[Git][security-tracker-team/security-tracker][master] Track fixed version for firefox-esr for mfsa2023-36 issues

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fd6768dc by Salvatore Bonaccorso at 2023-08-30T06:44:27+02:00
Track fixed version for firefox-esr for mfsa2023-36 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -50,21 +50,21 @@ CVE-2023-34039 (Aria Operations for Networks contains an 
Authentication Bypass v
NOT-FOR-US: VMware
 CVE-2023-4585
- firefox 117.0-1
-   - firefox-esr 
+   - firefox-esr 115.2.0esr-1
[bookworm] - firefox-esr  (ESR 102 not affected)
[bullseye] - firefox-esr  (ESR 102 not affected)
[buster] - firefox-esr  (ESR 102 not affected)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4585
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4585
 CVE-2023-4584
-   - firefox-esr 
+   - firefox-esr 115.2.0esr-1
- firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4584
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4584
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4584
 CVE-2023-4583
- firefox 117.0-1
-   - firefox-esr 
+   - firefox-esr 115.2.0esr-1
[bookworm] - firefox-esr  (ESR 102 not affected)
[bullseye] - firefox-esr  (ESR 102 not affected)
[buster] - firefox-esr  (ESR 102 not affected)
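Review bot: CVE-2023-4584 receives the same firefox-esr 115.2.0esr-1 fixed version as CVE-2023-4585 and CVE-2023-4583 in this hunk, but unlike those two it carries no "[bookworm]/[bullseye]/[buster] - firefox-esr (ESR 102 not affected)" lines, so the stable suites will now be reported as affected for it. That matches the extra mfsa2023-35 reference only that entry has, but it is worth confirming the split is deliberate rather than an omission before the DSA is prepared.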
@@ -77,14 +77,14 @@ CVE-2023-4582
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4582
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4582
 CVE-2023-4581
-   - firefox-esr 
+   - firefox-esr 115.2.0esr-1
- firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4581
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4581
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4581
 CVE-2023-4580
- firefox 117.0-1
-   - firefox-esr 
+   - firefox-esr 115.2.0esr-1
[bookworm] - firefox-esr  (ESR 102 not affected)
[bullseye] - firefox-esr  (ESR 102 not affected)
[buster] - firefox-esr  (ESR 102 not affected)
@@ -95,14 +95,14 @@ CVE-2023-4579
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4579
 CVE-2023-4578
- firefox 117.0-1
-   - firefox-esr 
+   - firefox-esr 115.2.0esr-1
[bookworm] - firefox-esr  (ESR 102 not affected)
[bullseye] - firefox-esr  (ESR 102 not affected)
[buster] - firefox-esr  (ESR 102 not affected)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4578
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4578
 CVE-2023-4577
-   - firefox-esr 
+   - firefox-esr 115.2.0esr-1
[bookworm] - firefox-esr  (ESR 102 not affected)
[bullseye] - firefox-esr  (ESR 102 not affected)
[buster] - firefox-esr  (ESR 102 not affected)
@@ -117,19 +117,19 @@ CVE-2023-4576
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4576
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4576
 CVE-2023-4575
-   - firefox-esr 
+   - firefox-esr 115.2.0esr-1
- firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4575
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4575
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4575
 CVE-2023-4574
-   - firefox-esr 
+   - firefox-esr 115.2.0esr-1
- firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4574
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4574
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4574
 CVE-2023-4573
-   - firefox-esr 
+   - firefox-esr 115.2.0esr-1
- firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4573
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4573
@@ -3839,7 +3839,7 @@ CVE-2023-4054 (When opening appref-ms files, Firefox did 
not warn the user that
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4054
 CVE-2023-4053 (A website could have obscured the full screen notification by 
using a  ...)
- firefox 116.0-1
-   - firefox-esr 
+   - firefox-esr 115.2.0esr-1
[bookworm] - firefox-esr  (ESR 102 not affected)
[bullseye] - firefox-esr  

[Git][security-tracker-team/security-tracker][master] Track fixed version for firefox via unstable for mfsa2023-34 issues

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7eb3bc09 by Salvatore Bonaccorso at 2023-08-30T06:43:17+02:00
Track fixed version for firefox via unstable for mfsa2023-34 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -49,7 +49,7 @@ CVE-2023-38283 (In OpenBGPD before 8.1, incorrect handling of 
BGP update data (l
 CVE-2023-34039 (Aria Operations for Networks contains an Authentication Bypass 
vulnera ...)
NOT-FOR-US: VMware
 CVE-2023-4585
-   - firefox 
+   - firefox 117.0-1
- firefox-esr 
[bookworm] - firefox-esr  (ESR 102 not affected)
[bullseye] - firefox-esr  (ESR 102 not affected)
@@ -58,12 +58,12 @@ CVE-2023-4585
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4585
 CVE-2023-4584
- firefox-esr 
-   - firefox 
+   - firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4584
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4584
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4584
 CVE-2023-4583
-   - firefox 
+   - firefox 117.0-1
- firefox-esr 
[bookworm] - firefox-esr  (ESR 102 not affected)
[bullseye] - firefox-esr  (ESR 102 not affected)
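Review bot: the source-package line order differs between neighbouring entries in this hunk: CVE-2023-4584 lists "firefox-esr" before "firefox 117.0-1", while CVE-2023-4583 lists "firefox 117.0-1" before "firefox-esr". The tracker does not depend on the order, but keeping one order for all the mfsa2023-34 entries makes the block easier to diff against the next ESR update.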
@@ -78,12 +78,12 @@ CVE-2023-4582
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4582
 CVE-2023-4581
- firefox-esr 
-   - firefox 
+   - firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4581
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4581
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4581
 CVE-2023-4580
-   - firefox 
+   - firefox 117.0-1
- firefox-esr 
[bookworm] - firefox-esr  (ESR 102 not affected)
[bullseye] - firefox-esr  (ESR 102 not affected)
@@ -91,10 +91,10 @@ CVE-2023-4580
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4580
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4580
 CVE-2023-4579
-   - firefox 
+   - firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4579
 CVE-2023-4578
-   - firefox 
+   - firefox 117.0-1
- firefox-esr 
[bookworm] - firefox-esr  (ESR 102 not affected)
[bullseye] - firefox-esr  (ESR 102 not affected)
@@ -106,7 +106,7 @@ CVE-2023-4577
[bookworm] - firefox-esr  (ESR 102 not affected)
[bullseye] - firefox-esr  (ESR 102 not affected)
[buster] - firefox-esr  (ESR 102 not affected)
-   - firefox 
+   - firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4577
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4577
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4577
@@ -118,19 +118,19 @@ CVE-2023-4576
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4576
 CVE-2023-4575
- firefox-esr 
-   - firefox 
+   - firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4575
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4575
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4575
 CVE-2023-4574
- firefox-esr 
-   - firefox 
+   - firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4574
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4574
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4574
 CVE-2023-4573
- firefox-esr 
-   - firefox 
+   - firefox 117.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4573
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4573
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4573



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eb3bc09ef71d62f75f6fd3fca5ad8e75a0ae092

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eb3bc09ef71d62f75f6fd3fca5ad8e75a0ae092
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for oggvideotools issues

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3249df18 by Salvatore Bonaccorso at 2023-08-30T06:38:26+02:00
Add Debian bug reference for oggvideotools issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -221214,17 +221214,17 @@ CVE-2020-21726 (OpenSNS v6.1.0 contains a blind SQL 
injection vulnerability in /
 CVE-2020-21725 (OpenSNS v6.1.0 contains a blind SQL injection vulnerability in 
/Contro ...)
NOT-FOR-US: OpenSNS
 CVE-2020-21724 (Buffer Overflow vulnerability in ExtractorInformation function 
in stre ...)
-   - oggvideotools 
+   - oggvideotools  (bug #1050836)
[bookworm] - oggvideotools  (Minor issue)
[bullseye] - oggvideotools  (Minor issue)
NOTE: https://sourceforge.net/p/oggvideotools/bugs/9/
 CVE-2020-21723 (A Segmentation Fault issue discovered 
StreamSerializer::extractStreams ...)
-   - oggvideotools 
+   - oggvideotools  (bug #1050836)
[bookworm] - oggvideotools  (Minor issue)
[bullseye] - oggvideotools  (Minor issue)
NOTE: https://sourceforge.net/p/oggvideotools/bugs/10/
 CVE-2020-21722 (Buffer Overflow vulnerability in oggvideotools 0.9.1 allows 
remote att ...)
-   - oggvideotools 
+   - oggvideotools  (bug #1050836)
[bookworm] - oggvideotools  (Minor issue)
[bullseye] - oggvideotools  (Minor issue)
NOTE: https://sourceforge.net/p/oggvideotools/bugs/11/
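Review bot: one Debian bug, #1050836, is referenced for all three oggvideotools CVEs (CVE-2020-21722, CVE-2020-21723, CVE-2020-21724); that is fine provided the bug report lists all three identifiers. Note that the unstable lines still have no fixed version, so the package keeps showing as vulnerable in sid until an upload closes that bug, and the "[bookworm]/[bullseye] (Minor issue)" markings remain as before.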



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3249df18069e8b162050709e24bd24a7e13f455d



[Git][security-tracker-team/security-tracker][master] Take file from dsa-needed list

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86cd3dcb by Salvatore Bonaccorso at 2023-08-30T05:40:35+02:00
Take file from dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -16,7 +16,7 @@ aom/oldstable (apo)
 --
 cinder/oldstable
 --
-file/oldstable
+file/oldstable (carnil)
 --
 firefox-esr (jmm)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86cd3dcbab2b60a0a4bff4f7c87de9743e389c09



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3549-1 for ring

2023-08-29 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c016457 by Thorsten Alteholz at 2023-08-29T23:09:48+02:00
Reserve DLA-3549-1 for ring

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[29 Aug 2023] DLA-3549-1 ring - security update
+   {CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 
CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 
CVE-2022-21723 CVE-2022-23537 CVE-2022-23547 CVE-2022-23608 CVE-2022-24754 
CVE-2022-24763 CVE-2022-24764 CVE-2022-24793 CVE-2022-31031 CVE-2022-39244 
CVE-2023-27585}
+   [buster] - ring 20190215.1.f152c98~ds1-1+deb10u2
 [29 Aug 2023] DLA-3548-1 qpdf - security update
{CVE-2018-18020 CVE-2021-25786 CVE-2021-36978}
[buster] - qpdf 8.4.0-2+deb10u1
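Review bot: this commit touches only data/DLA/list and data/dla-needed.txt; none of the 21 CVEs in the DLA-3549-1 ring entry gets a corresponding edit in data/CVE/list. Check that none of them still carries a "[buster] - ring (Minor issue)" or similar no-dsa annotation that would now contradict the DLA (compare the DLA-3548-1 qpdf commit in this same batch, which dropped exactly such lines for CVE-2021-36978 and CVE-2018-18020).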


=
data/dla-needed.txt
=
@@ -178,10 +178,6 @@ rails (utkarsh)
   NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the 
possible path forward. (utkarsh)
   NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
 --
-ring (Thorsten Alteholz)
-  NOTE: 20221120: Added by Front-Desk (ta)
-  NOTE: 20230827: testing package, almost done
---
 ruby-loofah
   NOTE: 20221231: Added by Front-Desk (ola)
   NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c016457521eb531b0510858181ad2fe8cc81312



[Git][security-tracker-team/security-tracker][master] bugnums

2023-08-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eb7ca0fb by Moritz Muehlenhoff at 2023-08-29T23:02:42+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -169,20 +169,20 @@ CVE-2023-40997 (Buffer Overflow vulnerability in O-RAN 
Software Community ric-pl
 CVE-2023-40857 (Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 
allows a remo ...)
NOTE: Non issue, untrusted yara rules not supported, see 
https://github.com/VirusTotal/yara/issues/1948
 CVE-2023-40828 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
-   - libpf4j-java 
+   - libpf4j-java  (bug #1050834)
[bookworm] - libpf4j-java  (Minor issue)
NOTE: https://github.com/pf4j/pf4j/pull/537
NOTE: https://github.com/pf4j/pf4j/pull/538
NOTE: Fixed by: 
https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72
 CVE-2023-40827 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
-   - libpf4j-java 
+   - libpf4j-java  (bug #1050834)
[bookworm] - libpf4j-java  (Minor issue)
NOTE: https://github.com/pf4j/pf4j/issues/536
NOTE: https://github.com/pf4j/pf4j/pull/537
NOTE: https://github.com/pf4j/pf4j/pull/538
NOTE: Fixed by: 
https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72
 CVE-2023-40826 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
-   - libpf4j-java 
+   - libpf4j-java  (bug #1050834)
[bookworm] - libpf4j-java  (Minor issue)
NOTE: https://github.com/pf4j/pf4j/issues/536
NOTE: Duplicate/similar to: https://github.com/pf4j/pf4j/issues/526
@@ -19499,7 +19499,7 @@ CVE-2023-29339
 CVE-2023-29338 (Visual Studio Code Information Disclosure Vulnerability)
NOT-FOR-US: Microsoft
 CVE-2023-29337 (NuGet Client Remote Code Execution Vulnerability)
-   - nuget 
+   - nuget  (bug #1050835)
[buster] - nuget  (Can wait for next update)
NOTE: 
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337
 CVE-2023-29336 (Win32k Elevation of Privilege Vulnerability)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb7ca0fbe9c30d1a868ff114bf690847076b1bf0



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3548-1 for qpdf

2023-08-29 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5ffdf337 by Thorsten Alteholz at 2023-08-29T23:00:36+02:00
Reserve DLA-3548-1 for qpdf

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -151410,7 +151410,6 @@ CVE-2021-36979 (Unicorn Engine 1.0.2 has an 
out-of-bounds write in tb_flush_arme
NOT-FOR-US: Unicorn Engine
 CVE-2021-36978 (QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a 
heap-based buffer ...)
- qpdf 10.1.0-1
-   [buster] - qpdf  (Minor issue)
[stretch] - qpdf  (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28262
NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qpdf/OSV-2020-2245.yaml
@@ -338377,7 +338376,6 @@ CVE-2012-6710 (ext_find_user in eXtplorer through 
2.1.2 allows remote attackers
- extplorer 
 CVE-2018-18020 (In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, 
QPDFWriter::unparseObject and ...)
- qpdf 9.0.0-1
-   [buster] - qpdf  (Minor issue)
[stretch] - qpdf  (Minor issue)
[jessie] - qpdf  (Minor issue)
NOTE: https://github.com/qpdf/qpdf/issues/243
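Review bot: the DLA-3548-1 entry added to data/DLA/list lists three CVEs, but the data/CVE/list hunks only remove the "[buster] - qpdf (Minor issue)" line for CVE-2021-36978 and CVE-2018-18020. Confirm that CVE-2021-25786 has no conflicting [buster] annotation left, otherwise the tracker will keep reporting it as no-dsa in buster despite the DLA.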


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[29 Aug 2023] DLA-3548-1 qpdf - security update
+   {CVE-2018-18020 CVE-2021-25786 CVE-2021-36978}
+   [buster] - qpdf 8.4.0-2+deb10u1
 [29 Aug 2023] DLA-3547-1 tryton-server - security update
[buster] - tryton-server 5.0.4-2+deb10u2
 [28 Aug 2023] DLA-3546-1 opendmarc - security update


=
data/dla-needed.txt
=
@@ -160,9 +160,6 @@ python2.7
   NOTE: 20230826: and wasn't fixed in Debian, but the extra patch is now 
available and can be fixed now. (utkarsh)
   NOTE: 20230826: contact Utkarsh in case you're unable to find the 
supplementary patch. (utkarsh)
 --
-qpdf (Thorsten Alteholz)
-  NOTE: 20230820: Added by Front-Desk (ta)
---
 qt4-x11
   NOTE: 20230822: Re-added for one remaining open CVE (roberto)
   NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, 
fix or remove entry from this file (roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ffdf33738fbbee2ad47c0774e58cc1609cdc4ba



[Git][security-tracker-team/security-tracker][master] Track proposed update for clamav via bookworm-pu

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0abe983e by Salvatore Bonaccorso at 2023-08-29T22:43:16+02:00
Track proposed update for clamav via bookworm-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -31,3 +31,7 @@ CVE-2023-3817
[bookworm] - openssl 3.0.10-1~deb12u1
 CVE-2023-40305
[bookworm] - indent 2.2.12-4+deb12u2
+CVE-2023-20197
+   [bookworm] - clamav 1.0.2+dfsg-1~deb12u1
+CVE-2023-20212
+   [bookworm] - clamav 1.0.2+dfsg-1~deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0abe983eeffae6edbb069499b5be2196910707dc



[Git][security-tracker-team/security-tracker][master] Track proposed update for clamav via bullseye-pu

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e302e666 by Salvatore Bonaccorso at 2023-08-29T22:42:14+02:00
Track proposed update for clamav via bullseye-pu

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -185,3 +185,5 @@ CVE-2023-3446
[bullseye] - openssl 1.1.1v-0~deb11u1
 CVE-2023-3817
[bullseye] - openssl 1.1.1v-0~deb11u1
+CVE-2023-20197
+   [bullseye] - clamav 0.103.9+dfsg-0+deb11u1
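Review bot: only CVE-2023-20197 is tracked here for bullseye, whereas the bookworm-pu commit in this batch tracks both CVE-2023-20197 and CVE-2023-20212 for clamav 1.0.2+dfsg-1~deb12u1. If CVE-2023-20212 does not apply to the 0.103.9 branch that should be recorded on its data/CVE/list entry; otherwise a matching "[bullseye] - clamav 0.103.9+dfsg-0+deb11u1" line is missing from this file.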



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e302e666c687bbd6676e0a1c4e56fc0df1566ab6



[Git][security-tracker-team/security-tracker][master] Add two zbar issues, with unclear upstream status

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c63ab282 by Salvatore Bonaccorso at 2023-08-29T22:24:22+02:00
Add two zbar issues, with unclear upstream status

The reporter uses an older version, but unclear if it is fixed or even
reported upstream.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,9 +9,13 @@ CVE-2023-41362 (MyBB before 1.8.36 allows Code Injection by 
users with certain h
 CVE-2023-41037 (OpenPGP.js is a JavaScript implementation of the OpenPGP 
protocol. In  ...)
TODO: check
 CVE-2023-40890 (A stack-based buffer overflow vulnerability exists in the 
lookup_seque ...)
-   TODO: check
+   - zbar 
+   NOTE: https://hackmd.io/@cspl/H1PxPAUnn
+   TODO: check if reported upsream
 CVE-2023-40889 (A heap-based buffer overflow exists in the 
qr_reader_match_centers fun ...)
-   TODO: check
+   - zbar 
+   NOTE: https://hackmd.io/@cspl/B1ZkFZv23
+   TODO: check if reported upstream
 CVE-2023-40787 (In SpringBlade V3.6.0 when executing SQL query, the parameters 
submitt ...)
TODO: check
 CVE-2023-3646 (On affected platforms running Arista EOS with mirroring to 
multiple de ...)
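Review bot: typo in the added line for CVE-2023-40890, "TODO: check if reported upsream" (upsream → upstream); the sibling line added for CVE-2023-40889 spells it correctly. Both entries now have a "- zbar" line with no fixed version, which is consistent with the commit message's unclear upstream status.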



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c63ab282103440a61b7e0e2d48eb036592704987



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
65698136 by Salvatore Bonaccorso at 2023-08-29T22:23:22+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,9 +3,9 @@ CVE-2023-4572 (Use after free in MediaStream in Google Chrome 
prior to 116.0.584
 CVE-2023-4346 (KNX devices that use KNX Connection Authorization and support 
Option 1 ...)
TODO: check
 CVE-2023-41376 (Nokia Service Router Operating System (SR OS) 22.10 and SR 
Linux, when ...)
-   TODO: check
+   NOT-FOR-US: Nokia Service Router Operating System (SR OS) and SR Linux
 CVE-2023-41362 (MyBB before 1.8.36 allows Code Injection by users with certain 
high pr ...)
-   TODO: check
+   NOT-FOR-US: MyBB
 CVE-2023-41037 (OpenPGP.js is a JavaScript implementation of the OpenPGP 
protocol. In  ...)
TODO: check
 CVE-2023-40890 (A stack-based buffer overflow vulnerability exists in the 
lookup_seque ...)
@@ -15,7 +15,7 @@ CVE-2023-40889 (A heap-based buffer overflow exists in the 
qr_reader_match_cente
 CVE-2023-40787 (In SpringBlade V3.6.0 when executing SQL query, the parameters 
submitt ...)
TODO: check
 CVE-2023-3646 (On affected platforms running Arista EOS with mirroring to 
multiple de ...)
-   TODO: check
+   NOT-FOR-US: Arista
 CVE-2023-3253 (An improper authorization vulnerability exists where an 
authenticated, ...)
TODO: check
 CVE-2023-3252 (An arbitrary file write vulnerability exists where an 
authenticated, r ...)
@@ -33,17 +33,17 @@ CVE-2023-39615 (Xmlsoft Libxml2 v2.11.0 was discovered to 
contain a global buffe
 CVE-2023-39522 (goauthentik is an open-source Identity Provider. In affected 
versions  ...)
TODO: check
 CVE-2023-39268 (A memory corruption vulnerability in ArubaOS-Switch could lead 
to unau ...)
-   TODO: check
+   NOT-FOR-US: Aruba
 CVE-2023-39267 (An authenticated remote code execution vulnerability exists in 
the com ...)
TODO: check
 CVE-2023-39266 (A vulnerability in the ArubaOS-Switch web management interface 
could a ...)
-   TODO: check
+   NOT-FOR-US: Aruba
 CVE-2023-38802 (FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow 
a remote ...)
TODO: check
 CVE-2023-38283 (In OpenBGPD before 8.1, incorrect handling of BGP update data 
(length  ...)
TODO: check
 CVE-2023-34039 (Aria Operations for Networks contains an Authentication Bypass 
vulnera ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2023-4585
- firefox 
- firefox-esr 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65698136929bfc88bdaa0b870b40204d78dadad1



[Git][security-tracker-team/security-tracker][master] Add CVE-2020-24165/qemu

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5b8ef00d by Salvatore Bonaccorso at 2023-08-29T22:16:03+02:00
Add CVE-2020-24165/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -215944,6 +215944,9 @@ CVE-2020-24167
 CVE-2020-24166
RESERVED
 CVE-2020-24165 (An issue was discovered in TCG Accelerator in QEMU 4.2.0, 
allows local ...)
+   - qemu 1:5.0-1
+   NOTE: https://bugs.launchpad.net/qemu/+bug/1863025
+   NOTE: Fixed by: 
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=886cc68943ebe8cf7e5f970be33459f95068a441
 (v5.0.0-rc0)
TODO: check
 CVE-2020-24164 (A deserialization flaw is present in Taoensso Nippy before 
2.14.2. In  ...)
NOT-FOR-US: Taoensso Nippy
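Review bot: the unchanged "TODO: check" context line directly after the three added lines still belongs to the CVE-2020-24165 entry, so the entry now carries both a fixed version ("- qemu 1:5.0-1", with the fixing commit noted as v5.0.0-rc0) and an open TODO. If the fixed version is confirmed, drop the TODO line so the entry no longer appears in the triage queue.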



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b8ef00d04c2930193517d78340a24cf95a5e80f



[Git][security-tracker-team/security-tracker][master] automatic update

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
20a17e2e by security tracker role at 2023-08-29T20:12:45+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,49 @@
+CVE-2023-4572 (Use after free in MediaStream in Google Chrome prior to 
116.0.5845.140 ...)
+   TODO: check
+CVE-2023-4346 (KNX devices that use KNX Connection Authorization and support 
Option 1 ...)
+   TODO: check
+CVE-2023-41376 (Nokia Service Router Operating System (SR OS) 22.10 and SR 
Linux, when ...)
+   TODO: check
+CVE-2023-41362 (MyBB before 1.8.36 allows Code Injection by users with certain 
high pr ...)
+   TODO: check
+CVE-2023-41037 (OpenPGP.js is a JavaScript implementation of the OpenPGP 
protocol. In  ...)
+   TODO: check
+CVE-2023-40890 (A stack-based buffer overflow vulnerability exists in the 
lookup_seque ...)
+   TODO: check
+CVE-2023-40889 (A heap-based buffer overflow exists in the 
qr_reader_match_centers fun ...)
+   TODO: check
+CVE-2023-40787 (In SpringBlade V3.6.0 when executing SQL query, the parameters 
submitt ...)
+   TODO: check
+CVE-2023-3646 (On affected platforms running Arista EOS with mirroring to 
multiple de ...)
+   TODO: check
+CVE-2023-3253 (An improper authorization vulnerability exists where an 
authenticated, ...)
+   TODO: check
+CVE-2023-3252 (An arbitrary file write vulnerability exists where an 
authenticated, r ...)
+   TODO: check
+CVE-2023-3251 (A pass-back vulnerability exists where an authenticated, remote 
attack ...)
+   TODO: check
+CVE-2023-39678 (A cross-site scripting (XSS) vulnerability in the device web 
interface ...)
+   TODO: check
+CVE-2023-39663 (Mathjax up to v2.7.9 was discovered to contain two Regular 
expression  ...)
+   TODO: check
+CVE-2023-39616 (AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid 
read mem ...)
+   TODO: check
+CVE-2023-39615 (Xmlsoft Libxml2 v2.11.0 was discovered to contain a global 
buffer over ...)
+   TODO: check
+CVE-2023-39522 (goauthentik is an open-source Identity Provider. In affected 
versions  ...)
+   TODO: check
+CVE-2023-39268 (A memory corruption vulnerability in ArubaOS-Switch could lead 
to unau ...)
+   TODO: check
+CVE-2023-39267 (An authenticated remote code execution vulnerability exists in 
the com ...)
+   TODO: check
+CVE-2023-39266 (A vulnerability in the ArubaOS-Switch web management interface 
could a ...)
+   TODO: check
+CVE-2023-38802 (FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow 
a remote ...)
+   TODO: check
+CVE-2023-38283 (In OpenBGPD before 8.1, incorrect handling of BGP update data 
(length  ...)
+   TODO: check
+CVE-2023-34039 (Aria Operations for Networks contains an Authentication Bypass 
vulnera ...)
+   TODO: check
 CVE-2023-4585
- firefox 
- firefox-esr 
@@ -3392,7 +3438,7 @@ CVE-2023-3663 (In CODESYS Development System versions 
from 3.5.11.20 and before
NOT-FOR-US: Codesys
 CVE-2023-3662 (In CODESYS Development System versions from 3.5.17.0 and prior 
to 3.5. ...)
NOT-FOR-US: Codesys
-CVE-2023-3348 (The Wrangler command line tool (<=wrangler@3.1.0) was affected 
by a di ...)
+CVE-2023-3348 (The Wrangler command line tool (<=wrangler@3.1.0 or 
<=wrangler@2.20.1) ...)
NOT-FOR-US: Wrangler
 CVE-2023-3346 (Buffer Copy without Checking Size of Input ('Classic Buffer 
Overflow') ...)
NOT-FOR-US: Mitsubishi
@@ -32866,8 +32912,8 @@ CVE-2023-0656 (A Stack-based buffer overflow 
vulnerability in the SonicOS allows
NOT-FOR-US: SonicOS
 CVE-2023-0655 (SonicWall Email Security contains a vulnerability that could 
permit a  ...)
NOT-FOR-US: SonicWall
-CVE-2023-0654
-   RESERVED
+CVE-2023-0654 (Due to a misconfiguration, the WARP Mobile Client (< 6.29) for 
Android ...)
+   TODO: check
 CVE-2023-0653
RESERVED
 CVE-2023-0652 (Due to a hardlink created in the ProgramData folder during the 
repair  ...)
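Review bot: CVE-2023-0654 describes the WARP Mobile Client (< 6.29) for Android, an Android app that is outside what Debian packages, so the new TODO: check line could be resolved straight to a NOT-FOR-US line like the SonicOS and SonicWall entries in the context above it; leaving it at TODO only defers a trivial triage.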
@@ -34314,8 +34360,8 @@ CVE-2023-24550 (A vulnerability has been identified in 
Solid Edge SE2022 (All ve
NOT-FOR-US: Siemens
 CVE-2023-24549 (A vulnerability has been identified in Solid Edge SE2022 (All 
versions ...)
NOT-FOR-US: Siemens
-CVE-2023-24548
-   RESERVED
+CVE-2023-24548 (On affected platforms running Arista EOS with VXLAN 
configured, malfor ...)
+   TODO: check
 CVE-2023-24547
RESERVED
 CVE-2023-24546 (On affected versions of the CloudVision Portal improper access 
control ...)
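Review bot: CVE-2023-24548 (Arista EOS with VXLAN configured) is the second Arista EOS issue in this commit after CVE-2023-3646 in the first hunk; both are vendor network-OS issues and the surrounding context shows the convention for those (NOT-FOR-US: Siemens, NOT-FOR-US: SonicOS), so a NOT-FOR-US: Arista line would close both instead of leaving two TODO: check placeholders.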
@@ -36594,16 +36640,16 @@ CVE-2014-125083 (A vulnerability has been found in 
Anant Labs google-enterprise-
NOT-FOR-US: Anant Labs google-enterprise-connect
 CVE-2013-10014 (A vulnerability classified as critical has been found in 
oktora24 2moo ...)
NOT-FOR-US: oktora24 2moons
-CVE-2023-23774
-   RESERVED

[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-4082{6,7,8}/libpf4j-java

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5c5694f3 by Salvatore Bonaccorso at 2023-08-29T22:03:15+02:00
Update information on CVE-2023-4082{6,7,8}/libpf4j-java

All three issues, following the upstream reference boil down to the
https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72
commit upstream .

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -119,21 +119,25 @@ CVE-2023-40997 (Buffer Overflow vulnerability in O-RAN 
Software Community ric-pl
 CVE-2023-40857 (Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 
allows a remo ...)
NOTE: Non issue, untrusted yara rules not supported, see 
https://github.com/VirusTotal/yara/issues/1948
 CVE-2023-40828 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
-   - libpf4j-java 3.9.0+dfsg-1
+   - libpf4j-java 
[bookworm] - libpf4j-java  (Minor issue)
NOTE: https://github.com/pf4j/pf4j/pull/537
NOTE: https://github.com/pf4j/pf4j/pull/538
-   NOTE: 
https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72
+   NOTE: Fixed by: 
https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72
 CVE-2023-40827 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
-   - libpf4j-java 3.9.0+dfsg-1
+   - libpf4j-java 
[bookworm] - libpf4j-java  (Minor issue)
NOTE: https://github.com/pf4j/pf4j/issues/536
NOTE: https://github.com/pf4j/pf4j/pull/537
-   NOTE: 
https://github.com/pf4j/pf4j/pull/537/commits/ed9392069fe14c6c30d9f876710e5ad40f7ea8c1
+   NOTE: https://github.com/pf4j/pf4j/pull/538
+   NOTE: Fixed by: 
https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72
 CVE-2023-40826 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
-   - libpf4j-java 3.9.0+dfsg-1
+   - libpf4j-java 
[bookworm] - libpf4j-java  (Minor issue)
NOTE: https://github.com/pf4j/pf4j/issues/536
+   NOTE: Duplicate/similar to: https://github.com/pf4j/pf4j/issues/526
+   NOTE: https://github.com/pf4j/pf4j/pull/538
+   NOTE: Fixed by: 
https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72
 CVE-2023-40825 (An issue in Perfree PerfreeBlog v.3.1.2 allows a remote 
attacker to ex ...)
NOT-FOR-US: PerfreeBlog
 CVE-2023-40781 (Buffer Overflow vulnerability in Libming Libming v.0.4.8 
allows a remo ...)
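Review bot: dropping the 3.9.0+dfsg-1 fixed version on all three entries is the right correction, since every description says pf4j v.3.9.0 and before is affected and the fix is referenced as an upstream commit (8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72, now labelled "Fixed by:" on each entry), not as a release. Two things remain: the `[bookworm] (Minor issue)` tag records no reason, and because the three CVEs share one fixing commit, the eventual upload should name all three ids so the tracker can close them together.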



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c5694f37116fffc3ccd07c5a9a88ebc8e62165e



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Process one NFU

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d210c9c by Salvatore Bonaccorso at 2023-08-29T21:58:10+02:00
Process one NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -85,7 +85,7 @@ CVE-2023-4573
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4573
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4573
 CVE-2023-41363 (In Cerebrate 1.14, a vulnerability in UserSettingsController 
allows au ...)
-   TODO: check
+   NOT-FOR-US: Cerebrate
 CVE-2023-41361 (An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c 
does not ...)
- frr 
NOTE: https://github.com/FRRouting/frr/pull/14241



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d210c9c288eeeb4b2215824c95e41f025552e9d



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-31102 and CVE-2023-40481

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fb8c8f90 by Salvatore Bonaccorso at 2023-08-29T18:52:38+02:00
Add CVE-2023-31102 and CVE-2023-40481

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14274,8 +14274,15 @@ CVE-2022-48476 (In JetBrains Ktor before 2.3.0 path 
traversal in the `resolveRes
NOT-FOR-US: JetBrains Ktor
 CVE-2023-31103 (Exposure of Resource to Wrong Sphere Vulnerability in Apache 
Software  ...)
NOT-FOR-US: Apache InLong
+CVE-2023-40481
+   - 7zip 23.01+dfsg-1
+   NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1164/
+   NOTE: 
https://sourceforge.net/p/sevenzip/discussion/45797/thread/713c8a8269/
 CVE-2023-31102
RESERVED
+   - 7zip 23.01+dfsg-1
+   NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1165/
+   NOTE: 
https://sourceforge.net/p/sevenzip/discussion/45797/thread/713c8a8269/
 CVE-2023-31101 (Insecure Default Initialization of Resource Vulnerability in 
Apache So ...)
NOT-FOR-US: Apache InLong
 CVE-2023-31100
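Review bot: neither CVE-2023-40481 nor CVE-2023-31102 gets a suite-specific line, so every suite carrying a 7zip version below 23.01+dfsg-1 will be displayed as affected; if stable or oldstable ship an affected 7zip, a `[bookworm] - 7zip ...` line with the triage decision in parentheses (as the libpf4j-java entries do with "(Minor issue)") should record it, and if they are not affected that should be stated the same way.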



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb8c8f90a899f454a59b7c77c1e1aa51b9879d55



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: take orthanc and tiff

2023-08-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac555012 by Anton Gladky at 2023-08-29T18:49:24+02:00
LTS: take orthanc and tiff

- - - - -
de4dd34a by Anton Gladky at 2023-08-29T18:50:54+02:00
Update email

- - - - -


2 changed files:

- data/dla-needed.txt
- org/lts-frontdesk.2023.txt


Changes:

=
data/dla-needed.txt
=
@@ -126,7 +126,7 @@ openjdk-11 (Emilio)
   NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking
   NOTE: 20230802: whether to change jtreg version (pochu)
 --
-orthanc
+orthanc (gladk)
   NOTE: 20230812: Added by Front-Desk (Beuc)
   NOTE: 20230812: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41
   NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk)
@@ -233,7 +233,7 @@ suricata (Adrian Bunk)
 thunderbird (Emilio)
   NOTE: 20230829: Added by pochu
 --
-tiff
+tiff (gladk)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
 --
 trafficserver
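Review bot: both claims in this commit (orthanc (gladk) in the previous hunk and tiff (gladk) here) add only the assignee; the tryton-server entry in the same file shows the convention of adding a dated NOTE with the plan ("NOTE: 20230829: Maintainer has prepared the update. I'll do the paperwork (santiago)"), and for orthanc the pending "Check DSA-5473-1" front-desk note should be answered or dropped once the update is scoped.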


=
org/lts-frontdesk.2023.txt
=
@@ -24,15 +24,15 @@ From 05-06 to 11-06:Markus Koschany 
 From 12-06 to 18-06:Ola Lundqvist 
 From 19-06 to 25-06:Sylvain Beucler 
 From 26-06 to 02-07:Thorsten Alteholz 
-From 03-07 to 09-07:Anton Gladky 
+From 03-07 to 09-07:Anton Gladky 
 From 10-07 to 16-07:Chris Lamb 
 From 17-07 to 23-07:Emilio Pozuelo Monfort 
 From 24-07 to 30-07:Markus Koschany 
-From 31-07 to 06-08:Anton Gladky 
+From 31-07 to 06-08:Anton Gladky 
 From 07-08 to 13-08:Sylvain Beucler 
 From 14-08 to 20-08:Thorsten Alteholz 
 From 21-08 to 27-08:Utkarsh Gupta 
-From 28-08 to 03-09:Anton Gladky 
+From 28-08 to 03-09:Anton Gladky 
 From 04-09 to 10-09:Chris Lamb 
 From 11-09 to 17-09:Emilio Pozuelo Monfort 
 From 18-09 to 24-09:Markus Koschany 
@@ -40,7 +40,7 @@ From 25-09 to 01-10:Ola Lundqvist 
 From 02-10 to 08-10:Sylvain Beucler 
 From 09-10 to 15-10:Thorsten Alteholz 
 From 16-10 to 22-10:Utkarsh Gupta 
-From 23-10 to 29-10:Anton Gladky 
+From 23-10 to 29-10:Anton Gladky 
 From 30-10 to 05-11:Chris Lamb 
 From 06-11 to 12-11:Emilio Pozuelo Monfort 
 From 13-11 to 19-11:Markus Koschany 
@@ -48,5 +48,5 @@ From 20-11 to 26-11:Ola Lundqvist 
 From 27-11 to 03-12:Sylvain Beucler 
 From 04-12 to 10-12:Thorsten Alteholz 
 From 11-12 to 17-12:Utkarsh Gupta 
-From 18-12 to 24-12:Anton Gladky 
+From 18-12 to 24-12:Anton Gladky 
 From 25-12 to 31-12:Chris Lamb 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fdb067e1a312feac5be29e31047dac80828d1552...de4dd34a68381a1344af5927547073b1b104c0b9



[Git][security-tracker-team/security-tracker][master] Add buster tryton-server 5.0.4-2+deb10u2 entry in data/CVE/list

2023-08-29 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fdb067e1 by Santiago Ruano Rincón at 2023-08-29T13:19:11-03:00
Add buster tryton-server 5.0.4-2+deb10u2 entry in data/CVE/list

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -587,6 +587,7 @@ CVE-2023- [tryton-server lack of record validation]
- tryton-server 6.0.34-1
[bookworm] - tryton-server 6.0.29-2+deb12u1
[bullseye] - tryton-server 5.0.33-2+deb11u2
+   [buster] - tryton-server 5.0.4-2+deb10u2
NOTE: https://discuss.tryton.org/t/security-release-for-issue-12428
 CVE-2023-4513 (BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 
3.6.0 to  ...)
- wireshark 4.0.8-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdb067e1a312feac5be29e31047dac80828d1552



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3547-1 for tryton-server

2023-08-29 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
af604791 by Santiago Ruano Rincón at 2023-08-29T13:05:47-03:00
Reserve DLA-3547-1 for tryton-server

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[29 Aug 2023] DLA-3547-1 tryton-server - security update
+   [buster] - tryton-server 5.0.4-2+deb10u2
 [28 Aug 2023] DLA-3546-1 opendmarc - security update
{CVE-2020-12272}
[buster] - opendmarc 1.3.2-6+deb10u3
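Review bot: the new DLA-3547-1 entry has no {CVE-...} line between the header and the [buster] line, unlike DLA-3546-1 right below it ({CVE-2020-12272}); the tryton-server issue is tracked in data/CVE/list under a placeholder id ("CVE-2023- [tryton-server lack of record validation]"), so that temporary id should be listed in braces now and replaced once a CVE is assigned, otherwise the DLA stays unlinked from the CVE entry.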


=
data/dla-needed.txt
=
@@ -242,8 +242,3 @@ trafficserver
   NOTE: 20230826: Ubuntu side and track the fixing commits. I'll update when
   NOTE: 20230826: I have the answer here. (utkarsh)
 --
-tryton-server (santiago)
-  NOTE: 20230826: Added by Front-Desk (utkarsh)
-  NOTE: 20230826: sync with the DSA released. (utkarsh)
-  NOTE: 20230829: Maintainer has prepared the update. I'll do the paperwork 
(santiago)
---



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af604791ed9f4365108011b715aadc5b151f590e



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41358/frr

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c43fe3dd by Salvatore Bonaccorso at 2023-08-29T18:00:34+02:00
Add CVE-2023-41358/frr

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -105,7 +105,11 @@ CVE-2023-41359 (An issue was discovered in FRRouting FRR 
through 9.0. There is a
NOTE: Backport for stable/8.5: 
https://github.com/FRRouting/frr/pull/14268
NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/460ee930d6dbce6e96ecbfcd568a291f31bae24e
 CVE-2023-41358 (An issue was discovered in FRRouting FRR through 9.0. 
bgpd/bgp_packet. ...)
-   TODO: check
+   - frr 
+   NOTE: https://github.com/FRRouting/frr/pull/14260
+   NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/28ccc24d38df1d51ed8a563507e5d6f6171fdd38
+   NOTE: Backport for stable/8.5: 
https://github.com/FRRouting/frr/pull/14270
+   NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/f291f1ee9434f56d4b185db0652794a92e313b00
 CVE-2023-41005 (An issue in Pagekit pagekit v.1.0.18 alows a remote attacker 
to execut ...)
NOT-FOR-US: Pagekit CMS
 CVE-2023-40998 (Buffer Overflow vulnerability in O-RAN Software Community 
ric-plt-lib- ...)
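Review bot: CVE-2023-41358 now carries two "Fixed by:" lines, one for the master commit 28ccc24d38df1d51ed8a563507e5d6f6171fdd38 and one for the stable/8.5 backport commit f291f1ee9434f56d4b185db0652794a92e313b00, which reads as if both were needed in one tree; marking the second as the backport's commit (for instance folding it into the "Backport for stable/8.5:" note) makes clear which one to cherry-pick for the frr version being patched in Debian.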



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c43fe3dd8c3c20d43ff4388f50ed4e707188347c



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41359/frr

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
65d6a5da by Salvatore Bonaccorso at 2023-08-29T17:57:32+02:00
Add CVE-2023-41359/frr

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -99,7 +99,11 @@ CVE-2023-41360 (An issue was discovered in FRRouting FRR 
through 9.0. bgpd/bgp_p
NOTE: Backport for stable/8.5: 
https://github.com/FRRouting/frr/pull/14249
NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/3515178de4a56d66ed948a774efcbe4a854e1ca7
 CVE-2023-41359 (An issue was discovered in FRRouting FRR through 9.0. There is 
an out- ...)
-   TODO: check
+   - frr 
+   NOTE: https://github.com/FRRouting/frr/pull/14232
+   NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/f96201e104892e18493f24cf67bb713678e8237b
+   NOTE: Backport for stable/8.5: 
https://github.com/FRRouting/frr/pull/14268
+   NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/460ee930d6dbce6e96ecbfcd568a291f31bae24e
 CVE-2023-41358 (An issue was discovered in FRRouting FRR through 9.0. 
bgpd/bgp_packet. ...)
TODO: check
 CVE-2023-41005 (An issue in Pagekit pagekit v.1.0.18 alows a remote attacker 
to execut ...)
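Review bot: the trailing context shows CVE-2023-41358 still at TODO: check although it belongs to the same batch of FRR 9.0 bgpd issues as CVE-2023-41359 and CVE-2023-41360 resolved here (same "An issue was discovered in FRRouting FRR through 9.0" description); it is handled in the follow-up commit c43fe3dd, so resolving the batch in one commit would have avoided a push in which only part of the family points at the frr package.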



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65d6a5dad33ac75adad7e5c2b9d0917a7d1aa5c1



[Git][security-tracker-team/security-tracker][master] Document expected behaviour for check_by_ssh in monitoring-plugins

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f786c32 by Salvatore Bonaccorso at 2023-08-29T17:49:20+02:00
Document expected behaviour for check_by_ssh in monitoring-plugins

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6839,6 +6839,8 @@ CVE-2023-37154
NOTE: monitoring-plugins upstream does not plan to make an upstream 
change similar to
NOTE: nagios-plugins because there are valid usecases to execute stuff 
locally via
NOTE: check_by_ssh (although not commonly known and used).
+   NOTE: Documentation for expected behaviour in 
monitoring-plugins/check_by_ssh:
+   NOTE: 
https://github.com/monitoring-plugins/monitoring-plugins/security/advisories/GHSA-p3gv-vmpx-hhw4
 CVE-2023-37153 (KodExplorer 4.51 contains a Cross-Site Scripting (XSS) 
vulnerability i ...)
NOT-FOR-US: KodExplorer
 CVE-2023-37152 (Projectworlds Online Art Gallery Project 1.0 allows 
unauthenticated us ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f786c32639ba9d3268827c099f01aa0721a7ddb



[Git][security-tracker-team/security-tracker][master] yara non issue

2023-08-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
feef0239 by Moritz Muehlenhoff at 2023-08-29T17:18:50+02:00
yara non issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -109,7 +109,7 @@ CVE-2023-40998 (Buffer Overflow vulnerability in O-RAN 
Software Community ric-pl
 CVE-2023-40997 (Buffer Overflow vulnerability in O-RAN Software Community 
ric-plt-lib- ...)
NOT-FOR-US: O-RAN Software Community ric-plt-lib-rmr
 CVE-2023-40857 (Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 
allows a remo ...)
-   TODO: check
+   NOTE: Non issue, untrusted yara rules not supported, see 
https://github.com/VirusTotal/yara/issues/1948
 CVE-2023-40828 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
- libpf4j-java 3.9.0+dfsg-1
[bookworm] - libpf4j-java  (Minor issue)
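Review bot: replacing TODO: check with only a NOTE leaves CVE-2023-40857 with no package or state line, so the tracker cannot display it as resolved for yara; the other entries in this hunk end in either a NOT-FOR-US line or a package line, and a non-issue conclusion is normally recorded as a state on the package with the reason ("untrusted yara rules not supported") in parentheses, keeping the issue link as the NOTE.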



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/feef02391c060776ff268917364fdd8261f19230



[Git][security-tracker-team/security-tracker][master] new firefox issues

2023-08-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2277139 by Moritz Muehlenhoff at 2023-08-29T16:59:51+02:00
new firefox issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1,3 +1,89 @@
+CVE-2023-4585
+   - firefox 
+   - firefox-esr 
+   [bookworm] - firefox-esr  (ESR 102 not affected)
+   [bullseye] - firefox-esr  (ESR 102 not affected)
+   [buster] - firefox-esr  (ESR 102 not affected)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4585
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4585
+CVE-2023-4584
+   - firefox-esr 
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4584
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4584
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4584
+CVE-2023-4583
+   - firefox 
+   - firefox-esr 
+   [bookworm] - firefox-esr  (ESR 102 not affected)
+   [bullseye] - firefox-esr  (ESR 102 not affected)
+   [buster] - firefox-esr  (ESR 102 not affected)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4583
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4583
+CVE-2023-4582
+   - firefox-esr  (MacOS-specific)
+   - firefox  (MacOS-specific)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4582
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4582
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4582
+CVE-2023-4581
+   - firefox-esr 
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4581
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4581
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4581
+CVE-2023-4580
+   - firefox 
+   - firefox-esr 
+   [bookworm] - firefox-esr  (ESR 102 not affected)
+   [bullseye] - firefox-esr  (ESR 102 not affected)
+   [buster] - firefox-esr  (ESR 102 not affected)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4580
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4580
+CVE-2023-4579
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4579
+CVE-2023-4578
+   - firefox 
+   - firefox-esr 
+   [bookworm] - firefox-esr  (ESR 102 not affected)
+   [bullseye] - firefox-esr  (ESR 102 not affected)
+   [buster] - firefox-esr  (ESR 102 not affected)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4578
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4578
+CVE-2023-4577
+   - firefox-esr 
+   [bookworm] - firefox-esr  (ESR 102 not affected)
+   [bullseye] - firefox-esr  (ESR 102 not affected)
+   [buster] - firefox-esr  (ESR 102 not affected)
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4577
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4577
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4577
+CVE-2023-4576
+   - firefox-esr  (Windows-specific)
+   - firefox  (Windows-specific)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4576
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4576
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4576
+CVE-2023-4575
+   - firefox-esr 
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4575
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4575
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4575
+CVE-2023-4574
+   - firefox-esr 
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4574
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4574
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4574
+CVE-2023-4573
+   - firefox-esr 
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4573
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/#CVE-2023-4573
+   NOTE: 
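Review bot: in CVE-2023-4577 the [bookworm]/[bullseye]/[buster] lines sit between the firefox-esr and firefox package lines, whereas every other entry in this hunk with suite lines (CVE-2023-4585, CVE-2023-4583, CVE-2023-4580, CVE-2023-4578) lists both package lines first and the suite lines after; moving the `- firefox` line up keeps the entries uniform and avoids the suite lines being read as applying to firefox rather than firefox-esr.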

[Git][security-tracker-team/security-tracker][master] new libpf4j-java issues

2023-08-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0d616398 by Moritz Muehlenhoff at 2023-08-29T15:18:01+02:00
new libpf4j-java issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25,11 +25,21 @@ CVE-2023-40997 (Buffer Overflow vulnerability in O-RAN 
Software Community ric-pl
 CVE-2023-40857 (Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 
allows a remo ...)
TODO: check
 CVE-2023-40828 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
-   TODO: check
+   - libpf4j-java 3.9.0+dfsg-1
+   [bookworm] - libpf4j-java  (Minor issue)
+   NOTE: https://github.com/pf4j/pf4j/pull/537
+   NOTE: https://github.com/pf4j/pf4j/pull/538
+   NOTE: 
https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72
 CVE-2023-40827 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
-   TODO: check
+   - libpf4j-java 3.9.0+dfsg-1
+   [bookworm] - libpf4j-java  (Minor issue)
+   NOTE: https://github.com/pf4j/pf4j/issues/536
+   NOTE: https://github.com/pf4j/pf4j/pull/537
+   NOTE: 
https://github.com/pf4j/pf4j/pull/537/commits/ed9392069fe14c6c30d9f876710e5ad40f7ea8c1
 CVE-2023-40826 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
-   TODO: check
+   - libpf4j-java 3.9.0+dfsg-1
+   [bookworm] - libpf4j-java  (Minor issue)
+   NOTE: https://github.com/pf4j/pf4j/issues/536
 CVE-2023-40825 (An issue in Perfree PerfreeBlog v.3.1.2 allows a remote 
attacker to ex ...)
NOT-FOR-US: PerfreeBlog
 CVE-2023-40781 (Buffer Overflow vulnerability in Libming Libming v.0.4.8 
allows a remo ...)
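Review bot: 3.9.0+dfsg-1 is recorded as the fixed version for CVE-2023-40828, CVE-2023-40827 and CVE-2023-40826, but each description says "pf4j v.3.9.0 and before" is affected and the references are upstream PRs 537/538 and a commit, not a newer release, so 3.9.0 cannot be the fixed version; the entries should be left unfixed with the bookworm note kept (this is corrected in the later commit 5c5694f3).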



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d616398e1fc8d65af3d11655167d6a6fd9d8512



[Git][security-tracker-team/security-tracker][master] NFUs

2023-08-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
539aaf27 by Moritz Muehlenhoff at 2023-08-29T15:13:57+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17,11 +17,11 @@ CVE-2023-41359 (An issue was discovered in FRRouting FRR 
through 9.0. There is a
 CVE-2023-41358 (An issue was discovered in FRRouting FRR through 9.0. 
bgpd/bgp_packet. ...)
TODO: check
 CVE-2023-41005 (An issue in Pagekit pagekit v.1.0.18 alows a remote attacker 
to execut ...)
-   TODO: check
+   NOT-FOR-US: Pagekit CMS
 CVE-2023-40998 (Buffer Overflow vulnerability in O-RAN Software Community 
ric-plt-lib- ...)
-   TODO: check
+   NOT-FOR-US: O-RAN Software Community ric-plt-lib-rmr
 CVE-2023-40997 (Buffer Overflow vulnerability in O-RAN Software Community 
ric-plt-lib- ...)
-   TODO: check
+   NOT-FOR-US: O-RAN Software Community ric-plt-lib-rmr
 CVE-2023-40857 (Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 
allows a remo ...)
TODO: check
 CVE-2023-40828 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
@@ -31,23 +31,23 @@ CVE-2023-40827 (An issue in pf4j pf4j v.3.9.0 and before 
allows a remote attacke
 CVE-2023-40826 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
TODO: check
 CVE-2023-40825 (An issue in Perfree PerfreeBlog v.3.1.2 allows a remote 
attacker to ex ...)
-   TODO: check
+   NOT-FOR-US: PerfreeBlog
 CVE-2023-40781 (Buffer Overflow vulnerability in Libming Libming v.0.4.8 
allows a remo ...)
-   TODO: check
+   - ming 
 CVE-2023-39968 (jupyter-server is the backend for Jupyter web applications. 
Open Redir ...)
TODO: check
 CVE-2023-39650 (Theme Volty CMS Blog up to version v4.0.1 was discovered to 
contain a  ...)
-   TODO: check
+   NOT-FOR-US: Theme Volty CMS Blog
 CVE-2023-39059 (An issue in ansible semaphore v.2.8.90 allows a remote 
attacker to exe ...)
TODO: check
 CVE-2023-38969 (Cross Site Scripting vulnerabiltiy in Badaso v.2.9.7 allows a 
remote a ...)
-   TODO: check
+   NOT-FOR-US: Badaso
 CVE-2023-34725 (An issue was discovered in TechView LA-5570 Wireless Gateway 
1.0.19_T5 ...)
-   TODO: check
+   NOT-FOR-US: TechView
 CVE-2023-34724 (An issue was discovered in TECHView LA5570 Wireless Gateway 
1.0.19_T53 ...)
-   TODO: check
+   NOT-FOR-US: TechView
 CVE-2023-32457 (Dell PowerScale OneFS, versions 8.2.2.x-9.5.0.x, contains an 
improper  ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2023-4569 (A memory leak flaw was found in nft_set_catchall_flush in 
net/netfilte ...)
- linux 
NOTE: 
https://git.kernel.org/linus/90e5b3462efa37b8bba82d7c4e63683856e188af (6.5-rc7)
@@ -113,31 +113,31 @@ CVE-2023-39709 (Multiple cross-site scripting (XSS) 
vulnerabilities in Free and
 CVE-2023-39708 (A stored cross-site scripting (XSS) vulnerability in Free and 
Open Sou ...)
NOT-FOR-US: Free and Open Source Inventory Management System
 CVE-2023-39652 (theme volty tvcmsvideotab up to v4.0.0 was discovered to 
contain a SQL ...)
-   TODO: check
+   NOT-FOR-US: theme volty tvcmsvideotab
 CVE-2023-39578 (A stored cross-site scripting (XSS) vulnerability in the 
Create functi ...)
-   TODO: check
+   NOT-FOR-US: Zenario CMS
 CVE-2023-39562 (GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to 
contain a hea ...)
TODO: check
 CVE-2023-39560 (ECTouch v2 was discovered to contain a SQL injection 
vulnerability via ...)
-   TODO: check
+   NOT-FOR-US: ECTouch v2
 CVE-2023-39348 (Spinnaker is an open source, multi-cloud continuous delivery 
platform. ...)
-   TODO: check
+   NOT-FOR-US: Spinnaker
 CVE-2023-39062 (Cross Site Scripting vulnerability in Spipu HTML2PDF before 
v.5.2.8 al ...)
-   TODO: check
+   NOT-FOR-US: Spipu HTML2PDF
 CVE-2023-38289
REJECTED
 CVE-2023-38288
REJECTED
 CVE-2023-36481 (An issue was discovered in Samsung Exynos Mobile Processor and 
Wearabl ...)
-   TODO: check
+   NOT-FOR-US: Samsung
 CVE-2023-35785 (Zoho ManageEngine ADManager Plus through 7186 is vulnerable to 
2FA byp ...)
-   TODO: check
+   NOT-FOR-US: Zoho
 CVE-2023-34758 (Sliver from v1.5.x to v1.5.39 has an improper cryptographic 
implementa ...)
-   TODO: check
+   NOT-FOR-US: Slive
 CVE-2018-25089 (A vulnerability was found in glb Meetup Tag Extension 0.1 on 
MediaWiki ...)
-   TODO: check
+   NOT-FOR-US: glb Meetup Tag Extension
 CVE-2017-20186 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in 
nikooo777 ...)
-   TODO: check
+   NOT-FOR-US: nikooo777 ckSurf
 CVE-2023-4561 (Cross-site Scripting (XSS) - Stored in GitHub repository 
omeka/omeka-s ...)
NOT-FOR-US: Omeka S
 CVE-2023-4560 (Improper Authorization of Index Containing Sensitive 
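Review bot: the NOT-FOR-US tag for CVE-2023-34758 reads "Slive", while the description names the product as Sliver; the tag should be "Sliver" so that a later search on the product name finds this entry. The Theme Volty tags are also spelled differently between entries ("Theme Volty CMS Blog" earlier in this patch, "theme volty tvcmsvideotab" here); one spelling of the vendor name keeps the file greppable.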

[Git][security-tracker-team/security-tracker][master] Take tryton-server

2023-08-29 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0d19b16c by Santiago Ruano Rincón at 2023-08-29T10:04:21-03:00
Take tryton-server

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -242,7 +242,8 @@ trafficserver
   NOTE: 20230826: Ubuntu side and track the fixing commits. I'll update when
   NOTE: 20230826: I have the answer here. (utkarsh)
 --
-tryton-server
+tryton-server (santiago)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: sync with the DSA released. (utkarsh)
+  NOTE: 20230829: Maintainer has prepared the update. I'll do the paperwork 
(santiago)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d19b16cf40631778aa1577e0fb4417ddaf3b940



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2023-08-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
12ab88d6 by Moritz Muehlenhoff at 2023-08-29T12:53:13+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -105,6 +105,8 @@ CVE-2023-40170 (jupyter-server is the backend for Jupyter 
web applications. Impr
TODO: check
 CVE-2023-39810 (An issue in the CPIO command of Busybox v1.33.2 allows 
attackers to ex ...)
- busybox 
+   [bookworm] - busybox  (Minor issue)
+   [bullseye] - busybox  (Minor issue)
NOTE: 
https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/
 CVE-2023-39709 (Multiple cross-site scripting (XSS) vulnerabilities in Free 
and Open S ...)
NOT-FOR-US: Free and Open Source Inventory Management System
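Review bot: the busybox entry carries only the Pentagrid blog post as a reference; once the upstream fix is identified, a "NOTE: Fixed by:" line with the busybox commit would let the bookworm and bullseye "(Minor issue)" postponements be revisited against a concrete patch rather than a write-up.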
@@ -1875,14 +1877,18 @@ CVE-2023-40014 (OpenZeppelin Contracts is a library for 
secure smart contract de
NOT-FOR-US: OpenZeppelin Contracts
 CVE-2023-3824 (In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 
8.2.* bef ...)
- php8.2  (bug #1043477)
+   [bookworm] - php8.2  (Fix along in future update)
- php7.4 
+   [bullseye] - php7.4  (Fix along in future update)
- php7.3 
NOTE: 
https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv
NOTE: 
https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef 
(php-8.0.30)
NOTE: Fixed in: 8.0.30, 8.1.22, 8.2.8
 CVE-2023-3823 (In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 
8.2.* be ...)
- php8.2  (bug #1043477)
+   [bookworm] - php8.2  (Fix along in future update)
- php7.4 
+   [bullseye] - php7.4  (Fix along in future update)
- php7.3 
NOTE: 
https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr
NOTE: 
https://github.com/php/php-src/commit/c283c3ab0ba45d21b2b8745c1f9c7cbfe771c975 
(php-8.0.30)
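Review bot: CVE-2023-3823 is missing the "NOTE: Fixed in: 8.0.30, 8.1.22, 8.2.8" line that its sibling CVE-2023-3824 has, although both descriptions give the same 8.0.30 and 8.1.22 thresholds; adding it keeps the two entries in step. The rest is consistent: both reference bug #1043477 for php8.2 and defer bookworm and bullseye with "(Fix along in future update)".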


=
data/dsa-needed.txt
=
@@ -16,15 +16,18 @@ aom/oldstable (apo)
 --
 cinder/oldstable
 --
+file/oldstable
+--
 flac/oldstable
 --
 frr (aron)
   maintainer proposed to update to 8.4.4 for bookworm, which might be a good 
idea
 --
+json-c/oldstable (jmm)
+--
 libreswan (jmm)
   Maintainer prepared bookworm-security update, but needs work on 
bullseye-security backports
 --
---
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y and 6.1.y versions
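Review bot: the linux entry in the trailing context reads "regulary"; since this file is being edited anyway, "regularly" is the fix. Dropping the doubled "--" after the libreswan entry is right, as each entry is separated by exactly one "--" line, and the new file/oldstable and json-c/oldstable entries follow that layout.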



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12ab88d61fc5e175bd8070187d082a97e0cad596



[Git][security-tracker-team/security-tracker][master] lts: take openjdk-11

2023-08-29 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0ad9731c by Emilio Pozuelo Monfort at 2023-08-29T12:52:35+02:00
lts: take openjdk-11

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -118,7 +118,7 @@ nvidia-cuda-toolkit
 opendkim
   NOTE: 20230821: Added by Front-Desk (ta)
 --
-openjdk-11
+openjdk-11 (Emilio)
   NOTE: 20230419: Added by Front-Desk (ola)
   NOTE: 20230522: waiting for sid update (pochu)
   NOTE: 20230612: sid updated, preparing backport (pochu)
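Review bot: the claim tag "(Emilio)" does not match the "(pochu)" handle used in this entry's own NOTE lines, and no dated NOTE records the 2023-08-29 claim; a line in the existing style, for example "NOTE: 20230829: taken (pochu)", would keep the status trail continuous after the 20230612 note, and one handle per person makes the file easier to search.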



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ad9731c314ad7ef4cb80af96b172142aca30760



[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird

2023-08-29 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
33364e18 by Emilio Pozuelo Monfort at 2023-08-29T11:33:55+02:00
lts: take firefox-esr and thunderbird

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -54,6 +54,9 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the 
initiatives. (Beuc/front-desk)
 --
+firefox-esr (Emilio)
+  NOTE: 20230829: Added by pochu
+--
 firmware-nonfree
   NOTE: 20230820: Added by Front-Desk (ta)
 --
@@ -227,6 +230,9 @@ suricata (Adrian Bunk)
   NOTE: 20230714: Still reviewing+testing CVEs. (bunk)
   NOTE: 20230731: Still reviewing+testing CVEs. (bunk)
 --
+thunderbird (Emilio)
+  NOTE: 20230829: Added by pochu
+--
 tiff
   NOTE: 20230826: Added by Front-Desk (utkarsh)
 --
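Review bot: both new entries (firefox-esr in the previous hunk and thunderbird here) record only "Added by pochu", whereas the neighbouring firmware-nonfree and tiff entries use the "Added by Front-Desk (name)" form; if these were self-added rather than triaged by front desk, saying so is fine, but a pointer to the set of issues the LTS update should cover would save the next reader a lookup.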



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33364e18f290dcea4378342c07d5fc05aa44e266



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41360/frr

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ae0b868b by Salvatore Bonaccorso at 2023-08-29T11:19:44+02:00
Add CVE-2023-41360/frr

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7,7 +7,11 @@ CVE-2023-41361 (An issue was discovered in FRRouting FRR 9.0. 
bgpd/bgp_open.c do
NOTE: Backport for 9.0 branch: 
https://github.com/FRRouting/frr/pull/14250
NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/73ad93a83f18564bb7bff4659872f7ec1a64b05e
 CVE-2023-41360 (An issue was discovered in FRRouting FRR through 9.0. 
bgpd/bgp_packet. ...)
-   TODO: check
+   - frr 
+   NOTE: https://github.com/FRRouting/frr/pull/14245
+   NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/9b855a692e68e0d16467e190b466b4ecb6853702
+   NOTE: Backport for stable/8.5: 
https://github.com/FRRouting/frr/pull/14249
+   NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/3515178de4a56d66ed948a774efcbe4a854e1ca7
 CVE-2023-41359 (An issue was discovered in FRRouting FRR through 9.0. There is 
an out- ...)
TODO: check
 CVE-2023-41358 (An issue was discovered in FRRouting FRR through 9.0. 
bgpd/bgp_packet. ...)
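Review bot: CVE-2023-41359 and CVE-2023-41358, in the trailing context, are also FRRouting FRR through 9.0 issues and are still marked TODO: check; triaging them in the same pass as CVE-2023-41360 would avoid a second round trip. For the new entry, tagging each "Fixed by:" commit with the branch or release it landed in, as other entries in this file do (for example "(php-8.0.30)"), would distinguish the master fix from the stable/8.5 backport at a glance.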



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae0b868be95c77e22dbb0448f47ce57839e8af10



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41361/frr

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0b0fcd6c by Salvatore Bonaccorso at 2023-08-29T11:06:56+02:00
Add CVE-2023-41361/frr

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,11 @@
 CVE-2023-41363 (In Cerebrate 1.14, a vulnerability in UserSettingsController 
allows au ...)
TODO: check
 CVE-2023-41361 (An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c 
does not ...)
-   TODO: check
+   - frr 
+   NOTE: https://github.com/FRRouting/frr/pull/14241
+   NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/b4d09af9194d20a7f9f16995a062f5d8e3d32840
+   NOTE: Backport for 9.0 branch: 
https://github.com/FRRouting/frr/pull/14250
+   NOTE: Fixed by: 
https://github.com/FRRouting/frr/commit/73ad93a83f18564bb7bff4659872f7ec1a64b05e
 CVE-2023-41360 (An issue was discovered in FRRouting FRR through 9.0. 
bgpd/bgp_packet. ...)
TODO: check
 CVE-2023-41359 (An issue was discovered in FRRouting FRR through 9.0. There is 
an out- ...)
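Review bot: the two "NOTE: Fixed by:" lines are only told apart by the "Backport for 9.0 branch:" line preceding the second; labelling the first explicitly as the master commit, or appending the branch in parentheses, would make the entry self-explanatory. The description also says "FRR 9.0" rather than "through 9.0", and the entry has no suite lines yet, so it is worth confirming whether the frr versions in the stable suites are affected before leaving them unannotated.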



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b0fcd6c7a1e64e7f05663f96aaa3b3bfe85f50f



[Git][security-tracker-team/security-tracker][master] indent spu

2023-08-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1adb4c6b by Moritz Mühlenhoff at 2023-08-29T10:36:02+02:00
indent spu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -29,3 +29,5 @@ CVE-2023-3446
[bookworm] - openssl 3.0.10-1~deb12u1
 CVE-2023-3817
[bookworm] - openssl 3.0.10-1~deb12u1
+CVE-2023-40305
+   [bookworm] - indent 2.2.12-4+deb12u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1adb4c6bc1927ab5fff953a4482227cf6de17549



[Git][security-tracker-team/security-tracker][master] automatic update

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4711f028 by security tracker role at 2023-08-29T08:14:06+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,46 @@
-CVE-2023-4569 [information leak in nft_set_catchall_flush in 
net/netfilter/nf_tables_api.c]
+CVE-2023-41363 (In Cerebrate 1.14, a vulnerability in UserSettingsController 
allows au ...)
+   TODO: check
+CVE-2023-41361 (An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c 
does not ...)
+   TODO: check
+CVE-2023-41360 (An issue was discovered in FRRouting FRR through 9.0. 
bgpd/bgp_packet. ...)
+   TODO: check
+CVE-2023-41359 (An issue was discovered in FRRouting FRR through 9.0. There is 
an out- ...)
+   TODO: check
+CVE-2023-41358 (An issue was discovered in FRRouting FRR through 9.0. 
bgpd/bgp_packet. ...)
+   TODO: check
+CVE-2023-41005 (An issue in Pagekit pagekit v.1.0.18 alows a remote attacker 
to execut ...)
+   TODO: check
+CVE-2023-40998 (Buffer Overflow vulnerability in O-RAN Software Community 
ric-plt-lib- ...)
+   TODO: check
+CVE-2023-40997 (Buffer Overflow vulnerability in O-RAN Software Community 
ric-plt-lib- ...)
+   TODO: check
+CVE-2023-40857 (Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 
allows a remo ...)
+   TODO: check
+CVE-2023-40828 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
+   TODO: check
+CVE-2023-40827 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
+   TODO: check
+CVE-2023-40826 (An issue in pf4j pf4j v.3.9.0 and before allows a remote 
attacker to o ...)
+   TODO: check
+CVE-2023-40825 (An issue in Perfree PerfreeBlog v.3.1.2 allows a remote 
attacker to ex ...)
+   TODO: check
+CVE-2023-40781 (Buffer Overflow vulnerability in Libming Libming v.0.4.8 
allows a remo ...)
+   TODO: check
+CVE-2023-39968 (jupyter-server is the backend for Jupyter web applications. 
Open Redir ...)
+   TODO: check
+CVE-2023-39650 (Theme Volty CMS Blog up to version v4.0.1 was discovered to 
contain a  ...)
+   TODO: check
+CVE-2023-39059 (An issue in ansible semaphore v.2.8.90 allows a remote 
attacker to exe ...)
+   TODO: check
+CVE-2023-38969 (Cross Site Scripting vulnerabiltiy in Badaso v.2.9.7 allows a 
remote a ...)
+   TODO: check
+CVE-2023-34725 (An issue was discovered in TechView LA-5570 Wireless Gateway 
1.0.19_T5 ...)
+   TODO: check
+CVE-2023-34724 (An issue was discovered in TECHView LA5570 Wireless Gateway 
1.0.19_T53 ...)
+   TODO: check
+CVE-2023-32457 (Dell PowerScale OneFS, versions 8.2.2.x-9.5.0.x, contains an 
improper  ...)
+   TODO: check
+CVE-2023-4569 (A memory leak flaw was found in nft_set_catchall_flush in 
net/netfilte ...)
- linux 
NOTE: 
https://git.kernel.org/linus/90e5b3462efa37b8bba82d7c4e63683856e188af (6.5-rc7)
 CVE-2023-4563 [Use-after-free in nft_verdict_dump due to a race between set GC 
and transaction]
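Review bot: the bracketed working title for CVE-2023-4569 said "information leak in nft_set_catchall_flush", but the official description brought in here says "A memory leak flaw"; those are different impact classes (disclosure versus resource exhaustion), so the severity of the linux entry should be rechecked against the referenced commit rather than carried over from the provisional title. The remaining additions are new TODO: check entries with no triage yet.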
@@ -16158,8 +16200,8 @@ CVE-2023-1998 (The Linux kernel allows userspace 
processes to enable mitigations
[bullseye] - linux 5.10.178-1
NOTE: 
https://git.kernel.org/linus/6921ed9049bc7457f66c1596c5b78aec0dae4a9d (6.3-rc1)
NOTE: https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d
-CVE-2023-1995
-   RESERVED
+CVE-2023-1995 (Insufficient Logging vulnerability in Hitachi HiRDB Server, 
HiRDB Serv ...)
+   TODO: check
 CVE-2023-1994 (GQUIC dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 
3.6.12  ...)
{DSA-5429-1 DLA-3402-1}
[experimental] - wireshark 4.0.5-1~exp1
@@ -215713,8 +215755,8 @@ CVE-2020-24167
RESERVED
 CVE-2020-24166
RESERVED
-CVE-2020-24165
-   RESERVED
+CVE-2020-24165 (An issue was discovered in TCG Accelerator in QEMU 4.2.0, 
allows local ...)
+   TODO: check
 CVE-2020-24164 (A deserialization flaw is present in Taoensso Nippy before 
2.14.2. In  ...)
NOT-FOR-US: Taoensso Nippy
 CVE-2020-24163
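Review bot: CVE-2020-24165 is a 2020-numbered identifier only now moving out of RESERVED, with a description pointing at QEMU 4.2.0; such late publications usually concern code that has long since changed, so triage should check whether the fix is already present in each suite's QEMU packages before a new affected entry is created.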



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4711f02843be38d738c1de82f1693e363e436d0f



[Git][security-tracker-team/security-tracker][master] Add CVE-2020-21469

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
06c9072b by Salvatore Bonaccorso at 2023-08-29T09:56:05+02:00
Add CVE-2020-21469

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -221650,7 +221650,13 @@ CVE-2020-21471
 CVE-2020-21470
RESERVED
 CVE-2020-21469 (An issue was discovered in PostgreSQL 12.2 allows attackers to 
cause a ...)
-   TODO: check
+   - postgresql-13  (Fixed before initial upload to Debian)
+   - postgresql-11 
+   [buster] - postgresql-11 11.10-0+deb10u1
+   NOTE: 
https://www.postgresql.org/message-id/CAA8ZSMqAHDCgo07hqKoM5XJaoQy6Vv76O7966agez4ffyQktkA%40mail.gmail.com
+   NOTE: Fixed by: 
https://github.com/postgres/postgres/commit/9abb2bfc046070b22e3be28173a0736da31cab5a
 (REL_13_BETA1)
+   NOTE: Fixed by: 
https://github.com/postgres/postgres/commit/8b53dbada4a6a9e5f16548ca2c4d17cff55933d8
 (REL_12_5)
+   NOTE: Fixed by: 
https://github.com/postgres/postgres/commit/85834023a95e16d1d3fe73b0608e1608573753c3
 (REL_11_10)
 CVE-2020-21468 (A segmentation fault in the redis-server component of Redis 
5.0.7 lead ...)
- redis  (unimportant)
NOTE: https://github.com/redis/redis/issues/6633
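Review bot: a "Fixed by:" commit for REL_12_5 is listed, but no postgresql-12 source package line accompanies it; if a postgresql-12 package ever existed in the archive it needs its own line, otherwise a short remark that the REL_12 reference is for completeness would stop the next reader looking for one. The postgresql-11 buster version 11.10-0+deb10u1 agrees with the REL_11_10 tag on its commit, and REL_13_BETA1 supports the "Fixed before initial upload to Debian" annotation on postgresql-13.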



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06c9072bf9f034f7b36c9375509dbae443a5f9df



[Git][security-tracker-team/security-tracker][master] Mark two hdf5 issues as unimportant

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4bb3099c by Salvatore Bonaccorso at 2023-08-29T09:20:12+02:00
Mark two hdf5 issues as unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -227909,8 +227909,9 @@ CVE-2020-18496
 CVE-2020-18495
RESERVED
 CVE-2020-18494 (Buffer Overflow vulnerability in function H5S_close in H5S.c 
in HDF5 1 ...)
-   - hdf5 
+   - hdf5  (unimportant)
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul12
+   NOTE: Negligible security impact, malicous scientific data has more 
issues than a crash...
 CVE-2020-18493
RESERVED
 CVE-2020-18492
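Review bot: "malicous" in the new NOTE should be "malicious". The rationale for the (unimportant) tag is sound for a crash in a scientific data library, but a plain statement of why the impact is limited would age better than the trailing ellipsis.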
@@ -228451,8 +228452,9 @@ CVE-2020-18234
 CVE-2020-18233
RESERVED
 CVE-2020-18232 (Buffer Overflow vulnerability in function H5S_close in H5S.c 
in HDF5 1 ...)
-   - hdf5 
+   - hdf5  (unimportant)
NOTE: https://github.com/winson2004aa/PAAFS/tree/master/vul2
+   NOTE: Negligible security impact, malicous scientific data has more 
issues than a crash...
 CVE-2020-18231
RESERVED
 CVE-2020-18230 (Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote 
attackers t ...)
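Review bot: the same "malicous" typo appears in this NOTE. CVE-2020-18232 and CVE-2020-18494 carry word-for-word the same description (H5S_close in H5S.c in HDF5) and differ only in the PAAFS repository they cite; a NOTE cross-referencing the two would flag them as probable duplicate reports of one bug and save the next triager the comparison.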



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bb3099c8b1f74c18c0b6b8709e051066f0b15f6



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4569/linux

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bdc27e8b by Salvatore Bonaccorso at 2023-08-29T08:47:44+02:00
Add CVE-2023-4569/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2023-4569 [information leak in nft_set_catchall_flush in 
net/netfilter/nf_tables_api.c]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/90e5b3462efa37b8bba82d7c4e63683856e188af (6.5-rc7)
 CVE-2023-4563 [Use-after-free in nft_verdict_dump due to a race between set GC 
and transaction]
- linux 
NOTE: 
https://lore.kernel.org/netdev/20230810070830.24064-1-pa...@netfilter.org/



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdc27e8b515b764810ef99ceeab46e7fe73a31c2



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4563/linux

2023-08-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
67451971 by Salvatore Bonaccorso at 2023-08-29T08:38:20+02:00
Add CVE-2023-4563/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-4563 [Use-after-free in nft_verdict_dump due to a race between set GC 
and transaction]
+   - linux 
+   NOTE: 
https://lore.kernel.org/netdev/20230810070830.24064-1-pa...@netfilter.org/
+   NOTE: https://lore.kernel.org/netdev/20230815223011.7019-1...@strlen.de/
 CVE-2023-41109 (SmartNode SN200 (aka SN200) 3.21.2-23021 allows 
unauthenticated OS Com ...)
NOT-FOR-US: SmartNode SN200 (aka SN200)
 CVE-2023-40846 (Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is 
vulnerable to Bu ...)
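Review bot: the CVE-2023-4563 entry references two lore.kernel.org patch postings but no mainline commit, unlike the CVE-2023-4569 entry elsewhere in this digest, which carries a git.kernel.org commit with its release tag (6.5-rc7); once the fix lands, a "NOTE: Fixed by:" line with the commit and the version it first appears in lets the suite annotations be derived mechanically.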



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/674519714448b96fce3b98b2e70c6d91f26848dc
