[Git][security-tracker-team/security-tracker][master] bugnums

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9060e04b by Moritz Muehlenhoff at 2024-05-29T19:39:42+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20265,7 +20265,7 @@ CVE-2024-25690 (There is an HTML injection 
vulnerability in Esri Portal for ArcG
 CVE-2024-25007 (Ericsson Network Manager (ENM), versions prior to 23.1, 
contains a vul ...)
NOT-FOR-US: Ericsson Network Manager
 CVE-2024-22189 (quic-go is an implementation of the QUIC protocol in Go. Prior 
to vers ...)
-   - golang-github-lucas-clemente-quic-go 
+   - golang-github-lucas-clemente-quic-go  (bug #1072180)
[bookworm] - golang-github-lucas-clemente-quic-go  (Minor issue)
[bullseye] - golang-github-lucas-clemente-quic-go  (Minor issue)
NOTE: 
https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478
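Review bot: on every package line in this hunk there are two spaces between the package name and the parenthesised text (`golang-github-lucas-clemente-quic-go  (bug #1072180)`, `...  (Minor issue)`), which is where the tracker's angle-bracketed status token such as `<unfixed>` or `<no-dsa>` normally sits; the mail rendering has most likely stripped it as markup, so check the committed line in the repository rather than this notification if the status looks empty.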
@@ -26253,7 +26253,7 @@ CVE-2021-47157 (The Kossy module before 0.60 for Perl 
allows JSON hijacking beca
 CVE-2021-47156 (The Net::IPAddress::Util module before 5.000 for Perl does not 
properl ...)
NOT-FOR-US: Net::IPAddress::Util Perl module
 CVE-2021-47155 (The Net::IPV4Addr module 0.10 for Perl does not properly 
consider extr ...)
-   - libnetwork-ipv4addr-perl 
+   - libnetwork-ipv4addr-perl  (bug #1072178)
[bookworm] - libnetwork-ipv4addr-perl  (Minor issue)
[bullseye] - libnetwork-ipv4addr-perl  (Minor issue)
[buster] - libnetwork-ipv4addr-perl  (Minor issue, revisit 
when fix is available)
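Review bot: the buster line says `revisit when fix is available`, i.e. no upstream fix is known yet, but the CVE-2021-47155 entry carries no NOTE with an upstream report or advisory for a later reviewer to check against; add the reference, following the pattern of the quic-go entry in the previous hunk with its GHSA link.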
@@ -92257,7 +92257,7 @@ CVE-2023-27043 (The email module of Python through 
3.11.3 incorrectly parses e-m
- python2.7 
[bullseye] - python2.7  (Unsupported in Bullseye, only 
included to build a few applications)
[buster] - python2.7  (Minor issue, wait until upstream has 
decided whether to backport to older branches)
-   - pypy3 
+   - pypy3  (bug #1072179)
[bookworm] - pypy3  (Minor issue, wait until upstream has 
decided whether to backport to older branches)
[bullseye] - pypy3  (Minor issue, wait until upstream has 
decided whether to backport to older branches)
[buster] - pypy3  (Minor issue, wait until upstream has 
decided whether to backport to older branches)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9060e04b3db8dc720ac690cb137ff0030c11a7b6

-- 
This project does not include diff previews in email notifications.
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9060e04b3db8dc720ac690cb137ff0030c11a7b6
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Don't ask for bugs being filed for firmware-nonfree, similar to handling for Linux

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6c08745c by Moritz Muehlenhoff at 2024-05-29T19:33:09+02:00
Don't ask for bugs being filed for firmware-nonfree, similar to handling 
for Linux

- - - - -


1 changed file:

- data/packages/ignored-debian-bug-packages


Changes:

=
data/packages/ignored-debian-bug-packages
=
@@ -16,3 +16,4 @@ xen
 gcc-9
 gcc-10
 ffmpeg
+firmware-nonfree
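Review bot: the commit message justifies this by analogy with the handling for Linux, but `linux` is not among the visible context lines (xen, gcc-9, gcc-10, ffmpeg); confirm it is listed higher up in data/packages/ignored-debian-bug-packages so the two packages really are handled alike.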



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c08745c4e0c865b8e3da53ca9f5e811f6a795be



[Git][security-tracker-team/security-tracker][master] pymysql DSA

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0f3adb0f by Moritz Mühlenhoff at 2024-05-29T19:26:00+02:00
pymysql DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[29 May 2024] DSA-5700-1 python-pymysql - security update
+   {CVE-2024-36039}
+   [bullseye] - python-pymysql 0.9.3-2+deb11u1
+   [bookworm] - python-pymysql 1.0.2-2+deb12u1
 [24 May 2024] DSA-5699-1 redmine - security update
{CVE-2023-47258 CVE-2023-47259 CVE-2023-47260}
[bookworm] - redmine 5.0.4-5+deb12u1


=
data/dsa-needed.txt
=
@@ -61,8 +61,6 @@ python-aiohttp
 --
 python-asyncssh
 --
-python-pymysql (jmm)
---
 ring/oldstable
   might make sense to rebase to current version
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f3adb0f7f194495f17028991e4ac897e768a410



[Git][security-tracker-team/security-tracker][master] one more mbedtls issue n/a

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2c8f4b5 by Moritz Muehlenhoff at 2024-05-29T15:47:45+02:00
one more mbedtls issue n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21462,8 +21462,12 @@ CVE-2024-29434 (An issue in the system image upload 
interface of Alldata v0.4.6
 CVE-2024-29432 (Alldata v0.4.6 was discovered to contain a SQL injection 
vulnerability ...)
NOT-FOR-US: Alldata
 CVE-2024-28836 (An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When 
negotiati ...)
-   - mbedtls 
-   TODO: check, missing details
+   - mbedtls  (Vulnerable code not enabled in any build 
which supports TLS 1.3)
+   NOTE: https://github.com/Mbed-TLS/mbedtls/issues/8654
+   NOTE: 
https://github.com/Mbed-TLS/mbedtls/commit/ad736991bb5928a29fe115367c24495300c2
 (mbedtls-3.6.0)
+   NOTE: Experimental TLS 1.3 support not enabled in 2.x packages, TLS 1.3 
is enabled
+   NOTE: in Debian/experimental, but the first upload directly provides 
fixes, so mark
+   NOTE: as  altogether
 CVE-2024-28755 (An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When 
an SSL co ...)
- mbedtls 
[bookworm] - mbedtls  (Minor issue)
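Review bot: the reason `Vulnerable code not enabled in any build which supports TLS 1.3` reads as if builds that support TLS 1.3 leave the vulnerable code out, which is the opposite of what the NOTE lines say (TLS 1.3 is not enabled in the 2.x packages, and the experimental build that does enable it already ships the fix); reword along the lines of `TLS 1.3 not enabled in 2.x packages; experimental ships the fixed 3.6.0` so the status is understandable without reading the NOTEs. The same wording is used for CVE-2023-52353 in the next hunk.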
@@ -39333,10 +39337,12 @@ CVE-2023-52354 (chasquid before 1.13 allows SMTP 
smuggling because LF-terminated
[buster] - chasquid  (Minor issue, request smuggling)
NOTE: https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24
 CVE-2023-52353 (An issue was discovered in Mbed TLS through 3.5.1. In 
mbedtls_ssl_sess ...)
-   - mbedtls  (unimportant)
+   - mbedtls  (Vulnerable code not enabled in any build 
which supports TLS 1.3)
NOTE: https://github.com/Mbed-TLS/mbedtls/issues/8654
NOTE: 
https://github.com/Mbed-TLS/mbedtls/commit/ad736991bb5928a29fe115367c24495300c2
 (mbedtls-3.6.0)
-   NOTE: Experimental TLS 1.3 support not enabled in 2.x packages
+   NOTE: Experimental TLS 1.3 support not enabled in 2.x packages, TLS 1.3 
is enabled
+   NOTE: in Debian/experimental, but the first upload directly provides 
fixes, so mark
+   NOTE: as  altogether
 CVE-2023-47352 (Technicolor TC8715D devices have predictable default WPA2 
security pas ...)
NOT-FOR-US: Technicolor
 CVE-2017-20189 (In Clojure before 1.9.0, classes can be used to construct a 
serialized ...)
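Review bot: the NOTE lines added here repeat verbatim the ones added under CVE-2024-28836 in the previous hunk, and both entries cite the same issue #8654 and commit ad736991; a one-line cross-reference (for example `NOTE: Same fix as CVE-2024-28836`) would record that one upstream change resolves both CVEs and keep the two blocks from drifting apart on later edits.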



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2c8f4b5e8a18ca2370c2d5a01297c15c2084fc5



[Git][security-tracker-team/security-tracker][master] update one mbedtls entry

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
715e3da6 by Moritz Muehlenhoff at 2024-05-29T15:20:35+02:00
update one mbedtls entry

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39333,11 +39333,10 @@ CVE-2023-52354 (chasquid before 1.13 allows SMTP 
smuggling because LF-terminated
[buster] - chasquid  (Minor issue, request smuggling)
NOTE: https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24
 CVE-2023-52353 (An issue was discovered in Mbed TLS through 3.5.1. In 
mbedtls_ssl_sess ...)
-   - mbedtls 
-   [bookworm] - mbedtls  (Minor issue)
-   [bullseye] - mbedtls  (Minor issue)
-   [buster] - mbedtls  (Minor issue)
+   - mbedtls  (unimportant)
NOTE: https://github.com/Mbed-TLS/mbedtls/issues/8654
+   NOTE: 
https://github.com/Mbed-TLS/mbedtls/commit/ad736991bb5928a29fe115367c24495300c2
 (mbedtls-3.6.0)
+   NOTE: Experimental TLS 1.3 support not enabled in 2.x packages
 CVE-2023-47352 (Technicolor TC8715D devices have predictable default WPA2 
security pas ...)
NOT-FOR-US: Technicolor
 CVE-2017-20189 (In Clojure before 1.9.0, classes can be used to construct a 
serialized ...)
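Review bot: collapsing the three per-suite `Minor issue` lines into a single `unimportant` is justified only by the new NOTE (`Experimental TLS 1.3 support not enabled in 2.x packages`); that is a not-affected type of rationale rather than a severity judgement, so it belongs in the parentheses on the package line where the other mbedtls entries on this page put it (`2.x not affected`). A later commit on this page (d2c8f4b5) reworks the entry that way.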



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/715e3da6d78a90b03bb00a11848b58fa2cfbed08



[Git][security-tracker-team/security-tracker][master] designate n/a

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
657cd3bc by Moritz Muehlenhoff at 2024-05-29T15:13:31+02:00
designate n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26645,9 +26645,8 @@ CVE-2023-7003 (The AES key utilized in the pairing 
process between a lock using
 CVE-2023-6960 (TTLock App virtual keys and settings are only deleted client 
side, and ...)
NOT-FOR-US: TTLock App
 CVE-2023-6725 (An access-control flaw was found in the OpenStack Designate 
component  ...)
-   - designate 
+   - designate  (Specific to RH OpenStack Platform packaging)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2249273
-   TODO: check, details unclear
 CVE-2023-51699 (Fluid is an open source Kubernetes-native Distributed Dataset 
Orchestr ...)
NOT-FOR-US: Fluid
 CVE-2023-51525 (Cross-Site Request Forgery (CSRF) vulnerability in Veribo, 
Roland Murg ...)
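Review bot: `Specific to RH OpenStack Platform packaging` replaces the `TODO: check, details unclear` line, but the only supporting reference is still the Red Hat bugzilla; a NOTE naming what in the RHOSP packaging differs from Debian's designate package (the description calls it an access-control flaw) would make the n/a decision checkable without re-reading the bug.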



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/657cd3bcb2c09346d74b734fe025a766847e4e9e



[Git][security-tracker-team/security-tracker][master] mbedtls n/a

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
338cc281 by Moritz Muehlenhoff at 2024-05-29T14:40:18+02:00
mbedtls n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21447,8 +21447,8 @@ CVE-2024-30337 (Foxit PDF Reader AcroForm 
Use-After-Free Remote Code Execution V
 CVE-2024-30336 (Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution 
Vulnera ...)
NOT-FOR-US: Foxit PDF Reader
 CVE-2024-30166 (In Mbed TLS 3.3.0 through 3.5.2 before 3.6.0, a malicious 
client can c ...)
-   - mbedtls 
-   TODO: check, missing details
+   - mbedtls  (2.x not affected)
+   NOTE: 
https://github.com/Mbed-TLS/mbedtls/commit/a5c5c58107645c8d2ee3f2d59ef6924a66d4fb74
 (mbedtls-3.6.0)
 CVE-2024-2879 (The LayerSlider plugin for WordPress is vulnerable to SQL 
Injection vi ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-2322 (The WooCommerce Cart Abandonment Recovery WordPress plugin 
before 1.2. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/338cc2814063ed242f5400122a3d1d57d35cfbd0



[Git][security-tracker-team/security-tracker][master] mbedtls n/a

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
539a2a43 by Moritz Muehlenhoff at 2024-05-29T13:56:09+02:00
mbedtls n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39307,10 +39307,7 @@ CVE-2024-23751 (LlamaIndex (aka llama_index) through 
0.9.34 allows SQL injection
 CVE-2024-23750 (MetaGPT through 0.6.4 allows the QaEngineer role to execute 
arbitrary  ...)
NOT-FOR-US: MetaGPTLlamaIndex
 CVE-2024-23744 (An issue was discovered in Mbed TLS 3.5.1. There is persistent 
handsha ...)
-   - mbedtls 
-   [bookworm] - mbedtls  (Minor issue)
-   [bullseye] - mbedtls  (Minor issue)
-   [buster] - mbedtls  (Minor issue)
+   - mbedtls  (2.x not affected)
NOTE: https://github.com/Mbed-TLS/mbedtls/issues/8694
NOTE: https://github.com/Mbed-TLS/mbedtls/pull/8595
NOTE: Likely specific to 3.5.1: 
https://github.com/Mbed-TLS/mbedtls/issues/8694#issuecomment-1889411367
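Review bot: the package line is now definitively `2.x not affected`, but the retained NOTE still hedges with `Likely specific to 3.5.1`; the description itself says `An issue was discovered in Mbed TLS 3.5.1`, so either drop `Likely` once the linked issue comment confirms the 3.5.1-only scope, or keep the hedge and reflect it in the parentheses, not both.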



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/539a2a43b3dba9b719ca962060ec838994963d48



[Git][security-tracker-team/security-tracker][master] new 389-ds issue

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ced37bde by Moritz Muehlenhoff at 2024-05-29T12:13:16+02:00
new 389-ds issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -74,7 +74,6 @@ CVE-2024-3969 (XML External Entity injection vulnerability 
foundin OpenText\u212
 CVE-2024-3657 (A flaw was found in 389-ds-base. A specially-crafted LDAP query 
can po ...)
- 389-ds-base 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274401
-   TODO: check provided details
 CVE-2024-36472 (In GNOME Shell through 45.7, a portal helper can be launched 
automatic ...)
- gnome-shell  (bug #1072124)
NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688
@@ -157,7 +156,8 @@ CVE-2024-30164 (Amazon AWS Client VPN has a buffer overflow 
that could potential
 CVE-2024-2451 (Improper fingerprint validation in the TeamViewer Client (Full 
& Host) ...)
NOT-FOR-US: TeamViewer
 CVE-2024-2199 (A denial of service vulnerability was found in 389-ds-base ldap 
server ...)
-   TODO: check
+   - 389-ds-base 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2267976
 CVE-2024-29072 (A privilege escalation vulnerability exists in the Foxit 
Reader 2024.2 ...)
NOT-FOR-US: Foxit Reader
 CVE-2024-28061 (An issue was discovered in Apiris Kafeo 6.4.4. It permits a 
bypass, of ...)
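Review bot: the new CVE-2024-2199 entry carries the Red Hat bugzilla as its only reference, and the CVE-2024-3657 entry whose TODO is removed in the first hunk has the same shape; neither records an upstream 389-ds-base fix commit or release, so the sid fixed version cannot be filled in from the entry alone. Add the upstream reference when it is known.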



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ced37bdebd7897eb83ce960f34e6725e74124db2



[Git][security-tracker-team/security-tracker][master] new tcpdf issue

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b7cdd44a by Moritz Muehlenhoff at 2024-05-29T12:00:54+02:00
new tcpdf issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37,7 +37,8 @@ CVE-2024-23580 (HCL DRYiCE Optibot Reset Station is impacted 
byinsecure encrypti
 CVE-2024-23579 (HCL DRYiCE Optibot Reset Station is impacted by insecure 
encryption of ...)
NOT-FOR-US: HCL
 CVE-2024-22641 (TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular 
Express ...)
-   TODO: check
+   - tcpdf 
+   NOTE: https://github.com/tecnickcom/TCPDF/issues/724
 CVE-2024-21512 (Versions of the package mysql2 before 3.9.8 are vulnerable to 
Prototyp ...)
NOT-FOR-US: Node mysql2
 CVE-2024-0434 (The WordPress Tour & Travel Booking Plugin for WooCommerce 
\u2013 WpTr ...)
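Review bot: the description says `TCPDF version 6.6.5 and before`, which implies a fixed upstream release exists, but the entry records only the issue link (#724) and no fixed version or fix commit; add the upstream release or commit so the sid status can be closed and the ReDoS pattern can be checked against the packaged version.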



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7cdd44ac6f031b0b6519b31846a2216790970fe



[Git][security-tracker-team/security-tracker][master] new smarty issue

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b72340ca by Moritz Muehlenhoff at 2024-05-29T11:54:53+02:00
new smarty issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27,7 +27,11 @@ CVE-2024-35240 (Umbraco Commerce is an open source dotnet 
ecommerce solution. In
 CVE-2024-35239 (Umbraco Commerce is an open source dotnet web forms solution. 
In affec ...)
NOT-FOR-US: Umbraco Commerce
 CVE-2024-35226 (Smarty is a template engine for PHP, facilitating the 
separation of pr ...)
-   TODO: check
+   - smarty3 
+   - smarty4 
+   NOTE: 
https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
+   NOTE: 
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2
 (support/4)
+   NOTE: 
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a
 (v5.2.0)
 CVE-2024-23580 (HCL DRYiCE Optibot Reset Station is impacted byinsecure 
encryption of  ...)
NOT-FOR-US: HCL
 CVE-2024-23579 (HCL DRYiCE Optibot Reset Station is impacted by insecure 
encryption of ...)
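Review bot: both smarty3 and smarty4 are listed, but the fix references cover only the `support/4` branch (76881c8d) and `v5.2.0` (0be92bc8); the smarty3 line has no corresponding 3.x fix reference, so either add a NOTE that 3.x is unfixed upstream or record the backport commit, otherwise the smarty3 status cannot be resolved from the entry.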



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b72340cacd19b0248d1d16f75dbc8a5958fb0b5c



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e30d0302 by Moritz Muehlenhoff at 2024-05-29T11:29:48+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,11 +15,11 @@ CVE-2024-3937 (The Playlist for Youtube WordPress plugin 
through 1.32 does not s
 CVE-2024-3921 (The Gianism WordPress plugin through 5.1.0 does not sanitise 
and escap ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3050 (The Site Reviews WordPress plugin before 7.0.0 retrieves client 
IP add ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-36112 (Nautobot is a Network Source of Truth and Network Automation 
Platform. ...)
-   TODO: check
+   NOT-FOR-US: Nautobot
 CVE-2024-35548 (A SQL injection vulnerability in Mybatis plus versions below 
3.5.6 all ...)
-   TODO: check
+   NOT-FOR-US: Mybatis
 CVE-2024-35511 (phpgurukul Men Salon Management System v2.0 is vulnerable to 
SQL Injec ...)
NOT-FOR-US: phpgurukul Men Salon Management System
 CVE-2024-35240 (Umbraco Commerce is an open source dotnet ecommerce solution. 
In affec ...)
@@ -29,17 +29,17 @@ CVE-2024-35239 (Umbraco Commerce is an open source dotnet 
web forms solution. In
 CVE-2024-35226 (Smarty is a template engine for PHP, facilitating the 
separation of pr ...)
TODO: check
 CVE-2024-23580 (HCL DRYiCE Optibot Reset Station is impacted byinsecure 
encryption of  ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2024-23579 (HCL DRYiCE Optibot Reset Station is impacted by insecure 
encryption of ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2024-22641 (TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular 
Express ...)
TODO: check
 CVE-2024-21512 (Versions of the package mysql2 before 3.9.8 are vulnerable to 
Prototyp ...)
-   TODO: check
+   NOT-FOR-US: Node mysql2
 CVE-2024-0434 (The WordPress Tour & Travel Booking Plugin for WooCommerce 
\u2013 WpTr ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6743 (The Unlimited Elements For Elementor (Free Widgets, Addons, 
Templates) ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-36015 (In the Linux kernel, the following vulnerability has been 
resolved:  p ...)
- linux 
NOTE: 
https://git.kernel.org/linus/fbf740aeb86a4fe82ad158d26d711f2f3be79b3e (6.10-rc1)
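Review bot: CVE-2024-35226 (Smarty) and CVE-2024-22641 (TCPDF) are left at `TODO: check` in this hunk while the surrounding entries are resolved; both are triaged in separate commits on this page (b72340ca and b7cdd44a), so nothing is outstanding, but a single commit per triage pass would have made that easier to see.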
@@ -74,13 +74,13 @@ CVE-2024-36472 (In GNOME Shell through 45.7, a portal 
helper can be launched aut
- gnome-shell  (bug #1072124)
NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688
 CVE-2024-36110 (ansibleguy-webui is an open source WebUI for using Ansible. 
Multiple f ...)
-   TODO: check
+   NOT-FOR-US: ansibleguy-webui
 CVE-2024-36109 (CoCalc is web-based software that enables collaboration in 
research, t ...)
-   TODO: check
+   NOT-FOR-US: CoCalc
 CVE-2024-36107 (MinIO is a High Performance Object Storage released under GNU 
Affero G ...)
- minio  (bug #859207)
 CVE-2024-35621 (A cross-site scripting (XSS) vulnerability in the Edit 
function of For ...)
-   TODO: check
+   NOT-FOR-US: Formwork
 CVE-2024-35583 (A cross-site scripting (XSS) vulnerability in Sourcecodester 
Laborator ...)
NOT-FOR-US: Sourcecodester Laboratory Management System
 CVE-2024-35582 (A cross-site scripting (XSS) vulnerability in Sourcecodester 
Laborator ...)
@@ -88,7 +88,7 @@ CVE-2024-35582 (A cross-site scripting (XSS) vulnerability in 
Sourcecodester Lab
 CVE-2024-35581 (A cross-site scripting (XSS) vulnerability in Sourcecodester 
Laborator ...)
NOT-FOR-US: Sourcecodester Laboratory Management System
 CVE-2024-35563 (CDG-Server-V5.6.2.126.139 and earlier was discovered to 
contain a SQL  ...)
-   TODO: check
+   NOT-FOR-US: CDG-Server
 CVE-2024-35510 (An arbitrary file upload vulnerability in 
/dede/file_manage_control.ph ...)
NOT-FOR-US: DedeCMS
 CVE-2024-35403 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a sta ...)
@@ -144,13 +144,13 @@ CVE-2024-33450 (SQL Injection in Finereport v.8.0 allows 
a remote attacker to ob
 CVE-2024-33402 (A SQL injection vulnerability in /model/approve_petty_cash.php 
in camp ...)
NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-30212 (If a SCSI READ(10) command is initiated via USB using the 
largest LBA  ...)
-   TODO: check
+   NOT-FOR-US: Microchip MPLAB
 CVE-2024-30165 (Amazon AWS Client VPN before 3.9.1 on macOS has a buffer 
overflow that ...)
NOT-FOR-US: Amazon AWS Client VPN
 CVE-2024-30164 (Amazon AWS Client VPN has a buffer overflow that could 
potentially all ...)
NOT-FOR-US: Amazon AWS Client VPN
 CVE-2024-2451 (Improper fingerprint validation in the TeamViewer Client (Full 
& Host) ...)
-   TODO: check
+   NOT-FOR-US: TeamViewer
 CVE-2024-2199 (A denial of 
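Review bot: CVE-2024-30212 is marked `NOT-FOR-US: Microchip MPLAB`, but the visible description (`If a SCSI READ(10) command is initiated via USB using the largest LBA ...`) names no vendor or product, so the attribution cannot be checked from the entry itself; a NOTE with the advisory that ties this to Microchip MPLAB would make the NFU verifiable.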

[Git][security-tracker-team/security-tracker][master] node-micromatch fixed in sid

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cbc42a5c by Moritz Muehlenhoff at 2024-05-29T10:58:43+02:00
node-micromatch fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7307,7 +7307,7 @@ CVE-2024-4068 (The NPM package `braces`, versions prior 
to 3.0.3, fails to limit
[buster] - node-braces  (Minor issue)
NOTE: https://github.com/micromatch/braces/issues/35
 CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular 
Expression Denia ...)
-   - node-micromatch  (bug #1071631)
+   - node-micromatch 4.0.7+~4.0.7-1 (bug #1071631)
[bookworm] - node-micromatch  (Minor issue)
[bullseye] - node-micromatch  (Minor issue)
[buster] - node-micromatch  (Minor issue)
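Review bot: the micromatch entry gets a fixed sid version (4.0.7+~4.0.7-1) but, unlike the adjacent braces entry with its `NOTE: https://github.com/micromatch/braces/issues/35`, no upstream reference; add the micromatch fix reference so the three `Minor issue` decisions for bookworm, bullseye and buster can be revisited against it.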



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbc42a5c9a34333e321309173e29dda0e22f2c37



[Git][security-tracker-team/security-tracker][master] cleanup rejects, OpenAnolis Linux issues will be reassigned by the kernel CNA

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f0480754 by Moritz Muehlenhoff at 2024-05-29T10:21:49+02:00
cleanup rejects, OpenAnolis Linux issues will be reassigned by the kernel CNA

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7155,7 +7155,6 @@ CVE-2024-4840 (An flaw was found in the OpenStack 
Platform (RHOSP) director, a t
NOT-FOR-US: Red Hat OpenStack Platform
 CVE-2024-4810
REJECTED
-   TODO: check
 CVE-2024-4712 (An arbitrary file creation vulnerability exists in PaperCut 
NG/MF that ...)
NOT-FOR-US: PaperCut NG/MF
 CVE-2024-4445 (The WP Compress \u2013 Image Optimizer [All-In-One] plugin for 
WordPre ...)
@@ -17361,18 +17360,8 @@ CVE-2024-3651 [potential DoS via resource consumption 
via specially crafted inpu
NOTE: Fixed by: 
https://github.com/kjd/idna/commit/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7 
(v3.7)
 CVE-2024-24863
REJECTED
-   - linux 
-   NOTE: 
https://git.kernel.org/linus/a1f95aede6285dba6dd036d907196f35ae3a11ea (6.10-rc1)
-   NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8750
 CVE-2024-24862
REJECTED
-   - linux 6.8.9-1
-   [bookworm] - linux  (Vulnerable code not present)
-   [bullseye] - linux  (Vulnerable code not present)
-   [buster] - linux  (Vulnerable code not present)
-   NOTE: 
https://git.kernel.org/linus/1f886a7bfb3faf4c1021e73f045538008ce7634e (6.9-rc3)
-   NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8748
-   NOTE: Duplicate of CVE-2024-35883.
 CVE-2024-3740 (A vulnerability, which was classified as critical, has been 
found in c ...)
NOT-FOR-US: cym1102 nginxWebUI
 CVE-2024-3739 (A vulnerability classified as critical was found in cym1102 
nginxWebUI ...)
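Review bot: removing the tracking data under the two REJECTED IDs also drops the `NOTE: Duplicate of CVE-2024-35883.` cross-reference and the kernel commit references (a1f95aed... and 1f886a7b...); since the commit message expects the kernel CNA to reassign these, confirm that the CVE-2024-35883 entry already carries commit 1f886a7bfb3faf4c1021e73f045538008ce7634e, otherwise that fix reference is lost with this cleanup.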
@@ -156257,7 +156246,6 @@ CVE-2022-1971 (The NextCellent Gallery WordPress 
plugin through 1.9.35 does not
NOT-FOR-US: WordPress plugin
 CVE-2022-1970
REJECTED
-   NOT-FOR-US: Keycloak
 CVE-2022-1969 (The Mobile browser color select plugin for WordPress is 
vulnerable to  ...)
NOT-FOR-US: Mobile browser color select plugin for WordPress
 CVE-2022-1968 (Use After Free in GitHub repository vim/vim prior to 8.2.)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f048075425b407102fd967de378d4ea6078f29aa



[Git][security-tracker-team/security-tracker][master] node-ip fixed in sid

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fd734718 by Moritz Muehlenhoff at 2024-05-29T10:19:41+02:00
node-ip fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -328,7 +328,7 @@ CVE-2024-34477 (configureNFS in lib/common/functions.sh in 
FOG through 1.5.10 al
 CVE-2024-32978 (Kaminari is a paginator for web app frameworks and object 
relational m ...)
- ruby-kaminari  (Doesn't affect Kaminari as shipped by 
Debian)
 CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF 
because some ...)
-   - node-ip  (bug #1072121)
+   - node-ip 2.0.1+~1.1.3-2 (bug #1072121)
[bookworm] - node-ip  (Minor issue)
[bullseye] - node-ip  (Minor issue)
NOTE: https://github.com/indutny/node-ip/issues/150
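Review bot: the fixed version `2.0.1+~1.1.3-2` is a Debian revision bump on the same upstream 2.0.1 that the description says is affected (`through 2.0.1`), so the fix must be a packaging patch; the only reference in the entry is upstream issue #150, which does not identify a fix, so add a NOTE pointing at the upstream commit the patch was taken from.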



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd73471890d3495de380f0567ab5f16d9e709d12



[Git][security-tracker-team/security-tracker][master] update one opennds entry

2024-05-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
41e9fae3 by Moritz Muehlenhoff at 2024-05-29T10:18:14+02:00
update one opennds entry

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -51324,8 +51324,10 @@ CVE-2023-38322 (An issue was discovered in OpenNDS 
Captive Portal before version
NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: 
https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9
 (v10.1.2)
 CVE-2023-38321 (OpenNDS, as used in Sierra Wireless ALEOS before 4.17.0.12 and 
other p ...)
-   - opennds 
+   - opennds 10.2.0+dfsg-1 (bug #1059451)
+   NOTE: 
https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9
 (v10.1.2)
NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
+   NOTE: While not specifically listed in the commit message, this appears 
to be the same fix as for CVE-2023-38320/CVE-2023-38322
 CVE-2023-38320 (An issue was discovered in OpenNDS Captive Portal before 
version 10.1. ...)
- opennds 10.2.0+dfsg-1 (bug #1059451)
NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
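Review bot: the added `+   NOTE: While not specifically listed in the commit message, this appears to be the same fix as for CVE-2023-38320/CVE-2023-38322` line is hedged, yet the `+   - opennds 10.2.0+dfsg-1 (bug #1059451)` line above it records a definite fixed version that rests on exactly that assumption; either confirm the mapping against the Sierra Wireless bulletin already linked and make the NOTE definitive, or add a TODO so the fixed-version claim for CVE-2023-38321 is revisited if upstream publishes a separate fix.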



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e9fae3d0ff2cd1cc50995cb934f802e4597bf3



[Git][security-tracker-team/security-tracker][master] opennds bug reference

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
49766927 by Moritz Muehlenhoff at 2024-05-29T00:07:23+02:00
opennds bug reference
bogus ruby-json-jwt issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31882,6 +31882,7 @@ CVE-2024-25767 (nanomq 0.21.2 contains a Use-After-Free 
vulnerability in /nanomq
 CVE-2024-25763 (openNDS 10.2.0 is vulnerable to Use-After-Free via 
/openNDS/src/auth.c ...)
- opennds 
NOTE: 
https://github.com/LuMingYinDetect/openNDS_defects/blob/main/openNDS_detect_1.md
+   NOTE: https://github.com/openNDS/openNDS/issues/600
 CVE-2024-25760
REJECTED
 CVE-2024-25410 (flusity-CMS 2.33 is vulnerable to Unrestricted Upload of File 
with Dan ...)
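Review bot: CVE-2024-25763 keeps an unversioned `- opennds` line and its two NOTEs only link the reporter's write-up and the new upstream issue `https://github.com/openNDS/openNDS/issues/600`; once upstream responds on that issue, record whether the report was accepted (fix commit) or disputed, as the second hunk of this commit does for ruby-json-jwt, so the entry does not stay open-ended.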
@@ -44170,10 +44171,7 @@ CVE-2023-51775 (The jose4j component before 0.9.4 for 
Java allows attackers to c
NOTE: https://bitbucket.org/b_c/jose4j/issues/212
NOTE: https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b3
 CVE-2023-51774 (The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes 
allows bypa ...)
-   - ruby-json-jwt 
-   [bookworm] - ruby-json-jwt  (Revisit when addressed upstream)
-   [bullseye] - ruby-json-jwt  (Revisit when addressed upstream)
-   [buster] - ruby-json-jwt  (Revisit when addressed upstream)
+   NOTE: Disputed ruby-json-jwt issue
NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md
NOTE: https://github.com/nov/json-jwt/issues/113
 CVE-2023-51773 (BACnet Stack before 1.3.2 has a decode function APDU buffer 
over-read  ...)
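Review bot: the replacement `+   NOTE: Disputed ruby-json-jwt issue` drops the package line and the three `(Revisit when addressed upstream)` suite lines without stating why the issue is disputed, while the commit message calls it "bogus"; put the reason in the NOTE (the linked `https://github.com/nov/json-jwt/issues/113` is where a reader would look, so a one-line summary of upstream's position is enough) so that a later triager does not re-add the package entries.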



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/497669270382242f18ed58dc0d447d2834e3ecf5



[Git][security-tracker-team/security-tracker][master] bugnums

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
00508eba by Moritz Muehlenhoff at 2024-05-28T23:40:20+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23,7 +23,7 @@ CVE-2024-3657 (A flaw was found in 389-ds-base. A 
specially-crafted LDAP query c
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274401
TODO: check provided details
 CVE-2024-36472 (In GNOME Shell through 45.7, a portal helper can be launched 
automatic ...)
-   - gnome-shell 
+   - gnome-shell  (bug #1072124)
NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688
 CVE-2024-36110 (ansibleguy-webui is an open source WebUI for using Ansible. 
Multiple f ...)
TODO: check
@@ -19552,7 +19552,7 @@ CVE-2024-3431 (A vulnerability was found in EyouCMS 
1.6.5. It has been declared
 CVE-2024-3430 (A vulnerability was found in QKSMS up to 3.9.4 on Android. It 
has been ...)
NOT-FOR-US: QKSMS
 CVE-2024-31951 (In the Opaque LSA Extended Link parser in FRRouting (FRR) 
through 9.1, ...)
-   - frr 
+   - frr  (bug #1070377)
[bullseye] - frr  (Vulnerable code not present)
[buster] - frr  (Vulnerable code not present)
NOTE: https://github.com/FRRouting/frr/pull/15674/
@@ -19562,7 +19562,7 @@ CVE-2024-31951 (In the Opaque LSA Extended Link parser 
in FRRouting (FRR) throug
NOTE: 
https://github.com/FRRouting/frr/commit/e08495a4a8ad4d2050691d9e5e13662d2635b2e0
NOTE: vulnerable feature introduced in 
https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5
 (first shipped with 8.0)
 CVE-2024-31950 (In FRRouting (FRR) through 9.1, there can be a buffer overflow 
and dae ...)
-   - frr 
+   - frr  (bug #1070377)
[bullseye] - frr  (Vulnerable code not present)
[buster] - frr  (Vulnerable code not present)
NOTE: https://github.com/FRRouting/frr/pull/15674/
@@ -19573,13 +19573,12 @@ CVE-2024-31950 (In FRRouting (FRR) through 9.1, there 
can be a buffer overflow a
NOTE: vulnerable feature introduced in 
https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5
 (first shipped with 8.0)
 CVE-2024-31949 (In FRRouting (FRR) through 9.1, an infinite loop can occur 
when receiv ...)
{DLA-3797-1}
-   - frr 
+   - frr  (bug #1072125)
NOTE: https://github.com/FRRouting/frr/pull/15640
-   NOTE: 
https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b
NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b
 CVE-2024-31948 (In FRRouting (FRR) through 9.1, an attacker using a malformed 
Prefix S ...)
{DLA-3797-1}
-   - frr 
+   - frr  (bug #1072126)
NOTE: https://github.com/FRRouting/frr/pull/15628
NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138
NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07
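Review bot: the removed `-   NOTE: https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b` line under CVE-2024-31949 was a verbatim duplicate of the `NOTE: Fixed by:` line for the same commit that follows it, so dropping it is correct; the new bug references `#1072125` and `#1072126` for CVE-2024-31949 and CVE-2024-31948 differ from the `#1070377` shared by CVE-2024-31951 and CVE-2024-31950 in the earlier hunks, which matches the separate upstream PRs (15640 and 15628 versus 15674), but a short NOTE saying so would spare the next reader the cross-check.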
@@ -43959,7 +43958,7 @@ CVE-2023-51079 (A long execution time can occur in the 
ParseTools.subCompileExpr
 CVE-2023-51075 (hutool-core v5.8.23 was discovered to contain an infinite loop 
in the  ...)
NOT-FOR-US: Hutool
 CVE-2023-51074 (json-path v2.8.0 was discovered to contain a stack overflow 
via the Cr ...)
-   - jayway-jsonpath 
+   - jayway-jsonpath  (bug #1072123)
[bookworm] - jayway-jsonpath  (Minor issue)
[bullseye] - jayway-jsonpath  (Minor issue)
[buster] - jayway-jsonpath  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00508eba7d5c3741fecf3ed8077b4bf9c86d8293



[Git][security-tracker-team/security-tracker][master] more frr references

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
85df8eee by Moritz Muehlenhoff at 2024-05-28T23:29:53+02:00
more frr references

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19556,19 +19556,26 @@ CVE-2024-31951 (In the Opaque LSA Extended Link 
parser in FRRouting (FRR) throug
[bullseye] - frr  (Vulnerable code not present)
[buster] - frr  (Vulnerable code not present)
NOTE: https://github.com/FRRouting/frr/pull/15674/
-   NOTE: Proposed fix: 
https://github.com/FRRouting/frr/pull/15674/commits/344fb4be2bc27316c74b17003c05ea40be395836
+   NOTE: 
https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4
+   NOTE: 
https://github.com/FRRouting/frr/commit/5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a
+   NOTE: 
https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca
+   NOTE: 
https://github.com/FRRouting/frr/commit/e08495a4a8ad4d2050691d9e5e13662d2635b2e0
NOTE: vulnerable feature introduced in 
https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5
 (first shipped with 8.0)
 CVE-2024-31950 (In FRRouting (FRR) through 9.1, there can be a buffer overflow 
and dae ...)
- frr 
[bullseye] - frr  (Vulnerable code not present)
[buster] - frr  (Vulnerable code not present)
NOTE: https://github.com/FRRouting/frr/pull/15674/
-   NOTE: Proposed fix: 
https://github.com/FRRouting/frr/pull/15674/commits/6b84541df71772f697a7f9e6b2aaf72536aab775
+   NOTE: 
https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4
+   NOTE: 
https://github.com/FRRouting/frr/commit/5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a
+   NOTE: 
https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca
+   NOTE: 
https://github.com/FRRouting/frr/commit/e08495a4a8ad4d2050691d9e5e13662d2635b2e0
NOTE: vulnerable feature introduced in 
https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5
 (first shipped with 8.0)
 CVE-2024-31949 (In FRRouting (FRR) through 9.1, an infinite loop can occur 
when receiv ...)
{DLA-3797-1}
- frr 
NOTE: https://github.com/FRRouting/frr/pull/15640
+   NOTE: 
https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b
NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b
 CVE-2024-31948 (In FRRouting (FRR) through 9.1, an attacker using a malformed 
Prefix S ...)
{DLA-3797-1}
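Review bot: the `+   NOTE: https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b` line added under CVE-2024-31949 duplicates the `NOTE: Fixed by:` line for the same commit directly below it and should be dropped; the four commit references that replace the `Proposed fix:` lines under CVE-2024-31951 and CVE-2024-31950 are identical for both CVEs and carry neither a `Fixed by:` label nor a release tag, unlike the `(first shipped with 8.0)` annotation on the introducing commit, so label them and note the first FRR release that contains them.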



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85df8eee2a8790eeb2bf2d5fc99f28f4667f81c2



[Git][security-tracker-team/security-tracker][master] add frr commit references

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b070504b by Moritz Muehlenhoff at 2024-05-28T23:27:06+02:00
add frr commit references

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12672,7 +12672,10 @@ CVE-2024-34088 (In FRRouting (FRR) through 9.1, it is 
possible for the get_edge(
[bullseye] - frr  (Vulnerable code introduced later)
[buster] - frr  (Vulnerable code introduced later)
NOTE: https://github.com/FRRouting/frr/pull/15674
-   NOTE: Proposed fix: 
https://github.com/FRRouting/frr/commit/34d704fb0ea60dc5063af477a2c11d4884984d4f
+   NOTE: 
https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4
+   NOTE: 
https://github.com/FRRouting/frr/commit/5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a
+   NOTE: 
https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca
+   NOTE: 
https://github.com/FRRouting/frr/commit/e08495a4a8ad4d2050691d9e5e13662d2635b2e0
NOTE: Introduced by: 
https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5
 (base_8.0)
 CVE-2024-33832 (OneNav v0.9.35-20240318 was discovered to contain a 
Server-Side Reques ...)
NOT-FOR-US: OneNav
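Review bot: the four commit hashes added under CVE-2024-34088 (f69d1313, 5557a289, 8c177d69, e08495a4) are the same four recorded for CVE-2024-31951 and CVE-2024-31950 elsewhere in this series, i.e. the merged form of the PR that the existing `NOTE: https://github.com/FRRouting/frr/pull/15674` line already points to; since one PR covers three CVEs, a NOTE stating which commit addresses which CVE (or that all four are required) would let the bullseye/buster "Vulnerable code introduced later" lines be verified per commit, and the removed `Proposed fix:` label should become `Fixed by:` rather than disappear.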



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b070504bbb5e4235cfc12cbb8fa4085479397b0b



[Git][security-tracker-team/security-tracker][master] add commit reference for jsonpath

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0286b160 by Moritz Muehlenhoff at 2024-05-28T22:48:51+02:00
add commit reference for jsonpath
bugnum

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -280,7 +280,7 @@ CVE-2024-34477 (configureNFS in lib/common/functions.sh in 
FOG through 1.5.10 al
 CVE-2024-32978 (Kaminari is a paginator for web app frameworks and object 
relational m ...)
- ruby-kaminari  (Doesn't affect Kaminari as shipped by 
Debian)
 CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF 
because some ...)
-   - node-ip 
+   - node-ip  (bug #1072121)
[bookworm] - node-ip  (Minor issue)
[bullseye] - node-ip  (Minor issue)
NOTE: https://github.com/indutny/node-ip/issues/150
@@ -43958,6 +43958,8 @@ CVE-2023-51074 (json-path v2.8.0 was discovered to 
contain a stack overflow via
[bullseye] - jayway-jsonpath  (Minor issue)
[buster] - jayway-jsonpath  (Minor issue)
NOTE: https://github.com/json-path/JsonPath/issues/973
+   NOTE: 
https://github.com/json-path/JsonPath/commit/71a09c1193726c010917f1157ecbb069ad6c3e3b
 (json-path-2.9.0)
+   NOTE: https://github.com/json-path/JsonPath/pull/985
 CVE-2023-51010 (An issue in the export component AdSdkH5Activity of 
com.sdjictec.qdmet ...)
NOT-FOR-US: com.sdjictec.qdmetro
 CVE-2023-51006 (An issue in the openFile method of Chinese Perpetual Calendar 
v9.0.0 a ...)
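Review bot: the added `+   NOTE: https://github.com/json-path/JsonPath/commit/71a09c1193726c010917f1157ecbb069ad6c3e3b (json-path-2.9.0)` line identifies the fixing upstream release, but it lacks the `Fixed by:` prefix used elsewhere and the `pull/985` line below it is unlabelled; since 2.9.0 is now known to contain the fix, the `jayway-jsonpath` package line (which in this series carries only `(bug #1072123)` and no fixed version) should be updated as soon as that release or a backport of the commit lands.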



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0286b160e6e152f88e6281777de5f1197f75e537



[Git][security-tracker-team/security-tracker][master] bugnums

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f38ac6d0 by Moritz Muehlenhoff at 2024-05-28T22:45:23+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -300,7 +300,6 @@ CVE-2023-6349 (A heap overflow vulnerability exists in 
libvpx -Encoding a frame
NOTE: Same upstream commit as CVE-2023-44488
 CVE-2023-50977
REJECTED
-   NOTE: Disputed GNOME Shell issue
 CVE-2022-4969 (A vulnerability, which was classified as critical, has been 
found in b ...)
NOT-FOR-US: rockhopper Python library (different from src:rockhopper)
 CVE-2024-5403 (ASKEY 5G NR Small Cell fails to properly filter user input for 
certain ...)
@@ -536,7 +535,7 @@ CVE-2024-33470 (An issue in the SMTP Email Settings of 
AVTECH Room Alert 4E v4.4
 CVE-2024-33427
REJECTED
 CVE-2024-31510 (An issue in Open Quantum Safe liboqs v.10.0 allows a remote 
attacker t ...)
-   - liboqs 
+   - liboqs  (bug #1072118)
NOTE: https://github.com/liang-junkai/Fault-injection-of-ML-DSA
 CVE-2024-22588 (Kwik commit 745fd4e2 does not discard unused encryption keys.)
NOT-FOR-US: Kwik
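Review bot: the only reference on the `+   - liboqs  (bug #1072118)` entry for CVE-2024-31510 is the reporter's fault-injection repository `https://github.com/liang-junkai/Fault-injection-of-ML-DSA`; a fault-injection result against a signature implementation is not necessarily a bug upstream will fix in software, so add a NOTE recording upstream's position (issue or advisory) and a severity assessment before any bookworm/bullseye triage lines are added for this entry.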
@@ -4650,11 +4649,10 @@ CVE-2024-3745 (MSI Afterburner v4.6.6.16381 Beta 3 is 
vulnerable to an ACL Bypas
NOT-FOR-US: MSI Afterburner
 CVE-2024-3658
REJECTED
-   NOT-FOR-US: WordPress plugin
 CVE-2024-36043 (question_image.ts in SurveyJS Form Library before 1.10.4 
allows conten ...)
NOT-FOR-US: SurveyJS Form Library
 CVE-2024-34083 (aiosmptd is  a reimplementation of the Python stdlib smtpd.py 
based on ...)
-   - python-aiosmtpd 
+   - python-aiosmtpd  (bug #1072119)
[bookworm] - python-aiosmtpd  (Minor issue)
[bullseye] - python-aiosmtpd  (Minor issue)
NOTE: 
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
@@ -5452,7 +5450,7 @@ CVE-2024-22145 (Improper Privilege Management 
vulnerability in InstaWP Team Inst
 CVE-2024-22139 (Authentication Bypass by Spoofing vulnerability in Filipe 
Seabra WordP ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-22120 (Zabbix server can perform command execution for configured 
scripts. Af ...)
-   - zabbix 
+   - zabbix  (bug #1072120)
NOTE: https://support.zabbix.com/browse/ZBX-24505
 CVE-2024-21746 (Authentication Bypass by Spoofing vulnerability in Wpmet Wp 
Ultimate R ...)
NOT-FOR-US: WordPress plugin



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f38ac6d0236380de377bbc03963ad6707c3ed5f4



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
18fcb4c0 by Moritz Muehlenhoff at 2024-05-28T21:08:38+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -20348,6 +20348,8 @@ CVE-2023-45288 (An attacker may cause an HTTP/2 
endpoint to read arbitrary amoun
- golang-1.11 
[buster] - golang-1.11  (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
- golang-golang-x-net 1:0.23.0+dfsg-1
+   [bookworm] - golang-golang-x-net  (Minor issue)
+   [bullseye] - golang-golang-x-net  (Minor issue)
NOTE: https://github.com/golang/go/issues/65051
NOTE: 
https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b 
(go1.22.2)
NOTE: 
https://github.com/golang/go/commit/ae5913347d15cf7d1f218916c22717e5739a9ea3 
(go1.21.9)
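Review bot: the two new `[bookworm]`/`[bullseye] - golang-golang-x-net  (Minor issue)` lines give no rationale, whereas the neighbouring `[buster] - golang-1.11  (Limited support, minor issue, follow bullseye DSAs/point-releases)` line does; for CVE-2023-45288 (an HTTP/2 endpoint reading an unbounded amount of data, per the description) state why it is minor for these suites, and bear in mind that golang-golang-x-net is a Go library compiled into its reverse dependencies, so the `1:0.23.0+dfsg-1` fix only reaches users once those packages are rebuilt.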
@@ -24842,6 +24844,8 @@ CVE-2023-51444 (GeoServer is an open source software 
server written in Java that
NOT-FOR-US: GeoServer
 CVE-2023-50967 (latchset jose through version 11 allows attackers to cause a 
denial of ...)
- jose 13-1 (bug #1067457)
+   [bookworm] - jose  (Minor issue)
+   [bullseye] - jose  (Minor issue)
[buster] - jose  (DoS via a large p2c value but still 
appears minor; similar to CVE-2023-50966)
NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md
NOTE: https://github.com/latchset/jose/issues/151
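Review bot: the `[buster] - jose  (DoS via a large p2c value but still appears minor; similar to CVE-2023-50966)` line already states a rationale, while the two new bookworm/bullseye lines only say `(Minor issue)`; reuse that rationale on the new lines so all three suites are triaged on the same reasoning.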


=
data/dsa-needed.txt
=
@@ -73,7 +73,7 @@ ruby2.7/oldstable
 --
 ruby-nokogiri/oldstable
 --
-ruby-rails-html-sanitizer
+ruby-rails-html-sanitizer/oldstable
 --
 ruby-sinatra/oldstable
   Maintainer posted packaging repository link with proposed changes for review
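Review bot: changing `ruby-rails-html-sanitizer` to `ruby-rails-html-sanitizer/oldstable` narrows the item to bullseye; the unsuffixed form in dsa-needed.txt refers to stable, so if bookworm also needs an update this edit silently drops it, and a separate stable entry should be added, or the commit should say that bookworm was checked and does not need one.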



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18fcb4c06929cb67031002942443b6738ddcc3be



[Git][security-tracker-team/security-tracker][master] new openssl issue

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bd8541c1 by Moritz Muehlenhoff at 2024-05-28T18:13:31+02:00
new openssl issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,11 @@
+CVE-2024-4741 [Use After Free with SSL_free_buffers]
+   - openssl 
+   [bookworm] - openssl  (Minor issue, fix along with next 
update round)
+   [bullseye] - openssl  (Minor issue, fix along with next 
update round)
+   NOTE: https://www.openssl.org/news/secadv/20240528.txt
+   NOTE: 
https://github.com/openssl/openssl/commit/c1bd38a003fa19fd0d8ade85e1bbc20d8ae59dab
 (master)
+   NOTE: 
https://github.com/openssl/openssl/commit/d095674320c84b8ed1250715b1dd5ce05f9f267b
 (openssl-3.2)
+   NOTE: 
https://github.com/openssl/openssl/commit/d095674320c84b8ed1250715b1dd5ce05f9f267b
 (openssl-3.0)
 CVE-2024-36428 (OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL 
injection.)
NOT-FOR-US: OrangeHRM
 CVE-2024-36426 (In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the 
session  ...)
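Review bot: the `(openssl-3.2)` and `(openssl-3.0)` NOTE lines both cite the same commit `d095674320c84b8ed1250715b1dd5ce05f9f267b`, which looks like a copy-paste slip since each release branch receives its own backport commit (the `(master)` line correctly differs, `c1bd38a003fa19fd0d8ade85e1bbc20d8ae59dab`); verify the 3.0 branch hash against the linked advisory `https://www.openssl.org/news/secadv/20240528.txt`, and note that the bracketed `[Use After Free with SSL_free_buffers]` title marks the entry as awaiting the official CVE description.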



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd8541c1793743d9a8103d22672417b6be8ea707



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a39303b3 by Moritz Muehlenhoff at 2024-05-28T17:57:45+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -14052,23 +14052,31 @@ CVE-2024-32679 (Missing Authorization vulnerability 
in Shared Files PRO Shared F
 CVE-2024-32661 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
- freerdp3 3.5.1+dfsg1-1 (bug #1069752)
- freerdp2 
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p5m5-342g-pv9m
NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/71e463e31b4d69f4022d36bfc814592f56600793
 (3.5.1)
NOTE: Introduced by: 
https://github.com/FreeRDP/FreeRDP/commit/1b2b1c4ac14ac43f4e475488763d8659bd934eb6
 (2.0.0-beta1+android10)
 CVE-2024-32660 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. Prior ...)
- freerdp3 3.5.1+dfsg1-1 (bug #1069752)
- freerdp2 
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxv6-2cw6-m3mx
NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/5e5d27cf310e4c10b854be7667bfb7a5d774eb47
 (3.5.1)
 CVE-2024-32659 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
- freerdp3 3.5.1+dfsg1-1 (bug #1069752)
- freerdp2 
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jgr-7r33-x87w
NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/6430945ce003a5e24d454d8566f54aae1b6b617b
 (3.5.1)
NOTE: Introduced by: 
https://github.com/FreeRDP/FreeRDP/commit/c697941de2b7062821e004411ec18ea71e50a30d
 (1.2.0-beta1+android7)
 CVE-2024-32658 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
- freerdp3 3.5.1+dfsg1-1 (bug #1069752)
- freerdp2 
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vpv3-m3m9-4c2v
NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/1a755d898ddc028cc818d0dd9d49d5acff4c44bf
 (3.5.1)
 CVE-2024-32482 (The Tillitis TKey signer device application is an ed25519 
signing tool ...)
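Review bot: the new `[bookworm]`/`[bullseye] - freerdp2  (Minor issue)` lines presume freerdp2 is affected, but only CVE-2024-32661 and CVE-2024-32659 carry an `Introduced by:` note placing the vulnerable code in the 2.x line (`2.0.0-beta1+android10` and `1.2.0-beta1+android7`), while CVE-2024-32660 and CVE-2024-32658 reference 3.5.1 fixes only; for those two, confirm that the vulnerable code exists in freerdp2 at all, because if it does not the correct marker is the tracker's not-affected state with a reason rather than "Minor issue".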
@@ -14290,36 +14298,48 @@ CVE-2015-10132 (A vulnerability classified as 
problematic was found in Thimo Gra
 CVE-2024-32041 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
- freerdp3  (Fixed with initial upload to Debian unstable)
- freerdp2  (bug #1069728)
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5r4p-mfx2-m44r
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/d88ad1acd142769650a6159906ac90f46a766265
 (2.11.6)
 CVE-2024-32039 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
- freerdp3  (Fixed with initial upload to Debian unstable)
- freerdp2  (bug #1069728)
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5h8-7j42-j4r9
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/d88ad1acd142769650a6159906ac90f46a766265
 (2.11.6)
 CVE-2024-32040 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
- freerdp3  (Fixed with initial upload to Debian unstable)
- freerdp2  (bug #1069728)
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-23c5-cp23-h2h5
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/5893b5f277db38b0040c572b078de838b84cfc07
 (2.11.6)
 CVE-2024-32458 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
- freerdp3  (Fixed with initial upload to Debian unstable)
- freerdp2  (bug #1069728)
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vvr6-h646-mp4p
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/9bc624c721ecde8251cfabd1edf069bc713ccc97
 (2.11.6)
 CVE-2024-32459 (FreeRDP 
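Review bot: the four `freerdp2  (bug #1069728)` entries in this hunk each reference a 2.11.6 upstream commit (two of them, CVE-2024-32041 and CVE-2024-32039, the same commit `d88ad1acd142769650a6159906ac90f46a766265`), so the fix for freerdp2 is already identified; the new bookworm/bullseye `(Minor issue)` lines would be more useful with the qualifier used for openssl in this series, "fix along with next update round", so that it is clear these are intended for a point release once 2.11.6 or the backported commits reach unstable.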

[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
48b0a219 by Moritz Muehlenhoff at 2024-05-28T14:54:29+02:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -68,6 +68,8 @@ CVE-2024-32978 (Kaminari is a paginator for web app 
frameworks and object relati
- ruby-kaminari  (Doesn't affect Kaminari as shipped by 
Debian)
 CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF 
because some ...)
- node-ip 
+   [bookworm] - node-ip  (Minor issue)
+   [bullseye] - node-ip  (Minor issue)
NOTE: https://github.com/indutny/node-ip/issues/150
NOTE: https://github.com/indutny/node-ip/pull/144
NOTE: https://github.com/indutny/node-ip/pull/143
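Review bot: CVE-2024-29415 lists three upstream references (`issues/150`, `pull/144`, `pull/143`) with no indication which, if any, is the accepted fix; since the new `[bookworm]`/`[bullseye] - node-ip  (Minor issue)` lines defer the issue, label the pull request that fixes it (or note that none is merged yet) so the deferral can be revisited when a fix exists.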
@@ -4445,6 +4447,8 @@ CVE-2024-36043 (question_image.ts in SurveyJS Form 
Library before 1.10.4 allows
NOT-FOR-US: SurveyJS Form Library
 CVE-2024-34083 (aiosmptd is  a reimplementation of the Python stdlib smtpd.py 
based on ...)
- python-aiosmtpd 
+   [bookworm] - python-aiosmtpd  (Minor issue)
+   [bullseye] - python-aiosmtpd  (Minor issue)
NOTE: 
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
NOTE: 
https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
 (v1.4.6)
 CVE-2024-31879 (IBM i 7.2, 7.3, and 7.4 could allow a remote attacker to 
execute arbit ...)
@@ -9927,16 +9931,22 @@ CVE-2023-51597 (Kofax Power PDF U3D File Parsing 
Out-Of-Bounds Write Remote Code
NOT-FOR-US: Kofax Power PDF
 CVE-2023-51596 (BlueZ Phone Book Access Profile Heap-based Buffer Overflow 
Remote Code ...)
- bluez 
+   [bookworm] - bluez  (Minor issue, revisit when/if fixed 
upstream)
+   [bullseye] - bluez  (Minor issue, revisit when/if fixed 
upstream)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1902/
 CVE-2023-51595 (Voltronic Power ViewPower Pro selectDeviceListBy SQL Injection 
Remote  ...)
NOT-FOR-US: Voltronic Power ViewPower Pro
 CVE-2023-51594 (BlueZ OBEX Library Out-Of-Bounds Read Information Disclosure 
Vulnerabi ...)
- bluez 
+   [bookworm] - bluez  (Minor issue, revisit when/if fixed 
upstream)
+   [bullseye] - bluez  (Minor issue, revisit when/if fixed 
upstream)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1901/
 CVE-2023-51593 (Voltronic Power ViewPower Pro Expression Language Injection 
Remote Cod ...)
NOT-FOR-US: Voltronic Power ViewPower Pro
 CVE-2023-51592 (BlueZ Audio Profile AVRCP parse_media_folder Out-Of-Bounds 
Read Inform ...)
- bluez 
+   [bookworm] - bluez  (Minor issue, revisit when/if fixed 
upstream)
+   [bullseye] - bluez  (Minor issue, revisit when/if fixed 
upstream)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1905/
 CVE-2023-51591 (Voltronic Power ViewPower Pro doDocument XML External Entity 
Processin ...)
NOT-FOR-US: Voltronic Power ViewPower Pro
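Review bot: CVE-2023-51596 is described as a heap-based buffer overflow with remote code execution in the BlueZ Phone Book Access Profile, yet its new bookworm/bullseye lines carry the same `(Minor issue, revisit when/if fixed upstream)` text as the out-of-bounds read entries CVE-2023-51594 and CVE-2023-51592; with the ZDI advisory as the only reference, record the reason the RCE entry is considered minor (for example a pairing or proximity precondition, if that is the basis) so it is not triaged by copy-paste from the information-disclosure entries.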
@@ -9944,6 +9954,8 @@ CVE-2023-51590 (Voltronic Power ViewPower Pro 
UpLoadAction Unrestricted File Upl
NOT-FOR-US: Voltronic Power ViewPower Pro
 CVE-2023-51589 (BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds 
Read Infor ...)
- bluez 
+   [bookworm] - bluez  (Minor issue, revisit when/if fixed 
upstream)
+   [bullseye] - bluez  (Minor issue, revisit when/if fixed 
upstream)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1904/
 CVE-2023-51588 (Voltronic Power ViewPower Pro MySQL Use of Hard-coded 
Credentials Loca ...)
NOT-FOR-US: Voltronic Power ViewPower Pro
@@ -9963,6 +9975,8 @@ CVE-2023-51581 (Voltronic Power ViewPower 
MacMonitorConsole Exposed Dangerous Me
NOT-FOR-US: Voltronic Power ViewPower
 CVE-2023-51580 (BlueZ Audio Profile AVRCP avrcp_parse_attribute_list 
Out-Of-Bounds Rea ...)
- bluez 
+   [bookworm] - bluez  (Minor issue, revisit when/if fixed 
upstream)
+   [bullseye] - bluez  (Minor issue, revisit when/if fixed 
upstream)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1903/
 CVE-2023-51579 (Voltronic Power ViewPower Incorrect Permission Assignment 
Local Privil ...)
NOT-FOR-US: Voltronic Power ViewPower
@@ -10162,6 +10176,8 @@ CVE-2023-44432 (Kofax Power PDF PDF File Parsing 
Out-Of-Bounds Write Remote Code
NOT-FOR-US: Kofax Power PDF
 CVE-2023-44431 (BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote 
Code Exec ...)
- bluez 
+   [bookworm] - bluez  (Minor issue, revisit when/if fixed 
upstream)
+   [bullseye] - bluez  (Minor issue, revisit when/if fixed 
upstream)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1900/
 CVE-2023-44430 (Bentley View SKP File Parsing Use-After-Free Remote Code 
Execution Vul ...)
NOT-FOR-US: Bentley
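Review bot: the new [bookworm] and [bullseye] lines for CVE-2023-44431 rate a stack-based buffer overflow that the CVE title classes as remote code execution as "Minor issue", with the same wording used for the three AVRCP out-of-bounds-read CVEs in the hunks above, without recording why the RCE-class bug gets the same rating. Add the rationale to the tag text (the preconditions on the Bluetooth side, for instance) so the triage can be re-evaluated when an upstream fix appears.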
@@ -30349,6 +30365,8 

[Git][security-tracker-team/security-tracker][master] NFU

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4060b332 by Moritz Muehlenhoff at 2024-05-28T14:22:39+02:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -86,7 +86,7 @@ CVE-2023-6349 (A heap overflow vulnerability exists in libvpx 
-Encoding a frame
 CVE-2023-50977 (In GNOME Shell through 45.2, unauthenticated remote code 
execution can ...)
NOTE: Disputed GNOME Shell issue
 CVE-2022-4969 (A vulnerability, which was classified as critical, has been 
found in b ...)
-   TODO: check
+   NOT-FOR-US: rockhopper Python library (different from src:rockhopper)
 CVE-2024-5403 (ASKEY 5G NR Small Cell fails to properly filter user input for 
certain ...)
NOT-FOR-US: ASKEY
 CVE-2024-5400 (Openfind Mail2000 does not properly filter parameters of 
specific CGI. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4060b332e58f61e096c26b708f87cb3b50137c4c

-- 
This project does not include diff previews in email notifications.
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4060b332e58f61e096c26b708f87cb3b50137c4c
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] new node-ip issue

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be537af6 by Moritz Muehlenhoff at 2024-05-28T11:46:52+02:00
new node-ip issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -67,7 +67,10 @@ CVE-2024-34477 (configureNFS in lib/common/functions.sh in 
FOG through 1.5.10 al
 CVE-2024-32978 (Kaminari is a paginator for web app frameworks and object 
relational m ...)
- ruby-kaminari  (Doesn't affect Kaminari as shipped by 
Debian)
 CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF 
because some ...)
-   TODO: check
+   - node-ip 
+   NOTE: https://github.com/indutny/node-ip/issues/150
+   NOTE: https://github.com/indutny/node-ip/pull/144
+   NOTE: https://github.com/indutny/node-ip/pull/143
 CVE-2024-27310 (Zoho ManageEngineADSelfService Plus versions below6401 are 
vulnerable  ...)
NOT-FOR-US: Zoho ManageEngine
 CVE-2024-0851 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
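Review bot: the three NOTE lines for CVE-2024-29415 link an issue and two pull requests but none of them is labelled as the fix, and the node-ip package line carries no fixed version, so it is unclear whether either PR has been merged into a release. Mark the one that resolves the issue as "NOTE: Fixed by: ... (vX.Y.Z)" once confirmed, and add [bookworm]/[bullseye] triage tags, since as written node-ip shows as unfixed in both stable suites.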



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be537af61e138068be52aa7b0bb2d0622e47ddc4



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
21c219d9 by Moritz Muehlenhoff at 2024-05-28T11:40:31+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,27 +1,27 @@
 CVE-2024-36428 (OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL 
injection.)
-   TODO: check
+   NOT-FOR-US: OrangeHRM
 CVE-2024-36426 (In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the 
session  ...)
-   TODO: check
+   NOT-FOR-US: TARGIT Decision Suite
 CVE-2024-32944 (Path traversal vulnerability exists in UTAU versions prior to 
v0.4.19. ...)
-   TODO: check
+   NOT-FOR-US: UTAU
 CVE-2024-29078 (Incorrect permission assignment for critical resource issue 
exists in  ...)
-   TODO: check
+   NOT-FOR-US: MosP kintai kanri
 CVE-2024-28886 (OS command injection vulnerability exists in UTAU versions 
prior to v0 ...)
-   TODO: check
+   NOT-FOR-US: UTAU
 CVE-2024-28880 (Path traversal vulnerability in MosP kintai kanri V4.6.6 and 
earlier a ...)
-   TODO: check
+   NOT-FOR-US: MosP kintai kanri
 CVE-2023-52712 (Various Issues Due To Exposed SMI Handler in AmdPspP2CmboxV2. 
The firs ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-52711 (Various Issues Due To Exposed SMI Handler in AmdPspP2CmboxV2. 
The firs ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-52710 (Huawei Matebook D16(Model: CREM-WXX9, BIOS: v2.26), As the 
communicati ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-52548 (Huawei Matebook D16(Model: CREM-WXX9, BIOS: v2.26) Arbitrary 
Memory Co ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-52547 (Huawei Matebook D16(Model: CREM-WXX9, BIOS: v2.26. Memory 
Corruption i ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2022-48681 (Some Huawei smart speakers have a memory overflow 
vulnerability. Succe ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2024-5409 (RhinOS 3.0-1190 is vulnerable to an XSS via the "tamper" 
parameter in  ...)
NOT-FOR-US: RhinOS
 CVE-2024-5408 (Vulnerability in RhinOS 3.0-1190 consisting of an XSS through 
the "sea ...)
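Review bot: the NOT-FOR-US: Huawei lines for CVE-2023-52712 and CVE-2023-52711 are the only ones in this hunk whose visible description ("Exposed SMI Handler in AmdPspP2CmboxV2") does not name Huawei, unlike the Matebook D16 entries that follow. Consider naming the affected product in the label so the vendor attribution is traceable from the entry itself rather than only from the CVE text.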



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21c219d985bc8dade4c0a95a42f8bb0be1ca8c38



[Git][security-tracker-team/security-tracker][master] kaminari n/a

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64b23b53 by Moritz Muehlenhoff at 2024-05-28T10:34:21+02:00
kaminari n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -65,7 +65,7 @@ CVE-2024-34923 (In Avocent DSR2030 Appliance firmware 
03.04.00.07 before 03.07.0
 CVE-2024-34477 (configureNFS in lib/common/functions.sh in FOG through 1.5.10 
allows l ...)
NOT-FOR-US: FOG
 CVE-2024-32978 (Kaminari is a paginator for web app frameworks and object 
relational m ...)
-   TODO: check
+   - ruby-kaminari  (Doesn't affect Kaminari as shipped by 
Debian)
 CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF 
because some ...)
TODO: check
 CVE-2024-27310 (Zoho ManageEngineADSelfService Plus versions below6401 are 
vulnerable  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64b23b5345bb929f75f100117340a4c3ec9b4027



[Git][security-tracker-team/security-tracker][master] new libarchive issue

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6cea85de by Moritz Muehlenhoff at 2024-05-28T10:07:58+02:00
new libarchive issue

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -18635,7 +18635,10 @@ CVE-2024-26275 (A vulnerability has been identified in 
Parasolid V35.1 (All vers
 CVE-2024-26257 (Microsoft Excel Remote Code Execution Vulnerability)
NOT-FOR-US: Microsoft
 CVE-2024-26256 (libarchive Remote Code Execution Vulnerability)
-   TODO: check
+   - libarchive 
+   NOTE: https://github.com/advisories/GHSA-2jc9-36w4-pmqw
+   NOTE: https://github.com/libarchive/libarchive/pull/2135
+   NOTE: 
https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237
 (v3.7.4)
 CVE-2024-26255 (Windows Remote Access Connection Manager Information 
Disclosure Vulner ...)
NOT-FOR-US: Microsoft
 CVE-2024-26254 (Microsoft Virtual Machine Bus (VMBus) Denial of Service 
Vulnerability)
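Review bot: the commit NOTE for CVE-2024-26256 ends with "(v3.7.4)" but lacks the "Fixed by:" prefix that other entries in data/CVE/list use, so neither tooling nor readers can tell it from a merely related commit. Prefix it, and since the fix is already released upstream, add the fixed Debian version on the libarchive package line as soon as the 3.7.4-based upload is in the archive.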


=
data/dsa-needed.txt
=
@@ -31,6 +31,8 @@ gst-plugins-base1.0 (carnil)
 --
 h2o (jmm)
 --
+libarchive
+--
 libreswan (jmm)
   Maintainer prepared bookworm-security update, but needs work on 
bullseye-security backports
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6cea85de655d5793dafcdc57cde308df368486fa



[Git][security-tracker-team/security-tracker][master] disputed gnome-shell issue

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
26d39577 by Moritz Muehlenhoff at 2024-05-28T09:54:16+02:00
disputed gnome-shell issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -53,7 +53,7 @@ CVE-2023-6349 (A heap overflow vulnerability exists in libvpx 
-Encoding a frame
NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1642
NOTE: Fixed by: 
https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937
 (v1.13.1)
 CVE-2023-50977 (In GNOME Shell through 45.2, unauthenticated remote code 
execution can ...)
-   TODO: check
+   NOTE: Disputed GNOME Shell issue
 CVE-2022-4969 (A vulnerability, which was classified as critical, has been 
found in b ...)
TODO: check
 CVE-2024-5403 (ASKEY 5G NR Small Cell fails to properly filter user input for 
certain ...)
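Review bot: replacing the TODO for CVE-2023-50977 with only "NOTE: Disputed GNOME Shell issue" leaves the entry with no package line, so the tracker has no recorded status for gnome-shell and nothing points at the source of the dispute. Add a gnome-shell package line with the appropriate not-affected or unimportant marking and a NOTE linking to where upstream disputed the report.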



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26d39577bdac77bf503ab138937d9f51a0d65ce9



[Git][security-tracker-team/security-tracker][master] new ruby-rack-contrib issue

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
02493fee by Moritz Muehlenhoff at 2024-05-28T09:45:17+02:00
new ruby-rack-contrib issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25,7 +25,9 @@ CVE-2024-35237 (MIT IdentiBot is an open-source Discord bot 
written in Node.js t
 CVE-2024-35236 (Audiobookshelf is a self-hosted audiobook and podcast server. 
Prior to ...)
NOT-FOR-US: Audiobookshelf
 CVE-2024-35231 (rack-contrib provides contributed rack middleware and 
utilities for Ra ...)
-   TODO: check
+   - ruby-rack-contrib 
+   NOTE: 
https://github.com/rack/rack-contrib/security/advisories/GHSA-8c8q-2xw3-j869
+   NOTE: 
https://github.com/rack/rack-contrib/commit/0eec2a9836329051c6742549e65a94a4c24fe6f7
 (v2.5.0)
 CVE-2024-35229 (ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs 
to scal ...)
NOT-FOR-US: ZKsync Era
 CVE-2024-35219 (OpenAPI Generator allows generation of API client libraries 
(SDK gener ...)
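Review bot: the new ruby-rack-contrib entry for CVE-2024-35231 records the advisory and the fixing commit (v2.5.0) but no [bookworm]/[bullseye] tags, so both stable suites will show as affected with no triage decision. Add no-dsa or postponed tags with a severity note, or an entry in data/dsa-needed.txt if an update is planned.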



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02493fee1cd4eba6f1806d2dcf28c75b5d7c1024



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fa313055 by Moritz Muehlenhoff at 2024-05-28T09:16:23+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11,9 +11,9 @@ CVE-2024-5405 (A vulnerability had been discovered in WinNMP 
19.02 consisting of
 CVE-2024-3381
REJECTED
 CVE-2024-36383 (An issue was discovered in Logpoint SAML Authentication before 
6.0.3.  ...)
-   TODO: check
+   NOT-FOR-US: Logpoint
 CVE-2024-36105 (dbt enables data analysts and engineers to transform their 
data using  ...)
-   TODO: check
+   NOT-FOR-US: dbt-core
 CVE-2024-36037 (Zoho ManageEngine ADAudit Plus versions 7260 and below allows 
unauthor ...)
NOT-FOR-US: Zoho ManageEngine
 CVE-2024-36036 (Zoho ManageEngine ADAudit Plus versions 7260 and below allows 
unauthor ...)
@@ -23,21 +23,21 @@ CVE-2024-35238 (Minder by Stacklok is an open source 
software supply chain secur
 CVE-2024-35237 (MIT IdentiBot is an open-source Discord bot written in Node.js 
that ve ...)
NOT-FOR-US: MIT IdentiBot
 CVE-2024-35236 (Audiobookshelf is a self-hosted audiobook and podcast server. 
Prior to ...)
-   TODO: check
+   NOT-FOR-US: Audiobookshelf
 CVE-2024-35231 (rack-contrib provides contributed rack middleware and 
utilities for Ra ...)
TODO: check
 CVE-2024-35229 (ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs 
to scal ...)
NOT-FOR-US: ZKsync Era
 CVE-2024-35219 (OpenAPI Generator allows generation of API client libraries 
(SDK gener ...)
-   TODO: check
+   NOT-FOR-US: OpenAPI Generator
 CVE-2024-35182 (Meshery is an open source, cloud native manager that enables 
the desig ...)
-   TODO: check
+   NOT-FOR-US: Meshery
 CVE-2024-35181 (Meshery is an open source, cloud native manager that enables 
the desig ...)
-   TODO: check
+   NOT-FOR-US: Meshery
 CVE-2024-34923 (In Avocent DSR2030 Appliance firmware 03.04.00.07 before 
03.07.01.23,  ...)
NOT-FOR-US: Avocent DSR2030 Appliance firmware
 CVE-2024-34477 (configureNFS in lib/common/functions.sh in FOG through 1.5.10 
allows l ...)
-   TODO: check
+   NOT-FOR-US: FOG
 CVE-2024-32978 (Kaminari is a paginator for web app frameworks and object 
relational m ...)
TODO: check
 CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF 
because some ...)
@@ -45,7 +45,7 @@ CVE-2024-29415 (The ip package through 2.0.1 for Node.js 
might allow SSRF becaus
 CVE-2024-27310 (Zoho ManageEngineADSelfService Plus versions below6401 are 
vulnerable  ...)
NOT-FOR-US: Zoho ManageEngine
 CVE-2024-0851 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
-   TODO: check
+   NOT-FOR-US: Grup Arge Energy and Control Systems Smartpower
 CVE-2023-6349 (A heap overflow vulnerability exists in libvpx -Encoding a 
frame that  ...)
- libvpx 1.13.1-2
NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1642



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa3130557957c9967f43930cd37a074203463f69



[Git][security-tracker-team/security-tracker][master] pymysql fixed in sid

2024-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a876ecc5 by Moritz Muehlenhoff at 2024-05-28T08:59:00+02:00
pymysql fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1584,7 +1584,7 @@ CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, 
allows attackers to spoof
NOT-FOR-US: WinRAR
 CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with 
untrusted JSON ...)
{DLA-3822-1}
-   - python-pymysql  (bug #1071628)
+   - python-pymysql 1.1.1-1 (bug #1071628)
NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp
NOTE: 
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
 (v1.1.1)
 CVE-2024-35386 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
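Review bot: the bumped python-pymysql line for CVE-2024-36039 covers sid (1.1.1-1) and the {DLA-3822-1} line covers bullseye, but the hunk shows no [bookworm] tag between the package line and the NOTE lines, so bookworm remains listed as affected with no decision recorded. Add a [bookworm] tag (or a data/dsa-needed.txt entry) so the stable status matches the LTS one.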



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a876ecc58d010b8c6fe908566b6465e5479cacae



[Git][security-tracker-team/security-tracker][master] iperf3 fixed in sid

2024-05-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c02db07b by Moritz Muehlenhoff at 2024-05-27T16:48:48+02:00
iperf3 fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7230,7 +7230,7 @@ CVE-2024-2299 (A stored Cross-Site Scripting (XSS) 
vulnerability exists in the p
 CVE-2024-29212 (Due to an  unsafe de-serialization method used by the Veeam 
Service Pr ...)
NOT-FOR-US: Veeam
 CVE-2024-26306 (iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a 
server wi ...)
-   - iperf3  (bug #1071751)
+   - iperf3 3.17.1-1 (bug #1071751)
[bookworm] - iperf3  (Minor issue)
[bullseye] - iperf3  (Minor issue)
[buster] - iperf3  (Minor issue; can be fixed in next update)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c02db07b1a0ef83005f4d3bf50103e4849130797



[Git][security-tracker-team/security-tracker][master] new linux issues via OpenAnolis

2024-05-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3be714d1 by Moritz Muehlenhoff at 2024-05-27T16:47:18+02:00
new linux issues via OpenAnolis

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16983,9 +16983,11 @@ CVE-2024-3651 [potential DoS via resource consumption 
via specially crafted inpu
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274779
NOTE: Fixed by: 
https://github.com/kjd/idna/commit/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7 
(v3.7)
 CVE-2024-24863 (In malidp_mw_connector_reset, new memory is allocated with 
kzalloc, bu ...)
-   TODO: check
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/a1f95aede6285dba6dd036d907196f35ae3a11ea (6.10-rc1)
 CVE-2024-24862 (In function pci1_spi_probe, there is a potential null 
pointer that ...)
-   TODO: check
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/1f886a7bfb3faf4c1021e73f045538008ce7634e (6.9-rc3)
 CVE-2024-3740 (A vulnerability, which was classified as critical, has been 
found in c ...)
NOT-FOR-US: cym1102 nginxWebUI
 CVE-2024-3739 (A vulnerability classified as critical was found in cym1102 
nginxWebUI ...)
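Review bot: the two new kernel commit NOTEs for CVE-2024-24863 and CVE-2024-24862 lack the "Fixed by:" prefix that the idna entry at the top of this hunk uses, so they read as plain references even though each carries a fix release tag ((6.10-rc1) and (6.9-rc3)). Prefix them, and put the fixed Debian kernel version on the linux package lines once the corresponding upload is in the archive.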



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3be714d1f0878024d1e1e70b4bed46898837d6d2



[Git][security-tracker-team/security-tracker][master] new acpica-unix non issue

2024-05-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b65f9915 by Moritz Muehlenhoff at 2024-05-27T16:37:29+02:00
new acpica-unix non issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15158,7 +15158,11 @@ CVE-2024-29035 (Umbraco is an ASP.NET CMS. Failing 
webhooks logs are available w
 CVE-2024-28073 (SolarWinds Serv-U was found to be susceptible to a Directory 
Traversal ...)
NOT-FOR-US: SolarWinds
 CVE-2024-24856 (The memory allocation function ACPI_ALLOCATE_ZEROED does not 
guarantee ...)
-   TODO: check
+   - acpica-unix  (unimportant)
+   NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8764
+   NOTE: https://github.com/acpica/acpica/pull/946
+   NOTE: 
https://github.com/acpica/acpica/commit/4d4547cf13cca820ff7e0f859ba83e1a610b9fd0
+   NOTE: Crash in CLI tool, no security impact
 CVE-2024-21990 (ONTAP Select Deploy administration utility versions 9.12.1.x,  
9.13.1. ...)
NOT-FOR-US: ONTAP / NetAPP
 CVE-2024-21989 (ONTAP Select Deploy administration utility versions 9.12.1.x,  
9.13.1. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b65f9915392bdb928b91728c29ab93adc117f697



[Git][security-tracker-team/security-tracker][master] new strongswan issue

2024-05-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d53c47aa by Moritz Muehlenhoff at 2024-05-27T16:20:18+02:00
new strongswan issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -873,7 +873,7 @@ CVE-2024-3711 (The Brizy \u2013 Page Builder plugin for 
WordPress is vulnerable
NOT-FOR-US: WordPress plugin
 CVE-2024-3708 (A condition exists in lighttpd version prior to 1.4.51 whereby 
a remot ...)
- lighttpd 1.4.52-1
-   TODO: check details (will be only pubished on July 9th, 2024), but said 
to be an issue fixed by maintainer in 2018 in version 1.4.51
+   NOTE: will only be published on July 9th, 2024, but said to be an issue 
fixed by maintainer in 2018 in version 1.4.51
 CVE-2024-3648 (The ShareThis Share Buttons plugin for WordPress is vulnerable 
to Stor ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3626 (The Email Subscribers by Icegram Express \u2013 Email 
Marketing, Newsl ...)
@@ -7161,7 +7161,11 @@ CVE-2023-49781 (NocoDB is software for building 
databases as spreadsheets. Prior
 CVE-2023-46870 (extcap/nrf_sniffer_ble.py, extcap/nrf_sniffer_ble.sh, 
extcap/SnifferAP ...)
NOT-FOR-US: Nordic Semiconductor nRF Sniffer for Bluetooth
 CVE-2022-4967 (strongSwan versions 5.9.2 through 5.9.5 are affected by 
authorization  ...)
-   TODO: check
+   - strongswan 5.9.4-1
+   [bullseye] - strongswan  (Introduced in 5.9.2)
+   [buster] - strongswan  (Introduced in 5.9.2)
+   NOTE: 
https://www.strongswan.org/blog/2024/05/13/strongswan-vulnerability-(cve-2022-4967).html
+   NOTE: 
https://github.com/strongswan/strongswan/commit/e4b4aabc4996fc61c37deab7858d07bc4d220136
 (5.9.6rc1)
 CVE-2024-27401 (In the Linux kernel, the following vulnerability has been 
resolved:  f ...)
- linux 6.8.11-1
NOTE: 
https://git.kernel.org/linus/38762a0763c10c24a4915feee722d7aa6e73eb98 (6.9-rc7)
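Review bot: the package line "- strongswan 5.9.4-1" gives a fixed version that lies inside the affected range the description states (5.9.2 through 5.9.5) and predates the upstream fix commit tagged (5.9.6rc1) in the NOTE below it. Either the 5.9.4-1 upload carried a backport, which deserves a NOTE saying so, or the fixed version should be the first upload based on 5.9.6 or later; the [bullseye]/[buster] "(Introduced in 5.9.2)" markings are consistent with the description and look right.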



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d53c47aa0e68dba09629401cb0ec280463b60608



[Git][security-tracker-team/security-tracker][master] new zabbix issue

2024-05-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
864b4999 by Moritz Muehlenhoff at 2024-05-27T16:13:36+02:00
new zabbix issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5157,7 +5157,8 @@ CVE-2024-22145 (Improper Privilege Management 
vulnerability in InstaWP Team Inst
 CVE-2024-22139 (Authentication Bypass by Spoofing vulnerability in Filipe 
Seabra WordP ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-22120 (Zabbix server can perform command execution for configured 
scripts. Af ...)
-   TODO: check
+   - zabbix 
+   NOTE: https://support.zabbix.com/browse/ZBX-24505
 CVE-2024-21746 (Authentication Bypass by Spoofing vulnerability in Wpmet Wp 
Ultimate R ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-5597 (A stored Cross-site Scripting (XSS) vulnerability affecting 
3DDashboar ...)
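Review bot: the new zabbix entry for CVE-2024-22120 has a single NOTE (the ZBX-24505 tracker issue) and no fixed version, affected range or stable-suite tags, so it cannot be told from the entry whether the issue is still open upstream. Record the upstream fix release (or a "Fixed by:" commit) and add [bookworm]/[bullseye] triage tags.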



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/864b49992e955bf680f54b313b9d4ef0c52e3309



[Git][security-tracker-team/security-tracker][master] new python-aiosmtpd issue

2024-05-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
275fe914 by Moritz Muehlenhoff at 2024-05-27T16:12:34+02:00
new python-aiosmtpd issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4359,7 +4359,9 @@ CVE-2024-3658 (The Build App Online plugin for WordPress 
is vulnerable to authen
 CVE-2024-36043 (question_image.ts in SurveyJS Form Library before 1.10.4 
allows conten ...)
NOT-FOR-US: SurveyJS Form Library
 CVE-2024-34083 (aiosmptd is  a reimplementation of the Python stdlib smtpd.py 
based on ...)
-   TODO: check
+   - python-aiosmtpd 
+   NOTE: 
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
+   NOTE: 
https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
 (v1.4.6)
 CVE-2024-31879 (IBM i 7.2, 7.3, and 7.4 could allow a remote attacker to 
execute arbit ...)
NOT-FOR-US: IBM
 CVE-2024-5069 (A vulnerability, which was classified as critical, has been 
found in S ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/275fe914c624a16781f70c8ca04110b8dc6ade87



[Git][security-tracker-team/security-tracker][master] new liboqs issue

2024-05-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
15438022 by Moritz Muehlenhoff at 2024-05-27T16:10:42+02:00
new liboqs issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -236,7 +236,8 @@ CVE-2024-33427
NOTE: 
https://github.com/squid-cache/squid/commit/1891ce596237b45e0a675f75c49a5f6a840d
NOTE: OOB read in config file parsing, doesn't cross any reasonable 
security boundary
 CVE-2024-31510 (An issue in Open Quantum Safe liboqs v.10.0 allows a remote 
attacker t ...)
-   TODO: check
+   - liboqs 
+   NOTE: https://github.com/liang-junkai/Fault-injection-of-ML-DSA
 CVE-2024-22588 (Kwik commit 745fd4e2 does not discard unused encryption keys.)
NOT-FOR-US: Kwik
 CVE-2023-49575 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
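Review bot: the only NOTE for CVE-2024-31510 points at a third-party fault-injection research repository rather than an upstream liboqs advisory or fix, and the CVE text speaks of a "remote attacker" while the referenced work concerns fault injection, which normally needs physical or local access to the device. Record upstream's position (whether a fix or a dispute exists) and consider whether the entry should carry an unimportant or not-affected marking with that rationale.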



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1543802267a19d1a8642e8f98baf793de142b129



[Git][security-tracker-team/security-tracker][master] add PHP references

2024-05-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6c543caa by Moritz Muehlenhoff at 2024-05-27T15:36:40+02:00
add PHP references

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15215,6 +15215,8 @@ CVE-2024-2961 (The iconv() function in the GNU C 
Library versions 2.39 and older
NOTE: 
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004
NOTE: Introduced by: 
https://sourceware.org/git?p=glibc.git;a=commit;h=755104edc75c53f4a0e7440334e944ad3c6b32fc
 (cvs/libc-2_1_94)
NOTE: Fixed by: 
https://sourceware.org/git?p=glibc.git;a=commit;h=f9dc609e06b1136bb0408be9605ce7973a767ada
+   NOTE: https://www.ambionics.io/blog/iconv-cve-2024-2961-p1
+   NOTE: https://github.com/ambionics/cnext-exploits/
 CVE-2024-26920 (In the Linux kernel, the following vulnerability has been 
resolved:  t ...)
{DSA-5681-1}
- linux 6.7.7-1
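Review bot: the two added NOTE lines are bare URLs. The commit message says they are PHP references, but nothing in the entry says so, and the existing NOTE lines in this same entry each carry a label ("Introduced by:", "Fixed by:"). Prefix the new ones the same way, e.g. `NOTE: PHP exploitation writeup: https://www.ambionics.io/blog/iconv-cve-2024-2961-p1`, so a reader understands why PHP material is attached to a glibc entry and does not mistake the links for a glibc fix.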



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c543caa3a3e130534922b1860329b984fc4f669



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3dd3e771 by Moritz Muehlenhoff at 2024-05-27T13:44:02+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -81,7 +81,7 @@ CVE-2024-30657
 CVE-2024-27314 (Zoho ManageEngineServiceDesk Plus versions 
below14730,ServiceDesk Plus ...)
NOT-FOR-US: Zoho
 CVE-2024-26289 (Deserialization of Untrusted Data vulnerability in PMB 
Services PMB al ...)
-   TODO: check
+   NOT-FOR-US: PMB Services PMB
 CVE-2024-5375 (A vulnerability has been found in Kashipara College Management 
System  ...)
NOT-FOR-US: Kashipara College Management System
 CVE-2024-5374 (A vulnerability, which was classified as problematic, was found 
in Kas ...)
@@ -163,7 +163,7 @@ CVE-2024-5337 (A vulnerability was found in Ruijie RG-UAC 
up to 20240516 and cla
 CVE-2024-5336 (A vulnerability has been found in Ruijie RG-UAC up to 20240516 
and cla ...)
NOT-FOR-US: Ruijie RG-UAC
 CVE-2024-30056 (Microsoft Edge (Chromium-based) Information Disclosure 
Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-5229 (The Primary Addon for Elementor plugin for WordPress is 
vulnerable to  ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-5220 (The ND Shortcodes plugin for WordPress is vulnerable to Stored 
Cross-S ...)
@@ -181,7 +181,7 @@ CVE-2024-35374 (Mocodo Mocodo Online 4.2.6 and below does 
not properly sanitize
 CVE-2024-35373 (Mocodo Mocodo Online 4.2.6 and below is vulnerable to Remote 
Code Exec ...)
NOT-FOR-US: Mocodo Mocodo Online
 CVE-2024-35232 (github.com/huandu/facebook is a Go package that fully supports 
the Fac ...)
-   TODO: check
+   NOT-FOR-US: Huando/Facebook
 CVE-2024-5318 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
- gitlab  (Vulnerable code introduced later)
 CVE-2024-5315 (Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 
and al ...)
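Review bot: `NOT-FOR-US: Huando/Facebook` misspells the project; the CVE description on the context line above names it `github.com/huandu/facebook`. Use `NOT-FOR-US: huandu/facebook Go package` so the entry matches the upstream name and can be found by searching for it.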
@@ -238,7 +238,7 @@ CVE-2024-33427
 CVE-2024-31510 (An issue in Open Quantum Safe liboqs v.10.0 allows a remote 
attacker t ...)
TODO: check
 CVE-2024-22588 (Kwik commit 745fd4e2 does not discard unused encryption keys.)
-   TODO: check
+   NOT-FOR-US: Kwik
 CVE-2023-49575 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
NOT-FOR-US: VX Search Enterprise
 CVE-2023-49574 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
@@ -250,7 +250,7 @@ CVE-2023-49572 (A vulnerability has been discovered in VX 
Search Enterprise affe
 CVE-2023-47710 (IBM Security Guardium 11.4, 11.5, and 12.0 is vulnerable to 
cross-site ...)
NOT-FOR-US: IBM
 CVE-2023-46442 (An infinite loop in the retrieveActiveBody function of Soot 
before v4. ...)
-   TODO: check
+   NOT-FOR-US: Soot
 CVE-2023-52880 (In the Linux kernel, the following vulnerability has been 
resolved:  t ...)
- linux 6.6.8-1
[bookworm] - linux 6.1.85-1
@@ -7015,9 +7015,9 @@ CVE-2024-34706 (Valtimo is an open source business 
process and case management p
 CVE-2024-34704 (era-compiler-solidity is the ZKsync compiler for Solidity.  
The proble ...)
NOT-FOR-US: era-compiler-solidity
 CVE-2024-34701 (CreateWiki is Miraheze's MediaWiki extension for requesting & 
creating ...)
-   TODO: check
+   NOT-FOR-US: CreateWiki MediaWiki extension
 CVE-2024-34699 (GZ::CTF is a capture the flag platform. Prior to 0.20.1, 
unprivileged  ...)
-   TODO: check
+   NOT-FOR-US: GZ::CTF
 CVE-2024-34698 (FreeScout is a free, self-hosted help desk and shared mailbox. 
Version ...)
NOT-FOR-US: FreeScout
 CVE-2024-34697 (FreeScout is a free, self-hosted help desk and shared mailbox. 
A store ...)
@@ -7037,7 +7037,7 @@ CVE-2024-34416 (Unrestricted Upload of File with 
Dangerous Type vulnerability in
 CVE-2024-34411 (Unrestricted Upload of File with Dangerous Type vulnerability 
in Thoma ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-34353 (The matrix-sdk-crypto crate, part of the Matrix Rust SDK 
project, is a ...)
-   TODO: check
+   NOT-FOR-US: matrix-sdk-crypto Rust crate
 CVE-2024-34340 (Cacti provides an operational monitoring and fault management 
framewor ...)
- cacti 1.2.27+ds1-1
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-37x7-mfjv-mm7m
@@ -90576,7 +90576,7 @@ CVE-2023-27298 (Uncontrolled search path in the WULT 
software maintained by Inte
 CVE-2023-25772 (Improper input validation in the Intel(R) Retail Edge Mobile 
Android a ...)
NOT-FOR-US: Intel
 CVE-2023-24460 (Incorrect default permissions in some Intel(R) GPA software 
installers ...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2023-23572 (Cross-site scripting vulnerability in SEIKO EPSON 
printers/network int ...)
NOT-FOR-US: Epson
 CVE-2023-1151 (A vulnerability was found in 

[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
292b400b by Moritz Muehlenhoff at 2024-05-27T10:51:35+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,85 +1,85 @@
 CVE-2024-5403 (ASKEY 5G NR Small Cell fails to properly filter user input for 
certain ...)
-   TODO: check
+   NOT-FOR-US: ASKEY
 CVE-2024-5400 (Openfind Mail2000 does not properly filter parameters of 
specific CGI. ...)
-   TODO: check
+   NOT-FOR-US: Openfind Mail2000
 CVE-2024-5399 (Openfind Mail2000 does not properly filter parameters of 
specific API. ...)
-   TODO: check
+   NOT-FOR-US: Openfind Mail2000
 CVE-2024-5397 (A vulnerability classified as critical was found in 
itsourcecode Onlin ...)
-   TODO: check
+   NOT-FOR-US: itsourcecode Online Student Enrollment System
 CVE-2024-5396 (A vulnerability classified as critical has been found in 
itsourcecode  ...)
-   TODO: check
+   NOT-FOR-US: itsourcecode Online Student Enrollment System
 CVE-2024-5395 (A vulnerability was found in itsourcecode Online Student 
Enrollment Sy ...)
-   TODO: check
+   NOT-FOR-US: itsourcecode Online Student Enrollment System
 CVE-2024-5394 (A vulnerability was found in itsourcecode Online Student 
Enrollment Sy ...)
-   TODO: check
+   NOT-FOR-US: itsourcecode Online Student Enrollment System
 CVE-2024-5393 (A vulnerability was found in itsourcecode Online Student 
Enrollment Sy ...)
-   TODO: check
+   NOT-FOR-US: itsourcecode Online Student Enrollment System
 CVE-2024-5392 (A vulnerability was found in itsourcecode Online Student 
Enrollment Sy ...)
-   TODO: check
+   NOT-FOR-US: itsourcecode Online Student Enrollment System
 CVE-2024-5391 (A vulnerability has been found in itsourcecode Online Student 
Enrollme ...)
-   TODO: check
+   NOT-FOR-US: itsourcecode Online Student Enrollment System
 CVE-2024-5390 (A vulnerability, which was classified as critical, was found in 
itsour ...)
-   TODO: check
+   NOT-FOR-US: itsourcecode Online Student Enrollment System
 CVE-2024-5385 (A vulnerability, which was classified as problematic, has been 
found i ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester
 CVE-2024-5384 (A vulnerability classified as critical was found in 
SourceCodester Fac ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester
 CVE-2024-5383 (A vulnerability classified as problematic has been found in 
lakernote  ...)
-   TODO: check
+   NOT-FOR-US: lakernote EasyAdmin
 CVE-2024-5381 (A vulnerability classified as critical was found in 
itsourcecode Stude ...)
-   TODO: check
+   NOT-FOR-US: itsourcecode Online Student Enrollment System
 CVE-2024-5380 (A vulnerability classified as problematic has been found in 
jsy-1 shor ...)
-   TODO: check
+   NOT-FOR-US: jsy-1 short-url
 CVE-2024-5379 (A vulnerability was found in JFinalCMS up to 20240111. It has 
been rat ...)
-   TODO: check
+   NOT-FOR-US: JFinalCMS
 CVE-2024-5378 (A vulnerability was found in SourceCodester School Intramurals 
Student ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester
 CVE-2024-5377 (A vulnerability was found in SourceCodester Vehicle Management 
System  ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester
 CVE-2024-5376 (A vulnerability was found in Kashipara College Management 
System 1.0 a ...)
-   TODO: check
+   NOT-FOR-US: Kashipara College Management System
 CVE-2024-5035 (The affected device expose a network service called "rftest" 
that is v ...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2024-4535 (The KKProgressbar2 Free  WordPress plugin through 1.1.4.2 does 
not hav ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4534 (The KKProgressbar2 Free  WordPress plugin through 1.1.4.2 does 
not hav ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4533 (The KKProgressbar2 Free  WordPress plugin through 1.1.4.2 does 
not san ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4532 (The Business Card WordPress plugin through 1.0.0 does not have 
CSRF ch ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4531 (The Business Card WordPress plugin through 1.0.0 does not have 
CSRF ch ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4530 (The Business Card WordPress plugin through 1.0.0 does not have 
CSRF ch ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4529 (The Business Card WordPress plugin through 1.0.0 does not have 
CSRF ch ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4286 (Mintplex-Labs' anything-llm application is vulnerable to 
improper neut ...)
-   TODO: check
+   NOT-FOR-US: anything-llm
 CVE-2024-3939 (The Ditty  WordPress plugin before 3.1.36 does not 
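Review bot: two of the NOT-FOR-US attributions in this hunk cannot be checked against the description lines visible here. For CVE-2024-5035 the description only says "The affected device expose a network service called "rftest"" and never names a vendor, yet the entry is closed as `NOT-FOR-US: TP-Link`; and for CVE-2024-5381 the description reads "itsourcecode Stude ..." while the entry says "Online Student Enrollment System", the product named by the neighbouring CVE-2024-5391 to CVE-2024-5397 entries. Make sure both vendor and product were taken from the full CVE text, since a wrong NOT-FOR-US silently hides the issue from the tracker.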

[Git][security-tracker-team/security-tracker][master] lots of bogus ROS CVEs finally rejected

2024-05-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e1f125f7 by Moritz Muehlenhoff at 2024-05-27T10:47:13+02:00
lots of bogus ROS CVEs finally rejected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17373,7 +17373,6 @@ CVE-2024-30271 (Illustrator versions 28.3, 27.9.2 and 
earlier are affected by an
NOT-FOR-US: Adobe
 CVE-2024-29454
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-25852 (Linksys RE7000 v2.0.9, v2.0.11, and v2.0.15 have a command 
execution v ...)
NOT-FOR-US: Linksys
 CVE-2024-22722 (Server Side Template Injection (SSTI) vulnerability in Form 
Tools 3.1. ...)
@@ -17490,7 +17489,6 @@ CVE-2024-30878 (A cross-site scripting (XSS) 
vulnerability in RageFrame2 v2.6.43
NOT-FOR-US: RageFrame2
 CVE-2024-30728
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-2966 (The Element Pack Elementor Addons (Header Footer, Template 
Library, Dy ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-29903 (Cosign provides code signing and transparency for containers 
and binar ...)
@@ -17503,37 +17501,26 @@ CVE-2024-29460 (An issue in PX4 Autopilot v.1.14.0 
allows an attacker to manipul
NOT-FOR-US: PX4 Autopilot
 CVE-2024-29455
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-29452
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-29450
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-29449
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-29448
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-29447
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-29445
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-29444
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-29443
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-29441
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-29439
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-29399 (An issue was discovered in GNU Savane v.3.13 and before, 
allows a remo ...)
NOT-FOR-US: GNU Savane
 CVE-2024-29220 (Ninja Forms prior to 3.8.1 contains a cross-site scripting 
vulnerabili ...)
@@ -18066,70 +18053,48 @@ CVE-2024-3020 (The plugin is vulnerable to PHP Object 
Injection in versions up t
NOT-FOR-US: WordPress plugin
 CVE-2024-30737
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30736
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30735
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30733
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30730
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30729
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30727
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30726
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30724
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30723
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30722
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30721
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30719
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30718
REJECTED
-   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2024-30716
REJECTED
-   NOTE: Bogus report on ROS, lacks all 

[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-05-26 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4141e038 by Moritz Muehlenhoff at 2024-05-26T18:04:12+02:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -91,10 +91,11 @@ CVE-2024-33471 (An issue in the Sensor Settings of AVTECH 
Room Alert 4E v4.4.0 a
 CVE-2024-33470 (An issue in the SMTP Email Settings of AVTECH Room Alert 4E 
v4.4.0 all ...)
NOT-FOR-US: AVTECH Room Alert
 CVE-2024-33427 (Buffer Overflow vulnerability in Squid version before v.6.10 
allows a  ...)
-   - squid 
-   - squid3 
+   - squid  (unimportant)
+   - squid3  (unimportant)
NOTE: https://github.com/squid-cache/squid/pull/1763
NOTE: 
https://github.com/squid-cache/squid/commit/1891ce596237b45e0a675f75c49a5f6a840d
+   NOTE: OOB read in config file parsing, doesn't cross any reasonable 
security boundary
 CVE-2024-31510 (An issue in Open Quantum Safe liboqs v.10.0 allows a remote 
attacker t ...)
TODO: check
 CVE-2024-22588 (Kwik commit 745fd4e2 does not discard unused encryption keys.)
@@ -4193,7 +4194,10 @@ CVE-2024-36050 (Nix through 2.22.1 mishandles certain 
usage of hash caches, whic
TODO: check details and verify if same code (and only then) is present 
in guix
 CVE-2024-36048 (QAbstractOAuth in Qt Network Authorization in Qt before 
5.15.17, 6.x b ...)
- qtnetworkauth-everywhere-src 
+   [bookworm] - qtnetworkauth-everywhere-src  (Minor issue)
+   [bullseye] - qtnetworkauth-everywhere-src  (Minor issue)
- qt6-networkauth 
+   [bookworm] - qt6-networkauth  (Minor issue)
NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317
NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368
 CVE-2024-28064 (Kiteworks Totemomail 7.x and 8.x before 8.3.0 allows 
/responsiveUI/Env ...)
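Review bot: `qt6-networkauth` receives only a [bookworm] tag while `qtnetworkauth-everywhere-src` gets both [bookworm] and [bullseye]. If that is because qt6-networkauth does not exist in bullseye the asymmetry is correct, but nothing in the hunk says so and the next triager will have to re-check; a short NOTE recording which suites ship which source package would settle it.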
@@ -31308,6 +31312,8 @@ CVE-2021-46907
REJECTED
 CVE-2024-26144 (Rails is a web-application framework. Starting with version 
5.2.0, the ...)
- rails  (bug #1065119)
+   [bookworm] - rails  (Minor issue)
+   [bullseye] - rails  (Minor issue)
NOTE: 
https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
 CVE-2024-27092 (Hoppscotch is an API development ecosystem.  Due to lack of 
validation ...)
NOT-FOR-US: Hoppscotch



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4141e03819b535befca43c6659f00524d2830326



[Git][security-tracker-team/security-tracker][master] ruby, redmine DSAs

2024-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e94712b6 by Moritz Mühlenhoff at 2024-05-24T18:40:57+02:00
ruby, redmine DSAs

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,10 @@
+[24 May 2024] DSA-5699-1 redmine - security update
+   {CVE-2023-47258 CVE-2023-47259 CVE-2023-47260}
+   [bookworm] - redmine 5.0.4-5+deb12u1
+[24 May 2024] DSA-5698-1 ruby-rack - security update
+   {CVE-2024-25126 CVE-2024-26141 CVE-2024-26146}
+   [bullseye] - ruby-rack 2.1.4-3+deb11u2
+   [bookworm] - ruby-rack 2.2.6.4-1+deb12u1
 [24 May 2024] DSA-5697-1 chromium - security update
{CVE-2024-5274}
[bookworm] - chromium 125.0.6422.112-1~deb12u1


=
data/dsa-needed.txt
=
@@ -59,8 +59,6 @@ python-asyncssh
 --
 python-pymysql
 --
-redmine/stable (jmm)
---
 ring/oldstable
   might make sense to rebase to current version
 --
@@ -71,9 +69,6 @@ ruby2.7/oldstable
 --
 ruby-nokogiri/oldstable
 --
-ruby-rack (jmm)
-  Adrian Bunk proposed debdiffs for review
---
 ruby-rails-html-sanitizer
 --
 ruby-sinatra/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e94712b6a79cdd60ac74aaeef80f881daf3a8ec9



[Git][security-tracker-team/security-tracker][master] new qt networkauth issues

2024-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0fffc193 by Moritz Muehlenhoff at 2024-05-24T17:26:14+02:00
new qt networkauth issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3728,7 +3728,10 @@ CVE-2024-36050 (Nix through 2.22.1 mishandles certain 
usage of hash caches, whic
NOTE: https://github.com/NixOS/ofborg/issues/68#issuecomment-2082789441
TODO: check details and verify if same code (and only then) is present 
in guix
 CVE-2024-36048 (QAbstractOAuth in Qt Network Authorization in Qt before 
5.15.17, 6.x b ...)
-   TODO: check
+   - qtnetworkauth-everywhere-src 
+   - qt6-networkauth 
+   NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317
+   NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368
 CVE-2024-28064 (Kiteworks Totemomail 7.x and 8.x before 8.3.0 allows 
/responsiveUI/Env ...)
NOT-FOR-US: Kiteworks Totemomail
 CVE-2024-28063 (Kiteworks Totemomail through 7.0.0 allows 
/responsiveUI/EnvelopeOpenSe ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fffc193d2c1dbdeedfb232d412f52f76d553f55



[Git][security-tracker-team/security-tracker][master] disputed KeePassXC issues

2024-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8e14d29a by Moritz Muehlenhoff at 2024-05-24T17:08:47+02:00
disputed KeePassXC issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2814,9 +2814,9 @@ CVE-2024-35191 (Formie is a Craft CMS plugin for creating 
forms. Prior to 2.1.6,
 CVE-2024-34710 (Wiki.js is al wiki app built on Node.js. Client side template 
injectio ...)
NOT-FOR-US: Wiki.js
 CVE-2024-33901 (Issue in KeePassXC 2.7.7 allows an attacker (who has the 
privileges of ...)
-   TODO: check
+   NOTE: Disputed KeePassXC issue
 CVE-2024-33900 (KeePassXC 2.7.7 allows an attacker (who has the privileges of 
the vict ...)
-   TODO: check
+   NOTE: Disputed KeePassXC issue
 CVE-2024-2189 (The Social Icons Widget & Block by WPZOOM WordPress plugin 
before 4.2. ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-0816 (The buffer overflow vulnerability in the DX3300-T1 firmware 
version V5 ...)
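Review bot: replacing `TODO: check` with only `NOTE: Disputed KeePassXC issue` leaves both CVE-2024-33901 and CVE-2024-33900 without a status line: there is no package entry and no NOT-FOR-US, so the tracker says nothing about whether keepassxc is affected. Elsewhere on this list a low-impact or contested issue keeps a package line with a severity, as the squid entry in the bookworm/bullseye triage commit does with `- squid  (unimportant)` followed by an explanatory NOTE; do the same here and add a NOTE with the URL of the upstream dispute so the reasoning is traceable.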



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e14d29ae1f8c2c08dffe125cad3de44ffecdcc2



[Git][security-tracker-team/security-tracker][master] bugnums

2024-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7a2e8f18 by Moritz Muehlenhoff at 2024-05-24T17:00:36+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6610,7 +6610,7 @@ CVE-2023-52655 (In the Linux kernel, the following 
vulnerability has been resolv
[bullseye] - linux 5.10.205-1
NOTE: 
https://git.kernel.org/linus/ccab434e674ca95d483788b1895a70c21b7f016a (6.7-rc3)
 CVE-2024-25581 (When incoming DNS over HTTPS support is enabled using the 
nghttp2 prov ...)
-   - dnsdist 
+   - dnsdist  (bug #1071750)
[bookworm] - dnsdist  (Vulnerable code not present)
[bullseye] - dnsdist  (Vulnerable code not present)
[buster] - dnsdist  (Vulnerable code not present)
@@ -6649,7 +6649,7 @@ CVE-2024-2299 (A stored Cross-Site Scripting (XSS) 
vulnerability exists in the p
 CVE-2024-29212 (Due to an  unsafe de-serialization method used by the Veeam 
Service Pr ...)
NOT-FOR-US: Veeam
 CVE-2024-26306 (iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a 
server wi ...)
-   - iperf3 
+   - iperf3  (bug #1071751)
[bookworm] - iperf3  (Minor issue)
[bullseye] - iperf3  (Minor issue)
[buster] - iperf3  (Minor issue; can be fixed in next update)
@@ -8989,7 +8989,7 @@ CVE-2024-31963 (A vulnerability on Mitel 6800 Series and 
6900 Series SIP Phones
 CVE-2024-31673 (Kliqqi-CMS 2.0.2 is vulnerable to SQL Injection in 
load_data.php via t ...)
NOT-FOR-US: Kliqqi-CMS
 CVE-2024-31636 (An issue in LIEF v.0.14.1 allows a local attacker to obtain 
sensitive  ...)
-   - lief 
+   - lief  (bug #1071743)
[bookworm] - lief  (Minor issue)
[bullseye] - lief  (Minor issue)
[buster] - lief  (Minor issue)
@@ -12761,7 +12761,7 @@ CVE-2024-32406 (Server-Side Template Injection (SSTI) 
vulnerability in inducer r
 CVE-2024-32404 (Server-Side Template Injection (SSTI) vulnerability in inducer 
relate  ...)
NOT-FOR-US: inducer relate
 CVE-2024-31755 (cJSON v1.7.17 was discovered to contain a segmentation 
violation, whic ...)
-   - cjson 
+   - cjson  (bug #1071742)
[bookworm] - cjson  (Minor issue)
[bullseye] - cjson  (Minor issue)
[buster] - cjson  (Sefault only; can be piggy-backed with 
future DLAs)
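Review bot: the unchanged buster context line reads `(Sefault only; can be piggy-backed with future DLAs)`; "Sefault" is a typo for "Segfault" and could be fixed while this entry is being touched. The bug-number addition itself is consistent with the other hunks in this commit.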
@@ -27042,7 +27042,7 @@ CVE-2024-2364 (A vulnerability classified as 
problematic has been found in Music
 CVE-2024-2363 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in 
AOL AIM T ...)
NOT-FOR-US: AOL AIM Triton
 CVE-2024-2314 (If kernel headers need to be extracted, bcc will attempt to 
load them  ...)
-   - bpfcc 
+   - bpfcc  (bug #1071747)
[bookworm] - bpfcc  (Minor issue)
[bullseye] - bpfcc  (Minor issue)
[buster] - bpfcc  (Vulnerable code introduced later)
@@ -27051,7 +27051,7 @@ CVE-2024-2314 (If kernel headers need to be extracted, 
bcc will attempt to load
NOTE: Attempt to mitigate in https://bugs.debian.org/1028479 (applied 
in 0.25.0+ds-2), and
NOTE: resulting in the additional problem in 
https://bugs.debian.org/1068297
 CVE-2024-2313 (If kernel headers need to be extracted, bpftrace will attempt 
to load  ...)
-   - bpftrace 
+   - bpftrace  (bug #1071748)
[bookworm] - bpftrace  (Minor issue)
[bullseye] - bpftrace  (Minor issue)
[buster] - bpftrace  (Vulnerable code introduced later)
@@ -29661,7 +29661,7 @@ CVE-2024-23302 (Couchbase Server before 7.2.4 has a 
private key leak in goxdcr.l
 CVE-2024-22983 (SQL injection vulnerability in Projectworlds Visitor 
Management System ...)
NOT-FOR-US: Projectworlds Visitor Management System
 CVE-2024-22871 (An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an 
attacker  ...)
-   - clojure 
+   - clojure  (bug #1071746)
NOTE: https://github.com/advisories/GHSA-vr64-r9qj-h27f
NOTE: https://hackmd.io/@fe1w0/rymmJGida
 CVE-2024-22532 (Buffer Overflow vulnerability in XNSoft NConvert 7.163 (for 
Windows x8 ...)
@@ -36191,7 +36191,7 @@ CVE-2024-24569 (The Pixee Java Code Security Toolkit is 
a set of security APIs m
 CVE-2024-24561 (Vyper is a pythonic Smart Contract Language for the ethereum 
virtual m ...)
NOT-FOR-US: Vyper
 CVE-2024-24557 (Moby is an open-source project created by Docker to enable 
software co ...)
-   - docker.io 
+   - docker.io  (bug #1071745)
[bookworm] - docker.io  (Minor issue)
[bullseye] - docker.io  (Minor issue)
[buster] - docker.io  (Minor issue with workarounds)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a2e8f18e760db5951a641560bdf259098dcde85


[Git][security-tracker-team/security-tracker][master] - add clojure reference

2024-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c3ca5cee by Moritz Muehlenhoff at 2024-05-24T16:52:52+02:00
- add clojure reference
- one cacti issue n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6525,10 +6525,9 @@ CVE-2024-31443 (Cacti provides an operational monitoring 
and fault management fr
 CVE-2024-31377 (Unrestricted Upload of File with Dangerous Type vulnerability 
in J.N.  ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-30268 (Cacti provides an operational monitoring and fault management 
framewor ...)
-   - cacti 
+   - cacti  (Vulnerable code not present in 1.2, only 
affects 1.3)
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-9m3v-whmr-pc2q
NOTE: 
https://github.com/Cacti/cacti/commit/a38b9046e9772612fda847b46308f9391a49891e
-   TODO: check, might be only affecting 1.3.y
 CVE-2024-30259 (FastDDS is a C++ implementation of the DDS (Data Distribution 
Service) ...)
- fastdds 2.14.1+ds-1
NOTE: 
https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-qcj9-939p-p662
@@ -29662,7 +29661,8 @@ CVE-2024-23302 (Couchbase Server before 7.2.4 has a 
private key leak in goxdcr.l
 CVE-2024-22983 (SQL injection vulnerability in Projectworlds Visitor 
Management System ...)
NOT-FOR-US: Projectworlds Visitor Management System
 CVE-2024-22871 (An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an 
attacker  ...)
-   - clojure 
+   - clojure 
+   NOTE: https://github.com/advisories/GHSA-vr64-r9qj-h27f
NOTE: https://hackmd.io/@fe1w0/rymmJGida
 CVE-2024-22532 (Buffer Overflow vulnerability in XNSoft NConvert 7.163 (for 
Windows x8 ...)
NOT-FOR-US: XNSoft NConvert
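Review bot: in the clojure hunk the line `- clojure ` is removed and re-added with no visible difference, so the change is either trailing whitespace or something not shown in this rendering; if it is whitespace-only churn it should be dropped so the hunk contains only the added GHSA reference.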



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3ca5cee4fae709cb1d13c07ad8ea3e805a63630



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8c0a5ec by Moritz Muehlenhoff at 2024-05-24T16:32:44+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,79 +13,79 @@ CVE-2024-4691
 CVE-2024-5273
NOT-FOR-US: Jenkins plugin
 CVE-2024-5299 (D-Link D-View execMonitorScript Exposed Dangerous Method Remote 
Code E ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-5298 (D-Link D-View queryDeviceCustomMonitorResult Exposed Dangerous 
Method  ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-5297 (D-Link D-View executeWmicCmd Command Injection Remote Code 
Execution V ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-5296 (D-Link D-View Use of Hard-coded Cryptographic Key 
Authentication Bypas ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-5295 (D-Link G416 flupl self Command Injection Remote Code Execution 
Vulnera ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-5294 (D-Link DIR-3040 prog.cgi websSecurityHandler Memory Leak 
Denial-of-Ser ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-5293 (D-Link DIR-2640 HTTP Referer Stack-Based Buffer Overflow Remote 
Code E ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-5292 (D-Link Network Assistant Uncontrolled Search Path Element Local 
Privil ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-5291 (D-Link DIR-2150 GetDeviceSettings Target Command Injection 
Remote Code ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-5279 (A vulnerability was found in Qiwen Netdisk up to 1.4.0. It has 
been de ...)
-   TODO: check
+   NOT-FOR-US: Qiwen Netdisk
 CVE-2024-5247 (NETGEAR ProSAFE Network Management System UpLoadServlet 
Unrestricted F ...)
-   TODO: check
+   NOT-FOR-US: Netgear
 CVE-2024-5246 (NETGEAR ProSAFE Network Management System Tomcat Remote Code 
Execution ...)
-   TODO: check
+   NOT-FOR-US: Netgear
 CVE-2024-5245 (NETGEAR ProSAFE Network Management System Default Credentials 
Local Pr ...)
-   TODO: check
+   NOT-FOR-US: Netgear
 CVE-2024-5244 (TP-Link Omada ER605 Reliance on Security Through Obscurity 
Vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2024-5243 (TP-Link Omada ER605 Buffer Overflow Remote Code Execution 
Vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2024-5242 (TP-Link Omada ER605 Stack-based Buffer Overflow Remote Code 
Execution  ...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2024-5228 (TP-Link Omada ER605  Comexe DDNS Response Handling Heap-based 
Buffer O ...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2024-5227 (TP-Link Omada ER605 PPTP VPN username Command Injection Remote 
Code Ex ...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2024-5205 (The Videojs HTML5 Player plugin for WordPress is vulnerable to 
Stored  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5142 (Stored Cross-Site Scripting vulnerability in Social Module in 
M-Files  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5060 (The LottieFiles \u2013 JSON Based Animation Lottie & Bodymovin 
for Ele ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4544 (The Pie Register - Social Sites Login (Add on) plugin for 
WordPress is ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4485 (The The Plus Addons for Elementor \u2013 Elementor Addons, Page 
Templa ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4484 (The The Plus Addons for Elementor \u2013 Elementor Addons, Page 
Templa ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4409 (The WP-ViperGB plugin for WordPress is vulnerable to Cross-Site 
Reques ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4366 (The Spectra \u2013 WordPress Gutenberg Blocks plugin for 
WordPress is  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3718 (The The Plus Addons for Elementor plugin for WordPress is 
vulnerable t ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3557 (The WP Go Maps (formerly WP Google Maps) plugin for WordPress 
is vulne ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-36361 (Pug through 3.0.2 allows JavaScript code execution if an 
application a ...)
-   TODO: check
+   NOT-FOR-US: Node pug
 CVE-2024-2784 (The The Plus Addons for Elementor plugin for WordPress is 
vulnerable t ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2618 (The Elementor Header & Footer Builder plugin for WordPress is 
vulnerab ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1376 (The Event post plugin for WordPress is vulnerable to 
unauthorized bulk ...)
-   TODO: check
+   
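Review bot: CVE-2024-5142 is tagged `NOT-FOR-US: WordPress plugin`, but its description places the stored XSS in the Social Module of M-Files, not in a WordPress plugin; the tag should name the product actually described (for instance `NOT-FOR-US: M-Files`) so the classification can be checked against the description without re-triage.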

[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
93c070d9 by Moritz Muehlenhoff at 2024-05-24T16:10:00+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,17 @@
+CVE-2024-28793
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-4189
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-4184
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-4690
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-4211
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-4691
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-5273
+   NOT-FOR-US: Jenkins plugin
 CVE-2024-5299 (D-Link D-View execMonitorScript Exposed Dangerous Method Remote 
Code E ...)
TODO: check
 CVE-2024-5298 (D-Link D-View queryDeviceCustomMonitorResult Exposed Dangerous 
Method  ...)
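Review bot: the seven new entries (CVE-2024-28793, CVE-2024-4189, CVE-2024-4184, CVE-2024-4690, CVE-2024-4211, CVE-2024-4691, CVE-2024-5273) are added as bare identifiers without the parenthesised description every other entry in the hunk carries, so nothing in the list says which Jenkins plugin each one concerns; a `NOTE:` with the Jenkins advisory URL, or the description text, would make the `NOT-FOR-US: Jenkins plugin` classification verifiable from the file itself.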



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93c070d9474a74bfbf911abe8578e43f7d4b5a25



[Git][security-tracker-team/security-tracker][master] ofono fixed in sid

2024-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8b46cc8e by Moritz Muehlenhoff at 2024-05-24T11:44:58+02:00
ofono fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17205,7 +17205,7 @@ CVE-2023-6916 (Audit records for OpenAPI requests may 
include sensitive informat
 CVE-2023-52070 (JFreeChart v1.5.4 was discovered to be vulnerable to 
ArrayIndexOutOfBo ...)
NOT-FOR-US: Disputed JFreeChart issue
 CVE-2023-2794 (A flaw was found in ofono, an Open Source Telephony on Linux. A 
stack  ...)
-   - ofono  (bug #1069679)
+   - ofono 1.31-4 (bug #1069679)
[bookworm] - ofono  (Minor issue)
[bullseye] - ofono  (Minor issue)
[buster] - ofono  (Minor issue, follow bullseye)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b46cc8ef13be6dc024989aba5319b0a14420582



[Git][security-tracker-team/security-tracker][master] new gitlab issue

2024-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f99fd8b8 by Moritz Muehlenhoff at 2024-05-24T09:06:54+02:00
new gitlab issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,7 +5,7 @@ CVE-2024-5274
 CVE-2024-5264 (Network Transfer with AES KHT in Thales Luna EFT 2.1 and above 
allows  ...)
NOT-FOR-US: Thales Luna EFT
 CVE-2024-5258 (An authorization vulnerability exists within GitLab from 
versions 16.1 ...)
-   TODO: check
+   - gitlab 
 CVE-2024-5202 (Arbitrary File Readin OpenText Dimensions RM 
allowsauthenticated users ...)
NOT-FOR-US: OpenText Dimensions RM
 CVE-2024-5201 (Privilege Escalationin OpenText Dimensions RM allows an 
authenticated  ...)
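Review bot: `TODO: check` is resolved to a bare `- gitlab ` line with neither a fixed version nor a `(bug #...)` reference, so the entry records gitlab as affected in unstable but gives nothing to resolve it against; since the description already pins the affected range to GitLab 16.1 onward, the upstream fixed release and a bug number belong on this line so a later triager can close it once the package catches up.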



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f99fd8b8a2d7db7021a89a5bfb81cff354e5f3a9



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
235c5fb0 by Moritz Muehlenhoff at 2024-05-24T09:05:43+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7,13 +7,13 @@ CVE-2024-5264 (Network Transfer with AES KHT in Thales Luna 
EFT 2.1 and above al
 CVE-2024-5258 (An authorization vulnerability exists within GitLab from 
versions 16.1 ...)
TODO: check
 CVE-2024-5202 (Arbitrary File Readin OpenText Dimensions RM 
allowsauthenticated users ...)
-   TODO: check
+   NOT-FOR-US: OpenText Dimensions RM
 CVE-2024-5201 (Privilege Escalationin OpenText Dimensions RM allows an 
authenticated  ...)
-   TODO: check
+   NOT-FOR-US: OpenText Dimensions RM
 CVE-2024-5168 (Improper access control vulnerability in Prodys' Quantum Audio 
codec a ...)
-   TODO: check
+   NOT-FOR-US: Prodys Quantum Audio codec
 CVE-2024-5165 (In Eclipse Ditto versions 3.0.0 to 3.5.5, the user input of 
several in ...)
-   TODO: check
+   NOT-FOR-US: Eclipse Ditto
 CVE-2024-5143 (A user with device administrative privileges can change 
existing SMTP  ...)
NOT-FOR-US: HP
 CVE-2024-5085 (The Hash Form \u2013 Drag & Drop Form Builder plugin for 
WordPress is  ...)
@@ -37,11 +37,11 @@ CVE-2024-35570 (An arbitrary file upload vulnerability in 
the component \control
 CVE-2024-35375 (There is an arbitrary file upload vulnerability on the media 
add .php  ...)
NOT-FOR-US: DedeCMS
 CVE-2024-35224 (OpenProject is the leading open source project management 
software. Op ...)
-   TODO: check
+   NOT-FOR-US: OpenProject
 CVE-2024-35223 (Dapr is a portable, event-driven, runtime for building 
distributed app ...)
-   TODO: check
+   NOT-FOR-US: Dapr
 CVE-2024-35222 (Tauri is a framework for building binaries for all major 
desktop platf ...)
-   TODO: check
+   NOT-FOR-US: Tauri
 CVE-2024-35197 (gitoxide is a pure Rust implementation of Git. On Windows, 
fetching re ...)
- rust-gitoxide  (bug #1043208)
 CVE-2024-35186 (gitoxide is a pure Rust implementation of Git. During 
checkout, `gix-w ...)
@@ -87,9 +87,9 @@ CVE-2024-34928 (A SQL injection vulnerability in 
/model/update_subject_routing.p
 CVE-2024-34927 (A SQL injection vulnerability in /model/update_classroom.php 
in Campco ...)
NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-34060 (IrisEVTXModule is an interface module for Evtx2Splunk and Iris 
in orde ...)
-   TODO: check
+   NOT-FOR-US: IrisEVTXModule
 CVE-2024-32969 (vantage6 is an open-source infrastructure for privacy 
preserving analy ...)
-   TODO: check
+   NOT-FOR-US: vantage6
 CVE-2024-31843 (An issue was discovered in Italtel Embrace 1.6.4. The Web 
application  ...)
NOT-FOR-US: Italtel Embrace
 CVE-2024-30280 (Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier 
are aff ...)
@@ -99,17 +99,17 @@ CVE-2024-30279 (Acrobat Reader versions 20.005.30574, 
24.002.20736 and earlier a
 CVE-2024-2861 (The ProfilePress plugin for WordPress is vulnerable to Stored 
Cross-Si ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-2301 (Certain HP LaserJet Pro devices are potentially vulnerable to a 
Cross- ...)
-   TODO: check
+   NOT-FOR-US: HP
 CVE-2024-28188 (Jupyter Scheduler is collection of extensions for programming 
jobs to  ...)
TODO: check
 CVE-2024-26139 (OpenCTI is an open source platform allowing organizations to 
manage th ...)
-   TODO: check
+   NOT-FOR-US: OpenCTI
 CVE-2024-1815 (The Spectra \u2013 WordPress Gutenberg Blocks plugin for 
WordPress is  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1814 (The Spectra \u2013 WordPress Gutenberg Blocks plugin for 
WordPress is  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1803 (The EmbedPress \u2013 Embed PDF, Google Docs, Vimeo, Wistia, 
Embed You ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4859
REJECTED
 CVE-2024-5241 (A vulnerability was found in Huashi Private Cloud CDN Live 
Streaming A ...)
@@ -153,9 +153,9 @@ CVE-2024-4486 (The Awesome Contact Form7 for Elementor 
plugin for WordPress is v
 CVE-2024-4431 (The LA-Studio Element Kit for Elementor plugin for WordPress is 
vulner ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4399 (The  does not validate a parameter before making a request to 
it, whic ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4388 (This  does not validate a path generated with user input when 
download ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4347 (The WP Fastest Cache plugin for WordPress is vulnerable to 
Directory T ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4043 (The WP Ultimate Post Grid plugin for WordPress is vulnerable to 
Stored ...)
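Review bot: CVE-2024-4399 (`The  does not validate a parameter ...`) and CVE-2024-4388 (`This  does not validate a path ...`) have descriptions in which the product name is blank, so the `NOT-FOR-US: WordPress plugin` tag cannot be checked against the text in the list; a `NOTE:` pointing at the advisory that identifies the plugin would keep the classification auditable when the descriptions are later refreshed.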
@@ -182,9 +182,9 @@ 

[Git][security-tracker-team/security-tracker][master] maxima fixed in sid

2024-05-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7905a3c1 by Moritz Muehlenhoff at 2024-05-23T17:02:02+02:00
maxima fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8314,7 +8314,7 @@ CVE-2024-4492 (A vulnerability, which was classified as 
critical, has been found
 CVE-2024-4491 (A vulnerability classified as critical was found in Tenda i21 
1.0.0.14 ...)
NOT-FOR-US: Tenda
 CVE-2024-34490 (In Maxima through 5.47.0 before 51704c, the plotting 
facilities make u ...)
-   - maxima  (bug #1071630)
+   - maxima 5.47.0-1 (bug #1071630)
[bookworm] - maxima  (Minor issue)
[bullseye] - maxima  (Minor issue)
[buster] - maxima  (Minor issue)
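Review bot: the fixed version `5.47.0-1` carries the same upstream version the description lists as affected (`through 5.47.0 before 51704c`), so the fix must live in the Debian revision as a backported patch rather than in a new upstream release; worth confirming that 5.47.0-1 really ships the 51704c change, and the `NOTE:` with the upstream commit URL added to this entry in afab11fd is what makes that version claim checkable.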



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7905a3c16a23f0d4db4560bf213b2ecc64d4c532



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-05-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cf0f6dee by Moritz Muehlenhoff at 2024-05-23T16:59:55+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -2673,6 +2673,8 @@ CVE-2024-24293 (A Prototype Pollution issue in 
MiguelCastillo @bit/loader v.10.0
NOT-FOR-US: @bit/loader
 CVE-2024-1968 (In scrapy/scrapy, an issue was identified where the 
Authorization head ...)
- python-scrapy 2.11.2-1
+   [bookworm] - python-scrapy  (Minor issue)
+   [bullseye] - python-scrapy  (Minor issue)
NOTE: https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a
NOTE: 
https://github.com/scrapy/scrapy/security/advisories/GHSA-4qqq-9vqf-3h3f
NOTE: 
https://github.com/scrapy/scrapy/commit/f8d6c456e0669ea5344e93fe9206bd1ffebc2008
 (2.11.2)
@@ -5379,6 +5381,7 @@ CVE-2024-20256 (A vulnerability in the web-based 
management interface of Cisco A
NOT-FOR-US: Cisco
 CVE-2023-7258 (A denial of service exists in Gvisor Sandbox where a bug in 
reference  ...)
- golang-gvisor-gvisor 
+   [bookworm] - golang-gvisor-gvisor  (Minor issue)
NOTE: 
https://github.com/google/gvisor/commit/6a112c60a257dadac59962e0bc9e9b5aee70b5b6
 CVE-2023-6324 (ThroughTek Kalay SDK uses a predictable PSK value in the DTLS 
session  ...)
NOT-FOR-US: ThroughTek Kalay SDK
@@ -11557,6 +11560,8 @@ CVE-2023-52647 (In the Linux kernel, the following 
vulnerability has been resolv
NOTE: 
https://git.kernel.org/linus/eb2f932100288dbb881eadfed02e1459c6b9504c (6.9-rc1)
 CVE-2024-4340 (Passing a heavily nested list to sqlparse.parse() leads to a 
Denial of ...)
- sqlparse 0.5.0-1 (bug #1070148)
+   [bookworm] - sqlparse  (Minor issue)
+   [bullseye] - sqlparse  (Minor issue)
[buster] - sqlparse  (Minor issue)
NOTE: Fixed by: 
https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
 (0.5.0)
NOTE: https://github.com/advisories/GHSA-2m57-hf25-phgg
@@ -11679,6 +11684,8 @@ CVE-2023-36268 (An issue in The Document Foundation 
Libreoffice v.7.4.7 allows a
NOTE: Resource overload in desktop app, no security impact
 CVE-2024-29040
- tpm2-tss 4.1.0-1 (bug #1070140)
+   [bookworm] - tpm2-tss  (Minor issue)
+   [bullseye] - tpm2-tss  (Minor issue)
NOTE: 
https://github.com/tpm2-software/tpm2-tss/commit/710cd0b6adf3a063f34a8e92da46df7a107d9a99
 (4.1.0)
 CVE-2024-29039
- tpm2-tools 5.7-1 (bug #1070139)
@@ -12515,10 +12522,14 @@ CVE-2024-33665 (angular-translate through 2.19.1 
allows XSS via a crafted key th
NOT-FOR-US: angular-translate
 CVE-2024-33664 (python-jose through 3.3.0 allows attackers to cause a denial 
of servic ...)
- python-jose  (bug #1070375)
+   [bookworm] - python-jose  (Minor issue)
+   [bullseye] - python-jose  (Minor issue)
NOTE: https://github.com/mpdavis/python-jose/issues/344
NOTE: https://github.com/mpdavis/python-jose/pull/345
 CVE-2024-33663 (python-jose through 3.3.0 has algorithm confusion with OpenSSH 
ECDSA k ...)
- python-jose  (bug #1070375)
+   [bookworm] - python-jose  (Minor issue)
+   [bullseye] - python-jose  (Minor issue)
NOTE: https://github.com/mpdavis/python-jose/issues/346
 CVE-2024-33661 (Portainer before 2.20.0 allows redirects when the target is 
not index. ...)
NOT-FOR-US: Portainer
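Review bot: CVE-2024-33663 is described as an algorithm confusion with OpenSSH ECDSA keys in python-jose, and algorithm confusion in a JOSE library bears on signature verification rather than on availability, so `(Minor issue)` for bookworm and bullseye deserves a one-line justification in the entry (the linked upstream issue 346 is the place to draw it from); both python-jose entries also still have no fixed version in unstable, only `(bug #1070375)`, so the stable triage is being recorded before any fix exists to backport.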
@@ -12544,6 +12555,8 @@ CVE-2024-32404 (Server-Side Template Injection (SSTI) 
vulnerability in inducer r
NOT-FOR-US: inducer relate
 CVE-2024-31755 (cJSON v1.7.17 was discovered to contain a segmentation 
violation, whic ...)
- cjson 
+   [bookworm] - cjson  (Minor issue)
+   [bullseye] - cjson  (Minor issue)
[buster] - cjson  (Sefault only; can be piggy-backed with 
future DLAs)
NOTE: https://github.com/DaveGamble/cJSON/issues/839
NOTE: https://github.com/DaveGamble/cJSON/pull/840
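Review bot: the `- cjson ` line still has no fixed version and no bug reference while bookworm and bullseye are now triaged as `(Minor issue)`, so the issue is marked low-priority in stable without anything tracking the fix for unstable; the unchanged buster annotation also reads `Sefault only`, a typo for `Segfault` that can be corrected the next time this entry is touched.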
@@ -13675,6 +13688,8 @@ CVE-2024-21846 (An unauthenticated attacker can reset 
the board and stop transmi
NOT-FOR-US: Electrolink
 CVE-2024-1681 (corydolphin/flask-cors is vulnerable to log injection when the 
log lev ...)
- python-flask-cors 4.0.1-1 (bug #1069764)
+   [bookworm] - python-flask-cors  (Minor issue)
+   [bullseye] - python-flask-cors  (Minor issue)
[buster] - python-flask-cors  (Minor issue)
NOTE: https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644
NOTE: https://github.com/corydolphin/flask-cors/issues/349
@@ -15160,6 +15175,7 @@ CVE-2024-21097 (Vulnerability in the PeopleSoft 
Enterprise PeopleTools product o
 CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
- mysql-8.0 8.0.37-1 (bug #1069189)
- mariadb 1:10.11.8-1
+ 

[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b19b64ea by Moritz Muehlenhoff at 2024-05-22T23:26:56+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -7625,6 +7625,8 @@ CVE-2024-33120 (Roothub v2.5 was discovered to contain an 
arbitrary file upload
NOT-FOR-US: Roothub
 CVE-2024-32867 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.5-1
+   [bookworm] - suricata  (Minor issue)
+   [bullseye] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-xvrx-88mv-xcq5
NOTE: 
https://github.com/OISF/suricata/commit/2f39ba75f153ba9bdf8eedc2a839cc973dbaea66
 (suricata-7.0.5)
NOTE: 
https://github.com/OISF/suricata/commit/1e110d0a71db46571040b937e17a4bc9f91d6de9
 (suricata-7.0.5)
@@ -7637,11 +7639,15 @@ CVE-2024-32867 (Suricata is a network Intrusion 
Detection System, Intrusion Prev
NOTE: https://redmine.openinfosecfoundation.org/issues/6677
 CVE-2024-32664 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.5-1
+   [bookworm] - suricata  (Minor issue)
+   [bullseye] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-79vh-hpwq-3jh7
NOTE: 
https://github.com/OISF/suricata/commit/311002baf288a225f62cf18a90c5fdd294447379
 (suricata-7.0.5)
NOTE: 
https://github.com/OISF/suricata/commit/d5ffecf11ad2c6fe89265e518f5d7443caf26ba4
 (suricata-6.0.19)
 CVE-2024-32663 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.5-1
+   [bookworm] - suricata  (Minor issue)
+   [bullseye] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r
NOTE: 
https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64
 (suricata-6.0.19)
NOTE: 
https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019
 (suricata-6.0.19)
@@ -60244,6 +60250,7 @@ CVE-2023-40930 (An issue in the directory 
/system/bin/blkid of Skyworth v3.0 all
 CVE-2023-40619 (phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization 
of untr ...)
{DLA-3644-1}
- phppgadmin 7.14.7+dfsg-1 (bug #1053004)
+   [bookworm] - phppgadmin  (Package in stable is broken and will 
be removed)
NOTE: https://github.com/phppgadmin/phppgadmin/issues/174
NOTE: https://github.com/hestiacp/phppgadmin/pull/4
 CVE-2023-40618 (A reflected cross-site scripting (XSS) vulnerability in 
OpenKnowledgeM ...)
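Review bot: `(Package in stable is broken and will be removed)` replaces a triage decision with a removal intent but gives no reference to the removal request, so nothing in the entry lets a reader confirm the removal is actually underway; adding the RM bug number here (and on the identical CVE-2019-10784 annotation in the next hunk) would keep the state auditable, since until the removal lands the deserialization issue stays unaddressed in bookworm. Dropping phppgadmin from data/dsa-needed.txt in the same commit is consistent with that intent.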
@@ -367772,7 +367779,7 @@ CVE-2019-10785 (dojox is vulnerable to Cross-site 
Scripting in all versions befo
NOTE: https://github.com/dojo/dojox/pull/315
 CVE-2019-10784 (phppgadmin through 7.12.1 allows sensitive actions to be 
performed wit ...)
- phppgadmin 7.14.7+dfsg-1 (bug #953945)
-   [bookworm] - phppgadmin  (Minor issue)
+   [bookworm] - phppgadmin  (Package in stable is broken and will 
be removed)
[bullseye] - phppgadmin  (Minor issue)
[buster] - phppgadmin  (Minor issue)
[stretch] - phppgadmin  (Minor issue)


=
data/dsa-needed.txt
=
@@ -47,8 +47,6 @@ php-horde-mime-viewer/oldstable
 --
 php-horde-turba/oldstable
 --
-phppgadmin
---
 pillow (jmm)
 --
 pymatgen/stable
@@ -79,5 +77,7 @@ ruby-tzinfo/oldstable
 --
 squid
 --
+tinyproxy (jmm)
+--
 zabbix
 --
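Review bot: adding `tinyproxy (jmm)` to data/dsa-needed.txt is unrelated to the suricata and phppgadmin changes this commit otherwise makes and is not covered by the commit message `bookworm/bullseye triage`; it is a claim on a DSA rather than a triage decision, so a separate commit or a mention in the message would keep the dsa-needed history searchable.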



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b19b64ea0d11cd197069ae5064698348846af1dc



[Git][security-tracker-team/security-tracker][master] redmine commit refs

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0b9feb2a by Moritz Muehlenhoff at 2024-05-22T19:54:58+02:00
redmine commit refs

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -52110,12 +52110,15 @@ CVE-2017-20187 (** UNSUPPORTED WHEN ASSIGNED ** A 
vulnerability was found in Mag
 CVE-2023-47260 (Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via 
thumbnails ...)
- redmine  (bug #1055474)
NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: 
https://github.com/redmine/redmine/commit/15d0ea8c596f306131de2bd7edd1ae28ff122103
 (5.0-stable)
 CVE-2023-47259 (Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the 
Textile ...)
- redmine  (bug #1055474)
NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: 
https://github.com/redmine/redmine/commit/ea4bf1eba4b680159a873aa468364826f4d13385
 (5.0-stable)
 CVE-2023-47258 (Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a 
Markdown  ...)
- redmine  (bug #1055474)
NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: 
https://github.com/redmine/redmine/commit/03bcf782463c9b84c6fe53b17cb1b781df6d8771
 (5.0-stable)
 CVE-2023-47249 (In International Color Consortium DemoIccMAX 79ecb74, a 
CIccXmlArrayTy ...)
NOT-FOR-US: International Color Consortium DemoIccMAX
 CVE-2023-46981 (SQL injection vulnerability in Novel-Plus v.4.2.0 allows a 
remote atta ...)
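Review bot: the three redmine entries still read `- redmine  (bug #1055474)` with no fixed version in unstable even though each description states the upstream fixes (4.2.11 and 5.0.6), and the commit references added are all from the `5.0-stable` branch; if the package in stable or oldstable is on the 4.2 series, the matching 4.2-stable commits should be recorded too, since the `redmine/stable (jmm)` claim added to data/dsa-needed.txt in this commit is what these references are meant to support.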


=
data/dsa-needed.txt
=
@@ -57,7 +57,7 @@ python-asyncssh
 --
 python-pymysql
 --
-redmine/stable
+redmine/stable (jmm)
 --
 ring/oldstable
   might make sense to rebase to current version



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b9feb2adf04ec53a14af19e652124be8e6045b5



[Git][security-tracker-team/security-tracker][master] bugnums

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d0e106d4 by Moritz Muehlenhoff at 2024-05-22T17:23:03+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -447,7 +447,7 @@ CVE-2024-3268 (The YouTube Video Gallery by YouTube 
Showcase \u2013 Video Galler
 CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to 
spoof the s ...)
NOT-FOR-US: WinRAR
 CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with 
untrusted JSON ...)
-   - python-pymysql 
+   - python-pymysql  (bug #1071628)
NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp
NOTE: 
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
 (v1.1.1)
 CVE-2024-35386 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
@@ -4869,8 +4869,8 @@ CVE-2024-35184 (Paperless-ngx is a document management 
system that transforms ph
 CVE-2024-35183 (wolfictl is a command line tool for working with Wolfi. A git 
authenti ...)
TODO: check
 CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 
has a den ...)
-   - ruby3.2 
-   - ruby3.1 
+   - ruby3.2  (bug #1071627)
+   - ruby3.1  (bug #1071626)
[bookworm] - ruby3.1  (Minor issue)
- ruby2.7 
- ruby2.5 
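Review bot: bug numbers are filed for ruby3.2 and ruby3.1 only, while `- ruby2.7 ` and `- ruby2.5 ` stay as bare affected lines without a bug reference, and the only suite annotation is `[bookworm] - ruby3.1  (Minor issue)`; there is no `[bullseye]` or `[buster]` triage line to go with the ruby2.7 and ruby2.5 entries, so the status of this REXML denial of service in those suites is undetermined in the list even though the interpreters are recorded as affected.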
@@ -5919,13 +5919,13 @@ CVE-2024-4813 (A vulnerability classified as critical 
has been found in Ruijie R
 CVE-2024-4747 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4068 (The NPM package `braces` fails to limit the number of 
characters it ca ...)
-   - node-braces 
+   - node-braces  (bug #1071632)
[bookworm] - node-braces  (Minor issue)
[bullseye] - node-braces  (Minor issue)
[buster] - node-braces  (Minor issue)
NOTE: https://github.com/micromatch/braces/issues/35
 CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular 
Expression Denia ...)
-   - node-micromatch 
+   - node-micromatch  (bug #1071631)
[bookworm] - node-micromatch  (Minor issue)
[bullseye] - node-micromatch  (Minor issue)
[buster] - node-micromatch  (Minor issue)
@@ -7146,7 +7146,7 @@ CVE-2024-34257 (TOTOLINK EX1800T V9.1.0cu.2112_B20220316 
has a vulnerability in
 CVE-2024-34255 (jizhicms v2.5.1 contains a Cross-Site Scripting(XSS) 
vulnerability in  ...)
NOT-FOR-US: jizhicms
 CVE-2024-34244 (libmodbus v3.1.10 is vulnerable to Buffer Overflow via the 
modbus_writ ...)
-   - libmodbus 
+   - libmodbus  (bug #1071633)
[bookworm] - libmodbus  (Minor issue)
[bullseye] - libmodbus  (Minor issue)
[buster] - libmodbus  (Minor issue; out-of-bounds read, DoS)
@@ -8048,7 +8048,7 @@ CVE-2024-4492 (A vulnerability, which was classified as 
critical, has been found
 CVE-2024-4491 (A vulnerability classified as critical was found in Tenda i21 
1.0.0.14 ...)
NOT-FOR-US: Tenda
 CVE-2024-34490 (In Maxima through 5.47.0 before 51704c, the plotting 
facilities make u ...)
-   - maxima 
+   - maxima  (bug #1071630)
[bookworm] - maxima  (Minor issue)
[bullseye] - maxima  (Minor issue)
[buster] - maxima  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0e106d41947da7c67df7bbf0fd5f85c734f459c



[Git][security-tracker-team/security-tracker][master] maxima commit reference

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
afab11fd by Moritz Muehlenhoff at 2024-05-22T17:17:52+02:00
maxima commit reference

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8053,6 +8053,7 @@ CVE-2024-34490 (In Maxima through 5.47.0 before 51704c, 
the plotting facilities
[bullseye] - maxima  (Minor issue)
[buster] - maxima  (Minor issue)
NOTE: https://sourceforge.net/p/maxima/bugs/3755/
+   NOTE: 
https://sourceforge.net/p/maxima/code/ci/51704ccb090f6f971b641e4e0b7c1c22c4828bf7/
 CVE-2024-34489 (OFPHello in parser.py in Faucet SDN Ryu 4.34 allows attackers 
to cause ...)
NOT-FOR-US: Faucet SDN Ryu
 CVE-2024-34488 (OFPMultipartReply in parser.py in Faucet SDN Ryu 4.34 allows 
attackers ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afab11fdeeb79805bc75a7eda8c470e3d83540c2



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5e371d0 by Moritz Muehlenhoff at 2024-05-22T16:57:21+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -2335,6 +2335,8 @@ CVE-2024-3155 (The Post Grid, Form Maker, Popup Maker, 
WooCommerce Blocks, Post
NOT-FOR-US: WordPress plugin
 CVE-2024-35195 (Requests is a HTTP library. Prior to 2.32.0, when making 
requests thro ...)
- requests  (bug #1071593)
+   [bookworm] - requests  (Minor issue)
+   [bullseye] - requests  (Minor issue)
NOTE: 
https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
NOTE: https://github.com/psf/requests/pull/6655
NOTE: 
https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356 
(v2.32.0)
@@ -4493,6 +4495,8 @@ CVE-2023-47282 (Out-of-bounds write in Intel(R) Media SDK 
all versions and some
NOT-FOR-US: Intel
 CVE-2023-47210 (Improper input validation for some Intel(R) PROSet/Wireless 
WiFi softw ...)
- firmware-nonfree 
+   [bookworm] - firmware-nonfree  (Minor issue)
+   [bullseye] - firmware-nonfree  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
TODO: check, likely fixed in 20240513 tag update
 CVE-2023-47169 (Improper buffer restrictions in Intel(R) Media SDK software 
all versio ...)
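Review bot: the new [bookworm] and [bullseye] "Minor issue" lines for CVE-2023-47210 sit above a still-open "TODO: check, likely fixed in 20240513 tag update" and an unstable line without a fixed version, so the stable triage is recorded before the fix state is known. Resolve the TODO first, either by putting the firmware-nonfree version that carries the 20240513 tag on the "- firmware-nonfree" line or by a NOTE saying the tag does not contain a fix, so that "Minor issue" rests on a known fix status. The same applies to the identical CVE-2023-38417 entry in the next hunk.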
@@ -4577,6 +4581,8 @@ CVE-2023-38420 (Improper conditions check in Intel(R) 
Power Gadget software for
NOT-FOR-US: Intel
 CVE-2023-38417 (Improper input validation for some Intel(R) PROSet/Wireless 
WiFi softw ...)
- firmware-nonfree 
+   [bookworm] - firmware-nonfree  (Minor issue)
+   [bullseye] - firmware-nonfree  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
TODO: check, likely fixed in 20240513 tag update
 CVE-2023-38399 (Improper Limitation of a Pathname to a Restricted Directory 
('Path Tra ...)
@@ -4865,6 +4871,7 @@ CVE-2024-35183 (wolfictl is a command line tool for 
working with Wolfi. A git au
 CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 
has a den ...)
- ruby3.2 
- ruby3.1 
+   [bookworm] - ruby3.1  (Minor issue)
- ruby2.7 
- ruby2.5 
NOTE: 
https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
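Review bot: this hunk adds only "[bookworm] - ruby3.1 (Minor issue)" although the commit is titled "bookworm/bullseye triage", and the ruby2.7 and ruby2.5 lines below it keep no release annotation. If ruby2.7 is the bullseye source, a matching "[bullseye] - ruby2.7 (Minor issue)" (or a note explaining why bullseye is left open) is needed for the entry to read consistently; ruby3.2 also still has no fixed version.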
@@ -5743,22 +5750,24 @@ CVE-2024-4764 (Multiple WebRTC threads could have 
claimed a newly connected audi
- firefox 126.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4764
 CVE-2024-4855 (Use after free issue in editcap could cause denial of service 
via craf ...)
-   - wireshark 4.2.5-1
-   [buster] - wireshark  (can be piggyback'd with the next 
update)
+   - wireshark 4.2.5-1 (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-09.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19782
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19783
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19784
 CVE-2024-4854 (MONGO and ZigBee TLV dissector infinite loops in Wireshark 
4.2.0 to 4. ...)
- wireshark 4.2.5-1
+   [bookworm] - wireshark  (Minor issue)
+   [bullseye] - wireshark  (Minor issue)
[buster] - wireshark  (can be piggyback'd with the next 
update)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-07.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19726
NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15047
NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15499
 CVE-2024-4853 (Memory handling issue in editcap could cause denial of service 
via cra ...)
-   - wireshark 4.2.5-1
-   [buster] - wireshark  (can be piggyback'd with the next 
update)
+   - wireshark 4.2.5-1 (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-08.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19724
 CVE-2024-4840 (An flaw was found in the OpenStack Platform (RHOSP) director, a 
toolse ...)
@@ -6081,7 +6090,10 @@ CVE-2024-28866 (GoCD is a continuous delivery server. 
GoCD versions from 19.4.0
NOT-FOR-US: GoCD
 CVE-2024-28285 (A Fault Injection vulnerability in the SymmetricDecrypt 
function in cr ...)
- libcrypto++ 
-   TODO: check details
+   [bookworm] - libcrypto++  (Minor issue)
+   [bullseye] - libcrypto++  (Minor issue)
+   NOTE: https://groups.google.com/g/cryptopp-users/c/UkVcH2IWR2M?pli=1
+   NOTE: https://github.com/weidai11/cryptopp/issues/1262
 CVE-2024-28279 
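Review bot: the two NOTE links replace "TODO: check details", but the "- libcrypto++" line still carries neither a fixed version nor a "(bug #...)" reference, unlike the other unfixed entries in this commit. If the cryptopp issue linked at https://github.com/weidai11/cryptopp/issues/1262 has no upstream fix yet, a one-line NOTE saying so would make the "Minor issue" classification self-explanatory for the next triager.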

[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d96f0d5 by Moritz Muehlenhoff at 2024-05-22T13:27:12+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -433,7 +433,7 @@ CVE-2024-3345 (The ShopLentor plugin for WordPress is 
vulnerable to Stored Cross
 CVE-2024-3268 (The YouTube Video Gallery by YouTube Showcase \u2013 Video 
Gallery Plu ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to 
spoof the s ...)
-   TODO: check
+   NOT-FOR-US: WinRAR
 CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with 
untrusted JSON ...)
- python-pymysql 
NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp
@@ -2390,7 +2390,7 @@ CVE-2024-34193 (smanga 3.2.7 does not filter the file 
parameter at the PHP/get f
 CVE-2024-31714 (Buffer Overflow vulnerability in Waxlab wax v.0.9-3 and before 
allows  ...)
NOT-FOR-US: Waxlab wax
 CVE-2024-2835 (A Stored Cross-Site Scripting (XSS) vulnerability has been 
identified  ...)
-   TODO: check
+   NOT-FOR-US: ArcSight Enterprise Security Manager
 CVE-2024-29651 (A Prototype Pollution issue in API Dev Tools 
json-schema-ref-parser v. ...)
NOT-FOR-US: Node json-schema-ref-parser
 CVE-2024-29000 (The SolarWinds Platform was determined to be affected by a 
reflected c ...)
@@ -2398,9 +2398,9 @@ CVE-2024-29000 (The SolarWinds Platform was determined to 
be affected by a refle
 CVE-2024-27312 (Zoho ManageEngine PAM360 version 6601 is vulnerable to 
authorization v ...)
NOT-FOR-US: Zoho ManageEngine
 CVE-2024-24294 (A Prototype Pollution issue in Blackprint @blackprint/engine 
v.0.9.0 a ...)
-   TODO: check
+   NOT-FOR-US: @blackprint/engine
 CVE-2024-24293 (A Prototype Pollution issue in MiguelCastillo @bit/loader 
v.10.0.3 all ...)
-   TODO: check
+   NOT-FOR-US: @bit/loader
 CVE-2024-1968 (In scrapy/scrapy, an issue was identified where the 
Authorization head ...)
- python-scrapy 2.11.2-1
NOTE: https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a
@@ -2812,7 +2812,7 @@ CVE-2024-36078 (In Zammad before 6.3.1, a Ruby gem 
bundled by Zammad is installe
 CVE-2024-36076 (Cross-Site WebSocket Hijacking in SysReptor from version 
2024.28 to ve ...)
NOT-FOR-US: Syslifters SysReptor
 CVE-2024-36070 (tine before 2023.11.8, when an LDAP backend is used, allows 
anonymous  ...)
-   TODO: check
+   NOT-FOR-US: Tine groupware
 CVE-2024-36053 (In the mintupload package through 4.2.0 for Linux Mint, 
service-name m ...)
NOT-FOR-US: mintupload
 CVE-2024-35947 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
@@ -3322,7 +3322,7 @@ CVE-2024-23556 (SSL/TLS Renegotiation functionality 
potentially leading to DoS a
 CVE-2024-23554 (Cross-Site Request Forgery (CSRF) on Session Token 
vulnerability that  ...)
NOT-FOR-US: HCL
 CVE-2023-52424 (The IEEE 802.11 standard sometimes enables an adversary to 
trick a vic ...)
-   TODO: check
+   NOT-FOR-US: IEEE 802.11 standard
 CVE-2024-5072 (Improper input validation in PAM JIT elevation feature in 
Devolutions  ...)
NOT-FOR-US: Devolutions Server
 CVE-2024-5066 (A vulnerability classified as critical was found in PHPGurukul 
Online  ...)
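Review bot: "NOT-FOR-US: IEEE 802.11 standard" names a standard rather than a product as the reason, which is unusual for this file; a protocol-level finding can apply to every implementation of the standard, so the entry as written does not show whether any packaged 802.11 implementation was checked. A NOTE stating why no Debian package needs a change, or a link to the underlying research, would make the classification verifiable later.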
@@ -3810,7 +3810,7 @@ CVE-2024-34370 (Improper Privilege Management 
vulnerability in WPFactory EAN for
 CVE-2024-34241 (A cross-site scripting (XSS) vulnerability in Rocketsoft 
Rocket LMS 1. ...)
NOT-FOR-US: Rocketsoft Rocket LMS
 CVE-2024-34058 (The WebTop package for NethServer 7 and 8 allows stored XSS 
(for examp ...)
-   TODO: check
+   NOT-FOR-US: WebTop package for NethServer
 CVE-2024-33917 (Authentication Bypass by Spoofing vulnerability in 
webtechideas WTI Li ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-33644 (Improper Control of Generation of Code ('Code Injection') 
vulnerabilit ...)
@@ -4556,7 +4556,7 @@ CVE-2023-40071 (Improper access control in some Intel(R) 
GPA software installers
 CVE-2023-40070 (Improper access control in some Intel(R) Power Gadget software 
for mac ...)
NOT-FOR-US: Intel
 CVE-2023-39929 (Uncontrolled search path in some Libva software maintained by 
Intel(R) ...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2023-39433 (Improper access control for some Intel(R) CST software before 
version  ...)
NOT-FOR-US: Intel
 CVE-2023-39163 (Improper Limitation of a Pathname to a Restricted Directory 
('Path Tra ...)
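Review bot: the description for CVE-2023-39929 names "Libva software maintained by Intel(R)", but the new label says only "NOT-FOR-US: Intel", which reads as though Intel were the product. If the affected component is an Intel-specific build or installer rather than the libva library itself, name it in the label (as the other entries in this batch do, e.g. "NOT-FOR-US: Tine groupware") or add a NOTE, so the next triager does not have to re-check whether a packaged libva is in scope.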
@@ -4564,49 +4564,49 @@ CVE-2023-39163 (Improper Limitation of a Pathname to a 
Restricted Directory ('Pa
 CVE-2023-38654 (Improper input validation for some some Intel(R) 
PROSet/Wireless WiFi  ...)
TODO: check
 CVE-2023-38581 (Buffer overflow in Intel(R) Power Gadget software for Windows 
all vers ...)
-   TODO: check
+ 

[Git][security-tracker-team/security-tracker][master] new python-pymysql issue

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
96c8f1ae by Moritz Muehlenhoff at 2024-05-22T12:31:00+02:00
new python-pymysql issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -435,7 +435,9 @@ CVE-2024-3268 (The YouTube Video Gallery by YouTube 
Showcase \u2013 Video Galler
 CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to 
spoof the s ...)
TODO: check
 CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with 
untrusted JSON ...)
-   TODO: check
+   - python-pymysql 
+   NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp
+   NOTE: 
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
 (v1.1.1)
 CVE-2024-35386 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
NOT-FOR-US: Cesenta MJS
 CVE-2024-35385 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96c8f1aeef079f3787562ae0786b19a535ff260b



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
619e7ca5 by Moritz Muehlenhoff at 2024-05-22T10:39:49+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -287,7 +287,7 @@ CVE-2024-5157
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-4988 (The mobile application (com.transsion.videocallenhancer) 
interface has ...)
-   TODO: check
+   NOT-FOR-US: com.transsion.videocallenhancer
 CVE-2024-4876 (The HT Mega \u2013 Absolute Addons For Elementor plugin for 
WordPress  ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4875 (The HT Mega \u2013 Absolute Addons For Elementor plugin for 
WordPress  ...)
@@ -305,107 +305,107 @@ CVE-2024-4553 (The WP Shortcodes Plugin \u2014 
Shortcodes Ultimate plugin for Wo
 CVE-2024-4452 (The ElementsKit Pro plugin for WordPress is vulnerable to 
Stored Cross ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4435 (When storing unbounded types in a BTreeMap, a node is 
represented as a ...)
-   TODO: check
+   NOT-FOR-US: ic-stable-structures
 CVE-2024-4420 (There exists a Denial of service vulnerability in Tink-cc in 
versions  ...)
-   TODO: check
+   NOT-FOR-US: Tink-cc
 CVE-2024-4361 (The Page Builder by SiteOrigin plugin for WordPress is 
vulnerable to S ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4154 (In lunary-ai/lunary version 1.2.2, an incorrect synchronization 
vulner ...)
NOT-FOR-US: lunary-ai/lunary
 CVE-2024-3345 (The ShopLentor plugin for WordPress is vulnerable to Stored 
Cross-Site ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3268 (The YouTube Video Gallery by YouTube Showcase \u2013 Video 
Gallery Plu ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to 
spoof the s ...)
TODO: check
 CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with 
untrusted JSON ...)
TODO: check
 CVE-2024-35386 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
-   TODO: check
+   NOT-FOR-US: Cesenta MJS
 CVE-2024-35385 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
-   TODO: check
+   NOT-FOR-US: Cesenta MJS
 CVE-2024-35384 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
-   TODO: check
+   NOT-FOR-US: Cesenta MJS
 CVE-2024-35361 (MTab Bookmark v1.9.5 has an SQL injection vulnerability in 
/LinkStore/ ...)
-   TODO: check
+   NOT-FOR-US: MTab Bookmark
 CVE-2024-35218 (Umbraco CMS is an ASP.NET CMS used by more than 730.000 
websites. Stor ...)
NOT-FOR-US: Umbraco CMS
 CVE-2024-35180 (OMERO.web provides a web based client and plugin 
infrastructure. There ...)
-   TODO: check
+   NOT-FOR-US: OMERO.web
 CVE-2024-35061 (NASA AIT-Core v2.5.2 was discovered to use unencrypted 
channels to exc ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-35060 (An issue in the YAML Python library of NASA AIT-Core v2.5.2 
allows att ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-35059 (An issue in the Pickle Python library of NASA AIT-Core v2.5.2 
allows a ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-35058 (An issue in the API wait function of NASA AIT-Core v2.5.2 
allows attac ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-35057 (An issue in NASA AIT-Core v2.5.2 allows attackers to execute 
arbitrary ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-35056 (NASA AIT-Core v2.5.2 was discovered to contain multiple SQL 
injection  ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-34274 (OpenBD 20210306203917-6cbe797 is vulnerable to Deserialization 
of Untr ...)
-   TODO: check
+   NOT-FOR-US: OpenBD
 CVE-2024-34240 (QDOCS Smart School 7.0.0 is vulnerable to Cross Site Scripting 
(XSS) r ...)
-   TODO: check
+   NOT-FOR-US: QDOCS Smart School
 CVE-2024-34071 (Umbraco is an ASP.NET CMS used by more than 730.000 websites. 
Umbraco  ...)
-   TODO: check
+   NOT-FOR-US: Umbraco
 CVE-2024-33529 (ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 
9.0 allow ...)
-   TODO: check
+   NOT-FOR-US: ILIAS
 CVE-2024-33528 (A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 
before 7. ...)
-   TODO: check
+   NOT-FOR-US: ILIAS
 CVE-2024-33527 (A Stored Cross-site Scripting (XSS) vulnerability in the 
"Import of Us ...)
-   TODO: check
+   NOT-FOR-US: ILIAS
 CVE-2024-33526 (A Stored Cross-site Scripting (XSS) vulnerability in the 
"Import of us ...)
-   TODO: check
+   NOT-FOR-US: ILIAS
 CVE-2024-33525 (A Stored Cross-site Scripting (XSS) vulnerability in the 
"Import of or ...)
-   TODO: 
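Review bot: the three new labels for CVE-2024-35386, CVE-2024-35385 and CVE-2024-35384 spell the vendor "Cesenta MJS" while the descriptions say "Cesanta mjs"; use "NOT-FOR-US: Cesanta mjs" so the label matches the description and a search for the vendor name finds all three entries.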

[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6d16cff1 by Moritz Muehlenhoff at 2024-05-22T10:23:47+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,79 +1,79 @@
 CVE-2024-5190
REJECTED
 CVE-2024-5147 (The WPZOOM Addons for Elementor (Templates, Widgets) plugin for 
WordPr ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5092 (The Elegant Addons for elementor plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5040 (There are multiple ways in  LCDS LAquis SCADA for an attacker 
to acces ...)
-   TODO: check
+   NOT-FOR-US: LCDS LAquis SCADA
 CVE-2024-4980 (The WPKoi Templates for Elementor plugin for WordPress is 
vulnerable t ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4971 (The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress 
is vul ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4443 (The Business Directory Plugin \u2013 Easy Listing Directories 
for Word ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4157 (The Contact Form Plugin by Fluent Forms for Quiz, Survey, and 
Drag & D ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3927 (The Element Pack Elementor Addons (Header Footer, Template 
Library, Dy ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3671 (The Print-O-Matic plugin for WordPress is vulnerable to Stored 
Cross-S ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3666 (The Opal Estate Pro \u2013 Property Management and Submission 
plugin f ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3663 (The WP Scraper plugin for WordPress is vulnerable to 
unauthorized acce ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3611 (The Toolbar Extras for Elementor & More \u2013 WordPress Admin 
Bar Enh ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3519 (The Media Library Assistant plugin for WordPress is vulnerable 
to Refl ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3518 (The Media Library Assistant plugin for WordPress is vulnerable 
to SQL  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3198 (The WP Font Awesome Share Icons plugin for WordPress is 
vulnerable to  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3066 (The Elegant Addons for elementor plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-35220 (@fastify/session is a session plugin for fastify. Requires the 
@fastif ...)
-   TODO: check
+   NOT-FOR-US: @fastify/session
 CVE-2024-35162 (Path traversal vulnerability exists in Download Plugins and 
Themes fro ...)
-   TODO: check
+   NOT-FOR-US: @fastify/session
 CVE-2024-32988 ('OfferBox' App for Android versions 2.0.0 to 2.3.17 and 
'OfferBox' App ...)
-   TODO: check
+   NOT-FOR-US: OffBox
 CVE-2024-31396 (Code injection vulnerability exists in a-blog cms Ver.3.1.x 
series ver ...)
-   TODO: check
+   NOT-FOR-US: a-blog cms
 CVE-2024-31395 (Cross-site scripting vulnerability exists in a-blog cms 
Ver.3.1.x seri ...)
-   TODO: check
+   NOT-FOR-US: a-blog cms
 CVE-2024-31394 (Directory traversal vulnerability exists in a-blog cms 
Ver.3.1.x serie ...)
-   TODO: check
+   NOT-FOR-US: a-blog cms
 CVE-2024-31340 (TP-Link Tether versions prior to 4.5.13 and TP-Link Tapo 
versions prio ...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2024-30420 (Server-side request forgery (SSRF) vulnerability exists in 
a-blog cms  ...)
-   TODO: check
+   NOT-FOR-US: a-blog cms
 CVE-2024-30419 (Cross-site scripting vulnerability exists in a-blog cms 
Ver.3.1.x seri ...)
-   TODO: check
+   NOT-FOR-US: a-blog cms
 CVE-2024-2953 (The LuckyWP Table of Contents plugin for WordPress is 
vulnerable to St ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2163 (The Ninja Beaver Add-ons for Beaver Builder plugin for 
WordPress is vu ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2119 (The LuckyWP Table of Contents plugin for WordPress is 
vulnerable to Re ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2088 (The NextScripts: Social Networks Auto-Poster plugin for 
WordPress is v ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-21683 (This High severity RCE (Remote Code Execution) vulnerability 
was intro ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2024-1762 (The NextScripts: Social Networks Auto-Poster plugin for 
WordPress is v ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1446 (The 
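Review bot: the label added for CVE-2024-35162 ("NOT-FOR-US: @fastify/session") repeats the previous entry's label, but its description reads "Path traversal vulnerability exists in Download Plugins and Themes fro ...", which is not @fastify/session; change the label to name the actual product. In the same hunk, CVE-2024-32988 is labelled "NOT-FOR-US: OffBox" while the description says 'OfferBox' App; spell it OfferBox.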

[Git][security-tracker-team/security-tracker][master] NFUs (concludes external check)

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7c6d543 by Moritz Muehlenhoff at 2024-05-22T09:48:47+02:00
NFUs (concludes external check)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2198,7 +2198,7 @@ CVE-2024-31714 (Buffer Overflow vulnerability in Waxlab 
wax v.0.9-3 and before a
 CVE-2024-2835 (A Stored Cross-Site Scripting (XSS) vulnerability has been 
identified  ...)
TODO: check
 CVE-2024-29651 (A Prototype Pollution issue in API Dev Tools 
json-schema-ref-parser v. ...)
-   TODO: check
+   NOT-FOR-US: Node json-schema-ref-parser
 CVE-2024-29000 (The SolarWinds Platform was determined to be affected by a 
reflected c ...)
NOT-FOR-US: SolarWinds
 CVE-2024-27312 (Zoho ManageEngine PAM360 version 6601 is vulnerable to 
authorization v ...)
@@ -4972,7 +4972,7 @@ CVE-2024-3749 (The SP Project & Document Manager 
WordPress plugin through 4.71 l
 CVE-2024-3748 (The SP Project & Document Manager WordPress plugin through 4.71 
is mis ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3744 (A security issue was discovered in azure-file-csi-driver where 
an acto ...)
-   TODO: check
+   NOT-FOR-US: azure-file-csi-driver
 CVE-2024-3634 (The month name translation benaceur WordPress plugin before 
2.3.8 does ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3631 (The HL Twitter WordPress plugin through 2014.1.18 does not have 
CSRF c ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7c6d5437cc84f9418dff32712882bf5280b331e



[Git][security-tracker-team/security-tracker][master] new chromium issues

2024-05-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cf5f6510 by Moritz Muehlenhoff at 2024-05-21T23:20:48+02:00
new chromium issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1,3 +1,19 @@
+CVE-2024-5160
+   - chromium 
+   [bullseye] - chromium  (see #1061268)
+   [buster] - chromium  (see DSA 5046)
+CVE-2024-5159
+   - chromium 
+   [bullseye] - chromium  (see #1061268)
+   [buster] - chromium  (see DSA 5046)
+CVE-2024-5158
+   - chromium 
+   [bullseye] - chromium  (see #1061268)
+   [buster] - chromium  (see DSA 5046)
+CVE-2024-5157
+   - chromium 
+   [bullseye] - chromium  (see #1061268)
+   [buster] - chromium  (see DSA 5046)
 CVE-2024-4988 (The mobile application (com.transsion.videocallenhancer) 
interface has ...)
TODO: check
 CVE-2024-4876 (The HT Mega \u2013 Absolute Addons For Elementor plugin for 
WordPress  ...)


=
data/dsa-needed.txt
=
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
+--
+chromium (dilinger)
 --
 dnsdist (jmm)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf5f6510609976b005c6f2689f8059b76da0544b



[Git][security-tracker-team/security-tracker][master] squirrel3 fixed in sid

2024-05-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
11ee5931 by Moritz Mühlenhoff at 2024-05-20T20:13:11+02:00
squirrel3 fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -158085,7 +158085,7 @@ CVE-2022-1590 (A vulnerability was found in Bludit 
3.13.1. It has been declared
 CVE-2022-1589 (The Change wp-admin login WordPress plugin before 1.1.0 does 
not prope ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-30292 (Heap-based buffer overflow in sqbaselib.cpp in SQUIRREL 3.2 
due to lac ...)
-   - squirrel3  (bug #1014539)
+   - squirrel3 3.1-8.2 (bug #1014539)
[bullseye] - squirrel3  (Minor issue)
[buster] - squirrel3  (Minor issue)
[stretch] - squirrel3  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11ee593197d704216ac13abba9a40a006d57b4b6



[Git][security-tracker-team/security-tracker][master] sssd fixed in sid

2024-05-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
696de6b3 by Moritz Mühlenhoff at 2024-05-20T20:11:08+02:00
sssd fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11261,7 +11261,7 @@ CVE-2023-47843 (Improper Limitation of a Pathname to a 
Restricted Directory ('Pa
 CVE-2023-41864 (Cross-Site Request Forgery (CSRF) vulnerability in Pepro Dev. 
Group Pe ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-3758 (A race condition flaw was found in sssd where the GPO policy is 
not co ...)
-   - sssd  (bug #1070369)
+   - sssd 2.9.5-1 (bug #1070369)
[bookworm] - sssd  (Minor issue)
[bullseye] - sssd  (Minor issue)
[buster] - sssd  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/696de6b32474110b75877eef4c8da38e9a5c08e5



[Git][security-tracker-team/security-tracker][master] thunderbird DSA

2024-05-17 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2d539012 by Moritz Mühlenhoff at 2024-05-17T18:34:48+02:00
thunderbird DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[17 May 2024] DSA-5693-1 thunderbird - security update
+   {CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 
CVE-2024-4777}
+   [bullseye] - thunderbird 1:115.11.0-1~deb11u1
+   [bookworm] - thunderbird 1:115.11.0-1~deb12u1
 [15 May 2024] DSA-5692-1 ghostscript - security update
{CVE-2023-52722 CVE-2024-29510 CVE-2024-33869 CVE-2024-33870 
CVE-2024-33871}
[bullseye] - ghostscript 9.53.3~dfsg-7+deb11u7


=
data/dsa-needed.txt
=
@@ -75,7 +75,5 @@ ruby-tzinfo/oldstable
 --
 squid
 --
-thunderbird (jmm)
---
 zabbix
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d539012996f36b1e05c740e04c9f280d3750869



[Git][security-tracker-team/security-tracker][master] libreoffice, firefox DSAs

2024-05-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c575ff05 by Moritz Mühlenhoff at 2024-05-15T19:41:58+02:00
libreoffice, firefox DSAs

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,11 @@
+[15 May 2024] DSA-5691-1 firefox-esr - security update
+   {CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 
CVE-2024-4777}
+   [bullseye] - firefox-esr 115.11.0esr-1~deb11u1
+   [bookworm] - firefox-esr 115.11.0esr-1~deb12u1
+[15 May 2024] DSA-5690-1 libreoffice - security update
+   {CVE-2024-3044}
+   [bullseye] - libreoffice 1:7.0.4-4+deb11u9
+   [bookworm] - libreoffice 4:7.4.7-1+deb12u2
 [15 May 2024] DSA-5689-1 chromium - security update
{CVE-2024-4761}
[bookworm] - chromium 124.0.6367.207-1~deb12u1


=
data/dsa-needed.txt
=
@@ -16,8 +16,6 @@ dnsdist (jmm)
 --
 dnsmasq
 --
-firefox-esr (jmm)
---
 frr
   Tobias Frost (tobi) proposed to work on preparing an update
 --
@@ -27,8 +25,6 @@ gpac/oldstable
 --
 h2o (jmm)
 --
-libreoffice (jmm)
---
 libreswan (jmm)
   Maintainer prepared bookworm-security update, but needs work on 
bullseye-security backports
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c575ff05f443fdf1bece9a2568084fc82318c09c



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-05-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4787f35a by Moritz Muehlenhoff at 2024-05-15T13:32:17+02:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -821,10 +821,11 @@ CVE-2024-34697 (FreeScout is a free, self-hosted help 
desk and shared mailbox. A
 CVE-2024-34555 (Unrestricted Upload of File with Dangerous Type vulnerability 
in URBAN ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-34459 (An issue was discovered in xmllint (from libxml2) before 
2.11.8 and 2. ...)
-   - libxml2  (bug #1071162)
+   - libxml2  (unimportant; bug #1071162)
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/8ddc7f13337c9fe7c6b6e616f404b0fffb8a5145
 (v2.11.8)
NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac5392a4e891b81e40e592c3ac6cb46016ce
 (v2.12.7)
+   NOTE: Crash in CLI tool, no security impact
 CVE-2024-34440 (Unrestricted Upload of File with Dangerous Type vulnerability 
in Jordy ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-34416 (Unrestricted Upload of File with Dangerous Type vulnerability 
in Pk Fa ...)
@@ -1434,6 +1435,8 @@ CVE-2024-3806 (The Porto theme for WordPress is 
vulnerable to Local File Inclusi
NOT-FOR-US: WordPress theme
 CVE-2024-3727 (A flaw was found in the github.com/containers/image library. 
This flaw ...)
- golang-github-opencontainers-go-digest  (bug #1070858)
+   [bookworm] - golang-github-opencontainers-go-digest  (Minor 
issue)
+   [bullseye] - golang-github-opencontainers-go-digest  (Minor 
issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274767
 CVE-2024-3722 (The Swift Performance Lite plugin for WordPress is vulnerable 
to unaut ...)
NOT-FOR-US: WordPress plugin
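Review bot: the two new `(Minor issue)` tags for golang-github-opencontainers-go-digest give no rationale, and the CVE description names the github.com/containers/image library rather than go-digest; a short reason inside the tag (in the form used elsewhere in data/CVE/list, e.g. `(Minor issue; out-of-bounds read, DoS)` on the libmodbus buster line) plus a NOTE on why go-digest is the package that carries the fix would save re-triage when the Red Hat bugzilla link goes stale.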
@@ -3828,7 +3831,11 @@ CVE-2023-44430 (Bentley View SKP File Parsing 
Use-After-Free Remote Code Executi
NOT-FOR-US: Bentley
 CVE-2023-44428 (MuseScore CAP File Parsing Heap-based Buffer Overflow Remote 
Code Exec ...)
- musescore2 
+   [bookworm] - musescore2  (Minor issue)
+   [bullseye] - musescore2  (Minor issue)
- musescore3  (bug #1070860)
+   [bookworm] - musescore3  (Minor issue)
+   [bullseye] - musescore3  (Minor issue)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1526/
 CVE-2023-44427 (D-Link DIR-X3260 SetSysEmailSettings SMTPServerAddress Command 
Injecti ...)
NOT-FOR-US: D-Link
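Review bot: musescore2 is tagged `(Minor issue)` for bookworm and bullseye, but unlike the musescore3 line two lines below, its sid entry has no `(bug #...)` reference; either record a bug for musescore2 as well or add a NOTE saying why none is needed, otherwise nothing tracks the fix for that package in unstable.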



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4787f35af1bfe5dd00a2f84dca237a6412d21e3b



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-05-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c0762bc by Moritz Muehlenhoff at 2024-05-15T13:07:02+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -755,9 +755,13 @@ CVE-2024-4747 (Improper Neutralization of Input During Web 
Page Generation ('Cro
NOT-FOR-US: WordPress plugin
 CVE-2024-4068 (The NPM package `braces` fails to limit the number of 
characters it ca ...)
- node-braces 
+   [bookworm] - node-braces  (Minor issue)
+   [bullseye] - node-braces  (Minor issue)
NOTE: https://github.com/micromatch/braces/issues/35
 CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular 
Expression Denia ...)
- node-micromatch 
+   [bookworm] - node-micromatch  (Minor issue)
+   [bullseye] - node-micromatch  (Minor issue)
NOTE: https://github.com/micromatch/micromatch/issues/243
NOTE: https://github.com/micromatch/micromatch/pull/247
 CVE-2024-3462 (Ant Media Server Community Edition in a default configuration 
is vulne ...)
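Review bot: the node-braces and node-micromatch sid lines carry neither a fixed version nor a `(bug #...)` reference, so after these `(Minor issue)` tags nothing tracks the fixes in unstable; record a bug number on each sid line as other entries in this file do (e.g. `- libxml2  (bug #1071162)`). The `Minor issue` rating itself matches the descriptions, which point to denial of service in both packages (a missing input-size limit in braces, regular expression denial of service in micromatch).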
@@ -1949,6 +1953,8 @@ CVE-2024-34255 (jizhicms v2.5.1 contains a Cross-Site 
Scripting(XSS) vulnerabili
NOT-FOR-US: jizhicms
 CVE-2024-34244 (libmodbus v3.1.10 is vulnerable to Buffer Overflow via the 
modbus_writ ...)
- libmodbus 
+   [bookworm] - libmodbus  (Minor issue)
+   [bullseye] - libmodbus  (Minor issue)
[buster] - libmodbus  (Minor issue; out-of-bounds read, DoS)
NOTE: https://github.com/stephane/libmodbus/issues/743
 CVE-2024-33612 (An improper certificate validation vulnerability exists in 
BIG-IP Next ...)
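Review bot: the new bookworm and bullseye tags say only `(Minor issue)` while the existing buster line gives a reason, `(Minor issue; out-of-bounds read, DoS)`; carry the same rationale on the new lines so the three suites read consistently and the next reader does not have to reopen upstream issue 743 to see why it is minor.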


=
data/dsa-needed.txt
=
@@ -29,6 +29,8 @@ gpac/oldstable
 --
 h2o (jmm)
 --
+libreoffice (jmm)
+--
 libreswan (jmm)
   Maintainer prepared bookworm-security update, but needs work on 
bullseye-security backports
 --
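Review bot: `libreoffice (jmm)` is added to dsa-needed.txt with no accompanying change in data/CVE/list in this commit and no status line, so it is not visible which issues the DSA is meant to cover; the libreswan entry just below shows the form (an indented status note under the package) that would make that clear.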



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c0762bc3fadf05e5a19542747a53345f25170ce



[Git][security-tracker-team/security-tracker][master] golang-github-elazarl-goproxy fixed in sid

2024-05-14 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
718d6220 by Moritz Muehlenhoff at 2024-05-14T20:38:21+02:00
golang-github-elazarl-goproxy fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -62919,7 +62919,7 @@ CVE-2023-37892 (Cross-Site Request Forgery (CSRF) 
vulnerability in Kemal YAZICI
 CVE-2023-37889 (Cross-Site Request Forgery (CSRF) vulnerability in WPAdmin 
WPAdmin AWS ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-37788 (goproxy v1.1 was discovered to contain an issue which can lead 
to a De ...)
-   - golang-github-elazarl-goproxy  (bug #1042474)
+   - golang-github-elazarl-goproxy 1.1+git20231117.7cc037d+dfsg-1 (bug 
#1042474)
[bookworm] - golang-github-elazarl-goproxy  (Minor issue)
[bullseye] - golang-github-elazarl-goproxy  (Minor issue)
[buster] - golang-github-elazarl-goproxy  (Limited support, 
minor issue, follow bullseye DSAs/point-releases)
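Review bot: the fixed version `1.1+git20231117.7cc037d+dfsg-1` is a git snapshot and the entry has no NOTE with the upstream fix, so a reader cannot check from the entry that the snapshot postdates the fix commit; add a NOTE pointing at the upstream fix for CVE-2023-37788 next to the existing bug reference. The buster line (`follow bullseye DSAs/point-releases`) still reads correctly with bookworm and bullseye at `Minor issue`.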



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/718d6220dfb8dd81bb091c6f8f7d5e398415a116



[Git][security-tracker-team/security-tracker][master] new thunderbird issues

2024-05-14 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4a4d385f by Moritz Muehlenhoff at 2024-05-14T20:37:03+02:00
new thunderbird issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -4,8 +4,10 @@ CVE-2024-4778
 CVE-2024-4777
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4777
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4777
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/#CVE-2024-4777
 CVE-2024-4776
- firefox 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4776
@@ -27,23 +29,31 @@ CVE-2024-4771
 CVE-2024-4770
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4770
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4770
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/#CVE-2024-4769
 CVE-2024-4769
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4769
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4769
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/#CVE-2024-4769
 CVE-2024-4768
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4768
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4768
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/#CVE-2024-4768
 CVE-2024-4767
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4767
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4767
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/#CVE-2024-4767
 CVE-2024-4766
- firefox  (Android-specific)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4766
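Review bot: the NOTE added under CVE-2024-4770 links to `mfsa2024-23/#CVE-2024-4769`, which is the anchor already used by the CVE-2024-4769 entry right below it; this looks like a copy-paste slip and should read `https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/#CVE-2024-4770`, matching the pattern of every other new thunderbird NOTE in this hunk.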
@@ -53,8 +63,10 @@ CVE-2024-4765
 CVE-2024-4367
- firefox 
- firefox-esr 
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4367
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4367
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/#CVE-2024-4367
 CVE-2024-4764
- firefox 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4764


=
data/dsa-needed.txt
=
@@ -79,5 +79,7 @@ ruby-tzinfo/oldstable
 --
 squid
 --
+thunderbird (jmm)
+--
 zabbix
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a4d385f27abc822cda0d4ee9cd965b914cad297



[Git][security-tracker-team/security-tracker][master] new firefox-esr issues

2024-05-14 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
15b0aff4 by Moritz Muehlenhoff at 2024-05-14T20:34:54+02:00
new firefox-esr issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -3,7 +3,9 @@ CVE-2024-4778
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4778
 CVE-2024-4777
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4777
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4777
 CVE-2024-4776
- firefox 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4776
@@ -24,16 +26,24 @@ CVE-2024-4771
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4771
 CVE-2024-4770
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4770
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4770
 CVE-2024-4769
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4769
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4769
 CVE-2024-4768
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4768
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4768
 CVE-2024-4767
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4767
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4767
 CVE-2024-4766
- firefox  (Android-specific)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4766
@@ -42,7 +52,9 @@ CVE-2024-4765
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4765
 CVE-2024-4367
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4367
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4367
 CVE-2024-4764
- firefox 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4764


=
data/dsa-needed.txt
=
@@ -18,6 +18,8 @@ dnsdist (jmm)
 --
 dnsmasq
 --
+firefox-esr (jmm)
+--
 frr
   Tobias Frost (tobi) proposed to work on preparing an update
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15b0aff477ff8a8afe717a4717c008399d90717d



[Git][security-tracker-team/security-tracker][master] new firefox issues

2024-05-14 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
46c93cdb by Moritz Muehlenhoff at 2024-05-14T20:32:32+02:00
new firefox issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,51 @@
+CVE-2024-4778
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4778
+CVE-2024-4777
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4777
+CVE-2024-4776
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4776
+CVE-2024-4775
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4775
+CVE-2024-4774
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4774
+CVE-2024-4773
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4773
+CVE-2024-4772
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4772
+CVE-2024-4771
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4771
+CVE-2024-4770
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4770
+CVE-2024-4769
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4769
+CVE-2024-4768
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4768
+CVE-2024-4767
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4767
+CVE-2024-4766
+   - firefox  (Android-specific)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4766
+CVE-2024-4765
+   - firefox  (Android-specific)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4765
+CVE-2024-4367
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4367
+CVE-2024-4764
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4764
 CVE-2024-4855 (Use after free issue in editcap could cause denial of service 
via craf ...)
- wireshark 
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-08.html
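Review bot: CVE-2024-4766 and CVE-2024-4765 are annotated `(Android-specific)` yet are tracked as ordinary `- firefox` lines like the other new entries; if the Debian firefox package cannot be affected, the entry should state that explicitly rather than leaving the CVEs open, and otherwise the annotation should say why they still apply. The remaining entries are fine as initial placeholders pending the fixed version from mfsa2024-21.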



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46c93cdbe7787091f34168ebf727177bd85da81e



[Git][security-tracker-team/security-tracker][master] mysql-8.0 fixed in sid

2024-05-14 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e9299fe by Moritz Muehlenhoff at 2024-05-14T16:20:14+02:00
mysql-8.0 fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9046,7 +9046,7 @@ CVE-2024-21104 (Vulnerability in the Oracle ZFS Storage 
Appliance Kit product of
 CVE-2024-21103 (Vulnerability in the Oracle VM VirtualBox product of Oracle 
Virtualiza ...)
- virtualbox 7.0.16-dfsg-1
 CVE-2024-21102 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1069189)
+   - mysql-8.0 8.0.37-1 (bug #1069189)
 CVE-2024-21101 (Vulnerability in the MySQL Cluster product of Oracle MySQL 
(component: ...)
NOT-FOR-US: MySQL Cluster
 CVE-2024-21100 (Vulnerability in the Oracle Commerce Platform product of 
Oracle Commer ...)
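Review bot: every mysql-8.0 line in this commit moves to `8.0.37-1` while keeping `(bug #1069189)`, so one bug now covers at least eight CVEs (CVE-2024-21102, 21096, 21087, 21069, 21062, 21060, 21054, 21047); check that the 8.0.37-1 changelog names each of them, since the bug reference is the only link between the upload and these entries. The neighbouring entries already at 8.0.36-1 and 8.0.35-1 show the form is right.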
@@ -9058,7 +9058,7 @@ CVE-2024-21098 (Vulnerability in the Oracle GraalVM for 
JDK, Oracle GraalVM Ente
 CVE-2024-21097 (Vulnerability in the PeopleSoft Enterprise PeopleTools product 
of Orac ...)
NOT-FOR-US: Oracle
 CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1069189)
+   - mysql-8.0 8.0.37-1 (bug #1069189)
 CVE-2024-21095 (Vulnerability in the Primavera P6 Enterprise Project Portfolio 
Managem ...)
NOT-FOR-US: Oracle
 CVE-2024-21094 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, 
Oracle Gr ...)
@@ -9081,7 +9081,7 @@ CVE-2024-21089 (Vulnerability in the Oracle Concurrent 
Processing product of Ora
 CVE-2024-21088 (Vulnerability in the Oracle Production Scheduling product of 
Oracle E- ...)
NOT-FOR-US: Oracle
 CVE-2024-21087 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1069189)
+   - mysql-8.0 8.0.37-1 (bug #1069189)
 CVE-2024-21086 (Vulnerability in the Oracle CRM Technical Foundation product 
of Oracle ...)
NOT-FOR-US: Oracle
 CVE-2024-21085 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise 
Edition ...)
@@ -9119,7 +9119,7 @@ CVE-2024-21071 (Vulnerability in the Oracle Workflow 
product of Oracle E-Busines
 CVE-2024-21070 (Vulnerability in the PeopleSoft Enterprise PeopleTools product 
of Orac ...)
NOT-FOR-US: Oracle
 CVE-2024-21069 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1069189)
+   - mysql-8.0 8.0.37-1 (bug #1069189)
 CVE-2024-21068 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, 
Oracle Gr ...)
{DSA-5672-1 DSA-5671-1 DLA-3793-1}
- openjdk-8 8u412-ga-1 (bug #1069678)
@@ -9137,11 +9137,11 @@ CVE-2024-21064 (Vulnerability in the Oracle Business 
Intelligence Enterprise Edi
 CVE-2024-21063 (Vulnerability in the PeopleSoft Enterprise HCM Benefits 
Administration ...)
NOT-FOR-US: Oracle
 CVE-2024-21062 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1069189)
+   - mysql-8.0 8.0.37-1 (bug #1069189)
 CVE-2024-21061 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
- mysql-8.0 8.0.36-1
 CVE-2024-21060 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1069189)
+   - mysql-8.0 8.0.37-1 (bug #1069189)
 CVE-2024-21059 (Vulnerability in the Oracle Solaris product of Oracle Systems 
(compone ...)
NOT-FOR-US: Oracle
 CVE-2024-21058 (Vulnerability in the Unified Audit component of Oracle 
Database Server ...)
@@ -9153,7 +9153,7 @@ CVE-2024-21056 (Vulnerability in the MySQL Server product 
of Oracle MySQL (compo
 CVE-2024-21055 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
- mysql-8.0 8.0.36-1
 CVE-2024-21054 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1069189)
+   - mysql-8.0 8.0.37-1 (bug #1069189)
 CVE-2024-21053 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
- mysql-8.0 8.0.35-1
 CVE-2024-21052 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
@@ -9167,7 +9167,7 @@ CVE-2024-21049 (Vulnerability in the MySQL Server product 
of Oracle MySQL (compo
 CVE-2024-21048 (Vulnerability in the Oracle Web Applications Desktop 
Integrator produc ...)
NOT-FOR-US: Oracle
 CVE-2024-21047 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1069189)
+   - mysql-8.0 8.0.37-1 (bug #1069189)
 CVE-2024-21046 (Vulnerability in the Oracle Complex Maintenance, Repair, and 
Overhaul  ...)
NOT-FOR-US: Oracle
 CVE-2024-21045 (Vulnerability in the Oracle Complex Maintenance, Repair, and 
Overhaul  ...)
@@ -9235,7 +9235,7 @@ CVE-2024-21015 (Vulnerability in the MySQL Server product 

[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-14 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
12c419fe by Moritz Muehlenhoff at 2024-05-14T11:22:54+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,117 +13,117 @@ CVE-2024-4854 (MONGO and ZigBee TLV dissector infinite 
loops in Wireshark 4.2.0
 CVE-2024-4853 (Memory handling issue in editcap could cause denial of service 
via cra ...)
TODO: check
 CVE-2024-4840 (An flaw was found in the OpenStack Platform (RHOSP) director, a 
toolse ...)
-   TODO: check
+   NOT-FOR-US: Red Hat OpenStack Platform
 CVE-2024-4810 (In register_device, the return value of ida_simple_get is 
unchecked, i ...)
TODO: check
 CVE-2024-4712 (An arbitrary file creation vulnerability exists in PaperCut 
NG/MF that ...)
-   TODO: check
+   NOT-FOR-US: PaperCut NG/MF
 CVE-2024-4445 (The WP Compress \u2013 Image Optimizer [All-In-One] plugin for 
WordPre ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4144 (The Simple Basic Contact Form plugin for WordPress for 
WordPress is vu ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4139 (Manage Bank Statement ReProcessing Rules does not perform 
necessary au ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-4138 (Manage Bank Statement ReProcessing Rules does not perform 
necessary au ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-3241 (The Ultimate Blocks  WordPress plugin before 3.1.7 does not 
validate a ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3037 (An arbitrary file deletion vulnerability exists in PaperCut 
NG/MF that ...)
-   TODO: check
+   NOT-FOR-US: PaperCut NG/MF
 CVE-2024-34687 (SAP NetWeaver Application Server for ABAP and ABAP Platform do 
not suf ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-33878
REJECTED
 CVE-2024-33009 (SAP Global Label Management is vulnerable to SQL injection. On 
exploit ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-33008 (SAP Replication Server allows an attacker to use gateway for 
executing ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-33007 (PDFViewer is a control delivered as part of SAPUI5 product 
which shows ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-33006 (An unauthenticated attacker can upload a malicious file to the 
server  ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-33004 (SAP Business Objects Business Intelligence Platform is 
vulnerable to I ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-33002 (Document Service handler (obsolete) in Data Provisioning 
Service does  ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-33000 (SAP Bank Account Management does not perform necessary 
authorization c ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-32733 (Due to missing input validation and output encoding of 
untrusted data, ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-32731 (SAP My Travel Requests does not perform necessary 
authorization checks ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-28165 (SAP Business Objects Business Intelligence Platform is 
vulnerable to s ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-27852 (A privacy issue was addressed with improved client ID handling 
for alt ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2024-27847 (This issue was addressed with improved checks This issue is 
fixed in i ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2024-27843 (A logic issue was addressed with improved checks. This issue 
is fixed  ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2024-27842 (The issue was addressed with improved checks. This issue is 
fixed in m ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2024-27841 (The issue was addressed with improved memory handling. This 
issue is f ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2024-27839 (A privacy issue was addressed by moving sensitive data to a 
more secur ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2024-27837 (A downgrade issue was addressed with additional code-signing 
restricti ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2024-27835 (This issue was addressed through improved state management. 
This issue ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2024-27834 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2024-27829 (The issue was addressed with improved memory handling. This 
issue is f ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2024-27827 (This issue was addressed through improved state management. 
This issue ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2024-27825 (A downgrade issue affecting Intel-based Mac computers was 
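Review bot: CVE-2024-4810 is left at `TODO: check` in this pass; its description (`the return value of ida_simple_get is unchecked`) refers to a Linux kernel allocator API, so it needs triage against a kernel package entry rather than an NFU, and should not be swept up in a later NFU batch by mistake. The `TODO: check` to `NOT-FOR-US` changes made here match the vendors named in the descriptions (Red Hat OpenStack Platform, PaperCut, SAP, Apple, WordPress plugins).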

[Git][security-tracker-team/security-tracker][master] new wireshark issues

2024-05-14 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
386c5b66 by Moritz Muehlenhoff at 2024-05-14T11:12:54+02:00
new wireshark issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,15 @@
 CVE-2024-4855 (Use after free issue in editcap could cause denial of service 
via craf ...)
-   TODO: check
+   - wireshark 
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2024-08.html
+   NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19782
+   NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19783
+   NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19784
 CVE-2024-4854 (MONGO and ZigBee TLV dissector infinite loops in Wireshark 
4.2.0 to 4. ...)
-   TODO: check
+   - wireshark 
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2024-07.html
+   NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19726
+   NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15047
+   NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15499
 CVE-2024-4853 (Memory handling issue in editcap could cause denial of service 
via cra ...)
TODO: check
 CVE-2024-4840 (An flaw was found in the OpenStack Platform (RHOSP) director, a 
toolse ...)
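Review bot: CVE-2024-4853 is the third editcap issue in this hunk and stays at `TODO: check` while CVE-2024-4855 and CVE-2024-4854 get `- wireshark` lines; the CVE-2024-4855 entry collects three GitLab issues (19782, 19783, 19784), so check whether one of them actually belongs to CVE-2024-4853 and move it there together with its own `- wireshark` line. The new `- wireshark` lines have no fixed version yet; the wnpa-sec advisories linked in the NOTEs are where to take it from.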



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/386c5b66f8d0ece322b8447e2c24006fb5913455



[Git][security-tracker-team/security-tracker][master] nvidia-cuda-toolkit fixed in sid

2024-05-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1a88e16b by Moritz Muehlenhoff at 2024-05-13T13:39:37+02:00
nvidia-cuda-toolkit fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -89213,7 +89213,7 @@ CVE-2023-25515 (NVIDIA GPU Display Driver for Windows 
and Linux contains a vulne
[buster] - nvidia-graphics-drivers  (Minor issue, revisit 
when/if fixed upstream)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5468
 CVE-2023-25514 (NVIDIA CUDA toolkit for Linux and Windows contains a 
vulnerability in  ...)
-   - nvidia-cuda-toolkit  (unimportant; bug #1034793; bug 
#1034799)
+   - nvidia-cuda-toolkit 12.1.1-1 (unimportant; bug #1034793; bug #1034799)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
NOTE: Crash in CLI tool, no security impact
 CVE-2023-25513 (NVIDIA CUDA toolkit for Linux and Windows contains a 
vulnerability in  ...)
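Review bot: CVE-2023-25514, CVE-2023-25511 and CVE-2023-25510 get the fixed version `12.1.1-1` while keeping `unimportant` and both bug references, but the sibling entries CVE-2023-25513 and CVE-2023-25512 (same toolkit, same `Crash in CLI tool` NOTE) appear only as context in these two hunks; confirm they received the same version so the series does not end up half-updated.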
@@ -89226,11 +89226,11 @@ CVE-2023-25512 (NVIDIA CUDA toolkit for Linux and 
Windows contains a vulnerabili
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
NOTE: Crash in CLI tool, no security impact
 CVE-2023-25511 (NVIDIA CUDA Toolkit for Linux and Windows contains a 
vulnerability in  ...)
-   - nvidia-cuda-toolkit  (unimportant; bug #1034793; bug 
#1034799)
+   - nvidia-cuda-toolkit 12.1.1-1 (unimportant; bug #1034793; bug #1034799)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
NOTE: Crash in CLI tool, no security impact
 CVE-2023-25510 (NVIDIA CUDA Toolkit SDK for Linux and Windows contains a NULL 
pointer  ...)
-   - nvidia-cuda-toolkit  (unimportant; bug #1034793; bug 
#1034799)
+   - nvidia-cuda-toolkit 12.1.1-1 (unimportant; bug #1034793; bug #1034799)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
NOTE: Crash in CLI tool, no security impact
 CVE-2023-25509 (NVIDIA DGX-1 SBIOS contains a vulnerability in Bds, which may 
lead to  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a88e16bfbaa931fdaf1536c8fa8c393e08f1c48



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9aa7ab4c by Moritz Muehlenhoff at 2024-05-13T12:15:15+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,21 +19,21 @@ CVE-2024-4801 (A vulnerability was found in Kashipara 
College Management System
 CVE-2024-4800 (A vulnerability has been found in Kashipara College Management 
System  ...)
NOT-FOR-US: Kashipara College Management System
 CVE-2024-3239 (The Post Grid Gutenberg Blocks and WordPress Blog Plugin  
WordPress pl ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-35205 (The WPS Office (aka cn.wps.moffice_eng) application before 
17.0.0 for  ...)
-   TODO: check
+   NOT-FOR-US: WPS Office
 CVE-2024-35204 (Veritas System Recovery before 23.2_Hotfix has incorrect 
permissions f ...)
-   TODO: check
+   NOT-FOR-US: Veritas
 CVE-2024-32700 (Unrestricted Upload of File with Dangerous Type vulnerability 
in Kogne ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2299 (A stored Cross-Site Scripting (XSS) vulnerability exists in the 
parisn ...)
-   TODO: check
+   NOT-FOR-US: lollms-webui
 CVE-2024-29212 (Due to an  unsafe de-serialization method used by the Veeam 
Service Pr ...)
-   TODO: check
+   NOT-FOR-US: Veeam
 CVE-2024-26306 (iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a 
server wi ...)
TODO: check
 CVE-2023-5052 (vulnerability in Uniform Server Zero, version 10.2.5, 
consisting of an ...)
-   TODO: check
+   NOT-FOR-US: Uniform Zero Server
 CVE-2024-4799 (A vulnerability, which was classified as critical, was found in 
Kaship ...)
NOT-FOR-US: Kashipara College Management System
 CVE-2024-4798 (A vulnerability, which was classified as critical, has been 
found in S ...)
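Review bot: the new NFU line for CVE-2023-5052 reads `NOT-FOR-US: Uniform Zero Server`, but the description names the product `Uniform Server Zero`; swap the words so the entry can be found by product name. Leaving CVE-2024-26306 (iPerf3) at `TODO: check` rather than turning it into an NFU is right, since iperf3 is packaged in Debian and needs a package check.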
@@ -111,17 +111,17 @@ CVE-2024-28760 (IBM App Connect Enterprise 11.0.0.1 
through 11.0.0.25 and 12.0.1
 CVE-2024-27460 (A privilege escalation exists in the updater for Plantronics 
Hub 3.25. ...)
NOT-FOR-US: HP
 CVE-2023-5447 (Missing lock check in SynHsaService may create a use-after-free 
condit ...)
-   TODO: check
+   NOT-FOR-US: Synaptics
 CVE-2023-52721 (The WindowManager module has a vulnerability in permission 
control. Im ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-52720 (Race condition vulnerability in the soundtrigger module 
Impact: Succes ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-52719 (Privilege escalation vulnerability in the PMS module Impact: 
Successfu ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-52384 (Double-free vulnerability in the RSMC module Impact: 
Successful exploi ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-52383 (Double-free vulnerability in the RSMC module Impact: 
Successful exploi ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-47712 (IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow a 
local u ...)
NOT-FOR-US: IBM
 CVE-2023-47711 (IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow 
an authen ...)
@@ -171,7 +171,7 @@ CVE-2024-4714 (A vulnerability, which was classified as 
problematic, has been fo
 CVE-2024-4713 (A vulnerability classified as problematic was found in 
Campcodes Compl ...)
NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-4701 (A path traversal issue potentially leading to remote code 
execution in ...)
-   TODO: check
+   NOT-FOR-US: Netflix
 CVE-2024-4699 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was 
classified  ...)
NOT-FOR-US: D-Link
 CVE-2024-4689 (Cross-Site Request Forgery (CSRF) vulnerability in ShortPixel 
ShortPix ...)
@@ -211,7 +211,7 @@ CVE-2024-4231 (This vulnerability exists in Digisol Router 
(DG-GR1321: Hardware
 CVE-2024-4129 (Improper Authentication vulnerability in Snow Software AB Snow 
License ...)
NOT-FOR-US: Snow Software AB Snow License Manager
 CVE-2024-4044 (A deserialization of untrusted data vulnerability exists in 
common cod ...)
-   TODO: check
+   NOT-FOR-US: National Instruments
 CVE-2024-4039 (The The Orders Tracking for WooCommerce plugin for WordPress 
for WordP ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3956 (The Pods \u2013 Custom Content Types and Fields plugin for 
WordPress i ...)
@@ -255,19 +255,19 @@ CVE-2024-34814 (Cross-Site Request Forgery (CSRF) 
vulnerability in ThemeFuse Uny
 CVE-2024-34695 (WOWS Karma is a reputation system for Wargaming's World of 
Warships. A ...)
NOT-FOR-US: WOWS Karma
 CVE-2024-34360 (go-spacemesh is a Go implementation of the Spacemesh protocol 
full nod ...)
-   TODO: check
+   NOT-FOR-US: go-spacemesh
 CVE-2024-34359 (llama-cpp-python is the Python bindings for llama.cpp. 
`llama-cpp-pyth ...)
-   TODO: check
+   NOT-FOR-US: 

[Git][security-tracker-team/security-tracker][master] atril DSA

2024-05-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0009ae42 by Moritz Mühlenhoff at 2024-05-12T15:13:50+02:00
atril DSA

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -33095,7 +33095,7 @@ CVE-2023-51804 (An issue in rymcu forest v.0.02 allows 
a remote attacker to obta
 CVE-2023-51698 (Atril is a simple multi-page document viewer. Atril is 
vulnerable to a ...)
- atril 1.26.1-4 (bug #1060751)
[bookworm] - atril 1.26.0-2+deb12u2
-   [bullseye] - atril  (Minor issue)
+   [bullseye] - atril 1.24.0-1+deb11u1
- evince 3.25.92-1
NOTE: 
https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2
NOTE: Fixed by: 
https://github.com/mate-desktop/atril/commit/ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed
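Review bot: the bullseye line here records CVE-2023-51698 as fixed by atril 1.24.0-1+deb11u1, but the DSA-5688-1 entry added to data/DSA/list in this same commit lists only {CVE-2023-52076} and a bookworm version of 1.26.0-2+deb12u3, while this entry keeps bookworm at 1.26.0-2+deb12u2. One of the two is out of step: either the DSA's CVE list should include CVE-2023-51698, or the bullseye fix version belongs on the CVE-2023-52076 entry instead. Please reconcile before the DSA cross-reference is published.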


=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[12 May 2024] DSA-5688-1 atril - security update
+   {CVE-2023-52076}
+   [bullseye] - atril 1.24.0-1+deb11u1
+   [bookworm] - atril 1.26.0-2+deb12u3
 [10 May 2024] DSA-5687-1 chromium - security update
{CVE-2024-4671}
[bookworm] - chromium 124.0.6367.201-1~deb12u1


=
data/dsa-needed.txt
=
@@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
---
-atril (jmm)
 --
 dnsdist (jmm)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0009ae42154ddd3bfe9b5c0bcf7eb37e688e4d40



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] bugnums

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f475b9aa by Moritz Muehlenhoff at 2024-05-10T19:34:29+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -117,7 +117,7 @@ CVE-2024-3807 (The Porto theme for WordPress is vulnerable 
to Local File Inclusi
 CVE-2024-3806 (The Porto theme for WordPress is vulnerable to Local File 
Inclusion in ...)
NOT-FOR-US: WordPress theme
 CVE-2024-3727 (A flaw was found in the github.com/containers/image library. 
This flaw ...)
-   - golang-github-opencontainers-go-digest 
+   - golang-github-opencontainers-go-digest  (bug #1070858)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274767
 CVE-2024-3722 (The Swift Performance Lite plugin for WordPress is vulnerable 
to unaut ...)
NOT-FOR-US: WordPress plugin
@@ -289,7 +289,7 @@ CVE-2024-32717 (Missing Authorization vulnerability in 
WPDeveloper SchedulePress
 CVE-2024-32712 (Missing Authorization vulnerability in Podlove Podlove Podcast 
Publish ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-32655 (Npgsql is the .NET data provider for PostgreSQL. In 8.0.2 and 
earlier, ...)
-   - npgsql 
+   - npgsql  (bug #1070859)
NOTE: 
https://github.com/npgsql/npgsql/security/advisories/GHSA-x9vc-6hfv-hg8c
NOTE: 
https://github.com/npgsql/npgsql/commit/f7e7ead0702d776a8f551f5786c4cac2d65c4bc6
 CVE-2024-32624 (HDF5 Library through 1.14.3 contains a heap-based buffer 
overflow in H ...)
@@ -2502,7 +2502,7 @@ CVE-2023-44430 (Bentley View SKP File Parsing 
Use-After-Free Remote Code Executi
NOT-FOR-US: Bentley
 CVE-2023-44428 (MuseScore CAP File Parsing Heap-based Buffer Overflow Remote 
Code Exec ...)
- musescore2 
-   - musescore3 
+   - musescore3  (bug #1070860)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1526/
 CVE-2023-44427 (D-Link DIR-X3260 SetSysEmailSettings SMTPServerAddress Command 
Injecti ...)
NOT-FOR-US: D-Link
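Review bot: the bug number is added to musescore3 only, leaving musescore2 in the same CVE-2023-44428 entry without one. If musescore2 no longer needs a bug because it is gone from the suites that receive fixes, the entry should carry the marker or a NOTE saying so; otherwise a second bug number is missing.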



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f475b9aa1d4e9c0b83c7a6ac3753cd9c2895a671



[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
644cd696 by Moritz Muehlenhoff at 2024-05-10T18:04:15+02:00
bullseye/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1310,11 +1310,15 @@ CVE-2024-34078 (html-sanitizer is an allowlist-based 
HTML cleaner. If using `kee
NOTE: 
https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550
 (2.4.2)
 CVE-2024-34069 (Werkzeug is a comprehensive WSGI web application library. The 
debugger ...)
- python-werkzeug 3.0.3-1 (bug #1070711)
+   [bookworm] - python-werkzeug  (Minor issue)
+   [bullseye] - python-werkzeug  (Minor issue)
NOTE: 
https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985
NOTE: Fixed by: 
https://github.com/pallets/werkzeug/commit/71b69dfb7df3d912e66bab87fbb1f21f83504967
 (3.0.3)
NOTE: Fixed by: 
https://github.com/pallets/werkzeug/commit/890b6b62634fa61224222aee31081c61b054ff01
 (3.0.3)
 CVE-2024-34064 (Jinja is an extensible templating engine. The `xmlattr` filter 
in affe ...)
- jinja2  (bug #1070712)
+   [bookworm] - jinja2  (Minor issue)
+   [bullseye] - jinja2  (Minor issue)
NOTE: 
https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj
NOTE: Fixed by: 
https://github.com/pallets/jinja/commit/d655030770081e2dfe46f90e27620472a502289d
 (3.1.4)
 CVE-2024-33912 (Missing Authorization vulnerability in Academy LMS.This issue 
affects  ...)
@@ -6701,6 +6705,8 @@ CVE-2024-32478 (Git Credential Manager (GCM) is a secure 
Git credential helper.
- git-credential-manager  (bug #1002300)
 CVE-2024-32473 (Moby is an open source container framework that is a key 
component of  ...)
- docker.io  (bug #1070378)
+   [bookworm] - docker.io  (Minor issue)
+   [bullseye] - docker.io  (Minor issue)
NOTE: 
https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9
NOTE: 
https://github.com/moby/moby/commit/841c4c8057bcf5317d6565875595a3f0c046e3fa
 CVE-2024-32409 (An issue in SEMCMS v.4.8 allows a remote attacker to execute 
arbitrary ...)
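Review bot: the two new lines mark bookworm and bullseye as Minor issue, but the TODO removed from this same CVE-2024-32473 entry in commit 7f2325d1 (shown further down this page) said the flaw was reported as specific to moby 26.0.0 and 26.0.1, and neither bookworm nor bullseye ships a 26.x docker.io. Minor issue states that the suites are affected but not worth a DSA; if the version-specific claim was confirmed, the entries should instead say the suites are not affected, with the version range as the reason, and if it was not confirmed, a NOTE should say the question is still open.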
@@ -17532,6 +17538,7 @@ CVE-2024-0450 (An issue was found in the CPython 
`zipfile` module affecting vers
[bookworm] - python3.11  (Minor issue)
- python3.10 
- python3.9 
+   [bullseye] - python3.9  (Minor issue)
- python3.7 
- python2.7 
[bullseye] - python2.7  (Unsupported in Bullseye, only 
included to build a few applications)
@@ -78571,6 +78578,7 @@ CVE-2023-28757
 CVE-2023-28756 (A ReDoS issue was discovered in the Time component through 
0.2.1 in Ru ...)
{DLA-3447-1 DLA-3408-1}
- ruby3.1  (bug #1038408)
+   [bookworm] - ruby3.1  (Minor issue)
- ruby2.7 
- ruby2.5 
[experimental] - jruby 9.4.3.0+ds-1~exp1
@@ -78586,6 +78594,7 @@ CVE-2023-28755 (A ReDoS issue was discovered in the URI 
component through 0.12.0
[bookworm] - rubygems  (Minor issue)
[bullseye] - rubygems  (Minor issue)
- ruby3.1  (bug #1038408)
+   [bookworm] - ruby3.1  (Minor issue)
- ruby2.7 
- ruby2.5 
[experimental] - jruby 9.4.3.0+ds-1~exp1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/644cd696af6b99d787c462f7c3c228d9a9ce54d8



[Git][security-tracker-team/security-tracker][master] openjfx n/a

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c360575c by Moritz Muehlenhoff at 2024-05-10T16:45:53+02:00
openjfx n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8542,13 +8542,13 @@ CVE-2024-21007 (Vulnerability in the Oracle WebLogic 
Server product of Oracle Fu
 CVE-2024-21006 (Vulnerability in the Oracle WebLogic Server product of Oracle 
Fusion M ...)
NOT-FOR-US: Oracle
 CVE-2024-21005 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise 
Edition ...)
-   TODO: check
+   - openjfx  (Only affects JavaFX 8)
 CVE-2024-21004 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise 
Edition ...)
-   TODO: check
+   - openjfx  (Only affects JavaFX 8)
 CVE-2024-21003 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise 
Edition ...)
-   TODO: check
+   - openjfx  (Only affects JavaFX 8)
 CVE-2024-21002 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise 
Edition ...)
-   TODO: check
+   - openjfx  (Only affects JavaFX 8)
 CVE-2024-21001 (Vulnerability in the Oracle Business Intelligence Enterprise 
Edition p ...)
NOT-FOR-US: Oracle
 CVE-2024-21000 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c360575c5183165ea7dfb95503c10b7ab2554c13



[Git][security-tracker-team/security-tracker][master] NFU

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7f2325d1 by Moritz Muehlenhoff at 2024-05-10T16:43:40+02:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6703,7 +6703,6 @@ CVE-2024-32473 (Moby is an open source container 
framework that is a key compone
- docker.io  (bug #1070378)
NOTE: 
https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9
NOTE: 
https://github.com/moby/moby/commit/841c4c8057bcf5317d6565875595a3f0c046e3fa
-   TODO: check, said to be specific to the 26.0.0 and 26.0.1 versions but 
needs double-checking
 CVE-2024-32409 (An issue in SEMCMS v.4.8 allows a remote attacker to execute 
arbitrary ...)
NOT-FOR-US: SEMCMS
 CVE-2024-32206 (A stored cross-site scripting (XSS) vulnerability in the 
component \af ...)
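Review bot: the TODO line about the issue being specific to 26.0.0 and 26.0.1 is deleted without a NOTE recording what the double-check found, so the reasoning behind this entry's per-suite status disappears from the file. Replace the bare deletion with a NOTE stating the conclusion and its source, since whether the older docker.io versions in the stable suites are affected hinges on exactly that point.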
@@ -8279,7 +8278,7 @@ CVE-2024-2101 (The Salon booking system WordPress plugin 
before 9.6.3 does not p
 CVE-2024-29402 (cskefu v7 suffers from Insufficient Session Expiration, which 
allows a ...)
NOT-FOR-US: cskefu
 CVE-2024-29291 (An issue in Laravel Framework 8 through 11 might allow a 
remote attack ...)
-   TODO: check
+   NOT-FOR-US: Disputed Laravel issue
 CVE-2024-27086 (The MSAL library enabled acquisition of security tokens to 
call protec ...)
NOT-FOR-US: microsoft-authentication-library-for-dotnet
 CVE-2024-25911 (Missing Authorization vulnerability in Skymoon Labs 
MoveTo.This issue  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f2325d13ffd4789738de6ada4ae785724971178



[Git][security-tracker-team/security-tracker][master] new musescore issue

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
79fb4c58 by Moritz Muehlenhoff at 2024-05-10T16:39:29+02:00
new musescore issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2497,7 +2497,9 @@ CVE-2023-44431 (BlueZ Audio Profile AVRCP Stack-based 
Buffer Overflow Remote Cod
 CVE-2023-44430 (Bentley View SKP File Parsing Use-After-Free Remote Code 
Execution Vul ...)
NOT-FOR-US: Bentley
 CVE-2023-44428 (MuseScore CAP File Parsing Heap-based Buffer Overflow Remote 
Code Exec ...)
-   TODO: check
+   - musescore2 
+   - musescore3 
+   NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1526/
 CVE-2023-44427 (D-Link DIR-X3260 SetSysEmailSettings SMTPServerAddress Command 
Injecti ...)
NOT-FOR-US: D-Link
 CVE-2023-44426 (D-Link DIR-X3260 SetSysEmailSettings AccountPassword Command 
Injection ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79fb4c58f1516ac4c5edb00ccdbc6d3ce1766af5



[Git][security-tracker-team/security-tracker][master] new npgsql issue

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
df251cc7 by Moritz Muehlenhoff at 2024-05-10T14:56:48+02:00
new npgsql issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -289,7 +289,9 @@ CVE-2024-32717 (Missing Authorization vulnerability in 
WPDeveloper SchedulePress
 CVE-2024-32712 (Missing Authorization vulnerability in Podlove Podlove Podcast 
Publish ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-32655 (Npgsql is the .NET data provider for PostgreSQL. In 8.0.2 and 
earlier, ...)
-   TODO: check
+   - npgsql 
+   NOTE: 
https://github.com/npgsql/npgsql/security/advisories/GHSA-x9vc-6hfv-hg8c
+   NOTE: 
https://github.com/npgsql/npgsql/commit/f7e7ead0702d776a8f551f5786c4cac2d65c4bc6
 CVE-2024-32624 (HDF5 Library through 1.14.3 contains a heap-based buffer 
overflow in H ...)
- hdf5 
[bookworm] - hdf5  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df251cc7319e0e896ff4c846fa5b30733b19209e



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e10774d2 by Moritz Muehlenhoff at 2024-05-10T14:25:33+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -456,7 +456,7 @@ CVE-2024-29157 (HDF5 through 1.14.3 contains a heap buffer 
overflow in H5HG_read
 CVE-2024-28075 (The SolarWinds Access Rights Manager was susceptible to Remote 
Code Ex ...)
NOT-FOR-US: SolarWinds
 CVE-2024-24157 (Gnuboard g6 / https://github.com/gnuboard/g6 commit 
c2cc1f5069e00491ea ...)
-   TODO: check
+   NOT-FOR-US: Gnuboard
 CVE-2024-23473 (The SolarWinds Access Rights Manager was found to contain a 
hard-coded ...)
NOT-FOR-US: SolarWinds
 CVE-2024-22910 (Cross Site Scripting (XSS) vulnerability in CrushFTP v.10.6.0 
and v.10 ...)
@@ -1209,7 +1209,7 @@ CVE-2024-3755 (The MF Gig Calendar WordPress plugin 
through 1.2.1 does not sanit
 CVE-2024-3752 (The Crelly Slider WordPress plugin through 1.4.5 does not 
sanitise and ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3661 (DHCP can add routes to a client\u2019s routing table via the 
classless ...)
-   TODO: check
+   NOT-FOR-US: DHCP protocol issue
 CVE-2024-3576 (The NPort 5100A Series firmware version v1.6 and prior versions 
are af ...)
NOT-FOR-US: Moxa
 CVE-2024-34538 (Mateso PasswordSafe through 8.13.9.26689 has Weak 
Cryptography.)
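Review bot: the CVE-2024-3661 line is closed as NOT-FOR-US: DHCP protocol issue with no reference, unlike the other NFU entries in this hunk, which name a vendor product. Because this is a protocol-level issue whose impact depends on how DHCP clients and VPN clients are configured, a NOTE with the advisory used for the decision would document why no Debian package is being tracked and let a later triager revisit the call if client packages ship mitigations.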
@@ -1436,23 +1436,23 @@ CVE-2023-43530 (Memory corruption in HLOS while 
checking for the storage type.)
 CVE-2023-43529 (Transient DOS while processing IKEv2 Informational request 
messages, w ...)
NOT-FOR-US: Qualcomm
 CVE-2023-43528 (Information disclosure when the ADSP payload size received in 
HLOS in  ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43527 (Information disclosure while parsing dts header atom in Video.)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43526 (Memory corruption while querying module parameters from Listen 
Sound m ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43525 (Memory corruption while copying the sound model data from user 
to kern ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43524 (Memory corruption when the bandpass filter order received from 
AHAL is ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43521 (Memory corruption when multiple listeners are being registered 
with th ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-33119 (Memory corruption while loading a VM from a signed VM image 
that is no ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-32873 (In keyInstall, there is a possible out of bounds write due to 
a missin ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2023-32871 (In DA, there is a possible permission bypass due to an 
incorrect statu ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-29857 (An issue was discovered in Bouncy Castle Java Cryptography 
APIs before ...)
- bouncycastle  (bug #1070655)
[bookworm] - bouncycastle  (Minor issue)
@@ -2563,13 +2563,13 @@ CVE-2023-42125 (Avast Premium Security Sandbox 
Protection Link Following Privile
 CVE-2023-42124 (Avast Premium Security Sandbox Protection Incorrect 
Authorization Priv ...)
NOT-FOR-US: Avast Premium Security Sandbox Protection
 CVE-2023-42123 (Control Web Panel mysql_manager Command Injection Remote Code 
Executio ...)
-   TODO: check
+   NOT-FOR-US: Control Web Panel
 CVE-2023-42122 (Control Web Panel wloggui Command Injection Local Privilege 
Escalation ...)
-   TODO: check
+   NOT-FOR-US: Control Web Panel
 CVE-2023-42121 (Control Web Panel Missing Authentication Remote Code Execution 
Vulnera ...)
-   TODO: check
+   NOT-FOR-US: Control Web Panel
 CVE-2023-42120 (Control Web Panel dns_zone_editor Command Injection Remote 
Code Execut ...)
-   TODO: check
+   NOT-FOR-US: Control Web Panel
 CVE-2023-42113 (PDF-XChange Editor EMF File Parsing Out-Of-Bounds Read 
Information Dis ...)
NOT-FOR-US: PDF-XChange Editor EMF
 CVE-2023-42112 (PDF-XChange Editor EMF File Parsing Out-Of-Bounds Read 
Information Dis ...)
@@ -70814,7 +70814,7 @@ CVE-2023-31236 (Auth. (admin+) Stored Cross-Site 
Scripting (XSS) vulnerability i
 CVE-2023-31235 (Cross-Site Request Forgery (CSRF) vulnerability in Roland 
Barker, xnau ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-31234 (Missing Authorization vulnerability in Tilda Publishing.This 
issue aff ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-31233 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Haoq ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-31232 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Davi ...)
@@ -74831,7 +74831,7 @@ CVE-2023-29883
 CVE-2023-29882
RESERVED
 CVE-2023-29881 (phpok 6.4.003 is 

[Git][security-tracker-team/security-tracker][master] also mark CVE-2024-2971 as NFU, poppler forked from xpdf almost 20 years ago

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b20944ba by Moritz Muehlenhoff at 2024-05-10T13:09:08+02:00
also mark CVE-2024-2971 as NFU, poppler forked from xpdf almost 20 years ago
and is regularly fuzzed by oss-fuzz, no real point to assume that new xpdf
issues still affect it and if no PoC is available we can't reliably track
this down anyway and these end up causing spam

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15314,8 +15314,7 @@ CVE-2024-30193 (Improper Neutralization of Input During 
Web Page Generation ('Cr
 CVE-2024-30192 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-2971 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered 
by negat ...)
-   - poppler 
-   NOTE: Might possibly affect poppler, pdf in Debian uses it
+   NOT-FOR-US: xpdf (Debian uses poppler, which forked a long time ago)
 CVE-2024-2956 (The Simple Ajax Chat \u2013 Add a Fast, Secure Chat Box plugin 
for Wor ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-2954 (The Action Network plugin for WordPress is vulnerable to SQL 
Injection ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b20944ba103135080d4abbcb7a0ea2e8fb99c6ee



[Git][security-tracker-team/security-tracker][master] poppler fixed in sid

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
885fb708 by Moritz Muehlenhoff at 2024-05-10T13:07:39+02:00
poppler fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -60853,7 +60853,7 @@ CVE-2023-34916 (Fuge CMS v1.0 contains an Open Redirect 
vulnerability via /front
NOT-FOR-US: Fuge CMS
 CVE-2023-34872 (A vulnerability in Outline.cc for Poppler prior to 23.06.0 
allows a re ...)
[experimental] - poppler 23.08.0-1
-   - poppler  (bug #1042811)
+   - poppler 24.02.0-2 (bug #1042811)
[bookworm] - poppler  (Minor issue)
[bullseye] - poppler  (Vulnerable code introduced later)
[buster] - poppler  (Vulnerable code introduced later)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/885fb70850ee0d657c17401fb773a03c09372a69



[Git][security-tracker-team/security-tracker][master] new hdf5 issues

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a144a51f by Moritz Muehlenhoff at 2024-05-10T10:50:26+02:00
new hdf5 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -242,15 +242,30 @@ CVE-2024-34200 (TOTOLINK CPE CP450 v4.1.0cu.747_B20191224 
was discovered to cont
 CVE-2024-34074 (Frappe is a full-stack web application framework. Prior to 
15.26.0 and ...)
NOT-FOR-US: Frappe Framework
 CVE-2024-33877 (HDF5 Library through 1.14.3 has a heap-based buffer overflow 
in H5T__c ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-33876 (HDF5 Library through 1.14.3 has a heap buffer overflow in 
H5S__point_d ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-33875 (HDF5 Library through 1.14.3 has a heap-based buffer overflow 
in H5O__l ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-33874 (HDF5 Library through 1.14.3 has a heap buffer overflow in 
H5O__mtime_n ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-33873 (HDF5 Library through 1.14.3 has a heap-based buffer overflow 
in H5D__s ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-33454 (Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote 
attacke ...)
NOT-FOR-US: esp-idf
 CVE-2024-32874 (Frigate is a network video recorder (NVR) with realtime local 
object d ...)
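Review bot: all five new hdf5 entries carry the same NOTE, the vendor's release announcement for 1.14.4, and no per-CVE fix commit or affected-function reference; with bookworm and bullseye marked Minor issue, a later backport assessment will have to locate the individual fixes anyway. Recording the upstream commit per CVE (or at least the function named in each description) next to the shared link would make the Minor issue call checkable.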
@@ -276,43 +291,100 @@ CVE-2024-32712 (Missing Authorization vulnerability in 
Podlove Podlove Podcast P
 CVE-2024-32655 (Npgsql is the .NET data provider for PostgreSQL. In 8.0.2 and 
earlier, ...)
TODO: check
 CVE-2024-32624 (HDF5 Library through 1.14.3 contains a heap-based buffer 
overflow in H ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-32623 (HDF5 Library through 1.14.3 contains a heap-based buffer 
overflow in H ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-32622 (HDF5 Library through 1.14.3 contains a out-of-bounds read 
operation in ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-32621 (HDF5 Library through 1.14.3 contains a heap-based buffer 
overflow in H ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-32620 (HDF5 Library through 1.14.3 contains a heap-based buffer 
over-read in  ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-32619 (HDF5 Library through 1.14.3 contains a heap-based buffer 
overflow in H ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-32618 (HDF5 Library through 1.14.3 contains a heap-based buffer 
overflow in H ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-32617 (HDF5 Library through 1.14.3 contains a heap-based buffer 
over-read cau ...)
-   TODO: check
+   - hdf5 
+   [bookworm] - hdf5  (Minor issue)
+   [bullseye] - hdf5  (Minor issue)
+   NOTE: 
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
 CVE-2024-32616 (HDF5 Library through 1.14.3 contains a heap-based buffer 
over-read in  ...)
-   TODO: check
+   - hdf5 
+   

[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8dc491d by Moritz Muehlenhoff at 2024-05-10T10:18:56+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39,7 +39,7 @@ CVE-2024-4571
 CVE-2024-4567 (The Themify Shortcodes plugin for WordPress is vulnerable to 
Stored Cr ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4545 (All versions of EnterpriseDB Postgres Advanced Server (EPAS) 
from 15.0 ...)
-   TODO: check
+   NOT-FOR-US: EnterpriseDB
 CVE-2024-4542 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for 
WordPre ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4463 (The Squelch Tabs and Accordions Shortcodes plugin for WordPress 
is vul ...)
@@ -138,9 +138,9 @@ CVE-2024-3068 (The Custom Field Suite plugin for WordPress 
is vulnerable to Stor
 CVE-2024-34559 (Insertion of Sensitive Information into Log File vulnerability 
in Ghos ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-34557 (Cross-Site Request Forgery (CSRF) vulnerability in UkrSolution 
Barcode ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-34556 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-34550 (Insertion of Sensitive Information into Log File vulnerability 
in Alex ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-34549 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
@@ -192,15 +192,15 @@ CVE-2024-34417 (Improper Neutralization of Input During 
Web Page Generation ('Cr
 CVE-2024-34415 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-34354 (CMSaaSStarter is a SaaS template/boilerplate built with 
SvelteKit, Tai ...)
-   TODO: check
+   NOT-FOR-US: CMSaaSStarter
 CVE-2024-34352 (1Panel is an open source Linux server operation and 
maintenance manage ...)
-   TODO: check
+   NOT-FOR-US: 1Panel
 CVE-2024-34351 (Next.js is a React framework that can provide building blocks 
to creat ...)
-   TODO: check
+   NOT-FOR-US: Next.js
 CVE-2024-34350 (Next.js is a React framework that can provide building blocks 
to creat ...)
-   TODO: check
+   NOT-FOR-US: Next.js
 CVE-2024-34345 (The CycloneDX JavaScript library contains the core 
functionality of OW ...)
-   TODO: check
+   NOT-FOR-US: CycloneDX
 CVE-2024-34338 (A Blind command injection vulnerability in Tenda O3V2 
V1.0.0.12 and ea ...)
NOT-FOR-US: Tenda
 CVE-2024-34220 (Sourcecodester Human Resource Management System 1.0 is 
vulnerable to S ...)
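Review bot: `NOT-FOR-US: CycloneDX` on the CVE-2024-34345 line is broader than the description, which names the CycloneDX JavaScript library specifically; CycloneDX has several independent implementations, so `NOT-FOR-US: CycloneDX JavaScript library` would record exactly which one was checked and stop a later triager from assuming the other implementations were covered by this pass.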
@@ -214,7 +214,7 @@ CVE-2024-34217 (TOTOLINK CP450 v4.1.0cu.747_B20191224 was 
discovered to contain
 CVE-2024-34215 (TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to 
contain a stac ...)
NOT-FOR-US: TOTOLINK
 CVE-2024-34213 (TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to 
contain a stac ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-34212 (TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to 
contain a stac ...)
NOT-FOR-US: TOTOLINK
 CVE-2024-34211 (TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to 
contain a hard ...)
@@ -252,27 +252,27 @@ CVE-2024-33874 (HDF5 Library through 1.14.3 has a heap 
buffer overflow in H5O__m
 CVE-2024-33873 (HDF5 Library through 1.14.3 has a heap-based buffer overflow 
in H5D__s ...)
TODO: check
 CVE-2024-33454 (Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote 
attacke ...)
-   TODO: check
+   NOT-FOR-US: esp-idf
 CVE-2024-32874 (Frigate is a network video recorder (NVR) with realtime local 
object d ...)
-   TODO: check
+   NOT-FOR-US: Frigate
 CVE-2024-32739 (A sql injection vulnerability exists in CyberPower PowerPanel 
Enterpri ...)
-   TODO: check
+   NOT-FOR-US: CyberPower PowerPanel
 CVE-2024-32738 (A sql injection vulnerability exists in CyberPower PowerPanel 
Enterpri ...)
-   TODO: check
+   NOT-FOR-US: CyberPower PowerPanel
 CVE-2024-32737 (A sql injection vulnerability exists in CyberPower PowerPanel 
Enterpri ...)
-   TODO: check
+   NOT-FOR-US: CyberPower PowerPanel
 CVE-2024-32736 (A sql injection vulnerability exists in CyberPower PowerPanel 
Enterpri ...)
-   TODO: check
+   NOT-FOR-US: CyberPower PowerPanel
 CVE-2024-32735 (An issue regarding missing authentication for certain 
utilities exists ...)
-   TODO: check
+   NOT-FOR-US: CyberPower PowerPanel
 CVE-2024-32724 (Missing Authorization vulnerability in Woo product importer 
Sharkdrops ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-32719 (Missing Authorization vulnerability in WP Club Manager.This 
issue affe ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-32717 (Missing Authorization vulnerability in 
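Review bot: the context line for CVE-2024-33873 still reads `TODO: check` after this pass, and CVE-2024-33874 in the hunk header is in the same state; both are HDF5 library issues, and hdf5 is a Debian source package (see the `- hdf5` entries further up this page), so they cannot be closed as NOT-FOR-US and need a package line in a follow-up. Separately, the visible description of CVE-2024-32735 (`An issue regarding missing authentication for certain utilities exists ...`) does not name a product, so a short NOTE on why it was attributed to CyberPower PowerPanel would make that NFU verifiable.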

[Git][security-tracker-team/security-tracker][master] new golang-github-opencontainers-go-digest issue

2024-05-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b2005332 by Moritz Muehlenhoff at 2024-05-10T09:49:01+02:00
new golang-github-opencontainers-go-digest issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -117,7 +117,8 @@ CVE-2024-3807 (The Porto theme for WordPress is vulnerable 
to Local File Inclusi
 CVE-2024-3806 (The Porto theme for WordPress is vulnerable to Local File 
Inclusion in ...)
NOT-FOR-US: WordPress theme
 CVE-2024-3727 (A flaw was found in the github.com/containers/image library. 
This flaw ...)
-   TODO: check
+   - golang-github-opencontainers-go-digest 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274767
 CVE-2024-3722 (The Swift Performance Lite plugin for WordPress is vulnerable 
to unaut ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3680 (The Enter Addons \u2013 Ultimate Template Builder for Elementor 
plugin ...)
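Review bot: the description for CVE-2024-3727 names the github.com/containers/image library, but the new package line is `golang-github-opencontainers-go-digest`, and the only reference is the Red Hat bug; a NOTE stating that the affected code lives in go-digest (and whether a Debian package of containers/image itself, if one exists, also needs an entry) would let the next reader confirm the assignment without re-deriving it.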



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2005332243b2993ed2f397bf23eabf2613487d7



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] new unbound issue

2024-05-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6e04dc2f by Moritz Muehlenhoff at 2024-05-09T21:03:16+02:00
new unbound issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2024-33655
+   - unbound 1.20.0-1
+   NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2024-33655.txt
 CVE-2024-4693 [virtio-pci: fix use of a released vector]
- qemu 1:8.2.3+ds-1
[bookworm] - qemu  (Vulnerable code not present)
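Review bot: the new CVE-2024-33655 entry has no bracketed summary and no [bookworm]/[bullseye] lines, unlike the CVE-2024-4693 entry directly below it, which carries `[bookworm] - qemu (Vulnerable code not present)`; add a short `[...]` title from the linked nlnetlabs advisory and record whether the stable unbound versions are affected, since `- unbound 1.20.0-1` only documents the fix in unstable.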



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e04dc2f9968e8dd89e9294beaa0ee4241f31834



[Git][security-tracker-team/security-tracker][master] qemu spu

2024-05-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
347defbe by Moritz Mühlenhoff at 2024-05-09T16:41:45+02:00
qemu spu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -172,3 +172,11 @@ CVE-2024- [tryton zipbomb DoS]
[bookworm] - tryton-server 6.0.29-2+deb12u2
 CVE-2024-1141
[bookworm] - python-glance-store 4.1.1-1+deb12u1
+CVE-2024-3446
+   [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
+CVE-2024-3447
+   [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
+CVE-2024-26327
+   [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
+CVE-2024-26328
+   [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
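Review bot: the four new entries all point at the same bookworm upload 1:7.2+dfsg-7+deb12u6; make sure the corresponding CVE-2024-3446, CVE-2024-3447, CVE-2024-26327 and CVE-2024-26328 entries in data/CVE/list get matching `[bookworm] - qemu 1:7.2+dfsg-7+deb12u6` lines once the point update is accepted, so the two files agree on the fixed version.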



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/347defbebe102534688a1db80e56b0ab30b6cf63


