[Git][security-tracker-team/security-tracker][master] 5 commits: mark CVE-2023-36675 as not-affected for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 52b88c21 by Thorsten Alteholz at 2023-07-01T23:52:51+02:00 mark CVE-2023-36675 as not-affected for Buster - - - - - 39800307 by Thorsten Alteholz at 2023-07-01T23:58:37+02:00 add mediawiki - - - - - 315f6018 by Thorsten Alteholz at 2023-07-01T23:59:12+02:00 update note - - - - - 573a8110 by Thorsten Alteholz at 2023-07-02T00:05:14+02:00 mark CVE-2023-25515 and CVE-2023-25516 as postponed for Buster - - - - - 4846fbed by Thorsten Alteholz at 2023-07-02T00:13:22+02:00 mark CVE-2023-36464 as not-affected for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -411,6 +411,7 @@ CVE-2023-36464 (pypdf is an open source, pure-python PDF library. In affected ve - pypdf2 [bookworm] - pypdf2 (Minor issue) [bullseye] - pypdf2 (Minor issue) + [buster] - pypdf2 (Vulnerable code not present) NOTE: https://github.com/py-pdf/pypdf/pull/969 NOTE: https://github.com/py-pdf/pypdf/pull/1828 NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-4vvm-4w3v-6mr8 @@ -663,6 +664,7 @@ CVE-2023-2992 (An unauthenticated denial of service vulnerability exists in the NOT-FOR-US: Lenovo CVE-2023-36675 (An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1. ...) - mediawiki 1:1.39.4-1 + [buster] - mediawiki (partial blocking was introduced in 1.33) NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/921452 NOTE: https://phabricator.wikimedia.org/T332889 CVE-2023-3 (INEX IXP-Manager before 6.3.1 allows XSS. list-preamble.foil.php, page ...) 
@@ -23511,10 +23513,12 @@ CVE-2023-25516 [bullseye] - nvidia-graphics-drivers-tesla-418 (Non-free not supported) - nvidia-graphics-drivers-legacy-390xx (bug #1039680) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) + [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1039679) - nvidia-graphics-drivers (bug #1039678) [bookworm] - nvidia-graphics-drivers (Non-free not supported) [bullseye] - nvidia-graphics-drivers (Non-free not supported) + [buster] - nvidia-graphics-drivers (Minor issue, revisit when/if fixed upstream) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5468 CVE-2023-25515 (NVIDIA Jetson contains a vulnerability in CBoot, where the PCIe contro ...) - nvidia-open-gpu-kernel-modules (bug #1039686) @@ -23533,10 +23537,12 @@ CVE-2023-25515 (NVIDIA Jetson contains a vulnerability in CBoot, where the PCIe [bullseye] - nvidia-graphics-drivers-tesla-418 (Non-free not supported) - nvidia-graphics-drivers-legacy-390xx (bug #1039680) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) + [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1039679) - nvidia-graphics-drivers (bug #1039678) [bookworm] - nvidia-graphics-drivers (Non-free not supported) [bullseye] - nvidia-graphics-drivers (Non-free not supported) + [buster] - nvidia-graphics-drivers (Minor issue, revisit when/if fixed upstream) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5468 CVE-2023-25514 (NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in ...) - nvidia-cuda-toolkit (unimportant; bug #1034793; bug #1034799) = data/dla-needed.txt = 
@@ -114,6 +114,9 @@ libusrsctp (rouca) linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- +mediawiki + NOTE: 20230701: Added by Front-Desk (ta) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression @@ -194,7 +197,7 @@ renderdoc ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package - NOTE: 20230619: testing package, not all tests pass yet + NOTE: 20230701: testing package, not all tests pass yet -- ruby-doorkeeper (Chris Lamb) NOTE: 20230618: Added by Front-Desk (opal) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e8710c44c760f6e9ac50f440a766ba2fa66a4830...4846fbeda02c36bfe2c3e744ecfc3c0042159246 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e8710c44c760f6e9ac50f440a766ba2fa66a4830...4846fbeda02c36bfe2c3e744ecfc3c0042159246 You're receiving this email because of your account on salsa.debian.org
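Review bot: in the CVE-2023-36464 hunk the new line reads `[buster] - pypdf2 (Vulnerable code not present)` with nothing between the package name and the reason, yet the commit message says the issue was marked not-affected; in data/CVE/list that status is carried by the `<not-affected>` keyword, e.g. `[buster] - pypdf2 <not-affected> (Vulnerable code not present)`. The same gap appears on every `[buster]` line in this push and on the pre-existing `[bookworm]`/`[bullseye]` lines, which suggests the mail rendering dropped the angle-bracket keywords rather than the commit omitting them; still worth confirming against the commit on salsa, since a line with neither version nor keyword reads as a plain unfixed entry.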
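Review bot: the reason on the new CVE-2023-36675 line, `(partial blocking was introduced in 1.33)`, states a fact about upstream but not the conclusion drawn from it, so a reader of the buster entry has to work out for themselves why that makes the package not affected. Suggest the tracker's usual wording with the detail appended, e.g. `[buster] - mediawiki <not-affected> (Vulnerable code not present; partial blocking was introduced in 1.33)`, so the entry is self-explanatory next to the T332889 note.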
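Review bot: in the two identical hunks for CVE-2023-25516 and CVE-2023-25515 the commit message says both were marked postponed for buster, but the two added lines carry different dispositions: `[buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported)` is the wording used for ignored entries (it matches the existing `[bullseye]` line for that package), while `[buster] - nvidia-graphics-drivers (Minor issue, revisit when/if fixed upstream)` is a postponed reason. Either the commit message or the legacy-390xx line should say which it is, and as elsewhere in this mail the status keyword itself (`<postponed>` or `<ignored>`) is not visible on the lines, so check the committed text.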
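Review bot: the new `mediawiki` entry in data/dla-needed.txt records only `Added by Front-Desk (ta)` and does not say which CVEs the DLA is expected to cover. Since the same push marks CVE-2023-36675 as not affecting buster, and CVE-2023-29141 already carries `[buster] - mediawiki (Minor issue)`, a NOTE naming the remaining open ids (CVE-2023-36674 has no buster line at all) would save the next claimant a re-triage. The `ring` change only bumps the note date from 20230619 to 20230701 with unchanged text, which works as a heartbeat but adds nothing about which tests still fail.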
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-33201/bouncycastle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e8710c44 by Salvatore Bonaccorso at 2023-07-01T21:08:24+02:00 Add Debian bug reference for CVE-2023-33201/bouncycastle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4493,7 +4493,7 @@ CVE-2023-33203 (The Linux kernel before 6.2.9 has a race condition and resultant [buster] - linux 4.19.282-1 NOTE: https://git.kernel.org/linus/6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 (6.3-rc4) CVE-2023-33201 [potential blind LDAP injection attack using a self-signed certificate] - - bouncycastle + - bouncycastle (bug #1040050) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33201 CVE-2023-31729 (TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection.) NOT-FOR-US: TOTOLINK View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8710c44c760f6e9ac50f440a766ba2fa66a4830 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8710c44c760f6e9ac50f440a766ba2fa66a4830 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
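Review bot: the bouncycastle line still has no fixed version and no per-release status; `- bouncycastle (bug #1040050)` is the whole entry (with the `<unfixed>` keyword presumably stripped by the rendering), so the only new information is the bug number. If the upstream wiki page linked in the NOTE names the release that contains the fix, recording it in a NOTE would let the bookworm/bullseye/buster triage be done without re-reading the advisory.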
[Git][security-tracker-team/security-tracker][master] Add two new gradle CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7dd03cd2 by Salvatore Bonaccorso at 2023-07-01T21:07:30+02:00 Add two new gradle CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -19,9 +19,15 @@ CVE-2023-36812 (OpenTSDB is a open source, distributed, scalable Time Series Dat CVE-2023-36144 (An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1. ...) NOT-FOR-US: Intelbras CVE-2023-35947 (Gradle is a build tool with a focus on build automation and support fo ...) - TODO: check + - gradle + NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842 + NOTE: https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879 (v8.2.0-RC3) + NOTE: https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91 (v8.2.0-RC3) CVE-2023-35946 (Gradle is a build tool with a focus on build automation and support fo ...) - TODO: check + - gradle + NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v + NOTE: https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d (v8.2.0-RC3) + NOTE: https://github.com/gradle/gradle/commit/b07e528feb3a5ffa66bdcc358549edd73e4c8a12 (v8.2.0-RC3) CVE-2023-33298 (com.perimeter81.osx.HelperTool in Perimeter81 10.0.0.19 on macOS allow ...) NOT-FOR-US: Perimeter81 CVE-2023-31997 (UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi N ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dd03cd222b142335cccdb9aafbbf06cb5cda28a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dd03cd222b142335cccdb9aafbbf06cb5cda28a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
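Review bot: both gradle entries replace `TODO: check` with a bare `- gradle` plus upstream references, but neither carries a Debian bug reference nor any `[bookworm]`/`[bullseye]`/`[buster]` assessment, and the fixing commits are tagged `(v8.2.0-RC3)`. Before stable lines are added, confirm that the packaged gradle version actually contains the code paths described in GHSA-84mw-qh6q-v842 and GHSA-2h6c-rv6q-494v, and file a bug so the `(bug #...)` reference can be attached as was done for bouncycastle in commit e8710c44.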
[Git][security-tracker-team/security-tracker][master] Track fixed version for two linux CVEs via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4857a006 by Salvatore Bonaccorso at 2023-07-01T20:32:17+02:00 Track fixed version for two linux CVEs via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -336,7 +336,7 @@ CVE-2023-3439 (A flaw was found in the MCTP protocol in the Linux kernel. The fu [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/b561275d633bcd8e0e8055ab86f1a13df75a0269 (5.18-rc5) CVE-2023-3390 (A use-after-free vulnerability was found in the Linux kernel's netfilt ...) - - linux + - linux 6.3.11-1 NOTE: https://git.kernel.org/linus/1240eb93f0616b21c675416516ff3d74798fdc97 (6.4-rc7) NOTE: https://kernel.dance/#1240eb93f0616b21c675416516ff3d74798fdc97 CVE-2023-3389 (A use-after-free vulnerability in the Linux Kernel io_uring subsystem ...) 
@@ -7333,7 +7333,7 @@ CVE-2023-2157 (A heap-based buffer overflow vulnerability was found in the Image NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/9a9896fce95d09e5e47b86baccbe1ce1a2fca76b (7.1.1-7) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/7e4c992f148afc5b28111e540921d5b6e4e38673 (6.9.12-85) CVE-2023-2156 (A flaw was found in the networking subsystem of the Linux kernel withi ...) - - linux + - linux 6.3.11-1 [buster] - linux (Vulnerable code not present) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-547/ NOTE: https://www.interruptlabs.co.uk//articles/linux-ipv6-route-of-death View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4857a006b2c5418115240d23d1a5c629c292fa06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4857a006b2c5418115240d23d1a5c629c292fa06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
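Review bot: CVE-2023-3390 now records `- linux 6.3.11-1` as the fix via unstable, but the entry shows no `[bookworm]`/`[bullseye]`/`[buster]` lines in the hunk (contrast CVE-2023-2156, which at least carries `[buster] - linux (Vulnerable code not present)`), and the upstream fix landed in 6.4-rc7, so the status of the stable kernels is still open. Also, CVE-2023-3117 is flagged in the same file as a probable duplicate of CVE-2023-3390 (commit 8d8528a2); once that is settled the two entries should reference each other so the fixed version is not tracked twice.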
[Git][security-tracker-team/security-tracker][master] texlive-bin fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 143de8c1 by Moritz Muehlenhoff at 2023-07-01T20:17:08+02:00 texlive-bin fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5195,7 +5195,7 @@ CVE-2023-2454 (schema_element defeats protective search_path changes; It was fou NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=23cb8eaeb97df350273cb8902e55842a955339c8 (REL_11_20) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=766e061404c2159dccebad4d19e496d8ced8b2c4 (REL_11_20) CVE-2023-32668 (LuaTeX before 1.17.0 allows a document (compiled with the default sett ...) - - texlive-bin (bug #1036470) + - texlive-bin 2022.20220321.62855-6 (bug #1036470) [bookworm] - texlive-bin (Minor issue) [bullseye] - texlive-bin (Minor issue) [buster] - texlive-bin (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/143de8c1324fef8b6898ba2e75c08d3de3dd451f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/143de8c1324fef8b6898ba2e75c08d3de3dd451f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
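Review bot: the fix for CVE-2023-32668 is recorded as `texlive-bin 2022.20220321.62855-6`, a Debian revision bump rather than a new upstream, which implies a standalone patch was applied; with all three of `[bookworm]`, `[bullseye]` and `[buster]` sitting at `(Minor issue)`, a NOTE pointing at that patch (or the upstream LuaTeX 1.17.0 change) would let a point-release update pick it up without re-deriving it.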
[Git][security-tracker-team/security-tracker][master] gst-plugins-bad fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c64470a6 by Moritz Muehlenhoff at 2023-07-01T20:16:10+02:00 gst-plugins-bad fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -261,7 +261,7 @@ CVE-2023-33277 (The web interface of Gira Giersiepen Gira KNX/IP-Router 3.1.3683 CVE-2023-33190 (Sealos is an open source cloud operating system distribution based on ...) TODO: check CVE-2023- [Heap overwrite in PGS subtitle overlay decoder] - - gst-plugins-bad1.0 + - gst-plugins-bad1.0 1.22.4-1 NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0003.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896.patch NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5f3cf0a7d7ae7ab883d0611e85c06354f1e94907 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c64470a6cfedfb7accb35464a02be6559cb0bf1f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c64470a6cfedfb7accb35464a02be6559cb0bf1f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
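Review bot: the entry still uses the placeholder id `CVE-2023-` with the title `[Heap overwrite in PGS subtitle overlay decoder]`, so the fixed version `1.22.4-1` is attached to an unnamed record; when the id for GStreamer advisory sa-2023-0003 is assigned, the line has to be renamed and the `[bookworm]`/`[bullseye]`/`[buster]` assessment added, neither of which is visible yet.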
[Git][security-tracker-team/security-tracker][master] mediawiki fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a624e0ab by Moritz Muehlenhoff at 2023-07-01T20:13:52+02:00 mediawiki fixed in sid - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-36674 [Manualthumb bypasses badFile lookup] + - mediawiki 1:1.39.4-1 + NOTE: https://phabricator.wikimedia.org/T335612 + NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/934571/ CVE-2023-37252 NOT-FOR-US: MediaWiki extension CheckUser CVE-2023-37253 @@ -652,9 +656,7 @@ CVE-2023-2993 (A valid, authenticated user with limited privileges may be able t CVE-2023-2992 (An unauthenticated denial of service vulnerability exists in the SMM v ...) NOT-FOR-US: Lenovo CVE-2023-36675 (An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1. ...) - - mediawiki - [bookworm] - mediawiki (Fix in next security release) - [bullseye] - mediawiki (Fix in next security release) + - mediawiki 1:1.39.4-1 NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/921452 NOTE: https://phabricator.wikimedia.org/T332889 CVE-2023-3 (INEX IXP-Manager before 6.3.1 allows XSS. list-preamble.foil.php, page ...) @@ -12086,9 +12088,7 @@ CVE-2023-29143 CVE-2023-29142 RESERVED CVE-2023-29141 (An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1. ...) - - mediawiki - [bookworm] - mediawiki (Minor issue) - [bullseye] - mediawiki (Minor issue) + - mediawiki 1:1.39.4-1 [buster] - mediawiki (Minor issue) NOTE: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_39/RELEASE-NOTES-1.39 NOTE: https://phabricator.wikimedia.org/T285159 = data/dsa-needed.txt = 
@@ -30,6 +30,8 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y versions -- +mediawiki (jmm) +-- nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a624e0ab90803c56de9fef3d2845ffd0f08d5e5c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a624e0ab90803c56de9fef3d2845ffd0f08d5e5c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
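Review bot: the new CVE-2023-36674 entry carries the sid fix `1:1.39.4-1` and two upstream references but no release lines at all, so bookworm, bullseye and buster all read as unfixed by default; that matches `mediawiki (jmm)` being added to dsa-needed.txt, but buster is not a DSA target, so a `[buster]` line (or a note that LTS has to assess it) is still missing.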
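Review bot: for CVE-2023-36675 and CVE-2023-29141 the `[bookworm]`/`[bullseye]` lines are deleted rather than updated, and for CVE-2023-29141 those lines said `(Minor issue)`, i.e. no-dsa; removing them promotes the issue to pending-DSA status for both releases, which is a real status change that the commit message `mediawiki fixed in sid` does not mention. Presumably intended, since the same commit adds mediawiki to dsa-needed.txt, but a word in the commit message (or keeping the lines with an updated reason) would make the decision traceable. The kept `[buster] - mediawiki (Minor issue)` line on CVE-2023-29141 leaves buster at no-dsa.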
[Git][security-tracker-team/security-tracker][master] cairo fixed in experimental
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d0a7148d by Moritz Muehlenhoff at 2023-07-01T20:08:43+02:00 cairo fixed in experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -307212,6 +307212,7 @@ CVE-2018-20727 (Multiple command injection vulnerabilities in NeDi before 1.7Cp3 CVE-2015-9281 (Logon Manager in SAS Web Infrastructure Platform before 9.4M3 allows r ...) NOT-FOR-US: SAS Web Infrastructure Platform CVE-2019-6462 (An issue was discovered in cairo 1.16.0. There is an infinite loop in ...) + [experimental] - cairo 1.17.8-1 - cairo (low; bug #929945) [bookworm] - cairo (Minor issue) [bullseye] - cairo (Minor issue) @@ -307219,6 +307220,9 @@ CVE-2019-6462 (An issue was discovered in cairo 1.16.0. There is an infinite loo [stretch] - cairo (Minor issue) [jessie] - cairo (Minor issue) NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/353 + NOTE: Per upstream seems fixed in latest release, although it was never pinpointed + NOTE: which change exactly fixes it (and it's also not worth tracking down for older + NOTE: releases CVE-2019-6461 (An issue was discovered in cairo 1.16.0. There is an assertion problem ...) - cairo (low; bug #929944) [bookworm] - cairo (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0a7148d1b64392bbdcc46e3d58e1451fe7961d9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0a7148d1b64392bbdcc46e3d58e1451fe7961d9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
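Review bot: the new NOTE ends with an unclosed parenthesis, `(and it's also not worth tracking down for older releases`, and is split across three NOTE lines mid-sentence. More importantly, `[experimental] - cairo 1.17.8-1` records a fixed version on the strength of upstream saying it seems fixed without an identified commit; the NOTE should say what was actually verified (for example that the reproducer from issue 353 no longer loops with 1.17.8), or the experimental line should stay without a version until that is done.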
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bb979d0 by Moritz Muehlenhoff at 2023-07-01T20:04:32+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-37252 + NOT-FOR-US: MediaWiki extension CheckUser +CVE-2023-37253 + NOT-FOR-US: MediaWiki extension ProofreadPage CVE-2023-3493 (Improper Neutralization of Formula Elements in a CSV File in GitHub re ...) NOT-FOR-US: fossbilling CVE-2023-3491 (Unrestricted Upload of File with Dangerous Type in GitHub repository f ...) 
@@ -109,15 +113,15 @@ CVE-2023-37307 (In MISP before 2.4.172, title_for_layout is not properly sanitiz CVE-2023-37306 (MISP 2.4.172 mishandles different certificate file extensions in serve ...) TODO: check CVE-2023-37305 (An issue was discovered in the ProofreadPage (aka Proofread Page) exte ...) - TODO: check + NOT-FOR-US: MediaWiki extension ProofreadPage CVE-2023-37304 (An issue was discovered in the DoubleWiki extension for MediaWiki thro ...) - TODO: check + NOT-FOR-US: MediaWiki extension DoubleWiki CVE-2023-37303 (An issue was discovered in the CheckUser extension for MediaWiki throu ...) - TODO: check + NOT-FOR-US: MediaWiki extension CheckUser CVE-2023-37302 (An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki ...) - TODO: check + NOT-FOR-US: MediaWiki extension WikiBase CVE-2023-37301 (An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki ...) - TODO: check + NOT-FOR-US: MediaWiki extension WikiBase CVE-2023-37300 (An issue was discovered in the CheckUserLog API in the CheckUser exten ...) TODO: check CVE-2023-37299 (Joplin before 2.11.5 allows XSS via an AREA element of an image map.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2bb979d0b88317871ab147a1268d1c698e3a7e2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2bb979d0b88317871ab147a1268d1c698e3a7e2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
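Review bot: in the second hunk CVE-2023-37303 is marked `NOT-FOR-US: MediaWiki extension CheckUser` while CVE-2023-37300, whose description names the CheckUserLog API in the same CheckUser extension, is left at `TODO: check`; unless there is a reason to treat it differently it should get the same marker. Also the two Wikibase entries are written `NOT-FOR-US: MediaWiki extension WikiBase` while the descriptions spell it `Wikibase`; keeping the upstream spelling makes grep and later cross-referencing easier.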
[Git][security-tracker-team/security-tracker][master] mark CVE-2020-8908 and CVE-2023-2976 as no-dsa for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ecc7e8a by Thorsten Alteholz at 2023-07-01T19:52:53+02:00 mark CVE-2020-8908 and CVE-2023-2976 as no-dsa for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1783,6 +1783,7 @@ CVE-2023-2976 (Use of Java's default temporary directory for file creation in `F - guava-libraries 32.0.1-1 (bug #1038979) [bookworm] - guava-libraries (Minor issue) [bullseye] - guava-libraries (Minor issue) + [buster] - guava-libraries (Minor issue) NOTE: https://github.com/google/guava/releases/tag/v32.0.0 NOTE: https://github.com/google/guava/issues/2575 CVE-2023-35149 (A missing permission check in Jenkins Digital.ai App Management Publis ...) @@ -245076,6 +245077,7 @@ CVE-2020-8908 (A temp directory creation vulnerability exists in all versions of - guava-libraries 32.0.1-1 (bug #1038979) [bookworm] - guava-libraries (Minor issue) [bullseye] - guava-libraries (Minor issue) + [buster] - guava-libraries (Minor issue) NOTE: https://github.com/google/guava/issues/4011 NOTE: https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40 NOTE: Issue incompletely fixed: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ecc7e8a0e85658c7eebc6bdba005b51bf14f18a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ecc7e8a0e85658c7eebc6bdba005b51bf14f18a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
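Review bot: both new lines read `[buster] - guava-libraries (Minor issue)`, which matches the commit message's no-dsa only if the `<no-dsa>` keyword is on the committed line; the rendering here shows none, so verify. Since the existing NOTE on CVE-2020-8908 says `Issue incompletely fixed:`, it would help to state on the buster lines that CVE-2023-2976 is the follow-up to CVE-2020-8908, so that any later LTS update handles the two together rather than fixing one and re-triaging the other.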
[Git][security-tracker-team/security-tracker][master] mark CVE-2022-2309 as no-dsa for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3aeaa1e9 by Thorsten Alteholz at 2023-07-01T19:36:46+02:00 mark CVE-2022-2309 as no-dsa for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -73989,6 +73989,7 @@ CVE-2022-2309 (NULL Pointer Dereference allows attackers to cause a denial of se - libxml2 (bug #1039991) [bookworm] - libxml2 (Minor issue) [bullseye] - libxml2 (Minor issue) + [buster] - libxml2 (Minor issue) NOTE: https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba/ NOTE: https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f (lxml-4.9.1) NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/378 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3aeaa1e99a6faabf47df152bdb3160e63c9ccad4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3aeaa1e99a6faabf47df152bdb3160e63c9ccad4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
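Review bot: `[buster] - libxml2 (Minor issue)` aligns buster with bookworm and bullseye, but the top-level line `- libxml2 (bug #1039991)` still has no fixed version, and the NOTE cites an lxml commit `(lxml-4.9.1)` alongside libxml2 issue 378; if lxml carried its own mitigation the entry should say whether src:lxml needs a line of its own, otherwise the lxml link is background only and could be marked as such.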
[Git][security-tracker-team/security-tracker][master] mark CVE-2023-33460 as postponed until newer releases got a fix
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d10a159 by Thorsten Alteholz at 2023-07-01T19:30:45+02:00 mark CVE-2023-33460 as postponed until newer releases got a fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2776,11 +2776,15 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse [buster] - yajl (Minor issue) NOTE: https://github.com/lloyd/yajl/issues/250 - burp + [buster] - burp (Minor issue; fix only after newer releases got a fix) - crun + [buster] - crun (Minor issue; fix only after newer releases got a fix) - epic-base + [buster] - epic-base (Minor issue; fix only after newer releases got a fix) - r-cran-jsonlite [bookworm] - r-cran-jsonlite (Minor issue) [bullseye] - r-cran-jsonlite (Minor issue) + [buster] - r-cran-jsonlite (Minor issue; fix only after newer releases got a fix) - ruby-yajl [bookworm] - ruby-yajl (Minor issue) [bullseye] - ruby-yajl (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d10a1598c936b6e5df3f0c963677b49ed5d0248 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d10a1598c936b6e5df3f0c963677b49ed5d0248 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
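Review bot: the four new buster lines say `fix only after newer releases got a fix`, but for r-cran-jsonlite the newer releases are marked `(Minor issue)`, i.e. no-dsa, so the condition will be met only by a point release or not at all; if that is the intent, say so (for example `wait for a point-release fix in bookworm/bullseye`) so the postponed entry does not read as blocked on a DSA that is not planned. burp, crun and epic-base have no `[bookworm]`/`[bullseye]` lines at all in the hunk, so their stable status is still unrecorded, and ruby-yajl, the other embedded copy in the context, gets no buster line visible here.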
[Git][security-tracker-team/security-tracker][master] lts-do-call-me: move info from packages.yml LTS package database
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c261f2a by Sylvain Beucler at 2023-07-01T16:54:20+02:00 lts-do-call-me: move info from packages.yml LTS package database - - - - - 1 changed file: - data/packages/lts-do-call-me Changes: = data/packages/lts-do-call-me = @@ -7,10 +7,11 @@ # All packages by Christoph Biedl fileDebConf19 conversation with apo busybox DebConf19 conversation with apo +schroot DebConf19 conversation with apo # Christoph Berg (credativ) postgresql.* (Christoph will always take care of updates, no need to contact him) -# However Christoph won't update EOL'd 9.6 for stretch +# However Christoph may not update EOL'd branches, e.g.: # https://lists.debian.org/debian-lts/2022/05/msg00054.html # Peter Palfrader @@ -30,6 +31,8 @@ openldap # all packages maintained by Thorsten Alteholz/Debian Printing Team cups +cups-filters +duktape # all packages maintained by Samuel Henrique # The main reason is to avoid duplication of work, so if I don't @@ -47,3 +50,15 @@ mariadb-10.5 mariadb galera-3 galera-4 + +# The maintainer is active in old releases, e.g. DLA 3190-2. +# https://lists.debian.org/debian-lts-announce/2022/12/msg00019.html +grub2 + +thunderbird 2023 contact with pochu + +modsecurity-crs 2022 contact with gladky + +# OpenStack packages from zigo +# https://lists.debian.org/debian-lts/2022/08/msg00011.html +nova View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c261f2a88f90203a97d6c6eb55dea2be45e1a03 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c261f2a88f90203a97d6c6eb55dea2be45e1a03 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
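Review bot: the new `thunderbird 2023 contact with pochu` and `modsecurity-crs 2022 contact with gladky` lines put the justification on the package line itself, following the `busybox DebConf19 conversation with apo` style, whereas grub2 and nova put it in `#` comments above; if any tooling reads this file by package name, trailing text on the package line becomes part of the token, so settling on the `#` comment form is safer. The first context line, `fileDebConf19 conversation with apo`, has lost the whitespace between `file` and the comment, at least in this rendering, and is worth checking in the committed file. The change from `won't update EOL'd 9.6 for stretch` to `may not update EOL'd branches, e.g.:` is a useful generalisation.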
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab6e2364 by Salvatore Bonaccorso at 2023-07-01T10:32:03+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,25 +1,25 @@ CVE-2023-3493 (Improper Neutralization of Formula Elements in a CSV File in GitHub re ...) - TODO: check + NOT-FOR-US: fossbilling CVE-2023-3491 (Unrestricted Upload of File with Dangerous Type in GitHub repository f ...) - TODO: check + NOT-FOR-US: fossbilling CVE-2023-3490 (SQL Injection in GitHub repository fossbilling/fossbilling prior to 0. ...) - TODO: check + NOT-FOR-US: fossbilling CVE-2023-3117 (A use-after-free flaw was found in the Netfilter subsystem of the Linu ...) TODO: check in https://bugzilla.redhat.com/show_bug.cgi?id=2213260, duplicate of CVE-2023-3390 CVE-2023-36812 (OpenTSDB is a open source, distributed, scalable Time Series Database ...) - TODO: check + NOT-FOR-US: OpenTSDB CVE-2023-36144 (An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1. ...) - TODO: check + NOT-FOR-US: Intelbras CVE-2023-35947 (Gradle is a build tool with a focus on build automation and support fo ...) TODO: check CVE-2023-35946 (Gradle is a build tool with a focus on build automation and support fo ...) TODO: check CVE-2023-33298 (com.perimeter81.osx.HelperTool in Perimeter81 10.0.0.19 on macOS allow ...) - TODO: check + NOT-FOR-US: Perimeter81 CVE-2023-31997 (UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi N ...) - TODO: check + NOT-FOR-US: UniFi OS CVE-2023-29241 (Improper Information in Cybersecurity Guidebook in Bosch Building Inte ...) - TODO: check + NOT-FOR-US: Bosch CVE-2021-4405 (The ElasticPress plugin for WordPress is vulnerable to Cross-Site Requ ...) NOT-FOR-US: ElasticPress plugin for WordPress CVE-2021-4404 (The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross ...) 
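Review bot: the hunk converts nine `TODO: check` entries to `NOT-FOR-US` but leaves CVE-2023-35947 and CVE-2023-35946 (gradle, which is in Debian) and CVE-2023-3117 (the probable CVE-2023-3390 duplicate) as TODOs in the same block; that is the right split, and the two gradle ids are picked up in commit 7dd03cd2, but CVE-2023-3117 still needs a decision so it stops appearing in the triage list.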
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab6e236471cae935b88d39eb8711e10dd4ba6efb
[Git][security-tracker-team/security-tracker][master] Clarify with TODO that we think CVE-2023-3117 should be considered duplicate of CVE-2023-3390
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d8528a2 by Salvatore Bonaccorso at 2023-07-01T10:31:16+02:00 Clarify with TODO that we think CVE-2023-3117 should be considered duplicate of CVE-2023-3390 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,7 @@ CVE-2023-3491 (Unrestricted Upload of File with Dangerous Type in GitHub reposit CVE-2023-3490 (SQL Injection in GitHub repository fossbilling/fossbilling prior to 0. ...) TODO: check CVE-2023-3117 (A use-after-free flaw was found in the Netfilter subsystem of the Linu ...) - TODO: check + TODO: check in https://bugzilla.redhat.com/show_bug.cgi?id=2213260, duplicate of CVE-2023-3390 CVE-2023-36812 (OpenTSDB is a open source, distributed, scalable Time Series Database ...) TODO: check CVE-2023-36144 (An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d8528a20b29e0a273c12fbde506f2e69b8ee04f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d8528a20b29e0a273c12fbde506f2e69b8ee04f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
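Review bot: the TODO now carries both the open action (`check in https://bugzilla.redhat.com/show_bug.cgi?id=2213260`) and the expected conclusion (`duplicate of CVE-2023-3390`) on one line, which is fine as a breadcrumb; once confirmed, a `NOTE:` line stating the duplicate plus the same package lines as CVE-2023-3390 should replace the TODO, otherwise the entry keeps surfacing as unprocessed.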
[Git][security-tracker-team/security-tracker][master] Process several NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 08b6501c by Salvatore Bonaccorso at 2023-07-01T10:28:12+02:00 Process several NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -21,79 +21,79 @@ CVE-2023-31997 (UniFi OS 3.1 introduces a misconfiguration on consoles running U CVE-2023-29241 (Improper Information in Cybersecurity Guidebook in Bosch Building Inte ...) TODO: check CVE-2021-4405 (The ElasticPress plugin for WordPress is vulnerable to Cross-Site Requ ...) - TODO: check + NOT-FOR-US: ElasticPress plugin for WordPress CVE-2021-4404 (The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross ...) - TODO: check + NOT-FOR-US: Event Espresso 4 Decaf plugin for WordPress CVE-2021-4403 (The Remove Schema plugin for WordPress is vulnerable to Cross-Site Req ...) - TODO: check + NOT-FOR-US: Remove Schema plugin for WordPress CVE-2021-4402 (The Multiple Roles plugin for WordPress is vulnerable to Cross-Site Re ...) - TODO: check + NOT-FOR-US: Multiple Roles plugin for WordPress CVE-2021-4401 (The Style Kits plugin for WordPress is vulnerable to Cross-Site Reques ...) - TODO: check + NOT-FOR-US: Style Kits plugin for WordPress CVE-2021-4400 (The Better Search plugin for WordPress is vulnerable to Cross-Site Req ...) - TODO: check + NOT-FOR-US: Better Search plugin for WordPress CVE-2021-4399 (The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Re ...) - TODO: check + NOT-FOR-US: Edwiser Bridge plugin for WordPress CVE-2021-4398 (The Amministrazione Trasparente plugin for WordPress is vulnerable to ...) - TODO: check + NOT-FOR-US: Amministrazione Trasparente plugin for WordPress CVE-2021-4397 (The Staff Directory Plugin plugin for WordPress is vulnerable to Cross ...) - TODO: check + NOT-FOR-US: Staff Directory Plugin plugin for WordPress CVE-2021-4396 (The Rucy plugin for WordPress is vulnerable to Cross-Site Request Forg ...) - TODO: check + NOT-FOR-US: Rucy plugin for WordPress CVE-2021-4395 (The Abandoned Cart Recovery for WooCommerce plugin for WordPress is vu ...) 
- TODO: check + NOT-FOR-US: Abandoned Cart Recovery for WooCommerce plugin for WordPress CVE-2021-4394 (The Locations plugin for WordPress is vulnerable to Cross-Site Request ...) - TODO: check + NOT-FOR-US: Locations plugin for WordPress CVE-2021-4393 (The eCommerce Product Catalog Plugin for WordPress plugin for WordPres ...) - TODO: check + NOT-FOR-US: eCommerce Product Catalog Plugin for WordPress plugin for WordPress CVE-2021-4392 (The eCommerce Product Catalog Plugin for WordPress plugin for WordPres ...) - TODO: check + NOT-FOR-US: eCommerce Product Catalog Plugin for WordPress plugin for WordPress CVE-2021-4391 (The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulner ...) - TODO: check + NOT-FOR-US: Ultimate Gift Cards for WooCommerce plugin for WordPress CVE-2021-4390 (The Contact Form 7 Style plugin for WordPress is vulnerable to Cross-S ...) - TODO: check + NOT-FOR-US: Contact Form 7 Style plugin for WordPress CVE-2021-4389 (The WP Travel plugin for WordPress is vulnerable to Cross-Site Request ...) - TODO: check + NOT-FOR-US: WP Travel plugin for WordPress CVE-2021-4388 (The Opal Estate plugin for WordPress is vulnerable to featured propert ...) - TODO: check + NOT-FOR-US: Opal Estate plugin for WordPress CVE-2021-4387 (The Opal Estate plugin for WordPress is vulnerable to Cross-Site Reque ...) - TODO: check + NOT-FOR-US: Opal Estate plugin for WordPress CVE-2021-4386 (The WP Security Question plugin for WordPress is vulnerable to Cross-S ...) - TODO: check + NOT-FOR-US: WP Security Question plugin for WordPress CVE-2021-4385 (The WP Private Content Plus plugin for WordPress is vulnerable to Cros ...) - TODO: check + NOT-FOR-US: WP Private Content Plus plugin for WordPress CVE-2021-4384 (The WordPress Photo Gallery \u2013 Image Gallery plugin for WordPress ...) - TODO: check + NOT-FOR-US: WordPress Photo Gallery Image Gallery plugin for WordPress CVE-2020-36749 (The Easy Testimonials plugin for WordPress is vulnerable to Cross-Site ...) 
- TODO: check + NOT-FOR-US: Easy Testimonials plugin for WordPress CVE-2020-36748 (The Dokan plugin for WordPress is vulnerable to Cross-Site Request For ...) - TODO: check + NOT-FOR-US: Dokan plugin for WordPress CVE-2020-36747 (The Lightweight Sidebar Manager plugin for WordPress is vulnerable to ...) - TODO: check + NOT-FOR-US: Lightweight Sidebar Manager plugin for WordPress CVE-2020-36746 (The Menu Swapper plugin for WordPress is
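Review bot: the hunk's own context lines leave CVE-2023-31997 (UniFi OS) and CVE-2023-29241 (Bosch) at TODO: check although both describe vendor products of the same kind as the WordPress plugins this pass marks NOT-FOR-US, so they could be closed in the same sweep. Style: the NOT-FOR-US text for CVE-2021-4393 and CVE-2021-4392 copies the upstream product string literally as "eCommerce Product Catalog Plugin for WordPress plugin for WordPress", and CVE-2021-4397 gets "Staff Directory Plugin plugin for WordPress"; "eCommerce Product Catalog plugin for WordPress" and "Staff Directory plugin for WordPress" read cleaner and lose nothing. The header counts 79 lines on each side but the visible diff is cut off at CVE-2020-36746, so the remaining entries cannot be reviewed from this page.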
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01beab62 by security tracker role at 2023-07-01T08:12:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,99 @@ +CVE-2023-3493 (Improper Neutralization of Formula Elements in a CSV File in GitHub re ...) + TODO: check +CVE-2023-3491 (Unrestricted Upload of File with Dangerous Type in GitHub repository f ...) + TODO: check +CVE-2023-3490 (SQL Injection in GitHub repository fossbilling/fossbilling prior to 0. ...) + TODO: check +CVE-2023-3117 (A use-after-free flaw was found in the Netfilter subsystem of the Linu ...) + TODO: check +CVE-2023-36812 (OpenTSDB is a open source, distributed, scalable Time Series Database ...) + TODO: check +CVE-2023-36144 (An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1. ...) + TODO: check +CVE-2023-35947 (Gradle is a build tool with a focus on build automation and support fo ...) + TODO: check +CVE-2023-35946 (Gradle is a build tool with a focus on build automation and support fo ...) + TODO: check +CVE-2023-33298 (com.perimeter81.osx.HelperTool in Perimeter81 10.0.0.19 on macOS allow ...) + TODO: check +CVE-2023-31997 (UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi N ...) + TODO: check +CVE-2023-29241 (Improper Information in Cybersecurity Guidebook in Bosch Building Inte ...) + TODO: check +CVE-2021-4405 (The ElasticPress plugin for WordPress is vulnerable to Cross-Site Requ ...) + TODO: check +CVE-2021-4404 (The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross ...) + TODO: check +CVE-2021-4403 (The Remove Schema plugin for WordPress is vulnerable to Cross-Site Req ...) + TODO: check +CVE-2021-4402 (The Multiple Roles plugin for WordPress is vulnerable to Cross-Site Re ...) + TODO: check +CVE-2021-4401 (The Style Kits plugin for WordPress is vulnerable to Cross-Site Reques ...) + TODO: check +CVE-2021-4400 (The Better Search plugin for WordPress is vulnerable to Cross-Site Req ...) + TODO: check +CVE-2021-4399 (The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Re ...) 
+ TODO: check +CVE-2021-4398 (The Amministrazione Trasparente plugin for WordPress is vulnerable to ...) + TODO: check +CVE-2021-4397 (The Staff Directory Plugin plugin for WordPress is vulnerable to Cross ...) + TODO: check +CVE-2021-4396 (The Rucy plugin for WordPress is vulnerable to Cross-Site Request Forg ...) + TODO: check +CVE-2021-4395 (The Abandoned Cart Recovery for WooCommerce plugin for WordPress is vu ...) + TODO: check +CVE-2021-4394 (The Locations plugin for WordPress is vulnerable to Cross-Site Request ...) + TODO: check +CVE-2021-4393 (The eCommerce Product Catalog Plugin for WordPress plugin for WordPres ...) + TODO: check +CVE-2021-4392 (The eCommerce Product Catalog Plugin for WordPress plugin for WordPres ...) + TODO: check +CVE-2021-4391 (The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulner ...) + TODO: check +CVE-2021-4390 (The Contact Form 7 Style plugin for WordPress is vulnerable to Cross-S ...) + TODO: check +CVE-2021-4389 (The WP Travel plugin for WordPress is vulnerable to Cross-Site Request ...) + TODO: check +CVE-2021-4388 (The Opal Estate plugin for WordPress is vulnerable to featured propert ...) + TODO: check +CVE-2021-4387 (The Opal Estate plugin for WordPress is vulnerable to Cross-Site Reque ...) + TODO: check +CVE-2021-4386 (The WP Security Question plugin for WordPress is vulnerable to Cross-S ...) + TODO: check +CVE-2021-4385 (The WP Private Content Plus plugin for WordPress is vulnerable to Cros ...) + TODO: check +CVE-2021-4384 (The WordPress Photo Gallery \u2013 Image Gallery plugin for WordPress ...) + TODO: check +CVE-2020-36749 (The Easy Testimonials plugin for WordPress is vulnerable to Cross-Site ...) + TODO: check +CVE-2020-36748 (The Dokan plugin for WordPress is vulnerable to Cross-Site Request For ...) + TODO: check +CVE-2020-36747 (The Lightweight Sidebar Manager plugin for WordPress is vulnerable to ...) 
+ TODO: check +CVE-2020-36746 (The Menu Swapper plugin for WordPress is vulnerable to Cross-Site Requ ...) + TODO: check +CVE-2020-36745 (The WP Project Manager plugin for WordPress is vulnerable to Cross-Sit ...) + TODO: check +CVE-2020-36744 (The NotificationX plugin for WordPress is vulnerable to Cross-Site Req ...) + TODO: check +CVE-2020-36743 (The Product Catalog Simple plugin for WordPress is vulnerable to Cross ...) + TODO: check +CVE-2020-36742 (The Custom Field Template plugin for WordPress is vulnerable to Cross- ...) + TODO: check
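Review bot: everything this automatic import adds is TODO: check, which is expected for the import step, but the list mixes items of very different relevance: CVE-2023-3117 (a use-after-free in the Linux netfilter subsystem) and CVE-2023-35947/CVE-2023-35946 (Gradle) concern packages Debian ships and need real triage with a fixed version or a suite annotation, whereas the run of WordPress plugin CSRF entries from CVE-2021-4405 down to CVE-2020-36742 are NOT-FOR-US candidates that can be processed in one sweep. The header announces 96 added lines, yet the visible diff ends after CVE-2020-36742's TODO: check; the tail is missing from this page.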
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-33201/bouncycastle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f6fd3d81 by Salvatore Bonaccorso at 2023-07-01T08:53:29+02:00 Add CVE-2023-33201/bouncycastle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4379,6 +4379,9 @@ CVE-2023-33203 (The Linux kernel before 6.2.9 has a race condition and resultant [bullseye] - linux 5.10.178-1 [buster] - linux 4.19.282-1 NOTE: https://git.kernel.org/linus/6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 (6.3-rc4) +CVE-2023-33201 [potential blind LDAP injection attack using a self-signed certificate] + - bouncycastle + NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33201 CVE-2023-31729 (TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection.) NOT-FOR-US: TOTOLINK CVE-2023-2780 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6fd3d8149722d53a99b1459153d333d4eaf9eaa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6fd3d8149722d53a99b1459153d333d4eaf9eaa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
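Review bot: the new entry carries no fixed version and no suite annotations, so it tracks bouncycastle as open in every suite; the neighbouring CVE-2023-33203 entry shows the expected shape with [bullseye] and [buster] lines. The only NOTE is the upstream wiki page; once the fixing bc-java commit or release is identified it should be added as a second NOTE, the way the kernel entry above carries its git.kernel.org link with the release tag in parentheses. The bracketed free-text title ("potential blind LDAP injection attack using a self-signed certificate") is fine as a placeholder until the CVE description is published.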
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3297/accountsservice
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab34d5b9 by Salvatore Bonaccorso at 2023-07-01T08:50:59+02:00 Add CVE-2023-3297/accountsservice - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1368,6 +1368,9 @@ CVE-2023-35808 (An issue was discovered in SugarCRM Enterprise before 11.0.6 and CVE-2014-125106 (Nanopb before 0.3.1 allows size_t overflows in pb_dec_bytes and pb_dec ...) - nanopb (Fixed before initial upload to Debian) NOTE: https://github.com/nanopb/nanopb/commit/d2099cc8f1adb33d427a44a5e32ed27b647c7168 (nanopb-0.3.1) +CVE-2023-3297 + - accountsservice (Ubuntu specific 0010-set-language.patch not applied in Debian) + NOTE: https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024182 CVE-2023-3295 (The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) ...) NOT-FOR-US: WordPress plugin CVE-2023-35790 (An issue was discovered in dec_patch_dictionary.cc in libjxl before 0. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab34d5b91f37a5bf24c5753444ba7d7b00e57b15
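Review bot: the package line reads "- accountsservice (Ubuntu specific 0010-set-language.patch not applied in Debian)" with no status pseudo-version between the package name and the reason. If the angle-bracketed not-affected marker was stripped by the mail rendering there is nothing to do; if it is really absent, the bare form records accountsservice as unfixed in unstable, the opposite of what the reason says. The CVE has no description yet (no parenthesised summary after the id), so a short bracketed title would help later readers, as the tiff and bouncycastle entries on this page do.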
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2908/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc53f619 by Salvatore Bonaccorso at 2023-07-01T08:45:15+02:00 Add CVE-2023-2908/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1180,6 +1180,10 @@ CVE-2023-31411 (A remote unprivileged attacker can modify and access configurati NOT-FOR-US: SICK CVE-2023-31410 (A remote unprivileged attacker can intercept the communication via e.g ...) NOT-FOR-US: SICK +CVE-2023-2908 [null pointer dereference in tif_dir.c] + - tiff 4.5.1~rc3-1 + NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/479 + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f (v4.5.1rc1) CVE-2023-2907 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Marksoft CVE-2023-2899 (The Google Map Shortcode WordPress plugin through 3.1.2 does not valid ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc53f61939380d2ac1fc2ef0d15033140a6df0ac
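Review bot: the fixed version 4.5.1~rc3-1 is consistent with the second NOTE placing the fix in v4.5.1rc1, but the entry has no [bookworm], [bullseye] or [buster] lines, so suites shipping a pre-4.5.1 tiff are tracked as open without a severity judgement; a NULL pointer dereference in tif_dir.c is usually a crash-only issue, and a "Minor issue" or "unimportant" annotation, or a bug number, would tell the stable maintainers whether an update is planned. Both NOTE links (merge request 479 and the commit with its release tag) are the right references to keep.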
[Git][security-tracker-team/security-tracker][master] Track proposed update for cdb-libs via bookworm-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18050c98 by Salvatore Bonaccorso at 2023-07-01T08:38:30+02:00 Track proposed update for cdb-libs via bookworm-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -26,3 +26,5 @@ CVE-2023-32324 [bookworm] - cups 2.4.2-3+deb12u1 CVE-2023-34241 [bookworm] - cups 2.4.2-3+deb12u1 +CVE-2023-34095 + [bookworm] - cpdb-libs 1.2.0-2+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18050c9873b8b345e2a7bf0e980b8e397f6e51bc
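Review bot: the commit message says "cdb-libs" but the hunk adds cpdb-libs (the Common Print Dialog Backends library); the subject should read cpdb-libs so that searches for the package find this change. The added line itself follows the existing convention in next-point-update.txt ([bookworm] - package version, as the cups entries above it show), and the +deb12u1 suffix is the expected bookworm point-update versioning. Worth confirming that data/CVE/list carries the matching [bookworm] fixed version for CVE-2023-34095, which this commit does not touch.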
[Git][security-tracker-team/security-tracker][master] Sync two linux CVEs with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 59a95a41 by Salvatore Bonaccorso at 2023-07-01T08:34:52+02:00 Sync two linux CVEs with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1127,7 +1127,7 @@ CVE-2023-29158 (SUBNET PowerSYSTEM Center versions 2020 U10 and prior are vulner CVE-2023-3318 (A vulnerability was found in SourceCodester Resort Management System 1 ...) NOT-FOR-US: SourceCodester Resort Management System CVE-2023-3317 (A use-after-free flaw was found in mt7921_check_offload_capability in ...) - - linux 6.3.7-1 + - linux (Vulnerable code never in released version in unstable) NOTE: https://git.kernel.org/linus/2ceb76f734e37833824b7fab6af17c999eb48d2b (6.3-rc6) CVE-2023-3316 (A NULL pointer dereference in TIFFClose() is caused by a failure to op ...) - tiff 4.5.1~rc3-1 @@ -5585,6 +5585,7 @@ CVE-2015-10104 (A vulnerability, which was classified as problematic, has been f NOT-FOR-US: WordPress plugin CVE-2023-2430 [io_uring/msg_ring: fix missing lock on overflow for IOPOLL] - linux 6.3.7-1 + [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/e12d7a46f65ae4b7d58a5e0c1cbfa825cf8d830d (6.2-rc5) CVE-2023-2429 (Improper Access Control in GitHub repository thorsten/phpmyfaq prior t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59a95a41e1fc2b1c92fcd3c753c427cdd2de9417
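Review bot: in the first hunk the fixed version "- linux 6.3.7-1" is replaced by "- linux (Vulnerable code never in released version in unstable)". That reasoning should be carried by the not-affected pseudo-version (written in angle brackets in the tracker syntax); if the brackets were stripped in mail rendering this is fine, otherwise a bare package line with only a parenthesised reason tracks linux as unfixed, which contradicts the reason. Keeping the NOTE with the 6.3-rc6 fix commit is right, since that is what lets a reader check the claim against the kernel versions that reached unstable.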
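Review bot: the second hunk adds "[bullseye] - linux (Vulnerable code not present)" beside the existing buster line for CVE-2023-2430. That is consistent: the fix is in 6.2-rc5 and bullseye and buster ship 5.10.x and 4.19.x kernels (see the CVE-2023-33203 context lines in the bouncycastle commit on this page). No [bookworm] line is present while the unstable fix is 6.3.7-1, so bookworm either needs a fixed version from its stable kernel series or its own annotation. The same remark about the missing angle-bracketed status token applies to the new bullseye line.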