[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6228/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3249545 by Salvatore Bonaccorso at 2023-11-22T08:23:06+01:00 Add CVE-2023-6228/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,6 +5,10 @@ CVE-2023-6238 [nvme: memory corruption via unprivileged user passthrough] [buster] - linux (Vulnerable code not present) CVE-2023-6235 (An uncontrolled search path element vulnerability has been found in th ...) NOT-FOR-US: Duet Display for Windows +CVE-2023-6228 [heap-based buffer overflow in cpStripToTile() in tools/tiffcp.c] + - tiff + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/606 + NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a CVE-2023-6213 (Memory safety bugs present in Firefox 119. Some of these bugs showed e ...) - firefox 120.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6213 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b32495450442d807678789a983c582860178177a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b32495450442d807678789a983c582860178177a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
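Review bot: the new CVE-2023-6228 entry records only the bare source package `tiff` with no fixed version and no per-suite status, even though the NOTE lines already point at the upstream fix commit (1e7d217a). Since the overflow is in tools/tiffcp.c, the tiffcp command-line tool rather than libtiff itself, a follow-up should add the unstable version that carries the fix and give bookworm/bullseye/buster either a fixed version or an explicit no-dsa/postponed marker so the issue does not sit without suite status; the dsa-needed list on this page already lists `tiff (aron)`, so the suite decision should be reflected in this entry as well.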
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6238/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b00d7dd by Salvatore Bonaccorso at 2023-11-22T08:06:05+01:00 Add CVE-2023-6238/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,8 @@ +CVE-2023-6238 [nvme: memory corruption via unprivileged user passthrough] + - linux + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) CVE-2023-6235 (An uncontrolled search path element vulnerability has been found in th ...) NOT-FOR-US: Duet Display for Windows CVE-2023-6213 (Memory safety bugs present in Firefox 119. Some of these bugs showed e ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b00d7dda0304d43eabd08b520623463b9628cd1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b00d7dda0304d43eabd08b520623463b9628cd1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
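Review bot: the three `(Vulnerable code not present)` annotations for bookworm, bullseye and buster are not backed by any NOTE line, and the unstable line carries no fixed version. Add a NOTE with the upstream fix (and, if known, the commit that introduced the nvme unprivileged passthrough bug) so the "not present" claim can be checked against the kernel versions each suite ships, and record the unstable fixed version once the corresponding upload happens.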
[Git][security-tracker-team/security-tracker][master] Track proposed update for nvidia-graphics-drivers via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc816ad4 by Salvatore Bonaccorso at 2023-11-22T07:02:54+01:00 Track proposed updte for nvidia-graphics-drivers via bullseye-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -82,3 +82,5 @@ CVE-2021-33880 [bullseye] - python-websockets 8.1-1+deb11u1 CVE-2023-46734 [bullseye] - symfony 4.4.19+dfsg-2+deb11u4 +CVE-2023-31022 + [bullseye] - nvidia-graphics-drivers 470.223.02-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc816ad4ac3ead1e91d4ecb994a0dbc44f99be74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc816ad4ac3ead1e91d4ecb994a0dbc44f99be74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
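Review bot: the new entry's version `470.223.02-1` does not follow the `+deb11uN` pattern of the neighbouring bullseye-pu entries (`8.1-1+deb11u1`, `4.4.19+dfsg-2+deb11u4`). That is expected when a stable update ships a new upstream driver release rather than a patched Debian revision, but it is worth confirming this is the exact version string of the proposed bullseye upload, because the tracker only marks the CVE fixed when a package with that precise version appears. The commit subject also misspells "update" as "updte".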
[Git][security-tracker-team/security-tracker][master] Track fixed version for firefox issues (mfsa2023-49) via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 22927d46 by Salvatore Bonaccorso at 2023-11-22T06:54:58+01:00 Track fixed version for firefox issues (mfsa2023-49) via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,58 +1,58 @@ CVE-2023-6235 (An uncontrolled search path element vulnerability has been found in th ...) NOT-FOR-US: Duet Display for Windows CVE-2023-6213 (Memory safety bugs present in Firefox 119. Some of these bugs showed e ...) - - firefox + - firefox 120.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6213 CVE-2023-6212 (Memory safety bugs present in Firefox 119, Firefox 115.4, and Thunderb ...) - - firefox + - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - tunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6212 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6212 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6212 CVE-2023-6211 (If an attacker needed a user to load an insecure http: page and knew t ...) - - firefox + - firefox 120.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6211 CVE-2023-6210 (When an https: web page created a pop-up from a "javascript:" URL, tha ...) - - firefox + - firefox 120.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6210 CVE-2023-6209 (Relative URLs starting with three slashes were incorrectly parsed, and ...) - - firefox + - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6209 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6209 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6209 CVE-2023-6208 (When using X11, text selected by the page using the Selection API was ...) 
- - firefox + - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6208 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6208 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6208 CVE-2023-6207 (Ownership mismanagement led to a use-after-free in ReadableByteStreams ...) - - firefox + - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6207 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6207 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6207 CVE-2023-6206 (The black fade animation when exiting fullscreen is roughly the length ...) - - firefox + - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6206 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6206 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6206 CVE-2023-6205 (It was possible to cause the use of a MessagePort after it had already ...) - - firefox + - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6205 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6205 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6205 CVE-2023-6204 (On some systems\u2014depending on the graphics settings and drivers\u2 ...) 
- - firefox + - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6204 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22927d46f5f0f5749f554210c0ded4f0ec53cafa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22927d46f5f0f5749f554210c0ded4f0ec53cafa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
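Review bot: the CVE-2023-6212 block still carries the context line `- tunderbird`, a misspelling of `thunderbird`. The tracker matches on source package name, so this line does not attach the issue to src:thunderbird, and the thunderbird status for CVE-2023-6212 will be missing while the other mfsa2023-52 issues (CVE-2023-6204 to CVE-2023-6209) are correctly listed as `- thunderbird`. Since this commit touches the block anyway, the line should be corrected to `- thunderbird` in a follow-up.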
[Git][security-tracker-team/security-tracker][master] Track fixes for firefox-esr (mfsa2023-50) via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c55812ba by Salvatore Bonaccorso at 2023-11-22T06:51:39+01:00 Track fixes for firefox-esr (mfsa2023-50) via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,7 @@ CVE-2023-6213 (Memory safety bugs present in Firefox 119. Some of these bugs sho NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6213 CVE-2023-6212 (Memory safety bugs present in Firefox 119, Firefox 115.4, and Thunderb ...) - firefox - - firefox-esr + - firefox-esr 115.5.0esr-1 - tunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6212 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6212 
@@ -18,42 +18,42 @@ CVE-2023-6210 (When an https: web page created a pop-up from a "javascript:" URL NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6210 CVE-2023-6209 (Relative URLs starting with three slashes were incorrectly parsed, and ...) - firefox - - firefox-esr + - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6209 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6209 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6209 CVE-2023-6208 (When using X11, text selected by the page using the Selection API was ...) - firefox - - firefox-esr + - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6208 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6208 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6208 CVE-2023-6207 (Ownership mismanagement led to a use-after-free in ReadableByteStreams ...) - firefox - - firefox-esr + - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6207 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6207 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6207 CVE-2023-6206 (The black fade animation when exiting fullscreen is roughly the length ...) - firefox - - firefox-esr + - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6206 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6206 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6206 CVE-2023-6205 (It was possible to cause the use of a MessagePort after it had already ...) 
- firefox - - firefox-esr + - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6205 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6205 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6205 CVE-2023-6204 (On some systems\u2014depending on the graphics settings and drivers\u2 ...) - firefox - - firefox-esr + - firefox-esr 115.5.0esr-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6204 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6204 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c55812bab3d0f1c7c8a7cece40b29dc1b7e93189 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c55812bab3d0f1c7c8a7cece40b29dc1b7e93189 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
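Review bot: the first hunk leaves `- tunderbird` in the CVE-2023-6212 block unchanged while adding the firefox-esr fixed version right above it. The misspelled name is not a Debian source package, so the firefox-esr fix is recorded but the thunderbird side of the same CVE stays untracked; change the line to `- thunderbird`.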
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2023-31022/nvidia-open-gpu-kernel-modules
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a0efb041 by Salvatore Bonaccorso at 2023-11-22T06:46:27+01:00 Track fixed version via unstable for CVE-2023-31022/nvidia-open-gpu-kernel-modules - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28332,7 +28332,7 @@ CVE-2023-31022 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne [bookworm] - nvidia-graphics-drivers (Non-free not supported) [bullseye] - nvidia-graphics-drivers (Non-free not supported) [buster] - nvidia-graphics-drivers (Non-free not supported) - - nvidia-open-gpu-kernel-modules (bug #1055144) + - nvidia-open-gpu-kernel-modules 525.147.05-1 (bug #1055144) [bookworm] - nvidia-open-gpu-kernel-modules (Non-free not supported) - nvidia-graphics-drivers-tesla 525.147.05-1 (bug #1055143) [bookworm] - nvidia-graphics-drivers-tesla (Non-free not supported) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0efb0416ec3eaaebed11b72f59ee9c782623012 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0efb0416ec3eaaebed11b72f59ee9c782623012 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 036fa37f by Salvatore Bonaccorso at 2023-11-21T21:40:42+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2023-6235 (An uncontrolled search path element vulnerability has been found in th ...) - TODO: check + NOT-FOR-US: Duet Display for Windows CVE-2023-6213 (Memory safety bugs present in Firefox 119. Some of these bugs showed e ...) - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6213 @@ -59,13 +59,13 @@ CVE-2023-6204 (On some systems\u2014depending on the graphics settings and drive NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6204 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6204 CVE-2023-5776 (The Post Meta Data Manager plugin for WordPress is vulnerable to Cross ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5599 (A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboar ...) - TODO: check + NOT-FOR-US: 3DDashboard in 3DSwymer from Release 3DEXPERIENCE CVE-2023-5598 (Stored Cross-site Scripting (XSS) vulnerabilities\xc2affecting 3DSwym ...) - TODO: check + NOT-FOR-US: 3DSwym in 3DSwymer from Release 3DEXPERIENCE CVE-2023-5055 (Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.) - TODO: check + NOT-FOR-US: zephyr-rtos CVE-2023-49061 (An attacker could have performed HTML template injection via Reader Mo ...) TODO: check CVE-2023-49060 (An attacker could have accessed internal pages or data by ex-filtratin ...) 
@@ -73,9 +73,9 @@ CVE-2023-49060 (An attacker could have accessed internal pages or data by ex-fil CVE-2023-48226 (OpenReplay is a self-hosted session replay suite. In version 1.14.0, d ...) TODO: check CVE-2023-48124 (Cross Site Scripting in SUP Online Shopping v.1.0 allows a remote atta ...) - TODO: check + NOT-FOR-US: SUP Online Shopping CVE-2023-47643 (SuiteCRM is a Customer Relationship Management (CRM) software applicat ...) - TODO: check + NOT-FOR-US: SuiteCRM CVE-2023-46377 REJECTED CVE-2023-6199 (Book Stack version 23.10.2 allows filtering local files on the server. ...) @@ -35198,7 +35198,7 @@ CVE-2023-28804 (An Improper Verification of Cryptographic Signature vulnerabilit CVE-2023-28803 (An authentication bypass by spoofing of a device with a synthetic IP a ...) NOT-FOR-US: Zscaler Client Connector CVE-2023-28802 (An Improper Validation of Integrity Check Value in Zscaler Client Conn ...) - TODO: check + NOT-FOR-US: Zscaler Client Connector on Windows CVE-2023-28801 (An Improper Verification of Cryptographic Signature in the SAML authen ...) NOT-FOR-US: Zscaler CVE-2023-28800 (When using local accounts for administration, the redirect url paramet ...) @@ -54982,7 +54982,7 @@ CVE-2023-22523 CVE-2023-22522 RESERVED CVE-2023-22521 (This High severity RCE (Remote Code Execution) vulnerability was intro ...) - TODO: check + NOT-FOR-US: Crowd Data Center and Server CVE-2023-22520 RESERVED CVE-2023-22519 @@ -54992,7 +54992,7 @@ CVE-2023-22518 (All versions of Confluence Data Center and Server are affected b CVE-2023-22517 RESERVED CVE-2023-22516 (This High severity RCE (Remote Code Execution) vulnerability was intro ...) - TODO: check + NOT-FOR-US: Bamboo Data Center and Server CVE-2023-22515 (Atlassian has been made aware of an issue reported by a handful of cus ...) NOT-FOR-US: Atlassian CVE-2023-22514 
@@ -71901,11 +71901,11 @@ CVE-2023-20276 CVE-2023-20275 RESERVED CVE-2023-20274 (A vulnerability in the installer script of Cisco AppDynamics PHP Agent ...) - TODO: check + NOT-FOR-US: Cisco CVE-2023-20273 (A vulnerability in the web UI feature of Cisco IOS XE Software could a ...) NOT-FOR-US: Cisco CVE-2023-20272 (A vulnerability in the web-based management interface of Cisco Identit ...) - TODO: check + NOT-FOR-US: Cisco CVE-2023-20271 RESERVED CVE-2023-20270 (A vulnerability in the interaction between the Server Message Block (S ...) @@ -71919,7 +71919,7 @@ CVE-2023-20267 (A vulnerability in the IP geolocation rules of Snort 3 could all CVE-2023-20266 (A vulnerability in Cisco Emergency Responder, Cisco Unified Communicat ...) NOT-FOR-US: Cisco CVE-2023-20265 (A vulnerability in the web-based management interface of a small subse ...) - TODO: check + NOT-FOR-US: Cisco CVE-2023-20264 (A vulnerability in the implementation of Security Assertion Markup Lan ...) NOT-FOR-US: Cisco CVE-2023-20263 (A vulnerability in the web-based management
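Review bot: CVE-2023-5055 is marked `NOT-FOR-US: zephyr-rtos`, whereas the earlier NFU commit on this page labels the related Zephyr BLE issue CVE-2023-4424 as `NOT-FOR-US: Zephyr RTOS (unrelated to src:zephyr)`. That parenthetical indicates Debian has a source package named zephyr, so the shorter label invites someone to reopen the question later; use the same `(unrelated to src:zephyr)` wording. The description ("Possible variant of CVE-2021-3434 in function le_ecred_reconf_req") also suggests checking that the CVE-2021-3434 entry carries a consistent marking.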
[Git][security-tracker-team/security-tracker][master] Add thunderbird to DSA needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ae7c7d23 by Salvatore Bonaccorso at 2023-11-21T21:34:16+01:00 Add thunderbird to DSA needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -90,6 +90,8 @@ samba/oldstable -- squid -- +thunderbird (jmm) +-- tiff (aron) -- tor (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae7c7d237a54d1c472a583440131defc4fe995cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae7c7d237a54d1c472a583440131defc4fe995cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add thunderbird issues from mfsa2023-52
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ba5dc4fa by Salvatore Bonaccorso at 2023-11-21T21:33:00+01:00 Add thunderbird issues from mfsa2023-52 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6,8 +6,10 @@ CVE-2023-6213 (Memory safety bugs present in Firefox 119. Some of these bugs sho CVE-2023-6212 (Memory safety bugs present in Firefox 119, Firefox 115.4, and Thunderb ...) - firefox - firefox-esr + - tunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6212 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6212 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6212 CVE-2023-6211 (If an attacker needed a user to load an insecure http: page and knew t ...) - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6211 
@@ -17,33 +19,45 @@ CVE-2023-6210 (When an https: web page created a pop-up from a "javascript:" URL CVE-2023-6209 (Relative URLs starting with three slashes were incorrectly parsed, and ...) - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6209 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6209 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6209 CVE-2023-6208 (When using X11, text selected by the page using the Selection API was ...) - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6208 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6208 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6208 CVE-2023-6207 (Ownership mismanagement led to a use-after-free in ReadableByteStreams ...) - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6207 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6207 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6207 CVE-2023-6206 (The black fade animation when exiting fullscreen is roughly the length ...) - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6206 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6206 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6206 CVE-2023-6205 (It was possible to cause the use of a MessagePort after it had already ...) 
- firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6205 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6205 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6205 CVE-2023-6204 (On some systems\u2014depending on the graphics settings and drivers\u2 ...) - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6204 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6204 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6204 CVE-2023-5776 (The Post Meta Data Manager plugin for WordPress is vulnerable to Cross ...) TODO: check CVE-2023-5599 (A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboar ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba5dc4fa0e6bd6f661b313032888602dc6db19d9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba5dc4fa0e6bd6f661b313032888602dc6db19d9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
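Review bot: the first hunk adds `+ - tunderbird` for CVE-2023-6212, while every other CVE in this commit adds `+ - thunderbird`. The misspelled name does not correspond to a Debian source package, so CVE-2023-6212 will not appear for thunderbird in the tracker even though the mfsa2023-52 NOTE is attached; change it to `- thunderbird`.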
[Git][security-tracker-team/security-tracker][master] Add firefox-esr issues from mfsa2023-50
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 14f6b810 by Salvatore Bonaccorso at 2023-11-21T21:28:31+01:00 Add firefox-esr issues from mfsa2023-50 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,9 @@ CVE-2023-6213 (Memory safety bugs present in Firefox 119. Some of these bugs sho NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6213 CVE-2023-6212 (Memory safety bugs present in Firefox 119, Firefox 115.4, and Thunderb ...) - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6212 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6212 CVE-2023-6211 (If an attacker needed a user to load an insecure http: page and knew t ...) - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6211 
@@ -14,22 +16,34 @@ CVE-2023-6210 (When an https: web page created a pop-up from a "javascript:" URL NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6210 CVE-2023-6209 (Relative URLs starting with three slashes were incorrectly parsed, and ...) - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6209 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6209 CVE-2023-6208 (When using X11, text selected by the page using the Selection API was ...) - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6208 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6208 CVE-2023-6207 (Ownership mismanagement led to a use-after-free in ReadableByteStreams ...) - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6207 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6207 CVE-2023-6206 (The black fade animation when exiting fullscreen is roughly the length ...) - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6206 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6206 CVE-2023-6205 (It was possible to cause the use of a MessagePort after it had already ...) - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6205 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6205 CVE-2023-6204 (On some systems\u2014depending on the graphics settings and drivers\u2 ...) - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6204 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6204 CVE-2023-5776 (The Post Meta Data Manager plugin for WordPress is vulnerable to Cross ...) 
TODO: check CVE-2023-5599 (A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboar ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14f6b8102ee4f6d4d7ce78248b8db882fbb41b8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14f6b8102ee4f6d4d7ce78248b8db882fbb41b8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add firefox-esr to DSA needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2064f5c7 by Salvatore Bonaccorso at 2023-11-21T21:24:26+01:00 Add firefox-esr to DSA needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -19,6 +19,8 @@ dnsdist (jmm) fastdds Awaiting feedback from maintainer on bullseye status -- +firefox-esr (jmm) +-- frr -- gimp (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2064f5c73d73c123797f514ecd8692cde6967e1b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2064f5c73d73c123797f514ecd8692cde6967e1b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new firefox issues from mfsa2023-49
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b884125 by Salvatore Bonaccorso at 2023-11-21T21:23:17+01:00 Add new firefox issues from mfsa2023-49 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,25 +1,35 @@ CVE-2023-6235 (An uncontrolled search path element vulnerability has been found in th ...) TODO: check CVE-2023-6213 (Memory safety bugs present in Firefox 119. Some of these bugs showed e ...) - TODO: check + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6213 CVE-2023-6212 (Memory safety bugs present in Firefox 119, Firefox 115.4, and Thunderb ...) - TODO: check + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6212 CVE-2023-6211 (If an attacker needed a user to load an insecure http: page and knew t ...) - TODO: check + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6211 CVE-2023-6210 (When an https: web page created a pop-up from a "javascript:" URL, tha ...) - TODO: check + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6210 CVE-2023-6209 (Relative URLs starting with three slashes were incorrectly parsed, and ...) - TODO: check + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6209 CVE-2023-6208 (When using X11, text selected by the page using the Selection API was ...) - TODO: check + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6208 CVE-2023-6207 (Ownership mismanagement led to a use-after-free in ReadableByteStreams ...) - TODO: check + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6207 CVE-2023-6206 (The black fade animation when exiting fullscreen is roughly the length ...) - TODO: check + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6206 CVE-2023-6205 (It was possible to cause the use of a MessagePort after it had already ...) 
- TODO: check + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6205 CVE-2023-6204 (On some systems\u2014depending on the graphics settings and drivers\u2 ...) - TODO: check + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6204 CVE-2023-5776 (The Post Meta Data Manager plugin for WordPress is vulnerable to Cross ...) TODO: check CVE-2023-5599 (A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboar ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b884125b4614640bd0b4498b23e74c8ad695285 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b884125b4614640bd0b4498b23e74c8ad695285 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b3f2996 by Salvatore Bonaccorso at 2023-11-21T21:18:45+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43,13 +43,13 @@ CVE-2023-46377 CVE-2023-6199 (Book Stack version 23.10.2 allows filtering local files on the server. ...) NOT-FOR-US: bookstack CVE-2023-6178 (An arbitrary file write vulnerability exists where an authenticated at ...) - TODO: check + NOT-FOR-US: Nessus Agent CVE-2023-6144 (Dev blog v1.0 allows to exploit an account takeover through the "user" ...) NOT-FOR-US: Dev blog CVE-2023-6142 (Dev blog v1.0 allows to exploit an XSS through an unrestricted file up ...) NOT-FOR-US: Dev blog CVE-2023-6062 (An arbitrary file write vulnerability exists where an authenticated, r ...) - TODO: check + NOT-FOR-US: Nessus CVE-2023-5553 (During internal Axis Security Development Model (ASDM) threat-modellin ...) NOT-FOR-US: AXIS OS CVE-2023-5275 (Improper Input Validation vulnerability in simulation function of GX W ...) @@ -57,9 +57,9 @@ CVE-2023-5275 (Improper Input Validation vulnerability in simulation function of CVE-2023-5274 (Improper Input Validation vulnerability in simulation function of GX W ...) NOT-FOR-US: Mitsubishi CVE-2023-4424 (An malicious BLE device can cause buffer overflow by sending malformed ...) - TODO: check + NOT-FOR-US: Zephyr RTOS (unrelated to src:zephyr) CVE-2023-4149 (A vulnerability in the web-based management allows an unauthenticated ...) - TODO: check + NOT-FOR-US: Wago CVE-2023-48310 (TestingPlatform is a testing platform for Internet Security Standards. ...) NOT-FOR-US: TestingPlatform CVE-2023-48192 (An issue in TOTOlink A3700R v.9.1.2u.6134_B20201202 allows a local att ...) 
@@ -67,7 +67,7 @@ CVE-2023-48192 (An issue in TOTOlink A3700R v.9.1.2u.6134_B20201202 allows a loc CVE-2023-48176 (An Insecure Permissions issue in WebsiteGuide v.0.2 allows a remote at ...) NOT-FOR-US: WebsiteGuide CVE-2023-48051 (An issue in /upydev/keygen.py in upydev v0.4.3 allows attackers to dec ...) - TODO: check + NOT-FOR-US: upydev CVE-2023-47311 (An issue in Yamcs 5.8.6 allows attackers to send aribitrary telelcomma ...) NOT-FOR-US: Yamcs CVE-2023-47172 (Certain WithSecure products allow Local Privilege Escalation. This aff ...) @@ -79,7 +79,7 @@ CVE-2023-46471 (Cross Site Scripting vulnerability in Space Applications Service CVE-2023-46470 (Cross Site Scripting vulnerability in Space Applications Services Yamc ...) NOT-FOR-US: Yamcs CVE-2023-45886 (The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allow remote ...) - TODO: check + NOT-FOR-US: BGP daemon (bgpd) in IP Infusion ZebOS CVE-2023-42770 (Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users en ...) NOT-FOR-US: Red Lion CVE-2023-40151 (When user authentication is not enabled the shell can execute commands ...) @@ -133,7 +133,7 @@ CVE-2023-4808 (The WP Post Popup WordPress plugin through 3.7.3 does not sanitis CVE-2023-4799 (The Magic Embeds WordPress plugin before 3.1.2 does not validate and e ...) NOT-FOR-US: WordPress plugin CVE-2023-48309 (NextAuth.js provides authentication for Next.js. `next-auth` applicati ...) - TODO: check + NOT-FOR-US: NextAuth.js CVE-2023-48300 (The `Embed Privacy` plugin for WordPress that prevents the loading of ...) NOT-FOR-US: WordPress plugin CVE-2023-48293 (The XWiki Admin Tools Application provides tools to help the administr ...) 
@@ -181,19 +181,19 @@ CVE-2023-42774 (in OpenHarmony v3.2.2 and prior versions allow a local attacker CVE-2023-3116 (in OpenHarmony v3.2.2 and prior versions allow a local attacker get co ...) NOT-FOR-US: OpenHarmony CVE-2023-38885 (OpenSIS Classic Community Edition version 9.0 lacks cross-site request ...) - TODO: check + NOT-FOR-US: OpenSIS CVE-2023-38884 (An Insecure Direct Object Reference (IDOR) vulnerability in the Commun ...) - TODO: check + NOT-FOR-US: OpenSIS CVE-2023-38883 (A reflected cross-site scripting (XSS) vulnerability in the Community ...) - TODO: check + NOT-FOR-US: OpenSIS CVE-2023-38882 (A reflected cross-site scripting (XSS) vulnerability in the Community ...) - TODO: check + NOT-FOR-US: OpenSIS CVE-2023-38881 (A reflected cross-site scripting (XSS) vulnerability in the Community ...) - TODO: check + NOT-FOR-US: OpenSIS CVE-2023-38880 (The Community Edition version 9.0 of OS4ED's openSIS Classic has a bro ...) - TODO: check + NOT-FOR-US: OpenSIS CVE-2023-38879 (The Community Edition version 9.0 of OS4ED's openSIS Classic allows re ...) - TODO: check +
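Review bot: the two Nessus entries in the first hunk are tagged differently, `NOT-FOR-US: Nessus Agent` for CVE-2023-6178 and `NOT-FOR-US: Nessus` for CVE-2023-6062, although both descriptions begin with the same "arbitrary file write vulnerability exists where an authenticated" text; use one product string for both so a search for the product finds both entries. The `(unrelated to src:zephyr)` qualifier on CVE-2023-4424 is the pattern worth keeping, since a bare `NOT-FOR-US: Zephyr RTOS` would invite re-triage against the src:zephyr package.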
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cea084e2 by security tracker role at 2023-11-21T20:11:47+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,45 @@ +CVE-2023-6235 (An uncontrolled search path element vulnerability has been found in th ...) + TODO: check +CVE-2023-6213 (Memory safety bugs present in Firefox 119. Some of these bugs showed e ...) + TODO: check +CVE-2023-6212 (Memory safety bugs present in Firefox 119, Firefox 115.4, and Thunderb ...) + TODO: check +CVE-2023-6211 (If an attacker needed a user to load an insecure http: page and knew t ...) + TODO: check +CVE-2023-6210 (When an https: web page created a pop-up from a "javascript:" URL, tha ...) + TODO: check +CVE-2023-6209 (Relative URLs starting with three slashes were incorrectly parsed, and ...) + TODO: check +CVE-2023-6208 (When using X11, text selected by the page using the Selection API was ...) + TODO: check +CVE-2023-6207 (Ownership mismanagement led to a use-after-free in ReadableByteStreams ...) + TODO: check +CVE-2023-6206 (The black fade animation when exiting fullscreen is roughly the length ...) + TODO: check +CVE-2023-6205 (It was possible to cause the use of a MessagePort after it had already ...) + TODO: check +CVE-2023-6204 (On some systems\u2014depending on the graphics settings and drivers\u2 ...) + TODO: check +CVE-2023-5776 (The Post Meta Data Manager plugin for WordPress is vulnerable to Cross ...) + TODO: check +CVE-2023-5599 (A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboar ...) + TODO: check +CVE-2023-5598 (Stored Cross-site Scripting (XSS) vulnerabilities\xc2affecting 3DSwym ...) + TODO: check +CVE-2023-5055 (Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.) + TODO: check +CVE-2023-49061 (An attacker could have performed HTML template injection via Reader Mo ...) + TODO: check +CVE-2023-49060 (An attacker could have accessed internal pages or data by ex-filtratin ...) + TODO: check +CVE-2023-48226 (OpenReplay is a self-hosted session replay suite. In version 1.14.0, d ...) 
+ TODO: check +CVE-2023-48124 (Cross Site Scripting in SUP Online Shopping v.1.0 allows a remote atta ...) + TODO: check +CVE-2023-47643 (SuiteCRM is a Customer Relationship Management (CRM) software applicat ...) + TODO: check +CVE-2023-46377 + REJECTED CVE-2023-6199 (Book Stack version 23.10.2 allows filtering local files on the server. ...) NOT-FOR-US: bookstack CVE-2023-6178 (An arbitrary file write vulnerability exists where an authenticated at ...) @@ -88,7 +130,7 @@ CVE-2023-4824 (The WooHoo Newspaper Magazine theme does not have CSRF check in p NOT-FOR-US: WooHoo Newspaper Magazine theme CVE-2023-4808 (The WP Post Popup WordPress plugin through 3.7.3 does not sanitise and ...) NOT-FOR-US: WordPress plugin -CVE-2023-4799 (The Magic Embeds WordPress plugin through 3.0.10 does not validate and ...) +CVE-2023-4799 (The Magic Embeds WordPress plugin before 3.1.2 does not validate and e ...) NOT-FOR-US: WordPress plugin CVE-2023-48309 (NextAuth.js provides authentication for Next.js. `next-auth` applicati ...) TODO: check @@ -958,6 +1000,7 @@ CVE-2023-35080 (A vulnerability has been identified in the Ivanti Secure Access CVE-2023-34060 (VMware Cloud Director Appliance contains an authentication bypass vuln ...) NOT-FOR-US: VMware CVE-2023-4 [GIMP PSP File Parsing Off-By-One Remote Code Execution Vulnerability] + {DLA-3659-1} - gimp 2.10.36-1 (bug #1055984) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1591/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities 
@@ -974,6 +1017,7 @@ CVE-2023-3 [GIMP PSP File Parsing Integer Overflow Remote Code Execution Vul NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10072 (restricted) NOTE: Introduced by: https://gitlab.gnome.org/GNOME/gimp/-/commit/bf66a07d207bc09f222e56c398760478a3a057fa (GIMP_2_10_22) CVE-2023-2 [GIMP PSD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability] + {DLA-3659-1} - gimp 2.10.36-1 (bug #1055984) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1594/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities @@ -35115,8 +35159,8 @@ CVE-2023-28804 (An Improper Verification of Cryptographic Signature vulnerabilit NOT-FOR-US: Zscaler Client Connector CVE-2023-28803 (An authentication bypass by spoofing of a device with a synthetic IP a ...) NOT-FOR-US: Zscaler Client Connector -CVE-2023-28802 - RESERVED
[Git][security-tracker-team/security-tracker][master] Drop todo entry as it is the plausible reference
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c33b42b by Salvatore Bonaccorso at 2023-11-21T19:01:37+01:00 Drop todo entry as it is the plausible reference Seems that upstream has requested from a CNA (Red Hat?) a CVE accordingly and has posted it to the upstream issue himself. So drop the todo now, and thanks to Thorsten Alteholz for the research. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -662,7 +662,6 @@ CVE-2023-47638 REJECTED CVE-2023-43887 - libde265 1.0.13-1 - TODO: check references, suggestion below NOTE: https://github.com/strukturag/libde265/issues/418 NOTE: https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133 (v1.0.13) CVE-2023-47471 (Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c33b42bccd5a8bdbec64ff3eb9769116616d9f4
[Git][security-tracker-team/security-tracker][master] add notes for CVE-2023-43887
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: cb873ce7 by Thorsten Alteholz at 2023-11-21T18:47:58+01:00 add notes for CVE-2023-43887 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -662,7 +662,9 @@ CVE-2023-47638 REJECTED CVE-2023-43887 - libde265 1.0.13-1 - TODO: check references + TODO: check references, suggestion below + NOTE: https://github.com/strukturag/libde265/issues/418 + NOTE: https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133 (v1.0.13) CVE-2023-47471 (Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a ...) - libde265 1.0.13-1 (bug #1056187) [bookworm] - libde265 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb873ce7aad912324f59c12495841d0fa8f49823
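Review bot: with the issue and fix-commit links added, the `TODO: check references, suggestion below` line is the only thing left to resolve on this entry; the commit link carries the `(v1.0.13)` tag, which matches the `libde265 1.0.13-1` fixed version already recorded on the line above, so once the references are accepted the TODO line should be removed rather than left to age in the queue.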
[Git][security-tracker-team/security-tracker][master] dla: take vlc
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abecc4d6 by Adrian Bunk at 2023-11-21T19:16:43+02:00 dla: take vlc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -267,7 +267,7 @@ tor varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) -- -vlc +vlc (Adrian Bunk) NOTE: 20231106: Added by Front-Desk (pochu) NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abecc4d61f7d74a20625314e98e43e4fe83d84a5
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3659-1 for gimp
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: d72f5ed6 by Adrian Bunk at 2023-11-21T17:12:14+02:00 Reserve DLA-3659-1 for gimp - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Nov 2023] DLA-3659-1 gimp - security update + {CVE-2022-30067 CVE-2023-2 CVE-2023-4} + [buster] - gimp 2.10.8-2+deb10u1 [20 Nov 2023] DLA-3658-1 wordpress - security update {CVE-2023-5561 CVE-2023-3} [buster] - wordpress 5.0.20+dfsg1-0+deb10u1 = data/dla-needed.txt = @@ -75,9 +75,6 @@ freeimage (gladk) frr NOTE: 20231119: Added by Front-Desk (apo) -- -gimp (Adrian Bunk) - NOTE: 20231117: Added by Front-Desk (apo) --- gnutls28 (Markus Koschany) NOTE: 20231117: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d72f5ed6e156dcd7fee6b5909a8e8af9b9a28b64
[Git][security-tracker-team/security-tracker][master] Track fixes via unstable for CVE-2023-43887 and CVE-2023-47471
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4195ee4e by Salvatore Bonaccorso at 2023-11-21T15:59:56+01:00 Track fixes via unstable for CVE-2023-43887 and CVE-2023-47471 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -660,8 +660,11 @@ CVE-2023-47674 (Missing authentication for critical function vulnerability in Fi NOT-FOR-US: First Corporation CVE-2023-47638 REJECTED +CVE-2023-43887 + - libde265 1.0.13-1 + TODO: check references CVE-2023-47471 (Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a ...) - - libde265 (bug #1056187) + - libde265 1.0.13-1 (bug #1056187) [bookworm] - libde265 (Minor issue) [bullseye] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/426 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4195ee4e54a641db3b51898ae9cdc64f3d4a78f8
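Review bot: the new CVE-2023-43887 entry records a fixed version (`libde265 1.0.13-1`) with no NOTE link to the upstream issue or commit it is based on, while the neighbouring CVE-2023-47471 entry cites `https://github.com/strukturag/libde265/issues/426`; a reviewer cannot tell from this hunk which upstream change the fixed version corresponds to, so the reference the TODO asks for should go in together with the entry, or the TODO should say where to look. The entry also has none of the `[bookworm]`/`[bullseye]` assessment lines its sibling carries, so the stable suites remain unassessed for this id.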
[Git][security-tracker-team/security-tracker][master] Add upstream tag for CVE-2023-47471
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d14e55df by Salvatore Bonaccorso at 2023-11-21T15:54:47+01:00 Add upstream tag for CVE-2023-47471 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -665,7 +665,7 @@ CVE-2023-47471 (Buffer Overflow vulnerability in strukturag libde265 v1.10.12 al [bookworm] - libde265 (Minor issue) [bullseye] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/426 - NOTE: https://github.com/strukturag/libde265/commit/e36b4a1b0bafa53df47514c419d5be3e8916ebc7 + NOTE: https://github.com/strukturag/libde265/commit/e36b4a1b0bafa53df47514c419d5be3e8916ebc7 (v1.0.13) CVE-2023-47470 (Buffer Overflow vulnerability in Ffmpeg before github commit 456574705 ...) - ffmpeg (Vulnerable code not in any Debian released version) NOTE: https://patchwork.ffmpeg.org/project/ffmpeg/patch/20230915131147.5945-2-michael%40niedermayer.cc/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d14e55dfbed5b6864e06ce552476a15b4e0f8d95
[Git][security-tracker-team/security-tracker][master] nvidia-graphics-drivers-tesla fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c6e712b9 by Moritz Muehlenhoff at 2023-11-21T13:05:00+01:00 nvidia-graphics-drivers-tesla fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28248,7 +28248,7 @@ CVE-2023-31022 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne [buster] - nvidia-graphics-drivers (Non-free not supported) - nvidia-open-gpu-kernel-modules (bug #1055144) [bookworm] - nvidia-open-gpu-kernel-modules (Non-free not supported) - - nvidia-graphics-drivers-tesla (bug #1055143) + - nvidia-graphics-drivers-tesla 525.147.05-1 (bug #1055143) [bookworm] - nvidia-graphics-drivers-tesla (Non-free not supported) - nvidia-graphics-drivers-tesla-470 470.223.02-1 (bug #1055142) [bookworm] - nvidia-graphics-drivers-tesla-470 (Non-free not supported) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6e712b908fbcbacf5a44ab61279e5ba4f6055da
[Git][security-tracker-team/security-tracker][master] Added strongswan to be fixed for LTS.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: deb0f964 by Ola Lundqvist at 2023-11-21T10:50:56+00:00 Added strongswan to be fixed for LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -248,6 +248,9 @@ samba squid NOTE: 20231102: Added by Front-Desk (lamby) -- +strongswan + NOTE: 20231121: Added by Front-Desk (ola) +-- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/deb0f9647143aaa2caf6b3f84c10f19645c11756
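Review bot: the new strongswan entry carries only the Front-Desk addition note and gives no hint of what the update has to cover; other entries in this file add a second NOTE line with the intended action (the vlc entry in this digest has `NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu)`), and data/CVE/list in the same digest tracks CVE-2023-41913 against strongswan, so a NOTE naming that CVE would let whoever claims the package start from the right advisory.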
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 19795f81 by Salvatore Bonaccorso at 2023-11-21T09:20:51+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,47 +1,47 @@ CVE-2023-6199 (Book Stack version 23.10.2 allows filtering local files on the server. ...) - TODO: check + NOT-FOR-US: bookstack CVE-2023-6178 (An arbitrary file write vulnerability exists where an authenticated at ...) TODO: check CVE-2023-6144 (Dev blog v1.0 allows to exploit an account takeover through the "user" ...) - TODO: check + NOT-FOR-US: Dev blog CVE-2023-6142 (Dev blog v1.0 allows to exploit an XSS through an unrestricted file up ...) - TODO: check + NOT-FOR-US: Dev blog CVE-2023-6062 (An arbitrary file write vulnerability exists where an authenticated, r ...) TODO: check CVE-2023-5553 (During internal Axis Security Development Model (ASDM) threat-modellin ...) - TODO: check + NOT-FOR-US: AXIS OS CVE-2023-5275 (Improper Input Validation vulnerability in simulation function of GX W ...) - TODO: check + NOT-FOR-US: Mitsubishi CVE-2023-5274 (Improper Input Validation vulnerability in simulation function of GX W ...) - TODO: check + NOT-FOR-US: Mitsubishi CVE-2023-4424 (An malicious BLE device can cause buffer overflow by sending malformed ...) TODO: check CVE-2023-4149 (A vulnerability in the web-based management allows an unauthenticated ...) TODO: check CVE-2023-48310 (TestingPlatform is a testing platform for Internet Security Standards. ...) - TODO: check + NOT-FOR-US: TestingPlatform CVE-2023-48192 (An issue in TOTOlink A3700R v.9.1.2u.6134_B20201202 allows a local att ...) - TODO: check + NOT-FOR-US: TOTOlink CVE-2023-48176 (An Insecure Permissions issue in WebsiteGuide v.0.2 allows a remote at ...) - TODO: check + NOT-FOR-US: WebsiteGuide CVE-2023-48051 (An issue in /upydev/keygen.py in upydev v0.4.3 allows attackers to dec ...) TODO: check CVE-2023-47311 (An issue in Yamcs 5.8.6 allows attackers to send aribitrary telelcomma ...) - TODO: check + NOT-FOR-US: Yamcs CVE-2023-47172 (Certain WithSecure products allow Local Privilege Escalation. This aff ...) 
- TODO: check + NOT-FOR-US: WithSecure CVE-2023-46935 (eyoucms v1.6.4 is vulnerable Cross Site Scripting (XSS), which can lea ...) - TODO: check + NOT-FOR-US: eyoucms CVE-2023-46471 (Cross Site Scripting vulnerability in Space Applications Services Yamc ...) - TODO: check + NOT-FOR-US: Yamcs CVE-2023-46470 (Cross Site Scripting vulnerability in Space Applications Services Yamc ...) - TODO: check + NOT-FOR-US: Yamcs CVE-2023-45886 (The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allow remote ...) TODO: check CVE-2023-42770 (Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users en ...) - TODO: check + NOT-FOR-US: Red Lion CVE-2023-40151 (When user authentication is not enabled the shell can execute commands ...) - TODO: check + NOT-FOR-US: Red Lion CVE-2023-6134 NOT-FOR-US: Keycloak CVE-2023-5764 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19795f815bd3435c0ee5dd13dfa2e1465b09b923
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3459fa64 by security tracker role at 2023-11-21T08:11:50+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,9 +1,54 @@ +CVE-2023-6199 (Book Stack version 23.10.2 allows filtering local files on the server. ...) + TODO: check +CVE-2023-6178 (An arbitrary file write vulnerability exists where an authenticated at ...) + TODO: check +CVE-2023-6144 (Dev blog v1.0 allows to exploit an account takeover through the "user" ...) + TODO: check +CVE-2023-6142 (Dev blog v1.0 allows to exploit an XSS through an unrestricted file up ...) + TODO: check +CVE-2023-6062 (An arbitrary file write vulnerability exists where an authenticated, r ...) + TODO: check +CVE-2023-5553 (During internal Axis Security Development Model (ASDM) threat-modellin ...) + TODO: check +CVE-2023-5275 (Improper Input Validation vulnerability in simulation function of GX W ...) + TODO: check +CVE-2023-5274 (Improper Input Validation vulnerability in simulation function of GX W ...) + TODO: check +CVE-2023-4424 (An malicious BLE device can cause buffer overflow by sending malformed ...) + TODO: check +CVE-2023-4149 (A vulnerability in the web-based management allows an unauthenticated ...) + TODO: check +CVE-2023-48310 (TestingPlatform is a testing platform for Internet Security Standards. ...) + TODO: check +CVE-2023-48192 (An issue in TOTOlink A3700R v.9.1.2u.6134_B20201202 allows a local att ...) + TODO: check +CVE-2023-48176 (An Insecure Permissions issue in WebsiteGuide v.0.2 allows a remote at ...) + TODO: check +CVE-2023-48051 (An issue in /upydev/keygen.py in upydev v0.4.3 allows attackers to dec ...) + TODO: check +CVE-2023-47311 (An issue in Yamcs 5.8.6 allows attackers to send aribitrary telelcomma ...) + TODO: check +CVE-2023-47172 (Certain WithSecure products allow Local Privilege Escalation. This aff ...) + TODO: check +CVE-2023-46935 (eyoucms v1.6.4 is vulnerable Cross Site Scripting (XSS), which can lea ...) + TODO: check +CVE-2023-46471 (Cross Site Scripting vulnerability in Space Applications Services Yamc ...) 
+ TODO: check +CVE-2023-46470 (Cross Site Scripting vulnerability in Space Applications Services Yamc ...) + TODO: check +CVE-2023-45886 (The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allow remote ...) + TODO: check +CVE-2023-42770 (Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users en ...) + TODO: check +CVE-2023-40151 (When user authentication is not enabled the shell can execute commands ...) + TODO: check CVE-2023-6134 NOT-FOR-US: Keycloak CVE-2023-5764 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2247629 TODO: check with Red Hat for details CVE-2023-41913 + {DSA-5560-1} - strongswan NOTE: https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-(cve-2023-41913).html NOTE: Patches: https://download.strongswan.org/security/CVE-2023-41913/ @@ -1286,7 +1331,7 @@ CVE-2023-6034 REJECTED CVE-2023-6010 REJECTED -CVE-2023-6006 (This vulnerability allows local attackers to escalate privileges on af ...) +CVE-2023-6006 (This vulnerability potentially allows local attackers to escalate priv ...) NOT-FOR-US: PaperCut NG CVE-2023-5977 REJECTED @@ -3697,6 +3742,7 @@ CVE-2023-46852 (In Memcached before 1.6.22, a buffer overflow exists when proces [buster] - memcached (The vulnerable code was introduced later) NOTE: https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767 (1.6.22) CVE-2023-46604 (The Java OpenWire protocol marshaller is vulnerable to Remote Code Ex ...) + {DLA-3657-1} - activemq 5.17.6+dfsg-1 (bug #1054909) NOTE: https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt NOTE: http://www.openwall.com/lists/oss-security/2023/10/27/5 
@@ -5864,6 +5910,7 @@ CVE-2023-5595 (Denial of Service in GitHub repository gpac/gpac prior to 2.3.0-D CVE-2023-5575 (Improper access control in the permission inheritance in Devolutions S ...) NOT-FOR-US: Devolutions Server CVE-2023-5561 (WordPress does not properly restrict which user fields are searchable ...) + {DLA-3658-1} - wordpress 6.3.2+dfsg1-1 NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ NOTE: https://core.trac.wordpress.org/changeset/56840/ @@ -6303,6 +6350,7 @@ CVE-2023-41680 (A improper neutralization of input during web page generation (' CVE-2023-40682 (IBM App Connect Enterprise 12.0.1.0 through 12.0.8.0 contains an unspe ...) NOT-FOR-US: OVM CVE-2023-3 (Exposure
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5764 with TODO item
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f74183e8 by Salvatore Bonaccorso at 2023-11-21T09:07:53+01:00 Add CVE-2023-5764 with TODO item - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,8 @@ CVE-2023-6134 NOT-FOR-US: Keycloak +CVE-2023-5764 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2247629 + TODO: check with Red Hat for details CVE-2023-41913 - strongswan NOTE: https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-(cve-2023-41913).html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f74183e88d3a94321e2d06b517f672fd5f48152c
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6134 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 15371727 by Salvatore Bonaccorso at 2023-11-21T09:06:19+01:00 Add CVE-2023-6134 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-6134 + NOT-FOR-US: Keycloak CVE-2023-41913 - strongswan NOTE: https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-(cve-2023-41913).html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15371727f3df45592b252e5336d4028963a01b46