[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVEs for gpac as EOL in Buster

2023-12-09 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dff9ed60 by Thorsten Alteholz at 2023-12-10T00:25:45+01:00
mark CVEs for gpac as EOL in Buster

- - - - -
52c1cae8 by Thorsten Alteholz at 2023-12-10T00:27:32+01:00
mark CVE-2023-49284 as no-dsa for Buster

- - - - -
917a5171 by Thorsten Alteholz at 2023-12-10T00:38:00+01:00
mark CVE-2023-49464 CVE-2023-49463 CVE-2023-49462 CVE-2023-49460 as 
not-affected for Buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24,6 +24,7 @@ CVE-2023-47722 (IBM API Connect V10.0.5.3 and V10.0.6.0 
stores user credentials
NOT-FOR-US: IBM
 CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a local attacker to 
cause a ...)
- gpac 
+   [buster] - gpac  (EOL in Buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2652
NOTE: 
https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49
NOTE: 
https://github.com/gpac/gpac/commit/613dbc5702b09063b101cfc3d6ad74b45ad87521
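Review bot: the new `[buster]` line shows two spaces between `gpac` and `(EOL in Buster LTS)`, i.e. the status tag that sits between the package name and the reason text is not visible in this rendering; confirm the committed line carries it, since the reason alone does not mark the package end-of-life. The plain `- gpac` line above it has no fixed version, so sid, bookworm and bullseye remain open for this CVE; with two upstream commits referenced (a40a3b7e and 613dbc57) a one-line NOTE saying which is the fix and which is the follow-up would help whoever prepares a stable update.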
@@ -31,6 +32,7 @@ CVE-2023-47254 (An OS Command Injection in the CLI interface 
on DrayTek Vigor167
NOT-FOR-US: DrayTek Vigor167
 CVE-2023-46932 (Heap Buffer Overflow vulnerability in GPAC version 
2.3-DEV-rev617-g671 ...)
- gpac 
+   [buster] - gpac  (EOL in Buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2669
NOTE: 
https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b
 CVE-2023-6622 (A null pointer dereference vulnerability was found in 
nft_dynset_init( ...)
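Review bot: the CVE text scopes this to "GPAC version 2.3-DEV-rev617-g671...", a development revision, so before settling on an end-of-life marking for buster it is worth checking whether the code changed by upstream commit dfdf1681 exists in the buster package at all; "Vulnerable code not present" would be the more precise status for users if it does not. As with the previous gpac entry, the status tag between `gpac` and the parenthesised reason is not visible on the `[buster]` line here.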
@@ -269,6 +271,7 @@ CVE-2023-49464 (libheif v1.17.5 was discovered to contain a 
segmentation violati
- libheif 
[bookworm] - libheif  (Minor issue)
[bullseye] - libheif  (Minor issue)
+   [buster] - libheif  (Vulnerable code not present)
NOTE: https://github.com/strukturag/libheif/issues/1044
NOTE: https://github.com/strukturag/libheif/pull/1049
NOTE: 
https://github.com/strukturag/libheif/commit/2bf226a300951e6897ee7267d0dd379ba5ad7287
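Review bot: buster gets "Vulnerable code not present" while bullseye and bookworm keep "Minor issue", i.e. are treated as affected, yet all three ship versions older than the 1.17.5 named in the CVE text. A NOTE pointing at the upstream change that introduced the affected code, or at least naming the file and function touched by commit 2bf226a3, would make the buster decision reproducible for the next person who triages this entry.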
@@ -276,16 +279,19 @@ CVE-2023-49463 (libheif v1.17.5 was discovered to contain 
a segmentation violati
- libheif 
[bookworm] - libheif  (Minor issue)
[bullseye] - libheif  (Minor issue)
+   [buster] - libheif  (Vulnerable code not present)
NOTE: https://github.com/strukturag/libheif/issues/1042
 CVE-2023-49462 (libheif v1.17.5 was discovered to contain a segmentation 
violation via ...)
- libheif 
[bookworm] - libheif  (Minor issue)
[bullseye] - libheif  (Minor issue)
+   [buster] - libheif  (Vulnerable code not present)
NOTE: https://github.com/strukturag/libheif/issues/1043
 CVE-2023-49460 (libheif v1.17.5 was discovered to contain a segmentation 
violation via ...)
- libheif 
[bookworm] - libheif  (Minor issue)
[bullseye] - libheif  (Minor issue)
+   [buster] - libheif  (Vulnerable code not present)
NOTE: https://github.com/strukturag/libheif/issues/1046
 CVE-2023-49437 (Tenda AX12 V22.03.01.46 has been discovered to contain a 
command injec ...)
NOT-FOR-US: Tenda
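Review bot: the three libheif entries in this hunk (CVE-2023-49463, -49462, -49460) reference only an upstream issue each (#1042, #1043, #1046) and no fix commit, unlike CVE-2023-49464 which has pull/1049 and a commit. Without a fix to diff against, "Vulnerable code not present" for buster cannot be checked from the entry itself; suggest adding the fixing commit(s) as NOTE lines, or a NOTE stating which code path was inspected in the buster version.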
@@ -798,6 +804,7 @@ CVE-2023-49284 (fish is a smart and user-friendly command 
line shell for macOS,
- fish  (bug #1057455)
[bookworm] - fish  (Minor issue)
[bullseye] - fish  (Minor issue)
+   [buster] - fish  (Minor issue)
NOTE: 
https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f
NOTE: 
https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14
 (3.6.2)
 CVE-2023-49280 (XWiki Change Request is an XWiki application allowing to 
request chang ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/68e140b27ee90086aed7c0a2f35d998587eb27b0...917a51719f847fc8d75dfdd0a210f43d636af528

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/68e140b27ee90086aed7c0a2f35d998587eb27b0...917a51719f847fc8d75dfdd0a210f43d636af528
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Process one NFU

2023-12-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
68e140b2 by Salvatore Bonaccorso at 2023-12-10T00:06:16+01:00
Process one NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2023-50428 (In Bitcoin Core through 26.0 and Bitcoin Knots before 
25.1.knots202311 ...)
TODO: check
 CVE-2021-46899 (SyncTrayzor 1.1.29 enables CEF (Chromium Embedded Framework) 
remote de ...)
-   TODO: check
+   NOT-FOR-US: SyncTrayzor
 CVE-2023-6394 (A flaw was found in Quarkus. This issue occurs when receiving a 
reques ...)
NOT-FOR-US: Quarkus
 CVE-2023-6337 (HashiCorp Vault and Vault Enterprise 1.12.0 and newer are 
vulnerable t ...)
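Review bot: NOT-FOR-US is the right call for SyncTrayzor, which is a Windows tray wrapper around Syncthing rather than anything in the archive, and the CVE text places the flaw in the wrapper's CEF remote debugging, not in Syncthing itself, so the Debian syncthing package does not need an entry. CVE-2023-50428 (Bitcoin Core) is left at TODO in this hunk.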



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68e140b27ee90086aed7c0a2f35d998587eb27b0



[Git][security-tracker-team/security-tracker][master] Update status for jruby issues

2023-12-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8f6beaf6 by Salvatore Bonaccorso at 2023-12-10T00:03:13+01:00
Update status for jruby issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24742,9 +24742,7 @@ CVE-2023-36617 (A ReDoS issue was discovered in the URI 
component before 0.12.2
- ruby2.7  (Incomplete fix never applied)
- ruby2.5 
[buster] - ruby2.5  (Minor issue, ReDoS)
-   - jruby 
-   [bookworm] - jruby  (Incomplete fix never applied)
-   [bullseye] - jruby  (Incomplete fix never applied)
+   - jruby  (Incomplete fix not applied, covered by 
CVE-2023-28755)
[buster] - jruby  (Minor issue, ReDoS)
NOTE: 
https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/
NOTE: 
https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1
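Review bot: the new sid line says the incomplete fix was never applied and the issue is covered by CVE-2023-28755, which justifies dropping the separate bookworm and bullseye lines, but the `[buster] - jruby (Minor issue, ReDoS)` line is kept with a different rationale. If jruby never carried the incomplete fix, that holds for buster as well, so either align the buster reason or add a NOTE under CVE-2023-28755 stating that it covers jruby for CVE-2023-36617 too. As rendered, the status tag after `jruby` on the new line is not visible; confirm it is present in the committed file.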
@@ -38374,6 +38372,7 @@ CVE-2023-28756 (A ReDoS issue was discovered in the 
Time component through 0.2.1
- ruby3.1  (bug #1038408)
- ruby2.7 
- ruby2.5 
+   [experimental] - jruby 9.4.3.0+ds-1~exp1
- jruby  (bug #1036283)
[bookworm] - jruby  (Minor issue)
NOTE: Fixed by: 
https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e 
(v3_1_4)
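Review bot: the `[experimental]` line records 9.4.3.0+ds-1~exp1 as fixed, but the only "Fixed by" reference is a CRuby commit (v3_1_4); for jruby the question is which version of the bundled `time` gem 9.4.3.0 ships, so a NOTE with that gem version (or the jruby changelog entry) would make the experimental fix claim checkable. The sid line (bug #1036283) stays open, consistent with nothing having reached unstable yet.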
@@ -38388,6 +38387,7 @@ CVE-2023-28755 (A ReDoS issue was discovered in the URI 
component through 0.12.0
- ruby3.1  (bug #1038408)
- ruby2.7 
- ruby2.5 
+   [experimental] - jruby 9.4.3.0+ds-1~exp1
- jruby  (bug #1036283)
[bookworm] - jruby  (Minor issue)
NOTE: Fixed by: 
https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300 
(v3_1_4)
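Review bot: same experimental version as for CVE-2023-28756, again backed only by a CRuby fix commit; a NOTE naming the `uri` gem version bundled in jruby 9.4.3.0 would let a reader verify the fix without rebuilding the package. Note that the sid entry for this CVE is what the CVE-2023-36617 jruby line now defers to, so keeping this entry accurate matters for both IDs.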



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f6beaf6fea0e5227e71f169df045f83f77e5bf1



[Git][security-tracker-team/security-tracker][master] automatic update

2023-12-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
598f4435 by security tracker role at 2023-12-09T20:12:36+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-50428 (In Bitcoin Core through 26.0 and Bitcoin Knots before 
25.1.knots202311 ...)
+   TODO: check
+CVE-2021-46899 (SyncTrayzor 1.1.29 enables CEF (Chromium Embedded Framework) 
remote de ...)
+   TODO: check
 CVE-2023-6394 (A flaw was found in Quarkus. This issue occurs when receiving a 
reques ...)
NOT-FOR-US: Quarkus
 CVE-2023-6337 (HashiCorp Vault and Vault Enterprise 1.12.0 and newer are 
vulnerable t ...)
@@ -23558,7 +23562,7 @@ CVE-2023-36925 (SAP Solution Manager (Diagnostics 
agent) - version 7.20, allows
NOT-FOR-US: SAP
 CVE-2023-36924 (While using a specific function, SAP ERP Defense Forces and 
Public Sec ...)
NOT-FOR-US: SAP
-CVE-2023-36922 (Due to programming error in function module or report, SAP 
NetWeaver A ...)
+CVE-2023-36922 (Due to programming error in function module and report, IS-OIL 
compone ...)
NOT-FOR-US: SAP
 CVE-2023-36921 (SAP Solution Manager (Diagnostics agent) - version 7.20, 
allows an att ...)
NOT-FOR-US: SAP



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/598f44359de95ae22798e29cb6d693f14143e325



[Git][security-tracker-team/security-tracker][master] Process two NFUs

2023-12-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d461a7ac by Salvatore Bonaccorso at 2023-12-09T11:35:42+01:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,9 +13,9 @@ CVE-2023-49799 (`nuxt-api-party` is an open source module to 
proxy API requests.
 CVE-2023-49798 (OpenZeppelin Contracts is a library for smart contract 
development. A  ...)
NOT-FOR-US: OpenZeppelin Contracts
 CVE-2023-49797 (PyInstaller bundles a Python application and all its 
dependencies into ...)
-   TODO: check
+   NOT-FOR-US: PyInstaller
 CVE-2023-48311 (dockerspawner is a tool to spawn JupyterHub single user 
servers in Doc ...)
-   TODO: check
+   NOT-FOR-US: dockerspawner
 CVE-2023-47722 (IBM API Connect V10.0.5.3 and V10.0.6.0 stores user 
credentials in bro ...)
NOT-FOR-US: IBM
 CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a local attacker to 
cause a ...)
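Review bot: both NFUs close out the last two TODO entries left in this block by the earlier "Process some NFUs" commit (9ef175f7), so nothing is outstanding here. The dockerspawner CVE text mentions JupyterHub single-user servers; dockerspawner is an optional spawner plugin rather than part of JupyterHub core, so this entry is the one to revisit if a jupyterhub-related package ever needs the same check.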



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d461a7ac625442d51d04f15c1ec314befc5a9f9e



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-12-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9ef175f7 by Salvatore Bonaccorso at 2023-12-09T09:53:25+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,30 +1,30 @@
 CVE-2023-6394 (A flaw was found in Quarkus. This issue occurs when receiving a 
reques ...)
-   TODO: check
+   NOT-FOR-US: Quarkus
 CVE-2023-6337 (HashiCorp Vault and Vault Enterprise 1.12.0 and newer are 
vulnerable t ...)
-   TODO: check
+   NOT-FOR-US: HashiCorp Vault
 CVE-2023-6120 (The Welcart e-Commerce plugin for WordPress is vulnerable to 
Directory ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5756 (The Digital Publications by Supsystic plugin for WordPress is 
vulnerab ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-49800 (`nuxt-api-party` is an open source module to proxy API 
requests. The l ...)
-   TODO: check
+   NOT-FOR-US: nuxt-api-party
 CVE-2023-49799 (`nuxt-api-party` is an open source module to proxy API 
requests. nuxt- ...)
-   TODO: check
+   NOT-FOR-US: nuxt-api-party
 CVE-2023-49798 (OpenZeppelin Contracts is a library for smart contract 
development. A  ...)
-   TODO: check
+   NOT-FOR-US: OpenZeppelin Contracts
 CVE-2023-49797 (PyInstaller bundles a Python application and all its 
dependencies into ...)
TODO: check
 CVE-2023-48311 (dockerspawner is a tool to spawn JupyterHub single user 
servers in Doc ...)
TODO: check
 CVE-2023-47722 (IBM API Connect V10.0.5.3 and V10.0.6.0 stores user 
credentials in bro ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a local attacker to 
cause a ...)
- gpac 
NOTE: https://github.com/gpac/gpac/issues/2652
NOTE: 
https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49
NOTE: 
https://github.com/gpac/gpac/commit/613dbc5702b09063b101cfc3d6ad74b45ad87521
 CVE-2023-47254 (An OS Command Injection in the CLI interface on DrayTek 
Vigor167 versi ...)
-   TODO: check
+   NOT-FOR-US: DrayTek Vigor167
 CVE-2023-46932 (Heap Buffer Overflow vulnerability in GPAC version 
2.3-DEV-rev617-g671 ...)
- gpac 
NOTE: https://github.com/gpac/gpac/issues/2669
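Review bot: two entries in this hunk, CVE-2023-49797 (PyInstaller) and CVE-2023-48311 (dockerspawner), are left at TODO while their neighbours are resolved; they are handled in a later commit (d461a7ac), so nothing is lost. The reason texts vary in granularity though: "WordPress plugin" for CVE-2023-6120 and CVE-2023-5756 versus the product name for every other NFU here. Naming the plugin (Welcart e-Commerce, Digital Publications by Supsystic) would match the other entries and make them greppable.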
@@ -37937,13 +37937,13 @@ CVE-2023-28873 (An XSS issue in wiki and discussion 
pages in Seafile 9.0.6 allow
 CVE-2023-28872
RESERVED
 CVE-2023-28871 (Support Assistant in NCP Secure Enterprise Client before 12.22 
allows  ...)
-   TODO: check
+   NOT-FOR-US: Support Assistant in NCP Secure Enterprise Client
 CVE-2023-28870 (Insecure File Permissions in Support Assistant in NCP Secure 
Enterpris ...)
-   TODO: check
+   NOT-FOR-US: Support Assistant in NCP Secure Enterprise Client
 CVE-2023-28869 (Support Assistant in NCP Secure Enterprise Client before 12.22 
allows  ...)
-   TODO: check
+   NOT-FOR-US: Support Assistant in NCP Secure Enterprise Client
 CVE-2023-28868 (Support Assistant in NCP Secure Enterprise Client before 12.22 
allows  ...)
-   TODO: check
+   NOT-FOR-US: Support Assistant in NCP Secure Enterprise Client
 CVE-2023-28867 (In GraphQL Java (aka graphql-java) before 20.1, an attacker 
can send a ...)
NOT-FOR-US: graphql-java
 CVE-2023-28866 (In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c 
allows out ...)
@@ -39168,15 +39168,15 @@ CVE-2023-28529 (IBM InfoSphere Information Server 
11.7 is vulnerable to stored c
 CVE-2023-28528 (IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a 
non-privileged local ...)
NOT-FOR-US: IBM
 CVE-2023-28527 (IBM Informix Dynamic Server 12.10 and 14.10 cdr is vulnerable 
to a hea ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-28526 (IBM Informix Dynamic Server 12.10 and 14.10 archecker is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-28525
RESERVED
 CVE-2023-28524
RESERVED
 CVE-2023-28523 (IBM Informix Dynamic Server 12.10 and 14.10 onsmsync is 
vulnerable to  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-28522 (IBM API Connect V10 could allow an authenticated user to 
perform actio ...)
NOT-FOR-US: IBM
 CVE-2023-28521
@@ -228837,7 +228837,7 @@ CVE-2020-25837 (Sensitive information disclosure 
vulnerability in Micro Focus Se
 CVE-2020-25836
RESERVED
 CVE-2020-25835 (A potential vulnerability has been identified in Micro Focus 
ArcSight  ...)
-   TODO: check
+   NOT-FOR-US: Micro Focus ArcSight Management Center
 CVE-2020-25834 (Cross-Site Scripting vulnerability on Micro Focus ArcSight 
Logger prod ...)
NOT-FOR-US: Micro Focus
 CVE-2020-25833 (Persistent cross-Site Scripting vulnerability on Micro Focus 
IDOL prod ...)



View it on GitLab: 

[Git][security-tracker-team/security-tracker][master] Add two issues in seafile (server part, seafile-server, itp'ed)

2023-12-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4bf5d37e by Salvatore Bonaccorso at 2023-12-09T09:51:09+01:00
Add two issues in seafile (server part, seafile-server, itp'ed)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37931,9 +37931,9 @@ CVE-2023-28876 (A Broken Access Control issue in 
comments to uploaded files in F
 CVE-2023-28875 (A Stored XSS issue in shared files download terms in Filerun 
Update 20 ...)
NOT-FOR-US: Filerun
 CVE-2023-28874 (The next parameter in the /accounts/login endpoint of Seafile 
9.0.6 al ...)
-   TODO: check
+   - seafile-server  (bug #865830)
 CVE-2023-28873 (An XSS issue in wiki and discussion pages in Seafile 9.0.6 
allows atta ...)
-   TODO: check
+   - seafile-server  (bug #865830)
 CVE-2023-28872
RESERVED
 CVE-2023-28871 (Support Assistant in NCP Secure Enterprise Client before 12.22 
allows  ...)
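Review bot: both lines reference bug #865830, which per the commit message is the ITP for seafile-server; as rendered, the pseudo-version tag between `seafile-server` and `(bug #865830)` is missing, and for a package that is only ITP'ed it should be `<itp>`, so check the committed line. A NOTE per CVE pointing at the upstream fix would also help, since the CVE texts only name Seafile 9.0.6 as affected and the eventual uploader will need to know which version is safe.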



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bf5d37e1efce5750ec469d6c8b126d4fa4325f5



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-46932/gpac

2023-12-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e0475f3 by Salvatore Bonaccorso at 2023-12-09T09:50:31+01:00
Add CVE-2023-46932/gpac

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26,7 +26,9 @@ CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a 
local attacker to c
 CVE-2023-47254 (An OS Command Injection in the CLI interface on DrayTek 
Vigor167 versi ...)
TODO: check
 CVE-2023-46932 (Heap Buffer Overflow vulnerability in GPAC version 
2.3-DEV-rev617-g671 ...)
-   TODO: check
+   - gpac 
+   NOTE: https://github.com/gpac/gpac/issues/2669
+   NOTE: 
https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b
 CVE-2023-6622 (A null pointer dereference vulnerability was found in 
nft_dynset_init( ...)
- linux 
[bullseye] - linux  (Vulnerable code not present)
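Review bot: the entry adds only the sid line with no fixed version and no stable or oldstable annotation, so bookworm and bullseye are implicitly tracked as affected; given the CVE names a 2.3-DEV revision, a NOTE on whether the code fixed by dfdf1681 exists in the 2.x releases shipped in stable would save a second triage pass. GPAC is a multimedia framework, so crafted input files are the realistic vector to weigh when deciding between no-dsa and a DSA for a heap buffer overflow.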



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e0475f3e0639e725f9a435f00ab60639dc5de12



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-47465/gpac

2023-12-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
778e3806 by Salvatore Bonaccorso at 2023-12-09T09:49:27+01:00
Add CVE-2023-47465/gpac

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,7 +19,10 @@ CVE-2023-48311 (dockerspawner is a tool to spawn JupyterHub 
single user servers
 CVE-2023-47722 (IBM API Connect V10.0.5.3 and V10.0.6.0 stores user 
credentials in bro ...)
TODO: check
 CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a local attacker to 
cause a ...)
-   TODO: check
+   - gpac 
+   NOTE: https://github.com/gpac/gpac/issues/2652
+   NOTE: 
https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49
+   NOTE: 
https://github.com/gpac/gpac/commit/613dbc5702b09063b101cfc3d6ad74b45ad87521
 CVE-2023-47254 (An OS Command Injection in the CLI interface on DrayTek 
Vigor167 versi ...)
TODO: check
 CVE-2023-46932 (Heap Buffer Overflow vulnerability in GPAC version 
2.3-DEV-rev617-g671 ...)
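Review bot: two upstream commits are listed (a40a3b7e and 613dbc57) without saying whether both are required; a one-line NOTE stating which is the fix and which is a follow-up makes a stable backport easier. The CVE text says "GPAC v.2.2.1 and before", which covers every version in the archive, so the bookworm, bullseye and buster decisions are still pending after this hunk.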



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/778e38060265b077b43791f3f0889c634ca7d92d



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6507/python

2023-12-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
abac4ea9 by Salvatore Bonaccorso at 2023-12-09T09:39:36+01:00
Add CVE-2023-6507/python

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -58,7 +58,15 @@ CVE-2023-6607 (A vulnerability has been found in Tongda OA 
2017 up to 11.10 and
 CVE-2023-6606 (An out-of-bounds read vulnerability was found in smbCalcSize in 
fs/smb ...)
- linux 
 CVE-2023-6507 (An issue was found in CPython 3.12.0 `subprocess` module on 
POSIX plat ...)
-   TODO: check
+   - python3.12 3.12.1-1
+   - python3.11  (Vulnerable code not present)
+   - python3.10  (Vulnerable code not present)
+   - python3.9  (Vulnerable code not present)
+   - python3.7  (Vulnerable code not present)
+   - python2.7  (Vulnerable code not present)
+   NOTE: 
https://mail.python.org/archives/list/security-annou...@python.org/thread/AUL7QFHBLILGISS7U63B47AYSSGJJQZD/
+   NOTE: https://github.com/python/cpython/issues/112334
+   NOTE: https://github.com/python/cpython/pull/112617
 CVE-2023-6245 (The Candid library causes a Denial of Service while  parsing a 
special ...)
TODO: check
 CVE-2023-6146 (A Qualys web application was found to have a stored XSS 
vulnerability  ...)
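Review bot: marking 3.11 and older as "Vulnerable code not present" is consistent with the CVE text, which scopes the bug to the `subprocess` module of CPython 3.12.0, i.e. a regression new in 3.12; a NOTE saying so (ideally naming the 3.12.0 change that introduced it) would let a reader confirm without re-reading issue 112334. For python3.12 the fixed version is given as 3.12.1-1; since the fix came in via PR 112617, check that it is part of the 3.12.1 release rather than only on main before relying on that version.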



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abac4ea956f7fe2ee37d7df8ad85cd1c18347465



[Git][security-tracker-team/security-tracker][master] automatic update

2023-12-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc8ff646 by security tracker role at 2023-12-09T08:12:01+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,29 @@
+CVE-2023-6394 (A flaw was found in Quarkus. This issue occurs when receiving a 
reques ...)
+   TODO: check
+CVE-2023-6337 (HashiCorp Vault and Vault Enterprise 1.12.0 and newer are 
vulnerable t ...)
+   TODO: check
+CVE-2023-6120 (The Welcart e-Commerce plugin for WordPress is vulnerable to 
Directory ...)
+   TODO: check
+CVE-2023-5756 (The Digital Publications by Supsystic plugin for WordPress is 
vulnerab ...)
+   TODO: check
+CVE-2023-49800 (`nuxt-api-party` is an open source module to proxy API 
requests. The l ...)
+   TODO: check
+CVE-2023-49799 (`nuxt-api-party` is an open source module to proxy API 
requests. nuxt- ...)
+   TODO: check
+CVE-2023-49798 (OpenZeppelin Contracts is a library for smart contract 
development. A  ...)
+   TODO: check
+CVE-2023-49797 (PyInstaller bundles a Python application and all its 
dependencies into ...)
+   TODO: check
+CVE-2023-48311 (dockerspawner is a tool to spawn JupyterHub single user 
servers in Doc ...)
+   TODO: check
+CVE-2023-47722 (IBM API Connect V10.0.5.3 and V10.0.6.0 stores user 
credentials in bro ...)
+   TODO: check
+CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a local attacker to 
cause a ...)
+   TODO: check
+CVE-2023-47254 (An OS Command Injection in the CLI interface on DrayTek 
Vigor167 versi ...)
+   TODO: check
+CVE-2023-46932 (Heap Buffer Overflow vulnerability in GPAC version 
2.3-DEV-rev617-g671 ...)
+   TODO: check
 CVE-2023-6622 (A null pointer dereference vulnerability was found in 
nft_dynset_init( ...)
- linux 
[bullseye] - linux  (Vulnerable code not present)
@@ -454,7 +480,7 @@ CVE-2023-41106 (An issue was discovered in Zimbra 
Collaboration (ZCS) before 10.
NOT-FOR-US: Zimbra
 CVE-2023-40238 (A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde 
InsydeH2O w ...)
NOT-FOR-US: Insyde
-CVE-2023-6560 [io_uring out of boundary memory access in __io_uaddr_map()]
+CVE-2023-6560 (An out-of-bounds memory access flaw was found in the io_uring 
SQ/CQ ri ...)
- linux 
[bookworm] - linux  (Vulnerable code not present)
[bullseye] - linux  (Vulnerable code not present)
@@ -566,18 +592,23 @@ CVE-2023-41268 (Improper input validation vulnerability 
in Samsung Open Source E
 CVE-2023-40053 (A vulnerability has been identified within Serv-U 15.4 that 
allows an  ...)
NOT-FOR-US: SolarWinds
 CVE-2023-6512 (Inappropriate implementation in Web Browser UI in Google Chrome 
prior  ...)
+   {DSA-5573-1}
- chromium 120.0.6099.71-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-6511 (Inappropriate implementation in Autofill in Google Chrome prior 
to 120 ...)
+   {DSA-5573-1}
- chromium 120.0.6099.71-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-6510 (Use after free in Media Capture in Google Chrome prior to 
120.0.6099.6 ...)
+   {DSA-5573-1}
- chromium 120.0.6099.71-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-6509 (Use after free in Side Panel Search in Google Chrome prior to 
120.0.60 ...)
+   {DSA-5573-1}
- chromium 120.0.6099.71-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-6508 (Use after free in Media Stream in Google Chrome prior to 
120.0.6099.62 ...)
+   {DSA-5573-1}
- chromium 120.0.6099.71-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-39326 (A malicious HTTP sender can use chunk extensions to cause a 
receiver r ...)
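Review bot: `{DSA-5573-1}` is attached to each of the five chromium CVEs by the automatic import, so the only thing worth a human look is that the `[buster]` lines still say "(see DSA 5046)" rather than carrying their own status; that is the existing convention for chromium in buster and needs no change here, but confirm that DSA-5573-1 itself lists all five IDs, since the cross-reference is generated from the DSA list.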
@@ -20234,7 +20265,7 @@ CVE-2023-4104 (An invalid Polkit Authentication check 
and missing authentication
NOTE: 
https://github.com/mozilla-mobile/mozilla-vpn-client/commit/6933a07164cd69636889403c959ac2c2b115e0f6
 CVE-2023-3971 (An HTML injection flaw was found in Controller in the user 
interface s ...)
NOT-FOR-US: Red Hat Ansible Automation Controller
-CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77]
+CVE-2023-34320 (Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 
1508412 where ...)
- xen 4.17.2-1
[bookworm] - xen  (Will be fixed via point release)
[bullseye] - xen  (EOLed in Bullseye)
@@ -37875,20 +37906,20 @@ CVE-2023-28876 (A Broken Access Control issue in 
comments to uploaded files in F
NOT-FOR-US: Filerun
 CVE-2023-28875 (A Stored XSS issue in shared files download terms in Filerun 
Update 20 ...)
NOT-FOR-US: Filerun
-CVE-2023-28874
-   RESERVED
-CVE-2023-28873
-   RESERVED
+CVE-2023-28874 (The next parameter in the /accounts/login endpoint of Seafile 
9.0.6 al ...)
+   TODO: check
+CVE-2023-28873 (An XSS issue in wiki and discussion pages in