[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2024-35226

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
204ddf9c by Salvatore Bonaccorso at 2024-05-29T22:43:11+02:00
Add upstream tag information for CVE-2024-35226

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -125,7 +125,7 @@ CVE-2024-35226 (Smarty is a template engine for PHP, 
facilitating the separation
- smarty3 
- smarty4 
NOTE: 
https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
-   NOTE: 
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2
 (support/4)
+   NOTE: 
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2
 (v4.5.3)
NOTE: 
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a
 (v5.2.0)
 CVE-2024-23580 (HCL DRYiCE Optibot Reset Station is impacted byinsecure 
encryption of  ...)
NOT-FOR-US: HCL
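Review bot: the NOTE lines for the two fixing commits now both carry release tags (v4.5.3 and v5.2.0) rather than a branch name, which is the consistent form for upstream tag information; the smarty3 and smarty4 package lines in this hunk still have no fixed Debian version, so those remain to be filled in once the uploads land.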



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/204ddf9c79fa0f52dd5001c9ca84f1ff50d32323

-- 
This project does not include diff previews in email notifications.
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/204ddf9c79fa0f52dd5001c9ca84f1ff50d32323
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2024-28826/check-mk

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b92a2f2 by Salvatore Bonaccorso at 2024-05-29T22:34:00+02:00
Add CVE-2024-28826/check-mk

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -74,7 +74,7 @@ CVE-2024-31079 (When NGINX Plus or NGINX OSS are configured 
to use the HTTP/3 QU
 CVE-2024-28974 (Dell Data Protection Advisor, version(s) 19.9, contain(s) an 
Inadequat ...)
NOT-FOR-US: Dell
 CVE-2024-28826 (Improper restriction of local upload and download paths in 
check_sftp  ...)
-   TODO: check
+   - check-mk 
 CVE-2024-27313 (Zoho ManageEngine PAM360 is vulnerable to Stored XSS 
vulnerability. Th ...)
NOT-FOR-US: Zoho ManageEngine
 CVE-2024-25977 (The application does not change the session token when using 
the login ...)
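Review bot: the new `- check-mk ` line carries neither a fixed version nor a NOTE with the upstream advisory or fixing commit, unlike the other package entries in this series (smarty, linux, go-git) that pair the package line with a reference; adding the upstream reference here would let the entry be resolved later without re-researching it.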



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b92a2f229f53f30f54609b9b0330996d2424550



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
77c38f97 by Salvatore Bonaccorso at 2024-05-29T22:31:56+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,7 +5,7 @@ CVE-2024-5039 (The HUSKY \u2013 Products Filter Professional 
for WooCommerce plu
 CVE-2024-4358 (In Progress Telerik Report Server, version 2024 Q1 
(10.0.24.305) or ea ...)
NOT-FOR-US: Progress Telerik Report Server
 CVE-2024-3412 (The WP STAGING WordPress Backup Plugin \u2013 Migration Backup 
Restore ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-36470 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36427 (The file-serving function in TARGIT Decision Suite 23.2.15007 
allows a ...)
@@ -58,13 +58,13 @@ CVE-2024-35333 (A stack-buffer-overflow vulnerability 
exists in the read_charset
 CVE-2024-35311 (Yubico YubiKey 5 Series before 5.7.0, Security Key Series 
before 5.7.0 ...)
TODO: check
 CVE-2024-35284 (A vulnerability in the legacy chat component of Mitel 
MiContact Center ...)
-   TODO: check
+   NOT-FOR-US: Mitel
 CVE-2024-35283 (A vulnerability in the Ignite component of Mitel MiContact 
Center Busi ...)
-   TODO: check
+   NOT-FOR-US: Mitel
 CVE-2024-35200 (When NGINX Plus or NGINX OSS are configured to use the HTTP/3 
QUIC mod ...)
TODO: check
 CVE-2024-34715 (Fides is an open-source privacy engineering platform. The 
Fides webser ...)
-   TODO: check
+   NOT-FOR-US: Fides
 CVE-2024-34161 (When NGINX Plus or NGINX OSS are configured to use the HTTP/3 
QUIC mod ...)
TODO: check
 CVE-2024-32760 (When NGINX Plus or NGINX OSS are configured to use the HTTP/3 
QUIC mod ...)
@@ -72,11 +72,11 @@ CVE-2024-32760 (When NGINX Plus or NGINX OSS are configured 
to use the HTTP/3 QU
 CVE-2024-31079 (When NGINX Plus or NGINX OSS are configured to use the HTTP/3 
QUIC mod ...)
TODO: check
 CVE-2024-28974 (Dell Data Protection Advisor, version(s) 19.9, contain(s) an 
Inadequat ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2024-28826 (Improper restriction of local upload and download paths in 
check_sftp  ...)
TODO: check
 CVE-2024-27313 (Zoho ManageEngine PAM360 is vulnerable to Stored XSS 
vulnerability. Th ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine
 CVE-2024-25977 (The application does not change the session token when using 
the login ...)
TODO: check
 CVE-2024-25976 (When LDAP authentication is activated in the configuration it 
is possi ...)
@@ -306,7 +306,7 @@ CVE-2024-23948 (Multiple improper array index validation 
vulnerabilities exist i
 CVE-2024-23947 (Multiple improper array index validation vulnerabilities exist 
in the  ...)
TODO: check
 CVE-2024-23601 (A code injection vulnerability exists in the scan_lib.bin 
functionalit ...)
-   TODO: check
+   NOT-FOR-US: AutomationDirect
 CVE-2024-23315 (A read-what-where vulnerability exists in the Programming 
Software Con ...)
TODO: check
 CVE-2024-22590 (The TLS engine in Kwik commit 745fd4e2 does not track the 
current stat ...)
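Review bot: the NOT-FOR-US value for CVE-2024-23601 names AutomationDirect, but the truncated description visible here ("A code injection vulnerability exists in the scan_lib.bin functionalit ...") does not mention that vendor or product; the full CVE text should confirm the affected product before the entry is closed as not for Debian.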



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77c38f97ab77842a7e609b1d962159eb77b48014



[Git][security-tracker-team/security-tracker][master] Process NFUs

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a8e1a846 by Salvatore Bonaccorso at 2024-05-29T22:26:12+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,49 +1,49 @@
 CVE-2024-5185 (The EmbedAI application is susceptible to security issues that 
enable  ...)
-   TODO: check
+   NOT-FOR-US: EmbedAI application
 CVE-2024-5039 (The HUSKY \u2013 Products Filter Professional for WooCommerce 
plugin f ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4358 (In Progress Telerik Report Server, version 2024 Q1 
(10.0.24.305) or ea ...)
-   TODO: check
+   NOT-FOR-US: Progress Telerik Report Server
 CVE-2024-3412 (The WP STAGING WordPress Backup Plugin \u2013 Migration Backup 
Restore ...)
TODO: check
 CVE-2024-36470 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36427 (The file-serving function in TARGIT Decision Suite 23.2.15007 
allows a ...)
-   TODO: check
+   NOT-FOR-US: TARGIT Decision Suite
 CVE-2024-36378 (In JetBrains TeamCity before 2024.03.2 server was susceptible 
to DoS a ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36377 (In JetBrains TeamCity before 2024.03.2 certain TeamCity API 
endpoints  ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36376 (In JetBrains TeamCity before 2024.03.2 users could perform 
actions tha ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36375 (In JetBrains TeamCity before 2024.03.2 technical information 
regarding ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36374 (In JetBrains TeamCity before 2024.03.2 stored XSS via build 
step setti ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36373 (In JetBrains TeamCity before 2024.03.2 several stored XSS in 
untrusted ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36372 (In JetBrains TeamCity before 2023.05.5 reflected XSS on the 
subscripti ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36371 (In JetBrains TeamCity before 2023.05.5, 2023.11.5 stored XSS 
in Commit ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36370 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36369 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36368 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36367 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36366 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36365 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36364 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36363 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36362 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-36016 (In the Linux kernel, the following vulnerability has been 
resolved:  t ...)
- linux 
NOTE: 
https://git.kernel.org/linus/47388e807f85948eefc403a8a5fdc5b406a65d5a (6.10-rc1)
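Review bot: CVE-2024-3412 (WP STAGING WordPress Backup Plugin) is left at `TODO: check` while CVE-2024-5039, also a WordPress plugin, is marked `NOT-FOR-US: WordPress plugin` in the same hunk; the two should get the same triage unless there is a reason to keep the WP STAGING entry open.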
@@ -86,7 +86,7 @@ CVE-2024-25975 (The application implements an up- and 
downvote function which al
 CVE-2023-46297 (An issue was discovered on Mercusys MW325R EU V3 
MW325R(EU)_V3_1.11.0  ...)
TODO: check
 CVE-2023-42005 (IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak 
for Data  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-52881 (In the Linux kernel, the following vulnerability has been 
resolved:  t ...)
- linux 6.6.8-1
[bookworm] - linux 6.1.69-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8e1a846082136d154059e6013e98ba16ab292ef




[Git][security-tracker-team/security-tracker][master] Add CVE-2024-36016/linux

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c95236f6 by Salvatore Bonaccorso at 2024-05-29T22:13:19+02:00
Add CVE-2024-36016/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -45,7 +45,8 @@ CVE-2024-36363 (In JetBrains TeamCity before 2022.04.6, 
2022.10.5, 2023.05.5, 20
 CVE-2024-36362 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
TODO: check
 CVE-2024-36016 (In the Linux kernel, the following vulnerability has been 
resolved:  t ...)
-   TODO: check
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/47388e807f85948eefc403a8a5fdc5b406a65d5a (6.10-rc1)
 CVE-2024-35512 (An issue in hmq v1.5.5 allows attackers to cause a Denial of 
Service ( ...)
TODO: check
 CVE-2024-35492 (Cesanta Mongoose commit b316989 was discovered to contain a 
NULL point ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c95236f6d1aded55679e2f66f1d09586667c6348



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2a6af29 by security tracker role at 2024-05-29T20:11:54+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,92 @@
-CVE-2023-52881 [tcp: do not accept ACK of bytes we never sent]
+CVE-2024-5185 (The EmbedAI application is susceptible to security issues that 
enable  ...)
+   TODO: check
+CVE-2024-5039 (The HUSKY \u2013 Products Filter Professional for WooCommerce 
plugin f ...)
+   TODO: check
+CVE-2024-4358 (In Progress Telerik Report Server, version 2024 Q1 
(10.0.24.305) or ea ...)
+   TODO: check
+CVE-2024-3412 (The WP STAGING WordPress Backup Plugin \u2013 Migration Backup 
Restore ...)
+   TODO: check
+CVE-2024-36470 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
+   TODO: check
+CVE-2024-36427 (The file-serving function in TARGIT Decision Suite 23.2.15007 
allows a ...)
+   TODO: check
+CVE-2024-36378 (In JetBrains TeamCity before 2024.03.2 server was susceptible 
to DoS a ...)
+   TODO: check
+CVE-2024-36377 (In JetBrains TeamCity before 2024.03.2 certain TeamCity API 
endpoints  ...)
+   TODO: check
+CVE-2024-36376 (In JetBrains TeamCity before 2024.03.2 users could perform 
actions tha ...)
+   TODO: check
+CVE-2024-36375 (In JetBrains TeamCity before 2024.03.2 technical information 
regarding ...)
+   TODO: check
+CVE-2024-36374 (In JetBrains TeamCity before 2024.03.2 stored XSS via build 
step setti ...)
+   TODO: check
+CVE-2024-36373 (In JetBrains TeamCity before 2024.03.2 several stored XSS in 
untrusted ...)
+   TODO: check
+CVE-2024-36372 (In JetBrains TeamCity before 2023.05.5 reflected XSS on the 
subscripti ...)
+   TODO: check
+CVE-2024-36371 (In JetBrains TeamCity before 2023.05.5, 2023.11.5 stored XSS 
in Commit ...)
+   TODO: check
+CVE-2024-36370 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
+   TODO: check
+CVE-2024-36369 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
+   TODO: check
+CVE-2024-36368 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
+   TODO: check
+CVE-2024-36367 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
+   TODO: check
+CVE-2024-36366 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
+   TODO: check
+CVE-2024-36365 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
+   TODO: check
+CVE-2024-36364 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
+   TODO: check
+CVE-2024-36363 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
+   TODO: check
+CVE-2024-36362 (In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 
2023.11. ...)
+   TODO: check
+CVE-2024-36016 (In the Linux kernel, the following vulnerability has been 
resolved:  t ...)
+   TODO: check
+CVE-2024-35512 (An issue in hmq v1.5.5 allows attackers to cause a Denial of 
Service ( ...)
+   TODO: check
+CVE-2024-35492 (Cesanta Mongoose commit b316989 was discovered to contain a 
NULL point ...)
+   TODO: check
+CVE-2024-35434 (Irontec Sngrep v1.8.1 was discovered to contain a heap buffer 
overflow ...)
+   TODO: check
+CVE-2024-35333 (A stack-buffer-overflow vulnerability exists in the 
read_charset_decl  ...)
+   TODO: check
+CVE-2024-35311 (Yubico YubiKey 5 Series before 5.7.0, Security Key Series 
before 5.7.0 ...)
+   TODO: check
+CVE-2024-35284 (A vulnerability in the legacy chat component of Mitel 
MiContact Center ...)
+   TODO: check
+CVE-2024-35283 (A vulnerability in the Ignite component of Mitel MiContact 
Center Busi ...)
+   TODO: check
+CVE-2024-35200 (When NGINX Plus or NGINX OSS are configured to use the HTTP/3 
QUIC mod ...)
+   TODO: check
+CVE-2024-34715 (Fides is an open-source privacy engineering platform. The 
Fides webser ...)
+   TODO: check
+CVE-2024-34161 (When NGINX Plus or NGINX OSS are configured to use the HTTP/3 
QUIC mod ...)
+   TODO: check
+CVE-2024-32760 (When NGINX Plus or NGINX OSS are configured to use the HTTP/3 
QUIC mod ...)
+   TODO: check
+CVE-2024-31079 (When NGINX Plus or NGINX OSS are configured to use the HTTP/3 
QUIC mod ...)
+   TODO: check
+CVE-2024-28974 (Dell Data Protection Advisor, version(s) 19.9, contain(s) an 
Inadequat ...)
+   TODO: check
+CVE-2024-28826 (Improper restriction of local upload and download paths in 
check_sftp  ...)
+   TODO: check
+CVE-2024-27313 (Zoho ManageEngine PAM360 is vulnerable to Stored XSS 
vulnerability. Th ...)
+   TODO: check
+CVE-2024-25977 (The application does not change the session token when using 
the login ...)
+   TODO: check
+CVE-2024-25976 (When LDAP 
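Review bot: the hunk as delivered is cut off after `+CVE-2024-25976 (When LDAP`, so the line that replaces the removed `-CVE-2023-52881 [tcp: do not accept ACK of bytes we never sent]` placeholder is not visible here; the commit page should be checked to confirm the entry was rewritten with the published description rather than dropped.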

[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-4956{8,9} via unstable

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c942c9eb by Salvatore Bonaccorso at 2024-05-29T20:44:17+02:00
Track fixed version for CVE-2023-4956{8,9} via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -40946,11 +40946,11 @@ CVE-2023-51806 (File Upload vulnerability in Ujcms 
v.8.0.2 allows a local attack
 CVE-2023-51790 (Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a 
remote  ...)
- piwigo 
 CVE-2023-49569 (A path traversal vulnerability was discovered in go-git 
versions prior ...)
-   - golang-github-go-git-go-git  (bug #1060701)
+   - golang-github-go-git-go-git 5.11.0-1 (bug #1060701)
[bookworm] - golang-github-go-git-go-git  (Minor issue)
NOTE: 
https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88
 CVE-2023-49568 (A denial of service (DoS) vulnerability was discovered in 
go-git versi ...)
-   - golang-github-go-git-go-git  (bug #1060701)
+   - golang-github-go-git-go-git 5.11.0-1 (bug #1060701)
[bookworm] - golang-github-go-git-go-git  (Minor issue)
NOTE: 
https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r
 CVE-2023-49262 (The authentication mechanism can be bypassed by overflowing 
the value  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c942c9eb7a51740a22762d33c40fb2adb24b7118



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2024-29415

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f75fd0dd by Salvatore Bonaccorso at 2024-05-29T20:40:59+02:00
Update notes for CVE-2024-29415

The fix landed for now only in experimental, so move the fixing version
there.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -339,7 +339,8 @@ CVE-2024-34477 (configureNFS in lib/common/functions.sh in 
FOG through 1.5.10 al
 CVE-2024-32978 (Kaminari is a paginator for web app frameworks and object 
relational m ...)
- ruby-kaminari  (Doesn't affect Kaminari as shipped by 
Debian)
 CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF 
because some ...)
-   - node-ip 2.0.1+~1.1.3-2 (bug #1072121)
+   [experimental] - node-ip 2.0.1+~1.1.3-2
+   - node-ip  (bug #1072121)
[bookworm] - node-ip  (Minor issue)
[bullseye] - node-ip  (Minor issue)
NOTE: https://github.com/indutny/node-ip/issues/150



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f75fd0dd2b46f9c4e032c67e31c50b7f91a4f31e



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-52881/linux

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c5c8c2b by Salvatore Bonaccorso at 2024-05-29T16:48:52+02:00
Add CVE-2023-52881/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2023-52881 [tcp: do not accept ACK of bytes we never sent]
+   - linux 6.6.8-1
+   [bookworm] - linux 6.1.69-1
+   [bullseye] - linux 5.10.205-1
+   [buster] - linux 4.19.304-1
+   NOTE: 
https://git.kernel.org/linus/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27 (6.7-rc5)
 CVE-2024-5437 (A vulnerability was found in SourceCodester Simple Online 
Bidding Syst ...)
NOT-FOR-US: SourceCodester Simple Online Bidding System
 CVE-2024-5204 (The Swiss Toolkit For WP plugin for WordPress is vulnerable to 
authent ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c5c8c2b5b43aca66856537f04a2066b42ea769f



[Git][security-tracker-team/security-tracker][master] Note potential behaviour change for CVE-2024-3202{0,4}

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b7a41f22 by Salvatore Bonaccorso at 2024-05-29T15:50:02+02:00
Note potential behaviour change for CVE-2024-3202{0,4}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6821,10 +6821,12 @@ CVE-2024-32020 (Git is a revision control system. Prior 
to versions 2.45.1, 2.44
NOTE: https://github.com/git/git/security/advisories/GHSA-5rfh-556j-fhgj
NOTE: 
https://github.com/git/git/commit/1204e1a824c34071019fe106348eaa6d88f9528d
NOTE: 
https://github.com/git/git/commit/9e65df5eab274bf74c7b570107aacd1303a1e703
+   NOTE: Regression: 
https://lore.kernel.org/git/924426.1716570...@dash.ant.isi.edu/T/#u
 CVE-2024-32004 (Git is a revision control system. Prior to versions 2.45.1, 
2.44.1, 2. ...)
- git 1:2.45.1-1 (bug #1071160)
NOTE: https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389
NOTE: 
https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
+   NOTE: Regression: 
https://lore.kernel.org/git/924426.1716570...@dash.ant.isi.edu/T/#u
 CVE-2024-32002 (Git is a revision control system. Prior to versions 2.45.1, 
2.44.1, 2. ...)
- git 1:2.45.1-1 (bug #1071160)
NOTE: https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv
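Review bot: both added `NOTE: Regression:` lines point at `https://lore.kernel.org/git/924426.1716570...@dash.ant.isi.edu/T/#u`, where the message-id contains `...`, so the link does not resolve as shown here; confirm that the committed data/CVE/list carries the full message-id and that the elision is only an artifact of the notification.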



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7a41f2245112ccee083837fa0ad69f2a1398108



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fe2fc4ce by Salvatore Bonaccorso at 2024-05-29T11:22:14+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,19 +1,19 @@
 CVE-2024-5437 (A vulnerability was found in SourceCodester Simple Online 
Bidding Syst ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Simple Online Bidding System
 CVE-2024-5204 (The Swiss Toolkit For WP plugin for WordPress is vulnerable to 
authent ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5150 (The Login with phone number plugin for WordPress is vulnerable 
to auth ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5086 (The Essential Addons for Elementor PRO \u2013 Best Elementor 
Templates ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4611 (The AppPresser plugin for WordPress is vulnerable to improper 
missing  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4419 (The Fetch JFT plugin for WordPress is vulnerable to Stored 
Cross-Site  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3937 (The Playlist for Youtube WordPress plugin through 1.32 does not 
saniti ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3921 (The Gianism WordPress plugin through 5.1.0 does not sanitise 
and escap ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3050 (The Site Reviews WordPress plugin before 7.0.0 retrieves client 
IP add ...)
TODO: check
 CVE-2024-36112 (Nautobot is a Network Source of Truth and Network Automation 
Platform. ...)
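Review bot: CVE-2024-3050 (Site Reviews WordPress plugin) stays at `TODO: check` while the seven other WordPress plugin entries in this hunk are marked `NOT-FOR-US: WordPress plugin`; if it was skipped deliberately a short note on why would help the next pass, otherwise it should get the same triage.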
@@ -21,11 +21,11 @@ CVE-2024-36112 (Nautobot is a Network Source of Truth and 
Network Automation Pla
 CVE-2024-35548 (A SQL injection vulnerability in Mybatis plus versions below 
3.5.6 all ...)
TODO: check
 CVE-2024-35511 (phpgurukul Men Salon Management System v2.0 is vulnerable to 
SQL Injec ...)
-   TODO: check
+   NOT-FOR-US: phpgurukul Men Salon Management System
 CVE-2024-35240 (Umbraco Commerce is an open source dotnet ecommerce solution. 
In affec ...)
-   TODO: check
+   NOT-FOR-US: Umbraco Commerce
 CVE-2024-35239 (Umbraco Commerce is an open source dotnet web forms solution. 
In affec ...)
-   TODO: check
+   NOT-FOR-US: Umbraco Commerce
 CVE-2024-35226 (Smarty is a template engine for PHP, facilitating the 
separation of pr ...)
TODO: check
 CVE-2024-23580 (HCL DRYiCE Optibot Reset Station is impacted byinsecure 
encryption of  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe2fc4cef2dd35ca89a21ea3609ccdf814e597c4



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3fa11a25 by security tracker role at 2024-05-29T08:11:54+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,49 @@
-CVE-2024-36015 [ppdev: Add an error check in register_device]
+CVE-2024-5437 (A vulnerability was found in SourceCodester Simple Online 
Bidding Syst ...)
+   TODO: check
+CVE-2024-5204 (The Swiss Toolkit For WP plugin for WordPress is vulnerable to 
authent ...)
+   TODO: check
+CVE-2024-5150 (The Login with phone number plugin for WordPress is vulnerable 
to auth ...)
+   TODO: check
+CVE-2024-5086 (The Essential Addons for Elementor PRO \u2013 Best Elementor 
Templates ...)
+   TODO: check
+CVE-2024-4611 (The AppPresser plugin for WordPress is vulnerable to improper 
missing  ...)
+   TODO: check
+CVE-2024-4419 (The Fetch JFT plugin for WordPress is vulnerable to Stored 
Cross-Site  ...)
+   TODO: check
+CVE-2024-3937 (The Playlist for Youtube WordPress plugin through 1.32 does not 
saniti ...)
+   TODO: check
+CVE-2024-3921 (The Gianism WordPress plugin through 5.1.0 does not sanitise 
and escap ...)
+   TODO: check
+CVE-2024-3050 (The Site Reviews WordPress plugin before 7.0.0 retrieves client 
IP add ...)
+   TODO: check
+CVE-2024-36112 (Nautobot is a Network Source of Truth and Network Automation 
Platform. ...)
+   TODO: check
+CVE-2024-35548 (A SQL injection vulnerability in Mybatis plus versions below 
3.5.6 all ...)
+   TODO: check
+CVE-2024-35511 (phpgurukul Men Salon Management System v2.0 is vulnerable to 
SQL Injec ...)
+   TODO: check
+CVE-2024-35240 (Umbraco Commerce is an open source dotnet ecommerce solution. 
In affec ...)
+   TODO: check
+CVE-2024-35239 (Umbraco Commerce is an open source dotnet web forms solution. 
In affec ...)
+   TODO: check
+CVE-2024-35226 (Smarty is a template engine for PHP, facilitating the 
separation of pr ...)
+   TODO: check
+CVE-2024-23580 (HCL DRYiCE Optibot Reset Station is impacted byinsecure 
encryption of  ...)
+   TODO: check
+CVE-2024-23579 (HCL DRYiCE Optibot Reset Station is impacted by insecure 
encryption of ...)
+   TODO: check
+CVE-2024-22641 (TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular 
Express ...)
+   TODO: check
+CVE-2024-21512 (Versions of the package mysql2 before 3.9.8 are vulnerable to 
Prototyp ...)
+   TODO: check
+CVE-2024-0434 (The WordPress Tour & Travel Booking Plugin for WooCommerce 
\u2013 WpTr ...)
+   TODO: check
+CVE-2023-6743 (The Unlimited Elements For Elementor (Free Widgets, Addons, 
Templates) ...)
+   TODO: check
+CVE-2024-36015 (In the Linux kernel, the following vulnerability has been 
resolved:  p ...)
- linux 
NOTE: 
https://git.kernel.org/linus/fbf740aeb86a4fe82ad158d26d711f2f3be79b3e (6.10-rc1)
-CVE-2024-36014 [drm/arm/malidp: fix a possible null pointer dereference]
+CVE-2024-36014 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
- linux 
NOTE: 
https://git.kernel.org/linus/a1f95aede6285dba6dd036d907196f35ae3a11ea (6.10-rc1)
 CVE-2024-5434 (The Campbell Scientific CSI Web Server stores web 
authentication crede ...)
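Review bot: five of the TODO: check entries added in this hunk are WordPress plugin issues by their own descriptions (CVE-2024-4419, CVE-2024-3937, CVE-2024-3921, CVE-2024-3050, CVE-2024-0434) and can be triaged directly to NOT-FOR-US: WordPress plugin, the label the file already uses for CVE-2024-32679, rather than waiting for a separate NFU pass.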
@@ -7111,7 +7153,8 @@ CVE-2024-4853 (Memory handling issue in editcap could 
cause denial of service vi
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19724
 CVE-2024-4840 (An flaw was found in the OpenStack Platform (RHOSP) director, a 
toolse ...)
NOT-FOR-US: Red Hat OpenStack Platform
-CVE-2024-4810 (In register_device, the return value of ida_simple_get is 
unchecked, i ...)
+CVE-2024-4810
+   REJECTED
TODO: check
 CVE-2024-4712 (An arbitrary file creation vulnerability exists in PaperCut 
NG/MF that ...)
NOT-FOR-US: PaperCut NG/MF
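Review bot: the unchanged TODO: check line directly under the new REJECTED marker for CVE-2024-4810 should go too; a rejected ID has nothing left to triage, and the other entries switched to REJECTED in this batch (CVE-2024-3205, CVE-2021-47487) are cut down to the bare marker.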
@@ -17316,11 +17359,13 @@ CVE-2024-3651 [potential DoS via resource consumption 
via specially crafted inpu
NOTE: 
https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274779
NOTE: Fixed by: 
https://github.com/kjd/idna/commit/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7 
(v3.7)
-CVE-2024-24863 (In malidp_mw_connector_reset, new memory is allocated with 
kzalloc, bu ...)
+CVE-2024-24863
+   REJECTED
- linux 
NOTE: 
https://git.kernel.org/linus/a1f95aede6285dba6dd036d907196f35ae3a11ea (6.10-rc1)
NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8750
-CVE-2024-24862 (In function pci1_spi_probe, there is a potential null 
pointer that ...)
+CVE-2024-24862
+   REJECTED
- linux 6.8.9-1
[bookworm] - linux  (Vulnerable code not present)
[bullseye] - linux  (Vulnerable code not present)
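Review bot: CVE-2024-24863 and CVE-2024-24862 are flipped to REJECTED but keep their linux package lines, [bookworm]/[bullseye] annotations and NOTE references, whereas the rejected kernel entries handled elsewhere in this batch are reduced to the REJECTED marker alone; either strip the stale lines here as well or add a NOTE saying why they are kept (for CVE-2024-24862 the 6.8.9-1 fixed version would otherwise be the only record that the change shipped).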
@@ -58220,7 +58265,7 @@ CVE-2023-36701 (Microsoft Resilient File System (ReFS) 
Elevation of 

[Git][security-tracker-team/security-tracker][master] Add CVE-2024-36015/linux

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f1910496 by Salvatore Bonaccorso at 2024-05-29T09:59:23+02:00
Add CVE-2024-36015/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2024-36015 [ppdev: Add an error check in register_device]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/fbf740aeb86a4fe82ad158d26d711f2f3be79b3e (6.10-rc1)
 CVE-2024-36014 [drm/arm/malidp: fix a possible null pointer dereference]
- linux 
NOTE: 
https://git.kernel.org/linus/a1f95aede6285dba6dd036d907196f35ae3a11ea (6.10-rc1)
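Review bot: the description that CVE-2024-4810 carried before it was rejected in this same batch (unchecked ida_simple_get return value in register_device) matches the title of this new entry, ppdev: Add an error check in register_device; a NOTE cross-referencing the rejected ID would stop the issue being triaged twice and explain why CVE-2024-4810 no longer lists the fix.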



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1910496155aea46caaf4d58da1fc4be05fdbee2



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-36014/linux

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e02e4ed5 by Salvatore Bonaccorso at 2024-05-29T08:25:40+02:00
Add CVE-2024-36014/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2024-36014 [drm/arm/malidp: fix a possible null pointer dereference]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/a1f95aede6285dba6dd036d907196f35ae3a11ea (6.10-rc1)
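Review bot: the fix commit recorded here for CVE-2024-36014 (a1f95aede6285dba6dd036d907196f35ae3a11ea, 6.10-rc1) is the same one still listed under CVE-2024-24863, which is marked REJECTED elsewhere in this batch; add a NOTE naming the superseded ID so the two entries are linked, and drop the stale package and NOTE lines from the rejected one.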
 CVE-2024-5434 (The Campbell Scientific CSI Web Server stores web 
authentication crede ...)
NOT-FOR-US: Campbell Scientific CSI Web Server
 CVE-2024-5433 (The Campbell Scientific CSI Web Server supports a command that 
will re ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e02e4ed56d115e05c3cbb0d83033bd71d0fdbcdf



[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-3205

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ea51b757 by Salvatore Bonaccorso at 2024-05-28T23:01:02+02:00
Remove notes from CVE-2024-3205

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21302,10 +21302,6 @@ CVE-2024-3207 (A vulnerability was found in ermig1979 
Simd up to 6.0.134. It has
NOT-FOR-US: ermig1979 Simd
 CVE-2024-3205
REJECTED
-   NOTE: Non issue reported for libyaml:
-   NOTE: https://github.com/yaml/libyaml/issues/258#issuecomment-2058613931
-   NOTE: https://vuldb.com/?submit.304561
-   NOTE: https://github.com/yaml/libyaml/issues/289
 CVE-2024-3204 (A vulnerability has been found in c-blosc2 up to 2.13.2 and 
classified ...)
- c-blosc2 2.13.1+ds-3
NOTE: 
https://github.com/Blosc/c-blosc2/commit/892f6d9c8ffc6e3c4d571df8fc02114f88c69b52
 (v2.14.2)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea51b757a013c75e3ae0e8fa7b1dca398943212c



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-3657/389-ds-base

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03284306 by Salvatore Bonaccorso at 2024-05-28T22:42:14+02:00
Add CVE-2024-3657/389-ds-base

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,7 +19,9 @@ CVE-2024-4429 (Cross-Site Request Forgery vulnerabilityhas 
been discovered in Op
 CVE-2024-3969 (XML External Entity injection vulnerability foundin 
OpenText\u2122 iMa ...)
NOT-FOR-US: OpenText iManager
 CVE-2024-3657 (A flaw was found in 389-ds-base. A specially-crafted LDAP query 
can po ...)
-   TODO: check
+   - 389-ds-base 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274401
+   TODO: check provided details
 CVE-2024-36472 (In GNOME Shell through 45.7, a portal helper can be launched 
automatic ...)
- gnome-shell 
NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688
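Review bot: the TODO for CVE-2024-3657 is narrowed to 'check provided details' with a Red Hat bugzilla pointer, but the entry still lacks an upstream fix reference, and CVE-2024-2199, the other 389-ds-base denial-of-service entry in this batch, is still a bare TODO: check; triage both in one pass and record the fix commits together.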



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03284306e27f50d0150be67583e40b75f3867135



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-36472/gnome-shell

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4de3989f by Salvatore Bonaccorso at 2024-05-28T22:40:05+02:00
Add CVE-2024-36472/gnome-shell

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21,7 +21,8 @@ CVE-2024-3969 (XML External Entity injection vulnerability 
foundin OpenText\u212
 CVE-2024-3657 (A flaw was found in 389-ds-base. A specially-crafted LDAP query 
can po ...)
TODO: check
 CVE-2024-36472 (In GNOME Shell through 45.7, a portal helper can be launched 
automatic ...)
-   TODO: check
+   - gnome-shell 
+   NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688
 CVE-2024-36110 (ansibleguy-webui is an open source WebUI for using Ansible. 
Multiple f ...)
TODO: check
 CVE-2024-36109 (CoCalc is web-based software that enables collaboration in 
research, t ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4de3989f3523db601fbb25eb6edfd40575e141dc



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0bb978b1 by Salvatore Bonaccorso at 2024-05-28T22:38:55+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39,65 +39,65 @@ CVE-2024-35581 (A cross-site scripting (XSS) vulnerability 
in Sourcecodester Lab
 CVE-2024-35563 (CDG-Server-V5.6.2.126.139 and earlier was discovered to 
contain a SQL  ...)
TODO: check
 CVE-2024-35510 (An arbitrary file upload vulnerability in 
/dede/file_manage_control.ph ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-35403 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a sta ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-35401 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a com ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-35400 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a sta ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-35399 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a sta ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-35398 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a sta ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-35397 (TOTOLINK CP900L v4.1.5cu.798_B20221228 weas discovered to 
contain a co ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-35344 (Certain Anpviz products contain a hardcoded cryptographic key 
stored i ...)
-   TODO: check
+   NOT-FOR-US: Anpviz
 CVE-2024-35343 (Certain Anpviz products allow unauthenticated users to 
download arbitr ...)
-   TODO: check
+   NOT-FOR-US: Anpviz
 CVE-2024-35342 (Certain Anpviz products allow unauthenticated users to modify 
or disab ...)
-   TODO: check
+   NOT-FOR-US: Anpviz
 CVE-2024-35341 (Certain Anpviz products allow unauthenticated users to 
download the ru ...)
-   TODO: check
+   NOT-FOR-US: Anpviz
 CVE-2024-35324 (Douchat 4.0.5 suffers from an arbitrary file upload 
vulnerability via  ...)
-   TODO: check
+   NOT-FOR-US: Douchat
 CVE-2024-34854 (F-logic DataCube3 v1.0 is vulnerable to File Upload via 
`/admin/transc ...)
-   TODO: check
+   NOT-FOR-US: F-logic DataCube3
 CVE-2024-34852 (F-logic DataCube3 v1.0 is affected by command injection due to 
imprope ...)
-   TODO: check
+   NOT-FOR-US: F-logic DataCube3
 CVE-2024-33849 (ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a 
Hard-code ...)
-   TODO: check
+   NOT-FOR-US: ci solution CI-Out-of-Office Manager
 CVE-2024-33808 (A SQL injection vulnerability in /model/get_timetable.php in 
campcodes ...)
-   TODO: check
+   NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-33807 (A SQL injection vulnerability in 
/model/get_teacher_timetable.php in c ...)
-   TODO: check
+   NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-33806 (A SQL injection vulnerability in /model/get_grade.php in 
campcodes Com ...)
-   TODO: check
+   NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-33805 (A SQL injection vulnerability in /model/get_student.php in 
campcodes C ...)
-   TODO: check
+   NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-33804 (A SQL injection vulnerability in /model/get_subject.php in 
campcodes C ...)
-   TODO: check
+   NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-33803 (A SQL injection vulnerability in /model/get_exam.php in 
campcodes Comp ...)
-   TODO: check
+   NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-33802 (A SQL injection vulnerability in 
/model/get_student_subject.php in cam ...)
-   TODO: check
+   NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-33801 (A SQL injection vulnerability in 
/model/get_subject_routing.php in cam ...)
-   TODO: check
+   NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-33800 (A SQL injection vulnerability in /model/get_student1.php in 
campcodes  ...)
-   TODO: check
+   NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-33799 (A SQL injection vulnerability in /model/get_teacher.php in 
campcodes C ...)
-   TODO: check
+   NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-33450 (SQL Injection in Finereport v.8.0 allows a remote attacker to 
obtain s ...)
-   TODO: check
+   NOT-FOR-US: Finereport
 CVE-2024-33402 (A SQL injection vulnerability in /model/approve_petty_cash.php 
in camp ...)
-   TODO: check
+   NOT-FOR-US: campcodes Complete Web-Based School Management System
 CVE-2024-30212 (If a SCSI READ(10) command is 

[Git][security-tracker-team/security-tracker][master] Add CVE-2024-36107/minio, itp'ed

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee53cefa by Salvatore Bonaccorso at 2024-05-28T22:31:08+02:00
Add CVE-2024-36107/minio, itp'ed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27,7 +27,7 @@ CVE-2024-36110 (ansibleguy-webui is an open source WebUI for 
using Ansible. Mult
 CVE-2024-36109 (CoCalc is web-based software that enables collaboration in 
research, t ...)
TODO: check
 CVE-2024-36107 (MinIO is a High Performance Object Storage released under GNU 
Affero G ...)
-   TODO: check
+   - minio  (bug #859207)
 CVE-2024-35621 (A cross-site scripting (XSS) vulnerability in the Edit 
function of For ...)
TODO: check
 CVE-2024-35583 (A cross-site scripting (XSS) vulnerability in Sourcecodester 
Laborator ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee53cefa5bb5b65601466b21a79c4c555635a0d4



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b6185ad6 by Salvatore Bonaccorso at 2024-05-28T22:30:28+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,23 +1,23 @@
 CVE-2024-5434 (The Campbell Scientific CSI Web Server stores web 
authentication crede ...)
-   TODO: check
+   NOT-FOR-US: Campbell Scientific CSI Web Server
 CVE-2024-5433 (The Campbell Scientific CSI Web Server supports a command that 
will re ...)
-   TODO: check
+   NOT-FOR-US: Campbell Scientific CSI Web Server
 CVE-2024-5428 (A vulnerability classified as problematic was found in 
SourceCodester  ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Simple Online Bidding System
 CVE-2024-5415 (A vulnerability have been discovered in PhpMyBackupPro 
affecting versi ...)
-   TODO: check
+   NOT-FOR-US: PhpMyBackupPro
 CVE-2024-5414 (A vulnerability have been discovered in PhpMyBackupPro 
affecting versi ...)
-   TODO: check
+   NOT-FOR-US: PhpMyBackupPro
 CVE-2024-5413 (A vulnerability have been discovered in PhpMyBackupPro 
affecting versi ...)
-   TODO: check
+   NOT-FOR-US: PhpMyBackupPro
 CVE-2024-5411 (Missing input validation and OS command integration of the 
input in th ...)
-   TODO: check
+   NOT-FOR-US: ORing IAP-420 web-interface
 CVE-2024-5410 (Missing input validation in the ORing IAP-420 web-interface 
allows sto ...)
-   TODO: check
+   NOT-FOR-US: ORing IAP-420 web-interface
 CVE-2024-4429 (Cross-Site Request Forgery vulnerabilityhas been discovered in 
OpenTex ...)
-   TODO: check
+   NOT-FOR-US: OpenText iManager
 CVE-2024-3969 (XML External Entity injection vulnerability foundin 
OpenText\u2122 iMa ...)
-   TODO: check
+   NOT-FOR-US: OpenText iManager
 CVE-2024-3657 (A flaw was found in 389-ds-base. A specially-crafted LDAP query 
can po ...)
TODO: check
 CVE-2024-36472 (In GNOME Shell through 45.7, a portal helper can be launched 
automatic ...)
@@ -31,11 +31,11 @@ CVE-2024-36107 (MinIO is a High Performance Object Storage 
released under GNU Af
 CVE-2024-35621 (A cross-site scripting (XSS) vulnerability in the Edit 
function of For ...)
TODO: check
 CVE-2024-35583 (A cross-site scripting (XSS) vulnerability in Sourcecodester 
Laborator ...)
-   TODO: check
+   NOT-FOR-US: Sourcecodester Laboratory Management System
 CVE-2024-35582 (A cross-site scripting (XSS) vulnerability in Sourcecodester 
Laborator ...)
-   TODO: check
+   NOT-FOR-US: Sourcecodester Laboratory Management System
 CVE-2024-35581 (A cross-site scripting (XSS) vulnerability in Sourcecodester 
Laborator ...)
-   TODO: check
+   NOT-FOR-US: Sourcecodester Laboratory Management System
 CVE-2024-35563 (CDG-Server-V5.6.2.126.139 and earlier was discovered to 
contain a SQL  ...)
TODO: check
 CVE-2024-35510 (An arbitrary file upload vulnerability in 
/dede/file_manage_control.ph ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6185ad688cf2d794fc5e71c44b3d565884b8f6e



[Git][security-tracker-team/security-tracker][master] Process two NFUs

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee1f63f5 by Salvatore Bonaccorso at 2024-05-28T22:21:55+02:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -103,7 +103,7 @@ CVE-2024-2451 (Improper fingerprint validation in the 
TeamViewer Client (Full &
 CVE-2024-2199 (A denial of service vulnerability was found in 389-ds-base ldap 
server ...)
TODO: check
 CVE-2024-29072 (A privilege escalation vulnerability exists in the Foxit 
Reader 2024.2 ...)
-   TODO: check
+   NOT-FOR-US: Foxit Reader
 CVE-2024-28061 (An issue was discovered in Apiris Kafeo 6.4.4. It permits a 
bypass, of ...)
TODO: check
 CVE-2024-28060 (An issue was discovered in Apiris Kafeo 6.4.4. It permits DLL 
hijackin ...)
@@ -189,7 +189,7 @@ CVE-2023-43843 (Incorrect access control in the account 
management function of w
 CVE-2023-43842 (Incorrect access control in the account management function of 
web int ...)
TODO: check
 CVE-2023-37411 (IBM Aspera Faspex 5.0.0 through 5.0.6 is vulnerable to 
cross-site scri ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-35953 (Multiple stack-based buffer overflow vulnerabilities exist in 
the read ...)
TODO: check
 CVE-2023-35952 (Multiple stack-based buffer overflow vulnerabilities exist in 
the read ...)
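Review bot: the NOT-FOR-US label for CVE-2023-37411 names only the vendor (IBM), while the other NFU triage in this commit and batch names the product (Foxit Reader, Campbell Scientific CSI Web Server, OpenText iManager, PhpMyBackupPro); use IBM Aspera Faspex, as in the description, so the product turns up when the list is searched.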



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee1f63f56291cae52eaf9f2880ee00f622981b72



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for freerdp2 issues

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c14515c7 by Salvatore Bonaccorso at 2024-05-28T22:17:48+02:00
Add Debian bug reference for freerdp2 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14254,7 +14254,7 @@ CVE-2024-32679 (Missing Authorization vulnerability in 
Shared Files PRO Shared F
NOT-FOR-US: WordPress plugin
 CVE-2024-32661 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
- freerdp3 3.5.1+dfsg1-1 (bug #1069752)
-   - freerdp2 
+   - freerdp2  (bug #1072112)
[bookworm] - freerdp2  (Minor issue)
[bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p5m5-342g-pv9m
@@ -14262,14 +14262,14 @@ CVE-2024-32661 (FreeRDP is a free implementation of 
the Remote Desktop Protocol.
NOTE: Introduced by: 
https://github.com/FreeRDP/FreeRDP/commit/1b2b1c4ac14ac43f4e475488763d8659bd934eb6
 (2.0.0-beta1+android10)
 CVE-2024-32660 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. Prior ...)
- freerdp3 3.5.1+dfsg1-1 (bug #1069752)
-   - freerdp2 
+   - freerdp2  (bug #1072112)
[bookworm] - freerdp2  (Minor issue)
[bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxv6-2cw6-m3mx
NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/5e5d27cf310e4c10b854be7667bfb7a5d774eb47
 (3.5.1)
 CVE-2024-32659 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
- freerdp3 3.5.1+dfsg1-1 (bug #1069752)
-   - freerdp2 
+   - freerdp2  (bug #1072112)
[bookworm] - freerdp2  (Minor issue)
[bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jgr-7r33-x87w
@@ -14277,7 +14277,7 @@ CVE-2024-32659 (FreeRDP is a free implementation of the 
Remote Desktop Protocol.
NOTE: Introduced by: 
https://github.com/FreeRDP/FreeRDP/commit/c697941de2b7062821e004411ec18ea71e50a30d
 (1.2.0-beta1+android7)
 CVE-2024-32658 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. FreeR ...)
- freerdp3 3.5.1+dfsg1-1 (bug #1069752)
-   - freerdp2 
+   - freerdp2  (bug #1072112)
[bookworm] - freerdp2  (Minor issue)
[bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vpv3-m3m9-4c2v



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c14515c79a9ded2a350487c24a3553875a8b7b9a



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-4741

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b4885b05 by Salvatore Bonaccorso at 2024-05-28T22:14:50+02:00
Add Debian bug reference for CVE-2024-4741

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -201,7 +201,7 @@ CVE-2023-35950 (Multiple stack-based buffer overflow 
vulnerabilities exist in th
 CVE-2023-35949 (Multiple stack-based buffer overflow vulnerabilities exist in 
the read ...)
TODO: check
 CVE-2024-4741 [Use After Free with SSL_free_buffers]
-   - openssl 
+   - openssl  (bug #1072113)
[bookworm] - openssl  (Minor issue, fix along with next 
update round)
[bullseye] - openssl  (Minor issue, fix along with next 
update round)
NOTE: https://www.openssl.org/news/secadv/20240528.txt
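Review bot: CVE-2024-4741 now has the Debian bug reference on the unstable line, but the only upstream pointer is the advisory URL and the bookworm and bullseye lines postpone the fix to the next update round; add a NOTE with the fixing commit once it is identified so the postponed backports can be checked against it.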



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4885b05afde21045b9f349e24947d618ddef55f



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3cfed740 by security tracker role at 2024-05-28T20:12:41+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,205 @@
+CVE-2024-5434 (The Campbell Scientific CSI Web Server stores web 
authentication crede ...)
+   TODO: check
+CVE-2024-5433 (The Campbell Scientific CSI Web Server supports a command that 
will re ...)
+   TODO: check
+CVE-2024-5428 (A vulnerability classified as problematic was found in 
SourceCodester  ...)
+   TODO: check
+CVE-2024-5415 (A vulnerability have been discovered in PhpMyBackupPro 
affecting versi ...)
+   TODO: check
+CVE-2024-5414 (A vulnerability have been discovered in PhpMyBackupPro 
affecting versi ...)
+   TODO: check
+CVE-2024-5413 (A vulnerability have been discovered in PhpMyBackupPro 
affecting versi ...)
+   TODO: check
+CVE-2024-5411 (Missing input validation and OS command integration of the 
input in th ...)
+   TODO: check
+CVE-2024-5410 (Missing input validation in the ORing IAP-420 web-interface 
allows sto ...)
+   TODO: check
+CVE-2024-4429 (Cross-Site Request Forgery vulnerabilityhas been discovered in 
OpenTex ...)
+   TODO: check
+CVE-2024-3969 (XML External Entity injection vulnerability foundin 
OpenText\u2122 iMa ...)
+   TODO: check
+CVE-2024-3657 (A flaw was found in 389-ds-base. A specially-crafted LDAP query 
can po ...)
+   TODO: check
+CVE-2024-36472 (In GNOME Shell through 45.7, a portal helper can be launched 
automatic ...)
+   TODO: check
+CVE-2024-36110 (ansibleguy-webui is an open source WebUI for using Ansible. 
Multiple f ...)
+   TODO: check
+CVE-2024-36109 (CoCalc is web-based software that enables collaboration in 
research, t ...)
+   TODO: check
+CVE-2024-36107 (MinIO is a High Performance Object Storage released under GNU 
Affero G ...)
+   TODO: check
+CVE-2024-35621 (A cross-site scripting (XSS) vulnerability in the Edit 
function of For ...)
+   TODO: check
+CVE-2024-35583 (A cross-site scripting (XSS) vulnerability in Sourcecodester 
Laborator ...)
+   TODO: check
+CVE-2024-35582 (A cross-site scripting (XSS) vulnerability in Sourcecodester 
Laborator ...)
+   TODO: check
+CVE-2024-35581 (A cross-site scripting (XSS) vulnerability in Sourcecodester 
Laborator ...)
+   TODO: check
+CVE-2024-35563 (CDG-Server-V5.6.2.126.139 and earlier was discovered to 
contain a SQL  ...)
+   TODO: check
+CVE-2024-35510 (An arbitrary file upload vulnerability in 
/dede/file_manage_control.ph ...)
+   TODO: check
+CVE-2024-35403 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a sta ...)
+   TODO: check
+CVE-2024-35401 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a com ...)
+   TODO: check
+CVE-2024-35400 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a sta ...)
+   TODO: check
+CVE-2024-35399 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a sta ...)
+   TODO: check
+CVE-2024-35398 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a sta ...)
+   TODO: check
+CVE-2024-35397 (TOTOLINK CP900L v4.1.5cu.798_B20221228 weas discovered to 
contain a co ...)
+   TODO: check
+CVE-2024-35344 (Certain Anpviz products contain a hardcoded cryptographic key 
stored i ...)
+   TODO: check
+CVE-2024-35343 (Certain Anpviz products allow unauthenticated users to 
download arbitr ...)
+   TODO: check
+CVE-2024-35342 (Certain Anpviz products allow unauthenticated users to modify 
or disab ...)
+   TODO: check
+CVE-2024-35341 (Certain Anpviz products allow unauthenticated users to 
download the ru ...)
+   TODO: check
+CVE-2024-35324 (Douchat 4.0.5 suffers from an arbitrary file upload 
vulnerability via  ...)
+   TODO: check
+CVE-2024-34854 (F-logic DataCube3 v1.0 is vulnerable to File Upload via 
`/admin/transc ...)
+   TODO: check
+CVE-2024-34852 (F-logic DataCube3 v1.0 is affected by command injection due to 
imprope ...)
+   TODO: check
+CVE-2024-33849 (ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a 
Hard-code ...)
+   TODO: check
+CVE-2024-33808 (A SQL injection vulnerability in /model/get_timetable.php in 
campcodes ...)
+   TODO: check
+CVE-2024-33807 (A SQL injection vulnerability in 
/model/get_teacher_timetable.php in c ...)
+   TODO: check
+CVE-2024-33806 (A SQL injection vulnerability in /model/get_grade.php in 
campcodes Com ...)
+   TODO: check
+CVE-2024-33805 (A SQL injection vulnerability in /model/get_student.php in 
campcodes C ...)
+   TODO: check
+CVE-2024-33804 (A SQL injection vulnerability in /model/get_subject.php in 
campcodes C ...)
+   TODO: check
+CVE-2024-33803 (A SQL injection vulnerability in /model/get_exam.php in 
campcodes Comp ...)
+

[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
527e2919 by Salvatore Bonaccorso at 2024-05-28T22:07:23+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -275856,7 +275856,7 @@ CVE-2020-26314
 CVE-2020-26313
REJECTED
 CVE-2020-26312 (Dotmesh is a git-like command-line interface for capturing, 
organizing ...)
-   TODO: check
+   NOT-FOR-US: Dotmesh
 CVE-2020-26311
RESERVED
 CVE-2020-26310
@@ -293892,7 +293892,7 @@ CVE-2020-18307
 CVE-2020-18306
RESERVED
 CVE-2020-18305 (Extreme Networks EXOS before v.22.7 and before v.30.2 was 
discovered t ...)
-   TODO: check
+   NOT-FOR-US: Extreme Networks EXOS
 CVE-2020-18304
RESERVED
 CVE-2020-18303



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/527e29198aa3ad7d9a43c2c29d1772509aa88fef



[Git][security-tracker-team/security-tracker][master] Remove notes from rejected Linux CVEs

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
06aa3a97 by Salvatore Bonaccorso at 2024-05-28T21:13:37+02:00
Remove notes from rejected Linux CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1234,10 +1234,8 @@ CVE-2021-47488 (In the Linux kernel, the following 
vulnerability has been resolv
[bullseye] - linux 5.10.84-1
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/04f8ef5643bcd8bcde25dfdebef998aea480b2ba (5.15)
-CVE-2021-47487 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
-   - linux 5.15.3-1
-   [bullseye] - linux 5.10.84-1
-   NOTE: 
https://git.kernel.org/linus/5afa7898ab7a0ec9c28556a91df714bf3c2f725e (5.15)
+CVE-2021-47487
+   REJECTED
 CVE-2021-47486 (In the Linux kernel, the following vulnerability has been 
resolved:  r ...)
- linux 5.15.3-1
[bullseye] - linux 5.10.84-1
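Review bot: replacing the entry with a bare REJECTED marker drops the fixed-version lines (`- linux 5.15.3-1`, `[bullseye] - linux 5.10.84-1`) together with the upstream reference https://git.kernel.org/linus/5afa7898ab7a0ec9c28556a91df714bf3c2f725e (5.15), and the three hunks below do the same for CVE-2023-52734, CVE-2021-47377 and CVE-2024-35802. That is consistent with the bare REJECTED form used elsewhere in data/CVE/list, but nothing in the diff records why each ID was rejected or which ID (if any) now tracks the kernel fix, so a one-line NOTE naming the replacement CVE would keep those fixes discoverable.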
@@ -2467,10 +2465,8 @@ CVE-2023-52736 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2023-52735 (In the Linux kernel, the following vulnerability has been 
resolved:  b ...)
- linux 6.1.15-1
NOTE: 
https://git.kernel.org/linus/5b4a79ba65a1ab479903fff2e604865d229b70a9 (6.2-rc7)
-CVE-2023-52734 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
-   - linux 6.1.15-1
-   [bullseye] - linux 5.10.178-1
-   NOTE: 
https://git.kernel.org/linus/de5ca4c3852f896cacac2bf259597aab5e17d9e3 (6.2-rc7)
+CVE-2023-52734
+   REJECTED
 CVE-2023-52733 (In the Linux kernel, the following vulnerability has been 
resolved:  s ...)
- linux 6.1.15-1
[bullseye] - linux 5.10.178-1
@@ -2804,11 +2800,8 @@ CVE-2021-47378 (In the Linux kernel, the following 
vulnerability has been resolv
- linux 5.14.9-1
[bullseye] - linux 5.10.70-1
NOTE: 
https://git.kernel.org/linus/9817d763dbe15327b9b3ff4404fa6f27f927e744 (5.15-rc2)
-CVE-2021-47377 (In the Linux kernel, the following vulnerability has been 
resolved:  x ...)
-   - linux 5.14.9-1
-   [bullseye] - linux 5.10.70-1
-   [buster] - linux 4.19.232-1
-   NOTE: 
https://git.kernel.org/linus/8480ed9c2bbd56fc86524998e5f2e3e22f5038f6 (5.15-rc2)
+CVE-2021-47377
+   REJECTED
 CVE-2021-47376 (In the Linux kernel, the following vulnerability has been 
resolved:  b ...)
- linux 5.14.9-1
[bullseye] - linux 5.10.70-1
@@ -4850,10 +4843,8 @@ CVE-2024-35803 (In the Linux kernel, the following 
vulnerability has been resolv
- linux 6.7.12-1
[bookworm] - linux 6.1.85-1
NOTE: 
https://git.kernel.org/linus/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02 (6.9-rc1)
-CVE-2024-35802 (In the Linux kernel, the following vulnerability has been 
resolved:  x ...)
-   - linux 6.7.12-1
-   [bookworm] - linux 6.1.85-1
-   NOTE: 
https://git.kernel.org/linus/1c811d403afd73f04bde82b83b24c754011bd0e8 (6.9-rc1)
+CVE-2024-35802
+   REJECTED
 CVE-2024-35801 (In the Linux kernel, the following vulnerability has been 
resolved:  x ...)
- linux 6.7.12-1
[bookworm] - linux 6.1.85-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06aa3a97551c5a275388fe8791dad0768c65ceb6



[Git][security-tracker-team/security-tracker][master] Remove additional space for entry in CVE-2024-26256

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
89d05ed0 by Salvatore Bonaccorso at 2024-05-28T21:01:10+02:00
Remove additional space for entry in CVE-2024-26256

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18711,7 +18711,7 @@ CVE-2024-26257 (Microsoft Excel Remote Code Execution 
Vulnerability)
NOT-FOR-US: Microsoft
 CVE-2024-26256 (libarchive Remote Code Execution Vulnerability)
- libarchive  (bug #1072107)
-   [bullseye] - libarchive   (Vulnerable code introduced in 
3.6.0)
+   [bullseye] - libarchive  (Vulnerable code introduced in 
3.6.0)
[buster] - libarchive  (Vulnerable code introduced in 
3.6.0)
NOTE: https://github.com/advisories/GHSA-2jc9-36w4-pmqw
NOTE: https://github.com/libarchive/libarchive/pull/2135



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89d05ed0fd09d2fe4dffb396d31ddc073b228ceb



[Git][security-tracker-team/security-tracker][master] CVE-2024-4741: Refer to commits from advisory

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cdaa268e by Salvatore Bonaccorso at 2024-05-28T20:45:27+02:00
CVE-2024-4741: Refer to commits from advisory

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4,8 +4,8 @@ CVE-2024-4741 [Use After Free with SSL_free_buffers]
[bullseye] - openssl  (Minor issue, fix along with next 
update round)
NOTE: https://www.openssl.org/news/secadv/20240528.txt
NOTE: 
https://github.com/openssl/openssl/commit/c1bd38a003fa19fd0d8ade85e1bbc20d8ae59dab
 (master)
-   NOTE: 
https://github.com/openssl/openssl/commit/d095674320c84b8ed1250715b1dd5ce05f9f267b
 (openssl-3.2)
-   NOTE: 
https://github.com/openssl/openssl/commit/d095674320c84b8ed1250715b1dd5ce05f9f267b
 (openssl-3.0)
+   NOTE: 
https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac
 (openssl-3.2)
+   NOTE: 
https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d
 (openssl-3.0)
 CVE-2024-36428 (OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL 
injection.)
NOT-FOR-US: OrangeHRM
 CVE-2024-36426 (In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the 
session  ...)
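Review bot: the replaced lines cited the same commit d095674320c84b8ed1250715b1dd5ce05f9f267b for both openssl-3.2 and openssl-3.0, which cannot both be the branch-specific backports; the new lines give one distinct hash per branch, matching the (master) line above. Since a copy-paste slip is exactly what the old entry had, it is worth re-checking c88c3de51020c37e8706bf7a682a162593053aac and b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d against the advisory at https://www.openssl.org/news/secadv/20240528.txt referenced two lines up.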



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdaa268e18b2a86bd57bff28fb5578bccd16



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-26256/libarchive

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c962d2c8 by Salvatore Bonaccorso at 2024-05-28T20:26:15+02:00
Add Debian bug reference for CVE-2024-26256/libarchive

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18710,7 +18710,7 @@ CVE-2024-26275 (A vulnerability has been identified in 
Parasolid V35.1 (All vers
 CVE-2024-26257 (Microsoft Excel Remote Code Execution Vulnerability)
NOT-FOR-US: Microsoft
 CVE-2024-26256 (libarchive Remote Code Execution Vulnerability)
-   - libarchive 
+   - libarchive  (bug #1072107)
[bullseye] - libarchive   (Vulnerable code introduced in 
3.6.0)
[buster] - libarchive  (Vulnerable code introduced in 
3.6.0)
NOTE: https://github.com/advisories/GHSA-2jc9-36w4-pmqw



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c962d2c8fbb97a59f68fcab8102d92ba02b5cb2b



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-6349 and CVE-2023-44488

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bfddebb7 by Salvatore Bonaccorso at 2024-05-28T14:06:11+02:00
Update information for CVE-2023-6349 and CVE-2023-44488

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -77,8 +77,12 @@ CVE-2024-0851 (Improper Neutralization of Special Elements 
used in an SQL Comman
NOT-FOR-US: Grup Arge Energy and Control Systems Smartpower
 CVE-2023-6349 (A heap overflow vulnerability exists in libvpx -Encoding a 
frame that  ...)
- libvpx 1.13.1-2
+   [bookworm] - libvpx 1.12.0-1+deb12u2
+   [bullseye] - libvpx 1.9.0-1+deb11u2
+   [buster] - libvpx 1.7.0-3+deb10u2
NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1642
NOTE: Fixed by: 
https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937
 (v1.13.1)
+   NOTE: Same upstream commit as CVE-2023-44488
 CVE-2023-50977 (In GNOME Shell through 45.2, unauthenticated remote code 
execution can ...)
NOTE: Disputed GNOME Shell issue
 CVE-2022-4969 (A vulnerability, which was classified as critical, has been 
found in b ...)
@@ -59551,6 +59555,7 @@ CVE-2023-44488 (VP9 in libvpx before 1.13.1 mishandles 
widths, leading to a cras
NOTE: 
https://github.com/webmproject/libvpx/commit/263682c9a29395055f3b3afe2d97be1828a6223f
 (main)
NOTE: 
https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937
 (v1.13.1)
NOTE: http://www.openwall.com/lists/oss-security/2023/09/30/4
+   NOTE: Same commit as CVE-2023-6349
 CVE-2022-4956 (A vulnerability classified as critical has been found in 
Caphyon Advan ...)
NOT-FOR-US: Caphyon Advanced Installer
 CVE-2023-5320 (Cross-site Scripting (XSS) - DOM in GitHub repository 
thorsten/phpmyfa ...)
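Review bot: the two new cross-reference notes are worded differently ("Same upstream commit as CVE-2023-44488" in the first hunk, "Same commit as CVE-2023-6349" here); one phrase for both makes the pair greppable. More substantively, the first hunk adds bookworm 1.12.0-1+deb12u2, bullseye 1.9.0-1+deb11u2 and buster 1.7.0-3+deb10u2 to CVE-2023-6349 on the basis that df9fd9d5b7325060b2b921558a1eb20ca7880937 fixes both IDs, but this hunk starts at the NOTE lines, so the package lines of CVE-2023-44488 are not visible; if the same stable versions are not already recorded there, they should be.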



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfddebb7351411a90392860e8dcf667f15b95d22



[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-26256

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f3ebbec8 by Salvatore Bonaccorso at 2024-05-28T13:53:57+02:00
Update status for CVE-2024-26256

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18663,11 +18663,12 @@ CVE-2024-26257 (Microsoft Excel Remote Code Execution 
Vulnerability)
NOT-FOR-US: Microsoft
 CVE-2024-26256 (libarchive Remote Code Execution Vulnerability)
- libarchive 
+   [bullseye] - libarchive   (Vulnerable code introduced in 
3.6.0)
[buster] - libarchive  (Vulnerable code introduced in 
3.6.0)
NOTE: https://github.com/advisories/GHSA-2jc9-36w4-pmqw
NOTE: https://github.com/libarchive/libarchive/pull/2135
-   NOTE: 
https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237
 (v3.7.4)
-   NOTE: Introduced by: 
https://github.com/libarchive/libarchive/commit/01a2d329dfc71741892e2b590cf9fb25092474a0
 (v.3.6.0)
+   NOTE: Introduced by: 
https://github.com/libarchive/libarchive/commit/01a2d329dfc71741892e2b590cf9fb25092474a0
 (v3.6.0)
+   NOTE: Fixed by: 
https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237
 (v3.7.4)
 CVE-2024-26255 (Windows Remote Access Connection Manager Information 
Disclosure Vulner ...)
NOT-FOR-US: Microsoft
 CVE-2024-26254 (Microsoft Virtual Machine Bus (VMBus) Denial of Service 
Vulnerability)
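Review bot: the unstable line `- libarchive` still carries neither a fixed Debian version nor a bug reference, while the new "Fixed by:" note points at v3.7.4; a bug number, or the Debian revision that will ship eb7939b24a681a04648a59cdebd386b1e9dc9237, would let readers follow the pending upload. The relabelling into "Introduced by:"/"Fixed by:" and the `v.3.6.0` to `v3.6.0` correction read well, and the added `[bullseye]` line agrees with the `[buster]` one that the vulnerable code arrived in 3.6.0.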



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3ebbec843fca5002baa00adef95fd36afacb9e0



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5aeb324b by security tracker role at 2024-05-28T08:12:09+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,27 @@
+CVE-2024-36428 (OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL 
injection.)
+   TODO: check
+CVE-2024-36426 (In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the 
session  ...)
+   TODO: check
+CVE-2024-32944 (Path traversal vulnerability exists in UTAU versions prior to 
v0.4.19. ...)
+   TODO: check
+CVE-2024-29078 (Incorrect permission assignment for critical resource issue 
exists in  ...)
+   TODO: check
+CVE-2024-28886 (OS command injection vulnerability exists in UTAU versions 
prior to v0 ...)
+   TODO: check
+CVE-2024-28880 (Path traversal vulnerability in MosP kintai kanri V4.6.6 and 
earlier a ...)
+   TODO: check
+CVE-2023-52712 (Various Issues Due To Exposed SMI Handler in AmdPspP2CmboxV2. 
The firs ...)
+   TODO: check
+CVE-2023-52711 (Various Issues Due To Exposed SMI Handler in AmdPspP2CmboxV2. 
The firs ...)
+   TODO: check
+CVE-2023-52710 (Huawei Matebook D16(Model: CREM-WXX9, BIOS: v2.26), As the 
communicati ...)
+   TODO: check
+CVE-2023-52548 (Huawei Matebook D16(Model: CREM-WXX9, BIOS: v2.26) Arbitrary 
Memory Co ...)
+   TODO: check
+CVE-2023-52547 (Huawei Matebook D16(Model: CREM-WXX9, BIOS: v2.26. Memory 
Corruption i ...)
+   TODO: check
+CVE-2022-48681 (Some Huawei smart speakers have a memory overflow 
vulnerability. Succe ...)
+   TODO: check
 CVE-2024-5409 (RhinOS 3.0-1190 is vulnerable to an XSS via the "tamper" 
parameter in  ...)
NOT-FOR-US: RhinOS
 CVE-2024-5408 (Vulnerability in RhinOS 3.0-1190 consisting of an XSS through 
the "sea ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5aeb324b056f16341b59a6716864a89c01590979



[Git][security-tracker-team/security-tracker][master] Reference commit from github mirror for CVE-2023-6349/libvpx

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e9cd1ffa by Salvatore Bonaccorso at 2024-05-27T22:53:47+02:00
Reference commit from github mirror for CVE-2023-6349/libvpx

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -49,7 +49,7 @@ CVE-2024-0851 (Improper Neutralization of Special Elements 
used in an SQL Comman
 CVE-2023-6349 (A heap overflow vulnerability exists in libvpx -Encoding a 
frame that  ...)
- libvpx 1.13.1-2
NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1642
-   NOTE: 
https://chromium.googlesource.com/webm/libvpx/+/df9fd9d5b7325060b2b921558a1eb20ca7880937
 (v1.13.1)
+   NOTE: Fixed by: 
https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937
 (v1.13.1)
 CVE-2023-50977 (In GNOME Shell through 45.2, unauthenticated remote code 
execution can ...)
TODO: check
 CVE-2022-4969 (A vulnerability, which was classified as critical, has been 
found in b ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9cd1ffa9842382959a39721e79e2196b8919b73



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6349/libvpx

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8751b782 by Salvatore Bonaccorso at 2024-05-27T22:39:55+02:00
Add CVE-2023-6349/libvpx

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -47,7 +47,9 @@ CVE-2024-27310 (Zoho ManageEngineADSelfService Plus versions 
below6401 are vulne
 CVE-2024-0851 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
TODO: check
 CVE-2023-6349 (A heap overflow vulnerability exists in libvpx -Encoding a 
frame that  ...)
-   TODO: check
+   - libvpx 1.13.1-2
+   NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1642
+   NOTE: 
https://chromium.googlesource.com/webm/libvpx/+/df9fd9d5b7325060b2b921558a1eb20ca7880937
 (v1.13.1)
 CVE-2023-50977 (In GNOME Shell through 45.2, unauthenticated remote code 
execution can ...)
TODO: check
 CVE-2022-4969 (A vulnerability, which was classified as critical, has been 
found in b ...)
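Review bot: the fix is recorded as upstream tag v1.13.1, but the fixed Debian version is given as 1.13.1-2 rather than 1.13.1-1; if the 1.13.1-1 upload already contained upstream's v1.13.1, the fixed version should be 1.13.1-1, and if it did not (a pre-tag snapshot, say), a NOTE explaining why -2 is the first fixed revision would stop the entry from looking inconsistent with its own reference.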



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8751b782ff8ca6e23bad23a8bc31e8e84bd41fe0



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e46e56a2 by Salvatore Bonaccorso at 2024-05-27T22:36:45+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,13 +1,13 @@
 CVE-2024-5409 (RhinOS 3.0-1190 is vulnerable to an XSS via the "tamper" 
parameter in  ...)
-   TODO: check
+   NOT-FOR-US: RhinOS
 CVE-2024-5408 (Vulnerability in RhinOS 3.0-1190 consisting of an XSS through 
the "sea ...)
-   TODO: check
+   NOT-FOR-US: RhinOS
 CVE-2024-5407 (A vulnerability in RhinOS 3.0-1190 could allow PHP code 
injection thro ...)
-   TODO: check
+   NOT-FOR-US: RhinOS
 CVE-2024-5406 (A vulnerability had been discovered in WinNMP 19.02 consisting 
of an X ...)
-   TODO: check
+   NOT-FOR-US: WinNMP
 CVE-2024-5405 (A vulnerability had been discovered in WinNMP 19.02 consisting 
of an X ...)
-   TODO: check
+   NOT-FOR-US: WinNMP
 CVE-2024-3381
REJECTED
 CVE-2024-36383 (An issue was discovered in Logpoint SAML Authentication before 
6.0.3.  ...)
@@ -15,19 +15,19 @@ CVE-2024-36383 (An issue was discovered in Logpoint SAML 
Authentication before 6
 CVE-2024-36105 (dbt enables data analysts and engineers to transform their 
data using  ...)
TODO: check
 CVE-2024-36037 (Zoho ManageEngine ADAudit Plus versions 7260 and below allows 
unauthor ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine
 CVE-2024-36036 (Zoho ManageEngine ADAudit Plus versions 7260 and below allows 
unauthor ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine
 CVE-2024-35238 (Minder by Stacklok is an open source software supply chain 
security pl ...)
-   TODO: check
+   NOT-FOR-US: Minder by Stacklok
 CVE-2024-35237 (MIT IdentiBot is an open-source Discord bot written in Node.js 
that ve ...)
-   TODO: check
+   NOT-FOR-US: MIT IdentiBot
 CVE-2024-35236 (Audiobookshelf is a self-hosted audiobook and podcast server. 
Prior to ...)
TODO: check
 CVE-2024-35231 (rack-contrib provides contributed rack middleware and 
utilities for Ra ...)
TODO: check
 CVE-2024-35229 (ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs 
to scal ...)
-   TODO: check
+   NOT-FOR-US: ZKsync Era
 CVE-2024-35219 (OpenAPI Generator allows generation of API client libraries 
(SDK gener ...)
TODO: check
 CVE-2024-35182 (Meshery is an open source, cloud native manager that enables 
the desig ...)
@@ -35,7 +35,7 @@ CVE-2024-35182 (Meshery is an open source, cloud native 
manager that enables the
 CVE-2024-35181 (Meshery is an open source, cloud native manager that enables 
the desig ...)
TODO: check
 CVE-2024-34923 (In Avocent DSR2030 Appliance firmware 03.04.00.07 before 
03.07.01.23,  ...)
-   TODO: check
+   NOT-FOR-US: Avocent DSR2030 Appliance firmware
 CVE-2024-34477 (configureNFS in lib/common/functions.sh in FOG through 1.5.10 
allows l ...)
TODO: check
 CVE-2024-32978 (Kaminari is a paginator for web app frameworks and object 
relational m ...)
@@ -43,7 +43,7 @@ CVE-2024-32978 (Kaminari is a paginator for web app 
frameworks and object relati
 CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF 
because some ...)
TODO: check
 CVE-2024-27310 (Zoho ManageEngineADSelfService Plus versions below6401 are 
vulnerable  ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine
 CVE-2024-0851 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
TODO: check
 CVE-2023-6349 (A heap overflow vulnerability exists in libvpx -Encoding a 
frame that  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e46e56a25c12b44222a7ee274f4c363ca88b3733



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60065691 by security tracker role at 2024-05-27T20:12:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,57 @@
+CVE-2024-5409 (RhinOS 3.0-1190 is vulnerable to an XSS via the "tamper" 
parameter in  ...)
+   TODO: check
+CVE-2024-5408 (Vulnerability in RhinOS 3.0-1190 consisting of an XSS through 
the "sea ...)
+   TODO: check
+CVE-2024-5407 (A vulnerability in RhinOS 3.0-1190 could allow PHP code 
injection thro ...)
+   TODO: check
+CVE-2024-5406 (A vulnerability had been discovered in WinNMP 19.02 consisting 
of an X ...)
+   TODO: check
+CVE-2024-5405 (A vulnerability had been discovered in WinNMP 19.02 consisting 
of an X ...)
+   TODO: check
+CVE-2024-3381
+   REJECTED
+CVE-2024-36383 (An issue was discovered in Logpoint SAML Authentication before 
6.0.3.  ...)
+   TODO: check
+CVE-2024-36105 (dbt enables data analysts and engineers to transform their 
data using  ...)
+   TODO: check
+CVE-2024-36037 (Zoho ManageEngine ADAudit Plus versions 7260 and below allows 
unauthor ...)
+   TODO: check
+CVE-2024-36036 (Zoho ManageEngine ADAudit Plus versions 7260 and below allows 
unauthor ...)
+   TODO: check
+CVE-2024-35238 (Minder by Stacklok is an open source software supply chain 
security pl ...)
+   TODO: check
+CVE-2024-35237 (MIT IdentiBot is an open-source Discord bot written in Node.js 
that ve ...)
+   TODO: check
+CVE-2024-35236 (Audiobookshelf is a self-hosted audiobook and podcast server. 
Prior to ...)
+   TODO: check
+CVE-2024-35231 (rack-contrib provides contributed rack middleware and 
utilities for Ra ...)
+   TODO: check
+CVE-2024-35229 (ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs 
to scal ...)
+   TODO: check
+CVE-2024-35219 (OpenAPI Generator allows generation of API client libraries 
(SDK gener ...)
+   TODO: check
+CVE-2024-35182 (Meshery is an open source, cloud native manager that enables 
the desig ...)
+   TODO: check
+CVE-2024-35181 (Meshery is an open source, cloud native manager that enables 
the desig ...)
+   TODO: check
+CVE-2024-34923 (In Avocent DSR2030 Appliance firmware 03.04.00.07 before 
03.07.01.23,  ...)
+   TODO: check
+CVE-2024-34477 (configureNFS in lib/common/functions.sh in FOG through 1.5.10 
allows l ...)
+   TODO: check
+CVE-2024-32978 (Kaminari is a paginator for web app frameworks and object 
relational m ...)
+   TODO: check
+CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF 
because some ...)
+   TODO: check
+CVE-2024-27310 (Zoho ManageEngineADSelfService Plus versions below6401 are 
vulnerable  ...)
+   TODO: check
+CVE-2024-0851 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-6349 (A heap overflow vulnerability exists in libvpx -Encoding a 
frame that  ...)
+   TODO: check
+CVE-2023-50977 (In GNOME Shell through 45.2, unauthenticated remote code 
execution can ...)
+   TODO: check
+CVE-2022-4969 (A vulnerability, which was classified as critical, has been 
found in b ...)
+   TODO: check
 CVE-2024-5403 (ASKEY 5G NR Small Cell fails to properly filter user input for 
certain ...)
NOT-FOR-US: ASKEY
 CVE-2024-5400 (Openfind Mail2000 does not properly filter parameters of 
specific CGI. ...)
@@ -1527,6 +1581,7 @@ CVE-2024-3268 (The YouTube Video Gallery by YouTube 
Showcase \u2013 Video Galler
 CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to 
spoof the s ...)
NOT-FOR-US: WinRAR
 CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with 
untrusted JSON ...)
+   {DLA-3822-1}
- python-pymysql  (bug #1071628)
NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp
NOTE: 
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
 (v1.1.1)
@@ -17012,7 +17067,7 @@ CVE-2024-3662 (The WPZOOM Social Feed Widget & Block 
plugin for WordPress is vul
 CVE-2023-6494 (The WPC Smart Quick View for WooCommerce plugin for WordPress 
is vulne ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-32487 (less through 653 allows OS command execution via a newline 
character i ...)
-   {DSA-5679-1}
+   {DSA-5679-1 DLA-3823-1}
- less 590-2.1 (bug #1068938)
NOTE: https://www.openwall.com/lists/oss-security/2024/04/12/5
NOTE: Fixed by: 
https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33
@@ -20962,7 +21017,8 @@ CVE-2024-3209 (A vulnerability was found in UPX up to 
4.2.2. It has been rated a
TODO: check upstream report status, seems not filled as issue
 CVE-2024-3207 (A vulnerability was found in ermig1979 Simd up to 6.0.134. It 
has been ...)
NOT-FOR-US: ermig1979 

[Git][security-tracker-team/security-tracker][master] Remove notes from rejected CVEs which were duplicates

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
80b3452c by Salvatore Bonaccorso at 2024-05-27T21:34:28+02:00
Remove notes from rejected CVEs which were duplicates

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -72808,10 +72808,8 @@ CVE-2023-34098 (Shopware is an open source e-commerce 
software. Due to an incorr
NOT-FOR-US: Shopware
 CVE-2023-33567
REJECTED
-   NOTE: Duplicate of CVE-2021-38425
 CVE-2023-33566
REJECTED
-   NOTE: Duplicate of CVE-2021-38425
 CVE-2023-32339 (IBM Business Automation Workflow is vulnerable to cross-site 
scripting ...)
NOT-FOR-US: IBM
 CVE-2023-2996 (The Jetpack WordPress plugin before 12.1.1 does not validate 
uploaded  ...)
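Review bot: dropping `NOTE: Duplicate of CVE-2021-38425` from the REJECTED entries (CVE-2023-33567 and CVE-2023-33566 here, CVE-2023-33565 in the next hunk) removes the only pointer from the rejected IDs to the ID that actually tracks the issue; if the bare REJECTED form is the convention for this file, consider recording the duplicate relationship on the CVE-2021-38425 side instead so the cross-reference is not lost.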
@@ -73168,7 +73166,6 @@ CVE-2023-34012 (Unauth. Reflected Cross-Site Scripting 
(XSS) vulnerability in Pr
NOT-FOR-US: WordPress plugin
 CVE-2023-33565
REJECTED
-   NOTE: Duplicate of CVE-2021-38425
 CVE-2023-32580 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in WPEx ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-32480 (Dell BIOS contains an Improper Input Validation vulnerability. 
An unau ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80b3452c11a11495ca412bc7b4e8cbeb741d9d07



[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-33427

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9a9fedad by Salvatore Bonaccorso at 2024-05-27T21:32:51+02:00
Remove notes from CVE-2024-33427

Further investigation showed that this was not a security issue for
squid.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -230,11 +230,6 @@ CVE-2024-33470 (An issue in the SMTP Email Settings of 
AVTECH Room Alert 4E v4.4
NOT-FOR-US: AVTECH Room Alert
 CVE-2024-33427
REJECTED
-   - squid  (unimportant)
-   - squid3  (unimportant)
-   NOTE: https://github.com/squid-cache/squid/pull/1763
-   NOTE: 
https://github.com/squid-cache/squid/commit/1891ce596237b45e0a675f75c49a5f6a840d
-   NOTE: OOB read in config file parsing, doesn't cross any reasonable 
security boundary
 CVE-2024-31510 (An issue in Open Quantum Safe liboqs v.10.0 allows a remote 
attacker t ...)
- liboqs 
NOTE: https://github.com/liang-junkai/Fault-injection-of-ML-DSA
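Review bot: dropping all three NOTE lines removes the rationale ("OOB read in config file parsing, doesn't cross any reasonable security boundary") together with the upstream PR and commit references, so CVE-2024-33427 is now a bare "REJECTED" entry and the reasoning survives only in this commit message; keeping a single line such as "NOTE: Not a security issue for squid, see https://github.com/squid-cache/squid/pull/1763" would let readers find it without consulting git log. The removed commit reference also looks truncated (36 hex digits rather than 40), which is worth checking if it is ever re-added.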



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a9fedad946f8706599700577c5d6876adcaa1ae



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-1135/gunicorn via unstable

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
31dbe789 by Salvatore Bonaccorso at 2024-05-27T20:23:55+02:00
Track fixed version for CVE-2024-1135/gunicorn via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16490,7 +16490,7 @@ CVE-2024-1456 (An S3 bucket takeover vulnerability was 
identified in the h2oai/h
 CVE-2024-1183 (An SSRF (Server-Side Request Forgery) vulnerability exists in 
the grad ...)
NOT-FOR-US: Gradio
 CVE-2024-1135 (Gunicorn fails to properly validate Transfer-Encoding headers, 
leading ...)
-   - gunicorn  (bug #1069126)
+   - gunicorn 22.0.0-1 (bug #1069126)
[bookworm] - gunicorn  (Minor issue)
[bullseye] - gunicorn  (Minor issue)
[buster] - gunicorn  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31dbe78998411673120f9945931ce15c4ca4acc5



[Git][security-tracker-team/security-tracker][master] Update version number to 5.9.6-1 for CVE-2022-4967

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0d01c980 by Salvatore Bonaccorso at 2024-05-27T17:54:50+02:00
Update version number to 5.9.6-1 for CVE-2022-4967

The change is only contained in 5.9.6-1 and 5.6.4-1 did not carry the
patch separately. Bump thus the version to the 5.9.6 based one.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7161,7 +7161,7 @@ CVE-2023-49781 (NocoDB is software for building databases 
as spreadsheets. Prior
 CVE-2023-46870 (extcap/nrf_sniffer_ble.py, extcap/nrf_sniffer_ble.sh, 
extcap/SnifferAP ...)
NOT-FOR-US: Nordic Semiconductor nRF Sniffer for Bluetooth
 CVE-2022-4967 (strongSwan versions 5.9.2 through 5.9.5 are affected by 
authorization  ...)
-   - strongswan 5.9.4-1
+   - strongswan 5.9.6-1
[bullseye] - strongswan  (Introduced in 5.9.2)
[buster] - strongswan  (Introduced in 5.9.2)
NOTE: 
https://www.strongswan.org/blog/2024/05/13/strongswan-vulnerability-(cve-2022-4967).html
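Review bot: the commit message says "5.6.4-1 did not carry the patch separately", but the line being replaced reads "- strongswan 5.9.4-1"; that looks like a typo for 5.9.4-1 in the message and is worth confirming so the history explains the bump correctly. The bullseye and buster annotations "(Introduced in 5.9.2)" are unchanged and remain consistent with the new fixed version 5.9.6-1.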



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d01c9809671926a1e572f0114bea08d303acd6f



[Git][security-tracker-team/security-tracker][master] Update references for CVE-2024-2486{2,3}/linux

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
27cbdd4c by Salvatore Bonaccorso at 2024-05-27T17:43:17+02:00
Update references for CVE-2024-2486{2,3}/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16985,9 +16985,15 @@ CVE-2024-3651 [potential DoS via resource consumption 
via specially crafted inpu
 CVE-2024-24863 (In malidp_mw_connector_reset, new memory is allocated with 
kzalloc, bu ...)
- linux 
NOTE: 
https://git.kernel.org/linus/a1f95aede6285dba6dd036d907196f35ae3a11ea (6.10-rc1)
+   NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8750
 CVE-2024-24862 (In function pci1_spi_probe, there is a potential null 
pointer that ...)
-   - linux 
+   - linux 6.8.9-1
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/1f886a7bfb3faf4c1021e73f045538008ce7634e (6.9-rc3)
+   NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8748
+   NOTE: Duplicate of CVE-2024-35883.
 CVE-2024-3740 (A vulnerability, which was classified as critical, has been 
found in c ...)
NOT-FOR-US: cym1102 nginxWebUI
 CVE-2024-3739 (A vulnerability classified as critical was found in cym1102 
nginxWebUI ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27cbdd4c2ccee194f310e09f2ed7b5601ac0f717



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7ebb9273 by security tracker role at 2024-05-27T08:12:11+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,87 @@
+CVE-2024-5403 (ASKEY 5G NR Small Cell fails to properly filter user input for 
certain ...)
+   TODO: check
+CVE-2024-5400 (Openfind Mail2000 does not properly filter parameters of 
specific CGI. ...)
+   TODO: check
+CVE-2024-5399 (Openfind Mail2000 does not properly filter parameters of 
specific API. ...)
+   TODO: check
+CVE-2024-5397 (A vulnerability classified as critical was found in 
itsourcecode Onlin ...)
+   TODO: check
+CVE-2024-5396 (A vulnerability classified as critical has been found in 
itsourcecode  ...)
+   TODO: check
+CVE-2024-5395 (A vulnerability was found in itsourcecode Online Student 
Enrollment Sy ...)
+   TODO: check
+CVE-2024-5394 (A vulnerability was found in itsourcecode Online Student 
Enrollment Sy ...)
+   TODO: check
+CVE-2024-5393 (A vulnerability was found in itsourcecode Online Student 
Enrollment Sy ...)
+   TODO: check
+CVE-2024-5392 (A vulnerability was found in itsourcecode Online Student 
Enrollment Sy ...)
+   TODO: check
+CVE-2024-5391 (A vulnerability has been found in itsourcecode Online Student 
Enrollme ...)
+   TODO: check
+CVE-2024-5390 (A vulnerability, which was classified as critical, was found in 
itsour ...)
+   TODO: check
+CVE-2024-5385 (A vulnerability, which was classified as problematic, has been 
found i ...)
+   TODO: check
+CVE-2024-5384 (A vulnerability classified as critical was found in 
SourceCodester Fac ...)
+   TODO: check
+CVE-2024-5383 (A vulnerability classified as problematic has been found in 
lakernote  ...)
+   TODO: check
+CVE-2024-5381 (A vulnerability classified as critical was found in 
itsourcecode Stude ...)
+   TODO: check
+CVE-2024-5380 (A vulnerability classified as problematic has been found in 
jsy-1 shor ...)
+   TODO: check
+CVE-2024-5379 (A vulnerability was found in JFinalCMS up to 20240111. It has 
been rat ...)
+   TODO: check
+CVE-2024-5378 (A vulnerability was found in SourceCodester School Intramurals 
Student ...)
+   TODO: check
+CVE-2024-5377 (A vulnerability was found in SourceCodester Vehicle Management 
System  ...)
+   TODO: check
+CVE-2024-5376 (A vulnerability was found in Kashipara College Management 
System 1.0 a ...)
+   TODO: check
+CVE-2024-5035 (The affected device expose a network service called "rftest" 
that is v ...)
+   TODO: check
+CVE-2024-4535 (The KKProgressbar2 Free  WordPress plugin through 1.1.4.2 does 
not hav ...)
+   TODO: check
+CVE-2024-4534 (The KKProgressbar2 Free  WordPress plugin through 1.1.4.2 does 
not hav ...)
+   TODO: check
+CVE-2024-4533 (The KKProgressbar2 Free  WordPress plugin through 1.1.4.2 does 
not san ...)
+   TODO: check
+CVE-2024-4532 (The Business Card WordPress plugin through 1.0.0 does not have 
CSRF ch ...)
+   TODO: check
+CVE-2024-4531 (The Business Card WordPress plugin through 1.0.0 does not have 
CSRF ch ...)
+   TODO: check
+CVE-2024-4530 (The Business Card WordPress plugin through 1.0.0 does not have 
CSRF ch ...)
+   TODO: check
+CVE-2024-4529 (The Business Card WordPress plugin through 1.0.0 does not have 
CSRF ch ...)
+   TODO: check
+CVE-2024-4286 (Mintplex-Labs' anything-llm application is vulnerable to 
improper neut ...)
+   TODO: check
+CVE-2024-3939 (The Ditty  WordPress plugin before 3.1.36 does not sanitise and 
escape ...)
+   TODO: check
+CVE-2024-3933 (In Eclipse OpenJ9 release versions prior to 0.44.0 and after 
0.13.0, w ...)
+   TODO: check
+CVE-2024-36384 (Pointsharp Cryptshare Server before 7.0.0 has an XSS issue 
that is rel ...)
+   TODO: check
+CVE-2024-36056 (Hw64.sys in Marvin Test HW.exe before 5.0.5.0 allows 
unprivileged user ...)
+   TODO: check
+CVE-2024-36055 (Hw64.sys in Marvin Test HW.exe before 5.0.5.0 allows 
unprivileged user ...)
+   TODO: check
+CVE-2024-36054 (Hw64.sys in Marvin Test HW.exe before 5.0.5.0 allows 
unprivileged user ...)
+   TODO: check
+CVE-2024-35297 (Cross-site scripting vulnerability exists in WP Booking 
versions prior ...)
+   TODO: check
+CVE-2024-35291 (Cross-site scripting vulnerability exists in Splunk Config 
Explorer ve ...)
+   TODO: check
+CVE-2024-34454 (Nintendo Wii U OS 5.5.5 allows man-in-the-middle attackers to 
forge SS ...)
+   TODO: check
+CVE-2024-30658
+   REJECTED
+CVE-2024-30657
+   REJECTED
+CVE-2024-27314 (Zoho ManageEngineServiceDesk Plus versions 
below14730,ServiceDesk Plus ...)
+   TODO: check
+CVE-2024-26289 (Deserialization of Untrusted Data vulnerability in PMB 
Services PMB al ...)
+   TODO: check
 CVE-2024-5375 (A vulnerability has been found in 

[Git][security-tracker-team/security-tracker][master] Process some more NFUs

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d3184040 by Salvatore Bonaccorso at 2024-05-27T10:09:25+02:00
Process some more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29,11 +29,11 @@ CVE-2024-5362 (A vulnerability classified as critical has 
been found in SourceCo
 CVE-2024-5361 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1. It  ...)
NOT-FOR-US: PHPGurukul Zoo Management System
 CVE-2024-5360 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1. It  ...)
-   TODO: check
+   NOT-FOR-US: PHPGurukul Zoo Management System
 CVE-2024-5359 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1. It  ...)
-   TODO: check
+   NOT-FOR-US: PHPGurukul Zoo Management System
 CVE-2024-5358 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1 and  ...)
-   TODO: check
+   NOT-FOR-US: PHPGurukul Zoo Management System
 CVE-2024-5272 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 
8.1.12 fa ...)
- mattermost-server  (bug #823556)
 CVE-2024-5270 (Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 
9.6.1 and ...)
@@ -91,7 +91,7 @@ CVE-2024-4858 (The Testimonial Carousel For Elementor plugin 
for WordPress is vu
 CVE-2024-4045 (The Popup Builder by OptinMonster \u2013 WordPress Popups for 
Optins,  ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-36079 (An issue was discovered in Vaultize 21.07.27. When uploading 
files, th ...)
-   TODO: check
+   NOT-FOR-US: Vaultize
 CVE-2024-35374 (Mocodo Mocodo Online 4.2.6 and below does not properly 
sanitize the sq ...)
NOT-FOR-US: Mocodo Mocodo Online
 CVE-2024-35373 (Mocodo Mocodo Online 4.2.6 and below is vulnerable to Remote 
Code Exec ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3184040736d09d03f3fbee22ce6e74096497343



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ae7b7e68 by Salvatore Bonaccorso at 2024-05-27T08:49:15+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,33 +1,33 @@
 CVE-2024-5375 (A vulnerability has been found in Kashipara College Management 
System  ...)
-   TODO: check
+   NOT-FOR-US: Kashipara College Management System
 CVE-2024-5374 (A vulnerability, which was classified as problematic, was found 
in Kas ...)
-   TODO: check
+   NOT-FOR-US: Kashipara College Management System
 CVE-2024-5373 (A vulnerability, which was classified as problematic, has been 
found i ...)
-   TODO: check
+   NOT-FOR-US: Kashipara College Management System
 CVE-2024-5372 (A vulnerability classified as problematic was found in 
Kashipara Colle ...)
-   TODO: check
+   NOT-FOR-US: Kashipara College Management System
 CVE-2024-5371 (A vulnerability classified as problematic has been found in 
Kashipara  ...)
-   TODO: check
+   NOT-FOR-US: Kashipara College Management System
 CVE-2024-5370 (A vulnerability was found in Kashipara College Management 
System 1.0.  ...)
-   TODO: check
+   NOT-FOR-US: Kashipara College Management System
 CVE-2024-5369 (A vulnerability was found in Kashipara College Management 
System 1.0.  ...)
-   TODO: check
+   NOT-FOR-US: Kashipara College Management System
 CVE-2024-5368 (A vulnerability was found in Kashipara College Management 
System 1.0.  ...)
-   TODO: check
+   NOT-FOR-US: Kashipara College Management System
 CVE-2024-5367 (A vulnerability was found in Kashipara College Management 
System 1.0 a ...)
-   TODO: check
+   NOT-FOR-US: Kashipara College Management System
 CVE-2024-5366 (A vulnerability has been found in SourceCodester Best House 
Rental Man ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Best House Rental Management System
 CVE-2024-5365 (A vulnerability, which was classified as critical, was found in 
Source ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Best House Rental Management System
 CVE-2024-5364 (A vulnerability, which was classified as critical, has been 
found in S ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Best House Rental Management System
 CVE-2024-5363 (A vulnerability classified as critical was found in 
SourceCodester Bes ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Best House Rental Management System
 CVE-2024-5362 (A vulnerability classified as critical has been found in 
SourceCodeste ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Online Hospital Management System
 CVE-2024-5361 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1. It  ...)
-   TODO: check
+   NOT-FOR-US: PHPGurukul Zoo Management System
 CVE-2024-5360 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1. It  ...)
TODO: check
 CVE-2024-5359 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1. It  ...)
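Review bot: CVE-2024-5360 and CVE-2024-5359 (PHPGurukul Zoo Management System 2.1) are left at "TODO: check" in the trailing context although their description text matches CVE-2024-5361, which this hunk marks "NOT-FOR-US: PHPGurukul Zoo Management System"; processing the whole run of identical entries in one pass would avoid the follow-up commit.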



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae7b7e687b6251981c280dc7b8dcfa2e32759020



[Git][security-tracker-team/security-tracker][master] Process some CVEs for mattermost-server, itp'ed

2024-05-26 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
459bd79c by Salvatore Bonaccorso at 2024-05-27T07:40:47+02:00
Process some CVEs for mattermost-server, itped

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -35,23 +35,23 @@ CVE-2024-5359 (A vulnerability was found in PHPGurukul Zoo 
Management System 2.1
 CVE-2024-5358 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1 and  ...)
TODO: check
 CVE-2024-5272 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 
8.1.12 fa ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2024-5270 (Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 
9.6.1 and ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2024-36255 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x 
<= 8.1.12 ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2024-36241 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x 
<= 8.1.12 ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2024-34152 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x 
<= 8.1.12 ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2024-34029 (Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x 
<= 8.1.12 ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2024-32045 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 
8.1.12 fa ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2024-31859 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x 
<= 8.1.12 ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2024-29215 (Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 
9.6.1, 8. ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2024-5357 (A vulnerability has been found in PHPGurukul Zoo Management 
System 2.1 ...)
NOT-FOR-US: PHPGurukul Zoo Management System
 CVE-2024-5356 (A vulnerability, which was classified as critical, was found in 
anji-p ...)
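Review bot: all nine Mattermost entries are changed to "- mattermost-server  (bug #823556)" without any NOTE line; other entries in this series (cacti, Qt, strongSwan) carry the upstream advisory URL, and adding the per-CVE Mattermost advisory reference would make these entries self-describing once the package is in the archive. Pointing every entry at the single ITP bug matches the commit message.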



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/459bd79c1a74939df70bd0822558edfa7c54984c



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-26 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
307c33fb by security tracker role at 2024-05-26T20:11:53+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,57 @@
+CVE-2024-5375 (A vulnerability has been found in Kashipara College Management 
System  ...)
+   TODO: check
+CVE-2024-5374 (A vulnerability, which was classified as problematic, was found 
in Kas ...)
+   TODO: check
+CVE-2024-5373 (A vulnerability, which was classified as problematic, has been 
found i ...)
+   TODO: check
+CVE-2024-5372 (A vulnerability classified as problematic was found in 
Kashipara Colle ...)
+   TODO: check
+CVE-2024-5371 (A vulnerability classified as problematic has been found in 
Kashipara  ...)
+   TODO: check
+CVE-2024-5370 (A vulnerability was found in Kashipara College Management 
System 1.0.  ...)
+   TODO: check
+CVE-2024-5369 (A vulnerability was found in Kashipara College Management 
System 1.0.  ...)
+   TODO: check
+CVE-2024-5368 (A vulnerability was found in Kashipara College Management 
System 1.0.  ...)
+   TODO: check
+CVE-2024-5367 (A vulnerability was found in Kashipara College Management 
System 1.0 a ...)
+   TODO: check
+CVE-2024-5366 (A vulnerability has been found in SourceCodester Best House 
Rental Man ...)
+   TODO: check
+CVE-2024-5365 (A vulnerability, which was classified as critical, was found in 
Source ...)
+   TODO: check
+CVE-2024-5364 (A vulnerability, which was classified as critical, has been 
found in S ...)
+   TODO: check
+CVE-2024-5363 (A vulnerability classified as critical was found in 
SourceCodester Bes ...)
+   TODO: check
+CVE-2024-5362 (A vulnerability classified as critical has been found in 
SourceCodeste ...)
+   TODO: check
+CVE-2024-5361 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1. It  ...)
+   TODO: check
+CVE-2024-5360 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1. It  ...)
+   TODO: check
+CVE-2024-5359 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1. It  ...)
+   TODO: check
+CVE-2024-5358 (A vulnerability was found in PHPGurukul Zoo Management System 
2.1 and  ...)
+   TODO: check
+CVE-2024-5272 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 
8.1.12 fa ...)
+   TODO: check
+CVE-2024-5270 (Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 
9.6.1 and ...)
+   TODO: check
+CVE-2024-36255 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x 
<= 8.1.12 ...)
+   TODO: check
+CVE-2024-36241 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x 
<= 8.1.12 ...)
+   TODO: check
+CVE-2024-34152 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x 
<= 8.1.12 ...)
+   TODO: check
+CVE-2024-34029 (Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x 
<= 8.1.12 ...)
+   TODO: check
+CVE-2024-32045 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 
8.1.12 fa ...)
+   TODO: check
+CVE-2024-31859 (Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x 
<= 8.1.12 ...)
+   TODO: check
+CVE-2024-29215 (Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 
9.6.1, 8. ...)
+   TODO: check
 CVE-2024-5357 (A vulnerability has been found in PHPGurukul Zoo Management 
System 2.1 ...)
NOT-FOR-US: PHPGurukul Zoo Management System
 CVE-2024-5356 (A vulnerability, which was classified as critical, was found in 
anji-p ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/307c33fbacebd310f4b02a4c3f1c1a4693485a76



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for QAbstractOAuth issue

2024-05-26 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4b4c16cb by Salvatore Bonaccorso at 2024-05-26T21:11:25+02:00
Add Debian bug reference for QAbstractOAuth issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4193,10 +4193,10 @@ CVE-2024-36050 (Nix through 2.22.1 mishandles certain 
usage of hash caches, whic
NOTE: https://github.com/NixOS/ofborg/issues/68#issuecomment-2082789441
TODO: check details and verify if same code (and only then) is present 
in guix
 CVE-2024-36048 (QAbstractOAuth in Qt Network Authorization in Qt before 
5.15.17, 6.x b ...)
-   - qtnetworkauth-everywhere-src 
+   - qtnetworkauth-everywhere-src  (bug #1071974)
[bookworm] - qtnetworkauth-everywhere-src  (Minor issue)
[bullseye] - qtnetworkauth-everywhere-src  (Minor issue)
-   - qt6-networkauth 
+   - qt6-networkauth  (bug #1071973)
[bookworm] - qt6-networkauth  (Minor issue)
NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317
NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b4c16cb0175832aa6842c6d6bf39486478a7e1e



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-4603/openssl

2024-05-26 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
51c8e3bf by Salvatore Bonaccorso at 2024-05-26T21:05:47+02:00
Add Debian bug reference for CVE-2024-4603/openssl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7423,7 +7423,7 @@ CVE-2024-4606 (Deserialization of Untrusted Data 
vulnerability in BdThemes Ultim
 CVE-2024-4605 (The Breakdance plugin for WordPress is vulnerable to Remote 
Code Execu ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4603 (Issue summary: Checking excessively long DSA keys or parameters 
may be ...)
-   - openssl 
+   - openssl  (bug #1071972)
[bookworm] - openssl  (Minor issue, fix along with next 
update round)
[bullseye] - openssl  (Vulnerable code not present)
[buster] - openssl  (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51c8e3bf52d1b38570a43f7f6ce8f737f03fc192



[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-3708/lighttpd

2024-05-26 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
17b2ea62 by Salvatore Bonaccorso at 2024-05-26T20:58:12+02:00
Update status for CVE-2024-3708/lighttpd

The CNA will publish details only on July 9th, 2024 but the pre-announce
in [1] declares it to be an issue fixed in 2018 silently by the
maintainer in 1.4.51 upstream. The first version in unstable containing
the fix was 1.4.52-1, so mark it as the fixed version.

 [1] 
https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/2024/AMI-SA-2024002.pdf

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -732,8 +732,8 @@ CVE-2024-3917 (The Pet Manager WordPress plugin through 1.4 
does not sanitise an
 CVE-2024-3711 (The Brizy \u2013 Page Builder plugin for WordPress is 
vulnerable to un ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3708 (A condition exists in lighttpd version prior to 1.4.51 whereby 
a remot ...)
-   - lighttpd 
-   TODO: check, maybe fixed in 1.4.51, details will be only pubished on 
July 9th, 2024
+   - lighttpd 1.4.52-1
+   TODO: check details (will be only pubished on July 9th, 2024), but said 
to be an issue fixed by maintainer in 2018 in version 1.4.51
 CVE-2024-3648 (The ShareThis Share Buttons plugin for WordPress is vulnerable 
to Stor ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3626 (The Email Subscribers by Icegram Express \u2013 Email 
Marketing, Newsl ...)
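Review bot: the added TODO line carries over the typo "pubished" from the removed one; since the line is being rewritten anyway, "published" should be corrected. Setting "1.4.52-1" as the fixed version on the strength of the pre-announcement while keeping a TODO until the CNA publishes details on July 9th, 2024 is consistent with the commit message.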



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17b2ea62b125b0fedfb07428bddf308cdff31160



[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-29895/cacti

2024-05-26 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b37447a9 by Salvatore Bonaccorso at 2024-05-26T20:45:55+02:00
Update status for CVE-2024-29895/cacti

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6971,11 +6971,10 @@ CVE-2024-30258 (FastDDS is a C++ implementation of the 
DDS (Data Distribution Se
NOTE: 
https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-53xw-465j-rxfh
NOTE: 
https://github.com/eProsima/Fast-DDS/commit/65236f93e9c4ea3ff9a49fba4dfd9e43eb94037b
 CVE-2024-29895 (Cacti provides an operational monitoring and fault management 
framewor ...)
-   - cacti 
+   - cacti  (Vulnerable code not present)
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m
NOTE: Fixed by: 
https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d
NOTE: But fix reverted again: 
https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
-   TODO: check, might affect only 1.3.x
 CVE-2024-29894 (Cacti provides an operational monitoring and fault management 
framewor ...)
- cacti 1.2.27+ds1-1
NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh
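Review bot: "(Vulnerable code not present)" now sits directly under NOTE lines saying the fix was applied and then reverted, and the removed "TODO: check, might affect only 1.3.x" was the only hint why the package is unaffected; if the issue is indeed confined to 1.3.x, a short NOTE stating that would keep the rationale in the entry instead of only in this diff.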



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b37447a9e09cd04673b0cb08aedc50d9f55f5fae



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-26 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
411767f9 by Salvatore Bonaccorso at 2024-05-26T13:31:23+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,21 +1,21 @@
 CVE-2024-5357 (A vulnerability has been found in PHPGurukul Zoo Management 
System 2.1 ...)
-   TODO: check
+   NOT-FOR-US: PHPGurukul Zoo Management System
 CVE-2024-5356 (A vulnerability, which was classified as critical, was found in 
anji-p ...)
-   TODO: check
+   NOT-FOR-US: anji-plus AJ-Report
 CVE-2024-5355 (A vulnerability, which was classified as critical, has been 
found in a ...)
-   TODO: check
+   NOT-FOR-US: anji-plus AJ-Report
 CVE-2024-5354 (A vulnerability classified as problematic was found in 
anji-plus AJ-Re ...)
-   TODO: check
+   NOT-FOR-US: anji-plus AJ-Report
 CVE-2024-5353 (A vulnerability classified as critical has been found in 
anji-plus AJ- ...)
-   TODO: check
+   NOT-FOR-US: anji-plus AJ-Report
 CVE-2024-5352 (A vulnerability was found in anji-plus AJ-Report up to 1.4.1. 
It has b ...)
-   TODO: check
+   NOT-FOR-US: anji-plus AJ-Report
 CVE-2024-5351 (A vulnerability was found in anji-plus AJ-Report up to 1.4.1. 
It has b ...)
-   TODO: check
+   NOT-FOR-US: anji-plus AJ-Report
 CVE-2024-5350 (A vulnerability was found in anji-plus AJ-Report up to 1.4.1. 
It has b ...)
-   TODO: check
+   NOT-FOR-US: anji-plus AJ-Report
 CVE-2024-5340 (A vulnerability was found in Ruijie RG-UAC up to 20240516. It 
has been ...)
-   TODO: check
+   NOT-FOR-US: Ruijie RG-UAC
 CVE-2024-5339 (A vulnerability was found in Ruijie RG-UAC up to 20240516. It 
has been ...)
NOT-FOR-US: Ruijie RG-UAC
 CVE-2024-5338 (A vulnerability was found in Ruijie RG-UAC up to 20240516. It 
has been ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/411767f9e83873d0a41bfec6bc46d28bbd73242a



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-26 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5465e8ce by security tracker role at 2024-05-26T08:12:34+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,21 @@
+CVE-2024-5357 (A vulnerability has been found in PHPGurukul Zoo Management 
System 2.1 ...)
+   TODO: check
+CVE-2024-5356 (A vulnerability, which was classified as critical, was found in 
anji-p ...)
+   TODO: check
+CVE-2024-5355 (A vulnerability, which was classified as critical, has been 
found in a ...)
+   TODO: check
+CVE-2024-5354 (A vulnerability classified as problematic was found in 
anji-plus AJ-Re ...)
+   TODO: check
+CVE-2024-5353 (A vulnerability classified as critical has been found in 
anji-plus AJ- ...)
+   TODO: check
+CVE-2024-5352 (A vulnerability was found in anji-plus AJ-Report up to 1.4.1. 
It has b ...)
+   TODO: check
+CVE-2024-5351 (A vulnerability was found in anji-plus AJ-Report up to 1.4.1. 
It has b ...)
+   TODO: check
+CVE-2024-5350 (A vulnerability was found in anji-plus AJ-Report up to 1.4.1. 
It has b ...)
+   TODO: check
+CVE-2024-5340 (A vulnerability was found in Ruijie RG-UAC up to 20240516. It 
has been ...)
+   TODO: check
 CVE-2024-5339 (A vulnerability was found in Ruijie RG-UAC up to 20240516. It 
has been ...)
NOT-FOR-US: Ruijie RG-UAC
 CVE-2024-5338 (A vulnerability was found in Ruijie RG-UAC up to 20240516. It 
has been ...)
@@ -6130,7 +6148,7 @@ CVE-2024-0437 (The Password Protected \u2013 Ultimate 
Plugin to Password Protect
 CVE-2023-33327 (Improper Privilege Management vulnerability in Teplitsa of 
social tech ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3044 (Unchecked script execution in Graphic on-click binding in 
affected Lib ...)
-   {DSA-5690-1}
+   {DSA-5690-1 DLA-3821-1}
- libreoffice 4:24.2.3~rc1-2
NOTE: 
https://www.libreoffice.org/about-us/security/advisories/cve-2024-3044/
NOTE: 
https://git.libreoffice.org/core/+/8b2402b16df185119c91222b33ff1b8d55e0afe4%5E%21



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5465e8ce11c9b15e2c655d37ae6870ed79e9fb8a



[Git][security-tracker-team/security-tracker][master] Track fixed version for linux update via unstable

2024-05-26 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
10a958cd by Salvatore Bonaccorso at 2024-05-26T09:06:08+02:00
Track fixed version for linux update via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -752,15 +752,15 @@ CVE-2023-46807 (An SQL Injection vulnerability in web 
component of EPMM before 1
 CVE-2023-46806 (An SQL Injection vulnerability in a web component of EPMM 
versions bef ...)
NOT-FOR-US: Ivanti
 CVE-2024-36013 (In the Linux kernel, the following vulnerability has been 
resolved:  B ...)
-   - linux 
+   - linux 6.8.11-1
NOTE: 
https://git.kernel.org/linus/4d7b41c0e43995b0e992b9f8903109275744b658 (6.9)
 CVE-2024-36012 (In the Linux kernel, the following vulnerability has been 
resolved:  B ...)
-   - linux 
+   - linux 6.8.11-1
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/10f9f426ac6e752c8d87bf4346930ba347aaabac (6.9)
 CVE-2024-36011 (In the Linux kernel, the following vulnerability has been 
resolved:  B ...)
-   - linux 
+   - linux 6.8.11-1
[bookworm] - linux  (Vulnerable code not present)
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
@@ -3669,7 +3669,7 @@ CVE-2024-35950 (In the Linux kernel, the following 
vulnerability has been resolv
[bullseye] - linux 5.10.216-1
NOTE: 
https://git.kernel.org/linus/3eadd887dbac1df8f25f701e5d404d1b90fd0fea (6.9-rc4)
 CVE-2024-35949 (In the Linux kernel, the following vulnerability has been 
resolved:  b ...)
-   - linux 
+   - linux 6.8.11-1
NOTE: 
https://git.kernel.org/linus/e03418abde871314e1a3a550f4c8afb7b89cb273 (6.9)
 CVE-2024-35948 (In the Linux kernel, the following vulnerability has been 
resolved:  b ...)
- linux 
@@ -3739,7 +3739,7 @@ CVE-2024-36070 (tine before 2023.11.8, when an LDAP 
backend is used, allows anon
 CVE-2024-36053 (In the mintupload package through 4.2.0 for Linux Mint, 
service-name m ...)
NOT-FOR-US: mintupload
 CVE-2024-35947 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
-   - linux 
+   - linux 6.8.11-1
NOTE: 
https://git.kernel.org/linus/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c (6.9-rc7)
 CVE-2024-35946 (In the Linux kernel, the following vulnerability has been 
resolved:  w ...)
- linux 6.8.9-1
@@ -5499,7 +5499,7 @@ CVE-2023-27504 (Improper conditions check in some 
Intel(R) BIOS Guard firmware m
 CVE-2023-22662 (Improper input validation of EpsdSrMgmtConfig in UEFI firmware 
for som ...)
NOT-FOR-US: Intel
 CVE-2024-21823 (Hardware logic with insecure de-synchronization in Intel(R) 
DSA and In ...)
-   - linux 
+   - linux 6.8.11-1
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html
 CVE-2023-47855 (Improper input validation in some Intel(R) TDX module software 
before  ...)
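Review bot: unlike every other linux entry in this commit, CVE-2024-21823 is given the fixed version `6.8.11-1` with only the Intel advisory (`intel-sa-01084`) as reference and no `git.kernel.org` commit NOTE, so it is not visible which upstream change 6.8.11-1 is being credited with. Suggest adding the kernel commit reference(s) in the same `NOTE: https://git.kernel.org/linus/... (version)` form used for the neighbouring entries once they are identified, otherwise the `[buster] - linux  (Vulnerable code not present)` line below it cannot be re-checked against a concrete patch either.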
@@ -6999,18 +6999,18 @@ CVE-2023-46870 (extcap/nrf_sniffer_ble.py, 
extcap/nrf_sniffer_ble.sh, extcap/Sni
 CVE-2022-4967 (strongSwan versions 5.9.2 through 5.9.5 are affected by 
authorization  ...)
TODO: check
 CVE-2024-27401 (In the Linux kernel, the following vulnerability has been 
resolved:  f ...)
-   - linux 
+   - linux 6.8.11-1
NOTE: 
https://git.kernel.org/linus/38762a0763c10c24a4915feee722d7aa6e73eb98 (6.9-rc7)
 CVE-2024-27400 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
-   - linux 
+   - linux 6.8.11-1
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/d3a9331a6591e9df64791e076f6591f440af51c3 (6.9-rc7)
 CVE-2024-27399 (In the Linux kernel, the following vulnerability has been 
resolved:  B ...)
-   - linux 
+   - linux 6.8.11-1
NOTE: 
https://git.kernel.org/linus/adf0398cee86643b8eacde95f17d073d022f782c (6.9)
 CVE-2024-27398 (In the Linux kernel, the following vulnerability has been 
resolved:  B ...)
-   - linux 
+   - linux 6.8.11-1
NOTE: 
https://git.kernel.org/linus/483bc08181827fc475643272ffb69c533007e546 (6.9)
 CVE-2023-52656 (In the Linux kernel, the following vulnerability has been 
resolved:  i ...)
- linux 6.7.12-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10a958cdb9d222388bd2682639df16f27ac4dfec


[Git][security-tracker-team/security-tracker][master] Add CVE-2024-33427/squid

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0befe408 by Salvatore Bonaccorso at 2024-05-26T07:51:57+02:00
Add CVE-2024-33427/squid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -73,7 +73,10 @@ CVE-2024-33471 (An issue in the Sensor Settings of AVTECH 
Room Alert 4E v4.4.0 a
 CVE-2024-33470 (An issue in the SMTP Email Settings of AVTECH Room Alert 4E 
v4.4.0 all ...)
NOT-FOR-US: AVTECH Room Alert
 CVE-2024-33427 (Buffer Overflow vulnerability in Squid version before v.6.10 
allows a  ...)
-   TODO: check
+   - squid 
+   - squid3 
+   NOTE: https://github.com/squid-cache/squid/pull/1763
+   NOTE: 
https://github.com/squid-cache/squid/commit/1891ce596237b45e0a675f75c49a5f6a840d
 CVE-2024-31510 (An issue in Open Quantum Safe liboqs v.10.0 allows a remote 
attacker t ...)
TODO: check
 CVE-2024-22588 (Kwik commit 745fd4e2 does not discard unused encryption keys.)
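Review bot: the commit reference on the last added NOTE line, `https://github.com/squid-cache/squid/commit/1891ce596237b45e0a675f75c49a5f6a840d`, carries a 36-hex-character hash rather than a full 40-character SHA as used on the other commit NOTEs in this file, so the link may not resolve as written; please verify the hash before this lands. The `NOTE: https://github.com/squid-cache/squid/pull/1763` line above it is fine and gives a fallback if the commit reference turns out to be truncated.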



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0befe408dbcd83114efd2ca35546b87d7759ae41



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0857c4db by Salvatore Bonaccorso at 2024-05-26T07:49:30+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,11 +1,11 @@
 CVE-2024-5339 (A vulnerability was found in Ruijie RG-UAC up to 20240516. It 
has been ...)
-   TODO: check
+   NOT-FOR-US: Ruijie RG-UAC
 CVE-2024-5338 (A vulnerability was found in Ruijie RG-UAC up to 20240516. It 
has been ...)
-   TODO: check
+   NOT-FOR-US: Ruijie RG-UAC
 CVE-2024-5337 (A vulnerability was found in Ruijie RG-UAC up to 20240516 and 
classifi ...)
-   TODO: check
+   NOT-FOR-US: Ruijie RG-UAC
 CVE-2024-5336 (A vulnerability has been found in Ruijie RG-UAC up to 20240516 
and cla ...)
-   TODO: check
+   NOT-FOR-US: Ruijie RG-UAC
 CVE-2024-30056 (Microsoft Edge (Chromium-based) Information Disclosure 
Vulnerability)
TODO: check
 CVE-2024-5229 (The Primary Addon for Elementor plugin for WordPress is 
vulnerable to  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0857c4dbd1226fd9d2551f57ba84518ebddeb51c



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
887ef5c3 by security tracker role at 2024-05-25T20:11:51+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,13 @@
+CVE-2024-5339 (A vulnerability was found in Ruijie RG-UAC up to 20240516. It 
has been ...)
+   TODO: check
+CVE-2024-5338 (A vulnerability was found in Ruijie RG-UAC up to 20240516. It 
has been ...)
+   TODO: check
+CVE-2024-5337 (A vulnerability was found in Ruijie RG-UAC up to 20240516 and 
classifi ...)
+   TODO: check
+CVE-2024-5336 (A vulnerability has been found in Ruijie RG-UAC up to 20240516 
and cla ...)
+   TODO: check
+CVE-2024-30056 (Microsoft Edge (Chromium-based) Information Disclosure 
Vulnerability)
+   TODO: check
 CVE-2024-5229 (The Primary Addon for Elementor plugin for WordPress is 
vulnerable to  ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-5220 (The ND Shortcodes plugin for WordPress is vulnerable to Stored 
Cross-S ...)
@@ -90853,6 +90863,7 @@ CVE-2023-27351 (This vulnerability allows remote 
attackers to bypass authenticat
 CVE-2023-27350 (This vulnerability allows remote attackers to bypass 
authentication on ...)
NOT-FOR-US: PaperCut
 CVE-2023-27349 (BlueZ Audio Profile AVRCP Improper Validation of Array Index 
Remote Co ...)
+   {DLA-3820-1}
- bluez 5.68-1
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-386/
NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f54299a850676d92c3dafd83e9174fcfe420ccc9
 (5.67)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/887ef5c334c9ca7ccc7e0e2d24133cd8ec7c1ba8



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-25581/dnsdist

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4242cbf1 by Salvatore Bonaccorso at 2024-05-25T21:24:00+02:00
Track fixed version for CVE-2024-25581/dnsdist

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7010,7 +7010,7 @@ CVE-2023-52655 (In the Linux kernel, the following 
vulnerability has been resolv
[bullseye] - linux 5.10.205-1
NOTE: 
https://git.kernel.org/linus/ccab434e674ca95d483788b1895a70c21b7f016a (6.7-rc3)
 CVE-2024-25581 (When incoming DNS over HTTPS support is enabled using the 
nghttp2 prov ...)
-   - dnsdist  (bug #1071750)
+   - dnsdist 1.9.4-1 (bug #1071750)
[bookworm] - dnsdist  (Vulnerable code not present)
[bullseye] - dnsdist  (Vulnerable code not present)
[buster] - dnsdist  (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4242cbf1b289ca347bf43f20634ca52d441ac3d0



[Git][security-tracker-team/security-tracker][master] Track sendmail for proposed update via bookworm-pu

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
743091ab by Salvatore Bonaccorso at 2024-05-25T21:03:01+02:00
Track sendmail for proposed update via bookworm-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -182,3 +182,5 @@ CVE-2024-26328
[bookworm] - qemu 1:7.2+dfsg-7+deb12u6
 CVE-2023-4237
[bookworm] - ansible 7.7.0+dfsg-3+deb12u1
+CVE-2023-51765
+   [bookworm] - sendmail 8.17.1.9-2+deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/743091ab65ee36822750f292100eb54d87ba1b34



[Git][security-tracker-team/security-tracker][master] Track proposed update for ansible via bookworm-pu

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52f13b23 by Salvatore Bonaccorso at 2024-05-25T20:52:45+02:00
Track proposed update for ansible via bookworm-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -180,3 +180,5 @@ CVE-2024-26327
[bookworm] - qemu 1:7.2+dfsg-7+deb12u6
 CVE-2024-26328
[bookworm] - qemu 1:7.2+dfsg-7+deb12u6
+CVE-2023-4237
+   [bookworm] - ansible 7.7.0+dfsg-3+deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f13b23fac813a6e147b05e36a16145bda582db



[Git][security-tracker-team/security-tracker][master] Revert "Remove notes from CVE-2023-52656"

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
733067fc by Salvatore Bonaccorso at 2024-05-25T20:39:01+02:00
Revert Remove notes from CVE-2023-52656

This reverts commit abb9601745fbbae5fb06e1c2ff9c79d8851e5b4c.

CVE was restored again by the Linux Kernel CNA.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6999,8 +6999,11 @@ CVE-2024-27399 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2024-27398 (In the Linux kernel, the following vulnerability has been 
resolved:  B ...)
- linux 
NOTE: 
https://git.kernel.org/linus/483bc08181827fc475643272ffb69c533007e546 (6.9)
-CVE-2023-52656
-   REJECTED
+CVE-2023-52656 (In the Linux kernel, the following vulnerability has been 
resolved:  i ...)
+   - linux 6.7.12-1
+   [bookworm] - linux 6.1.85-1
+   [bullseye] - linux 5.10.216-1
+   NOTE: 
https://git.kernel.org/linus/6e5e6d274956305f1fc0340522b38f5f5be74bdb (6.8-rc1)
 CVE-2023-52655 (In the Linux kernel, the following vulnerability has been 
resolved:  u ...)
- linux 6.6.8-1
[bookworm] - linux 6.1.69-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/733067fc5c8c55bcecf6cf04960895444cad70f1



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-31208/matrix-synapse via unstable

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
936939f8 by Salvatore Bonaccorso at 2024-05-25T16:45:24+02:00
Track fixed version for CVE-2024-31208/matrix-synapse via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13796,7 +13796,7 @@ CVE-2024-32258 (The network server of fceux 2.7.0 has a 
path traversal vulnerabi
 CVE-2024-31804 (An unquoted service path vulnerability in Terratec DMX_6Fire 
USB v.1.2 ...)
NOT-FOR-US: Terratec
 CVE-2024-31208 (Synapse is an open-source Matrix homeserver. A remote Matrix 
user with ...)
-   - matrix-synapse  (bug #1069763)
+   - matrix-synapse 1.103.0-2 (bug #1069763)
NOTE: 
https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v
NOTE: 
https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a
 (v1.105.1)
 CVE-2024-30800 (PX4 Autopilot v.1.14 allows an attacker to fly the drone into 
no-fly z ...)
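Review bot: the fixed version `1.103.0-2` on the `+` line is older than the upstream fix tag `(v1.105.1)` cited in the NOTE two lines below, so the Debian fix must be a cherry-picked patch on top of 1.103.0 rather than a new upstream release. A short NOTE saying that the referenced commit was backported in the 1.103.0-2 revision would spare the next reader from cross-checking the package changelog to reconcile the two version numbers.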



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/936939f8e86d0d76f6773de892a976b9ab648b68



[Git][security-tracker-team/security-tracker][master] Add some notes for frr and git

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
97886111 by Salvatore Bonaccorso at 2024-05-25T16:21:18+02:00
Add some notes for frr and git

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -19,9 +19,11 @@ dnsdist (jmm)
 dnsmasq
 --
 frr
-  Tobias Frost (tobi) proposed to work on preparing an update
+  Tobias Frost (tobi) proposed to work on preparing an update, but discussion
+  with Debian maintainer for status on bullseye + updates
 --
 git
+  Maintainer is queried to prepare an update
 --
 gpac/oldstable
 --
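Review bot: the new wording on the frr entry, `but discussion with Debian maintainer for status on bullseye + updates`, has no verb and leaves the reader guessing whether that discussion is ongoing or still to be started; suggest `but the status of bullseye and the planned updates is still being discussed with the Debian maintainer`. On the git entry, `Maintainer is queried to prepare an update` would read more naturally as `Maintainer has been asked to prepare an update`, matching the past-tense style of the frr line above it.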



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/978861114bc80d7d0b5af7e171769aabedff7388



[Git][security-tracker-team/security-tracker][master] 2 commits: Deassociate CVE-2024-24795 from fossil

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cb3757d3 by Salvatore Bonaccorso at 2024-05-25T16:15:03+02:00
Deassociate CVE-2024-24795 from fossil

CVE-2024-24795 is for apache2.

- - - - -
a63a6d31 by Salvatore Bonaccorso at 2024-05-25T16:19:20+02:00
Several Linux CVEs rejected

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -2385,9 +2385,8 @@ CVE-2021-47413 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2021-47412 (In the Linux kernel, the following vulnerability has been 
resolved:  b ...)
- linux 5.14.12-1
NOTE: 
https://git.kernel.org/linus/a647a524a46736786c95cdb553a070322ca096e3 (5.15-rc3)
-CVE-2021-47411 (In the Linux kernel, the following vulnerability has been 
resolved:  i ...)
-   - linux 5.14.12-1
-   NOTE: 
https://git.kernel.org/linus/8bab4c09f24ec8d4a7a78ab343620f89d3a24804 (5.15-rc3)
+CVE-2021-47411
+   REJECTED
 CVE-2021-47410 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
- linux 5.14.12-1
NOTE: 
https://git.kernel.org/linus/197ae17722e989942b36e33e044787877f158574 (5.15-rc3)
@@ -3819,10 +3818,8 @@ CVE-2024-35925 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2024-35924 (In the Linux kernel, the following vulnerability has been 
resolved:  u ...)
- linux 6.8.9-1
NOTE: 
https://git.kernel.org/linus/b3db266fb031fba88c423d4bb8983a73a3db6527 (6.9-rc1)
-CVE-2024-35923 (In the Linux kernel, the following vulnerability has been 
resolved:  i ...)
-   - linux 6.8.9-1
-   [bookworm] - linux 6.1.90-1
-   NOTE: 
https://git.kernel.org/linus/e21e1c45e1fe2e31732f40256b49c04e76a17cee (6.9-rc1)
+CVE-2024-35923
+   REJECTED
 CVE-2024-35922 (In the Linux kernel, the following vulnerability has been 
resolved:  f ...)
- linux 6.8.9-1
[bookworm] - linux 6.1.90-1
@@ -4492,12 +4489,8 @@ CVE-2024-35821 (In the Linux kernel, the following 
vulnerability has been resolv
[bookworm] - linux 6.1.85-1
[bullseye] - linux 5.10.216-1
NOTE: 
https://git.kernel.org/linus/723012cab779eee8228376754e22c6594229bf8f (6.9-rc1)
-CVE-2024-35820 (In the Linux kernel, the following vulnerability has been 
resolved:  i ...)
-   - linux 6.7.12-1
-   [bookworm] - linux  (Vulnerable code not present)
-   [bullseye] - linux  (Vulnerable code not present)
-   [buster] - linux  (Vulnerable code not present)
-   NOTE: 
https://git.kernel.org/linus/1a8ec63b2b6c91caec87d4e132b1f71b5df342be (6.9-rc1)
+CVE-2024-35820
+   REJECTED
 CVE-2024-35819 (In the Linux kernel, the following vulnerability has been 
resolved:  s ...)
- linux 6.7.12-1
[bookworm] - linux 6.1.85-1
@@ -4847,58 +4840,28 @@ CVE-2024-27431 (In the Linux kernel, the following 
vulnerability has been resolv
[bullseye] - linux 5.10.216-1
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/2487007aa3b9fafbd2cb14068f49791ce1d7ede5 (6.8)
-CVE-2024-27430 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
-   - linux 6.7.12-1
-   [bookworm] - linux 6.1.82-1
-   [bullseye] - linux 5.10.216-1
-   NOTE: 
https://git.kernel.org/linus/958d6145a6d9ba9e075c921aead8753fb91c9101 (6.8)
+CVE-2024-27430
+   REJECTED
 CVE-2024-27429
REJECTED
-CVE-2024-27428 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
-   - linux 6.7.12-1
-   [bookworm] - linux 6.1.82-1
-   [bullseye] - linux 5.10.216-1
-   NOTE: 
https://git.kernel.org/linus/119cae5ea3f9e35cdada8e572cc067f072fa825a (6.8)
-CVE-2024-27427 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
-   - linux 6.7.12-1
-   [bookworm] - linux 6.1.82-1
-   [bullseye] - linux 5.10.216-1
-   NOTE: 
https://git.kernel.org/linus/60a7a152abd494ed4f69098cf0f322e6bb140612 (6.8)
-CVE-2024-27426 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
-   - linux 6.7.12-1
-   [bookworm] - linux 6.1.82-1
-   [bullseye] - linux 5.10.216-1
-   NOTE: 
https://git.kernel.org/linus/e799299aafed417cc1f32adccb2a0e5268b3f6d5 (6.8)
-CVE-2024-27425 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
-   - linux 6.7.12-1
-   [bookworm] - linux 6.1.82-1
-   [bullseye] - linux 5.10.216-1
-   NOTE: 
https://git.kernel.org/linus/806f462ba9029d41aadf8ec93f2f99c5305deada (6.8)
-CVE-2024-27424 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
-   - linux 6.7.12-1
-   [bookworm] - linux 6.1.82-1
-   [bullseye] - linux 5.10.216-1
-   NOTE: 
https://git.kernel.org/linus/43547d8699439a67b78d6bb39015113f7aa360fd (6.8)
-CVE-2024-27423 (In the Linux kernel, the 

[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2024-4453

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
94659a5e by Salvatore Bonaccorso at 2024-05-25T13:23:36+02:00
Add reference for CVE-2024-4453

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -790,6 +790,7 @@ CVE-2024-4454 (WithSecure Elements Endpoint Protection Link 
Following Local Priv
 CVE-2024-4453 (GStreamer EXIF Metadata Parsing Integer Overflow Remote Code 
Execution ...)
- gst-plugins-base1.0 1.24.3-1
- gst-plugins-base0.10 
+   NOTE: https://gstreamer.freedesktop.org/security/sa-2024-0002.html
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e68eccff103ab0e91e6d77a892f57131b33902f5
NOTE: Backport: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6768



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94659a5e05fcdb35d7d1a489143f73d80289472e



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc349f36 by Salvatore Bonaccorso at 2024-05-25T13:19:40+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,19 +1,19 @@
 CVE-2024-5229 (The Primary Addon for Elementor plugin for WordPress is 
vulnerable to  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5220 (The ND Shortcodes plugin for WordPress is vulnerable to Stored 
Cross-S ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5218 (The Reviews and Rating \u2013 Google Reviews plugin for 
WordPress is v ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4858 (The Testimonial Carousel For Elementor plugin for WordPress is 
vulnera ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4045 (The Popup Builder by OptinMonster \u2013 WordPress Popups for 
Optins,  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-36079 (An issue was discovered in Vaultize 21.07.27. When uploading 
files, th ...)
TODO: check
 CVE-2024-35374 (Mocodo Mocodo Online 4.2.6 and below does not properly 
sanitize the sq ...)
-   TODO: check
+   NOT-FOR-US: Mocodo Mocodo Online
 CVE-2024-35373 (Mocodo Mocodo Online 4.2.6 and below is vulnerable to Remote 
Code Exec ...)
-   TODO: check
+   NOT-FOR-US: Mocodo Mocodo Online
 CVE-2024-35232 (github.com/huandu/facebook is a Go package that fully supports 
the Fac ...)
TODO: check
 CVE-2024-5318 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc349f36758c15aa52bacaa92002aa16332dc801



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54a17456 by security tracker role at 2024-05-25T08:11:55+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,21 @@
+CVE-2024-5229 (The Primary Addon for Elementor plugin for WordPress is 
vulnerable to  ...)
+   TODO: check
+CVE-2024-5220 (The ND Shortcodes plugin for WordPress is vulnerable to Stored 
Cross-S ...)
+   TODO: check
+CVE-2024-5218 (The Reviews and Rating \u2013 Google Reviews plugin for 
WordPress is v ...)
+   TODO: check
+CVE-2024-4858 (The Testimonial Carousel For Elementor plugin for WordPress is 
vulnera ...)
+   TODO: check
+CVE-2024-4045 (The Popup Builder by OptinMonster \u2013 WordPress Popups for 
Optins,  ...)
+   TODO: check
+CVE-2024-36079 (An issue was discovered in Vaultize 21.07.27. When uploading 
files, th ...)
+   TODO: check
+CVE-2024-35374 (Mocodo Mocodo Online 4.2.6 and below does not properly 
sanitize the sq ...)
+   TODO: check
+CVE-2024-35373 (Mocodo Mocodo Online 4.2.6 and below is vulnerable to Remote 
Code Exec ...)
+   TODO: check
+CVE-2024-35232 (github.com/huandu/facebook is a Go package that fully supports 
the Fac ...)
+   TODO: check
 CVE-2024-5318 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
- gitlab  (Vulnerable code introduced later)
 CVE-2024-5315 (Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 
and al ...)
@@ -19901,7 +19919,7 @@ CVE-2024-26745 (In the Linux kernel, the following 
vulnerability has been resolv
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/09a3c1e46142199adcee372a420b024b4fc61051 (6.8-rc7)
 CVE-2024-24795 (HTTP Response splitting in multiple modules in Apache HTTP 
Server allo ...)
-   {DSA-5662-1}
+   {DSA-5662-1 DLA-3818-1}
- apache2 2.4.59-1 (bug #1068412)
- uwsgi  (unimportant)
NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/5
@@ -19913,13 +19931,13 @@ CVE-2024-24795 (HTTP Response splitting in multiple 
modules in Apache HTTP Serve
NOTE: packages which are provided by src:apache2 itself.
NOTE: https://github.com/unbit/uwsgi/issues/2635
 CVE-2023-38709 (Faulty input validation in the core of Apache allows malicious 
or expl ...)
-   {DSA-5662-1}
+   {DSA-5662-1 DLA-3818-1}
- apache2 2.4.59-1 (bug #1068412)
NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/3
NOTE: 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-38709
NOTE: 
https://github.com/apache/httpd/commit/ac20389f3c816d990aba21720f1492b69ac5cb44
 CVE-2024-27316 (HTTP/2 incoming headers exceeding the limit are temporarily 
buffered i ...)
-   {DSA-5662-1}
+   {DSA-5662-1 DLA-3818-1}
- apache2 2.4.59-1 (bug #1068412)
NOTE: https://www.kb.cert.org/vuls/id/421644
NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/4
@@ -55873,7 +55891,7 @@ CVE-2020-36706 (The Simple:Press \u2013 WordPress Forum 
Plugin for WordPress is
 CVE-2020-36698 (The Security & Malware scan by CleanTalk plugin for WordPress 
is vulne ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-45802 (When a HTTP/2 stream was reset (RST frame) by a client, there 
was a ti ...)
-   {DSA-5662-1}
+   {DSA-5662-1 DLA-3818-1}
- apache2 2.4.58-1
NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/6
NOTE: 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-45802
@@ -78703,7 +78721,7 @@ CVE-2023-2259 (Improper Neutralization of Special 
Elements Used in a Template En
 CVE-2023-2258 (Improper Neutralization of Formula Elements in a CSV File in 
GitHub re ...)
NOT-FOR-US: Alf.io
 CVE-2023-31122 (Out-of-bounds Read vulnerability in mod_macro of Apache HTTP 
Server.Th ...)
-   {DSA-5662-1}
+   {DSA-5662-1 DLA-3818-1}
- apache2 2.4.58-1
NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/4
NOTE: 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-31122
@@ -347017,6 +347035,7 @@ CVE-2019-17569 (The refactoring present in Apache 
Tomcat 9.0.28 to 9.0.30, 8.5.4
 CVE-2019-17568
REJECTED
 CVE-2019-17567 (Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel 
configu ...)
+   {DLA-3818-1}
[experimental] - apache2 2.4.48-1
- apache2 2.4.48-2
[stretch] - apache2  (Intrusive and risky backport)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54a1745646757b78eb1007dd43941003ea258867


[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-52656

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
abb96017 by Salvatore Bonaccorso at 2024-05-25T09:44:37+02:00
Remove notes from CVE-2023-52656

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7017,11 +7017,8 @@ CVE-2024-27399 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2024-27398 (In the Linux kernel, the following vulnerability has been 
resolved:  B ...)
- linux 
NOTE: 
https://git.kernel.org/linus/483bc08181827fc475643272ffb69c533007e546 (6.9)
-CVE-2023-52656 (In the Linux kernel, the following vulnerability has been 
resolved:  i ...)
-   - linux 6.7.12-1
-   [bookworm] - linux 6.1.85-1
-   [bullseye] - linux 5.10.216-1
-   NOTE: 
https://git.kernel.org/linus/6e5e6d274956305f1fc0340522b38f5f5be74bdb (6.8-rc1)
+CVE-2023-52656
+   REJECTED
 CVE-2023-52655 (In the Linux kernel, the following vulnerability has been 
resolved:  u ...)
- linux 6.6.8-1
[bookworm] - linux 6.1.69-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abb9601745fbbae5fb06e1c2ff9c79d8851e5b4c



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f5515d4d by Salvatore Bonaccorso at 2024-05-25T08:53:53+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,45 +5,45 @@ CVE-2024-5315 (Vulnerabilities in Dolibarr ERP - CRM that 
affect version 9.0.1 a
 CVE-2024-5314 (Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 
and al ...)
- dolibarr 
 CVE-2024-5312 (PHP Server Monitor, version 3.2.0, is vulnerable to an XSS via 
the /ph ...)
-   TODO: check
+   NOT-FOR-US: PHP Server Monitor
 CVE-2024-5310 (A vulnerability classified as problematic has been found in 
JFinalCMS  ...)
-   TODO: check
+   NOT-FOR-US: JFinalCMS
 CVE-2024-4455 (The YITH WooCommerce Ajax Search plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4037 (The WP Photo Album Plus plugin for WordPress is vulnerable to 
arbitrar ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-36049 (Aptos Wisal payroll accounting before 7.1.6 uses hardcoded 
credentials ...)
-   TODO: check
+   NOT-FOR-US: Aptos Wisal payroll accounting
 CVE-2024-35618 (PingCAP TiDB v7.5.1 was discovered to contain a NULL pointer 
dereferen ...)
-   TODO: check
+   NOT-FOR-US: PingCAP TiDB
 CVE-2024-35595 (An arbitrary file upload vulnerability in the File Preview 
function of ...)
-   TODO: check
+   NOT-FOR-US: Xintongda OA
 CVE-2024-35593 (An arbitrary file upload vulnerability in the File preview 
function of ...)
-   TODO: check
+   NOT-FOR-US: Raingad IM
 CVE-2024-35592 (An arbitrary file upload vulnerability in the Upload function 
of Box-I ...)
-   TODO: check
+   NOT-FOR-US: Box-IM
 CVE-2024-35591 (An arbitrary file upload vulnerability in O2OA v8.3.8 allows 
attackers ...)
-   TODO: check
+   NOT-FOR-US: O2OA
 CVE-2024-35396 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a har ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-35395 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a har ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-35388 (TOTOLINK NR1800X v9.1.0u.6681_B20230703 was discovered to 
contain a st ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-35387 (TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to 
contain a stac ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-35340 (Tenda FH1206 V1.2.0.8(8155) was discovered to contain a 
command inject ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2024-35339 (Tenda FH1206 V1.2.0.8(8155) was discovered to contain a 
command inject ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2024-34995 (svnWebUI v1.8.3 was discovered to contain an arbitrary file 
deletion v ...)
-   TODO: check
+   NOT-FOR-US: svnWebUI
 CVE-2024-33809 (PingCAP TiDB v7.5.1 was discovered to contain a buffer 
overflow vulner ...)
-   TODO: check
+   NOT-FOR-US: PingCAP TiDB
 CVE-2024-33471 (An issue in the Sensor Settings of AVTECH Room Alert 4E v4.4.0 
allows  ...)
-   TODO: check
+   NOT-FOR-US: AVTECH Room Alert
 CVE-2024-33470 (An issue in the SMTP Email Settings of AVTECH Room Alert 4E 
v4.4.0 all ...)
-   TODO: check
+   NOT-FOR-US: AVTECH Room Alert
 CVE-2024-33427 (Buffer Overflow vulnerability in Squid version before v.6.10 
allows a  ...)
TODO: check
 CVE-2024-31510 (An issue in Open Quantum Safe liboqs v.10.0 allows a remote 
attacker t ...)
@@ -51,13 +51,13 @@ CVE-2024-31510 (An issue in Open Quantum Safe liboqs v.10.0 
allows a remote atta
 CVE-2024-22588 (Kwik commit 745fd4e2 does not discard unused encryption keys.)
TODO: check
 CVE-2023-49575 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
-   TODO: check
+   NOT-FOR-US: VX Search Enterprise
 CVE-2023-49574 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
-   TODO: check
+   NOT-FOR-US: VX Search Enterprise
 CVE-2023-49573 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
-   TODO: check
+   NOT-FOR-US: VX Search Enterprise
 CVE-2023-49572 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
-   TODO: check
+   NOT-FOR-US: VX Search Enterprise
 CVE-2023-47710 (IBM Security Guardium 11.4, 11.5, and 12.0 is vulnerable to 
cross-site ...)
NOT-FOR-US: IBM
 CVE-2023-46442 (An infinite loop in the retrieveActiveBody function of Soot 
before v4. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5515d4d1e24a730967061403378de2b411bd97a


[Git][security-tracker-team/security-tracker][master] Add two new issues in dolibarr

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3aea02d by Salvatore Bonaccorso at 2024-05-25T08:50:36+02:00
Add two new issues in dolibarr

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,9 +1,9 @@
 CVE-2024-5318 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
- gitlab  (Vulnerable code introduced later)
 CVE-2024-5315 (Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 
and al ...)
-   TODO: check
+   - dolibarr 
 CVE-2024-5314 (Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 
and al ...)
-   TODO: check
+   - dolibarr 
 CVE-2024-5312 (PHP Server Monitor, version 3.2.0, is vulnerable to an XSS via 
the /ph ...)
TODO: check
 CVE-2024-5310 (A vulnerability classified as problematic has been found in 
JFinalCMS  ...)
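Review bot: both new `+   - dolibarr ` lines replace the `TODO: check` marker without a fixed version, a bracketed status token, or any `NOTE:` line; add a NOTE pointing at the upstream advisory or fixing commit for CVE-2024-5315 and CVE-2024-5314 so the two entries can be resolved later without re-triaging from the CVE text.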



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3aea02d134fd7ee5a0fa8a128f81e6f76defc18



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-5318/gitlab

2024-05-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
47bf90c0 by Salvatore Bonaccorso at 2024-05-25T08:49:08+02:00
Add CVE-2024-5318/gitlab

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2024-5318 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
-   TODO: check
+   - gitlab  (Vulnerable code introduced later)
 CVE-2024-5315 (Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 
and al ...)
TODO: check
 CVE-2024-5314 (Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 
and al ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47bf90c09e0754f1b4c9397f6af849a14c99e724



[Git][security-tracker-team/security-tracker][master] Process one NFU

2024-05-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0a5dde93 by Salvatore Bonaccorso at 2024-05-25T07:23:57+02:00
Process one NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -59,7 +59,7 @@ CVE-2023-49573 (A vulnerability has been discovered in VX 
Search Enterprise affe
 CVE-2023-49572 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
TODO: check
 CVE-2023-47710 (IBM Security Guardium 11.4, 11.5, and 12.0 is vulnerable to 
cross-site ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-46442 (An infinite loop in the retrieveActiveBody function of Soot 
before v4. ...)
TODO: check
 CVE-2023-52880 (In the Linux kernel, the following vulnerability has been 
resolved:  t ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a5dde93bae0364d58effb26556a3cd5af94c7e4



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0a200b01 by security tracker role at 2024-05-24T20:12:24+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,359 +1,423 @@
-CVE-2023-52880 [tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc]
+CVE-2024-5318 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
+   TODO: check
+CVE-2024-5315 (Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 
and al ...)
+   TODO: check
+CVE-2024-5314 (Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 
and al ...)
+   TODO: check
+CVE-2024-5312 (PHP Server Monitor, version 3.2.0, is vulnerable to an XSS via 
the /ph ...)
+   TODO: check
+CVE-2024-5310 (A vulnerability classified as problematic has been found in 
JFinalCMS  ...)
+   TODO: check
+CVE-2024-4455 (The YITH WooCommerce Ajax Search plugin for WordPress is 
vulnerable to ...)
+   TODO: check
+CVE-2024-4037 (The WP Photo Album Plus plugin for WordPress is vulnerable to 
arbitrar ...)
+   TODO: check
+CVE-2024-36049 (Aptos Wisal payroll accounting before 7.1.6 uses hardcoded 
credentials ...)
+   TODO: check
+CVE-2024-35618 (PingCAP TiDB v7.5.1 was discovered to contain a NULL pointer 
dereferen ...)
+   TODO: check
+CVE-2024-35595 (An arbitrary file upload vulnerability in the File Preview 
function of ...)
+   TODO: check
+CVE-2024-35593 (An arbitrary file upload vulnerability in the File preview 
function of ...)
+   TODO: check
+CVE-2024-35592 (An arbitrary file upload vulnerability in the Upload function 
of Box-I ...)
+   TODO: check
+CVE-2024-35591 (An arbitrary file upload vulnerability in O2OA v8.3.8 allows 
attackers ...)
+   TODO: check
+CVE-2024-35396 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a har ...)
+   TODO: check
+CVE-2024-35395 (TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to 
contain a har ...)
+   TODO: check
+CVE-2024-35388 (TOTOLINK NR1800X v9.1.0u.6681_B20230703 was discovered to 
contain a st ...)
+   TODO: check
+CVE-2024-35387 (TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to 
contain a stac ...)
+   TODO: check
+CVE-2024-35340 (Tenda FH1206 V1.2.0.8(8155) was discovered to contain a 
command inject ...)
+   TODO: check
+CVE-2024-35339 (Tenda FH1206 V1.2.0.8(8155) was discovered to contain a 
command inject ...)
+   TODO: check
+CVE-2024-34995 (svnWebUI v1.8.3 was discovered to contain an arbitrary file 
deletion v ...)
+   TODO: check
+CVE-2024-33809 (PingCAP TiDB v7.5.1 was discovered to contain a buffer 
overflow vulner ...)
+   TODO: check
+CVE-2024-33471 (An issue in the Sensor Settings of AVTECH Room Alert 4E v4.4.0 
allows  ...)
+   TODO: check
+CVE-2024-33470 (An issue in the SMTP Email Settings of AVTECH Room Alert 4E 
v4.4.0 all ...)
+   TODO: check
+CVE-2024-33427 (Buffer Overflow vulnerability in Squid version before v.6.10 
allows a  ...)
+   TODO: check
+CVE-2024-31510 (An issue in Open Quantum Safe liboqs v.10.0 allows a remote 
attacker t ...)
+   TODO: check
+CVE-2024-22588 (Kwik commit 745fd4e2 does not discard unused encryption keys.)
+   TODO: check
+CVE-2023-49575 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
+   TODO: check
+CVE-2023-49574 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
+   TODO: check
+CVE-2023-49573 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
+   TODO: check
+CVE-2023-49572 (A vulnerability has been discovered in VX Search Enterprise 
affecting  ...)
+   TODO: check
+CVE-2023-47710 (IBM Security Guardium 11.4, 11.5, and 12.0 is vulnerable to 
cross-site ...)
+   TODO: check
+CVE-2023-46442 (An infinite loop in the retrieveActiveBody function of Soot 
before v4. ...)
+   TODO: check
+CVE-2023-52880 (In the Linux kernel, the following vulnerability has been 
resolved:  t ...)
- linux 6.6.8-1
[bookworm] - linux 6.1.85-1
[bullseye] - linux 5.10.216-1
NOTE: 
https://git.kernel.org/linus/67c37756898a5a6b2941a13ae7260c89b54e0d88 (6.6-rc1)
-CVE-2021-47572 [net: nexthop: fix null pointer dereference when IPv6 is not 
enabled]
+CVE-2021-47572 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
- linux 5.15.15-1
[bullseye] - linux 5.10.84-1
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/1c743127cc54b112b155f434756bd4b5fa565a99 (5.16-rc3)
-CVE-2021-47571 [staging: rtl8192e: Fix use after free in 
_rtl92e_pci_disconnect()]
+CVE-2021-47571 (In the Linux kernel, the following vulnerability has been 
resolved:  s ...)
- linux 5.15.15-1
[bullseye] - linux 5.10.84-1

[Git][security-tracker-team/security-tracker][master] Drop notes from rejected Linux CVEs

2024-05-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1295d62d by Salvatore Bonaccorso at 2024-05-24T17:47:21+02:00
Drop notes from rejected Linux CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1668,25 +1668,19 @@ CVE-2023-52825 (In the Linux kernel, the following 
vulnerability has been resolv
- linux 6.6.8-1
[bookworm] - linux 6.1.64-1
NOTE: 
https://git.kernel.org/linus/709c348261618da7ed89d6c303e2ceb9e453ba74 (6.7-rc1)
-CVE-2023-52824 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
-   - linux 6.6.8-1
-   [bookworm] - linux 6.1.64-1
-   NOTE: 
https://git.kernel.org/linus/ca0776571d3163bd03b3e8c9e3da936abfaecbf6 (6.7-rc1)
+CVE-2023-52824
+   REJECTED
 CVE-2023-52823
REJECTED
-CVE-2023-52822 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
-   - linux 6.6.8-1
-   [bookworm] - linux 6.1.64-1
-   NOTE: 
https://git.kernel.org/linus/06ab64a0d836ac430c5f94669710a78aa43942cb (6.7-rc1)
+CVE-2023-52822
+   REJECTED
 CVE-2023-52821 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
- linux 6.6.8-1
[bookworm] - linux 6.1.64-1
[bullseye] - linux 5.10.205-1
NOTE: 
https://git.kernel.org/linus/924e5814d1f84e6fa5cb19c6eceb69f066225229 (6.7-rc1)
-CVE-2023-52820 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
-   - linux 6.6.8-1
-   [bookworm] - linux 6.1.64-1
-   NOTE: 
https://git.kernel.org/linus/f37d63e219c39199a59b8b8a211412ff27192830 (6.7-rc1)
+CVE-2023-52820
+   REJECTED
 CVE-2023-52819 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
- linux 6.6.8-1
[bookworm] - linux 6.1.64-1
@@ -2017,10 +2011,8 @@ CVE-2023-52759 (In the Linux kernel, the following 
vulnerability has been resolv
[bullseye] - linux 5.10.205-1
[buster] - linux 4.19.304-1
NOTE: 
https://git.kernel.org/linus/4c6a08125f2249531ec01783a5f4317d7342add5 (6.7-rc1)
-CVE-2023-52758 (In the Linux kernel, the following vulnerability has been 
resolved:  i ...)
-   - linux 6.6.8-1
-   [bookworm] - linux 6.1.64-1
-   NOTE: 
https://git.kernel.org/linus/cc9c54232f04aef3a5d7f64a0ece7df00f1aaa3d (6.7-rc1)
+CVE-2023-52758
+   REJECTED
 CVE-2023-52757 (In the Linux kernel, the following vulnerability has been 
resolved:  s ...)
- linux 6.6.8-1
[bookworm] - linux 6.1.64-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1295d62d4515dd21aa67e8ed9c5535bafb732cb2



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-52880/linux

2024-05-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c4f0f24f by Salvatore Bonaccorso at 2024-05-24T17:45:24+02:00
Add CVE-2023-52880/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,8 @@
+CVE-2023-52880 [tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc]
+   - linux 6.6.8-1
+   [bookworm] - linux 6.1.85-1
+   [bullseye] - linux 5.10.216-1
+   NOTE: 
https://git.kernel.org/linus/67c37756898a5a6b2941a13ae7260c89b54e0d88 (6.6-rc1)
 CVE-2021-47572 [net: nexthop: fix null pointer dereference when IPv6 is not 
enabled]
- linux 5.15.15-1
[bullseye] - linux 5.10.84-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4f0f24f3c093ed5648103fb75fa43b1ba68475d



[Git][security-tracker-team/security-tracker][master] Merge Linux CVEs from kernel-sec

2024-05-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8b2075c by Salvatore Bonaccorso at 2024-05-24T17:33:15+02:00
Merge Linux CVEs from kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,358 @@
+CVE-2021-47572 [net: nexthop: fix null pointer dereference when IPv6 is not 
enabled]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/1c743127cc54b112b155f434756bd4b5fa565a99 (5.16-rc3)
+CVE-2021-47571 [staging: rtl8192e: Fix use after free in 
_rtl92e_pci_disconnect()]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux 4.19.232-1
+   NOTE: 
https://git.kernel.org/linus/b535917c51acc97fb0761b1edec85f1f3d02bda4 (5.16-rc3)
+CVE-2021-47570 [staging: r8188eu: fix a memory leak in rtw_wx_read32()]
+   - linux 5.15.15-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/be4ea8f383551b9dae11b8dfff1f38b3b5436e9a (5.16-rc3)
+CVE-2021-47569 [io_uring: fail cancellation for EXITING tasks]
+   - linux 5.15.15-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/617a89484debcd4e7999796d693cf0b77d2519de (5.16-rc3)
+CVE-2021-47568 [ksmbd: fix memleak in get_file_stream_info()]
+   - linux 5.15.15-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/178ca6f85aa3231094467691f5ea1ff2f398aa8d (5.16-rc3)
+CVE-2021-47567 [powerpc/32: Fix hardlockup on vmap stack overflow]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/5bb60ea611db1e04814426ed4bd1c95d1487678e (5.16-rc3)
+CVE-2021-47566 [proc/vmcore: fix clearing user buffer by properly using 
clear_user()]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux 4.19.232-1
+   NOTE: 
https://git.kernel.org/linus/c1e63117711977cc4295b2ce73de29dd17066c82 (5.16-rc2)
+CVE-2021-47565 [scsi: mpt3sas: Fix kernel panic during drive powercycle test]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux 4.19.232-1
+   NOTE: 
https://git.kernel.org/linus/0ee4ba13e09c9d9c1cb6abb59da8295d9952328b (5.16-rc3)
+CVE-2021-47564 [net: marvell: prestera: fix double free issue on err path]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/e8d032507cb7912baf1d3e0af54516f823befefd (5.16-rc3)
+CVE-2021-47563 [ice: avoid bpf_prog refcount underflow]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/f65ee535df775a13a1046c0a0b2d72db342f8a5b (5.16-rc3)
+CVE-2021-47562 [ice: fix vsi->txq_map sizing]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/792b2086584f25d84081a526beee80d103c2a913 (5.16-rc3)
+CVE-2021-47561 [i2c: virtio: disable timeout handling]
+   - linux 5.15.15-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/84e1d0bf1d7121759622dabf8fbef4c99ad597c5 (5.16-rc3)
+CVE-2021-47560 [mlxsw: spectrum: Protect driver from buggy firmware]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/63b08b1f6834bbb0b4f7783bf63b80c8c8e9a047 (5.16-rc3)
+CVE-2021-47559 [net/smc: Fix NULL pointer dereferencing in smc_vlan_by_tcpsk()]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.84-1
+   NOTE: 
https://git.kernel.org/linus/587acad41f1bc48e16f42bb2aca63bf323380be8 (5.16-rc3)
+CVE-2021-47558 [net: stmmac: Disable Tx queues when reconfiguring the 
interface]
+   - linux 5.15.15-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/b270bfe697367776eca2e6759a71d700fb8d82a2 (5.16-rc3)
+CVE-2021-47557 [net/sched: sch_ets: don't peek at classes beyond 'nbands']
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/de6d25924c2a8c2988c6a385990cafbe742061bf (5.16-rc3)
+CVE-2021-47556 [ethtool: ioctl: fix potential NULL deref in 
ethtool_set_coalesce()]
+   - linux 

[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-52823

2024-05-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b9d5c2a0 by Salvatore Bonaccorso at 2024-05-24T17:17:20+02:00
Remove notes from CVE-2023-52823

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1312,10 +1312,8 @@ CVE-2023-52824 (In the Linux kernel, the following 
vulnerability has been resolv
- linux 6.6.8-1
[bookworm] - linux 6.1.64-1
NOTE: 
https://git.kernel.org/linus/ca0776571d3163bd03b3e8c9e3da936abfaecbf6 (6.7-rc1)
-CVE-2023-52823 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
-   - linux 6.6.8-1
-   [bookworm] - linux 6.1.64-1
-   NOTE: 
https://git.kernel.org/linus/569c8d82f95eb5993c84fb61a649a9c4ddd208b3 (6.7-rc1)
+CVE-2023-52823
+   REJECTED
 CVE-2023-52822 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
- linux 6.6.8-1
[bookworm] - linux 6.1.64-1
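Review bot: the commit message "Remove notes from CVE-2023-52823" does not say why the entry becomes `REJECTED`, and the removed lines carried the only pointer to the upstream fix (569c8d82, 6.7-rc1). The later commit in this digest that collapses CVE-2021-47326 and CVE-2024-35906 the same way is titled "Sync Linux CVE rejections with kernel-sec", which names where the rejection was confirmed; using that wording here, or keeping a one-line NOTE with the rejection reference, would let someone auditing the history see that this was an upstream rejection rather than a local decision.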



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9d5c2a0b6274435794fda7d9d6eb149c8b95d5c



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-5274 in unstable

2024-05-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
95446059 by Salvatore Bonaccorso at 2024-05-24T17:13:38+02:00
Track fixed version for CVE-2024-5274 in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -87,7 +87,7 @@ CVE-2024-0867 (The Email Log plugin for WordPress is 
vulnerable to Unauthenticat
 CVE-2023-7259 (** DISPUTED ** A vulnerability was found in zzdevelop lenosp up 
to 202 ...)
NOT-FOR-US: zzdevelop lenosp
 CVE-2024-5274
-   - chromium 
+   - chromium 125.0.6422.112-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-5264 (Network Transfer with AES KHT in Thales Luna EFT 2.1 and above 
allows  ...)
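Review bot: the unstable fix `chromium 125.0.6422.112-1` is recorded without any NOTE pointing at the upstream release or advisory, whereas the Linux and GStreamer entries elsewhere in this digest cite the fixing commit or issue. A NOTE with the Chrome release reference would make it traceable which upstream build carries the fix. The absence of a [bookworm] line is consistent with the `chromium (dilinger)` entry added to dsa-needed.txt in commit 0218f529, so bookworm correctly stays flagged until the DSA; the bullseye and buster annotations `(see #1061268)` / `(see DSA 5046)` are inherited from earlier chromium entries and point at the bug and advisory under which those releases are handled, not at a fix.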



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95446059e99bf8c6a1240ec05161403933dc4402



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cb4a9746 by security tracker role at 2024-05-24T08:11:53+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,77 @@
+CVE-2024-5299 (D-Link D-View execMonitorScript Exposed Dangerous Method Remote 
Code E ...)
+   TODO: check
+CVE-2024-5298 (D-Link D-View queryDeviceCustomMonitorResult Exposed Dangerous 
Method  ...)
+   TODO: check
+CVE-2024-5297 (D-Link D-View executeWmicCmd Command Injection Remote Code 
Execution V ...)
+   TODO: check
+CVE-2024-5296 (D-Link D-View Use of Hard-coded Cryptographic Key 
Authentication Bypas ...)
+   TODO: check
+CVE-2024-5295 (D-Link G416 flupl self Command Injection Remote Code Execution 
Vulnera ...)
+   TODO: check
+CVE-2024-5294 (D-Link DIR-3040 prog.cgi websSecurityHandler Memory Leak 
Denial-of-Ser ...)
+   TODO: check
+CVE-2024-5293 (D-Link DIR-2640 HTTP Referer Stack-Based Buffer Overflow Remote 
Code E ...)
+   TODO: check
+CVE-2024-5292 (D-Link Network Assistant Uncontrolled Search Path Element Local 
Privil ...)
+   TODO: check
+CVE-2024-5291 (D-Link DIR-2150 GetDeviceSettings Target Command Injection 
Remote Code ...)
+   TODO: check
+CVE-2024-5279 (A vulnerability was found in Qiwen Netdisk up to 1.4.0. It has 
been de ...)
+   TODO: check
+CVE-2024-5247 (NETGEAR ProSAFE Network Management System UpLoadServlet 
Unrestricted F ...)
+   TODO: check
+CVE-2024-5246 (NETGEAR ProSAFE Network Management System Tomcat Remote Code 
Execution ...)
+   TODO: check
+CVE-2024-5245 (NETGEAR ProSAFE Network Management System Default Credentials 
Local Pr ...)
+   TODO: check
+CVE-2024-5244 (TP-Link Omada ER605 Reliance on Security Through Obscurity 
Vulnerabili ...)
+   TODO: check
+CVE-2024-5243 (TP-Link Omada ER605 Buffer Overflow Remote Code Execution 
Vulnerabilit ...)
+   TODO: check
+CVE-2024-5242 (TP-Link Omada ER605 Stack-based Buffer Overflow Remote Code 
Execution  ...)
+   TODO: check
+CVE-2024-5228 (TP-Link Omada ER605  Comexe DDNS Response Handling Heap-based 
Buffer O ...)
+   TODO: check
+CVE-2024-5227 (TP-Link Omada ER605 PPTP VPN username Command Injection Remote 
Code Ex ...)
+   TODO: check
+CVE-2024-5205 (The Videojs HTML5 Player plugin for WordPress is vulnerable to 
Stored  ...)
+   TODO: check
+CVE-2024-5142 (Stored Cross-Site Scripting vulnerability in Social Module in 
M-Files  ...)
+   TODO: check
+CVE-2024-5060 (The LottieFiles \u2013 JSON Based Animation Lottie & Bodymovin 
for Ele ...)
+   TODO: check
+CVE-2024-4544 (The Pie Register - Social Sites Login (Add on) plugin for 
WordPress is ...)
+   TODO: check
+CVE-2024-4485 (The The Plus Addons for Elementor \u2013 Elementor Addons, Page 
Templa ...)
+   TODO: check
+CVE-2024-4484 (The The Plus Addons for Elementor \u2013 Elementor Addons, Page 
Templa ...)
+   TODO: check
+CVE-2024-4409 (The WP-ViperGB plugin for WordPress is vulnerable to Cross-Site 
Reques ...)
+   TODO: check
+CVE-2024-4366 (The Spectra \u2013 WordPress Gutenberg Blocks plugin for 
WordPress is  ...)
+   TODO: check
+CVE-2024-3718 (The The Plus Addons for Elementor plugin for WordPress is 
vulnerable t ...)
+   TODO: check
+CVE-2024-3557 (The WP Go Maps (formerly WP Google Maps) plugin for WordPress 
is vulne ...)
+   TODO: check
+CVE-2024-36361 (Pug through 3.0.2 allows JavaScript code execution if an 
application a ...)
+   TODO: check
+CVE-2024-2784 (The The Plus Addons for Elementor plugin for WordPress is 
vulnerable t ...)
+   TODO: check
+CVE-2024-2618 (The Elementor Header & Footer Builder plugin for WordPress is 
vulnerab ...)
+   TODO: check
+CVE-2024-1376 (The Event post plugin for WordPress is vulnerable to 
unauthorized bulk ...)
+   TODO: check
+CVE-2024-1332 (The Custom Fonts \u2013 Host Your Fonts Locally plugin for 
WordPress i ...)
+   TODO: check
+CVE-2024-1134 (The SEOPress \u2013 On-site SEO plugin for WordPress is 
vulnerable to  ...)
+   TODO: check
+CVE-2024-0893 (The Schema App Structured Data plugin for WordPress is 
vulnerable to u ...)
+   TODO: check
+CVE-2024-0867 (The Email Log plugin for WordPress is vulnerable to 
Unauthenticated Ho ...)
+   TODO: check
+CVE-2023-7259 (** DISPUTED ** A vulnerability was found in zzdevelop lenosp up 
to 202 ...)
+   TODO: check
 CVE-2024-5274
- chromium 
[bullseye] - chromium  (see #1061268)
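Review bot: all 37 entries in this hunk arrive as `TODO: check`, as the automatic import always writes them, but most are triage-obvious from the visible descriptions: the nine D-Link, three NETGEAR and five TP-Link Omada entries are device firmware, and CVE-2024-5205, -4544, -4485, -4484, -4409, -4366, -3718, -3557, -2784, -2618, -1376, -1332, -1134, -0893 and -0867 (plus, by the look of its description, -5060) are WordPress plugins matching the `NOT-FOR-US: WordPress plugin` pattern used by the "Process some NFUs" commits in this digest. The ones that need an actual archive check are CVE-2024-36361 (Pug through 3.0.2, a Node.js template engine that could exist as a node module package), CVE-2024-5142 (M-Files) and CVE-2024-5279 (Qiwen Netdisk); CVE-2023-7259 is marked `** DISPUTED **` and is resolved as `NOT-FOR-US: zzdevelop lenosp` in commit 95446059 above.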
@@ -90230,8 +90304,8 @@ CVE-2023-1113 (A vulnerability was found in 
SourceCodester Simple Payroll System
NOT-FOR-US: SourceCodester Simple Payroll System
 CVE-2023-1112 (A vulnerability was found in Drag and Drop Multiple File Upload 
Contac ...)
NOT-FOR-US: Drag and Drop Multiple File Upload Contact Form
-CVE-2023-
-   RESERVED
+CVE-2023- (A 

[Git][security-tracker-team/security-tracker][master] Add new round of chromium update required

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0218f529 by Salvatore Bonaccorso at 2024-05-24T07:34:05+02:00
Add new round of chromium update required

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2024-5274
+   - chromium 
+   [bullseye] - chromium  (see #1061268)
+   [buster] - chromium  (see DSA 5046)
 CVE-2024-5264 (Network Transfer with AES KHT in Thales Luna EFT 2.1 and above 
allows  ...)
NOT-FOR-US: Thales Luna EFT
 CVE-2024-5258 (An authorization vulnerability exists within GitLab from 
versions 16.1 ...)


=
data/dsa-needed.txt
=
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 cacti
 --
+chromium (dilinger)
+--
 dnsdist (jmm)
 --
 dnsmasq



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0218f529b75e5bba4a9474d5633aca3a220fe7fa



[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-52793

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f4f2aed7 by Salvatore Bonaccorso at 2024-05-24T06:45:39+02:00
Remove notes from CVE-2023-52793

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1377,12 +1377,8 @@ CVE-2023-52794 (In the Linux kernel, the following 
vulnerability has been resolv
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/fae633cfb729da2771b5433f6b84ae7e8b4aa5f7 (6.7-rc1)
-CVE-2023-52793 (In the Linux kernel, the following vulnerability has been 
resolved:  s ...)
-   - linux 6.6.8-1
-   [bookworm] - linux  (Vulnerable code not present)
-   [bullseye] - linux  (Vulnerable code not present)
-   [buster] - linux  (Vulnerable code not present)
-   NOTE: 
https://git.kernel.org/linus/9220c3ef6fefbf18f24aeedb1142a642b3de0596 (6.7-rc1)
+CVE-2023-52793
+   REJECTED
 CVE-2023-52792 (In the Linux kernel, the following vulnerability has been 
resolved:  c ...)
- linux 6.6.8-1
[bookworm] - linux 6.1.64-1
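Review bot: same documentation point as for CVE-2023-52823: "Remove notes from CVE-2023-52793" does not record where the rejection was confirmed, and the removed lines were the only reference to upstream commit 9220c3ef (6.7-rc1). The removed state also shows that nothing in Debian was ever open for this CVE (unstable fixed in 6.6.8-1, all three stable releases `(Vulnerable code not present)`); a one-line NOTE carrying the rejection reference would keep that visible after the entry is collapsed to `REJECTED`.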



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4f2aed7ac2e1cd4bf2118046551f0aa5a0abbcc



[Git][security-tracker-team/security-tracker][master] Add gst-plugins-base1.0 to dsa-needed list

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3dbcdf94 by Salvatore Bonaccorso at 2024-05-23T23:19:53+02:00
Add gst-plugins-base1.0 to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -25,6 +25,8 @@ git
 --
 gpac/oldstable
 --
+gst-plugins-base1.0 (carnil)
+--
 h2o (jmm)
 --
 libreswan (jmm)
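Review bot: `gst-plugins-base1.0 (carnil)` is added without a release qualifier; the file header quoted in the hunk context ("If needed, specify the release by adding a slash after the name of the source pa[ckage]") and the `gpac/oldstable` entry two lines above show the form. The CVE-2024-4453 entry added in commit 635a6b40 of this digest has no [bookworm] or [bullseye] lines, so both stable releases count as affected; if only one of them is meant to get a DSA, add the qualifier here, otherwise the entry is correct as written.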



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dbcdf942be6382a97ae3df453e473b5f44bb5c6



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2024-4453

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f7d9585a by Salvatore Bonaccorso at 2024-05-23T23:18:52+02:00
Update information for CVE-2024-4453

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -253,10 +253,12 @@ CVE-2024-4563 (The Progress MOVEit Automation 
configuration export function prio
 CVE-2024-4454 (WithSecure Elements Endpoint Protection Link Following Local 
Privilege ...)
NOT-FOR-US: WithSecure Elements Endpoint Protection
 CVE-2024-4453 (GStreamer EXIF Metadata Parsing Integer Overflow Remote Code 
Execution ...)
-   - gst-plugins-base1.0 
+   - gst-plugins-base1.0 1.24.3-1
- gst-plugins-base0.10 
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
-   NOTE: Fixed by: 
https://gitlab.freedesktop.org/tpm/gstreamer/-/commit/e68eccff103ab0e91e6d77a892f57131b33902f5
+   NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e68eccff103ab0e91e6d77a892f57131b33902f5
+   NOTE: Backport: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6768
+   NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e33578a3c2b85a68962003bd053abda9409e73a2
 (1.24.3)
 CVE-2024-4362 (The SiteOrigin Widgets Bundle plugin for WordPress is 
vulnerable to St ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4267 (A remote code execution (RCE) vulnerability exists in the 
parisneo/lol ...)
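Review bot: the two `Fixed by:` lines now name different commits and only the second is tagged `(1.24.3)`; tag the first as well (presumably the development-branch commit e68eccff, with e33578a3 being the 1.24 backport from merge request 6768) so a reader does not have to guess which one the packaged 1.24.3-1 contains, or order the lines as "upstream commit, backport MR, backport commit" to make the relationship explicit. Changing the first URL from the `tpm/gstreamer` fork namespace to `gstreamer/gstreamer` is the right fix, since fork URLs are not durable. There are still no [bookworm]/[bullseye] lines, so both stable releases show as affected, which matches the dsa-needed entry added in commit 3dbcdf94.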



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7d9585a4f396b6e19be0064cfccd8d212403672



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-3708/lighttpd

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f7d537a by Salvatore Bonaccorso at 2024-05-23T22:51:32+02:00
Add CVE-2024-3708/lighttpd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -165,7 +165,8 @@ CVE-2024-3917 (The Pet Manager WordPress plugin through 1.4 
does not sanitise an
 CVE-2024-3711 (The Brizy \u2013 Page Builder plugin for WordPress is 
vulnerable to un ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3708 (A condition exists in lighttpd version prior to 1.4.51 whereby 
a remot ...)
-   TODO: check
+   - lighttpd 
+   TODO: check, maybe fixed in 1.4.51, details will be only pubished on 
July 9th, 2024
 CVE-2024-3648 (The ShareThis Share Buttons plugin for WordPress is vulnerable 
to Stor ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3626 (The Email Subscribers by Icegram Express \u2013 Email 
Marketing, Newsl ...)
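Review bot: the TODO line has a typo, `pubished` should be `published`. On substance, the description says the issue affects lighttpd "prior to 1.4.51" and the TODO agrees it is "maybe fixed in 1.4.51", so the right state for the package line depends on whether any supported suite still ships a lighttpd older than 1.4.51: check the archive versions and, if all are newer, record the entry as not affected with a NOTE carrying the July 9th, 2024 disclosure date, rather than leaving an open TODO against the package until the details are public.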



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f7d537a1de2da348450218e59b57179909d7449



[Git][security-tracker-team/security-tracker][master] Add two new issues for gitoxide, itp'ed

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6c097e27 by Salvatore Bonaccorso at 2024-05-23T22:50:59+02:00
Add two new issues for gitoxide, itp'ed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39,9 +39,9 @@ CVE-2024-35223 (Dapr is a portable, event-driven, runtime for 
building distribut
 CVE-2024-35222 (Tauri is a framework for building binaries for all major 
desktop platf ...)
TODO: check
 CVE-2024-35197 (gitoxide is a pure Rust implementation of Git. On Windows, 
fetching re ...)
-   TODO: check
+   - rust-gitoxide  (bug #1043208)
 CVE-2024-35186 (gitoxide is a pure Rust implementation of Git. During 
checkout, `gix-w ...)
-   TODO: check
+   - rust-gitoxide  (bug #1043208)
 CVE-2024-35091 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
NOT-FOR-US: J2EEFAST
 CVE-2024-35090 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
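Review bot: both entries reference the same ITP bug #1043208, which is the right way to track an unpackaged source, but CVE-2024-35197's description, as far as it is visible here ("On Windows, fetching re..."), scopes the issue to Windows. A NOTE recording that would tell whoever finishes the rust-gitoxide packaging that this one may not apply on Debian; nothing in the visible description of CVE-2024-35186 (checkout handling in `gix-w...`) limits it to a platform, so that entry stands as is.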



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c097e273b026ca8fd6fc2d3398019cca7639216



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8a697d4d by Salvatore Bonaccorso at 2024-05-23T22:50:16+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23,15 +23,15 @@ CVE-2024-4575 (The LayerSlider plugin for WordPress is 
vulnerable to Stored Cros
 CVE-2024-4471 (The 140+ Widgets | Best Addons For Elementor \u2013 FREE for 
WordPress ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4378 (The Premium Addons for Elementor plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4365 (The Advanced iFrame plugin for WordPress is vulnerable to 
Stored Cross ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3997 (The Prime Slider \u2013 Addons For Elementor (Revolution of a 
slider,  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-35570 (An arbitrary file upload vulnerability in the component 
\controller\Im ...)
-   TODO: check
+   NOT-FOR-US: inxedu
 CVE-2024-35375 (There is an arbitrary file upload vulnerability on the media 
add .php  ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-35224 (OpenProject is the leading open source project management 
software. Op ...)
TODO: check
 CVE-2024-35223 (Dapr is a portable, event-driven, runtime for building 
distributed app ...)
@@ -43,57 +43,57 @@ CVE-2024-35197 (gitoxide is a pure Rust implementation of 
Git. On Windows, fetch
 CVE-2024-35186 (gitoxide is a pure Rust implementation of Git. During 
checkout, `gix-w ...)
TODO: check
 CVE-2024-35091 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: J2EEFAST
 CVE-2024-35090 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: J2EEFAST
 CVE-2024-35086 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: J2EEFAST
 CVE-2024-35085 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: J2EEFAST
 CVE-2024-35084 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: J2EEFAST
 CVE-2024-35083 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: J2EEFAST
 CVE-2024-35082 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: J2EEFAST
 CVE-2024-35081 (LuckyFrameWeb v3.5.2 was discovered to contain an arbitrary 
file delet ...)
-   TODO: check
+   NOT-FOR-US: LuckyFrameWeb
 CVE-2024-35080 (An arbitrary file upload vulnerability in the gok4 method of 
inxedu v2 ...)
-   TODO: check
+   NOT-FOR-US: inxedu
 CVE-2024-35079 (An arbitrary file upload vulnerability in the uploadAudio 
method of in ...)
-   TODO: check
+   NOT-FOR-US: inxedu
 CVE-2024-34936 (A SQL injection vulnerability in /view/event1.php in Campcodes 
Complet ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-34935 (A SQL injection vulnerability in 
/view/conversation_history_admin.php  ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-34934 (A SQL injection vulnerability in 
/view/emarks_range_grade_update_form. ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-34933 (A SQL injection vulnerability in /model/update_grade.php in 
Campcodes  ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-34932 (A SQL injection vulnerability in /model/update_exam.php in 
Campcodes C ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-34931 (A SQL injection vulnerability in /model/update_subject.php in 
Campcode ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-34930 (A SQL injection vulnerability in /model/all_events1.php in 
Campcodes C ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-34929 (A SQL injection vulnerability in /view/find_friends.php in 
Campcodes C ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-34928 (A SQL injection vulnerability in 
/model/update_subject_routing.php in  ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-34927 (A SQL injection vulnerability in /model/update_classroom.php 
in Campco ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete 

[Git][security-tracker-team/security-tracker][master] Add CVE-2024-4453/gst-plugins-base*

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
635a6b40 by Salvatore Bonaccorso at 2024-05-23T22:38:39+02:00
Add CVE-2024-4453/gst-plugins-base*

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -252,7 +252,10 @@ CVE-2024-4563 (The Progress MOVEit Automation 
configuration export function prio
 CVE-2024-4454 (WithSecure Elements Endpoint Protection Link Following Local 
Privilege ...)
NOT-FOR-US: WithSecure Elements Endpoint Protection
 CVE-2024-4453 (GStreamer EXIF Metadata Parsing Integer Overflow Remote Code 
Execution ...)
-   TODO: check
+   - gst-plugins-base1.0 
+   - gst-plugins-base0.10 
+   NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
+   NOTE: Fixed by: 
https://gitlab.freedesktop.org/tpm/gstreamer/-/commit/e68eccff103ab0e91e6d77a892f57131b33902f5
 CVE-2024-4362 (The SiteOrigin Widgets Bundle plugin for WordPress is 
vulnerable to St ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4267 (A remote code execution (RCE) vulnerability exists in the 
parisneo/lol ...)
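Review bot: the `Fixed by:` reference uses the `tpm/gstreamer` fork namespace (gitlab.freedesktop.org/tpm/gstreamer) rather than the canonical gstreamer/gstreamer project; fork URLs disappear when the fork is deleted, so reference the commit under the upstream project (commit f7d9585a later in this digest does exactly that). Listing gst-plugins-base0.10 alongside 1.0 is right for completeness, but the 0.10 series has been end-of-life upstream for years and will not receive e68eccff, so its line should carry whatever status reflects the source package's presence in the archive rather than read as an open issue awaiting a fix.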



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/635a6b400f6557215328d1353de59b18abd58043



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7487454e by Salvatore Bonaccorso at 2024-05-23T22:33:44+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2024-5264 (Network Transfer with AES KHT in Thales Luna EFT 2.1 and above 
allows  ...)
-   TODO: check
+   NOT-FOR-US: Thales Luna EFT
 CVE-2024-5258 (An authorization vulnerability exists within GitLab from 
versions 16.1 ...)
TODO: check
 CVE-2024-5202 (Arbitrary File Readin OpenText Dimensions RM 
allowsauthenticated users ...)
@@ -11,17 +11,17 @@ CVE-2024-5168 (Improper access control vulnerability in 
Prodys' Quantum Audio co
 CVE-2024-5165 (In Eclipse Ditto versions 3.0.0 to 3.5.5, the user input of 
several in ...)
TODO: check
 CVE-2024-5143 (A user with device administrative privileges can change 
existing SMTP  ...)
-   TODO: check
+   NOT-FOR-US: HP
 CVE-2024-5085 (The Hash Form \u2013 Drag & Drop Form Builder plugin for 
WordPress is  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5084 (The Hash Form \u2013 Drag & Drop Form Builder plugin for 
WordPress is  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4779 (The Unlimited Elements For Elementor (Free Widgets, Addons, 
Templates) ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4575 (The LayerSlider plugin for WordPress is vulnerable to Stored 
Cross-Sit ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4471 (The 140+ Widgets | Best Addons For Elementor \u2013 FREE for 
WordPress ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4378 (The Premium Addons for Elementor plugin for WordPress is 
vulnerable to ...)
TODO: check
 CVE-2024-4365 (The Advanced iFrame plugin for WordPress is vulnerable to 
Stored Cross ...)
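Review bot: `NOT-FOR-US: HP` for CVE-2024-5143 is less specific than the other lines in this hunk, which name the product or plugin class; the visible description ("A user with device administrative privileges can change existing SMTP ...") does not mention HP at all, so a reader cannot tell from the entry which HP product is meant. Name the product line as the other NFU entries do, so the classification can be checked without re-reading the CVE.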



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7487454e30ef95a97c527d8cc49ecb61d5ebced6



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
def2256a by security tracker role at 2024-05-23T20:11:54+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,113 @@
+CVE-2024-5264 (Network Transfer with AES KHT in Thales Luna EFT 2.1 and above 
allows  ...)
+   TODO: check
+CVE-2024-5258 (An authorization vulnerability exists within GitLab from 
versions 16.1 ...)
+   TODO: check
+CVE-2024-5202 (Arbitrary File Readin OpenText Dimensions RM 
allowsauthenticated users ...)
+   TODO: check
+CVE-2024-5201 (Privilege Escalationin OpenText Dimensions RM allows an 
authenticated  ...)
+   TODO: check
+CVE-2024-5168 (Improper access control vulnerability in Prodys' Quantum Audio 
codec a ...)
+   TODO: check
+CVE-2024-5165 (In Eclipse Ditto versions 3.0.0 to 3.5.5, the user input of 
several in ...)
+   TODO: check
+CVE-2024-5143 (A user with device administrative privileges can change 
existing SMTP  ...)
+   TODO: check
+CVE-2024-5085 (The Hash Form \u2013 Drag & Drop Form Builder plugin for 
WordPress is  ...)
+   TODO: check
+CVE-2024-5084 (The Hash Form \u2013 Drag & Drop Form Builder plugin for 
WordPress is  ...)
+   TODO: check
+CVE-2024-4779 (The Unlimited Elements For Elementor (Free Widgets, Addons, 
Templates) ...)
+   TODO: check
+CVE-2024-4575 (The LayerSlider plugin for WordPress is vulnerable to Stored 
Cross-Sit ...)
+   TODO: check
+CVE-2024-4471 (The 140+ Widgets | Best Addons For Elementor \u2013 FREE for 
WordPress ...)
+   TODO: check
+CVE-2024-4378 (The Premium Addons for Elementor plugin for WordPress is 
vulnerable to ...)
+   TODO: check
+CVE-2024-4365 (The Advanced iFrame plugin for WordPress is vulnerable to 
Stored Cross ...)
+   TODO: check
+CVE-2024-3997 (The Prime Slider \u2013 Addons For Elementor (Revolution of a 
slider,  ...)
+   TODO: check
+CVE-2024-35570 (An arbitrary file upload vulnerability in the component 
\controller\Im ...)
+   TODO: check
+CVE-2024-35375 (There is an arbitrary file upload vulnerability on the media 
add .php  ...)
+   TODO: check
+CVE-2024-35224 (OpenProject is the leading open source project management 
software. Op ...)
+   TODO: check
+CVE-2024-35223 (Dapr is a portable, event-driven, runtime for building 
distributed app ...)
+   TODO: check
+CVE-2024-35222 (Tauri is a framework for building binaries for all major 
desktop platf ...)
+   TODO: check
+CVE-2024-35197 (gitoxide is a pure Rust implementation of Git. On Windows, 
fetching re ...)
+   TODO: check
+CVE-2024-35186 (gitoxide is a pure Rust implementation of Git. During 
checkout, `gix-w ...)
+   TODO: check
+CVE-2024-35091 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
+   TODO: check
+CVE-2024-35090 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
+   TODO: check
+CVE-2024-35086 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
+   TODO: check
+CVE-2024-35085 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
+   TODO: check
+CVE-2024-35084 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
+   TODO: check
+CVE-2024-35083 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
+   TODO: check
+CVE-2024-35082 (J2EEFAST v2.7.0 was discovered to contain a SQL injection 
vulnerabilit ...)
+   TODO: check
+CVE-2024-35081 (LuckyFrameWeb v3.5.2 was discovered to contain an arbitrary 
file delet ...)
+   TODO: check
+CVE-2024-35080 (An arbitrary file upload vulnerability in the gok4 method of 
inxedu v2 ...)
+   TODO: check
+CVE-2024-35079 (An arbitrary file upload vulnerability in the uploadAudio 
method of in ...)
+   TODO: check
+CVE-2024-34936 (A SQL injection vulnerability in /view/event1.php in Campcodes 
Complet ...)
+   TODO: check
+CVE-2024-34935 (A SQL injection vulnerability in 
/view/conversation_history_admin.php  ...)
+   TODO: check
+CVE-2024-34934 (A SQL injection vulnerability in 
/view/emarks_range_grade_update_form. ...)
+   TODO: check
+CVE-2024-34933 (A SQL injection vulnerability in /model/update_grade.php in 
Campcodes  ...)
+   TODO: check
+CVE-2024-34932 (A SQL injection vulnerability in /model/update_exam.php in 
Campcodes C ...)
+   TODO: check
+CVE-2024-34931 (A SQL injection vulnerability in /model/update_subject.php in 
Campcode ...)
+   TODO: check
+CVE-2024-34930 (A SQL injection vulnerability in /model/all_events1.php in 
Campcodes C ...)
+   TODO: check
+CVE-2024-34929 (A SQL injection vulnerability in /view/find_friends.php in 
Campcodes C ...)
+   TODO: check
+CVE-2024-34928 (A SQL injection vulnerability in 
/model/update_subject_routing.php in  ...)
+   
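Review bot: CVE-2024-35197 and CVE-2024-35186 (gitoxide) are the only entries in this batch that plausibly touch a Debian source package and should not be left at TODO: check alongside the rest; CVE-2024-35197 is described as Windows-only fetch behaviour, which would normally be recorded as not affecting Debian, while CVE-2024-35186 is in the gix-worktree checkout path and needs a look at whichever source package ships that crate, if any does. The J2EEFAST, LuckyFrameWeb, inxedu and Campcodes entries (CVE-2024-35091 through CVE-2024-34928) are not Debian source packages and can be tagged NOT-FOR-US in one pass, as the "Process some NFUs" commits further down this thread do for the Campcodes IDs.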

[Git][security-tracker-team/security-tracker][master] Sync Linux CVE rejections with kernel-sec

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0280e776 by Salvatore Bonaccorso at 2024-05-23T16:03:16+02:00
Sync Linux CVE rejections with kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2424,10 +2424,8 @@ CVE-2021-47325 (In the Linux kernel, the following 
vulnerability has been resolv
- linux 5.14.6-1
[bullseye] - linux 5.10.70-1
NOTE: 
https://git.kernel.org/linus/7c8f176d6a3fa18aa0f8875da6f7c672ed2a8554 (5.14-rc1)
-CVE-2021-47326 (In the Linux kernel, the following vulnerability has been 
resolved:  x ...)
-   - linux 5.14.6-1
-   [bullseye] - linux 5.10.70-1
-   NOTE: 
https://git.kernel.org/linus/2beb4a53fc3f1081cedc1c1a198c7f56cc4fc60c (5.14-rc1)
+CVE-2021-47326
+   REJECTED
 CVE-2021-47327 (In the Linux kernel, the following vulnerability has been 
resolved:  i ...)
- linux 5.14.6-1
[bullseye] - linux 5.10.70-1
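Review bot: Collapsing CVE-2021-47326 to REJECTED drops the 5.14.6-1 and bullseye 5.10.70-1 fixed versions together with the reference to linus/2beb4a53fc3f, which is the right shape for a rejected entry, but nothing in the file now records which ID the rejected one duplicated. If kernel-sec carries the superseding CVE, a one-line NOTE next to REJECTED would let the fix commit be traced later without going through git history.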
@@ -3277,9 +3275,8 @@ CVE-2024-35907 (In the Linux kernel, the following 
vulnerability has been resolv
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/f7442a634ac06b953fc1f7418f307b25acd4cfbc (6.9-rc2)
-CVE-2024-35906 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
-   - linux 6.8.9-1
-   NOTE: 
https://git.kernel.org/linus/f341055b10bd8be55c3c995dff5f770b236b8ca9 (6.9-rc1)
+CVE-2024-35906
+   REJECTED
 CVE-2024-35905 (In the Linux kernel, the following vulnerability has been 
resolved:  b ...)
- linux 6.8.9-1
[bookworm] - linux 6.1.85-1
@@ -3412,9 +3409,8 @@ CVE-2024-35882 (In the Linux kernel, the following 
vulnerability has been resolv
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/05258a0a69b3c5d2c003f818702c0a52b6fea861 (6.9-rc3)
-CVE-2024-35881 (In the Linux kernel, the following vulnerability has been 
resolved:  R ...)
-   - linux 6.8.9-1
-   NOTE: 
https://git.kernel.org/linus/3a6a32b31a111f6e66526fb2d3cb13a876465076 (6.9-rc1)
+CVE-2024-35881
+   REJECTED
 CVE-2024-35880 (In the Linux kernel, the following vulnerability has been 
resolved:  i ...)
- linux 6.8.9-1
[bookworm] - linux  (Vulnerable code not present)
@@ -3435,11 +3431,8 @@ CVE-2024-35877 (In the Linux kernel, the following 
vulnerability has been resolv
[bookworm] - linux 6.1.85-1
[bullseye] - linux 5.10.216-1
NOTE: 
https://git.kernel.org/linus/04c35ab3bdae7fefbd7c7a7355f29fa03a035221 (6.9-rc3)
-CVE-2024-35876 (In the Linux kernel, the following vulnerability has been 
resolved:  x ...)
-   - linux 6.8.9-1
-   [bookworm] - linux 6.1.85-1
-   [bullseye] - linux 5.10.216-1
-   NOTE: 
https://git.kernel.org/linus/3ddf944b32f88741c303f0b21459dbb3872b8bc5 (6.9-rc3)
+CVE-2024-35876
+   REJECTED
 CVE-2024-35875 (In the Linux kernel, the following vulnerability has been 
resolved:  x ...)
- linux 6.8.9-1
[bookworm] - linux 6.1.85-1
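Review bot: CVE-2024-35876 is the one rejection in this commit that carried fixed versions in stable suites (bookworm 6.1.85-1, bullseye 5.10.216-1) for linus/3ddf944b32f8; before the entry is reduced to REJECTED it is worth confirming that the same commit is referenced from whichever CVE replaces it, otherwise the stable backport of 3ddf944b32f8 is no longer visible from any tracker entry.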
@@ -22642,12 +22635,8 @@ CVE-2024-2883 (Use after free in ANGLE in Google 
Chrome prior to 123.0.6312.86 a
- chromium 123.0.6312.86-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
-CVE-2024-26650 (In the Linux kernel, the following vulnerability has been 
resolved:  p ...)
-   - linux 6.6.15-1
-   [bookworm] - linux 6.1.76-1
-   [bullseye] - linux  (Vulnerable code not present)
-   [buster] - linux  (Vulnerable code not present)
-   NOTE: 
https://git.kernel.org/linus/5913320eb0b3ec88158cfcb0fa5e996bf4ef681b (6.8-rc2)
+CVE-2024-26650
+   REJECTED
 CVE-2024-26649 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
- linux 6.6.15-1
[bookworm] - linux  (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0280e7766c9d98d6e2ff0561dfc2b8814aae4f01



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
09303ea8 by Salvatore Bonaccorso at 2024-05-23T10:53:23+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,67 +1,67 @@
 CVE-2024-5241 (A vulnerability was found in Huashi Private Cloud CDN Live 
Streaming A ...)
-   TODO: check
+   NOT-FOR-US: Huashi Private Cloud CDN Live Streaming Acceleration Server
 CVE-2024-5240 (A vulnerability was found in Campcodes Complete Web-Based 
School Manag ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-5239 (A vulnerability has been found in Campcodes Complete Web-Based 
School  ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-5238 (A vulnerability, which was classified as critical, was found in 
Campco ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-5237 (A vulnerability, which was classified as critical, has been 
found in C ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-5236 (A vulnerability classified as critical was found in Campcodes 
Complete ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-5235 (A vulnerability classified as critical has been found in 
Campcodes Com ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-5234 (A vulnerability was found in Campcodes Complete Web-Based 
School Manag ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-5233 (A vulnerability was found in Campcodes Complete Web-Based 
School Manag ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-5232 (A vulnerability was found in Campcodes Complete Web-Based 
School Manag ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-5231 (A vulnerability was found in Campcodes Complete Web-Based 
School Manag ...)
-   TODO: check
+   NOT-FOR-US: Campcodes Complete Web-Based School Management System
 CVE-2024-5230 (A vulnerability has been found in EnvaySoft FleetCart up to 
4.1.1 and  ...)
-   TODO: check
+   NOT-FOR-US: EnvaySoft FleetCart
 CVE-2024-5177 (The Hash Elements plugin for WordPress is vulnerable to Stored 
Cross-S ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4978 (Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a 
malicious bin ...)
-   TODO: check
+   NOT-FOR-US: Justice AV Solutions Viewer Setup
 CVE-2024-4895 (The wpDataTables \u2013 WordPress Data Table, Dynamic Tables & 
Table C ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4783 (The jQuery T(-) Countdown Widget plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4706 (The WordPress + Microsoft Office 365 / Azure AD | LOGIN plugin 
for Wor ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4662 (The Oxygen Builder plugin for WordPress is vulnerable to Remote 
Code E ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4486 (The Awesome Contact Form7 for Elementor plugin for WordPress is 
vulner ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4431 (The LA-Studio Element Kit for Elementor plugin for WordPress is 
vulner ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4399 (The  does not validate a parameter before making a request to 
it, whic ...)
TODO: check
 CVE-2024-4388 (This  does not validate a path generated with user input when 
download ...)
TODO: check
 CVE-2024-4347 (The WP Fastest Cache plugin for WordPress is vulnerable to 
Directory T ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4043 (The WP Ultimate Post Grid plugin for WordPress is vulnerable to 
Stored ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3920 (The Flattr WordPress plugin through 1.2.2 does not sanitise and 
escape ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3918 (The Pet Manager WordPress plugin through 1.4 does not sanitise 
and esc ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3917 (The Pet Manager WordPress plugin through 1.4 does not sanitise 
and esc ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3711 (The Brizy \u2013 Page Builder plugin for WordPress is 
vulnerable to un ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3708 (A condition exists in lighttpd version prior to 1.4.51 whereby 
a remot 
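Review bot: CVE-2024-4399 and CVE-2024-4388 are correctly left at TODO: check rather than tagged NOT-FOR-US, since the mirrored description has an empty product name ("The  does not validate a parameter", "This  does not validate a path") and the affected product has to be read from the CNA record before either can be triaged. CVE-2024-3708 (lighttpd prior to 1.4.51) also stays at TODO here and, unlike the WordPress plugin entries above it, concerns a packaged source (lighttpd), so it needs a fixed-version line rather than a NOT-FOR-US tag.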

[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2f3b5d6a by security tracker role at 2024-05-23T08:11:52+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,12 +1,106 @@
-CVE-2024-36013 [Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()]
+CVE-2024-5241 (A vulnerability was found in Huashi Private Cloud CDN Live 
Streaming A ...)
+   TODO: check
+CVE-2024-5240 (A vulnerability was found in Campcodes Complete Web-Based 
School Manag ...)
+   TODO: check
+CVE-2024-5239 (A vulnerability has been found in Campcodes Complete Web-Based 
School  ...)
+   TODO: check
+CVE-2024-5238 (A vulnerability, which was classified as critical, was found in 
Campco ...)
+   TODO: check
+CVE-2024-5237 (A vulnerability, which was classified as critical, has been 
found in C ...)
+   TODO: check
+CVE-2024-5236 (A vulnerability classified as critical was found in Campcodes 
Complete ...)
+   TODO: check
+CVE-2024-5235 (A vulnerability classified as critical has been found in 
Campcodes Com ...)
+   TODO: check
+CVE-2024-5234 (A vulnerability was found in Campcodes Complete Web-Based 
School Manag ...)
+   TODO: check
+CVE-2024-5233 (A vulnerability was found in Campcodes Complete Web-Based 
School Manag ...)
+   TODO: check
+CVE-2024-5232 (A vulnerability was found in Campcodes Complete Web-Based 
School Manag ...)
+   TODO: check
+CVE-2024-5231 (A vulnerability was found in Campcodes Complete Web-Based 
School Manag ...)
+   TODO: check
+CVE-2024-5230 (A vulnerability has been found in EnvaySoft FleetCart up to 
4.1.1 and  ...)
+   TODO: check
+CVE-2024-5177 (The Hash Elements plugin for WordPress is vulnerable to Stored 
Cross-S ...)
+   TODO: check
+CVE-2024-4978 (Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a 
malicious bin ...)
+   TODO: check
+CVE-2024-4895 (The wpDataTables \u2013 WordPress Data Table, Dynamic Tables & 
Table C ...)
+   TODO: check
+CVE-2024-4783 (The jQuery T(-) Countdown Widget plugin for WordPress is 
vulnerable to ...)
+   TODO: check
+CVE-2024-4706 (The WordPress + Microsoft Office 365 / Azure AD | LOGIN plugin 
for Wor ...)
+   TODO: check
+CVE-2024-4662 (The Oxygen Builder plugin for WordPress is vulnerable to Remote 
Code E ...)
+   TODO: check
+CVE-2024-4486 (The Awesome Contact Form7 for Elementor plugin for WordPress is 
vulner ...)
+   TODO: check
+CVE-2024-4431 (The LA-Studio Element Kit for Elementor plugin for WordPress is 
vulner ...)
+   TODO: check
+CVE-2024-4399 (The  does not validate a parameter before making a request to 
it, whic ...)
+   TODO: check
+CVE-2024-4388 (This  does not validate a path generated with user input when 
download ...)
+   TODO: check
+CVE-2024-4347 (The WP Fastest Cache plugin for WordPress is vulnerable to 
Directory T ...)
+   TODO: check
+CVE-2024-4043 (The WP Ultimate Post Grid plugin for WordPress is vulnerable to 
Stored ...)
+   TODO: check
+CVE-2024-3920 (The Flattr WordPress plugin through 1.2.2 does not sanitise and 
escape ...)
+   TODO: check
+CVE-2024-3918 (The Pet Manager WordPress plugin through 1.4 does not sanitise 
and esc ...)
+   TODO: check
+CVE-2024-3917 (The Pet Manager WordPress plugin through 1.4 does not sanitise 
and esc ...)
+   TODO: check
+CVE-2024-3711 (The Brizy \u2013 Page Builder plugin for WordPress is 
vulnerable to un ...)
+   TODO: check
+CVE-2024-3708 (A condition exists in lighttpd version prior to 1.4.51 whereby 
a remot ...)
+   TODO: check
+CVE-2024-3648 (The ShareThis Share Buttons plugin for WordPress is vulnerable 
to Stor ...)
+   TODO: check
+CVE-2024-3626 (The Email Subscribers by Icegram Express \u2013 Email 
Marketing, Newsl ...)
+   TODO: check
+CVE-2024-3594 (The IDonate  WordPress plugin through 1.9.0 does not sanitise 
and esca ...)
+   TODO: check
+CVE-2024-3201 (The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to 
Stored ...)
+   TODO: check
+CVE-2024-3065 (The PayPal Pay Now, Buy Now, Donation and Cart Buttons 
Shortcode plugi ...)
+   TODO: check
+CVE-2024-2220 (The Button contact VR WordPress plugin through 4.7 does not 
sanitise a ...)
+   TODO: check
+CVE-2024-2038 (The Visual Website Collaboration, Feedback & Project Management 
\u2013 ...)
+   TODO: check
+CVE-2024-29853 (An authentication bypass vulnerability in Veeam Agent for 
Microsoft Wi ...)
+   TODO: check
+CVE-2024-29852 (Veeam Backup Enterprise Manager allows high-privileged users 
to read b ...)
+   TODO: check
+CVE-2024-29851 (Veeam Backup Enterprise Manager allows high-privileged users 
to steal  ...)
+   TODO: check
+CVE-2024-29850 (Veeam Backup Enterprise Manager allows account takeover via 
NTLM relay ...)
+   TODO: check
+CVE-2024-29849 (Veeam Backup Enterprise 
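Review bot: The hunk opens by removing the hand-written CVE-2024-36013 [Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()] header line added in 4dfb9e97 (see below in this thread), as the automatic update normally swaps a bracketed placeholder title for the published description; since the hunk is cut off here, confirm that the re-added entry further down keeps the "- linux" line and the linus/4d7b41c0e439 NOTE from that commit. The Veeam entries CVE-2024-29849 through CVE-2024-29853 are NOT-FOR-US candidates.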

[Git][security-tracker-team/security-tracker][master] Add three new Linux CVEs from kernel-sec

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4dfb9e97 by Salvatore Bonaccorso at 2024-05-23T09:29:13+02:00
Add three new Linux CVEs from kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,17 @@
+CVE-2024-36013 [Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/4d7b41c0e43995b0e992b9f8903109275744b658 (6.9)
+CVE-2024-36012 [Bluetooth: msft: fix slab-use-after-free in msft_do_close()]
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/10f9f426ac6e752c8d87bf4346930ba347aaabac (6.9)
+CVE-2024-36011 [Bluetooth: HCI: Fix potential null-ptr-deref]
+   - linux 
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/d2706004a1b8b526592e823d7e52551b518a7941 (6.9)
 CVE-2024-1947
- gitlab 
NOTE: 
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
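Review bot: CVE-2024-36013 has a bare "- linux" line with no suite annotations, while CVE-2024-36012 marks bullseye and buster as not affected and CVE-2024-36011 additionally bookworm; if the l2cap_connect() code path predates 5.10 that is correct, but stating it explicitly would keep the entry from looking merely unfinished next to its two siblings. For readers of this rendering: in the tracker's own syntax a package line without a version carries <unfixed>, and a suite line with a reason in parentheses carries <not-affected>; those angle-bracket tokens are missing here, which is why "- linux" lines end in trailing spaces.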



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4dfb9e970152c57c5b74b8043047e1d90842010f



[Git][security-tracker-team/security-tracker][master] Add new gitlab issues

2024-05-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7e04de21 by Salvatore Bonaccorso at 2024-05-23T08:39:25+02:00
Add new gitlab issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,18 @@
+CVE-2024-1947
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
+CVE-2023-6502
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
+CVE-2023-7045
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
+CVE-2024-2874
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
+CVE-2024-4835
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
 CVE-2024-5196 (A vulnerability classified as critical has been found in Arris 
VAP2500 ...)
NOT-FOR-US: Arris VAP2500
 CVE-2024-5195 (A vulnerability was found in Arris VAP2500 08.50. It has been 
rated as ...)
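Review bot: All five gitlab entries are added without a fixed version, so the tracker will list the package as unfixed wherever it exists until one is filled in; the linked release notes are for 17.0.1, so the entries should gain a fixed version once the corresponding Debian upload is known. Two of the IDs (CVE-2023-6502, CVE-2023-7045) are 2023 assignments only now published, so the bare ID lines will pick up descriptions from the next automatic update.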



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e04de211693b610f329e2b47e1a9a5eddba1706



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce7c83bd by Salvatore Bonaccorso at 2024-05-22T22:49:20+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33,65 +33,65 @@ CVE-2024-4153 (A vulnerability in lunary-ai/lunary version 
1.2.2 allows attacker
 CVE-2024-3926 (The Element Pack Elementor Addons (Header Footer, Template 
Library, Dy ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3495 (The Country State City Dropdown CF7 plugin for WordPress is 
vulnerable ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-36077 (Qlik Sense Enterprise for Windows before 14.187.4 allows a 
remote atta ...)
-   TODO: check
+   NOT-FOR-US: Qlik Sense Enterprise for Windows
 CVE-2024-35627 (tileserver-gl up to v4.4.10 was discovered to contain a 
cross-site scr ...)
TODO: check
 CVE-2024-35561 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35560 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35559 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35558 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35557 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35556 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-3 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35554 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35553 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35552 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35551 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35550 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35475 (A Cross-Site Request Forgery (CSRF) vulnerability was 
discovered in Op ...)
TODO: check
 CVE-2024-35409 (WeBid 1.1.2 is vulnerable to SQL Injection via admin/tax.php.)
TODO: check
 CVE-2024-35362 (Ecshop 3.6 is vulnerable to Cross Site Scripting (XSS) via 
ecshop/arti ...)
-   TODO: check
+   NOT-FOR-US: Ecshop
 CVE-2024-34448 (Ghost before 5.82.0 allows CSV Injection during a member CSV 
export.)
-   TODO: check
+   NOT-FOR-US: Ghost CMS
 CVE-2024-33228 (An issue in the component segwindrvx64.sys of Insyde Software 
Corp SEG ...)
-   TODO: check
+   NOT-FOR-US: Insyde
 CVE-2024-33227 (An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC 
v3.7.4.0  ...)
-   TODO: check
+   NOT-FOR-US: Nicomsoft WinI2C/DDC
 CVE-2024-33226 (An issue in the component Access64.sys of Wistron Corporation 
TBT Forc ...)
-   TODO: check
+   NOT-FOR-US: Wistron Corporation TBT Force Power Control
 CVE-2024-33225 (An issue in the component RTKVHD64.sys of Realtek 
Semiconductor Corp R ...)
-   TODO: check
+   NOT-FOR-US: Realtek Semiconductor Corp Realtek High Definition Audio 
Function Driver
 CVE-2024-33224 (An issue in the component rtkio64.sys of Realtek Semiconductor 
Corp Re ...)
-   TODO: check
+   NOT-FOR-US: Realtek Semiconductor Corp Realtek lO Driver
 CVE-2024-33223 (An issue in the component IOMap64.sys of ASUSTeK Computer Inc 
ASUS GPU ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-33222 (An issue in the component ATSZIO64.sys of ASUSTeK Computer Inc 
ASUS AT ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-33221 (An issue in the component AsusBSItf.sys of ASUSTeK Computer 
Inc ASUS B ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-33220 (An issue in the component AslO3_64.sys of ASUSTeK Computer Inc 
AISuite ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-33219 (An issue in the component AsIO64.sys of ASUSTeK Computer Inc 
ASUS SABE ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-33218 (An issue in the component AsUpIO64.sys of ASUSTeK Computer Inc 
ASUS US ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-31904 (IBM App Connect Enterprise 11.0.0.1 through 11.0.0.25 and 
12.0.1.0 thr ...)
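Review bot: The ID rendered as CVE-2024-3 between CVE-2024-35556 and CVE-2024-35554 should be CVE-2024-35555 judging by its neighbours; if data/CVE/list really contains "CVE-2024-3" on that line, the entry is broken and needs fixing. The NOT-FOR-US label for CVE-2024-33224 reads "Realtek lO Driver" (lowercase L) where "IO Driver" is meant. Of the entries left at TODO: check, CVE-2024-35627 (tileserver-gl) and CVE-2024-35409 (WeBid) are not Debian source packages and look like further NOT-FOR-US candidates.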

[Git][security-tracker-team/security-tracker][master] 2 commits: Revert "Reference fix for CVE-2024-4068/node-braces"

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
92ff20ed by Salvatore Bonaccorso at 2024-05-22T22:40:14+02:00
Revert "Reference fix for CVE-2024-4068/node-braces"

This reverts commit ceeb6abf3bc08c2c81e86de151967575d3014f5a.

For now revert this reference. It is not fully clear following upstream
issue #35.

- - - - -
28e43f48 by Salvatore Bonaccorso at 2024-05-22T22:44:35+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,37 +1,37 @@
 CVE-2024-5196 (A vulnerability classified as critical has been found in Arris 
VAP2500 ...)
-   TODO: check
+   NOT-FOR-US: Arris VAP2500
 CVE-2024-5195 (A vulnerability was found in Arris VAP2500 08.50. It has been 
rated as ...)
-   TODO: check
+   NOT-FOR-US: Arris VAP2500
 CVE-2024-5194 (A vulnerability was found in Arris VAP2500 08.50. It has been 
declared ...)
-   TODO: check
+   NOT-FOR-US: Arris VAP2500
 CVE-2024-5193 (A vulnerability was found in Ritlabs TinyWeb Server 1.94. It 
has been  ...)
-   TODO: check
+   NOT-FOR-US: Ritlabs TinyWeb Server
 CVE-2024-5166 (An Insecure Direct Object Reference in Google Cloud's Looker 
allowed m ...)
TODO: check
 CVE-2024-5031 (The Memberpress plugin for WordPress is vulnerable to Blind 
Server-Sid ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5025 (The Memberpress plugin for WordPress is vulnerable to Stored 
Cross-Sit ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4896 (The WPB Elementor Addons plugin for WordPress is vulnerable to 
Stored  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4563 (The Progress MOVEit Automation configuration export function 
prior to  ...)
-   TODO: check
+   NOT-FOR-US: Progress MOVEit
 CVE-2024-4454 (WithSecure Elements Endpoint Protection Link Following Local 
Privilege ...)
-   TODO: check
+   NOT-FOR-US: WithSecure Elements Endpoint Protection
 CVE-2024-4453 (GStreamer EXIF Metadata Parsing Integer Overflow Remote Code 
Execution ...)
TODO: check
 CVE-2024-4362 (The SiteOrigin Widgets Bundle plugin for WordPress is 
vulnerable to St ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4267 (A remote code execution (RCE) vulnerability exists in the 
parisneo/lol ...)
-   TODO: check
+   NOT-FOR-US: parisneo/lollms-webui
 CVE-2024-4262 (The Piotnet Addons For Elementor plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4261 (The Responsive Contact Form Builder & Lead Generation Plugin 
plugin fo ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4153 (A vulnerability in lunary-ai/lunary version 1.2.2 allows 
attackers to  ...)
-   TODO: check
+   NOT-FOR-US: lunary-ai/lunary
 CVE-2024-3926 (The Element Pack Elementor Addons (Header Footer, Template 
Library, Dy ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3495 (The Country State City Dropdown CF7 plugin for WordPress is 
vulnerable ...)
TODO: check
 CVE-2024-36077 (Qlik Sense Enterprise for Windows before 14.187.4 allows a 
remote atta ...)
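Review bot: CVE-2024-4453 (GStreamer EXIF metadata parsing integer overflow) is left at TODO: check in a batch that otherwise only tags proprietary products and WordPress plugins; the GStreamer plugin sources are Debian source packages, so this one needs fixed versions and an upstream reference rather than NFU processing. CVE-2024-5166 (Google Cloud Looker) and CVE-2024-3495 (Country State City Dropdown CF7 plugin) are also still TODO and look like straightforward NOT-FOR-US, the latter being handled in ce7c83bd above.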
@@ -6062,7 +6062,6 @@ CVE-2024-4068 (The NPM package `braces`, versions prior 
to 3.0.3, fails to limit
[bullseye] - node-braces  (Minor issue)
[buster] - node-braces  (Minor issue)
NOTE: https://github.com/micromatch/braces/issues/35
-   NOTE: Fixed by: 
https://github.com/micromatch/braces/commit/9f5b4cf47329351bcb64287223ffb6ecc9a5e6d3
 (3.0.3)
 CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular 
Expression Denia ...)
- node-micromatch  (bug #1071631)
[bookworm] - node-micromatch  (Minor issue)
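Review bot: Dropping the "Fixed by:" line leaves only the issues/35 link on CVE-2024-4068, so nothing on the entry now records why 9f5b4cf4 (3.0.3) is not accepted as the fix; a short NOTE saying the upstream fix status is unclear per issue #35 would stop the reference being re-added from the upstream changelog by the next person who triages this.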



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c3cd6eea96a9394cdebf3d0676b09441fb9b757b...28e43f48d5033bc8741d5dc9fe7e923925be27b4



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c3cd6eea by Salvatore Bonaccorso at 2024-05-22T22:30:19+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -93,13 +93,13 @@ CVE-2024-33219 (An issue in the component AsIO64.sys of 
ASUSTeK Computer Inc ASU
 CVE-2024-33218 (An issue in the component AsUpIO64.sys of ASUSTeK Computer Inc 
ASUS US ...)
TODO: check
 CVE-2024-31904 (IBM App Connect Enterprise 11.0.0.1 through 11.0.0.25 and 
12.0.1.0 thr ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-31895 (IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could 
allow an a ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-31894 (IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could 
allow an a ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-31893 (IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could 
allow an a ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-31617 (OpenLiteSpeed before 1.8.1 mishandles chunked encoding.)
TODO: check
 CVE-2024-2036 (The ApplyOnline \u2013 Application Form Builder and Manager 
plugin for ...)
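Review bot: CVE-2024-31617 (OpenLiteSpeed before 1.8.1 mishandles chunked encoding) stays at TODO: check while the four IBM App Connect entries are tagged; openlitespeed is not a Debian source package, so it can be processed as NOT-FOR-US in the same pass.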
@@ -109,7 +109,7 @@ CVE-2024-29421 (xmedcon 0.23.0 and fixed in v.0.24.0 is 
vulnerable to Buffer Ove
 CVE-2024-29392 (Silverpeas Core 6.3 is vulnerable to Cross Site Scripting 
(XSS) via Cl ...)
TODO: check
 CVE-2024-27264 (IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 could allow 
a local ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-25738 (A Server-Side Request Forgery (SSRF) vulnerability in the 
/Upgrade/Fix ...)
TODO: check
 CVE-2024-25737 (A Server-Side Request Forgery (SSRF) vulnerability in the 
/Cover/Show  ...)
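Review bot: CVE-2024-29421 (xmedcon 0.23.0, buffer overflow, fixed in 0.24.0) sits in this hunk's context and should not be swept up with the NFU batch: xmedcon is a Debian source package, so it needs a fixed-version line, not a NOT-FOR-US tag. The two SSRF entries CVE-2024-25738 and CVE-2024-25737 remain TODO: check with the product name cut off in the mirrored description, which can only be resolved against the full CVE record.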



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3cd6eea96a9394cdebf3d0676b09441fb9b757b



[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-4642

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
753ce9f1 by Salvatore Bonaccorso at 2024-05-22T22:26:31+02:00
Remove notes from CVE-2024-4642

CVE got rejected by the assigning CNA (but without specific reason
mentioned).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4917,7 +4917,6 @@ CVE-2024-4733 (The ShiftController Employee Shift 
Scheduling plugin is vulnerabl
NOT-FOR-US: WordPress plugin
 CVE-2024-4642
REJECTED
-   NOT-FOR-US: wandb
 CVE-2024-4635 (The Menu Icons by ThemeIsle plugin for WordPress is vulnerable 
to Stor ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4634 (The Elementor Header & Footer Builder plugin for WordPress is 
vulnerab ...)
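Review bot: With the "NOT-FOR-US: wandb" line gone, CVE-2024-4642 is a bare REJECTED entry and the commit message is the only record that the CNA gave no reason; since a rejection without a stated reason can be reversed, keeping a NOTE on the entry that names wandb and points at the rejection would preserve the association if the ID is reinstated.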



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/753ce9f1aa7db7499b940476bf6e37b20cdbd0e5



[Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2024-4068/node-braces

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ceeb6abf by Salvatore Bonaccorso at 2024-05-22T22:24:10+02:00
Reference fix for CVE-2024-4068/node-braces

Note this is in upstream 3.0.3. Checking 3.0.3+~3.0.4-1 though the code
is not included. What is 3.0.3+~3.0.4 referring to? This needs
double-checking to see if the issue was fixed in the last upload to
unstable.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6063,6 +6063,7 @@ CVE-2024-4068 (The NPM package `braces`, versions prior 
to 3.0.3, fails to limit
[bullseye] - node-braces  (Minor issue)
[buster] - node-braces  (Minor issue)
NOTE: https://github.com/micromatch/braces/issues/35
+   NOTE: Fixed by: 
https://github.com/micromatch/braces/commit/9f5b4cf47329351bcb64287223ffb6ecc9a5e6d3
 (3.0.3)
 CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular 
Expression Denia ...)
- node-micromatch  (bug #1071631)
[bookworm] - node-micromatch  (Minor issue)
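Review bot: the commit message records an open question (whether the 3.0.3 fix is actually contained in the 3.0.3+~3.0.4-1 upload, given that the code "is not included"), but the hunk only adds the upstream fix reference, so the doubt is invisible to anyone reading data/CVE/list rather than the git log. Consider adding a `TODO: check whether 3.0.3+~3.0.4-1 contains the 3.0.3 fix` line under the new NOTE, or hold off on stating a fixed version until the unstable package has been verified.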



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceeb6abf3bc08c2c81e86de151967575d3014f5a



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3dd5fc42 by security tracker role at 2024-05-22T20:12:09+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,138 @@
-CVE-2024-36010 [igb: Fix string truncation warnings in igb_set_fw_version]
+CVE-2024-5196 (A vulnerability classified as critical has been found in Arris 
VAP2500 ...)
+   TODO: check
+CVE-2024-5195 (A vulnerability was found in Arris VAP2500 08.50. It has been 
rated as ...)
+   TODO: check
+CVE-2024-5194 (A vulnerability was found in Arris VAP2500 08.50. It has been 
declared ...)
+   TODO: check
+CVE-2024-5193 (A vulnerability was found in Ritlabs TinyWeb Server 1.94. It 
has been  ...)
+   TODO: check
+CVE-2024-5166 (An Insecure Direct Object Reference in Google Cloud's Looker 
allowed m ...)
+   TODO: check
+CVE-2024-5031 (The Memberpress plugin for WordPress is vulnerable to Blind 
Server-Sid ...)
+   TODO: check
+CVE-2024-5025 (The Memberpress plugin for WordPress is vulnerable to Stored 
Cross-Sit ...)
+   TODO: check
+CVE-2024-4896 (The WPB Elementor Addons plugin for WordPress is vulnerable to 
Stored  ...)
+   TODO: check
+CVE-2024-4563 (The Progress MOVEit Automation configuration export function 
prior to  ...)
+   TODO: check
+CVE-2024-4454 (WithSecure Elements Endpoint Protection Link Following Local 
Privilege ...)
+   TODO: check
+CVE-2024-4453 (GStreamer EXIF Metadata Parsing Integer Overflow Remote Code 
Execution ...)
+   TODO: check
+CVE-2024-4362 (The SiteOrigin Widgets Bundle plugin for WordPress is 
vulnerable to St ...)
+   TODO: check
+CVE-2024-4267 (A remote code execution (RCE) vulnerability exists in the 
parisneo/lol ...)
+   TODO: check
+CVE-2024-4262 (The Piotnet Addons For Elementor plugin for WordPress is 
vulnerable to ...)
+   TODO: check
+CVE-2024-4261 (The Responsive Contact Form Builder & Lead Generation Plugin 
plugin fo ...)
+   TODO: check
+CVE-2024-4153 (A vulnerability in lunary-ai/lunary version 1.2.2 allows 
attackers to  ...)
+   TODO: check
+CVE-2024-3926 (The Element Pack Elementor Addons (Header Footer, Template 
Library, Dy ...)
+   TODO: check
+CVE-2024-3495 (The Country State City Dropdown CF7 plugin for WordPress is 
vulnerable ...)
+   TODO: check
+CVE-2024-36077 (Qlik Sense Enterprise for Windows before 14.187.4 allows a 
remote atta ...)
+   TODO: check
+CVE-2024-35627 (tileserver-gl up to v4.4.10 was discovered to contain a 
cross-site scr ...)
+   TODO: check
+CVE-2024-35561 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35560 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35559 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35558 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35557 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35556 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-3 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35554 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35553 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35552 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35551 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35550 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35475 (A Cross-Site Request Forgery (CSRF) vulnerability was 
discovered in Op ...)
+   TODO: check
+CVE-2024-35409 (WeBid 1.1.2 is vulnerable to SQL Injection via admin/tax.php.)
+   TODO: check
+CVE-2024-35362 (Ecshop 3.6 is vulnerable to Cross Site Scripting (XSS) via 
ecshop/arti ...)
+   TODO: check
+CVE-2024-34448 (Ghost before 5.82.0 allows CSV Injection during a member CSV 
export.)
+   TODO: check
+CVE-2024-33228 (An issue in the component segwindrvx64.sys of Insyde Software 
Corp SEG ...)
+   TODO: check
+CVE-2024-33227 (An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC 
v3.7.4.0  ...)
+   TODO: check
+CVE-2024-33226 (An issue in the component Access64.sys of Wistron Corporation 
TBT Forc ...)
+   TODO: check
+CVE-2024-33225 (An issue in the component RTKVHD64.sys of Realtek 
Semiconductor Corp R ...)
+   TODO: check
+CVE-2024-33224 (An issue in the component 
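Review bot: the first line of this hunk deletes the hand-written CVE-2024-36010 entry (added with its linux package status, three suite annotations and kernel.org reference in the 16:15 commit further down this page), and the visible part of the hunk does not add it back; the hunk is cut off here at the CVE-2024-33224 line, so confirm that the entry was re-inserted lower in the file with its annotations intact rather than reduced to a bare `TODO: check` stub like the other new entries. Separately, the line rendered as `+CVE-2024-3 (idccms v1.35 ...)` between CVE-2024-35556 and CVE-2024-35554 carries a truncated identifier; verify the committed list line has the full ID.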

[Git][security-tracker-team/security-tracker][master] Add CVE-2024-36010/linux

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
56d06d90 by Salvatore Bonaccorso at 2024-05-22T16:15:50+02:00
Add CVE-2024-36010/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2024-36010 [igb: Fix string truncation warnings in igb_set_fw_version]
+   - linux 6.8.9-1
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/c56d055893cbe97848611855d1c97d0ab171eccc (6.8-rc5)
 CVE-2024- [Fix cross-site scripting (XSS) vulnerability in handling SVG 
animate attributes]
- roundcube 1.6.7+dfsg-1 (bug #1071474)
NOTE: 
https://github.com/roundcube/roundcubemail/commit/ba252dc5e2946506cb8d0b50b2b7bf95ab51876f
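Review bot: bookworm, bullseye and buster are all annotated `Vulnerable code not present`, but the only reference in the entry is the fixing commit (6.8-rc5); nothing points at the change that introduced the affected code in igb_set_fw_version, so the "not present" claim cannot be checked from the entry alone. Consider adding the introducing commit (the Fixes: tag of the referenced commit, if it carries one) as a second NOTE line, which is what makes the three suite annotations auditable later.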



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56d06d909d0f477fed3534b2df72e836f1e37652


