 ...) - - nodejs (bug #1031834) + - nodejs 18.19.0+dfsg-2 (bug #1031834) [bullseye] - nodejs (Permissions policy introduced in v16.x) [buster] - nodejs (v10.x doesn't support policy manifests) NOTE: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-permissions-policies-can-be-bypassed-via-process-mainmodule-high-cve-2023-23918 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1133e4aab48a47dd465f2973bd63d038b63b1292
[Git][security-tracker-team/security-tracker][master] remove three postponed nodejs issues lined up for DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 097dcd38 by Moritz Mühlenhoff at 2023-12-27T20:27:46+01:00 remove three postponed nodejs issues lined up for DSA - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56873,12 +56873,10 @@ CVE-2023-0407 CVE-2023-23920 (An untrusted search path vulnerability exists in Node.js. <19.6.1, <18 ...) {DSA-5395-1 DLA-3344-1} - nodejs 18.13.0+dfsg1-1.1 (bug #1031834) - [bookworm] - nodejs (Can be fixed along with next update) NOTE: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-insecure-loading-of-icu-data-through-icu_data-environment-variable-low-cve-2023-23920 NOTE: https://github.com/nodejs/node/commit/f369c0a739b9f0182ededa834a2a44e6fec322d1 CVE-2023-23919 (A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16 ...) - nodejs 18.13.0+dfsg1-1.1 (bug #1031834) - [bookworm] - nodejs (Can be fixed along with next update) [bullseye] - nodejs (X509Certificate API introduced in v15.6.0) [buster] - nodejs (X509Certificate API introduced in v15.6.0) NOTE: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-openssl-error-handling-issues-in-nodejs-crypto-library-medium-cve-2023-23919 
@@ -56886,7 +56884,6 @@ CVE-2023-23919 (A cryptographic vulnerability exists in Node.js <19.2.0, <18.14. NOTE: https://github.com/nodejs/node/commit/438812e14d3b2a705fb639b69e37c6cc4e7c8029 CVE-2023-23918 (A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14 ...) - nodejs (bug #1031834) - [bookworm] - nodejs (Can be fixed along with next update) [bullseye] - nodejs (Permissions policy introduced in v16.x) [buster] - nodejs (v10.x doesn't support policy manifests) NOTE: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-permissions-policies-can-be-bypassed-via-process-mainmodule-high-cve-2023-23918 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/097dcd38fe6bd11c2ad64465e23518f2e49d528e
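Review bot: removing the three `[bookworm] - nodejs (Can be fixed along with next update)` lines leaves CVE-2023-23918, CVE-2023-23919 and CVE-2023-23920 with no bookworm annotation at all, so bookworm shows as plainly unfixed until DSA-5589-1 is recorded in data/DSA/list; that is acceptable only because the DSA commit follows the same evening. Note also that in this hunk CVE-2023-23918 still has no sid fixed version (`- nodejs (bug #1031834)`) while its two siblings carry 18.13.0+dfsg1-1.1; that gap is closed separately by the commit setting it to 18.19.0+dfsg-2.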
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 428aa1f7 by Moritz Mühlenhoff at 2023-12-27T20:23:06+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2023-52096 (SteVe Community ocpp-jaxb before 0.0.8 generates invalid timestamps su ...) - TODO: check + NOT-FOR-US: SteVe Community ocpp-jaxb CVE-2023-49438 (An open redirect vulnerability in the python package Flask-Security-To ...) TODO: check CVE-2023-48003 (An open redirect through HTML injection in user messages in Asp.Net Ze ...) - TODO: check + NOT-FOR-US: Asp.Net Zero CVE-2023-6268 (The JSON Content Importer WordPress plugin before 1.5.4 does not sanit ...) NOT-FOR-US: WordPress plugin CVE-2023-6250 (The BestWebSoft's Like & Share WordPress plugin before 2.74 discloses ...) @@ -37,7 +37,7 @@ CVE-2023-5203 (The WP Sessions Time Monitoring Full Automatic WordPress plugin b CVE-2023-5180 (An issue was discovered in Open Design Alliance Drawings SDK before 20 ...) NOT-FOR-US: Open Design Alliance Drawings SDK CVE-2023-52086 (resumable.php (aka PHP backend for resumable.js) 0.1.4 before 3c6dbf5 ...) - TODO: check + NOT-FOR-US: PHP backend for resumable.js CVE-2023-51107 (A floating point exception (divide-by-zero) vulnerability was discover ...) - mupdf (unimportant) NOTE: https://github.com/dongyuma/sox-defects/blob/main/mupdf-defects.md View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/428aa1f7c7812adb4d0462c339d072da21201d45
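Review bot: CVE-2023-49438 (Flask-Security-Too) is left as `TODO: check` between the two entries being resolved in the first hunk; unlike ocpp-jaxb and Asp.Net Zero, a Python package is a plausible Debian candidate, so it needs an explicit source-package lookup rather than an NFU by analogy, and the open-redirect class of the issue would matter to any dependent web application if it is packaged.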
[Git][security-tracker-team/security-tracker][master] librecad fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a6d2e3b by Moritz Mühlenhoff at 2023-12-27T20:21:16+01:00 librecad fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37571,7 +37571,7 @@ CVE-2023-30261 (Command Injection vulnerability in OpenWB 1.6 and 1.7 allows rem CVE-2023-30260 (Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earl ...) NOT-FOR-US: RaspAP CVE-2023-30259 (A Buffer Overflow vulnerability in importshp plugin in LibreCAD 2.2.0 ...) - - librecad (unimportant) + - librecad 2.2.0.2-1 (unimportant) NOTE: https://github.com/LibreCAD/LibreCAD/issues/1481 NOTE: Crash in CLI tool, no security impact CVE-2023-30258 (Command Injection vulnerability in MagnusSolution magnusbilling 6.x an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a6d2e3b46e151696b95cd2167fc520f5fc6b477
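Review bot: the unchanged `NOTE: Crash in CLI tool, no security impact` under CVE-2023-30259 is the same sentence that sits under the tcpreplay entry CVE-2023-4256 elsewhere in the file, but the CVE text here describes a buffer overflow in the importshp plugin of LibreCAD, not a command-line tool; check that the justification for the (unimportant) tag actually fits this issue and reword the NOTE if it was carried over. Adding the fixed version 2.2.0.2-1 while keeping (unimportant) is otherwise consistent.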
[Git][security-tracker-team/security-tracker][master] fix syntax for postfix issue, the fixed version will only come with the next point update
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 891044d0 by Moritz Mühlenhoff at 2023-12-27T20:19:53+01:00 fix syntax for postfix issue, the fixed version will only come with the next point update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -300,7 +300,7 @@ CVE-2023-51765 (sendmail through at least 8.14.7 allows SMTP smuggling in certai NOTE: https://www.openwall.com/lists/oss-security/2023/12/26/5 CVE-2023-51764 (Postfix through 3.8.4 allows SMTP smuggling unless configured with smt ...) - postfix 3.8.4-1 (bug #1059230) - [bookworm] - postfix 3.7.9-0+deb12u1 (Minor issue; mitigations exist) + [bookworm] - postfix (Minor issue; mitigations exist) [bullseye] - postfix (Minor issue; mitigations exist) NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/891044d00dcd087b271d7e3817def7fa9d3411ed
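Review bot: after this change the [bookworm] line carries no version, so bookworm is recorded as still affected with the reason (Minor issue; mitigations exist) and the pending 3.7.9-0+deb12u1 upload is tracked only in data/next-point-update.txt; once the point update is released the version has to be put back on this line (`[bookworm] - postfix 3.7.9-0+deb12u1`) or the fix will never be credited to bookworm. Given that the issue is SMTP smuggling, it would also help to name the mitigation the reason refers to in a NOTE (the smtpd_forbid_bare_newline setting alluded to in the truncated CVE text) so that the "mitigations exist" claim is checkable.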
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d2f40c8 by Moritz Mühlenhoff at 2023-12-26T17:12:18+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-51467 + NOT-FOR-US: Apache OFBiz +CVE-2023-50968 + NOT-FOR-US: Apache OFBiz CVE-2023-7111 (A vulnerability, which was classified as critical, was found in code-p ...) NOT-FOR-US: code-projects Library Management System CVE-2023-7110 (A vulnerability, which was classified as critical, has been found in c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d2f40c8bc1c65c1b6d7f51588d6eece7d8e881e
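Review bot: the two added entries CVE-2023-51467 and CVE-2023-50968 have no parenthesised description after the CVE id, unlike every neighbouring entry, so they were evidently added ahead of the CVE feed; make sure the automated import later fills in the description for these ids rather than appending duplicate entries at the top of the file.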
[Git][security-tracker-team/security-tracker][master] systemd spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ee785aa by Moritz Mühlenhoff at 2023-12-26T17:03:01+01:00 systemd spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -51,3 +51,5 @@ CVE-2023- [XSS issue fixed in 4.1.13 upstream] NOTE: For Debian bug #1059331 CVE-2023-51764 [bookworm] - postfix 3.7.9-0+deb12u1 +CVE-2023-7008 + [bookworm] - systemd 252.21-1~deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ee785aac5fd84e151fb49f199b123fe5e6f9fb5
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c13efea by Moritz Muehlenhoff at 2023-12-25T19:49:02+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36907,7 +36907,7 @@ CVE-2023-1963 (A vulnerability was found in PHPGurukul Bank Locker Management Sy CVE-2018-25084 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: Ping Identity Self-Service Account Manager CVE-2023-30451 (In TYPO3 11.5.24, the filelist component allows attackers (who have ac ...) - TODO: check + NOT-FOR-US: Typo3 CVE-2023-30450 (rpk in Redpanda before 23.1.2 mishandles the redpanda.rpc_server_tls f ...) NOT-FOR-US: Redpanda CVE-2023-30449 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c13efeab2705876ba6cde02bab0173f6f528e16
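Review bot: style nit on the added line: the NFU tag reads `Typo3` while the CVE text on the line above uses the project's own spelling `TYPO3`; keeping the upstream spelling makes grep-based reports over the file match all TYPO3 entries consistently.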
[Git][security-tracker-team/security-tracker][master] new Qt issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c0c1e5e8 by Moritz Muehlenhoff at 2023-12-25T19:45:06+01:00 new Qt issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,7 +29,11 @@ CVE-2023-51772 (One Identity Password Manager before 5.13.1 allows Kiosk Escape. CVE-2023-51771 (In MicroHttpServer (aka Micro HTTP Server) through a8ab029, _ParseHead ...) NOT-FOR-US: MicroHttpServer CVE-2023-51714 (An issue was discovered in the HTTP2 implementation in Qt before 5.15. ...) - TODO: check + - qt6-base + - qtbase-opensource-src + - qtbase-opensource-src-gles + NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524864 + NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524865/3 CVE-2023-49954 (The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 ...) NOT-FOR-US: 3CX CVE-2023-49944 (The Challenge Response feature of BeyondTrust Privilege Management for ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0c1e5e86095e06bc44615a400dd43f08431aada
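Review bot: the three package lines are added without fixed versions or release annotations, so qt6-base, qtbase-opensource-src and qtbase-opensource-src-gles all show as open in every suite from this commit until the [bookworm]/[bullseye] triage lands in a later commit; that is the normal sequence, but a bug reference would help track the sid fix. The two codereview references are also inconsistent in form, `+/524864` versus `+/524865/3` with an explicit patchset number; either pin both to a patchset or neither, since a bare change URL follows the merged revision while a pinned one does not.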
[Git][security-tracker-team/security-tracker][master] one nodejs issue ignored for bullseye
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dcdba6bd by Moritz Muehlenhoff at 2023-12-25T19:42:30+01:00 one nodejs issue ignored for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36163,6 +36163,7 @@ CVE-2023-30590 (The generateKeys() API function returned from crypto.createDiffi NOTE: Fixed by: https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 (v16.x) CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not strictly ...) - nodejs 18.13.0+dfsg1-1.1 (bug #1039990) + [bullseye] - nodejs (Minor issue, too intrusive to backport) [buster] - nodejs (llhttp dependency/embedding introduced in 12.x) - llhttp (bug #977716) NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcdba6bd33228550f0f67068a4ff69b986908357
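Review bot: the commit message says the issue is "ignored" for bullseye, but the added line as rendered here, `[bullseye] - nodejs (Minor issue, too intrusive to backport)`, shows no status tag between the package name and the parenthesised reason; the tracker's release-annotation syntax carries the state (for example <ignored> or <no-dsa>) in angle brackets at that position, and every other annotation on this page shows the same gap, so the brackets were most likely eaten by the HTML rendering of the mail rather than omitted in the commit. Worth verifying in the repository itself, because without the tag the line is malformed. The reason also deserves a second look for a request-smuggling bug in the embedded llhttp parser: "too intrusive to backport" is a backporting argument, while "Minor issue" is a severity argument, and the separate `- llhttp (bug #977716)` line remains without any fixed version or annotation.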
[Git][security-tracker-team/security-tracker][master] twisted fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d6dc719a by Moritz Muehlenhoff at 2023-12-25T19:08:44+01:00 twisted fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10444,7 +10444,7 @@ CVE-2023-46233 (crypto-js is a JavaScript library of crypto standards. Prior to CVE-2023-46232 (era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer ...) NOT-FOR-US: era-compiler-vyper CVE-2023-46137 (Twisted is an event-based framework for internet applications. Prior t ...) - - twisted (bug #1054913) + - twisted 23.10.0-1 (bug #1054913) [bookworm] - twisted (Minor issue) [bullseye] - twisted (Minor issue) [buster] - twisted (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6dc719a7489ff99b0f419a8c0629d7c6e567775
[Git][security-tracker-team/security-tracker][master] add upstream reference for hamster-time-tracker
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b4f9d10 by Moritz Muehlenhoff at 2023-12-24T23:48:23+01:00 add upstream reference for hamster-time-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17464,7 +17464,7 @@ CVE-2023-37739 (i-doit Pro v25 and below was discovered to be vulnerable to path CVE-2023-36250 (CSV Injection vulnerability in GNOME time tracker version 3.0.2, allow ...) - hamster-time-tracker (bug #1059296) NOTE: https://github.com/BrunoTeixeira1996/CVE-2023-36250/blob/main/README.md - NOTE: Report sounds a little dubious, it's not really clear whether this cross any security boundary + NOTE: https://github.com/projecthamster/hamster/issues/750 CVE-2023-2848 (Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hija ...) NOT-FOR-US: Movim CVE-2023-4948 (The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b4f9d1076a9bd345a5fde287e383c81f8e61b2b
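Review bot: replacing the triage NOTE with the upstream issue link drops the recorded doubt about whether CVE-2023-36250 crosses any security boundary, yet the entry still carries neither a severity tag nor any suite annotation: `- hamster-time-tracker (bug #1059296)` with no (unimportant) or similar. If the upstream issue settles the question, record the conclusion in a NOTE and tag the entry accordingly; otherwise keep the assessment alongside the link rather than losing it. CSV injection in an exported file is the kind of report where the boundary argument is the whole severity decision, so it should be written down.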
[Git][security-tracker-team/security-tracker][master] more gitlab issues fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 156430c8 by Moritz Muehlenhoff at 2023-12-24T23:37:26+01:00 more gitlab issues fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2240,11 +2240,11 @@ CVE-2023-3511 (An issue has been discovered in GitLab EE affecting all versions CVE-2023-3907 (A privilege escalation vulnerability in GitLab EE affecting all versio ...) - gitlab (Specific to EE) CVE-2023-5061 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-5512 (An issue has been discovered in GitLab CE/EE affecting all versions fr ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-6051 (An issue has been discovered in GitLab CE/EE affecting all versions be ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-6680 (An improper certificate validation issue in Smartcard authentication i ...) - gitlab (Specific to EE) CVE-2023-6564 @@ -4724,7 +4724,7 @@ CVE-2023-6442 (A vulnerability was found in PHPGurukul Nipah Virus Testing Manag CVE-2023-6440 (A vulnerability was found in SourceCodester Book Borrower System 1.0 a ...) NOT-FOR-US: SourceCodester CVE-2023-6033 (Improper neutralization of input in Jira integration configuration in ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-5995 (An issue has been discovered in GitLab EE affecting all versions start ...) - gitlab (Specific to EE) CVE-2023-5915 (A vulnerability of Uncontrolled Resource Consumption has been identifi ...) 
@@ -4734,7 +4734,7 @@ CVE-2023-5909 (KEPServerEX does not properly validate certificates from clients CVE-2023-5908 (KEPServerEX is vulnerable to a buffer overflow which may allow an atta ...) NOT-FOR-US: KEPServerEX CVE-2023-5226 (An issue has been discovered in GitLab affecting all versions before 1 ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-4912 (An issue has been discovered in GitLab EE affecting all versions start ...) - gitlab (Specific to EE) CVE-2023-4658 (An issue has been discovered in GitLab EE affecting all versions start ...) @@ -9423,7 +9423,7 @@ CVE-2023-46695 (An issue was discovered in Django 3.2 before 3.2.23, 4.1 before - python-django (Only an issue on windows) NOTE: https://www.djangoproject.com/weblog/2023/nov/01/security-releases/ CVE-2023-5831 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-4700 (An authorization issue affecting GitLab EE affecting all versions from ...) - gitlab (Specific to EE) CVE-2023-5600 @@ -9433,7 +9433,7 @@ CVE-2023-3246 (An issue has been discovered in GitLab EE/CE affecting all versio CVE-2023-3909 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - gitlab 16.4.4+ds2-2 CVE-2023-5825 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-3399 (An issue has been discovered in GitLab EE affecting all versions start ...) - gitlab 16.4.4+ds2-2 CVE-2023-5904 (Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib p ...) 
@@ -15108,7 +15108,7 @@ CVE-2023-5301 (A vulnerability classified as critical was found in DedeCMS 5.7.1 CVE-2023-5300 (A vulnerability classified as critical has been found in TTSPlanning u ...) NOT-FOR-US: TTSPlanning CVE-2023-5207 (A vulnerability was discovered in GitLab CE and EE affecting all versi ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-44488 (VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash rela ...) {DSA-5518-1 DLA-3598-1} - libvpx 1.12.0-1.2 @@ -15281,7 +15281,7 @@ CVE-2023-39410 (When deserializing untrusted or corrupted data, it is possible f CVE-2023-39308 (Unauth. Stored Cross-Site Scripting (XSS) vulnerability in UserFeedbac ...) NOT-FOR-US: WordPress plugin CVE-2023-5198 (An issue has been discovered in GitLab affecting all versions prior to ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-5185 (Gym Management System Project v1.0 is vulnerable to an Insecure File ...) NOT-FOR-US: Gym Management System Project CVE-2023-5077 (The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine d ...) @@ -16979,7 +16979,7 @@ CVE-2023-2567 (A SQL Injection vulnerability in Nozomi Networks Guardian and CMC CVE-2023-29245 (A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due ...) NOT-FOR-US: Nozomi Networks Guardian and CMC CVE-2023-4998 - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-5060 (Cross-site Scripting (XSS) - DOM in GitHub repository libren
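Review bot: every entry in this patch is set to the same fixed version 16.4.4+ds2-2, which asserts that the 16.4.4 upstream release closes all of CVE-2023-5061, -5512, -6051, -6033, -5226, -5831, -5825, -5207, -5198 and -4998; none of these entries carries a NOTE reference, so CVE-2023-6033 and CVE-2023-6051, the latest assignments in the set, are the ones most worth cross-checking against the GitLab release notes before the version is relied on. CVE-2023-4998 additionally has no description text at all, unlike its neighbours. This copy of the patch is cut off mid-hunk after `CVE-2023-5060 (Cross-site Scripting (XSS) - DOM in GitHub repository libren`, so the final hunk cannot be reviewed here.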
[Git][security-tracker-team/security-tracker][master] gitlab issues fixed in sid (more to investigate)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d7368f17 by Moritz Muehlenhoff at 2023-12-24T20:48:00+01:00 gitlab issues fixed in sid (more to investigate) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4738,7 +4738,7 @@ CVE-2023-4912 (An issue has been discovered in GitLab EE affecting all versions CVE-2023-4658 (An issue has been discovered in GitLab EE affecting all versions start ...) - gitlab (Specific to EE) CVE-2023-4317 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-49735 (** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleRes ...) - tiles (unimportant; bug #1057315) NOTE: https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p @@ -4808,11 +4808,11 @@ CVE-2023-42916 (An out-of-bounds read was addressed with improved input validati [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) NOTE: https://webkitgtk.org/security/WSA-2023-0011.html CVE-2023-3964 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-3949 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-3443 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-39226 (In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability ...) NOT-FOR-US: Delta Electronics CVE-2023-6439 (A vulnerability classified as problematic was found in ZenTao PMS 18.8 ...) 
@@ -9427,13 +9427,13 @@ CVE-2023-4700 (An authorization issue affecting GitLab EE affecting all versions CVE-2023-5600 - gitlab (Specific to EE) CVE-2023-3246 (An issue has been discovered in GitLab EE/CE affecting all versions st ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-3909 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-5825 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - gitlab CVE-2023-3399 (An issue has been discovered in GitLab EE affecting all versions start ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-5904 (Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib p ...) NOT-FOR-US: pkp-lib CVE-2023-5903 (Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib p ...) @@ -15268,7 +15268,7 @@ CVE-2023-41657 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-41655 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Andr ...) NOT-FOR-US: WordPress plugin CVE-2023-3413 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-3024 (Forcing the Bluetooth LE stack to segment 'prepare write response' pac ...) NOT-FOR-US: Silabs CVE-2023-39410 (When deserializing untrusted or corrupted data, it is possible for a r ...) @@ -15286,7 +15286,7 @@ CVE-2023-5053 (Hospital management system version 378c157 allows to bypass authe CVE-2023-5004 (Hospital management system version 378c157 allows to bypass authentica ...) NOT-FOR-US: Hospital management system CVE-2023-4532 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-4316 (Zod in version 3.22.2 allows an attacker to perform a denial of servic ...) NOT-FOR-US: Zod CVE-2023-44469 (A Server-Side Request Forgery issue in the OpenID Connect Issuer in Le ...) 
@@ -15342,13 +15342,13 @@ CVE-2023-43014 (Asset Management System v1.0 is vulnerable to an Authenticated CVE-2023-43013 (Asset Management System v1.0 is vulnerable to an unauthenticated SQL ...) NOT-FOR-US: Asset Management System CVE-2023-3979 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-3922 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-3920 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-3917 (Denial of Service in pipelines affecting all versions of Gitlab EE and ...) - - gitlab + - gitlab 16.4.4+ds2-2 CVE-2023-3914 (A business logic error in GitLab EE affecting all versions prior to 16 ...) - gitlab (Specific to EE) CVE-2023-3906 (An input validation issue in the asset proxy in GitLab EE, affecting a ...) @@ -1932
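Review bot: in the `@@ -9427` hunk, CVE-2023-5825 keeps a bare `- gitlab` while the neighbouring CVE-2023-3246, CVE-2023-3909 and CVE-2023-3399 entries all get `16.4.4+ds2-2`; since the commit message says "more to investigate", a `TODO:` line under CVE-2023-5825 would make clear that it is deliberately pending rather than missed in this batch.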
[Git][security-tracker-team/security-tracker][master] zfs-linux fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 322ffb57 by Moritz Muehlenhoff at 2023-12-24T20:38:16+01:00 zfs-linux fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -197038,7 +197038,7 @@ CVE-2021-27206 RESERVED CVE-2013-20001 (An issue was discovered in OpenZFS through 2.0.3. When an NFS share is ...) [experimental] - zfs-linux 2.2.0-1~exp1 - - zfs-linux (bug #1059322) + - zfs-linux 2.2.2-1 (bug #1059322) [bookworm] - zfs-linux (contrib not supported) [bullseye] - zfs-linux (contrib not supported) NOTE: https://github.com/openzfs/zfs/commit/6cb5e1e7591da20af3a15793e022345a73e40fb7 (zfs-2.2.0-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/322ffb57627dceea622a5d35d70a632091e48d74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/322ffb57627dceea622a5d35d70a632091e48d74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
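Review bot: the CVE-2013-20001 hunk records the unstable fix as `zfs-linux 2.2.2-1` while keeping `(bug #1059322)` on the same line; confirm that bug #1059322 is closed by that upload (or close it by hand), otherwise the tracker shows a fixed version next to an open bug. The `[experimental] - zfs-linux 2.2.0-1~exp1` line above it is now superseded by the higher unstable version, so consider whether it is still needed.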
[Git][security-tracker-team/security-tracker][master] two nodejs issues n/a or ignored for bullseye
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e70ad7ca by Moritz Muehlenhoff at 2023-12-23T20:26:07+01:00 two nodejs issues n/a or ignored for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36017,6 +36017,7 @@ CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not st NOTE: Fixed by: https://github.com/nodejs/node/commit/e42ff4b0180f4e0f5712364dd6ea015559640152 (v16.x) CVE-2023-30588 (When an invalid public key is used to create an x509 certificate using ...) - nodejs 18.13.0+dfsg1-1.1 (bug #1039990) + [bullseye] - nodejs (Vulnerable code not present) [buster] - nodejs (X509Certificate API introduced later) NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#process-interuption-due-to-invalid-public-key-information-in-x509-certificates-medium-cve-2023-30588 NOTE: https://hackerone.com/reports/1884159 
@@ -36045,6 +36046,7 @@ CVE-2023-30582 NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#fswatchfile-bypass-in-experimental-permission-model-medium-cve-2023-30582 CVE-2023-30581 (The use of __proto__ in process.mainModule.__proto__.require() can byp ...) - nodejs 18.13.0+dfsg1-1.1 (bug #1039990) + [bullseye] - nodejs (Only affects experimental policy manifests) [buster] - nodejs (v10.x doesn't support policy manifests) NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#mainmoduleproto-bypass-experimental-policy-mechanism-high-cve-2023-30581 NOTE: https://hackerone.com/reports/1877919 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e70ad7cac8feace12637a67b1c48e3cdb372e910 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e70ad7cac8feace12637a67b1c48e3cdb372e910 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
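Review bot: in the `@@ -36017` hunk the new bullseye line for CVE-2023-30588 gives the generic reason `Vulnerable code not present` directly above the buster line's more specific `X509Certificate API introduced later`; using the same specific wording for bullseye would show that both releases are unaffected for the same reason.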
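Review bot: in the `@@ -36045` hunk the bullseye reason for CVE-2023-30581, `Only affects experimental policy manifests`, mirrors the buster line, but the commit message says one of the two issues is ignored and the other n/a; the status keyword between `nodejs` and the reason is not visible in the hunk as rendered here, so double-check that this entry carries the ignored state and CVE-2023-30588 the not-affected one.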
[Git][security-tracker-team/security-tracker][master] curl DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cc038894 by Moritz Mühlenhoff at 2023-12-23T19:59:24+01:00 curl DSA - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -3777,6 +3777,7 @@ CVE-2023-46218 (This flaw allows a malicious HTTP server to set "super cookies" NOTE: https://curl.se/docs/CVE-2023-46218.html CVE-2023-46219 (When saving HSTS data to an excessively long file name, curl could end ...) - curl 8.5.0-1 (bug #1057645) + [bookworm] - curl 7.88.1-10+deb12u5 [bullseye] - curl (curl is not built with HSTS support) [buster] - curl (Not affected by CVE-2022-32207) NOTE: Introduced by: https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f (curl-7_84_0) = data/DSA/list = @@ -1,3 +1,7 @@ +[23 Dec 2023] DSA-5587-1 curl - security update + {CVE-2023-46218} + [bullseye] - curl 7.74.0-1.3+deb11u11 + [bookworm] - curl 7.88.1-10+deb12u5 [22 Dec 2023] DSA-5586-1 openssh - security update {CVE-2023-48795 CVE-2023-51385} [bullseye] - openssh 1:8.4p1-5+deb11u3 = data/dsa-needed.txt = @@ -16,9 +16,6 @@ asterisk -- cryptojs -- -curl (jmm) - Samuel Henrique provided debdiffs for review --- dnsdist (jmm) -- frr View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc0388946ba384dfb0abc225b6148a867a1e0613 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc0388946ba384dfb0abc225b6148a867a1e0613 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
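Review bot: the `data/DSA/list` hunk lists only `{CVE-2023-46218}` for DSA-5587-1, yet the `data/CVE/list` hunk marks CVE-2023-46219 as fixed in bookworm by the very same `curl 7.88.1-10+deb12u5`; if the bookworm update also carries the HSTS file-name fix, CVE-2023-46219 belongs in the DSA's CVE set (bullseye is not affected by it per the existing `curl is not built with HSTS support` line, so only the bookworm side would change).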
[Git][security-tracker-team/security-tracker][master] four nodejs issues ignored for bullseye
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0084a5ac by Moritz Muehlenhoff at 2023-12-22T20:15:49+01:00 four nodejs issues ignored for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22162,6 +22162,7 @@ CVE-2023-33241 (Crypto wallets implementing the GG18 or GG20 TSS protocol might NOT-FOR-US: Crypto wallets implementing the GG18 or GG20 TSS protocol CVE-2023-32559 (A privilege escalation vulnerability exists in the experimental policy ...) - nodejs 18.13.0+dfsg1-1.1 (bug #1050739) + [bullseye] - nodejs (Only affects experimental policy manifests) [buster] - nodejs (v10.x doesn't support policy manifests) NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-processbinding-mediumcve-2023-32559 NOTE: https://github.com/nodejs/node/commit/d4570fae358693b8f7fec05294b9bb92a966226d (v18.x) @@ -22171,6 +22172,7 @@ CVE-2023-32558 (The use of the deprecated API `process.binding()` can bypass the NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#processbinding-can-bypass-the-permission-model-through-path-traversal-highcve-2023-32558 CVE-2023-32006 (The use of `module.constructor.createRequire()` can bypass the policy ...) - nodejs 18.13.0+dfsg1-1.1 (bug #1050739) + [bullseye] - nodejs (Only affects experimental policy manifests) [buster] - nodejs (v10.x doesn't support policy manifests) NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-impersonate-other-modules-in-using-moduleconstructorcreaterequire-mediumcve-2023-32006 NOTE: https://github.com/nodejs/node/commit/15bced0bde93f24115b779a309d517845c87e17a (v18.x) 
@@ -22186,6 +22188,7 @@ CVE-2023-32003 (`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsmkdtemp-and-fsmkdtempsync-are-missing-getvalidatedpath-checks-lowcve-2023-32003 CVE-2023-32002 (The use of `Module._load()` can bypass the policy mechanism and requir ...) - nodejs 18.13.0+dfsg1-1.1 (bug #1050739) + [bullseye] - nodejs (Only affects experimental policy manifests) [buster] - nodejs (v10.x doesn't support policy manifests) NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-module_load-highcve-2023-32002 NOTE: https://github.com/nodejs/node/commit/15bced0bde93f24115b779a309d517845c87e17a (v18.x) @@ -35819,6 +35822,7 @@ CVE-2023-30591 (Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated at NOT-FOR-US: NodeBB CVE-2023-30590 (The generateKeys() API function returned from crypto.createDiffieHellm ...) - nodejs 18.13.0+dfsg1-1.1 (bug #1039990) + [bullseye] - nodejs (Minor issue, only updates documentation to clarify an API) [buster] - nodejs (minor issue - Inconsistency Between Implementation and Documented Design) NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590 NOTE: Fixed by: https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 (v16.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0084a5ac631fa4c7cea61a5269eb99dedf8d54ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0084a5ac631fa4c7cea61a5269eb99dedf8d54ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
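Review bot: in the `@@ -22171` hunk CVE-2023-32558 (`process.binding()` bypassing the permission model) appears only as context and so gets no bullseye line, while the surrounding CVE-2023-32559, CVE-2023-32006 and CVE-2023-32002 do; if it is likewise confined to the experimental permission/policy machinery it warrants the same bullseye annotation, otherwise a NOTE on why it is treated differently would help.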
[Git][security-tracker-team/security-tracker][master] take nodejs and curl
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3552c875 by Moritz Muehlenhoff at 2023-12-22T19:47:11+01:00 take nodejs and curl - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -16,7 +16,7 @@ asterisk -- cryptojs -- -curl +curl (jmm) Samuel Henrique provided debdiffs for review -- dnsdist (jmm) @@ -39,7 +39,7 @@ linux (carnil) nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- -nodejs +nodejs (jmm) maintainer proposed to follow the upstream 18.x LTS branch -- php-cas/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3552c875568fccfd0e862cb2b924d15a1e8fe2cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3552c875568fccfd0e862cb2b924d15a1e8fe2cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ceecb73f by Moritz Muehlenhoff at 2023-12-22T15:03:39+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2376,7 +2376,7 @@ CVE-2023-43813 (GLPI is a free asset and IT management software package. Startin CVE-2023-42495 (Dasan Networks - W-Web versions 1.22-1.27 - CWE-78: Improper Neutraliz ...) NOT-FOR-US: Dasan Networks W-Web CVE-2023-34194 (StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML ...) - - tinyxml + - tinyxml (bug #1059315) NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities CVE-2023-6707 (Use after free in CSS in Google Chrome prior to 120.0.6099.109 allowed ...) {DSA-5577-1} @@ -3938,7 +3938,7 @@ CVE-2023-40464 (Several versions of ALEOS, including ALEOS 4.16.0, use a hardcod CVE-2023-40463 (When configured in debugging mode by an authenticated user withadm ...) NOT-FOR-US: ALEOS CVE-2023-40462 (The ACEManager component of ALEOS 4.16 and earlier does not perform ...) - - tinyxml + - tinyxml (bug #1059315) NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities CVE-2023-40461 (The ACEManager component of ALEOS 4.16 and earlier allows an authen ...) NOT-FOR-US: ALEOS @@ -4960,7 +4960,7 @@ CVE-2023-47463 (Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0 CVE-2023-47418 (Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and be ...) NOT-FOR-US: p2pa CVE-2023-40458 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability i ...) - - tinyxml + - tinyxml (bug #1059315) NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities CVE-2023-3741 (An OS Command injection vulnerability in NEC Platforms DT900 and DT900 ...) NOT-FOR-US: NEC 
@@ -30542,10 +30542,10 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse NOTE: https://github.com/lloyd/yajl/issues/250 NOTE: Introduced with: https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb (2.0.0) NOTE: The original fix uploaded as 2.1.0-3.1 was incomplete. - - epics-base + - epics-base (bug #1059316) [bookworm] - epics-base (Minor issue) [buster] - epics-base (Minor issue; fix only after newer releases got a fix) - - r-cran-jsonlite + - r-cran-jsonlite (bug #1059317) [bookworm] - r-cran-jsonlite (Minor issue) [bullseye] - r-cran-jsonlite (Minor issue) [buster] - r-cran-jsonlite (Minor issue; fix only after newer releases got a fix) @@ -169626,15 +169626,15 @@ CVE-2021-37819 (PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite [bullseye] - pdftk-java (Minor issue) [buster] - pdftk-java (Minor issue) - pdftk 2.02-5 - - libitext-java + - libitext-java (bug #1059318) [bookworm] - libitext-java (Minor issue) [bullseye] - libitext-java (Minor issue) [buster] - libitext-java (Minor issue) - - libitext1-java + - libitext1-java (bug #1059319) [bookworm] - libitext1-java (Minor issue) [bullseye] - libitext1-java (Minor issue) [buster] - libitext1-java (Minor issue) - - libitext5-java + - libitext5-java (bug #1059320) [bookworm] - libitext5-java (Minor issue) [bullseye] - libitext5-java (Minor issue) [buster] - libitext5-java (Minor issue) 
@@ -196775,7 +196775,7 @@ CVE-2021-27206 RESERVED CVE-2013-20001 (An issue was discovered in OpenZFS through 2.0.3. When an NFS share is ...) [experimental] - zfs-linux 2.2.0-1~exp1 - - zfs-linux + - zfs-linux (bug #1059322) [bookworm] - zfs-linux (contrib not supported) [bullseye] - zfs-linux (contrib not supported) NOTE: https://github.com/openzfs/zfs/commit/6cb5e1e7591da20af3a15793e022345a73e40fb7 (zfs-2.2.0-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceecb73f9e3d7915bd927ad0d226409b4b3a213c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceecb73f9e3d7915bd927ad0d226409b4b3a213c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] tcpreplay unimportant
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 57259da0 by Moritz Muehlenhoff at 2023-12-22T15:00:35+01:00 tcpreplay unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -233,8 +233,9 @@ CVE-2023-50377 (Improper Neutralization of Input During Web Page Generation ('Cr CVE-2023-50119 REJECTED CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has been id ...) - - tcpreplay + - tcpreplay (unimportant) NOTE: https://github.com/appneta/tcpreplay/issues/813 + NOTE: Crashnin CLI tool, no security impact CVE-2023-4255 (An out-of-bounds write issue has been discovered in the backspace hand ...) - w3m (bug #1059265) NOTE: https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57259da0849269f4071f844a887a7f0d66dd0816 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57259da0849269f4071f844a887a7f0d66dd0816 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
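Review bot: typo in the added NOTE line of the CVE-2023-4256 hunk: `NOTE: Crashnin CLI tool, no security impact` should read `NOTE: Crash in CLI tool, no security impact`.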
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f496e701 by Moritz Muehlenhoff at 2023-12-22T14:49:22+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1099,14 +1099,13 @@ CVE-2023-6903 (A vulnerability classified as critical has been found in Netentse CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated Tool-as ...) NOT-FOR-US: ADiTaaS (Allied Digital Integrated Tool-as-a-Service) CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows atta ...) - - libcrypto++ + - libcrypto++ (bug #1059312) NOTE: https://github.com/weidai11/cryptopp/issues/1249 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to ...) - - libcrypto++ + - libcrypto++ (bug #1059311) NOTE: https://github.com/weidai11/cryptopp/issues/1248 - TODO: check details about mitigation applied, but issue in per se "unfixed" CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during ...) - - libcrypto++ + - libcrypto++ (bug #1059310) NOTE: https://github.com/weidai11/cryptopp/issues/1247 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authoriz ...) NOT-FOR-US: Redpanda @@ -1982,7 +1981,7 @@ CVE-2023-40628 (A reflected XSS vulnerability was discovered in the Extplorer co CVE-2023-40627 (A reflected XSS vulnerability was discovered in the LivingWord compone ...) NOT-FOR-US: Joomla module CVE-2023-37457 (Asterisk is an open source private branch exchange and telephony toolk ...) - - asterisk + - asterisk (bug #1059303) NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh NOTE: https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa CVE-2023-3904 (An issue has been discovered in GitLab EE affecting all versions start ...) 
@@ -2140,7 +2139,7 @@ CVE-2023-40921 (SQL Injection vulnerability in functions/point_list.php in Commo CVE-2023-31546 (Cross Site Scripting (XSS) vulnerability in DedeBIZ v6.0.3 allows atta ...) NOT-FOR-US: DedeBIZ CVE-2023-50782 [Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659] - - python-cryptography + - python-cryptography (bug #1059308) [buster] - python-cryptography (Minor issue; it's an incomplete fix of CVE-2020-25659) NOTE: https://github.com/pyca/cryptography/issues/9785 NOTE: https://people.redhat.com/~hkario/marvin/ @@ -11235,7 +11234,7 @@ CVE-2023-45805 (pdm is a Python package and dependency manager supporting the la NOTE: https://github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9 NOTE: https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831 CVE-2023-44483 (All versions of Apache Santuario - XML Security for Java prior to 2.2. ...) - - libxml-security-java + - libxml-security-java (bug #1059313) NOTE: https://www.openwall.com/lists/oss-security/2023/10/20/5 NOTE: https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 NOTE: https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc @@ -13938,9 +13937,9 @@ CVE-2023-40008 (Cross-Site Request Forgery (CSRF) vulnerability in Gangesh Matta CVE-2023-3725 (Potential buffer overflow vulnerability in the Zephyr CAN bus subsyste ...) NOT-FOR-US: Zephyr RTOS (unrelated to src:zephyr) CVE-2023-38703 (PJSIP is a free and open source multimedia communication library writt ...) - - asterisk + - asterisk (bug #1059303) - pjproject - - ring + - ring (bug #1059307) NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66 NOTE: https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d (2.14) CVE-2023-36465 (Decidim is a participatory democracy framework, written in Ruby on Rai ...) 
@@ -19701,7 +19700,7 @@ CVE-2023-3251 (A pass-back vulnerability exists where an authenticated, remote a CVE-2023-39678 (A cross-site scripting (XSS) vulnerability in the device web interface ...) NOT-FOR-US: BDCOM OLT P3310D-2AC CVE-2023-39663 (Mathjax up to v2.7.9 was discovered to contain two Regular expression ...) - - mathjax + - mathjax (bug #1059304) [bookworm] - mathjax (Minor issue) [bullseye] - mathjax (Minor issue) [buster] - mathjax (Minor issue) @@ -20263,11 +20262,11 @@ CVE-2023-40036 (Notepad++ is a free and open-source source code editor. Versions CVE-2023-40031 (Notepad++ is a free and open-source source code editor. Versions 8.5.6 ...) NOT-FOR-US: Notepad++ CVE-2023-40030 (Cargo
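Review bot: the `@@ -1099` hunk drops the line `TODO: check details about mitigation applied, but issue in per se "unfixed"` under CVE-2023-50980 without recording what the check found; since the entry stays unfixed (`libcrypto++ (bug #1059311)`), replace the TODO with a NOTE summarising the outcome rather than deleting it silently.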
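Review bot: the `@@ -13938` hunk reuses `bug #1059303` for CVE-2023-38703 (a PJSIP issue in asterisk's embedded copy) although the `@@ -1982` hunk already assigned the same bug to CVE-2023-37457 (asterisk's own advisory GHSA-98rc-4j27-74hh); one bug for two distinct issues is fine only if its title lists both CVE ids, otherwise file a second bug so each can be closed independently.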
[Git][security-tracker-team/security-tracker][master] two more CVEs for tinyxml
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 90767b0e by Moritz Muehlenhoff at 2023-12-22T14:45:11+01:00 two more CVEs for tinyxml - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2378,7 +2378,6 @@ CVE-2023-42495 (Dasan Networks - W-Web versions 1.22-1.27 - CWE-78: Improper Neu CVE-2023-34194 (StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML ...) - tinyxml NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities - TODO: check details and embedded copies once assessment for tinyxml done CVE-2023-6707 (Use after free in CSS in Google Chrome prior to 120.0.6099.109 allowed ...) {DSA-5577-1} - chromium 120.0.6099.109-1 @@ -3939,7 +3938,8 @@ CVE-2023-40464 (Several versions of ALEOS, including ALEOS 4.16.0, use a hardcod CVE-2023-40463 (When configured in debugging mode by an authenticated user withadm ...) NOT-FOR-US: ALEOS CVE-2023-40462 (The ACEManager component of ALEOS 4.16 and earlier does not perform ...) - NOT-FOR-US: ALEOS + - tinyxml + NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities CVE-2023-40461 (The ACEManager component of ALEOS 4.16 and earlier allows an authen ...) NOT-FOR-US: ALEOS CVE-2023-40460 (The ACEManager component of ALEOS 4.16 and earlier does not validat ...) 
@@ -4960,7 +4960,8 @@ CVE-2023-47463 (Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0 CVE-2023-47418 (Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and be ...) NOT-FOR-US: p2pa CVE-2023-40458 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability i ...) - NOT-FOR-US: Sierra Wireless + - tinyxml + NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities CVE-2023-3741 (An OS Command injection vulnerability in NEC Platforms DT900 and DT900 ...) NOT-FOR-US: NEC CVE-2023-37928 (A post-authentication command injection vulnerability in the WSGI serv ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90767b0ea7a84688f34450c8f79ddd867ed13328 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90767b0ea7a84688f34450c8f79ddd867ed13328 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
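Review bot: the `@@ -2378` hunk removes `TODO: check details and embedded copies once assessment for tinyxml done` under CVE-2023-34194 but adds nothing saying which embedded copies of TinyXML were checked; a short NOTE with the result would preserve that work.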
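Review bot: in the `@@ -3939` hunk (and likewise `@@ -4960`) CVE-2023-40462 and CVE-2023-40458 move from `NOT-FOR-US: ALEOS` / `NOT-FOR-US: Sierra Wireless` to `- tinyxml` with only the Forescout URL as justification, while the CVE descriptions name ALEOS/ACEManager; add a NOTE stating that these are the TinyXML-rooted issues from that advisory (and, if known, the affected TinyXML code path) so the reassignment is not later reverted as a mis-triage.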
[Git][security-tracker-team/security-tracker][master] gomarkdown fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cb288f8 by Moritz Muehlenhoff at 2023-12-22T14:30:41+01:00 gomarkdown fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16251,7 +16251,7 @@ CVE-2023-43270 (dst-admin v1.5.0 was discovered to contain a remote command exec CVE-2023-43144 (Projectworldsl Assets-management-system-in-php 1.0 is vulnerable to SQ ...) NOT-FOR-US: Projectworldsl Assets-management-system-in-php CVE-2023-42821 (The package `github.com/gomarkdown/markdown` is a Go library for parsi ...) - - golang-github-gomarkdown-markdown + - golang-github-gomarkdown-markdown 0.0~git20231115.a660076-1 [bookworm] - golang-github-gomarkdown-markdown (Minor issue) NOTE: https://github.com/gomarkdown/markdown/commit/14b16010c2ee7ff33a940a541d993bd043a88940 NOTE: https://github.com/gomarkdown/markdown/security/advisories/GHSA-m9xq-6h2j-65r2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb288f81e8fd22d7c3d6aa94c3d478f969ecc00 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb288f81e8fd22d7c3d6aa94c3d478f969ecc00 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
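Review bot: the fixed version `0.0~git20231115.a660076-1` is a git snapshot, and the hunk's NOTE points at fix commit `14b16010c2ee7ff33a940a541d993bd043a88940` without a date or tag; record in the NOTE that snapshot a660076 (2023-11-15) descends from the fix commit, otherwise a reader cannot verify from the entry alone that the packaged snapshot contains the fix.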
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 32e9a182 by Moritz Muehlenhoff at 2023-12-22T14:22:18+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1039,7 +1039,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - putty 0.80-1 - python-asyncssh (bug #1059007) - tinyssh 20230101-4 (bug #1059058; unimportant) - - trilead-ssh2 + - trilead-ssh2 (bug #1059294) NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 NOTE: dropbear: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 @@ -2147,7 +2147,7 @@ CVE-2023-50782 [Bleichenbacher timing oracle attack against RSA decryption - inc NOTE: https://github.com/openssl/openssl/pull/13817 NOTE: CVE is for incomplete fix of CVE-2020-25659 CVE-2023-50781 [Bleichenbacher timing attacks in the RSA decryption API - incomplete fix for CVE-2020-25657] - - m2crypto + - m2crypto (bug #1059292) [buster] - m2crypto (Minor issue; it's an incomplete fix of CVE-2020-25657) NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/342 NOTE: https://people.redhat.com/~hkario/marvin/ @@ -17201,7 +17201,7 @@ CVE-2023-37755 (i-doit pro 25 and below and I-doit open 25 and below are configu CVE-2023-37739 (i-doit Pro v25 and below was discovered to be vulnerable to path trave ...) NOT-FOR-US: I-doit pro CVE-2023-36250 (CSV Injection vulnerability in GNOME time tracker version 3.0.2, allow ...) - - hamster-time-tracker + - hamster-time-tracker (bug #1059296) NOTE: https://github.com/BrunoTeixeira1996/CVE-2023-36250/blob/main/README.md NOTE: Report sounds a little dubious, it's not really clear whether this cross any security boundary CVE-2023-2848 (Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hija ...) 
@@ -21134,7 +21134,7 @@ CVE-2023-39970 (Unrestricted Upload of File with Dangerous Type vulnerability in CVE-2023-39743 (lrzip-next LZMA v23.01 was discovered to contain an access violation v ...) - lrzip-next (bug #1042088) CVE-2023-39741 (lrzip v0.651 was discovered to contain a heap overflow via the libzpaq ...) - - lrzip + - lrzip (bug #1059293) [bookworm] - lrzip (Minor issue) [bullseye] - lrzip (Minor issue) [buster] - lrzip (Minor issue) @@ -24077,7 +24077,7 @@ CVE-2023-32427 (This issue was addressed by using HTTPS when sending information NOT-FOR-US: Apple CVE-2023-37369 (In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before ...) {DLA-3539-1} - - qt6-base + - qt6-base (bug #1059302) [bookworm] - qt6-base (Minor issue) - qtbase-opensource-src-gles 5.15.10+dfsg-2 [bookworm] - qtbase-opensource-src-gles (Minor issue) @@ -31766,7 +31766,7 @@ CVE-2023-28370 (Open redirect vulnerability in Tornado versions 6.3.1 and earlie [bookworm] - python-tornado (Minor issue) [bullseye] - python-tornado (Minor issue) [buster] - python-tornado (Minor issue) - - salt + - salt (bug #1059297) NOTE: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f (v6.3.2) CVE-2023-27529 (Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) contains an ...) NOT-FOR-US: Wacom Tablet Driver installer @@ -42676,7 +42676,7 @@ CVE-2023-28439 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed [bookworm] - ckeditor (Minor issue) [bullseye] - ckeditor (Minor issue) [buster] - ckeditor (Minor issue) - - ckeditor3 + - ckeditor3 (bug #1059301) [bookworm] - ckeditor3 (Minor issue) [bullseye] - ckeditor3 (Minor issue) [buster] - ckeditor3 (No longer supported in LTS) 
@@ -47077,7 +47077,8 @@ CVE-2023-27045 CVE-2023-27044 RESERVED CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-mail ad ...) - - python3.11 + - python3.12 (bug #1059299) + - python3.11 (bug #1059298) [bookworm] - python3.11 (Minor issue) - python3.10 - python3.9 @@ -49404,7 +49405,7 @@ CVE-2023-26143 (Versions of the package blamer before 1.0.4 are vulnerable to Ar CVE-2023-26142 (All versions of the package crow are vulnerable to HTTP Response Split ...) NOT-FOR-US: Crow CVE-2023-26141 (Versions of the package sidekiq before 7.1.3 are vulnerable to Denial ...) - - ruby-sidekiq + - ruby-sidekiq (bug #1059300) [bookworm] - ruby-sidekiq (Minor issue) [bullseye] - ruby-sidekiq (Minor issue) [buster] - ruby-sidekiq (Minor issue, DoS still possible) View
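Review bot: the `@@ -17201` hunk files `bug #1059296` for CVE-2023-36250 against hamster-time-tracker although the existing NOTE directly below says the report `sounds a little dubious` and may not cross a security boundary; either the bug's severity and text should carry that caveat, or the NOTE should be updated now that a bug has been filed.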
[Git][security-tracker-team/security-tracker][master] three QT issues fixed in the gles build
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ddf505fe by Moritz Muehlenhoff at 2023-12-22T14:17:15+01:00 three QT issues fixed in the gles build - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24079,7 +24079,7 @@ CVE-2023-37369 (In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x {DLA-3539-1} - qt6-base [bookworm] - qt6-base (Minor issue) - - qtbase-opensource-src-gles + - qtbase-opensource-src-gles 5.15.10+dfsg-2 [bookworm] - qtbase-opensource-src-gles (Minor issue) [bullseye] - qtbase-opensource-src-gles (Minor issue) - qtbase-opensource-src 5.15.10+dfsg-3 @@ -30770,7 +30770,7 @@ CVE-2023-34410 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, [bookworm] - qtbase-opensource-src (Minor issue) [bullseye] - qtbase-opensource-src (Minor issue) [buster] - qtbase-opensource-src (Minor issue) - - qtbase-opensource-src-gles + - qtbase-opensource-src-gles 5.15.10+dfsg-2 [bookworm] - qtbase-opensource-src-gles (Minor issue) [bullseye] - qtbase-opensource-src-gles (Minor issue) - qt4-x11 
@@ -32109,7 +32109,7 @@ CVE-2023-33285 (An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2 - qtbase-opensource-src 5.15.8+dfsg-11 [bullseye] - qtbase-opensource-src (Minor issue) [buster] - qtbase-opensource-src (Minor issue) - - qtbase-opensource-src-gles + - qtbase-opensource-src-gles 5.15.10+dfsg-2 [bookworm] - qtbase-opensource-src-gles (Minor issue) [bullseye] - qtbase-opensource-src-gles (Minor issue) NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/477644 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddf505fe083b0ad1639e7c5e869aa3dc207e5871 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddf505fe083b0ad1639e7c5e869aa3dc207e5871 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] no bugs needed for py3.10, blocked from testing and soon removed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b747182 by Moritz Muehlenhoff at 2023-12-22T13:55:50+01:00 no bugs needed for py3.10, blocked from testing and soon removed - - - - - 1 changed file: - data/packages/ignored-debian-bug-packages Changes: = data/packages/ignored-debian-bug-packages = @@ -15,3 +15,4 @@ wpewebkit xen gcc-9 gcc-10 +python3.10 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b74718200deb0442d4dae3f8fd99feb20cbc2d1
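Review bot: style point on the hunk: the context lines (wpewebkit, xen, gcc-9, gcc-10, now python3.10) show that ignored-debian-bug-packages is an append-only list in commit order rather than sorted. As entries accumulate for unrelated reasons, keeping the file alphabetically ordered would make duplicates and stale entries easier to spot, and python3.10 in particular is meant to disappear once the package is removed from the archive, so it is worth a reminder to drop the line afterwards.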
[Git][security-tracker-team/security-tracker][master] keepass2 issue unimportant
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bf12703 by Moritz Muehlenhoff at 2023-12-22T13:51:16+01:00 keepass2 issue unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32730,12 +32730,10 @@ CVE-2023-31409 (Uncontrolled Resource Consumption in SICK FTMg AIR FLOW SENSOR w CVE-2023-31408 (Cleartext Storage of Sensitive Information in SICK FTMg AIR FLOW SENSO ...) NOT-FOR-US: SICK CVE-2023-32784 (In KeePass 2.x before 2.54, it is possible to recover the cleartext ma ...) - - keepass2 - [bookworm] - keepass2 (Minor issue) - [bullseye] - keepass2 (Minor issue) - [buster] - keepass2 (Minor issue) + - keepass2 (unimportant) NOTE: https://github.com/vdohney/keepass-password-dumper NOTE: https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/ + NOTE: Negligible security impact CVE-2023-32758 (giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5. ...) NOT-FOR-US: git-url-parse CVE-2023-2700 (A vulnerability was found in libvirt. This security flaw ouccers due t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bf12703e2ca21a68e367607b1533fe13d87a061
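Review bot: the added "NOTE: Negligible security impact" restates the new "(unimportant)" classification rather than justifying it. Because the CVE text says the cleartext master password can be recovered, a one-line reason in that NOTE (what access an attacker already needs and why that is outside the package's threat model) would make the downgrade from three per-release "(Minor issue)" lines auditable when the entry is revisited; the two existing reference NOTEs already hold the details, so the reason can be short.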
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 91d80e70 by Moritz Muehlenhoff at 2023-12-22T13:36:37+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -386,7 +386,7 @@ CVE-2023-41166 (An issue was discovered in Stormshield Network Security (SNS) 3. CVE-2023-7018 (Deserialization of Untrusted Data in GitHub repository huggingface/tra ...) NOT-FOR-US: Transformers CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC=yes] - - systemd + - systemd (bug #1059278) [bookworm] - systemd (Minor issue) [bullseye] - systemd (Minor issue) [buster] - systemd (Minor issue, should be fixed after newer releases are done) @@ -1033,7 +1033,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144) [bookworm] - proftpd-dfsg (Minor issue) [bullseye] - proftpd-dfsg (Minor issue) - - proftpd-mod-proxy + - proftpd-mod-proxy (bug #1059290) - putty 0.80-1 - python-asyncssh (bug #1059007) - tinyssh 20230101-4 (bug #1059058; unimportant) @@ -1777,11 +1777,11 @@ CVE-2023-50564 (An arbitrary file upload vulnerability in the component /inc/mod CVE-2023-50563 (Semcms v4.8 was discovered to contain a SQL injection vulnerability vi ...) NOT-FOR-US: Semcms CVE-2023-50472 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...) - - cjson + - cjson (bug #1059287) NOTE: https://github.com/DaveGamble/cJSON/issues/803 NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 CVE-2023-50471 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...) - - cjson + - cjson (bug #1059287) NOTE: https://github.com/DaveGamble/cJSON/issues/802 NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 CVE-2023-50371 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) 
@@ -1920,7 +1920,7 @@ CVE-2023-48631 (@adobe/css-tools versions 4.3.1 and earlier are affected by an I CVE-2023-47261 (Dokmee ECM 7.4.6 allows remote code execution because the response to ...) NOT-FOR-US: Dokmee ECM CVE-2023-46750 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability when ...) - - shiro + - shiro (bug #1059288) [bookworm] - shiro (Minor issue) [bullseye] - shiro (Minor issue) [buster] - shiro (Minor issue) @@ -3264,14 +3264,14 @@ CVE-2023-49493 (DedeCMS v5.7.111 was discovered to contain a reflective cross-si CVE-2023-49492 (DedeCMS v5.7.111 was discovered to contain a reflective cross-site scr ...) NOT-FOR-US: DedeCMS CVE-2023-49468 (Libde265 v1.0.14 was discovered to contain a global buffer overflow vu ...) - - libde265 + - libde265 (bug #1059275) NOTE: https://github.com/strukturag/libde265/issues/432 NOTE: Fixed by: https://github.com/strukturag/libde265/commit/3e822a3ccf88df1380b165d6ce5a00494a27ceeb CVE-2023-49467 (Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vuln ...) - - libde265 + - libde265 (bug #1059275) NOTE: https://github.com/strukturag/libde265/issues/434 CVE-2023-49465 (Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vuln ...) - - libde265 + - libde265 (bug #1059275) NOTE: https://github.com/strukturag/libde265/issues/435 CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - libheif (bug #1059151) 
@@ -7947,10 +7947,10 @@ CVE-2023-47005 (An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote att CVE-2023-46492 (Cross Site Scripting vulnerability in MLDB.ai v.2017.04.17.0 allows a ...) NOT-FOR-US: MLDB.ai CVE-2023-46363 (jbig2enc v0.28 was discovered to contain a SEGV via jbig2_add_page in ...) - - jbig2enc + - jbig2enc (bug #1059285) NOTE: https://github.com/agl/jbig2enc/issues/85 CVE-2023-46362 (jbig2enc v0.28 was discovered to contain a heap-use-after-free via jbi ...) - - jbig2enc + - jbig2enc (bug #1059284) NOTE: https://github.com/agl/jbig2enc/issues/84 CVE-2023-45875 (An issue was discovered in Couchbase Server 7.2.0. There is a private ...) NOT-FOR-US: Couchbase Server @@ -9720,7 +9720,7 @@ CVE-2023-46510 (An issue in ZIONCOM (Hong Kong) Technology Limited A7000R v.4.1c CVE-2023-46509 (An issue in Contec SolarView Compact v.6.0 and before allows an attack ...) NOT-FOR-US: Contec SolarView Compact CVE-2023-46490 (SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker ...) - - cacti
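Review bot: the bug references are internally consistent (bug #1059275 shared by the three libde265 CVEs, #1059287 by the two cjson CVEs, separate #1059285 and #1059284 for the two jbig2enc CVEs), but in the libde265 region only CVE-2023-49468 carries a "NOTE: Fixed by:" line; CVE-2023-49467 and CVE-2023-49465 link only the upstream issues. If one upload is expected to close the shared bug, recording the fixing commits for those two entries too, or noting that no upstream fix exists yet, would tell the maintainer what the bug actually covers. The final hunk (CVE-2023-46490, cacti) is cut off in this mail and could not be reviewed.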
[Git][security-tracker-team/security-tracker][master] add openbabel reference
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1bf21fe4 by Moritz Muehlenhoff at 2023-12-22T13:27:14+01:00 add openbabel reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -69170,48 +69170,56 @@ CVE-2022-46295 (Multiple out-of-bounds write vulnerabilities exist in the transl [bullseye] - openbabel (Minor issue) [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 + NOTE: https://github.com/openbabel/openbabel/issues/2650 CVE-2022-46294 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 + NOTE: https://github.com/openbabel/openbabel/issues/2650 CVE-2022-46293 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 + NOTE: https://github.com/openbabel/openbabel/issues/2650 CVE-2022-46292 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 + NOTE: https://github.com/openbabel/openbabel/issues/2650 CVE-2022-46291 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 + NOTE: https://github.com/openbabel/openbabel/issues/2650 CVE-2022-46290 (Multiple out-of-bounds write vulnerabilities exist in the ORCA format ...) 
- openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665 + NOTE: https://github.com/openbabel/openbabel/issues/2650 CVE-2022-46289 (Multiple out-of-bounds write vulnerabilities exist in the ORCA format ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665 + NOTE: https://github.com/openbabel/openbabel/issues/2650 CVE-2022-46280 (A use of uninitialized pointer vulnerability exists in the PQS format ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1670 + NOTE: https://github.com/openbabel/openbabel/issues/2650 CVE-2022-46278 RESERVED CVE-2022-46277 @@ -69254,6 +69262,7 @@ CVE-2022-44451 (A use of uninitialized pointer vulnerability exists in the MSI f [bullseye] - openbabel (Minor issue) [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1669 + NOTE: https://github.com/openbabel/openbabel/issues/2650 CVE-2022-43664 (A use-after-free vulnerability exists within the way Ichitaro Word Pro ...) NOT-FOR-US: Ichitaro CVE-2022-43663 (An integer conversion vulnerability exists in the SORBAx64.dll RecvPac ...) 
@@ -69266,12 +69275,14 @@ CVE-2022-43467 (An out-of-bounds write vulnerability exists in the PQS format co [bullseye] - openbabel (Minor issue) [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1671 + NOTE: https://github.com/openbabel/openbabel/issues/2650 CVE-2022-42885 (A use of uninitialized pointer vulnerability exists in the GRO format ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com
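Review bot: every touched openbabel entry keeps the context line "[buster] - openbabel (Minor issue, no upstream patch yet)" while the added NOTE now links the upstream issue https://github.com/openbabel/openbabel/issues/2650 for all of them. If that issue has since received a fix, the "no upstream patch yet" annotation on these entries needs a follow-up so the release-branch status does not go stale. The last hunk is truncated in this mail after "NOTE: https://talosintelligence.com", so the CVE-2022-42885 entry could not be fully checked.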
[Git][security-tracker-team/security-tracker][master] add reference for proftpd-mod-proxy
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ad946e3a by Moritz Muehlenhoff at 2023-12-22T13:25:26+01:00 add reference for proftpd-mod-proxy - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1056,6 +1056,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun NOTE: proftpd: https://github.com/proftpd/proftpd/commit/7fba68ebb3ded3047a35aa639e115eba7d585682 (v1.3.9rc2) NOTE: proftpd: https://github.com/proftpd/proftpd/commit/bcec15efe6c53dac40420731013f1cd2fd54123b (v1.3.8b) NOTE: proftpd-mod-proxy: https://github.com/Castaglia/proftpd-mod_proxy/issues/257 + NOTE: proftpd-mod-proxy: https://github.com/Castaglia/proftpd-mod_proxy/commit/54612735629231de2242d6395d334539604872fb NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9e099151574885f3c717ac10a633a9218db8e7bb (0.80) NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2e7086902b3605c96e54ef9c956ca7ab10e (0.80) NOTE: PuTTY: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fcbb86f715bc03e58921482efe663aa0c662d62 (0.80) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad946e3a0d07591d23702ce60d8ce75697f89965
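Review bot: the new "NOTE: proftpd-mod-proxy:" commit reference carries no version tag, unlike the neighbouring proftpd and PuTTY references, which all name the release containing the fix ("(v1.3.9rc2)", "(v1.3.8b)", "(0.80)"). If the mod_proxy commit is part of a tagged upstream release, appending it the same way keeps the entry consistent and saves a lookup when a fixed version is eventually recorded for proftpd-mod-proxy, whose package line in commit 91d80e70 above still has only a bug number.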
[Git][security-tracker-team/security-tracker][master] no bugs needed for GCC 9/GCC10
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 342011c0 by Moritz Muehlenhoff at 2023-12-22T12:57:56+01:00 no bugs needed for GCC 9/GCC10 These won't get included in any new releases and will eventually be removed - - - - - 1 changed file: - data/packages/ignored-debian-bug-packages Changes: = data/packages/ignored-debian-bug-packages = @@ -13,3 +13,5 @@ chromium webkit2gtk wpewebkit xen +gcc-9 +gcc-10 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/342011c005d0321cdb00446ebb3efe94999b45f2
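Review bot: the reason for listing gcc-9 and gcc-10 (no further releases, removal pending) exists only in the commit message, and it is a different kind of reason from the one given for xen in commit 6a414a09 on this page (the maintainers track XSAs themselves). Entries of the first kind are meant to become obsolete once the packages leave the archive, so a comment in the file, if its format permits one, or a tracked reminder to drop the two lines afterwards would keep the list from accumulating stale exclusions.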
[Git][security-tracker-team/security-tracker][master] add xen to packages not to flag as in need of bugs filed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a414a09 by Moritz Muehlenhoff at 2023-12-22T12:51:25+01:00 add xen to packages not to flag as in need of bugs filed The maintainers closely follow the XSA announcements and fixes land via tree updates anyway. - - - - - 1 changed file: - data/packages/ignored-debian-bug-packages Changes: = data/packages/ignored-debian-bug-packages = @@ -12,3 +12,4 @@ thunderbird chromium webkit2gtk wpewebkit +xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a414a0909bffea734eee3ece19ece527f0e809a
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c6312bf by Moritz Muehlenhoff at 2023-12-22T10:58:53+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -114,7 +114,7 @@ CVE-2023-48685 (Railway Reservation System v1.0 is vulnerable to multiple Unauth CVE-2023-48308 (Nextcloud/Cloud is a calendar app for Nextcloud. An attacker can gain ...) NOT-FOR-US: Nextcloud calendar app CVE-2023-48298 (ClickHouse\xae is an open-source column-oriented database management s ...) - - clickhouse + - clickhouse (bug #1059261) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938 NOTE: https://github.com/ClickHouse/ClickHouse/pull/56795 CVE-2023-46649 (A race condition in GitHub Enterprise Server was identified that could ...) @@ -231,7 +231,7 @@ CVE-2023-50119 CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has been id ...) TODO: check CVE-2023-4255 (An out-of-bounds write issue has been discovered in the backspace hand ...) - - w3m + - w3m (bug #1059265) NOTE: https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3 NOTE: https://github.com/tats/w3m/issues/268 NOTE: https://github.com/tats/w3m/pull/273 @@ -459,7 +459,7 @@ CVE-2023-47507 (Deserialization of Untrusted Data vulnerability in Master Slider CVE-2023-47236 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-47118 (ClickHouse\xae is an open-source column-oriented database management s ...) - - clickhouse + - clickhouse (bug #1059261) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v CVE-2023-46311 (Authorization Bypass Through User-Controlled Key vulnerability in gVec ...) NOT-FOR-US: WordPress plugin 
@@ -4105,11 +4105,11 @@ CVE-2023-5332 (Patch in third party library Consul requires 'enable-script-check CVE-2023-49287 (TinyDir is a lightweight C directory and file reader. Buffer overflows ...) - falcosecurity-libs (bug #1059256) - gemmi (bug #1059257) - - lwip (bug #1059259) NOTE: https://www.openwall.com/lists/oss-security/2023/12/04/1 NOTE: https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf NOTE: https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d NOTE: https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt + NOTE: lwip embeds a copy of tinydir, but it's unused, see bug #1059259 CVE-2023-49108 (Path traversal vulnerability exists in RakRak Document Plus Ver.3.2.0. ...) NOT-FOR-US: RakRak Document Plus CVE-2023-49093 (HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerab ...) 
@@ -76684,13 +76684,13 @@ CVE-2022-44013 (An issue was discovered in Simmeth Lieferantenmanager before 5.6 CVE-2022-44012 (An issue was discovered in /DS/LM_API/api/SelectionService/InsertQuery ...) NOT-FOR-US: Simmeth Lieferantenmanager CVE-2022-44011 (An issue was discovered in ClickHouse before 22.9.1.2603. An authentic ...) - - clickhouse + - clickhouse (bug #1059261) [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) [buster] - clickhouse (Minor issue, DoS) NOTE: https://github.com/ClickHouse/ClickHouse/pull/40241 CVE-2022-44010 (An issue was discovered in ClickHouse before 22.9.1.2603. An attacker ...) - - clickhouse + - clickhouse (bug #1059261) [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) [buster] - clickhouse (Minor issue, DoS) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c6312bf8952f907f089ed432925cc9708f92b56
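Review bot: in the hunk at -4105 the "- lwip (bug #1059259)" package line is deleted and replaced by "NOTE: lwip embeds a copy of tinydir, but it's unused, see bug #1059259". Removing the package line means the tracker no longer associates lwip with CVE-2023-49287 at all; if the tracker supports an explicit not-affected marker on a package line, using it would keep the assessment machine-readable instead of only in a free-text NOTE. The clickhouse hunks are fine: the same bug #1059261 is attached to all four clickhouse CVEs (CVE-2023-48298, CVE-2023-47118, CVE-2022-44011, CVE-2022-44010), i.e. one bug per package.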
[Git][security-tracker-team/security-tracker][master] new w3m issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e936c290 by Moritz Muehlenhoff at 2023-12-22T10:36:34+01:00 new w3m issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -231,7 +231,10 @@ CVE-2023-50119 CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has been id ...) TODO: check CVE-2023-4255 (An out-of-bounds write issue has been discovered in the backspace hand ...) - TODO: check + - w3m + NOTE: https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3 + NOTE: https://github.com/tats/w3m/issues/268 + NOTE: https://github.com/tats/w3m/pull/273 CVE-2023-49826 (Deserialization of Untrusted Data vulnerability in PenciDesign Soledad ...) NOT-FOR-US: WordPress plugin CVE-2023-49778 (Deserialization of Untrusted Data vulnerability in Hakan Demiray Sayfa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e936c290b6d534494b7fdd8048981a9ad9d0bb9b
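Review bot: the new "- w3m" line marks the package as affected but carries neither a fixed version nor a bug reference, although the same hunk already links the upstream fix commit, issue 268 and pull request 273; the bug number (#1059265) only arrives in the later commit 9c6312bf shown above. Adding the bug reference in the same commit as the package line, or the fixed Debian version once it is uploaded, avoids a window in which the entry looks unfixed with nothing tracking it.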
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b1cddff by Moritz Muehlenhoff at 2023-12-22T10:12:32+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78,11 +78,11 @@ CVE-2023-49678 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL In CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) NOT-FOR-US: Job Portal CVE-2023-49086 (Cacti is a robust performance and fault management framework and a fro ...) - - cacti + - cacti (bug #1059254) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc CVE-2023-49084 (Cacti is a robust performance and fault management framework and a fro ...) - - cacti + - cacti (bug #1059254) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc CVE-2023-48723 (Student Result Management System v1.0 is vulnerable to multiple Unauth ...) 
@@ -4100,7 +4100,9 @@ CVE-2023-5332 (Patch in third party library Consul requires 'enable-script-check NOTE: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171 NOTE: https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations CVE-2023-49287 (TinyDir is a lightweight C directory and file reader. Buffer overflows ...) - TODO: potentally affects falcosecurity-libs, gemmi, lwip + - falcosecurity-libs (bug #1059256) + - gemmi (bug #1059257) + - lwip (bug #1059259) NOTE: https://www.openwall.com/lists/oss-security/2023/12/04/1 NOTE: https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf NOTE: https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b1cddffbc54494cbe40264420db250fd120019c
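Review bot: the hunk at -4100 turns "TODO: potentally affects falcosecurity-libs, gemmi, lwip" into three package lines, each with its own bug, but the lwip line is reverted in the later commit 9c6312bf on this page with the note that lwip's embedded tinydir copy is unused. Checking whether an embedded copy is actually compiled in before filing would have avoided bug #1059259; for falcosecurity-libs and gemmi the same check is worth recording in a NOTE so the two remaining bugs are known to be real.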
[Git][security-tracker-team/security-tracker][master] NFU / add tinydir references
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ba6b1ba by Moritz Muehlenhoff at 2023-12-22T09:49:53+01:00 NFU / add tinydir references - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -215,7 +215,7 @@ CVE-2023-50822 (Improper Neutralization of Input During Web Page Generation ('Cr CVE-2023-50732 (XWiki Platform is a generic wiki platform offering runtime services fo ...) NOT-FOR-US: XWiki CVE-2023-50724 (Resque (pronounced like "rescue") is a Redis-backed library for creati ...) - TODO: check + NOT-FOR-US: Resque CVE-2023-50481 (An issue was discovered in blinksocks version 3.3.8, allows remote att ...) NOT-FOR-US: blinksocks CVE-2023-50477 (An issue was discovered in nos client version 0.6.6, allows remote att ...) 
@@ -4102,6 +4102,8 @@ CVE-2023-49287 (TinyDir is a lightweight C directory and file reader. Buffer ove TODO: potentally affects falcosecurity-libs, gemmi, lwip NOTE: https://www.openwall.com/lists/oss-security/2023/12/04/1 NOTE: https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf + NOTE: https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d + NOTE: https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt CVE-2023-49108 (Path traversal vulnerability exists in RakRak Document Plus Ver.3.2.0. ...) NOT-FOR-US: RakRak Document Plus CVE-2023-49093 (HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerab ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ba6b1ba8336464c1551490aad6f7332f4ce4382
[Git][security-tracker-team/security-tracker][master] new clickhouse issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e5465a3 by Moritz Muehlenhoff at 2023-12-22T09:39:48+01:00 new clickhouse issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -114,7 +114,9 @@ CVE-2023-48685 (Railway Reservation System v1.0 is vulnerable to multiple Unauth CVE-2023-48308 (Nextcloud/Cloud is a calendar app for Nextcloud. An attacker can gain ...) NOT-FOR-US: Nextcloud calendar app CVE-2023-48298 (ClickHouse\xae is an open-source column-oriented database management s ...) - TODO: check + - clickhouse + NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938 + NOTE: https://github.com/ClickHouse/ClickHouse/pull/56795 CVE-2023-46649 (A race condition in GitHub Enterprise Server was identified that could ...) NOT-FOR-US: GitHub Enterprise Server CVE-2023-46648 (An insufficient entropy vulnerability was identified in GitHub Enterpr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e5465a3e91db999312049b6fe0106c6db8b560a
[Git][security-tracker-team/security-tracker][master] cacti commit references
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7647c309 by Moritz Muehlenhoff at 2023-12-22T09:36:01+01:00 cacti commit references - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -80,9 +80,11 @@ CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL In CVE-2023-49086 (Cacti is a robust performance and fault management framework and a fro ...) - cacti NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr + NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc CVE-2023-49084 (Cacti is a robust performance and fault management framework and a fro ...) - cacti NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp + NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc CVE-2023-48723 (Student Result Management System v1.0 is vulnerable to multiple Unauth ...) NOT-FOR-US: Student Result Management System CVE-2023-48722 (Student Result Management System v1.0 is vulnerable to multiple Unauth ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7647c3092cd4e417d5748b7a6f2b7ee874b4637e
[Git][security-tracker-team/security-tracker][master] new cacti issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 490d841c by Moritz Muehlenhoff at 2023-12-22T09:31:44+01:00 new cacti issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78,9 +78,11 @@ CVE-2023-49678 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL In CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) NOT-FOR-US: Job Portal CVE-2023-49086 (Cacti is a robust performance and fault management framework and a fro ...) - TODO: check + - cacti + NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr CVE-2023-49084 (Cacti is a robust performance and fault management framework and a fro ...) - TODO: check + - cacti + NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp CVE-2023-48723 (Student Result Management System v1.0 is vulnerable to multiple Unauth ...) NOT-FOR-US: Student Result Management System CVE-2023-48722 (Student Result Management System v1.0 is vulnerable to multiple Unauth ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/490d841c34027c6daa5c7d272e9b799e538a8aa5
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e7c1973f by Moritz Muehlenhoff at 2023-12-22T09:30:33+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,17 +19,17 @@ CVE-2023-7051 (A vulnerability was found in PHPGurukul Online Notes Sharing Syst CVE-2023-7050 (A vulnerability has been found in PHPGurukul Online Notes Sharing Syst ...) NOT-FOR-US: PHPGurukul Online Notes Sharing System CVE-2023-6847 (An improper authentication vulnerability was identified in GitHub Ente ...) - TODO: check + NOT-FOR-US: GitHub Enterprise Server CVE-2023-6804 (Improper privilege management allowed arbitrary workflows to be commit ...) - TODO: check + NOT-FOR-US: GitHub Enterprise Server CVE-2023-6803 (A race condition in GitHub Enterprise Server allows an outside collabo ...) - TODO: check + NOT-FOR-US: GitHub Enterprise Server CVE-2023-6802 (An insertion of sensitive information into the log file in the audit l ...) - TODO: check + NOT-FOR-US: GitHub Enterprise Server CVE-2023-6746 (An insertion of sensitive information into log file vulnerability was ...) - TODO: check + NOT-FOR-US: GitHub Enterprise Server CVE-2023-6690 (A race condition in GitHub Enterprise Server allowed an existing admin ...) - TODO: check + NOT-FOR-US: GitHub Enterprise Server CVE-2023-51713 (make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of- ...) - proftpd-dfsg 1.3.8.a+dfsg-1 NOTE: https://github.com/proftpd/proftpd/issues/1683 
@@ -46,87 +46,87 @@ CVE-2023-51704 (An issue was discovered in MediaWiki before 1.35.14, 1.36.x thro NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/TDBUBCCOQJUT4SCHJNPHKQNPBUUETY52/ NOTE: https://phabricator.wikimedia.org/T347726 CVE-2023-51380 (An incorrect authorization vulnerability was identified in GitHub Ente ...) - TODO: check + NOT-FOR-US: GitHub Enterprise Server CVE-2023-51379 (An incorrect authorization vulnerability was identified in GitHub Ente ...) - TODO: check + NOT-FOR-US: GitHub Enterprise Server CVE-2023-49690 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49689 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49688 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49687 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49686 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49685 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49684 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49683 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49682 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49681 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49680 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) 
- TODO: check + NOT-FOR-US: Job Portal CVE-2023-49679 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49678 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) - TODO: check + NOT-FOR-US: Job Portal CVE-2023-49086 (Cacti is a robust performance and fault management framework and a fro ...) TODO: check CVE-2023-49084 (Cacti is a robust performance and fault management framework and a fro ...) TODO: check CVE-2023-48723 (Student Result Management System v1.0 is vulnerable to multiple Unauth ...) - TODO: check + NOT-FOR-US: Student Result Management System CVE-2023-48722 (Student Result Management System v1.0 is vulnerable to multiple Unauth ...) - TODO: check + NOT-FOR-US: Student Result Management System CVE-2023-48720 (Student Result Management System v1.0 is vulnerable to multiple Unauth
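Review bot: In the middle of the second hunk, CVE-2023-49086 and CVE-2023-49084 (Cacti) are the only entries still at `TODO: check` while every neighbour is converted to NOT-FOR-US. Leaving them is correct, since cacti is a Debian source package and cannot be marked NOT-FOR-US, but nothing in the hunk or the 'NFUs' message says they were skipped on purpose; a short remark, or simply not touching that region, would make the intent clear to the next triager (the follow-up commit 490d841c does add `- cacti` lines for both).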
[Git][security-tracker-team/security-tracker][master] new mediawiki issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 40720b12 by Moritz Muehlenhoff at 2023-12-22T09:27:30+01:00 new mediawiki issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37,7 +37,11 @@ CVE-2023-51708 (Bentley eB System Management Console applications within Assetwi CVE-2023-51707 (MotionPro in Array ArrayOS AG before 9.4.0.505 on AG and vxAG allows r ...) NOT-FOR-US: MotionPro CVE-2023-51704 (An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1. ...) - TODO: check + - mediawiki + [bookworm] - mediawiki (Minor issue, fix along in next update) + [bullseye] - mediawiki (Minor issue, fix along in next update) + NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/TDBUBCCOQJUT4SCHJNPHKQNPBUUETY52/ + NOTE: https://phabricator.wikimedia.org/T347726 CVE-2023-51380 (An incorrect authorization vulnerability was identified in GitHub Ente ...) TODO: check CVE-2023-51379 (An incorrect authorization vulnerability was identified in GitHub Ente ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40720b1261a9724204f90d71c404367e4f62dfdd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40720b1261a9724204f90d71c404367e4f62dfdd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
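Review bot: The new `- mediawiki` line has no fixed version and no bug reference, although the CVE text in the hunk header already names the fixed upstream releases ("MediaWiki before 1.35.14, 1.36.x through 1..."); recording the unstable fix version when it lands, and a BTS bug number as the neighbouring entries do (e.g. `(bug #1059060)`), would stop this showing as an untracked unfixed issue. The first NOTE URL also appears here with an elided list address (`wikitec...@lists.wikimedia.org`); verify that the committed line carries the full hyperkitty URL so the reference resolves.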
[Git][security-tracker-team/security-tracker][master] chromium fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 60d4ba8b by Moritz Muehlenhoff at 2023-12-21T20:51:04+01:00 chromium fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,7 @@ CVE-2023-7026 (A vulnerability was found in Lightxun IPTV Gateway up to 20231208 CVE-2023-7025 (A vulnerability was found in KylinSoft hedron-domain-hook up to 3.8.0. ...) NOT-FOR-US: KylinSoft hedron-domain-hook CVE-2023-7024 - - chromium + - chromium 120.0.6099.129-1 [buster] - chromium (see DSA 5046) CVE-2023-7023 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has been ra ...) NOT-FOR-US: Tongda OA View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60d4ba8bd5aede053b9d06a5999efe614183ed0b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60d4ba8bd5aede053b9d06a5999efe614183ed0b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
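Review bot: The fix is recorded for unstable only (`- chromium 120.0.6099.129-1`), but CVE-2023-7024 still has no [bookworm] or [bullseye] line, and the only other annotation is `[buster] - chromium (see DSA 5046)`; since chromium in the stable suites is handled through DSAs, either the DSA reference or a dsa-needed.txt entry should accompany this change so the stable status is not left implicit. The entry is also the only one in the hunk with no description in parentheses; that should be filled in once available.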
[Git][security-tracker-team/security-tracker][master] add cross reference
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d9a5242e by Moritz Mühlenhoff at 2023-12-21T20:20:01+01:00 add cross reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14985,6 +14985,7 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vu NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt CVE-2023- [AV1 codec parser buffer overflow] - gst-plugins-bad1.0 1.22.8-1 + [bookworm] - gst-plugins-bad1.0 1.22.0-4+deb12u4 [bullseye] - gst-plugins-bad1.0 (Vulnerable code not present) [buster] - gst-plugins-bad1.0 (Vulnerable code not present) - gst-plugins-bad0.10 (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9a5242eb13d59cc1a5cff10f3e4a3ad67c19cca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9a5242eb13d59cc1a5cff10f3e4a3ad67c19cca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
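Review bot: The commit message says 'add cross reference', but the hunk adds a bookworm fixed version (`[bookworm] - gst-plugins-bad1.0 1.22.0-4+deb12u4`) rather than a DSA cross reference; the entry is still a `CVE-2023-` placeholder, so there is no id for DSA-5583-1 to cite, and the DSA entry in data/DSA/list (commit 0e2e33f3) has no `{CVE-...}` line. Both sides need updating once the id is assigned, so a TODO or NOTE recording that would help.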
[Git][security-tracker-team/security-tracker][master] gst-plugins-bad1.0, thunderbird DSAs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e2e33f3 by Moritz Mühlenhoff at 2023-12-21T20:18:23+01:00 gst-plugins-bad1.0, thunderbird DSAs - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,9 @@ +[21 Dec 2023] DSA-5583-1 gst-plugins-bad1.0 - security update + [bookworm] - gst-plugins-bad1.0 1.22.0-4+deb12u4 +[21 Dec 2023] DSA-5582-1 thunderbird - security update + {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6864 CVE-2023-6873 CVE-2023-50761 CVE-2023-50762} + [bullseye] - thunderbird 1:115.6.0-1~deb11u1 + [bookworm] - thunderbird 1:115.6.0-1~deb12u1 [20 Dec 2023] DSA-5581-1 firefox-esr - security update {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863 CVE-2023-6864 CVE-2023-6865 CVE-2023-6867} [bullseye] - firefox-esr 115.6.0esr-1~deb11u1 = data/dsa-needed.txt = @@ -29,8 +29,6 @@ frr -- gpac/oldstable -- -gst-plugins-bad1.0 (jmm) --- h2o (jmm) -- haproxy (carnil) @@ -99,8 +97,6 @@ slurm-wlm -- squid -- -thunderbird (jmm) --- varnish -- zbar View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e2e33f3a0ad6e49954a2b4877e60aca15e70e07 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e2e33f3a0ad6e49954a2b4877e60aca15e70e07 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
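Review bot: The CVE set on DSA-5582-1 (thunderbird) includes CVE-2023-6873, but commit 83a0ef39 earlier the same day removed `- thunderbird` from that CVE with the message 'CVE-2023-6873 only affects src:firefox' and dropped its mfsa2023-55 reference; DSA-5581-1 for firefox-esr, on the same 115.6 release train, does not list it either. One of the two needs reconciling: either thunderbird is affected and the CVE/list entry should regain its `- thunderbird` line with a `{DSA-5582-1}` reference, or the id should be removed from this DSA's CVE list. Separately, the DSA-5583-1 entry has no `{CVE-...}` line because the gst-plugins-bad1.0 issue is still a `CVE-2023-` placeholder; leave a reminder to add it when the id is assigned.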
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 66bc6291 by Moritz Muehlenhoff at 2023-12-21T15:43:36+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,13 @@ +CVE-2023-48291 + - airflow (bug #819700) +CVE-2023-47265 + - airflow (bug #819700) +CVE-2023-49920 + - airflow (bug #819700) +CVE-2023-50783 + - airflow (bug #819700) +CVE-2023-51656 + NOT-FOR-US: Apache IoTDB CVE-2023- [RUSTSEC-2023-0075] - rust-unsafe-libyaml NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0075.html @@ -50,7 +60,7 @@ CVE-2023-48433 (Online Voting System Project v1.0 is vulnerable to multiple Unau CVE-2023-47093 (An issue was discovered in Stormshield Network Security (SNS) 4.0.0 th ...) NOT-FOR-US: Stormshield Network Security (SNS) CVE-2023-46131 (Grails is a framework used to build web applications with the Groovy p ...) - TODO: check + - grails (bug #473213) CVE-2023-45703 (HCL Launch may mishandle input validation of an uploaded archive file ...) NOT-FOR-US: HCL CVE-2023-45700 (HCL Launch is vulnerable to HTML injection. This vulnerability may all ...) @@ -97,7 +107,7 @@ CVE-2023-51457 (Adobe Experience Manager versions 6.5.18 and earlier are affecte CVE-2023-50628 (Buffer Overflow vulnerability in libming version 0.4.8, allows attacke ...) - ming CVE-2023-50249 (Sentry-Javascript is official Sentry SDKs for JavaScript. A ReDoS (Reg ...) - TODO: check + NOT-FOR-US: Sentry-Javascript CVE-2023-50044 (Buffer Overflow vulnerability in Cesanta MJS version 2.22.0, allows at ...) NOT-FOR-US: Cesenta MJS CVE-2023-49825 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) 
@@ -153,7 +163,7 @@ CVE-2023-40204 (Unrestricted Upload of File with Dangerous Type vulnerability in CVE-2023-40010 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-3742 (Insufficient policy enforcement in ADB in Google Chrome on ChromeOS pr ...) - TODO: check + NOT-FOR-US: Google Chrome on ChromeOS CVE-2023-38519 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-38513 (Authorization Bypass Through User-Controlled Key vulnerability in Jord ...) @@ -38415,11 +38425,11 @@ CVE-2023-29489 (An issue was discovered in cPanel before 11.109..116. XSS ca CVE-2023-29488 RESERVED CVE-2023-29487 (An issue was discovered in Heimdal Thor agent versions 3.4.2 and befor ...) - TODO: check + NOT-FOR-US: Heimdal Thor CVE-2023-29486 (An issue was discovered in Heimdal Thor agent versions 3.4.2 and befor ...) - TODO: check + NOT-FOR-US: Heimdal Thor CVE-2023-29485 (An issue was discovered in Heimdal Thor agent versions 3.4.2 and befor ...) - TODO: check + NOT-FOR-US: Heimdal Thor CVE-2023-29484 (In Terminalfour before 8.3.16, misconfigured LDAP users are able to lo ...) NOT-FOR-US: Terminalfour CVE-2023-29483 
@@ -65915,7 +65925,7 @@ CVE-2022-41834 CVE-2020-36611 (Incorrect Default Permissions vulnerability in Hitachi Tuning Manager ...) NOT-FOR-US: Hitachi CVE-2023-0011 (A flaw in the input validation in TOBY-L2 allows a user to execute arb ...) - TODO: check + NOT-FOR-US: TOBY-L2 CVE-2022-47193 RESERVED CVE-2022-47192 (Generex UPS CS141 below 2.06 version, could allow a remote attacker to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66bc6291e062b20d168e8c070df0adca56b2c91f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66bc6291e062b20d168e8c070df0adca56b2c91f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
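Review bot: The four new airflow entries in the first hunk (CVE-2023-48291, CVE-2023-47265, CVE-2023-49920, CVE-2023-50783) are bare `- airflow (bug #819700)` lines with no version and no state marker; if airflow is not a source package in the archive and #819700 is the ITP, the tracker's `<itp>` pseudo-version (`- airflow <itp> (bug #819700)`) is the convention, otherwise these show as unfixed in every suite for a package the tracker cannot resolve. The same question applies to `- grails (bug #473213)` in the second hunk.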
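Review bot: The context line `NOT-FOR-US: Cesenta MJS` under CVE-2023-50044 in the third hunk misspells the vendor; the CVE text on the line above it says 'Cesanta MJS'. Worth fixing while this region is being touched.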
[Git][security-tracker-team/security-tracker][master] new rust-unsafe-libyaml issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f0dbdb9c by Moritz Muehlenhoff at 2023-12-21T15:25:24+01:00 new rust-unsafe-libyaml issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023- [RUSTSEC-2023-0075] + - rust-unsafe-libyaml + NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0075.html + NOTE: https://github.com/dtolnay/unsafe-libyaml/issues/21 CVE-2023-7026 (A vulnerability was found in Lightxun IPTV Gateway up to 20231208. It ...) NOT-FOR-US: Lightxun IPTV Gateway CVE-2023-7025 (A vulnerability was found in KylinSoft hedron-domain-hook up to 3.8.0. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0dbdb9caabe4c50c67e46381cdebea5ab01cd94 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0dbdb9caabe4c50c67e46381cdebea5ab01cd94 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
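Review bot: `- rust-unsafe-libyaml` is added with no fixed version and no [bookworm]/[bullseye] lines, so the new placeholder entry counts as unfixed in every suite; record the patched crate version from RUSTSEC-2023-0075 once it reaches unstable, and note whether the package is present in the stable suites at all. The `CVE-2023- [RUSTSEC-2023-0075]` header will also need renaming once an id is allocated.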
[Git][security-tracker-team/security-tracker][master] CVE-2023-6873 only affects src:firefox
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 83a0ef39 by Moritz Muehlenhoff at 2023-12-21T12:35:17+01:00 CVE-2023-6873 only affects src:firefox - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -388,9 +388,7 @@ CVE-2023-6862 (A use-after-free was identified in the `nsDNSService::Init`. Thi NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6862 CVE-2023-6873 (Memory safety bugs present in Firefox 120. Some of these bugs showed e ...) - firefox 121.0-1 - - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6873 - NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6873 CVE-2023-6864 (Memory safety bugs present in Firefox 120, Firefox ESR 115.5, and Thun ...) {DSA-5581-1} - firefox 121.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83a0ef398e265561eadff2795daeae578d28f791 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83a0ef398e265561eadff2795daeae578d28f791 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
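Review bot: The removal is consistent with the CVE text in the hunk ("Memory safety bugs present in Firefox 120", whereas CVE-2023-6864 directly below names Firefox ESR 115.5 and Thunderbird as well), but the thunderbird DSA-5582-1 entry added later the same day in commit 0e2e33f3 still lists CVE-2023-6873 in its CVE set; that DSA entry should be corrected to match, or this change revisited.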
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 433acc83 by Moritz Muehlenhoff at 2023-12-21T11:08:54+01:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -57,6 +57,8 @@ CVE-2023-7018 (Deserialization of Untrusted Data in GitHub repository huggingfac NOT-FOR-US: Transformers CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC=yes] - systemd + [bookworm] - systemd (Minor issue) + [bullseye] - systemd (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=672 CVE-2023-6912 (Lack of protection against brute force attacks in M-Files Server befor ...) NOT-FOR-US: M-Files Server @@ -299,6 +301,8 @@ CVE-2023-49489 (Reflective Cross Site Scripting (XSS) vulnerability in KodeExplo NOT-FOR-US: kalcaddle KodExplorer CVE-2023-49006 (Cross Site Request Forgery (CSRF) vulnerability in Phpsysinfo version ...) - phpsysinfo 3.4.3-1 + [bookworm] - phpsysinfo (Minor issue) + [bullseye] - phpsysinfo (Minor issue) NOTE: https://huntr.com/bounties/ca6d669f-fd82-4188-aae2-69e08740d982/ NOTE: https://github.com/phpsysinfo/phpsysinfo/commit/4f2cee505e4f2e9b369a321063ff2c5e0c34ba45 (v3.4.3) CVE-2023-46804 (An attacker sending specially crafted data packets to the Mobile Devic ...) @@ -679,6 +683,8 @@ CVE-2023-32230 (An improper handling of a malformed API request to an API server CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, found in O ...) - dropbear (bug #1059001) - erlang 1:25.3.2.8+dfsg-1 (bug #1059002) + [bookworm] - erlang (Minor issue) + [bullseye] - erlang (Minor issue) - golang-go.crypto (bug #1059003) - jsch (ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58) - libssh (bug #1059004) 
@@ -12113,6 +12119,8 @@ CVE-2023-39960 (Nextcloud Server provides data storage for Nextcloud, an open so - nextcloud-server (bug #941708) CVE-2023-38000 (Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability i ...) - wordpress 6.3.2+dfsg1-1 + [bookworm] - wordpress (Minor issue) + [bullseye] - wordpress (Vulnerable code was introduced in 5.9) [buster] - wordpress (Vulnerable code was introduced in 5.9) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ NOTE: https://plugins.trac.wordpress.org/changeset/2978318/gutenberg/trunk/build/block-library/blocks/post-navigation-link.php @@ -14953,7 +14961,9 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vu NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt CVE-2023- [AV1 codec parser buffer overflow] - gst-plugins-bad1.0 1.22.8-1 - - gst-plugins-bad0.10 + [bullseye] - gst-plugins-bad1.0 (Vulnerable code not present) + [buster] - gst-plugins-bad1.0 (Vulnerable code not present) + - gst-plugins-bad0.10 (Vulnerable code not present) NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0011.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5823 NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/890d59e97e291fe848147ebf4d5884bcec1101c9 
@@ -241920,6 +241930,8 @@ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in P NOTE: Probably fixed with r1832 and r1836 from http://svn.code.sf.net/p/freeimage/svn/FreeImage/ CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in PluginEXR ...) - freeimage (bug #1051736) + [bookworm] - freeimage (Revisit when patches are available) + [bullseye] - freeimage (Revisit when patches are available) [buster] - freeimage (Revisit from patches are available) NOTE: https://sourceforge.net/p/freeimage/bugs/300/ NOTE: it looks like the issue is in openexr. No relevant patches in freeimage are detected = data/dsa-needed.txt = @@ -29,6 +29,8 @@ frr -- gpac/oldstable -- +gst-plugins-bad1.0 (jmm) +-- h2o (jmm) -- haproxy (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/433acc839e19a08e047c7fbfaa981de0620fc332 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/433acc839e19a08e047c7fbfaa981de0620fc332 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi
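Review bot: In the freeimage hunk (CVE-2020-21426), the two added lines say `(Revisit when patches are available)` but the existing `[buster]` line directly below still reads `(Revisit from patches are available)`; fix the typo in the same change so the three annotations match (the CVE-2020-2429x freeimage entries in commit 13215d71 all use the 'when' wording).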
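Review bot: In the systemd hunk (CVE-2023-7008), the context line `NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=672` has a three-digit bug id, which looks truncated; since the new [bookworm]/[bullseye] 'Minor issue' lines sit right under it, verify that the link resolves to the DNSSEC report it is meant to cite and correct it while touching the entry.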
[Git][security-tracker-team/security-tracker][master] firefox-esr DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b2ed78aa by Moritz Mühlenhoff at 2023-12-20T20:21:55+01:00 firefox-esr DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[20 Dec 2023] DSA-5581-1 firefox-esr - security update + {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863 CVE-2023-6864 CVE-2023-6865 CVE-2023-6867} + [bullseye] - firefox-esr 115.6.0esr-1~deb11u1 + [bookworm] - firefox-esr 115.6.0esr-1~deb12u1 [18 Dec 2023] DSA-5580-1 webkit2gtk - security update {CVE-2023-42883} [bullseye] - webkit2gtk 2.42.4-1~deb11u1 = data/dsa-needed.txt = @@ -23,8 +23,6 @@ curl -- dnsdist (jmm) -- -firefox-esr (jmm) --- frr -- gpac/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2ed78aa2d79558ec8b23bb356ab0d73208097c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2ed78aa2d79558ec8b23bb356ab0d73208097c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 13215d71 by Moritz Muehlenhoff at 2023-12-20T17:00:33+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2728,7 +2728,7 @@ CVE-2023-49465 (Libde265 v1.0.14 was discovered to contain a heap-buffer-overflo - libde265 NOTE: https://github.com/strukturag/libde265/issues/435 CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - - libheif + - libheif (bug #1059151) [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) [buster] - libheif (Vulnerable code not present) @@ -2736,21 +2736,21 @@ CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation violati NOTE: https://github.com/strukturag/libheif/pull/1049 NOTE: https://github.com/strukturag/libheif/commit/2bf226a300951e6897ee7267d0dd379ba5ad7287 CVE-2023-49463 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - - libheif + - libheif (bug #1059151) [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) [buster] - libheif (Vulnerable code not present) NOTE: https://github.com/strukturag/libheif/issues/1042 NOTE: https://github.com/strukturag/libheif/commit/26ec3953d46bb5756b97955661565bcbc6647abf CVE-2023-49462 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - - libheif + - libheif (bug #1059151) [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) [buster] - libheif (Vulnerable code not present) NOTE: https://github.com/strukturag/libheif/issues/1043 NOTE: https://github.com/strukturag/libheif/commit/730a9d80bea3434f75c79e721878cc67f3889969 CVE-2023-49460 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - - libheif + - libheif (bug #1059151) [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) [buster] - libheif (Vulnerable code not present) 
@@ -235358,25 +235358,25 @@ CVE-2020-24297 (httpd on TP-Link TL-WPA4220 devices (versions 2 through 4) allow CVE-2020-24296 RESERVED CVE-2020-24295 (Buffer Overflow vulnerability in PSDParser.cpp::ReadImageLine() in Fre ...) - - freeimage + - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24294 (Buffer Overflow vulnerability in psdParser::UnpackRLE function in PSDP ...) - - freeimage + - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24293 (Buffer Overflow vulnerability in psdThumbnail::Read in PSDParser.cpp i ...) - - freeimage + - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24292 (Buffer Overflow vulnerability in load function in PluginICO.cpp in Fre ...) - - freeimage + - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) [buster] - freeimage (Revisit when patches are available) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13215d71ff790e689024c2d5d2afdcbefabc6412 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13215d71ff790e689024c2d5d2afdcbefabc6412 You're receiving this email because of your account on salsa.debian.org. 
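Review bot: The libheif hunk adds `(bug #1059151)` to CVE-2023-49464, CVE-2023-49463, CVE-2023-49462 and CVE-2023-49460, but the `- libde265` line in the hunk's leading context (CVE-2023-49465) is left without a bug number and without the [bookworm]/[bullseye] triage its neighbours have; if a bug was filed for it, record it in the same pass.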
[Git][security-tracker-team/security-tracker][master] proftpd fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 09bac9fa by Moritz Muehlenhoff at 2023-12-20T15:09:53+01:00 proftpd fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -494,7 +494,9 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun [buster] - libssh2 (ChaCha20-Poly1305 and CBC-EtM support not present) - openssh 1:9.6p1-1 - paramiko (bug #1059006) - - proftpd-dfsg (bug #1059144) + - proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144) + [bookworm] - proftpd-dfsg (Minor issue) + [bullseye] - proftpd-dfsg (Minor issue) - proftpd-mod-proxy - putty 0.80-1 - python-asyncssh (bug #1059007) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09bac9fabbab41996bf9e0f862282ebf3b8bee7b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09bac9fabbab41996bf9e0f862282ebf3b8bee7b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
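Review bot: The new `[bookworm]`/`[bullseye]` 'Minor issue' lines cover proftpd-dfsg only; the `- proftpd-mod-proxy` line immediately below in the context still has no fixed version, no bug number and no per-release triage, although it sits under the same CVE-2023-48795 (Terrapin) entry. Triage it in the same pass so the two proftpd packages do not diverge.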
[Git][security-tracker-team/security-tracker][master] add trilead-ssh reference
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dede44ed by Moritz Muehlenhoff at 2023-12-20T12:36:50+01:00 add trilead-ssh reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -499,6 +499,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - proftpd-mod-proxy - python-asyncssh (bug #1059007) - tinyssh (bug #1059058) + - trilead-ssh2 NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 NOTE: dropbear: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dede44ed820a5c333abbc956e131a8821c27cf3c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dede44ed820a5c333abbc956e131a8821c27cf3c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
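Review bot: `- trilead-ssh2` is added with no fixed version and no bug reference, while the surrounding CVE-2023-48795 package lines each carry one (`- python-asyncssh (bug #1059007)`, `- tinyssh (bug #1059058)`); a BTS bug and, where applicable, [bookworm]/[bullseye] lines should go in with it. Minor: the commit message says 'trilead-ssh' but the source package is trilead-ssh2.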
[Git][security-tracker-team/security-tracker][master] proftpd terrapin reference
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d6db34e0 by Moritz Muehlenhoff at 2023-12-20T11:27:21+01:00 proftpd terrapin reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -528,6 +528,8 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun NOTE: tinyssh: https://github.com/janmojzis/tinyssh/issues/81 NOTE: asyncssh: https://github.com/ronf/asyncssh/security/advisories/GHSA-hfmc-7525-mj55 NOTE: asyncssh: https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b (v2.14.2) + NOTE: proftpd: https://github.com/proftpd/proftpd/issues/1760 + NOTE: proftpd: https://github.com/proftpd/proftpd/commit/7fba68ebb3ded3047a35aa639e115eba7d585682 CVE-2023-41314 (The api /api/snapshot and /api/get_log_file would allow unauthenticate ...) NOT-FOR-US: Apache Doris CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6db34e0c63da168aa0f628395ead61434d4d667 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6db34e0c63da168aa0f628395ead61434d4d667 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
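Review bot: Style: the neighbouring asyncssh NOTE annotates its fixing commit with the release it shipped in (`(v2.14.2)`), while the new proftpd commit NOTE has no such marker; since commit 09bac9fa records the unstable fix as proftpd-dfsg 1.3.8.b+dfsg-1, adding the corresponding upstream release tag to the NOTE would make the reference self-explanatory.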
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e72f9c5 by Moritz Muehlenhoff at 2023-12-20T11:18:30+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-37544 + NOT-FOR-US: Apache Pulsar CVE-2023-6977 (This vulnerability enables malicious users to read sensitive files on ...) NOT-FOR-US: mlflow CVE-2023-6976 (This vulnerability is capable of writing arbitrary files into arbitrar ...) @@ -73,13 +75,13 @@ CVE-2023-45887 (DS Wireless Communication (DWC) with DWC_VERSION_3 and DWC_VERSI CVE-2023-45172 (IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user ...) NOT-FOR-US: IBM CVE-2023-42940 (A session rendering issue was addressed with improved session tracking ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42013 (IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.14, 7.2 through 7.2.3.7, ...) NOT-FOR-US: IBM CVE-2023-42012 (An IBM UrbanCode Deploy Agent 7.2 through 7.2.3.7, and 7.3 through 7.3 ...) NOT-FOR-US: IBM CVE-2023-38126 (Softing edgeAggregator Restore Configuration Directory Traversal Remot ...) - TODO: check + NOT-FOR-US: Softing edgeAggregator CVE-2023-37982 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in C ...) NOT-FOR-US: WordPress plugin CVE-2023-35883 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in M ...) @@ -183,7 +185,7 @@ CVE-2023-34382 (Deserialization of Untrusted Data vulnerability in weDevs Dokan CVE-2023-34027 (Deserialization of Untrusted Data vulnerability in Rajnish Arora Recen ...) NOT-FOR-US: WordPress plugin CVE-2019-25158 (A vulnerability has been found in pedroetb tts-api up to 2.1.4 and cla ...) - TODO: check + NOT-FOR-US: pedroetb tts-api CVE-2023-50762 (When processing a PGP/MIME payload that contains digitally signed text ...) - thunderbird 1:115.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-50762 
@@ -46217,7 +46219,7 @@ CVE-2023-27174 CVE-2023-27173 RESERVED CVE-2023-27172 (Xpand IT Write-back Manager v2.3.1 uses weak secret keys to sign JWT t ...) - TODO: check + NOT-FOR-US: Xpand IT Write-back manager CVE-2023-27171 REJECTED CVE-2023-27170 (Xpand IT Write-back manager v2.3.1 allows attackers to perform a direc ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e72f9c54c6db8e710a8e924d54c96688eb31ee0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e72f9c54c6db8e710a8e924d54c96688eb31ee0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
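Review bot: in the last hunk (@@ -46217), the new line "NOT-FOR-US: Xpand IT Write-back manager" spells the product differently from the CVE-2023-27172 description directly above it ("Write-back Manager"); the neighbouring CVE-2023-27170 description uses the lower-case form, so pick one spelling for both Xpand IT entries so the two NOT-FOR-US labels read identically.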
[Git][security-tracker-team/security-tracker][master] espeakup commit references
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e7b8f97 by Moritz Muehlenhoff at 2023-12-20T09:49:35+01:00 espeakup commit references - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2040,30 +2040,35 @@ CVE-2023-49994 (Espeak-ng 1.52-dev was discovered to contain a Floating Point Ex [bullseye] - espeak-ng (Minor issue) [buster] - espeak-ng (Minor issue) NOTE: https://github.com/espeak-ng/espeak-ng/issues/1823 + NOTE: https://github.com/espeak-ng/espeak-ng/commit/58f1e0b6a4e6aa55621c6f01118994d01fd6f68c CVE-2023-49993 (Espeak-ng 1.52-dev was discovered to contain a Buffer Overflow via the ...) - espeak-ng (bug #1059060) [bookworm] - espeak-ng (Minor issue) [bullseye] - espeak-ng (Minor issue) [buster] - espeak-ng (Minor issue) NOTE: https://github.com/espeak-ng/espeak-ng/issues/1826 + NOTE: https://github.com/espeak-ng/espeak-ng/commit/58f1e0b6a4e6aa55621c6f01118994d01fd6f68c CVE-2023-49992 (Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Overflow v ...) - espeak-ng (bug #1059060) [bookworm] - espeak-ng (Minor issue) [bullseye] - espeak-ng (Minor issue) [buster] - espeak-ng (Minor issue) NOTE: https://github.com/espeak-ng/espeak-ng/issues/1827 + NOTE: https://github.com/espeak-ng/espeak-ng/commit/58f1e0b6a4e6aa55621c6f01118994d01fd6f68c CVE-2023-49991 (Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Underflow ...) - espeak-ng (bug #1059060) [bookworm] - espeak-ng (Minor issue) [bullseye] - espeak-ng (Minor issue) [buster] - espeak-ng (Minor issue) NOTE: https://github.com/espeak-ng/espeak-ng/issues/1825 + NOTE: https://github.com/espeak-ng/espeak-ng/commit/58f1e0b6a4e6aa55621c6f01118994d01fd6f68c CVE-2023-49990 (Espeak-ng 1.52-dev was discovered to contain a buffer-overflow via the ...) - espeak-ng (bug #1059060) [bookworm] - espeak-ng (Minor issue) [bullseye] - espeak-ng (Minor issue) [buster] - espeak-ng (Minor issue) NOTE: https://github.com/espeak-ng/espeak-ng/issues/1824 + NOTE: https://github.com/espeak-ng/espeak-ng/commit/58f1e0b6a4e6aa55621c6f01118994d01fd6f68c CVE-2023-49874 (Mattermost fails to check whether a user is a guest when updating the ...) 
- mattermost-server (bug #823556) CVE-2023-49809 (Mattermost fails to handle a null request body in the /add endpoint, a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e7b8f976d59da08869c78a628cc0afee58b2b37 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e7b8f976d59da08869c78a628cc0afee58b2b37 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
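Review bot: the commit message says "espeakup commit references" while every entry touched in this hunk belongs to the espeak-ng source package; espeakup is a separate package, so the message should name espeak-ng. The same upstream commit (58f1e0b6...) is recorded as the fix for all five issues, CVE-2023-49990 through CVE-2023-49994, each of which points at a different upstream issue number (1823 through 1827); it is worth confirming that the single commit closes all five upstream issues rather than only one of them before the reference is relied on for the bug #1059060 fix.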
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e70d44cd by Moritz Muehlenhoff at 2023-12-19T22:28:47+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -195,7 +195,7 @@ CVE-2023-6856 (The WebGL `DrawElementsInstanced` method was susceptible to a hea NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6856 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6856 CVE-2023-6135 (Multiple NSS NIST curves were susceptible to a side-channel attack kno ...) - - nss + - nss (bug #1059054) - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6135 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1853908 (not public) @@ -1826,9 +1826,8 @@ CVE-2023-36639 (A use of externally-controlled format string in Fortinet FortiPr CVE-2023-6710 (A flaw was found in the mod_proxy_cluster in the Apache server. This i ...) - libapache2-mod-cluster (bug #731410) CVE-2023-5379 (A flaw was found in Undertow. When an AJP request is sent that exceeds ...) - - undertow + - undertow (bug #1059055) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2242099 - TODO: check, insufficient information for Debian specific assessment CVE-2023-49921 - elasticsearch CVE-2023-6687 (An issue was discovered by Elastic whereby Elastic Agent would log a r ...) @@ -2371,7 +2370,7 @@ CVE-2023-48311 (dockerspawner is a tool to spawn JupyterHub single user servers CVE-2023-47722 (IBM API Connect V10.0.5.3 and V10.0.6.0 stores user credentials in bro ...) NOT-FOR-US: IBM CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a local attacker to cause a ...) - - gpac + - gpac (bug #1059056) [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2652 NOTE: https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49 
@@ -2379,7 +2378,7 @@ CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a local attacker to c CVE-2023-47254 (An OS Command Injection in the CLI interface on DrayTek Vigor167 versi ...) NOT-FOR-US: DrayTek Vigor167 CVE-2023-46932 (Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671 ...) - - gpac + - gpac (bug #1059056) [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2669 NOTE: https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b @@ -2694,7 +2693,7 @@ CVE-2023-49403 (Tenda W30E V16.01.0.12(4843) was discovered to contain a command CVE-2023-49402 (Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflo ...) NOT-FOR-US: Tenda CVE-2023-48958 (gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in gf_mpd_ ...) - - gpac + - gpac (bug #1059056) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2689 @@ -2710,7 +2709,7 @@ CVE-2023-47440 (Gladys Assistant v4.27.0 and prior is vulnerable to Directory Tr CVE-2023-46974 (Cross Site Scripting vulnerability in Best Courier Management System v ...) NOT-FOR-US: Best Courier Management System CVE-2023-46871 (GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a mem ...) - - gpac + - gpac (bug #1059056) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2658 
@@ -4552,25 +4551,25 @@ CVE-2023-46355 (In the module "CSV Feeds PRO" (csvfeeds) < 2.6.1 from Bl Modules CVE-2023-46349 (In the module "Product Catalog (CSV, Excel) Export/Update" (updateprod ...) NOT-FOR-US: PrestaShop module CVE-2023-42366 (A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_ ...) - - busybox + - busybox (bug #1059053) [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=15874 CVE-2023-42365 (A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via ...) - - busybox + - busybox (bug #1059052) [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=15871 CVE-2023-42364 (A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to ...) - - busybox + - busybox (bug #1059051) [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) NOTE: h
[Git][security-tracker-team/security-tracker][master] new thunderbird issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 216f765b by Moritz Muehlenhoff at 2023-12-19T21:07:14+01:00 new thunderbird issues - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,13 +1,25 @@ +CVE-2023-50762 + - thunderbird + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-50762 +CVE-2023-50761 + - thunderbird + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-50761 CVE-2023-6862 - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6862 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6862 CVE-2023-6873 - firefox + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6873 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6873 CVE-2023-6864 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6864 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6864 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6864 CVE-2023-6863 - firefox @@ -32,7 +44,9 @@ CVE-2023-6868 CVE-2023-6861 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6861 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6861 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6861 CVE-2023-6867 - firefox @@ -42,7 +56,9 @@ CVE-2023-6867 CVE-2023-6860 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6860 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6860 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6860 CVE-2023-6866 - firefox 
@@ -50,17 +66,23 @@ CVE-2023-6866 CVE-2023-6859 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6859 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6859 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6859 CVE-2023-6858 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6858 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6858 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6858 CVE-2023-6857 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6857 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6857 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6857 CVE-2023-6865 - firefox @@ -70,7 +92,9 @@ CVE-2023-6865 CVE-2023-6856 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6856 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6856 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6856 CVE-2023-6135 - nss = data/dsa-needed.txt = @@ -97,6 +97,8 @@ slurm-wlm -- squid -- +thunderbird (jmm) +-- varnish -- zbar View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/216f765b03052f605e2f9b7880869d843d1e52c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/216f765b03052f605e2f9b7880869d843d1e52c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits