[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2023-30577/amanda
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0042ddf1 by Salvatore Bonaccorso at 2023-12-07T07:57:36+01:00 Track fixed version via unstable for CVE-2023-30577/amanda - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32229,7 +32229,7 @@ CVE-2023-30578 RESERVED CVE-2023-30577 (AMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag- ...) {DLA-3681-1} - - amanda (bug #1055253) + - amanda 1:3.5.1-11.1 (bug #1055253) [bookworm] - amanda (Minor issue) [bullseye] - amanda (Minor issue) NOTE: https://github.com/zmanda/amanda/security/advisories/GHSA-crrw-v393-h5q3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0042ddf1d4bc72b0bf1344d97c7a2720c126764a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0042ddf1d4bc72b0bf1344d97c7a2720c126764a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
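Review bot: the entry still carries only the GHSA advisory link, so nothing in the NOTE lines pins the upstream fix that the new 1:3.5.1-11.1 unstable version is assumed to contain; the curl and ghostscript entries in this same series use `NOTE: Fixed by: <commit> (<tag>)` for exactly that purpose. Suggest adding the upstream fix commit next to the GHSA-crrw-v393-h5q3 reference, so the bookworm and bullseye "Minor issue" postponements can be re-evaluated against it later.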
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6560/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e361ec8c by Salvatore Bonaccorso at 2023-12-07T07:38:45+01:00 Add CVE-2023-6560/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2023-6560 [io_uring out of boundary memory access in __io_uaddr_map()] + - linux + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/820d070feb668aab5bc9413c285a1dda2a70e076 (6.7-rc4) CVE-2023-5384 NOT-FOR-US: Infinispan CVE-2023-6514 (The Bluetooth module of some Huawei Smart Screen products has an ident ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e361ec8c8b1eaec6bcd1ec94174bfb22a83d6b01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e361ec8c8b1eaec6bcd1ec94174bfb22a83d6b01 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
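Review bot: the three "Vulnerable code not present" annotations rest on knowing when __io_uaddr_map() was introduced, but the entry records only the fixing commit 820d070feb66 (6.7-rc4), not the introducing one. Suggest adding `NOTE: Introduced by: <commit> (<tag>)` as the curl entries do, so the claim that bookworm, bullseye and buster lack the code is verifiable from the tracker data alone rather than from whoever did the triage.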
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5384 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 53c50f1f by Salvatore Bonaccorso at 2023-12-07T07:21:04+01:00 Add CVE-2023-5384 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-5384 + NOT-FOR-US: Infinispan CVE-2023-6514 (The Bluetooth module of some Huawei Smart Screen products has an ident ...) NOT-FOR-US: Huawei CVE-2023-6459 (Mattermost is grouping calls inthe /metrics endpoint by id and reports ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53c50f1f4ce9aa8debcdd8f4245a8b22cb506d3f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53c50f1f4ce9aa8debcdd8f4245a8b22cb506d3f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
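Review bot: the new CVE-2023-5384 line has no parenthesised or bracketed description, unlike every neighbouring entry, so until the automatic update fills it in a reader has no way to sanity-check the NOT-FOR-US: Infinispan decision from the file itself. Suggest adding a short bracketed summary when hand-adding an ID ahead of the feed, as the hand-added linux and curl entries in this series do.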
[Git][security-tracker-team/security-tracker][master] 2 commits: add haproxy
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: de01f33d by Thorsten Alteholz at 2023-12-06T23:39:28+01:00 add haproxy - - - - - f3f4bfd8 by Thorsten Alteholz at 2023-12-06T23:41:21+01:00 mark CVE-2023-43628 as no-dsa for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -221,6 +221,7 @@ CVE-2023-43628 (An integer underflow vulnerability exists in the NTRIP Stream Pa - gpsd (bug #1057667) [bookworm] - gpsd (Minor issue) [bullseye] - gpsd (Minor issue) + [buster] - gpsd (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1860 NOTE: https://gitlab.com/gpsd/gpsd/-/commit/3e5c6c28c422102dd453e31912e1e79d1f7ff7f2 CVE-2023-43608 (A data integrity vulnerability exists in the BR_NO_CHECK_HASH_FOR func ...) = data/dla-needed.txt = @@ -66,6 +66,9 @@ dogecoin frr NOTE: 20231119: Added by Front-Desk (apo) -- +haproxy + NOTE: 20231206: Added by Front-Desk (ta) +-- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3b772737cd9687dac0fce23cf9e89127d54536b6...f3f4bfd83e5879ae2b6a53913d68ca9b793e274f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3b772737cd9687dac0fce23cf9e89127d54536b6...f3f4bfd83e5879ae2b6a53913d68ca9b793e274f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
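Review bot: the new dla-needed.txt entry records only "Added by Front-Desk (ta)" and not which CVE motivates a buster update; the one haproxy issue visible in this digest, CVE-2023-40225, is annotated "[buster] - haproxy (Vulnerable code not present)", so from this file alone a reader cannot tell what the LTS update is meant to fix. Suggest a second NOTE line naming the triggering CVE(s), in the same way the i2p entry directly below carries a second NOTE with its workflow pointer.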
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-43628/gpsd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b772737 by Salvatore Bonaccorso at 2023-12-06T23:04:28+01:00 Add Debian bug reference for CVE-2023-43628/gpsd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -218,7 +218,7 @@ CVE-2023-44298 (Dell PowerEdge platforms 16G Intel E5 BIOS and Dell Precision BI CVE-2023-44297 (Dell PowerEdge platforms 16G Intel E5 BIOS and Dell Precision BIOS, ve ...) NOT-FOR-US: Dell CVE-2023-43628 (An integer underflow vulnerability exists in the NTRIP Stream Parsing ...) - - gpsd + - gpsd (bug #1057667) [bookworm] - gpsd (Minor issue) [bullseye] - gpsd (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1860 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b772737cd9687dac0fce23cf9e89127d54536b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b772737cd9687dac0fce23cf9e89127d54536b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove todo item for CVE-2023-46751
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e51849a1 by Salvatore Bonaccorso at 2023-12-06T22:51:47+01:00 Remove todo item for CVE-2023-46751 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43,7 +43,6 @@ CVE-2023-46751 (An issue was discovered in the function gdev_prn_open_printer_se NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707264 (restricted) NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13c9d11d235702dff46bb74c80f7698 NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d2da96e81c7455338302c71a291088a8396245a (ghostpdl-10.02.1) - TODO: check CVE-2023-46688 (Open redirect vulnerability in Pleasanter 1.3.47.0 and earlier allows ...) NOT-FOR-US: Pleasanter CVE-2023-45210 (Pleasanter 1.3.47.0 and earlier contains an improper access control vu ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e51849a1e78ebdf48ddbcf023d906e771226d889 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e51849a1e78ebdf48ddbcf023d906e771226d889 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
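Review bot: with the TODO: check removed, CVE-2023-46751 is left with only the unstable fixed version 10.02.1~dfsg-1 and no [bookworm] or [bullseye] lines, so both stable suites stay implicitly open with no recorded triage decision (DSA planned, Minor issue, or not affected). Suggest adding the suite annotations before dropping the TODO, as was done for the gpsd and amanda entries elsewhere in this series, since the TODO was the only marker that the entry still needed a look.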
[Git][security-tracker-team/security-tracker][master] Process two more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 89d22c50 by Salvatore Bonaccorso at 2023-12-06T22:20:21+01:00 Process two more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -85,9 +85,9 @@ CVE-2023-49297 (PyDrive2 is a wrapper library of google-api-python-client that s NOTE: https://github.com/iterative/PyDrive2/security/advisories/GHSA-v5f6-hjmf-9mc5 NOTE: https://github.com/iterative/PyDrive2/commit/c57355dc2033ad90b7050d681b2c3ba548ff0004 (1.16.2) CVE-2023-49283 (microsoft-graph-core the Microsoft Graph Library for PHP. The Microsof ...) - TODO: check + NOT-FOR-US: microsoft-graph-core CVE-2023-49282 (msgraph-sdk-php is the Microsoft Graph Library for PHP. The Microsoft ...) - TODO: check + NOT-FOR-US: msgraph-sdk-php CVE-2023-48940 (A stored cross-site scripting (XSS) vulnerability in /admin.php of Dai ...) NOT-FOR-US: DaiCuo CVE-2023-48930 (xinhu xinhuoa 2.2.1 contains a File upload vulnerability.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89d22c5098f715befc76461c399ddae4572ada60 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89d22c5098f715befc76461c399ddae4572ada60 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for two curl issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f26762ab by Salvatore Bonaccorso at 2023-12-06T21:40:39+01:00 Track fixed version for two curl issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63,12 +63,12 @@ CVE-2023-34439 (Pleasanter 1.3.47.0 and earlier contains a stored cross-site scr CVE-2023-32268 (Exposure of Proxy Administrator Credentials An authenticated administ ...) NOT-FOR-US: Microfocus CVE-2023-46218 [curl: cookie mixed case PSL bypass] - - curl (bug #1057646) + - curl 8.5.0-1 (bug #1057646) NOTE: Introduced by: https://github.com/curl/curl/commit/e77b5b7453c1e8ccd7ec0816890d98e2f392e465 (curl-7_46_0) NOTE: Fixed by: https://github.com/curl/curl/commit/2b0994c29a721c91c572cff7808c572a24d251eb (curl-8_5_0) NOTE: https://curl.se/docs/CVE-2023-46218.html CVE-2023-46219 [curl: HSTS long file name clears contents] - - curl (bug #1057645) + - curl 8.5.0-1 (bug #1057645) [bullseye] - curl (curl is not built with HSTS support) NOTE: Introduced by: https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f (curl-7_84_0) NOTE: The issue is introduced with the fix for CVE-2022-32207. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f26762ab4fb57988cc9eb8b4049802114913bc5c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f26762ab4fb57988cc9eb8b4049802114913bc5c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
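Review bot: CVE-2023-46218 now has a fixed unstable version but still no [bookworm] or [bullseye] lines, even though its NOTE says the bug was introduced in curl-7_46_0, which is older than the curl shipped in either stable suite; and CVE-2023-46219 has a bullseye annotation ("curl is not built with HSTS support") but nothing for bookworm despite the curl-7_84_0 introduction note. Suggest stating the decision for each missing suite (DSA pending, or the no-dsa reason) so the tracker does not present them as untriaged once the unstable fix is recorded.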
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-46751/ghostscript
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 27299f91 by Salvatore Bonaccorso at 2023-12-06T21:33:24+01:00 Add CVE-2023-46751/ghostscript - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39,6 +39,10 @@ CVE-2023-48123 (An issue in Netgate pfSense Plus v.23.05.1 and before and pfSens CVE-2023-46773 (Permission management vulnerability in the PMS module. Successful expl ...) NOT-FOR-US: Huawei CVE-2023-46751 (An issue was discovered in the function gdev_prn_open_printer_seekable ...) + - ghostscript 10.02.1~dfsg-1 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707264 (restricted) + NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13c9d11d235702dff46bb74c80f7698 + NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d2da96e81c7455338302c71a291088a8396245a (ghostpdl-10.02.1) TODO: check CVE-2023-46688 (Open redirect vulnerability in Pleasanter 1.3.47.0 and earlier allows ...) NOT-FOR-US: Pleasanter View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27299f910646f0eef64574e63ab382669eee6b83 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27299f910646f0eef64574e63ab382669eee6b83 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
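Review bot: of the two "Fixed by" commits, only 5d2da96e81c7 is tagged with its release (ghostpdl-10.02.1); dcdbc595c13c carries no release marker, so a reader cannot tell whether 10.02.1~dfsg-1 contains both commits or only the second. Suggest tagging the first commit with the release it landed in, or adding a NOTE saying which commit is the actual fix and which is a follow-up, so the fixed-version claim is checkable.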
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bd8f54a by Salvatore Bonaccorso at 2023-12-06T21:24:55+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,63 +1,63 @@ CVE-2023-6514 (The Bluetooth module of some Huawei Smart Screen products has an ident ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-6459 (Mattermost is grouping calls inthe /metrics endpoint by id and reports ...) - mattermost-server (bug #823556) CVE-2023-6458 (Mattermost webapp fails to validateroute parameters in//cha ...) - mattermost-server (bug #823556) CVE-2023-6393 (A flaw was found in the Quarkus Cache Runtime. When request processing ...) - TODO: check + NOT-FOR-US: Quarkus CVE-2023-6288 (Code injection in Remote Desktop Manager 2023.3.9.3 and earlier on mac ...) - TODO: check + NOT-FOR-US: Devolutions CVE-2023-6273 (Permission management vulnerability in the module for disabling Sound ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-49248 (Vulnerability of unauthorized file access in the Settings app. Success ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-49247 (Permission verification vulnerability in distributed scenarios. Succes ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-49246 (Unauthorized access vulnerability in the card management module. Succe ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-49245 (Unauthorized access vulnerability in the Huawei Share module. Successf ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-49244 (Permission management vulnerability in the multi-user module. Successf ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-49243 (Vulnerability of unauthorized access to email attachments in the email ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-49242 (Free broadcast vulnerability in the running management module. Success ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-49241 (API permission control vulnerability in the network management module. ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-49240 (Unauthorized access vulnerability in the launcher module. Successful e ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-49239 (Unauthorized access vulnerability in the card management module. 
Succe ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-49096 (Jellyfin is a Free Software Media System for managing and streaming me ...) - jellyfin (bug #994189) CVE-2023-48859 (TOTOLINK A3002RU version 2.0.0-B20190902.1958 has a post-authenticatio ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-48123 (An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v ...) - TODO: check + NOT-FOR-US: Netgate pfSense Plus CVE-2023-46773 (Permission management vulnerability in the PMS module. Successful expl ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-46751 (An issue was discovered in the function gdev_prn_open_printer_seekable ...) TODO: check CVE-2023-46688 (Open redirect vulnerability in Pleasanter 1.3.47.0 and earlier allows ...) - TODO: check + NOT-FOR-US: Pleasanter CVE-2023-45210 (Pleasanter 1.3.47.0 and earlier contains an improper access control vu ...) - TODO: check + NOT-FOR-US: Pleasanter CVE-2023-44113 (Vulnerability of missing permission verification for APIs in the Desig ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-44099 (Vulnerability of data verification errors in the kernel module. Succes ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39539 (AMI AptioV contains a vulnerability in BIOS where a User may cause an ...) - TODO: check + NOT-FOR-US: AMI AptioV CVE-2023-39538 (AMI AptioV contains a vulnerability in BIOS where a User may cause an ...) - TODO: check + NOT-FOR-US: AMI AptioV CVE-2023-36655 (The login REST API in ProLion CryptoSpike 3.0.15P2 (when LDAP or Activ ...) - TODO: check + NOT-FOR-US: ProLion CryptoSpike CVE-2023-34439 (Pleasanter 1.3.47.0 and earlier contains a stored cross-site scripting ...) - TODO: check + NOT-FOR-US: Pleasanter CVE-2023-32268 (Exposure of Proxy Administrator Credentials An authenticated administ ...) 
- TODO: check + NOT-FOR-US: Microfocus CVE-2023-46218 [curl: cookie mixed case PSL bypass] - curl (bug #1057646) NOTE: Introduced by: https://github.com/curl/curl/commit/e77b5b7453c1e8ccd7ec0816890d98e2f392e465 (curl-7_46_0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bd8f54aada77e2f071786ca17f06070727a613b -- View it on GitLab:
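Review bot: the NOT-FOR-US reason for CVE-2023-48123 reads "Netgate pfSense Plus", but the description names both "pfSense Plus v.23.05.1" and "pfSense CE"; since the NFU string is what later greps and reviews key on, "Netgate pfSense" (or naming both editions) would be the more accurate marker. The remaining NFU reasons in the batch match the vendors named in their descriptions.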
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-49096/jellyfin, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fc0f85ef by Salvatore Bonaccorso at 2023-12-06T21:24:00+01:00 Add CVE-2023-49096/jellyfin, itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31,7 +31,7 @@ CVE-2023-49240 (Unauthorized access vulnerability in the launcher module. Succes CVE-2023-49239 (Unauthorized access vulnerability in the card management module. Succe ...) TODO: check CVE-2023-49096 (Jellyfin is a Free Software Media System for managing and streaming me ...) - TODO: check + - jellyfin (bug #994189) CVE-2023-48859 (TOTOLINK A3002RU version 2.0.0-B20190902.1958 has a post-authenticatio ...) TODO: check CVE-2023-48123 (An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc0f85ef9d89af62bd16f810d44588e67ddb10c5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc0f85ef9d89af62bd16f810d44588e67ddb10c5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
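Review bot: the jellyfin entry gains the ITP bug #994189 but no NOTE with the upstream advisory or fixing commit, unlike the PyDrive2 entry in this series, which records both the GHSA link and the fix commit with its release. Because the package is not in the archive yet, that upstream reference is the only thing that will let a future upload be checked as fixed; suggest adding it now while the advisory is at hand.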
[Git][security-tracker-team/security-tracker][master] Process two issues for mattermost
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fcff8af4 by Salvatore Bonaccorso at 2023-12-06T21:21:46+01:00 Process two issues for mattermost One might actually not be in mattermost-server but in another component, webapp, but I'm not completely sure. The fallout of having it falsely associated with mattermost-server once it might enter the archive and rectify then is negligible. So choose to be on the safe side. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2023-6514 (The Bluetooth module of some Huawei Smart Screen products has an ident ...) TODO: check CVE-2023-6459 (Mattermost is grouping calls inthe /metrics endpoint by id and reports ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-6458 (Mattermost webapp fails to validateroute parameters in//cha ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-6393 (A flaw was found in the Quarkus Cache Runtime. When request processing ...) TODO: check CVE-2023-6288 (Code injection in Remote Desktop Manager 2023.3.9.3 and earlier on mac ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcff8af40efdc922bf2b0561b90428bb8e7d0bae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcff8af40efdc922bf2b0561b90428bb8e7d0bae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
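Review bot: the doubt stated in the commit message, that CVE-2023-6458 ("Mattermost webapp fails to validate route parameters") may belong to a separate webapp component rather than mattermost-server, does not make it into data/CVE/list; only the git log records it. Suggest a NOTE line on the CVE-2023-6458 entry saying the component attribution is provisional, so whoever processes the ITP later knows to re-check it instead of trusting the mattermost-server binding.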
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 14535fca by security tracker role at 2023-12-06T20:12:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,63 @@ +CVE-2023-6514 (The Bluetooth module of some Huawei Smart Screen products has an ident ...) + TODO: check +CVE-2023-6459 (Mattermost is grouping calls inthe /metrics endpoint by id and reports ...) + TODO: check +CVE-2023-6458 (Mattermost webapp fails to validateroute parameters in//cha ...) + TODO: check +CVE-2023-6393 (A flaw was found in the Quarkus Cache Runtime. When request processing ...) + TODO: check +CVE-2023-6288 (Code injection in Remote Desktop Manager 2023.3.9.3 and earlier on mac ...) + TODO: check +CVE-2023-6273 (Permission management vulnerability in the module for disabling Sound ...) + TODO: check +CVE-2023-49248 (Vulnerability of unauthorized file access in the Settings app. Success ...) + TODO: check +CVE-2023-49247 (Permission verification vulnerability in distributed scenarios. Succes ...) + TODO: check +CVE-2023-49246 (Unauthorized access vulnerability in the card management module. Succe ...) + TODO: check +CVE-2023-49245 (Unauthorized access vulnerability in the Huawei Share module. Successf ...) + TODO: check +CVE-2023-49244 (Permission management vulnerability in the multi-user module. Successf ...) + TODO: check +CVE-2023-49243 (Vulnerability of unauthorized access to email attachments in the email ...) + TODO: check +CVE-2023-49242 (Free broadcast vulnerability in the running management module. Success ...) + TODO: check +CVE-2023-49241 (API permission control vulnerability in the network management module. ...) + TODO: check +CVE-2023-49240 (Unauthorized access vulnerability in the launcher module. Successful e ...) + TODO: check +CVE-2023-49239 (Unauthorized access vulnerability in the card management module. Succe ...) + TODO: check +CVE-2023-49096 (Jellyfin is a Free Software Media System for managing and streaming me ...) + TODO: check +CVE-2023-48859 (TOTOLINK A3002RU version 2.0.0-B20190902.1958 has a post-authenticatio ...) 
+ TODO: check +CVE-2023-48123 (An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v ...) + TODO: check +CVE-2023-46773 (Permission management vulnerability in the PMS module. Successful expl ...) + TODO: check +CVE-2023-46751 (An issue was discovered in the function gdev_prn_open_printer_seekable ...) + TODO: check +CVE-2023-46688 (Open redirect vulnerability in Pleasanter 1.3.47.0 and earlier allows ...) + TODO: check +CVE-2023-45210 (Pleasanter 1.3.47.0 and earlier contains an improper access control vu ...) + TODO: check +CVE-2023-44113 (Vulnerability of missing permission verification for APIs in the Desig ...) + TODO: check +CVE-2023-44099 (Vulnerability of data verification errors in the kernel module. Succes ...) + TODO: check +CVE-2023-39539 (AMI AptioV contains a vulnerability in BIOS where a User may cause an ...) + TODO: check +CVE-2023-39538 (AMI AptioV contains a vulnerability in BIOS where a User may cause an ...) + TODO: check +CVE-2023-36655 (The login REST API in ProLion CryptoSpike 3.0.15P2 (when LDAP or Activ ...) + TODO: check +CVE-2023-34439 (Pleasanter 1.3.47.0 and earlier contains a stored cross-site scripting ...) + TODO: check +CVE-2023-32268 (Exposure of Proxy Administrator Credentials An authenticated administ ...) + TODO: check CVE-2023-46218 [curl: cookie mixed case PSL bypass] - curl (bug #1057646) NOTE: Introduced by: https://github.com/curl/curl/commit/e77b5b7453c1e8ccd7ec0816890d98e2f392e465 (curl-7_46_0) @@ -53,7 +113,7 @@ CVE-2023-6509 (Use after free in Side Panel Search in Google Chrome prior to 120 CVE-2023-6508 (Use after free in Media Stream in Google Chrome prior to 120.0.6099.62 ...) - chromium [buster] - chromium (see DSA 5046) -CVE-2023-39326 [net/http: limit chunked data overhead] +CVE-2023-39326 (A malicious HTTP sender can use chunk extensions to cause a receiver r ...) - golang-1.21 1.21.5-1 - golang-1.20 1.20.12-1 - golang-1.19 
@@ -64,7 +124,7 @@ CVE-2023-39326 [net/http: limit chunked data overhead] NOTE: https://go.dev/issue/64433 NOTE: https://github.com/golang/go/commit/ec8c526e4be720e94b98ca509e6364f0efaf28f7 (go1.21.5) NOTE: https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd (go1.20.12) -CVE-2023-45285 [cmd/go: go get may unexpectedly fallback to insecure git] +CVE-2023-45285 (Using go get to fetch a module with the ".git" suffix may unexpectedly ...) - golang-1.21 1.21.5-1 - golang-1.20
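Review bot: several imported descriptions have lost inter-word whitespace ("grouping calls inthe /metrics endpoint", "fails to validateroute parameters in//cha"), which points at the feed or the importer collapsing a newline or double space rather than at malformed upstream text; worth checking the description source before these strings are copied into DSA or DLA texts. Replacing the hand-written [net/http: ...] and [cmd/go: ...] titles with the published CVE text is the expected behaviour once the descriptions are public.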
[Git][security-tracker-team/security-tracker][master] CVE-2023-40225: Reference commits in 2.2 and 2.6 repository
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0129cd08 by Salvatore Bonaccorso at 2023-12-06T16:27:22+01:00 CVE-2023-40225: Reference commits in 2.2 and 2.6 repository - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18245,6 +18245,8 @@ CVE-2023-40225 (HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x an [buster] - haproxy (Vulnerable code not present) NOTE: https://github.com/haproxy/haproxy/issues/2237 NOTE: https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856 + NOTE: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=e8ba5e106444fc78558f4ff26e9ce946f89216f4 (v2.2.31) + NOTE: https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=d17c50010d591d1c070e1cb0567a06032d8869e9 (v2.6.15) CVE-2023-4283 (The EmbedPress plugin for WordPress is vulnerable to Stored Cross-Site ...) NOT-FOR-US: EmbedPress plugin for WordPress CVE-2023-4282 (The EmbedPress plugin for WordPress is vulnerable to unauthorized loss ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0129cd0870ed36ac3cea54d3a58c28ab9c1e2a34 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0129cd0870ed36ac3cea54d3a58c28ab9c1e2a34 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
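Review bot: the two new stable-branch references are tagged with their releases (v2.2.31, v2.6.15) while the existing mainline commit 6492f1f29d73 is not; tagging it with the development release it landed in would make the entry read consistently and give the bookworm/bullseye backports a common reference point. The v2.2.31 pointer is consistent with the description's "2.2.x through 2.2.30" affected range.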
[Git][security-tracker-team/security-tracker][master] Take haproxy from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cdce5b71 by Salvatore Bonaccorso at 2023-12-06T16:17:52+01:00 Take haproxy from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -26,7 +26,7 @@ gpac/oldstable -- h2o (jmm) -- -haproxy +haproxy (carnil) -- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdce5b710215ef1eceb05b5b6c906d06795a4b48 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdce5b710215ef1eceb05b5b6c906d06795a4b48 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] xen updates for spu fixes and bullseye EOL
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f0dddaea by Moritz Muehlenhoff at 2023-12-06T15:21:59+01:00 xen updates for spu fixes and bullseye EOL - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -9819,30 +9819,44 @@ CVE-2023-34324 [linux/xen: Possible deadlock in Linux kernel event handling] NOTE: https://git.kernel.org/linus/87797fad6cce28ec9be3c13f031776ff4f104cfc (6.6-rc6) CVE-2023-46836 [x86: BTC/SRSO fixes not fully effective] - xen 4.17.2+76-ge1f9cb16e2-1 (bug #1056928) + [bookworm] - xen (Will be fixed via point release) + [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-446.html CVE-2023-46835 [x86/AMD: mismatch in IOMMU quarantine page table levels] - xen 4.17.2+76-ge1f9cb16e2-1 (bug #1056928) + [bookworm] - xen (Will be fixed via point release) + [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-445.html CVE-2023-34328 [A PV vCPU can place a breakpoint over the live GDT] - xen 4.17.2+55-g0b56bed864-1 + [bookworm] - xen (Will be fixed via point release) + [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-444.html CVE-2023-34327 [An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state] - xen 4.17.2+55-g0b56bed864-1 + [bookworm] - xen (Will be fixed via point release) + [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-444.html CVE-2023-34325 [Multiple vulnerabilities in libfsimage disk handling] - xen 4.17.2+55-g0b56bed864-1 + [bookworm] - xen (Will be fixed via point release) + [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-443.html CVE-2023-34326 [x86/AMD: missing IOMMU TLB flushing] - xen 4.17.2+55-g0b56bed864-1 + [bookworm] - xen (Will be fixed via point release) + [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-442.html CVE-2023-34323 [xenstored: A transaction conflict can crash C Xenstored] - xen 4.17.2+55-g0b56bed864-1 (unimportant) + [bookworm] - xen (Will be 
fixed via point release) + [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-440.html NOTE: Debian uses the ocaml-based xenstored @@ -14850,14 +14864,14 @@ CVE-2023-40743 (** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x NOTE: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 CVE-2023-34322 [top-level shadow reference dropped too early for 64-bit PV guests] - xen 4.17.2+55-g0b56bed864-1 - [bookworm] - xen (Minor issue, fix along in future DSA or point release) - [bullseye] - xen (Minor issue, fix along in future DSA or point release) + [bookworm] - xen (Will be fixed via point release) + [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-438.html CVE-2023-34321 [arm32: The cache may not be properly cleaned/invalidated] - xen 4.17.2+55-g0b56bed864-1 (bug #1051954) - [bookworm] - xen (Minor issue, fix along in future DSA) - [bullseye] - xen (Minor issue, fix along in future DSA) + [bookworm] - xen (Will be fixed via point release) + [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-437.html CVE-2023-4758 (Buffer Over-read in GitHub repository gpac/gpac prior to 2.3-DEV.) @@ -19686,8 +19700,8 @@ CVE-2023-3971 (An HTML injection flaw was found in Controller in the user interf NOT-FOR-US: Red Hat Ansible Automation Controller CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77] - xen 4.17.2-1 - [bookworm] - xen (Minor issue) - [bullseye] - xen (Minor issue) + [bookworm] - xen (Will be fixed via point release) + [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://www.openwall.com/lists/oss-security/2023/08/01/1 NOTE: https://xenbits.xen.org/xsa/advisory-436.html 
@@ -73679,8 +73693,8 @@ CVE-2023-20588 (A division-by-zero error on some AMD processors can potentially - linux 6.4.13-1 [bullseye] - linux 5.10.197-1 - xen 4.17.2+55-g0b56bed864-1 - [bookworm] - xen (Minor issue, fix along in future DSA or point release) -
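Review bot: the added "[bookworm] - xen (Will be fixed via point release)" line for CVE-2023-34323 sits under an unstable entry tagged (unimportant), and the NOTE explains that Debian uses the ocaml-based xenstored, so the C Xenstored crash does not apply to the shipped configuration; either carry the unimportant rationale onto the bookworm line as well or word it as the fix merely riding along in the point release, otherwise the entry reads as though a security fix were still pending for bookworm.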
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-49297/pydrive2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 52a74559 by Salvatore Bonaccorso at 2023-12-06T14:58:15+01:00 Add Debian bug reference for CVE-2023-49297/pydrive2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,7 @@ CVE-2023-5970 (Improper authentication in the SMA100 SSL-VPN virtual office port CVE-2023-49897 (An OS command injection vulnerability exists in AE1021PE firmware vers ...) NOT-FOR-US: AE1021PE firmware CVE-2023-49297 (PyDrive2 is a wrapper library of google-api-python-client that simplif ...) - - pydrive2 + - pydrive2 (bug #1057647) NOTE: https://github.com/iterative/PyDrive2/security/advisories/GHSA-v5f6-hjmf-9mc5 NOTE: https://github.com/iterative/PyDrive2/commit/c57355dc2033ad90b7050d681b2c3ba548ff0004 (1.16.2) CVE-2023-49283 (microsoft-graph-core the Microsoft Graph Library for PHP. The Microsof ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52a74559b5dbb4f735649aa21a061b875eef927c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52a74559b5dbb4f735649aa21a061b875eef927c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for curl issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e8298df0 by Salvatore Bonaccorso at 2023-12-06T14:47:53+01:00 Add Debian bug references for curl issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,10 +1,10 @@ CVE-2023-46218 [curl: cookie mixed case PSL bypass] - - curl + - curl (bug #1057646) NOTE: Introduced by: https://github.com/curl/curl/commit/e77b5b7453c1e8ccd7ec0816890d98e2f392e465 (curl-7_46_0) NOTE: Fixed by: https://github.com/curl/curl/commit/2b0994c29a721c91c572cff7808c572a24d251eb (curl-8_5_0) NOTE: https://curl.se/docs/CVE-2023-46218.html CVE-2023-46219 [curl: HSTS long file name clears contents] - - curl + - curl (bug #1057645) [bullseye] - curl (curl is not built with HSTS support) NOTE: Introduced by: https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f (curl-7_84_0) NOTE: The issue is introduced with the fix for CVE-2022-32207. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8298df0e5f2d3f16c05d221bd21f36d34a84088 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8298df0e5f2d3f16c05d221bd21f36d34a84088 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take tzdata
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f35a06b by Emilio Pozuelo Monfort at 2023-12-06T11:29:10+01:00 lts: take tzdata - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -223,6 +223,9 @@ tomcat9 tor NOTE: 20231119: Added by Front-Desk (apo) -- +tzdata (Emilio) + NOTE: 20231206: Added by pochu +-- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f35a06bf4ea12fc9ddc9f3d5e9af720069f983d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f35a06bf4ea12fc9ddc9f3d5e9af720069f983d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Correct upstream tag information for CVE-2023-45539
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5422bc81 by Salvatore Bonaccorso at 2023-12-06T11:06:32+01:00 Correct upstream tag information for CVE-2023-45539 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1492,7 +1492,7 @@ CVE-2023-45539 (HAProxy before 2.8.2 accepts # as part of the URI component, whi NOTE: https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html NOTE: https://github.com/haproxy/haproxy/commit/2eab6d354322932cfec2ed54de261e4347eca9a6 (v2.9-dev3) NOTE: https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=832b672eee54866c7a42a1d46078cc9ae0d544d9 (v2.6.15) - NOTE: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=178cea76b1c9d9413afa6961b6a4576fcb5b26fa (v2.3.31) + NOTE: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=178cea76b1c9d9413afa6961b6a4576fcb5b26fa (v2.2.31) CVE-2023-45286 (A race condition in go-resty can result in HTTP request body disclosur ...) - golang-github-go-resty-resty (bug #1057226) [bookworm] - golang-github-go-resty-resty (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5422bc81523790319b175d684079a88997419bf0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5422bc81523790319b175d684079a88997419bf0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 30867de7 by Moritz Muehlenhoff at 2023-12-06T10:46:03+01:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -57,7 +57,9 @@ CVE-2023-39326 [net/http: limit chunked data overhead] - golang-1.21 1.21.5-1 - golang-1.20 1.20.12-1 - golang-1.19 + [bookworm] - golang-1.19 (Minor issue) - golang-1.15 + [bullseye] - golang-1.15 (Minor issue) - golang-1.11 NOTE: https://go.dev/issue/64433 NOTE: https://github.com/golang/go/commit/ec8c526e4be720e94b98ca509e6364f0efaf28f7 (go1.21.5) @@ -66,7 +68,9 @@ CVE-2023-45285 [cmd/go: go get may unexpectedly fallback to insecure git] - golang-1.21 1.21.5-1 - golang-1.20 1.20.12-1 - golang-1.19 + [bookworm] - golang-1.19 (Minor issue) - golang-1.15 + [bullseye] - golang-1.15 (Minor issue) - golang-1.11 NOTE: https://go.dev/issue/63845 NOTE: https://github.com/golang/go/commit/23c943e5296c6fa3a6f9433bd929306c4dbf2aa3 (go1.21.5) @@ -152,6 +156,8 @@ CVE-2023-44297 (Dell PowerEdge platforms 16G Intel E5 BIOS and Dell Precision BI NOT-FOR-US: Dell CVE-2023-43628 (An integer overflow vulnerability exists in the NTRIP Stream Parsing f ...) - gpsd + [bookworm] - gpsd (Minor issue) + [bullseye] - gpsd (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1860 NOTE: https://gitlab.com/gpsd/gpsd/-/commit/3e5c6c28c422102dd453e31912e1e79d1f7ff7f2 CVE-2023-43608 (A data integrity vulnerability exists in the BR_NO_CHECK_HASH_FOR func ...) 
@@ -8775,6 +8781,8 @@ CVE-2023-40682 (IBM App Connect Enterprise 12.0.1.0 through 12.0.8.0 contains an CVE-2023-3 (Exposure of Sensitive Information to an Unauthorized Actor in WordPres ...) {DLA-3658-1} - wordpress 6.3.2+dfsg1-1 + [bookworm] - wordpress (Minor issue) + [bullseye] - wordpress (Minor issue) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ NOTE: https://core.trac.wordpress.org/changeset/56843/ CVE-2023-39960 (Nextcloud Server provides data storage for Nextcloud, an open source c ...) @@ -90460,6 +90468,7 @@ CVE-2022-2851 CVE-2022-2850 (A flaw was found In 389-ds-base. When the Content Synchronization plug ...) {DLA-3399-1} - 389-ds-base 2.3.1-1 (bug #1018054) + [bullseye] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2118691 NOTE: https://github.com/389ds/389-ds-base/issues/4711#issuecomment-1205100979 NOTE: https://github.com/389ds/389-ds-base/issues/5418 = data/dsa-needed.txt = @@ -26,6 +26,8 @@ gpac/oldstable -- h2o (jmm) -- +haproxy +-- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30867de72c030a7ee243172c7b235dbf4b2e4ae9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30867de72c030a7ee243172c7b235dbf4b2e4ae9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
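Review bot: in the CVE-2023-39326 hunk (and the identical CVE-2023-45285 hunk) golang-1.19 and golang-1.15 receive suite annotations, but "- golang-1.11" is left without one; if that source package exists only in buster, a "[buster] - golang-1.11 (...)" line, or a note saying why LTS triage is deferred, is missing in both hunks.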
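Review bot: the new "+haproxy" entry in data/dsa-needed.txt has neither an assignee nor a NOTE line, unlike the neighbouring libreswan entry which records its status; add at least a note naming the issue and the suites the DSA is meant to cover so the next person picking it up does not have to rediscover the context.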
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-39326 and CVE-2023-45285 for golang-1.21
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5aa378b2 by Salvatore Bonaccorso at 2023-12-06T10:05:37+01:00 Track fixed version for CVE-2023-39326 and CVE-2023-45285 for golang-1.21 Bump as well the tracked version for CVE-2023-45283 for the complete fix version. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54,7 +54,7 @@ CVE-2023-6508 (Use after free in Media Stream in Google Chrome prior to 120.0.60 - chromium [buster] - chromium (see DSA 5046) CVE-2023-39326 [net/http: limit chunked data overhead] - - golang-1.21 + - golang-1.21 1.21.5-1 - golang-1.20 1.20.12-1 - golang-1.19 - golang-1.15 @@ -63,7 +63,7 @@ CVE-2023-39326 [net/http: limit chunked data overhead] NOTE: https://github.com/golang/go/commit/ec8c526e4be720e94b98ca509e6364f0efaf28f7 (go1.21.5) NOTE: https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd (go1.20.12) CVE-2023-45285 [cmd/go: go get may unexpectedly fallback to insecure git] - - golang-1.21 + - golang-1.21 1.21.5-1 - golang-1.20 1.20.12-1 - golang-1.19 - golang-1.15 
@@ -4566,7 +4566,7 @@ CVE-2023-45284 (On Windows, The IsLocal function does not correctly detect reser NOTE: https://github.com/golang/go/commit/46fb78168596f7ce8834f528bb0eb9555c08bcae (go1.20.11) NOTE: No security impact for Debian packages, only affects code running on Windows CVE-2023-45283 (The filepath package does not recognize paths with a \??\ prefix as sp ...) - - golang-1.21 1.21.4-1 (unimportant) + - golang-1.21 1.21.5-1 (unimportant) - golang-1.20 1.20.12-1 (unimportant) - golang-1.19 (unimportant) - golang-1.15 (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5aa378b2932f3a7de1288077659d310e40a1bf6b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5aa378b2932f3a7de1288077659d310e40a1bf6b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
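Review bot: the second hunk bumps the CVE-2023-45283 golang-1.21 version from 1.21.4-1 to 1.21.5-1 because, per the commit message, that is the complete fix, but the visible diff records no NOTE with the go1.21.5 follow-up commit, whereas the CVE-2023-39326 and CVE-2023-45285 entries cite the upstream commit beside its tag; if such a NOTE is not already below the shown context, add it so the version bump is traceable.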
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-39326 and CVE-2023-45285 for golang-1.20
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ed4e647b by Salvatore Bonaccorso at 2023-12-06T10:03:40+01:00 Track fixed version for CVE-2023-39326 and CVE-2023-45285 for golang-1.20 Bump as well the tracked version for CVE-2023-45283 for the complete fix version. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55,7 +55,7 @@ CVE-2023-6508 (Use after free in Media Stream in Google Chrome prior to 120.0.60 [buster] - chromium (see DSA 5046) CVE-2023-39326 [net/http: limit chunked data overhead] - golang-1.21 - - golang-1.20 + - golang-1.20 1.20.12-1 - golang-1.19 - golang-1.15 - golang-1.11 @@ -64,7 +64,7 @@ CVE-2023-39326 [net/http: limit chunked data overhead] NOTE: https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd (go1.20.12) CVE-2023-45285 [cmd/go: go get may unexpectedly fallback to insecure git] - golang-1.21 - - golang-1.20 + - golang-1.20 1.20.12-1 - golang-1.19 - golang-1.15 - golang-1.11 
@@ -4567,7 +4567,7 @@ CVE-2023-45284 (On Windows, The IsLocal function does not correctly detect reser NOTE: No security impact for Debian packages, only affects code running on Windows CVE-2023-45283 (The filepath package does not recognize paths with a \??\ prefix as sp ...) - golang-1.21 1.21.4-1 (unimportant) - - golang-1.20 1.20.11-1 (unimportant) + - golang-1.20 1.20.12-1 (unimportant) - golang-1.19 (unimportant) - golang-1.15 (unimportant) - golang-1.11 (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed4e647bcfe861389b13e0492c80a787d6ba7c3f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed4e647bcfe861389b13e0492c80a787d6ba7c3f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Annotate commits with upstream tags for curl issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ddb0538 by Salvatore Bonaccorso at 2023-12-06T09:56:50+01:00 Annotate commits with upstream tags for curl issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,14 @@ CVE-2023-46218 [curl: cookie mixed case PSL bypass] - curl - NOTE: https://github.com/curl/curl/commit/2b0994c29a721c91c57 + NOTE: Introduced by: https://github.com/curl/curl/commit/e77b5b7453c1e8ccd7ec0816890d98e2f392e465 (curl-7_46_0) + NOTE: Fixed by: https://github.com/curl/curl/commit/2b0994c29a721c91c572cff7808c572a24d251eb (curl-8_5_0) NOTE: https://curl.se/docs/CVE-2023-46218.html CVE-2023-46219 [curl: HSTS long file name clears contents] - curl [bullseye] - curl (curl is not built with HSTS support) - NOTE: https://github.com/curl/curl/commit/73b65e94f3531179de45 + NOTE: Introduced by: https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f (curl-7_84_0) + NOTE: The issue is introduced with the fix for CVE-2022-32207. + NOTE: Fixed by: https://github.com/curl/curl/commit/73b65e94f3531179de45c6f3c836a610e3d0a846 (curl-8_5_0) NOTE: https://curl.se/docs/CVE-2023-46219.html CVE-2023-6527 (The Email Subscription Popup plugin for WordPress is vulnerable to Ref ...) NOT-FOR-US: WordPress plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ddb05383ea9451ce288f5b2363cc62339f67775 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ddb05383ea9451ce288f5b2363cc62339f67775 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new curl issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bee6b196 by Moritz Muehlenhoff at 2023-12-06T09:45:31+01:00 new curl issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,12 @@ +CVE-2023-46218 [curl: cookie mixed case PSL bypass] + - curl + NOTE: https://github.com/curl/curl/commit/2b0994c29a721c91c57 + NOTE: https://curl.se/docs/CVE-2023-46218.html +CVE-2023-46219 [curl: HSTS long file name clears contents] + - curl + [bullseye] - curl (curl is not built with HSTS support) + NOTE: https://github.com/curl/curl/commit/73b65e94f3531179de45 + NOTE: https://curl.se/docs/CVE-2023-46219.html CVE-2023-6527 (The Email Subscription Popup plugin for WordPress is vulnerable to Ref ...) NOT-FOR-US: WordPress plugin CVE-2023-5970 (Improper authentication in the SMA100 SSL-VPN virtual office portal al ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bee6b19626d15d6f6cd98cd77c1361f956189ea4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bee6b19626d15d6f6cd98cd77c1361f956189ea4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
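Review bot: the two added NOTE lines cite abbreviated commit ids (2b0994c29a721c91c57 and 73b65e94f3531179de45); the surrounding entries use full 40-character hashes followed by the upstream tag in parentheses, so expand both references to the full hash and tag so they stay resolvable if the short form ever becomes ambiguous.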
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ca12182 by Salvatore Bonaccorso at 2023-12-06T09:34:42+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2023-6527 (The Email Subscription Popup plugin for WordPress is vulnerable to Ref ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5970 (Improper authentication in the SMA100 SSL-VPN virtual office portal al ...) - TODO: check + NOT-FOR-US: SonicWall CVE-2023-49897 (An OS command injection vulnerability exists in AE1021PE firmware vers ...) - TODO: check + NOT-FOR-US: AE1021PE firmware CVE-2023-49297 (PyDrive2 is a wrapper library of google-api-python-client that simplif ...) - pydrive2 NOTE: https://github.com/iterative/PyDrive2/security/advisories/GHSA-v5f6-hjmf-9mc5 
@@ -13,19 +13,19 @@ CVE-2023-49283 (microsoft-graph-core the Microsoft Graph Library for PHP. The Mi CVE-2023-49282 (msgraph-sdk-php is the Microsoft Graph Library for PHP. The Microsoft ...) TODO: check CVE-2023-48940 (A stored cross-site scripting (XSS) vulnerability in /admin.php of Dai ...) - TODO: check + NOT-FOR-US: DaiCuo CVE-2023-48930 (xinhu xinhuoa 2.2.1 contains a File upload vulnerability.) - TODO: check + NOT-FOR-US: xinhu xinhuoa CVE-2023-48849 (Ruijie EG Series Routers version EG_3.0(1)B11P216 and before allows un ...) - TODO: check + NOT-FOR-US: Ruijie EG Series Routers CVE-2023-46736 (EspoCRM is an Open Source CRM (Customer Relationship Management) softw ...) - TODO: check + NOT-FOR-US: EspoCRM CVE-2023-44221 (Improper neutralization of special elements in the SMA100 SSL-VPN mana ...) - TODO: check + NOT-FOR-US: SonicWall CVE-2023-41268 (Improper input validation vulnerability in Samsung Open Source Escargo ...) - TODO: check + NOT-FOR-US: Samsung CVE-2023-40053 (A vulnerability has been identified within Serv-U 15.4 that allows an ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2023-6512 (Inappropriate implementation in Web Browser UI in Google Chrome prior ...) - chromium [buster] - chromium (see DSA 5046) @@ -37302,9 +37302,9 @@ CVE-2023-28878 CVE-2023-28877 (The VTEX apps-graphql@2.x GraphQL API module does not properly restric ...) NOT-FOR-US: VTEX apps-graphql@2.x GraphQL API module CVE-2023-28876 (A Broken Access Control issue in comments to uploaded files in Filerun ...) - TODO: check + NOT-FOR-US: Filerun CVE-2023-28875 (A Stored XSS issue in shared files download terms in Filerun Update 20 ...) - TODO: check + NOT-FOR-US: Filerun CVE-2023-28874 RESERVED CVE-2023-28873 
@@ -50697,7 +50697,7 @@ CVE-2023-24549 (A vulnerability has been identified in Solid Edge SE2022 (All ve CVE-2023-24548 (On affected platforms running Arista EOS with VXLAN configured, malfor ...) NOT-FOR-US: Arista CVE-2023-24547 (On affected platforms running Arista MOS, the configuration of a BGP p ...) - TODO: check + NOT-FOR-US: Arista CVE-2023-24546 (On affected versions of the CloudVision Portal improper access control ...) NOT-FOR-US: Arista CVE-2023-24545 (On affected platforms running Arista CloudEOS an issue in the Software ...) @@ -57363,11 +57363,11 @@ CVE-2023-22526 CVE-2023-22525 RESERVED CVE-2023-22524 (Certain versions of the Atlassian Companion App for MacOS were affecte ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2023-22523 (This vulnerability, if exploited, allows an attacker to perform privil ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2023-22522 (This Template Injection vulnerability allows an authenticated attacker ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2023-22521 (This High severity RCE (Remote Code Execution) vulnerability was intro ...) NOT-FOR-US: Crowd Data Center and Server CVE-2023-22520 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca12182471ef3510a0bb602315128bb3063b7be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca12182471ef3510a0bb602315128bb3063b7be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-49297/pydrive2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 03ee0f61 by Salvatore Bonaccorso at 2023-12-06T09:33:28+01:00 Add CVE-2023-49297/pydrive2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,9 @@ CVE-2023-5970 (Improper authentication in the SMA100 SSL-VPN virtual office port CVE-2023-49897 (An OS command injection vulnerability exists in AE1021PE firmware vers ...) TODO: check CVE-2023-49297 (PyDrive2 is a wrapper library of google-api-python-client that simplif ...) - TODO: check + - pydrive2 + NOTE: https://github.com/iterative/PyDrive2/security/advisories/GHSA-v5f6-hjmf-9mc5 + NOTE: https://github.com/iterative/PyDrive2/commit/c57355dc2033ad90b7050d681b2c3ba548ff0004 (1.16.2) CVE-2023-49283 (microsoft-graph-core the Microsoft Graph Library for PHP. The Microsof ...) TODO: check CVE-2023-49282 (msgraph-sdk-php is the Microsoft Graph Library for PHP. The Microsoft ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03ee0f61ee78a966186a26e2f3dbc540c21e0212 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03ee0f61ee78a966186a26e2f3dbc540c21e0212 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
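Review bot: the new "- pydrive2" line carries no Debian bug reference, while the fix is already identified (the 1.16.2 commit in the NOTE); entries waiting on a maintainer upload normally read "- pydrive2 (bug #NNNNNN)", so file the bug and record its number here in the same commit.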
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 52ceeeff by security tracker role at 2023-12-06T08:12:00+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,16 +1,42 @@ -CVE-2023-6512 +CVE-2023-6527 (The Email Subscription Popup plugin for WordPress is vulnerable to Ref ...) + TODO: check +CVE-2023-5970 (Improper authentication in the SMA100 SSL-VPN virtual office portal al ...) + TODO: check +CVE-2023-49897 (An OS command injection vulnerability exists in AE1021PE firmware vers ...) + TODO: check +CVE-2023-49297 (PyDrive2 is a wrapper library of google-api-python-client that simplif ...) + TODO: check +CVE-2023-49283 (microsoft-graph-core the Microsoft Graph Library for PHP. The Microsof ...) + TODO: check +CVE-2023-49282 (msgraph-sdk-php is the Microsoft Graph Library for PHP. The Microsoft ...) + TODO: check +CVE-2023-48940 (A stored cross-site scripting (XSS) vulnerability in /admin.php of Dai ...) + TODO: check +CVE-2023-48930 (xinhu xinhuoa 2.2.1 contains a File upload vulnerability.) + TODO: check +CVE-2023-48849 (Ruijie EG Series Routers version EG_3.0(1)B11P216 and before allows un ...) + TODO: check +CVE-2023-46736 (EspoCRM is an Open Source CRM (Customer Relationship Management) softw ...) + TODO: check +CVE-2023-44221 (Improper neutralization of special elements in the SMA100 SSL-VPN mana ...) + TODO: check +CVE-2023-41268 (Improper input validation vulnerability in Samsung Open Source Escargo ...) + TODO: check +CVE-2023-40053 (A vulnerability has been identified within Serv-U 15.4 that allows an ...) + TODO: check +CVE-2023-6512 (Inappropriate implementation in Web Browser UI in Google Chrome prior ...) - chromium [buster] - chromium (see DSA 5046) -CVE-2023-6511 +CVE-2023-6511 (Inappropriate implementation in Autofill in Google Chrome prior to 120 ...) - chromium [buster] - chromium (see DSA 5046) -CVE-2023-6510 +CVE-2023-6510 (Use after free in Media Capture in Google Chrome prior to 120.0.6099.6 ...) - chromium [buster] - chromium (see DSA 5046) -CVE-2023-6509 +CVE-2023-6509 (Use after free in Side Panel Search in Google Chrome prior to 120.0.60 ...) 
- chromium [buster] - chromium (see DSA 5046) -CVE-2023-6508 +CVE-2023-6508 (Use after free in Media Stream in Google Chrome prior to 120.0.6099.62 ...) - chromium [buster] - chromium (see DSA 5046) CVE-2023-39326 [net/http: limit chunked data overhead] @@ -24375,7 +24401,7 @@ CVE-2023-32339 (IBM Business Automation Workflow is vulnerable to cross-site scr NOT-FOR-US: IBM CVE-2023-2996 (The Jetpack WordPress plugin before 12.1.1 does not validate uploaded ...) NOT-FOR-US: WordPress plugin -CVE-2023-2861 [9pfs: prevent opening special files] +CVE-2023-2861 (A flaw was found in the 9p passthrough filesystem (9pfs) implementatio ...) - qemu 1:8.0.3+dfsg-1 [bookworm] - qemu 1:7.2+dfsg-7+deb12u1 [bullseye] - qemu (Minor issue) @@ -37273,10 +37299,10 @@ CVE-2023-28878 RESERVED CVE-2023-28877 (The VTEX apps-graphql@2.x GraphQL API module does not properly restric ...) NOT-FOR-US: VTEX apps-graphql@2.x GraphQL API module -CVE-2023-28876 - RESERVED -CVE-2023-28875 - RESERVED +CVE-2023-28876 (A Broken Access Control issue in comments to uploaded files in Filerun ...) + TODO: check +CVE-2023-28875 (A Stored XSS issue in shared files download terms in Filerun Update 20 ...) + TODO: check CVE-2023-28874 RESERVED CVE-2023-28873 @@ -38773,7 +38799,7 @@ CVE-2023-28474 (Concrete CMS (previously concrete5) before 9.2 is vulnerable to NOT-FOR-US: Concrete CMS CVE-2023-28473 (Concrete CMS (previously concrete5) before 9.2 is vulnerable to possib ...) NOT-FOR-US: Concrete CMS -CVE-2023-28472 (Concrete CMS (previously concrete5) before 9.2 does not have Secure an ...) +CVE-2023-28472 (Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 ...) NOT-FOR-US: Concrete CMS CVE-2023-28471 (Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored ...) NOT-FOR-US: Concrete CMS 
@@ -45587,8 +45613,8 @@ CVE-2023-26156 (Versions of the package chromedriver before 119.0.1 are vulnerab NOT-FOR-US: chromedriver Node.js module CVE-2023-26155 (All versions of the package node-qpdf are vulnerable to Command Inject ...) NOT-FOR-US: node-qpdf -CVE-2023-26154 - RESERVED +CVE-2023-26154 (Versions of the package pubnub before 7.4.0; all versions of the packa ...) + TODO: check CVE-2023-26153 (Versions of the package geokit-rails before 2.5.0 are vulnerable to Co ...) NOT-FOR-US: geokit-rails CVE-2023-26152 (All