[Git][security-tracker-team/security-tracker][master] Add CVE-2023-7192/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ece8d413 by Salvatore Bonaccorso at 2023-12-31T07:22:14+01:00 Add CVE-2023-7192/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,8 @@ +CVE-2023-7192 [netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()] + - linux 6.1.20-1 + [bullseye] - linux 5.10.178-1 + [buster] - linux 4.19.282-1 + NOTE: https://git.kernel.org/linus/ac4893980bbe79ce383daf9a0885666a30fe4c83 (6.3-rc1) CVE-2023-7181 (A vulnerability was found in Muyun DedeBIZ up to 6.2.12 and classified ...) NOT-FOR-US: Muyun DedeBIZ CVE-2023-7180 (A vulnerability has been found in Tongda OA 2017 up to 11.9 and classi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ece8d413b6d8761dd9dbfd00781df5c2df3a59cc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
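Review bot: the NOTE cites only the mainline commit ac489398 (6.3-rc1), yet the fixed versions claimed are stable-series uploads (6.1.20-1, 5.10.178-1, 4.19.282-1), so the entry rests on the fix having been backported to 6.1.y, 5.10.y and 4.19.y before those Debian versions were built; adding the stable-tree commit IDs, or a NOTE of the form "backported in 6.1.x / 5.10.x / 4.19.x", would make the three version claims checkable from the entry itself rather than from the stable trees.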
[Git][security-tracker-team/security-tracker][master] Reference applied patch for CVE-2023-34194 at least temporarily
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 16a47b09 by Salvatore Bonaccorso at 2023-12-31T07:16:28+01:00 Reference applied patch for CVE-2023-34194 at least temporarily - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3491,6 +3491,7 @@ CVE-2023-42495 (Dasan Networks - W-Web versions 1.22-1.27 - CWE-78: Improper Neu CVE-2023-34194 (StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML ...) - tinyxml (bug #1059315) NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities + NOTE: Debian (non upstream) patch: https://salsa.debian.org/debian/tinyxml/-/raw/2366e1f23d059d4c20c43c54176b6bd78d6a83fc/debian/patches/CVE-2023-34194.patch CVE-2023-6707 (Use after free in CSS in Google Chrome prior to 120.0.6099.109 allowed ...) {DSA-5577-1} - chromium 120.0.6099.109-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16a47b09782f4f2bcfadc2cf4a32b9dab1d6f8a7
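Review bot: the unstable line still reads "- tinyxml (bug #1059315)" with no fixed version, although the patch is already in the packaging repository; once the upload lands the version needs to be filled in, and since the new NOTE flags the patch as non-upstream ("at least temporarily"), a follow-up NOTE pointing at the upstream fix, should one appear, would let the two be compared. Pinning the raw URL to commit 2366e1f2 rather than to a branch is the right choice: the reference cannot drift.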
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-40462 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e507c93 by Salvatore Bonaccorso at 2023-12-31T06:54:25+01:00 Mark CVE-2023-40462 as NFU The vulnerability report states that one issue has two CVE IDs because it affects TinyXML independently (CVE-2023-34194) and as used by ACEmanager (CVE-2023-40462). With that and given both CVEs are listed under the same issue in the Table 2, it looks safe to assume that CVE-2023-40462 is the ACEmanager specific CVE, while CVE-2023-34194 is for the underlying part in tinyxml. This is as well inline with the product association given in the CVE entry from MITRE. Link: https://www.forescout.com/resources/sierra21-vulnerabilities Link: https://www.cve.org/CVERecord?id=CVE-2023-40462 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -5066,8 +5066,7 @@ CVE-2023-40464 (Several versions of ALEOS, including ALEOS 4.16.0, use a hardcod CVE-2023-40463 (When configured in debugging mode by an authenticated user withadm ...) NOT-FOR-US: ALEOS CVE-2023-40462 (The ACEManager component of ALEOS 4.16 and earlier does not perform ...) - - tinyxml (bug #1059315) - NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities + NOT-FOR-US: TinyXML use in ACEManager component of ALEOS (relates to CVE-2023-34194 in src:tinyxml) CVE-2023-40461 (The ACEManager component of ALEOS 4.16 and earlier allows an authen ...) NOT-FOR-US: ALEOS CVE-2023-40460 (The ACEManager component of ALEOS 4.16 and earlier does not validat ...) = data/DLA/list = 
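Review bot: the reasoning for reassigning CVE-2023-40462 (both IDs grouped under one issue in the Forescout table, MITRE's product association) lives only in the commit message; a short NOTE in the entry, e.g. "NOTE: per the Forescout report, CVE-2023-40462 is the ACEmanager instance of CVE-2023-34194", would keep the justification next to the data, where the next person re-triaging it will look. Dropping the Forescout link from this entry loses nothing, since CVE-2023-34194 still carries it.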
@@ -2,7 +2,7 @@ {CVE-2023-7101} [buster] - libspreadsheet-parseexcel-perl 0.6500-1+deb10u1 [31 Dec 2023] DLA-3701-1 tinyxml - security update - {CVE-2023-34194 CVE-2023-40462} + {CVE-2023-34194} [buster] - tinyxml 2.6.2-4+deb10u2 [30 Dec 2023] DLA-3700-1 cjson - security update {CVE-2023-50471} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b
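Review bot: DLA-3701-1 was reserved with both IDs (commit 4fe8f15d, later on this page) and this hunk narrows it to CVE-2023-34194 after the fact; the advisory text and the changelog of tinyxml 2.6.2-4+deb10u2 should be checked to say the same, otherwise the tracker and the published DLA disagree on which CVE the upload fixes.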
[Git][security-tracker-team/security-tracker][master] LTS: claim php-guzzlehttp-psr7 in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: b1a1b40e by Guilhem Moulin at 2023-12-31T02:17:04+01:00 LTS: claim php-guzzlehttp-psr7 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -169,7 +169,7 @@ nvidia-cuda-toolkit paramiko NOTE: 20231225: Added by Front-Desk (ta) -- -php-guzzlehttp-psr7 +php-guzzlehttp-psr7 (guilhem) NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2023-29197 already fixed in bullseye via DSA or point release (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1a1b40e7095d0781883559f014ea512a9b44609
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3702-1 for libspreadsheet-parseexcel-perl
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: b5b8955b by Guilhem Moulin at 2023-12-31T02:00:33+01:00 Reserve DLA-3702-1 for libspreadsheet-parseexcel-perl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Dec 2023] DLA-3702-1 libspreadsheet-parseexcel-perl - security update + {CVE-2023-7101} + [buster] - libspreadsheet-parseexcel-perl 0.6500-1+deb10u1 [31 Dec 2023] DLA-3701-1 tinyxml - security update {CVE-2023-34194 CVE-2023-40462} [buster] - tinyxml 2.6.2-4+deb10u2 = data/dla-needed.txt = @@ -120,9 +120,6 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libspreadsheet-parseexcel-perl (guilhem) - NOTE: 20231230: Added by Front-Desk (lamby) --- libssh (Sean Whitton) NOTE: 20231219: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5b8955bca27bb189a07b125c335e59707d3a213
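Review bot: upgrade-path check on the buster version passes: 0.6500-1+deb10u1 sorts below bullseye's 0.6500-1.1+deb11u1 from DSA-5592-1, because dpkg compares "+deb10u1" against ".1+deb11u1" and "+" sorts before ".", so a buster-to-bullseye upgrade picks up the bullseye package rather than keeping the LTS one; no action needed.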
[Git][security-tracker-team/security-tracker][master] LTS: claim libspreadsheet-parseexcel-perl in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: c9458da1 by Guilhem Moulin at 2023-12-31T00:15:27+01:00 LTS: claim libspreadsheet-parseexcel-perl in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -120,7 +120,7 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libspreadsheet-parseexcel-perl +libspreadsheet-parseexcel-perl (guilhem) NOTE: 20231230: Added by Front-Desk (lamby) -- libssh (Sean Whitton) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9458da1ac7dd69fba91d43ab8ac90e6cacfc635
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3701-1 for tinyxml
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fe8f15d by Guilhem Moulin at 2023-12-31T00:08:39+01:00 Reserve DLA-3701-1 for tinyxml - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Dec 2023] DLA-3701-1 tinyxml - security update + {CVE-2023-34194 CVE-2023-40462} + [buster] - tinyxml 2.6.2-4+deb10u2 [30 Dec 2023] DLA-3700-1 cjson - security update {CVE-2023-50471} [buster] - cjson 1.7.10-1.1+deb10u2 = data/dla-needed.txt = @@ -263,9 +263,6 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tinyxml (guilhem) - NOTE: 20231224: Added by Front-Desk (ta) --- tomcat9 (rouca) NOTE: 20231129: Added by Front-Desk (Beuc) NOTE: 20131217: I have made a fix, tests are ok but due to high popcon prefer a review by apo (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fe8f15df4d7687c271f49d44d4ddfd9d89fcfdc
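Review bot: {CVE-2023-34194 CVE-2023-40462} attributes both IDs to src:tinyxml, but the Forescout report ties CVE-2023-40462 to TinyXML as used by ACEmanager in ALEOS rather than to the library; commit 7e507c93 earlier on this page drops it from this DLA entry and marks it NOT-FOR-US, so the advisory text should name only CVE-2023-34194. Unrelated to this change, the tomcat9 context line carries a NOTE dated 20131217, which looks like a typo for 20231217.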
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4788fbdb by Salvatore Bonaccorso at 2023-12-30T21:27:25+01:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,11 +17,11 @@ CVE-2023-7173 (A vulnerability, which was classified as problematic, was found i CVE-2023-7172 (A vulnerability, which was classified as critical, has been found in P ...) NOT-FOR-US: PHPGurukul Hospital Management System CVE-2023-6998 (Improper privilege management vulnerability in CoolKit Technology eWeL ...) - TODO: check + NOT-FOR-US: CoolKit Technology eWeLink on Android and iOS CVE-2023-52263 (Brave Browser before 1.59.40 does not properly restrict the schema for ...) - brave-browser (bug #864795) CVE-2023-52262 (outdoorbits little-backup-box (aka Little Backup Box) before f39f91c a ...) - TODO: check + NOT-FOR-US: outdoorbits little-backup-box (aka Little Backup Box) CVE-2023-51136 (TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain ...) NOT-FOR-US: TOTOLINK CVE-2023-51135 (TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain ...) 
@@ -35,13 +35,13 @@ CVE-2023-50589 (Grupo Embras GEOSIAP ERP v2.2.167.02 was discovered to contain a CVE-2023-50578 (Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnera ...) NOT-FOR-US: Mingsoft MCMS CVE-2023-50550 (layui up to v2.74 was discovered to contain a cross-site scripting (XS ...) - TODO: check + NOT-FOR-US: layui CVE-2023-50110 (TestLink through 1.9.20 allows type juggling for authentication bypass ...) - TODO: check + NOT-FOR-US: TestLink CVE-2023-49299 (Improper Input Validation vulnerability in Apache DolphinScheduler. An ...) - TODO: check + NOT-FOR-US: Apache DolphinScheduler CVE-2018-25096 (A vulnerability was found in MdAlAmin-aol Own Health Record 0.1-alpha/ ...) - TODO: check + NOT-FOR-US: MdAlAmin-aol Own Health Record CVE-2023-52257 (LogoBee 0.2 allows updates.php?id= XSS.) NOT-FOR-US: LogoBee CVE-2023-52252 (Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4788fbdb960f06a2651d5c409890392e9fc92259
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-52263/brave-browser, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 893d7f85 by Salvatore Bonaccorso at 2023-12-30T21:26:41+01:00 Add CVE-2023-52263/brave-browser, itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2023-7172 (A vulnerability, which was classified as critical, has been found CVE-2023-6998 (Improper privilege management vulnerability in CoolKit Technology eWeL ...) TODO: check CVE-2023-52263 (Brave Browser before 1.59.40 does not properly restrict the schema for ...) - TODO: check + - brave-browser (bug #864795) CVE-2023-52262 (outdoorbits little-backup-box (aka Little Backup Box) before f39f91c a ...) TODO: check CVE-2023-51136 (TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/893d7f85e21b33b0dc0e051e72ae1402acec2315
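Review bot: "- brave-browser (bug #864795)" has no version field, so the tracker will list an unfixed issue in a source package that is not in the archive; for a package that exists only as an ITP the tracker's <itp> pseudo-version, "- brave-browser <itp> (bug #864795)", records the same fact without showing it as an open vulnerability in Debian.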
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-50572
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 04f0d04a by Salvatore Bonaccorso at 2023-12-30T21:17:46+01:00 Add Debian bug reference for CVE-2023-50572 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -185,7 +185,7 @@ CVE-2023-50878 (Cross-Site Request Forgery (CSRF) vulnerability in InspireUI MSt CVE-2023-50837 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-50572 (An issue in the component GroovyEngine.execute of jline-groovy v3.24.1 ...) - - jline3 + - jline3 (bug #1059726) NOTE: https://github.com/jline/jline3/issues/909 NOTE: https://github.com/jline/jline3/commit/f3c60a3e6255e8e0c20d5043a4fe248446f292bb (jline-parent-3.25.0) TODO: check if jline 3.x specific or affects as well src:jline2, src:jline View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04f0d04a2acd6b443887b8ca2cbbcd5c13869488
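Review bot: the bug reference is filled in, but the TODO on the last context line stays open; if src:jline2 or src:jline ship the same GroovyEngine.execute code path they need their own "- jline2 ..." / "- jline ..." lines, because the entry as written only records src:jline3 and the other two would silently read as unaffected.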
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 39be84e8 by Salvatore Bonaccorso at 2023-12-30T21:17:02+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,21 +1,21 @@ CVE-2023-7181 (A vulnerability was found in Muyun DedeBIZ up to 6.2.12 and classified ...) - TODO: check + NOT-FOR-US: Muyun DedeBIZ CVE-2023-7180 (A vulnerability has been found in Tongda OA 2017 up to 11.9 and classi ...) - TODO: check + NOT-FOR-US: Tongda OA CVE-2023-7179 (A vulnerability, which was classified as critical, was found in Campco ...) - TODO: check + NOT-FOR-US: Campcodes Online College Library System CVE-2023-7178 (A vulnerability, which was classified as critical, has been found in C ...) - TODO: check + NOT-FOR-US: Campcodes Online College Library System CVE-2023-7177 (A vulnerability classified as critical was found in Campcodes Online C ...) - TODO: check + NOT-FOR-US: Campcodes Online College Library System CVE-2023-7176 (A vulnerability classified as critical has been found in Campcodes Onl ...) - TODO: check + NOT-FOR-US: Campcodes Online College Library System CVE-2023-7175 (A vulnerability was found in Campcodes Online College Library System 1 ...) - TODO: check + NOT-FOR-US: Campcodes Online College Library System CVE-2023-7173 (A vulnerability, which was classified as problematic, was found in PHP ...) - TODO: check + NOT-FOR-US: PHPGurukul Hospital Management System CVE-2023-7172 (A vulnerability, which was classified as critical, has been found in P ...) - TODO: check + NOT-FOR-US: PHPGurukul Hospital Management System CVE-2023-6998 (Improper privilege management vulnerability in CoolKit Technology eWeL ...) TODO: check CVE-2023-52263 (Brave Browser before 1.59.40 does not properly restrict the schema for ...) 
@@ -23,17 +23,17 @@ CVE-2023-52263 (Brave Browser before 1.59.40 does not properly restrict the sche CVE-2023-52262 (outdoorbits little-backup-box (aka Little Backup Box) before f39f91c a ...) TODO: check CVE-2023-51136 (TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-51135 (TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-51133 (TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-50651 (TOTOLINK X6000R v9.4.0cu.852_B20230719 was discovered to contain a rem ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-50589 (Grupo Embras GEOSIAP ERP v2.2.167.02 was discovered to contain a SQL i ...) - TODO: check + NOT-FOR-US: Grupo Embras GEOSIAP ERP CVE-2023-50578 (Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnera ...) - TODO: check + NOT-FOR-US: Mingsoft MCMS CVE-2023-50550 (layui up to v2.74 was discovered to contain a cross-site scripting (XS ...) TODO: check CVE-2023-50110 (TestLink through 1.9.20 allows type juggling for authentication bypass ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39be84e8838e6db1007a53ac1f6d930741715de2
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e12d1f1 by security tracker role at 2023-12-30T20:11:42+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,47 @@ +CVE-2023-7181 (A vulnerability was found in Muyun DedeBIZ up to 6.2.12 and classified ...) + TODO: check +CVE-2023-7180 (A vulnerability has been found in Tongda OA 2017 up to 11.9 and classi ...) + TODO: check +CVE-2023-7179 (A vulnerability, which was classified as critical, was found in Campco ...) + TODO: check +CVE-2023-7178 (A vulnerability, which was classified as critical, has been found in C ...) + TODO: check +CVE-2023-7177 (A vulnerability classified as critical was found in Campcodes Online C ...) + TODO: check +CVE-2023-7176 (A vulnerability classified as critical has been found in Campcodes Onl ...) + TODO: check +CVE-2023-7175 (A vulnerability was found in Campcodes Online College Library System 1 ...) + TODO: check +CVE-2023-7173 (A vulnerability, which was classified as problematic, was found in PHP ...) + TODO: check +CVE-2023-7172 (A vulnerability, which was classified as critical, has been found in P ...) + TODO: check +CVE-2023-6998 (Improper privilege management vulnerability in CoolKit Technology eWeL ...) + TODO: check +CVE-2023-52263 (Brave Browser before 1.59.40 does not properly restrict the schema for ...) + TODO: check +CVE-2023-52262 (outdoorbits little-backup-box (aka Little Backup Box) before f39f91c a ...) + TODO: check +CVE-2023-51136 (TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain ...) + TODO: check +CVE-2023-51135 (TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain ...) + TODO: check +CVE-2023-51133 (TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain ...) + TODO: check +CVE-2023-50651 (TOTOLINK X6000R v9.4.0cu.852_B20230719 was discovered to contain a rem ...) + TODO: check +CVE-2023-50589 (Grupo Embras GEOSIAP ERP v2.2.167.02 was discovered to contain a SQL i ...) + TODO: check +CVE-2023-50578 (Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnera ...) 
+ TODO: check +CVE-2023-50550 (layui up to v2.74 was discovered to contain a cross-site scripting (XS ...) + TODO: check +CVE-2023-50110 (TestLink through 1.9.20 allows type juggling for authentication bypass ...) + TODO: check +CVE-2023-49299 (Improper Input Validation vulnerability in Apache DolphinScheduler. An ...) + TODO: check +CVE-2018-25096 (A vulnerability was found in MdAlAmin-aol Own Health Record 0.1-alpha/ ...) + TODO: check CVE-2023-52257 (LogoBee 0.2 allows updates.php?id= XSS.) NOT-FOR-US: LogoBee CVE-2023-52252 (Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua ...) @@ -694,6 +738,7 @@ CVE-2023-34198 (In Stormshield Network Security (SNS) 1.0.0 through 3.7.36 befor CVE-2023-7102 (Use of a Third Party library produced a vulnerability in Barracuda Net ...) NOT-FOR-US: Barracuda (its use of Spreadsheet::ParseExcel, cf. CVE-2023-7102) CVE-2023-7101 (Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing ...) + {DSA-5592-1} - libspreadsheet-parseexcel-perl 0.6500-4 (bug #1059450) NOTE: https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md NOTE: https://github.com/haile01/perl_spreadsheet_excel_rce_poc @@ -2847,6 +2892,7 @@ CVE-2023-50472 (cJSON v1.7.16 was discovered to contain a segmentation violation NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 NOTE: Seems bogus, this isn't a DoS but only a broken use of an API CVE-2023-50471 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...) + {DLA-3700-1} - cjson 1.7.17-1 (bug #1059287) NOTE: https://github.com/DaveGamble/cJSON/issues/802 NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 
@@ -4335,18 +4381,21 @@ CVE-2023-49493 (DedeCMS v5.7.111 was discovered to contain a reflective cross-si CVE-2023-49492 (DedeCMS v5.7.111 was discovered to contain a reflective cross-site scr ...) NOT-FOR-US: DedeCMS CVE-2023-49468 (Libde265 v1.0.14 was discovered to contain a global buffer overflow vu ...) + {DLA-3699-1} - libde265 1.0.15-1 (bug #1059275) [bookworm] - libde265 (Minor issue) [bullseye] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/432 NOTE: Fixed by: https://github.com/strukturag/libde265/commit/3e822a3ccf88df1380b165d6ce5a00494a27ceeb (v1.0.15) CVE-2023-49467 (Libde265 v1.0.14 was discovered to
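Review bot: the context line under CVE-2023-7102 reads "NOT-FOR-US: Barracuda (its use of Spreadsheet::ParseExcel, cf. CVE-2023-7102)", which cross-references itself; the library-side issue is CVE-2023-7101, the entry directly below it, and the "cf." should point there. The additions themselves ({DSA-5592-1}, {DLA-3700-1}, {DLA-3699-1}) match the advisory reservations elsewhere on this page.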
[Git][security-tracker-team/security-tracker][master] libsass fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ba45f82 by Moritz Muehlenhoff at 2023-12-30T20:55:56+01:00 libsass fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -81656,14 +81656,14 @@ CVE-2022-43359 (Gifdec commit 1dcbae19363597314f6623010cc80abad4e47f7c was disco NOT-FOR-US: Gifdec CVE-2022-43358 (Stack overflow vulnerability in ast_selectors.cpp: in function Sass::C ...) [experimental] - libsass 3.6.5+20231221-1 - - libsass (bug #1051895) + - libsass 3.6.5+20231221-2 (bug #1051895) [bookworm] - libsass (Minor issue) [bullseye] - libsass (Minor issue) [buster] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/3178 CVE-2022-43357 (Stack overflow vulnerability in ast_selectors.cpp in function Sass::Co ...) [experimental] - libsass 3.6.5+20231221-1 - - libsass (bug #1051893) + - libsass 3.6.5+20231221-2 (bug #1051895) [bookworm] - libsass (Minor issue) [bullseye] - libsass (Minor issue) [buster] - libsass (Minor issue) @@ -128882,7 +128882,7 @@ CVE-2022-26593 (Cross-site scripting (XSS) vulnerability in the Asset module's a NOT-FOR-US: Liferay CVE-2022-26592 (Stack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector ...) [experimental] - libsass 3.6.5+20231221-1 - - libsass (bug #1051894) + - libsass 3.6.5+20231221-2 (bug #1051895) [bookworm] - libsass (Minor issue) [bullseye] - libsass (Minor issue) [buster] - libsass (Minor issue) 
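Review bot: in the first hunk the bug references for CVE-2022-43357 and CVE-2022-26592 change from #1051893 and #1051894 to #1051895 in the same edit that fills in the fixed version; #1051895 is the bug already attached to CVE-2022-43358, so unless the three bugs were merged this looks like a copy-and-paste slip and the per-CVE numbers should be restored, e.g. "- libsass 3.6.5+20231221-2 (bug #1051893)" and "(bug #1051894)".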
@@ -297083,7 +297083,7 @@ CVE-2019-18797 (LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator [buster] - libsass (Minor issue) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/3000 - NOTE: Not considered a security issue be upstream + NOTE: Not considered a security issue by upstream CVE-2019-18796 (The BASS Audio Library 2.4.14 under Windows is prone to a BASS_StreamC ...) NOT-FOR-US: BASS Audio Library CVE-2019-18795 (The BASS Audio Library 2.4.14 under Windows is prone to a BASS_StreamC ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ba45f82ca092693196147790ef731923a437e66
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3700-1 for cjson
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 631403dd by Thorsten Alteholz at 2023-12-30T19:33:42+01:00 Reserve DLA-3700-1 for cjson - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Dec 2023] DLA-3700-1 cjson - security update + {CVE-2023-50471} + [buster] - cjson 1.7.10-1.1+deb10u2 [30 Dec 2023] DLA-3699-1 libde265 - security update {CVE-2023-49465 CVE-2023-49467 CVE-2023-49468} [buster] - libde265 1.0.11-0+deb10u6 = data/dla-needed.txt = @@ -48,9 +48,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -cjson (Thorsten Alteholz) - NOTE: 20231225: Added by Front-Desk (ta) --- curl NOTE: 20231229: Added by Front-Desk (lamby) NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/631403dd9ad314ad4743a04be3b951991bcc9e08
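Review bot: DLA-3700-1 lists only CVE-2023-50471 while the sibling CVE-2023-50472 against the same package is marked not-affected for buster in commit c295bb8b ("Vulnerable code introduced later"), so the narrower CVE set is consistent with the tracker data; worth confirming that the debian/changelog of cjson 1.7.10-1.1+deb10u2 likewise names only CVE-2023-50471.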
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3699-1 for libde265
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 0af6b042 by Thorsten Alteholz at 2023-12-30T19:27:58+01:00 Reserve DLA-3699-1 for libde265 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Dec 2023] DLA-3699-1 libde265 - security update + {CVE-2023-49465 CVE-2023-49467 CVE-2023-49468} + [buster] - libde265 1.0.11-0+deb10u6 [29 Dec 2023] DLA-3698-1 thunderbird - security update {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6864 CVE-2023-6873 CVE-2023-50761 CVE-2023-50762} [buster] - thunderbird 1:115.6.0-1~deb10u1 = data/dla-needed.txt = @@ -112,9 +112,6 @@ kodi NOTE: 20231228: Added by Front-Desk (lamby) NOTE: 20231228: CVE-2021-42917 was postponed in 2021; fixed in bullseye via DSA or point release. (lamby) -- -libde265 (Thorsten Alteholz) - NOTE: 20231224: Added by Front-Desk (ta) --- libreoffice (rouca) NOTE: 20231217: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0af6b042c236241ce4dd4bb2afb9d7718435aa0d
[Git][security-tracker-team/security-tracker][master] Add exim4 for pending clarification
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61d11a9a by Salvatore Bonaccorso at 2023-12-30T18:44:03+01:00 Add exim4 for pending clarification - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -18,6 +18,9 @@ cryptojs -- dnsdist (jmm) -- +exim4 (carnil) + Clarifying with maintainer on route to perform, cf. #1059387 +-- frr -- gpac/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61d11a9a2c2359a320799bf8b618d8684f299608
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for libspreadsheet-parseexcel-perl update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a2da2be4 by Salvatore Bonaccorso at 2023-12-30T17:07:14+01:00 Reserve DSA number for libspreadsheet-parseexcel-perl update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[30 Dec 2023] DSA-5592-1 libspreadsheet-parseexcel-perl - security update + {CVE-2023-7101} + [bullseye] - libspreadsheet-parseexcel-perl 0.6500-1.1+deb11u1 + [bookworm] - libspreadsheet-parseexcel-perl 0.6500-4~deb12u1 [28 Dec 2023] DSA-5591-1 libssh - security update {CVE-2023-6004 CVE-2023-6918 CVE-2023-48795} [bullseye] - libssh 0.9.8-0+deb11u1 = data/dsa-needed.txt = @@ -27,9 +27,6 @@ h2o (jmm) libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- -libspreadsheet-parseexcel-perl (carnil) - Checking with the pkg-perl group --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y and 6.1.y versions View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2da2be4110ba2342ea6e723b7d18bf995d013e7
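Review bot: version ordering across suites checks out: bullseye 0.6500-1.1+deb11u1 < bookworm 0.6500-4~deb12u1 (Debian revision 1.1 < 4), and bookworm 0.6500-4~deb12u1 < unstable 0.6500-4 ("~" sorts before the empty string), so suite upgrades always land on a fixed package; no action.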
[Git][security-tracker-team/security-tracker][master] mark CVE-2023-50472 as not-affected for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: c295bb8b by Thorsten Alteholz at 2023-12-30T16:56:49+01:00 mark CVE-2023-50472 as not-affected for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2842,6 +2842,7 @@ CVE-2023-50563 (Semcms v4.8 was discovered to contain a SQL injection vulnerabil NOT-FOR-US: Semcms CVE-2023-50472 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...) - cjson 1.7.17-1 (unimportant; bug #1059287) + [buster] - cjson (Vulnerable code introduced later) NOTE: https://github.com/DaveGamble/cJSON/issues/803 NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 NOTE: Seems bogus, this isn't a DoS but only a broken use of an API View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c295bb8b96a40d74418953a073635baf22c856e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c295bb8b96a40d74418953a073635baf22c856e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
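Review bot: the new `[buster] - cjson (Vulnerable code introduced later)` line has no reference backing the not-affected claim; the surrounding NOTEs only point at upstream issue #803 and the fixing commit. Add a NOTE naming the upstream commit or release that introduced the affected code (or the buster cjson version that was checked) so the triage can be re-verified later. Given the existing NOTE already calls the report bogus and the unstable entry is rated unimportant, a consistent alternative is to rate buster unimportant as well rather than not-affected.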
[Git][security-tracker-team/security-tracker][master] Reference fixing commit for CVE-2023-7101
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c182caa4 by Salvatore Bonaccorso at 2023-12-30T15:00:06+01:00 Reference fixing commit for CVE-2023-7101 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -698,6 +698,7 @@ CVE-2023-7101 (Spreadsheet::ParseExcel version 0.65 is a Perl module used for pa NOTE: https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md NOTE: https://github.com/haile01/perl_spreadsheet_excel_rce_poc NOTE: https://github.com/runrig/spreadsheet-parseexcel/issues/33 + NOTE: Fixed by: https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc (CPAN_0.66) CVE-2023-7100 (A vulnerability, which was classified as critical, was found in PHPGur ...) NOT-FOR-US: PHPGurukul Restaurant Table Booking System CVE-2023-7099 (A vulnerability, which was classified as critical, has been found in P ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c182caa486e48ea94717aa52a796e01a9eb7ee41 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c182caa486e48ea94717aa52a796e01a9eb7ee41 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
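Review bot: the new "Fixed by" NOTE points at github.com/jmcnamara/spreadsheet-parseexcel while the issue NOTE directly above points at github.com/runrig/spreadsheet-parseexcel; a short remark on which repository is the current upstream for the CPAN_0.66 release would avoid confusion when the fix is backported for the stable updates.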
[Git][security-tracker-team/security-tracker][master] Process CVE-2023-51663 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7723b494 by Salvatore Bonaccorso at 2023-12-30T14:09:59+01:00 Process CVE-2023-51663 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55,7 +55,7 @@ CVE-2023-51676 (Server-Side Request Forgery (SSRF) vulnerability in Leevio Happy CVE-2023-51675 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in A ...) NOT-FOR-US: WordPress plugin CVE-2023-51663 (Hail is an open-source, general-purpose, Python-based data analysis to ...) - TODO: check + NOT-FOR-US: Hail CVE-2023-51545 (Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data v ...) NOT-FOR-US: WordPress plugin CVE-2023-51541 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7723b4940ed9b9dd144bf21c612644ba2d19 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7723b4940ed9b9dd144bf21c612644ba2d19 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage edk2 for buster LTS (CVE-2019-11098)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: ae2a0002 by Chris Lamb at 2023-12-30T12:37:40+00:00 data/dla-needed.txt: Triage edk2 for buster LTS (CVE-2019-11098) - - - - - 58fd8228 by Chris Lamb at 2023-12-30T12:38:41+00:00 data/dla-needed.txt: Triage php-guzzlehttp-psr7 for buster LTS (CVE-2023-29197) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,6 +76,10 @@ dogecoin dropbear (guilhem) NOTE: 20231219: Added by Front-Desk (ta) -- +edk2 + NOTE: 20231230: Added by Front-Desk (lamby) + NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) +-- exim4 (Markus Koschany) NOTE: 20231224: Added by Front-Desk (ta) -- @@ -174,6 +178,10 @@ nvidia-cuda-toolkit paramiko NOTE: 20231225: Added by Front-Desk (ta) -- +php-guzzlehttp-psr7 + NOTE: 20231230: Added by Front-Desk (lamby) + NOTE: 20231230: CVE-2023-29197 already fixed in bullseye via DSA or point release (lamby) +-- postfix NOTE: 20231224: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bce0734072f5c5b275a47d94bafd803dd79ddc66...58fd822899037b2abf8f6fefed4f1b32515860f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bce0734072f5c5b275a47d94bafd803dd79ddc66...58fd822899037b2abf8f6fefed4f1b32515860f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
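Review bot: both new NOTE lines hedge with "fixed in bullseye via DSA or point release" (edk2 for CVE-2019-11098, php-guzzlehttp-psr7 for CVE-2023-29197) without saying which; recording the DSA id or the bullseye version that carries the fix makes the triage reproducible for whoever picks up the buster update. The two notes also differ in wording ("fixed" versus "already fixed"); use one form.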
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage libspreadsheet-parseexcel-perl for buster LTS (CVE-2023-7101)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1216ea9e by Chris Lamb at 2023-12-30T12:20:56+00:00 data/dla-needed.txt: Triage libspreadsheet-parseexcel-perl for buster LTS (CVE-2023-7101) - - - - - bce07340 by Chris Lamb at 2023-12-30T12:21:49+00:00 Triage CVE-2023-47118, CVE-2023-48298 CVE-2023-48704 in clickhouse for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -984,6 +984,7 @@ CVE-2023-48704 (ClickHouse is an open-source column-oriented database management - clickhouse (bug #1059367) [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) + [buster] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5rmf-5g48-xv63 NOTE: https://github.com/ClickHouse/ClickHouse/pull/57107 CVE-2023-48670 (Dell SupportAssist for Home PCs version 3.14.1 and prior versions cont ...) @@ -1129,6 +1130,7 @@ CVE-2023-48298 (ClickHouse\xae is an open-source column-oriented database manage - clickhouse (bug #1059261) [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) + [buster] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938 NOTE: https://github.com/ClickHouse/ClickHouse/pull/56795 CVE-2023-46649 (A race condition in GitHub Enterprise Server was identified that could ...) @@ -1487,6 +1489,7 @@ CVE-2023-47118 (ClickHouse\xae is an open-source column-oriented database manage - clickhouse (bug #1059261) [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) + [buster] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v CVE-2023-46311 (Authorization Bypass Through User-Controlled Key vulnerability in gVec ...) NOT-FOR-US: WordPress plugin = data/dla-needed.txt = 
@@ -122,6 +122,9 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- +libspreadsheet-parseexcel-perl + NOTE: 20231230: Added by Front-Desk (lamby) +-- libssh (Sean Whitton) NOTE: 20231219: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/179129dc8165f0fbce6a195c7f514630885b181e...bce0734072f5c5b275a47d94bafd803dd79ddc66 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/179129dc8165f0fbce6a195c7f514630885b181e...bce0734072f5c5b275a47d94bafd803dd79ddc66 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
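Review bot: the new libspreadsheet-parseexcel-perl block in dla-needed.txt records only "Added by Front-Desk (lamby)" while the commit message names CVE-2023-7101; add the CVE id to the NOTE so the LTS worker can see at a glance which issue needs the buster update. In the same push, the second commit message reads "CVE-2023-47118, CVE-2023-48298 CVE-2023-48704" with a missing separator between the last two ids; the three clickhouse hunks themselves are consistent with the existing bullseye and bookworm "(Minor issue)" lines.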
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 179129dc by Salvatore Bonaccorso at 2023-12-30T12:35:05+01:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,7 @@ CVE-2023-50071 (Sourcecodester Customer Support System 1.0 has multiple SQL inje CVE-2023-50070 (Sourcecodester Customer Support System 1.0 has multiple SQL injection ...) NOT-FOR-US: Sourcecodester Customer Support System CVE-2023-50069 (WireMock with GUI versions 3.2.0.0 through 3.0.4.0 are vulnerable to s ...) - TODO: check + NOT-FOR-US: WireMock CVE-2023-50035 (PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection on the Users l ...) NOT-FOR-US: PHPGurukul Small CRM CVE-2023-41544 (SSTI injection vulnerability in jeecg-boot version 3.5.3, allows remot ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/179129dc8165f0fbce6a195c7f514630885b181e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/179129dc8165f0fbce6a195c7f514630885b181e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed update for mariadb-10.5 via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: af75c2ef by Salvatore Bonaccorso at 2023-12-30T12:16:22+01:00 Track proposed update for mariadb-10.5 via bullseye-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -115,3 +115,5 @@ CVE-2023-51764 [bullseye] - postfix 3.5.23-0+deb11u1 CVE-2023-48795 [bullseye] - filezilla 3.52.2-3+deb11u1 +CVE-2023-22084 + [bullseye] - mariadb-10.5 1:10.5.23-0+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af75c2ef642bc76e5bd2d10225d1f01cf3182dd9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af75c2ef642bc76e5bd2d10225d1f01cf3182dd9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference blog post for spip issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f2bd2dcd by Salvatore Bonaccorso at 2023-12-30T11:58:42+01:00 Reference blog post for spip issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1007,6 +1007,7 @@ CVE-2023- [XSS issue fixed in 4.1.13 upstream] [bookworm] - spip (Minor issue) [bullseye] - spip (Minor issue) [buster] - spip (Minor issue) + NOTE: https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-7-SPIP-4-1-13.html?lang=fr NOTE: https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb CVE-2023-7059 (A vulnerability was found in SourceCodester School Visitor Log e-Book ...) NOT-FOR-US: SourceCodester School Visitor Log e-Book View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2bd2dcd71d69d17937708d5c81448bd7fc05a94 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2bd2dcd71d69d17937708d5c81448bd7fc05a94 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for spip issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 099151f2 by Salvatore Bonaccorso at 2023-12-30T11:57:29+01:00 Reference upstream commit for spip issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1007,6 +1007,7 @@ CVE-2023- [XSS issue fixed in 4.1.13 upstream] [bookworm] - spip (Minor issue) [bullseye] - spip (Minor issue) [buster] - spip (Minor issue) + NOTE: https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb CVE-2023-7059 (A vulnerability was found in SourceCodester School Visitor Log e-Book ...) NOT-FOR-US: SourceCodester School Visitor Log e-Book CVE-2023-7058 (A vulnerability was found in SourceCodester Simple Student Attendance ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/099151f2c96364bb567ae93c754660feb4857d08 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/099151f2c96364bb567ae93c754660feb4857d08 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed updates for filezilla via {bullseye,bookworm}-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e5891585 by Salvatore Bonaccorso at 2023-12-30T11:55:16+01:00 Track proposed updates for filezilla via {bullseye,bookworm}-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -113,3 +113,5 @@ CVE-2023- [XSS issue fixed in 4.1.13 upstream] NOTE: For Debian bug #1059331 CVE-2023-51764 [bullseye] - postfix 3.5.23-0+deb11u1 +CVE-2023-48795 + [bullseye] - filezilla 3.52.2-3+deb11u1 = data/next-point-update.txt = @@ -63,3 +63,5 @@ CVE-2023-49991 [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1 CVE-2023-49990 [bookworm] - espeak-ng 1.51+dfsg-10+deb12u1 +CVE-2023-48795 + [bookworm] - filezilla 3.63.0-1+deb12u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e58915853603e92a45b4c491d668570ed5b2ae64 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e58915853603e92a45b4c491d668570ed5b2ae64 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add phpseclib tracking for CVE-2023-48795
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1dd37d4c by Salvatore Bonaccorso at 2023-12-30T11:17:04+01:00 Add phpseclib tracking for CVE-2023-48795 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2076,6 +2076,9 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun [buster] - libssh2 (ChaCha20-Poly1305 and CBC-EtM support not present) - openssh 1:9.6p1-1 - paramiko (bug #1059006) + - phpseclib 1.0.22-1 + - php-phpseclib 2.0.46-1 + - php-phpseclib3 3.0.35-1 - proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144) [bookworm] - proftpd-dfsg (Minor issue) [bullseye] - proftpd-dfsg (Minor issue) 
@@ -2110,6 +2113,8 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun NOTE: OpenSSH: https://www.openwall.com/lists/oss-security/2023/12/18/2 NOTE: OpenSSH (strict key exchange): https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 (V_9_6_P1) NOTE: paramiko: https://github.com/paramiko/paramiko/issues/2337 + NOTE: phpseclib: https://github.com/phpseclib/phpseclib/issues/1972 + NOTE: phpseclib: https://github.com/phpseclib/phpseclib/commit/c8e3ab9317abae80d7f58fd9acd9214b57572b32 (1.0.22, 2.0.46, 3.0.35) NOTE: proftpd: https://github.com/proftpd/proftpd/issues/1760 NOTE: proftpd: https://github.com/proftpd/proftpd/commit/7fba68ebb3ded3047a35aa639e115eba7d585682 (v1.3.9rc2) NOTE: proftpd: https://github.com/proftpd/proftpd/commit/bcec15efe6c53dac40420731013f1cd2fd54123b (v1.3.8b) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dd37d4c8a36752d89b1c7abf2291986214644e5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dd37d4c8a36752d89b1c7abf2291986214644e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
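Review bot: the three new package lines in the first hunk give fixed versions for unstable (phpseclib 1.0.22-1, php-phpseclib 2.0.46-1, php-phpseclib3 3.0.35-1) but carry no [bookworm]/[bullseye]/[buster] annotation, whereas the neighbouring proftpd-dfsg and libssh2 entries record a per-suite decision; add the stable triage (or a bug number, as the paramiko line has) so the tracker does not show those suites as open without a decision. The second hunk's commit NOTE listing (1.0.22, 2.0.46, 3.0.35) matches the three fixed versions, which is good.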
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 64447640 by Salvatore Bonaccorso at 2023-12-30T09:45:05+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,31 +1,31 @@ CVE-2023-52257 (LogoBee 0.2 allows updates.php?id= XSS.) - TODO: check + NOT-FOR-US: LogoBee CVE-2023-52252 (Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua ...) - TODO: check + NOT-FOR-US: Unified Remote CVE-2023-52240 (The Kantega SAML SSO OIDC Kerberos Single Sign-on apps before 6.20.0 f ...) - TODO: check + NOT-FOR-US: Kantega SAML SSO OIDC Kerberos Single Sign-on apps CVE-2023-50559 (An issue was discovered in XiangShan v2.1, allows local attackers to o ...) - TODO: check + NOT-FOR-US: XiangShan CVE-2023-50071 (Sourcecodester Customer Support System 1.0 has multiple SQL injection ...) - TODO: check + NOT-FOR-US: Sourcecodester Customer Support System CVE-2023-50070 (Sourcecodester Customer Support System 1.0 has multiple SQL injection ...) - TODO: check + NOT-FOR-US: Sourcecodester Customer Support System CVE-2023-50069 (WireMock with GUI versions 3.2.0.0 through 3.0.4.0 are vulnerable to s ...) TODO: check CVE-2023-50035 (PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection on the Users l ...) - TODO: check + NOT-FOR-US: PHPGurukul Small CRM CVE-2023-41544 (SSTI injection vulnerability in jeecg-boot version 3.5.3, allows remot ...) - TODO: check + NOT-FOR-US: jeecg-boot CVE-2023-41543 (SQL injection vulnerability in jeecg-boot v3.5.3, allows remote attack ...) - TODO: check + NOT-FOR-US: jeecg-boot CVE-2023-41542 (SQL injection vulnerability in jeecg-boot version 3.5.3, allows remote ...) - TODO: check + NOT-FOR-US: jeecg-boot CVE-2023-38023 (An issue was discovered in SCONE Confidential Computing Platform befor ...) - TODO: check + NOT-FOR-US: SCONE Confidential Computing Platform CVE-2023-38022 (An issue was discovered in Fortanix EnclaveOS Confidential Computing M ...) - TODO: check + NOT-FOR-US: Fortanix EnclaveOS Confidential Computing Manager (CCM) Platform CVE-2023-38021 (An issue was discovered in Fortanix EnclaveOS Confidential Computing M ...) 
- TODO: check + NOT-FOR-US: Fortanix EnclaveOS Confidential Computing Manager (CCM) Platform CVE-2023-7171 (A vulnerability was found in Novel-Plus up to 4.2.0. It has been decla ...) NOT-FOR-US: Novel-Plus CVE-2023-7166 (A vulnerability classified as problematic has been found in Novel-Plus ...) @@ -69457,9 +69457,9 @@ CVE-2022-46489 (GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to CVE-2022-46488 RESERVED CVE-2022-46487 (Improper initialization of x87 and SSE floating-point configuration re ...) - TODO: check + NOT-FOR-US: SCONE CVE-2022-46486 (A lack of pointer-validation logic in the __scone_dispatch component o ...) - TODO: check + NOT-FOR-US: SCONE CVE-2022-46485 (Data Illusion Survey Software Solutions ngSurvey version 2.4.28 and be ...) NOT-FOR-US: ngSurvey CVE-2022-46484 (Information disclosure in password protected surveys in Data Illusion ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/644476406dfde6cb218347bca3b80588366b4eca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/644476406dfde6cb218347bca3b80588366b4eca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0384af13 by security tracker role at 2023-12-30T08:11:33+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,31 @@ +CVE-2023-52257 (LogoBee 0.2 allows updates.php?id= XSS.) + TODO: check +CVE-2023-52252 (Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua ...) + TODO: check +CVE-2023-52240 (The Kantega SAML SSO OIDC Kerberos Single Sign-on apps before 6.20.0 f ...) + TODO: check +CVE-2023-50559 (An issue was discovered in XiangShan v2.1, allows local attackers to o ...) + TODO: check +CVE-2023-50071 (Sourcecodester Customer Support System 1.0 has multiple SQL injection ...) + TODO: check +CVE-2023-50070 (Sourcecodester Customer Support System 1.0 has multiple SQL injection ...) + TODO: check +CVE-2023-50069 (WireMock with GUI versions 3.2.0.0 through 3.0.4.0 are vulnerable to s ...) + TODO: check +CVE-2023-50035 (PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection on the Users l ...) + TODO: check +CVE-2023-41544 (SSTI injection vulnerability in jeecg-boot version 3.5.3, allows remot ...) + TODO: check +CVE-2023-41543 (SQL injection vulnerability in jeecg-boot v3.5.3, allows remote attack ...) + TODO: check +CVE-2023-41542 (SQL injection vulnerability in jeecg-boot version 3.5.3, allows remote ...) + TODO: check +CVE-2023-38023 (An issue was discovered in SCONE Confidential Computing Platform befor ...) + TODO: check +CVE-2023-38022 (An issue was discovered in Fortanix EnclaveOS Confidential Computing M ...) + TODO: check +CVE-2023-38021 (An issue was discovered in Fortanix EnclaveOS Confidential Computing M ...) + TODO: check CVE-2023-7171 (A vulnerability was found in Novel-Plus up to 4.2.0. It has been decla ...) NOT-FOR-US: Novel-Plus CVE-2023-7166 (A vulnerability classified as problematic has been found in Novel-Plus ...) 
@@ -69428,10 +69456,10 @@ CVE-2022-46489 (GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to NOTE: https://github.com/gpac/gpac/commit/44e8616ec6d0c37498cdacb81375b09249fa9daa (v2.2.0) CVE-2022-46488 RESERVED -CVE-2022-46487 - RESERVED -CVE-2022-46486 - RESERVED +CVE-2022-46487 (Improper initialization of x87 and SSE floating-point configuration re ...) + TODO: check +CVE-2022-46486 (A lack of pointer-validation logic in the __scone_dispatch component o ...) + TODO: check CVE-2022-46485 (Data Illusion Survey Software Solutions ngSurvey version 2.4.28 and be ...) NOT-FOR-US: ngSurvey CVE-2022-46484 (Information disclosure in password protected surveys in Data Illusion ...) @@ -185433,7 +185461,7 @@ CVE-2021-31973 (Windows GPSVC Elevation of Privilege Vulnerability) NOT-FOR-US: Microsoft CVE-2021-31972 (Event Tracing for Windows Information Disclosure Vulnerability) NOT-FOR-US: Microsoft -CVE-2021-31971 (Windows HTML Platform Security Feature Bypass Vulnerability) +CVE-2021-31971 (Windows HTML Platforms Security Feature Bypass Vulnerability) NOT-FOR-US: Microsoft CVE-2021-31970 (Windows TCP/IP Driver Security Feature Bypass Vulnerability) NOT-FOR-US: Microsoft @@ -194847,7 +194875,7 @@ CVE-2021-28448 (Visual Studio Code Kubernetes Tools Remote Code Execution Vulner NOT-FOR-US: Microsoft CVE-2021-28447 (Windows Early Launch Antimalware Driver Security Feature Bypass Vulner ...) NOT-FOR-US: Microsoft -CVE-2021-28446 (N/A) +CVE-2021-28446 (Windows Portmapping Information Disclosure Vulnerability) NOT-FOR-US: Microsoft CVE-2021-28445 (Windows Network File System Remote Code Execution Vulnerability) NOT-FOR-US: Microsoft 
@@ -198187,7 +198215,7 @@ CVE-2021-27079 (Windows Media Photo Codec Information Disclosure Vulnerability) NOT-FOR-US: Microsoft CVE-2021-27078 (Microsoft Exchange Server Remote Code Execution Vulnerability) NOT-FOR-US: Microsoft -CVE-2021-27077 (Windows Win32k Elevation of Privilege Vulnerability This CVE ID is uni ...) +CVE-2021-27077 (Windows Win32k Elevation of Privilege Vulnerability) NOT-FOR-US: Microsoft CVE-2021-27076 (Microsoft SharePoint Server Remote Code Execution Vulnerability) NOT-FOR-US: Microsoft @@ -198215,7 +198243,7 @@ CVE-2021-27065 (Microsoft Exchange Server Remote Code Execution Vulnerability) NOT-FOR-US: Microsoft CVE-2021-27064 (Visual Studio Installer Elevation of Privilege Vulnerability) NOT-FOR-US: Microsoft -CVE-2021-27063 (Windows DNS Server Denial of Service Vulnerability This CVE ID is uniq ...) +CVE-2021-27063 (Windows DNS Server Denial of Service Vulnerability) NOT-FOR-US: Microsoft CVE-2021-27062 (HEVC Video Extensions Remote Code Execution Vulnerability)