[Git][security-tracker-team/security-tracker][master] Add two new trafficserver issues

2023-08-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5e5cfce by Salvatore Bonaccorso at 2023-08-09T22:44:48+02:00
Add two new trafficserver issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -174,7 +174,8 @@ CVE-2023-37856 (In PHOENIX CONTACTs WP 6xxx series web 
panels in versions prior
 CVE-2023-37855 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
NOT-FOR-US: PHOENIX
 CVE-2023-33934 (Improper Input Validation vulnerability in Apache Software 
Foundation  ...)
-   TODO: check
+   - trafficserver 
+   NOTE: https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc
 CVE-2023-2905 (Due to a failure in validating the length of a provided 
MQTT_CMD_PUBLI ...)
TODO: check
 CVE-2023-3223
@@ -43621,7 +43622,8 @@ CVE-2022-47187
 CVE-2022-47186
RESERVED
 CVE-2022-47185 (Improper input validation vulnerability on the range header in 
Apache  ...)
-   TODO: check
+   - trafficserver 
+   NOTE: https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc
 CVE-2022-47184 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
{DSA-5435-1 DLA-3475-1}
- trafficserver 9.2.1+ds-1 (bug #1038248)
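Review bot: both trafficserver entries in this patch (CVE-2023-33934 in the hunk above and CVE-2022-47185 here) are assigned to the package with only the ASF announcement thread as a reference, with no upstream fixed version and no Debian bug, whereas the adjacent CVE-2022-47184 entry records the fix as 9.2.1+ds-1 (bug #1038248). Suggest adding the fixed upstream release from the linked thread to the NOTE and, if the issues are to be fixed in unstable, filing a bug so these entries can be resolved the same way.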



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5e5cfceacb99d24f7ca2c7feb33359f992ffe6a



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-08-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
89d2b5e4 by Salvatore Bonaccorso at 2023-08-09T22:42:43+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2,15 +2,15 @@ CVE-2023-4273 (A flaw was found in the exFAT driver of the 
Linux kernel. The vul
- linux 
NOTE: 
https://git.kernel.org/linus/d42334578eba1390859012ebb91e1e556d51db49 (6.5-rc5)
 CVE-2023-40012 (uthenticode is a small cross-platform library for partially 
verifying  ...)
-   TODO: check
+   NOT-FOR-US: uthenticode
 CVE-2023-3953 (A CWE-119: Improper Restriction of Operations within the Bounds 
of a M ...)
NOT-FOR-US: Schneider Electric
 CVE-2023-3518 (HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT 
Auth for  ...)
TODO: check
 CVE-2023-39969 (uthenticode is a small cross-platform library for partially 
verifying  ...)
-   TODO: check
+   NOT-FOR-US: uthenticode
 CVE-2023-39531 (Sentry is an error tracking and performance monitoring 
platform. Start ...)
-   TODO: check
+   NOT-FOR-US: Sentry
 CVE-2023-39008 (A command injection vulnerability in the component 
/api/cron/settings/ ...)
NOT-FOR-US: OPNsense
 CVE-2023-39007 (/ui/cron/item/open in the Cron component of OPNsense before 
23.7 allow ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89d2b5e41984ff84b4fd93413d30c1706e432ed7



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-08-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc559100 by Salvatore Bonaccorso at 2023-08-09T22:30:43+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4,7 +4,7 @@ CVE-2023-4273 (A flaw was found in the exFAT driver of the 
Linux kernel. The vul
 CVE-2023-40012 (uthenticode is a small cross-platform library for partially 
verifying  ...)
TODO: check
 CVE-2023-3953 (A CWE-119: Improper Restriction of Operations within the Bounds 
of a M ...)
-   TODO: check
+   NOT-FOR-US: Schneider Electric
 CVE-2023-3518 (HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT 
Auth for  ...)
TODO: check
 CVE-2023-39969 (uthenticode is a small cross-platform library for partially 
verifying  ...)
@@ -12,43 +12,43 @@ CVE-2023-39969 (uthenticode is a small cross-platform 
library for partially veri
 CVE-2023-39531 (Sentry is an error tracking and performance monitoring 
platform. Start ...)
TODO: check
 CVE-2023-39008 (A command injection vulnerability in the component 
/api/cron/settings/ ...)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-39007 (/ui/cron/item/open in the Cron component of OPNsense before 
23.7 allow ...)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-39006 (The Crash Reporter (crash_reporter.php) component of OPNsense 
before 2 ...)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-39005 (Insecure permissions exist for configd.socket in OPNsense 
before 23.7.)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-39004 (Insecure permissions in the configuration directory (/conf/) 
of OPNsen ...)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-39003 (OPNsense before 23.7 was discovered to contain insecure 
permissions in ...)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-39002 (A cross-site scripting (XSS) vulnerability in the act 
parameter of sys ...)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-39001 (A command injection vulnerability in the component 
diag_backup.php of  ...)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-39000 (A reflected cross-site scripting (XSS) vulnerability in the 
component  ...)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-38999 (A Cross-Site Request Forgery (CSRF) in the System Halt API 
(/system/ha ...)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-38998 (An open redirect in the Login page of OPNsense before 23.7 
allows atta ...)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-38997 (A directory traversal vulnerability in the Captive Portal 
templates of ...)
-   TODO: check
+   NOT-FOR-US: OPNsense
 CVE-2023-38348 (A CSRF issue was discovered in LWsystems Benno MailArchiv 
2.10.1.)
-   TODO: check
+   NOT-FOR-US: LWsystems Benno MailArchiv
 CVE-2023-38347 (An issue was discovered in LWsystems Benno MailArchiv 2.10.1. 
Attacker ...)
-   TODO: check
+   NOT-FOR-US: LWsystems Benno MailArchiv
 CVE-2023-38213 (Adobe Dimension version 3.4.9 is affected by an out-of-bounds 
read vul ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2023-38212 (Adobe Dimension version 3.4.9 is affected by a Heap-based 
Buffer Overf ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2023-38211 (Adobe Dimension version 3.4.9 is affected by a Use After Free 
vulnerab ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2023-37068 (Code-Projects Gym Management System V1.0 allows remote 
attackers to ex ...)
-   TODO: check
+   NOT-FOR-US: Code-Projects Gym Management System
 CVE-2023-34545 (A SQL injection vulnerability in CSZCMS 1.3.0 allows remote 
attackers  ...)
-   TODO: check
+   NOT-FOR-US: CSZCMS
 CVE-2023-33953 (gRPC contains a vulnerability that allows hpack table 
accounting error ...)
TODO: check
 CVE-2023-33469 (In instances where the screen is visible and remote mouse 
connection i ...)
@@ -56,17 +56,17 @@ CVE-2023-33469 (In instances where the screen is visible 
and remote mouse connec
 CVE-2023-33468 (KramerAV VIA Connect (2) and VIA Go (2) devices with a version 
prior t ...)
TODO: check
 CVE-2023-32782 (An issue was discovered in Paessler PRTG Network Monitor 
23.2.83.1760. ...)
-   TODO: check
+   NOT-FOR-US: PRTG Network Monitor
 CVE-2023-32781 (An issue was discovered in Paessler PRTG Network Monitor 
23.2.83.1760. ...)
-   TODO: check
+   NOT-FOR-US: PRTG Network Monitor
 CVE-2023-31452 (An issue was discovered in Paessler PRTG Network Monitor 
23.2.83.1760  ...)
-   TODO: check
+   NOT-FOR-US: PRTG Network Monitor
 CVE-2023-31450 (An issue was discovered in Paessler PRTG Network Monitor 
23.2.83.1760  ...)
-   TODO: check
+   NOT-FOR-US: PRTG Network Monitor
 CVE-2023-31449 (An issue was discovered in Paessler PRTG Network Monitor 

[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4273/linux

2023-08-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
88ba7679 by Salvatore Bonaccorso at 2023-08-09T22:21:14+02:00
Add CVE-2023-4273/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,6 @@
 CVE-2023-4273 (A flaw was found in the exFAT driver of the Linux kernel. The 
vulnerab ...)
-   TODO: check
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/d42334578eba1390859012ebb91e1e556d51db49 (6.5-rc5)
 CVE-2023-40012 (uthenticode is a small cross-platform library for partially 
verifying  ...)
TODO: check
 CVE-2023-3953 (A CWE-119: Improper Restriction of Operations within the Bounds 
of a M ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88ba767937a563e99d2d8daba3d7067b2afb99e8



[Git][security-tracker-team/security-tracker][master] automatic update

2023-08-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
13e211d9 by security tracker role at 2023-08-09T20:12:18+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,121 @@
+CVE-2023-4273 (A flaw was found in the exFAT driver of the Linux kernel. The 
vulnerab ...)
+   TODO: check
+CVE-2023-40012 (uthenticode is a small cross-platform library for partially 
verifying  ...)
+   TODO: check
+CVE-2023-3953 (A CWE-119: Improper Restriction of Operations within the Bounds 
of a M ...)
+   TODO: check
+CVE-2023-3518 (HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT 
Auth for  ...)
+   TODO: check
+CVE-2023-39969 (uthenticode is a small cross-platform library for partially 
verifying  ...)
+   TODO: check
+CVE-2023-39531 (Sentry is an error tracking and performance monitoring 
platform. Start ...)
+   TODO: check
+CVE-2023-39008 (A command injection vulnerability in the component 
/api/cron/settings/ ...)
+   TODO: check
+CVE-2023-39007 (/ui/cron/item/open in the Cron component of OPNsense before 
23.7 allow ...)
+   TODO: check
+CVE-2023-39006 (The Crash Reporter (crash_reporter.php) component of OPNsense 
before 2 ...)
+   TODO: check
+CVE-2023-39005 (Insecure permissions exist for configd.socket in OPNsense 
before 23.7.)
+   TODO: check
+CVE-2023-39004 (Insecure permissions in the configuration directory (/conf/) 
of OPNsen ...)
+   TODO: check
+CVE-2023-39003 (OPNsense before 23.7 was discovered to contain insecure 
permissions in ...)
+   TODO: check
+CVE-2023-39002 (A cross-site scripting (XSS) vulnerability in the act 
parameter of sys ...)
+   TODO: check
+CVE-2023-39001 (A command injection vulnerability in the component 
diag_backup.php of  ...)
+   TODO: check
+CVE-2023-39000 (A reflected cross-site scripting (XSS) vulnerability in the 
component  ...)
+   TODO: check
+CVE-2023-38999 (A Cross-Site Request Forgery (CSRF) in the System Halt API 
(/system/ha ...)
+   TODO: check
+CVE-2023-38998 (An open redirect in the Login page of OPNsense before 23.7 
allows atta ...)
+   TODO: check
+CVE-2023-38997 (A directory traversal vulnerability in the Captive Portal 
templates of ...)
+   TODO: check
+CVE-2023-38348 (A CSRF issue was discovered in LWsystems Benno MailArchiv 
2.10.1.)
+   TODO: check
+CVE-2023-38347 (An issue was discovered in LWsystems Benno MailArchiv 2.10.1. 
Attacker ...)
+   TODO: check
+CVE-2023-38213 (Adobe Dimension version 3.4.9 is affected by an out-of-bounds 
read vul ...)
+   TODO: check
+CVE-2023-38212 (Adobe Dimension version 3.4.9 is affected by a Heap-based 
Buffer Overf ...)
+   TODO: check
+CVE-2023-38211 (Adobe Dimension version 3.4.9 is affected by a Use After Free 
vulnerab ...)
+   TODO: check
+CVE-2023-37068 (Code-Projects Gym Management System V1.0 allows remote 
attackers to ex ...)
+   TODO: check
+CVE-2023-34545 (A SQL injection vulnerability in CSZCMS 1.3.0 allows remote 
attackers  ...)
+   TODO: check
+CVE-2023-33953 (gRPC contains a vulnerability that allows hpack table 
accounting error ...)
+   TODO: check
+CVE-2023-33469 (In instances where the screen is visible and remote mouse 
connection i ...)
+   TODO: check
+CVE-2023-33468 (KramerAV VIA Connect (2) and VIA Go (2) devices with a version 
prior t ...)
+   TODO: check
+CVE-2023-32782 (An issue was discovered in Paessler PRTG Network Monitor 
23.2.83.1760. ...)
+   TODO: check
+CVE-2023-32781 (An issue was discovered in Paessler PRTG Network Monitor 
23.2.83.1760. ...)
+   TODO: check
+CVE-2023-31452 (An issue was discovered in Paessler PRTG Network Monitor 
23.2.83.1760  ...)
+   TODO: check
+CVE-2023-31450 (An issue was discovered in Paessler PRTG Network Monitor 
23.2.83.1760  ...)
+   TODO: check
+CVE-2023-31449 (An issue was discovered in Paessler PRTG Network Monitor 
23.2.83.1760  ...)
+   TODO: check
+CVE-2023-31448 (An issue was discovered in Paessler PRTG Network Monitor 
23.2.83.1760  ...)
+   TODO: check
+CVE-2022-48604 (A SQL injection vulnerability exists in the \u201clogging 
export\u201d ...)
+   TODO: check
+CVE-2022-48603 (A SQL injection vulnerability exists in the \u201cmessage 
viewer ifram ...)
+   TODO: check
+CVE-2022-48602 (A SQL injection vulnerability exists in the \u201cmessage 
viewer print ...)
+   TODO: check
+CVE-2022-48601 (A SQL injection vulnerability exists in the \u201cnetwork 
print report ...)
+   TODO: check
+CVE-2022-48600 (A SQL injection vulnerability exists in the \u201cnotes 
view\u201d fea ...)
+   TODO: check
+CVE-2022-48599 (A SQL injection vulnerability exists in the \u201creporter 
events type ...)
+   TODO: check
+CVE-2022-48598 (A SQL injection vulnerability exists in the \u201creporter 
events type ...)
+   

[Git][security-tracker-team/security-tracker][master] Associate mitigation for CVE-2023-20588 in kernel

2023-08-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f448a611 by Salvatore Bonaccorso at 2023-08-09T21:58:40+02:00
Associate mitigation for CVE-2023-20588 in kernel

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54500,7 +54500,9 @@ CVE-2023-20590
 CVE-2023-20589 (An attacker with specialized hardware and physical access to 
an impact ...)
TODO: check
 CVE-2023-20588 (A division-by-zero error on some AMD processors can 
potentially return ...)
-   NOT-FOR-US: AMD
+   - linux 
+   NOTE: 
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7007.html
+   NOTE: 
https://git.kernel.org/linus/77245f1c3c6495521f6a3af082696ee2f8ce3921
 CVE-2023-20587
RESERVED
 CVE-2023-20586 (A potential vulnerability was reported in Radeon\u2122 
Software Crimso ...)
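Review bot: the kernel commit NOTE added for CVE-2023-20588 lacks the release tag that the other kernel reference in this series carries (the CVE-2023-4273 NOTE ends with "(6.5-rc5)"), so a reader cannot tell which upstream release ships the mitigation; suggest appending it. Since the commit title describes this as a mitigation for an AMD hardware issue, a short NOTE stating that the linux entry tracks the kernel-side mitigation would also make the replacement of the former "NOT-FOR-US: AMD" line self-explanatory.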



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f448a61183a0a7e1d335c3b36a223aa444e0cbfd



[Git][security-tracker-team/security-tracker][master] LTS: claim datatables.js in dla-needed.txt

2023-08-09 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5dd930f7 by Guilhem Moulin at 2023-08-09T21:50:52+02:00
LTS: claim datatables.js in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -32,7 +32,7 @@ cinder
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
-datatables.js
+datatables.js (guilhem)
   NOTE: 20230809: Added by Front-Desk (Beuc)
   NOTE: 20230809: Experimental issue-based workflow: please follow 
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/29
   NOTE: 20230809: Follow fixes from 11.2 (1 CVE) (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dd930f70e9108f12d8fd6f8bdce2bc1780eb576



[Git][security-tracker-team/security-tracker][master] 2 commits: Unify style for some notes

2023-08-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
db6749c3 by Salvatore Bonaccorso at 2023-08-09T21:22:44+02:00
Unify style for some notes

- - - - -
fba58211 by Salvatore Bonaccorso at 2023-08-09T21:23:52+02:00
CVE-2023-20569: Reference followup for 4th Gen AMD EPYC processors via #1043381

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16353,7 +16353,7 @@ CVE-2023-29452 (Currently, geomap configuration 
(Administration -> General -> Ge
[buster] - zabbix  (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-22981
NOTE: Patches links: https://support.zabbix.com/browse/ZBX-22720
-   NOTE: vulnerable geopmap widget introduced in version 6.0.0alpha6 with 
https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2
+   NOTE: vulnerable geopmap widget introduced in version with 
https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2
 (6.0.0alpha6)
 CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the 
JSON parser ...)
- zabbix 
[bullseye] - zabbix  (5.x not affected)
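Review bot: moving the version into the trailing parenthesis leaves the restyled NOTE reading "introduced in version with <commit> (6.0.0alpha6)", so "in version" now dangles; suggest "vulnerable geomap widget introduced with <commit> (6.0.0alpha6)", which also fixes the "geopmap" typo carried over from the replaced line.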
@@ -54548,7 +54548,7 @@ CVE-2023-20569 (A side channel vulnerability on some of 
the AMD CPUs may allow a
NOTE: 3.20230719.1 ships the first batch of fixes, only for 3nd gen 
EPYC CPUs (Milan),
NOTE: further update for 4th gen EPYC CPUs to follow in later releases.
NOTE: Updated microcode for 4th gen EPYC CPUs Genoa (Family=0x19 
Model=0x11) and
-   NOTE: Bergamo (Family=0x19 Model=0xa0) with:
+   NOTE: Bergamo (Family=0x19 Model=0xa0) with (cf: 
https://bugs.debian.org/1043381):
NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=f2eb058afc57348cde66852272d6bf11da1eef8f
NOTE: https://comsec.ethz.ch/research/microarch/inception/
NOTE: https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf
@@ -56952,8 +56952,8 @@ CVE-2022-43515 (Zabbix Frontend provides a feature that 
allows admins to maintai
[bullseye] - zabbix  (Minor issue)
[buster] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-22050
-   NOTE: Patches: for 4.0.45rc1 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa58889ba54b2350e211a5f315baabbaf7228045
-   NOTE: for 5.0.30rc1 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e
+   NOTE: Fixed by: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa58889ba54b2350e211a5f315baabbaf7228045
 (4.0.45rc1)
+   NOTE: Fixed by: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e
 (5.0.30rc1)
 CVE-2022-43514 (A vulnerability has been identified in Automation License 
Manager V5 ( ...)
NOT-FOR-US: Automation License Manager
 CVE-2022-43513 (A vulnerability has been identified in Automation License 
Manager V5 ( ...)
@@ -270352,7 +270352,7 @@ CVE-2013-7484 (Zabbix before 5.0 represents passwords 
in the users table with un
NOTE: https://support.zabbix.com/browse/ZBX-16551
NOTE: https://support.zabbix.com/browse/ZBXNEXT-1898
NOTE: 
https://www.zabbix.com/documentation/5.0/manual/introduction/whatsnew500#stronger_cryptography_for_passwords
-   NOTE: patch for 5.0.0: 
https://github.com/zabbix/zabbix/commit/3c4b81c66da
+   NOTE: Fixed by: 
https://github.com/zabbix/zabbix/commit/0bc1a41104cf747edbda6d2c84c7ade9d714fb30
 (5.0.0alpha1)
 CVE-2020-1784
RESERVED
 CVE-2020-1783
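Review bot: this hunk does more than unify style: the referenced commit changes from the abbreviated 3c4b81c66da to the full 0bc1a41104cf747edbda6d2c84c7ade9d714fb30, and neither the diff nor the commit message says why. If the old hash was a wrong or unreachable reference, a sentence in the commit message (or a NOTE) should record that, so a reader of the tracker does not have to re-verify which commit fixes the issue in 5.0.0alpha1.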
@@ -279529,8 +279529,9 @@ CVE-2019-17382 (An issue was discovered in 
zabbix.php?action=dashboard.view
NOTE: Disputed by upstream, closed as not a security bug.
NOTE: Guest account is disabled by default starting in 4.0.15rc1, 
4.4.2rc1 and
NOTE: 5.0.0alpha1 (Cf. https://support.zabbix.com/browse/ZBXNEXT-5532)
-   NOTE: Patch to disable default user by default, for 5.0.0alpha1: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/9fd6f1c35
-   NOTE: and for 4.0.15rc: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cd3921882
+   NOTE: Patch to disable default user by default:
+   NOTE: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/9fd6f1c35 (5.0.0alpha1)
+   NOTE: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cd3921882 (4.0.15rc1)
 CVE-2019-17381
RESERVED
 CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update 
Preferences in ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3d39481247db7f5d33200ff32ca1f64203922543...fba582111255373e28b5ae22a7a0e85fa708


[Git][security-tracker-team/security-tracker][master] Update note for amd64-microcode related fixes

2023-08-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3d394812 by Salvatore Bonaccorso at 2023-08-09T20:59:20+02:00
Update note for amd64-microcode related fixes

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54545,8 +54545,11 @@ CVE-2023-20569 (A side channel vulnerability on some 
of the AMD CPUs may allow a
- linux 6.4.4-3
NOTE: SRSO microcode for Milan (Zen3 EPYC):
NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/amd-ucode?id=b250b32ab1d044953af2dc5e790819a7703b7ee6
-   NOTE: 3.20230719.1 ships the first batch of fixes, only for 3nd gen 
EPYC CPUs,
-   NOTE: further update for 4th gen EPYC CPUs to follow in later releases
+   NOTE: 3.20230719.1 ships the first batch of fixes, only for 3nd gen 
EPYC CPUs (Milan),
+   NOTE: further update for 4th gen EPYC CPUs to follow in later releases.
+   NOTE: Updated microcode for 4th gen EPYC CPUs Genoa (Family=0x19 
Model=0x11) and
+   NOTE: Bergamo (Family=0x19 Model=0xa0) with:
+   NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=f2eb058afc57348cde66852272d6bf11da1eef8f
NOTE: https://comsec.ethz.ch/research/microarch/inception/
NOTE: https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf
NOTE: https://github.com/comsec-group/inception
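Review bot: the added NOTE repeats the "3nd gen" typo from the removed line; it should read "3rd gen EPYC CPUs (Milan)". The new Genoa/Bergamo lines link the linux-firmware commit but, unlike the Milan line which is tied to the 3.20230719.1 upload, do not say which amd64-microcode version ships it; once known, append that version so the entry can be resolved.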



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d39481247db7f5d33200ff32ca1f64203922543



[Git][security-tracker-team/security-tracker][master] CVE-2023-37276/python-aiohttp: buster not-affected

2023-08-09 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86284d7b by Sylvain Beucler at 2023-08-09T20:31:12+02:00
CVE-2023-37276/python-aiohttp: buster not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2575,9 +2575,11 @@ CVE-2023-37276 (aiohttp is an asynchronous HTTP 
client/server framework for asyn
- python-aiohttp 
[bookworm] - python-aiohttp  (Minor issue)
[bullseye] - python-aiohttp  (Minor issue)
+   [buster] - python-aiohttp  (doesn't use llhttp, PoC is 
rejected with Bad Request)
NOTE: 
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
NOTE: 
https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
NOTE: https://hackerone.com/reports/2001873
+   NOTE: http-parser->llhttp switch: 
https://github.com/aio-libs/aiohttp/commit/485a5fc49050f8f8bf0d7eec8a85b4d9b450386c
 (v3.8.0a4)
 CVE-2023-35900 (IBM Robotic Process Automation for Cloud Pak 21.0.0 through 
21.0.7.4 a ...)
NOT-FOR-US: IBM
 CVE-2023-35898 (IBM InfoSphere Information Server 11.7 could allow an 
authenticated us ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86284d7b9e2bd0bdd3328d516e2083a760e64ef8



[Git][security-tracker-team/security-tracker][master] 2 commits: NFUs

2023-08-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5044562a by Moritz Muehlenhoff at 2023-08-09T20:07:53+02:00
NFUs

- - - - -
1b4d0128 by Moritz Muehlenhoff at 2023-08-09T20:07:54+02:00
bullseye/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -100,7 +100,7 @@ CVE-2023-39532 (SES is a JavaScript environment that allows 
safe execution of ar
 CVE-2023-39518 (social-media-skeleton is an uncompleted social media project 
implement ...)
TODO: check
 CVE-2023-39419 (A vulnerability has been identified in Solid Edge SE2023 (All 
versions ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-39342 (Dangerzone is software for converting potentially dangerous 
PDFs, offi ...)
TODO: check
 CVE-2023-39269 (A vulnerability has been identified in RUGGEDCOM i800, 
RUGGEDCOM i800N ...)
@@ -112,21 +112,21 @@ CVE-2023-39217 (Improper input validation in Zoom 
SDK\u2019s before 5.14.10 may
 CVE-2023-39216 (Improper input validation in Zoom Desktop Client for Windows 
before 5. ...)
NOT-FOR-US: Zoom
 CVE-2023-39188 (A vulnerability has been identified in Solid Edge SE2023 (All 
versions ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-39187 (A vulnerability has been identified in Solid Edge SE2023 (All 
versions ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-39186 (A vulnerability has been identified in Solid Edge SE2023 (All 
versions ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-39185 (A vulnerability has been identified in Solid Edge SE2023 (All 
versions ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-39184 (A vulnerability has been identified in Solid Edge SE2023 (All 
versions ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-39183 (A vulnerability has been identified in Solid Edge SE2023 (All 
versions ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-39182 (A vulnerability has been identified in Solid Edge SE2023 (All 
versions ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-39181 (A vulnerability has been identified in Solid Edge SE2023 (All 
versions ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-39086 (ASUS RT-AC66U B1 3.0.0.4.286_51665 was discovered to transmit 
sensitiv ...)
NOT-FOR-US: ASUS
 CVE-2023-38815
@@ -164,37 +164,37 @@ CVE-2023-38759 (Cross Site Request Forgery (CSRF) 
vulnerability in wger Project
 CVE-2023-38758 (Cross Site Scripting vulnerability in wger Project wger 
Workout Manage ...)
TODO: check
 CVE-2023-38683 (A vulnerability has been identified in JT2Go (All versions < 
V14.2.0.5 ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38682 (A vulnerability has been identified in JT2Go (All versions < 
V14.2.0.5 ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38681 (A vulnerability has been identified in Tecnomatix Plant 
Simulation V22 ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38680 (A vulnerability has been identified in Tecnomatix Plant 
Simulation V22 ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38679 (A vulnerability has been identified in Tecnomatix Plant 
Simulation V22 ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38641 (A vulnerability has been identified in SICAM TOOLBOX II (All 
versions  ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38532 (A vulnerability has been identified in Parasolid V34.1 (All 
versions < ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38531 (A vulnerability has been identified in Parasolid V34.1 (All 
versions < ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38530 (A vulnerability has been identified in Parasolid V34.1 (All 
versions < ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38529 (A vulnerability has been identified in Parasolid V34.1 (All 
versions < ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38528 (A vulnerability has been identified in Parasolid V34.1 (All 
versions < ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38527 (A vulnerability has been identified in Parasolid V34.1 (All 
versions < ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38526 (A vulnerability has been identified in Parasolid V34.1 (All 
versions < ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38525 (A vulnerability has been identified in Parasolid V34.1 (All 
versions < ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38524 (A vulnerability has been identified in Parasolid V34.1 (All 
versions < ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38384 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
Syntacti ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38254 (Microsoft Message 
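Review bot: the NOT-FOR-US marker on CVE-2023-38384 looks like a copy-paste slip: every other entry in this hunk is a Siemens product (JT2Go, Tecnomatix, SICAM TOOLBOX II, Parasolid), but this description starts "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Syntacti ...", which names a different vendor. Please re-check the CVE text and set the NOT-FOR-US attribution to the actual product.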

[Git][security-tracker-team/security-tracker][master] Triaging zabbix with focus LTS/buster

2023-08-09 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4b21c5fb by Tobias Frost at 2023-08-09T18:42:38+02:00
Triaging zabbix with focus LTS/buster

CVE-2023-29458: duktape library only introduced in 5.0.0alpha1
CVE-2023-29452: geomap widget only introduced in 6.0.0alpha6

add links to patch for: CVE-2023-29451 CVE-2013-7484 CVE-2019-17382

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16321,8 +16321,10 @@ CVE-2023-29459 (The laola.redbull application through 
5.1.9-R for Android expose
NOT-FOR-US: laola.redbull
 CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a 
focus on  ...)
- zabbix 
+   [buster] - zabbix  (vulnerable code introduced later)
NOTE: This appears to be bug in Zabbix's use of duktape, not an issue 
in src:duktape per se
NOTE: https://support.zabbix.com/browse/ZBX-22989
+   NOTE: duktape library introduced with 
https://github.com/zabbix/zabbix/commit/d43b04665c1ade5b4a9f49db750b8ca6c82e9de2
 (5.0.0alpha1)
 CVE-2023-29457 (Reflected XSS attacks, occur when a malicious script is 
reflected off  ...)
- zabbix 
NOTE: https://support.zabbix.com/browse/ZBX-22988
@@ -16339,8 +16341,11 @@ CVE-2023-29453
RESERVED
 CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> 
Geograph ...)
- zabbix 
-   [bullseye] - zabbix  (5.x not affected)
+   [bullseye] - zabbix  (vulnerable code introduced later)
+   [buster] - zabbix  (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-22981
+   NOTE: Patches links: https://support.zabbix.com/browse/ZBX-22720
+   NOTE: vulnerable geopmap widget introduced in version 6.0.0alpha6 with 
https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2
 CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the 
JSON parser ...)
- zabbix 
[bullseye] - zabbix  (5.x not affected)
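Review bot: typo in the new NOTE for CVE-2023-29452: "geopmap" should be "geomap" (the commit message itself says "geomap widget"). Two smaller points in the same hunk: "NOTE: Patches links:" reads better as "NOTE: Patch links:", and since that link (ZBX-22720) is a different ticket from the issue's own ZBX-22981 recorded on the line above, a few words on what ZBX-22720 contains would save the next triager a lookup.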
@@ -56908,6 +56913,8 @@ CVE-2022-43515 (Zabbix Frontend provides a feature that 
allows admins to maintai
[bullseye] - zabbix  (Minor issue)
[buster] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-22050
+   NOTE: Patches: for 4.0.45rc1 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa58889ba54b2350e211a5f315baabbaf7228045
+   NOTE: for 5.0.30rc1 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e
 CVE-2022-43514 (A vulnerability has been identified in Automation License 
Manager V5 ( ...)
NOT-FOR-US: Automation License Manager
 CVE-2022-43513 (A vulnerability has been identified in Automation License 
Manager V5 ( ...)
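Review bot: the second new NOTE for CVE-2022-43515 ("NOTE: for 5.0.30rc1 ...") only makes sense when read together with the line above it, and NOTE lines are usually read one at a time. Spell each one out so they stand alone, e.g. "NOTE: Patch for 4.0.45rc1: <url>" and "NOTE: Patch for 5.0.30rc1: <url>".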
@@ -270306,6 +270313,7 @@ CVE-2013-7484 (Zabbix before 5.0 represents passwords 
in the users table with un
NOTE: https://support.zabbix.com/browse/ZBX-16551
NOTE: https://support.zabbix.com/browse/ZBXNEXT-1898
NOTE: 
https://www.zabbix.com/documentation/5.0/manual/introduction/whatsnew500#stronger_cryptography_for_passwords
+   NOTE: patch for 5.0.0: 
https://github.com/zabbix/zabbix/commit/3c4b81c66da
 CVE-2020-1784
RESERVED
 CVE-2020-1783
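Review bot: the new NOTE for CVE-2013-7484 references the fix commit by an abbreviated hash (3c4b81c66da), whereas the other patch links added in this commit use full 40-character hashes. A full hash stays unambiguous for the life of the repository, so use it here as well.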
@@ -279482,6 +279490,8 @@ CVE-2019-17382 (An issue was discovered in 
zabbix.php?action=dashboard.view
NOTE: Disputed by upstream, closed as not a security bug.
NOTE: Guest account is disabled by default starting in 4.0.15rc1, 
4.4.2rc1 and
NOTE: 5.0.0alpha1 (Cf. https://support.zabbix.com/browse/ZBXNEXT-5532)
+   NOTE: Patch to disable default user by default, for 5.0.0alpha1: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/9fd6f1c35
+   NOTE: and for 4.0.15rc: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cd3921882
 CVE-2019-17381
RESERVED
 CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update 
Preferences in ...)
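Review bot: version inconsistency in the new NOTEs for CVE-2019-17382: the existing NOTE above says the guest account is disabled by default starting in 4.0.15rc1, but the new line says "and for 4.0.15rc:", with the trailing "1" dropped. The line is also a continuation of the previous NOTE; make it self-contained, e.g. "NOTE: Patch for 4.0.15rc1: <url>".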



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b21c5fbfaebdf2d20fc5eb1d3de973f86bcdf5e



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3523-1 for firefox-esr

2023-08-09 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3099d0a5 by Emilio Pozuelo Monfort at 2023-08-09T18:41:58+02:00
Reserve DLA-3523-1 for firefox-esr

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[09 Aug 2023] DLA-3523-1 firefox-esr - security update
+   {CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 
CVE-2023-4050 CVE-2023-4055 CVE-2023-4056}
+   [buster] - firefox-esr 102.14.0esr-1~deb10u1
 [09 Aug 2023] DLA-3522-1 hdf5 - security update
{CVE-2018-11206 CVE-2018-17233 CVE-2018-17234 CVE-2018-17237 
CVE-2018-17434 CVE-2018-17437}
[buster] - hdf5 1.10.4+repack-10+deb10u1


=
data/dla-needed.txt
=
@@ -51,9 +51,6 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the 
initiatives. (Beuc/front-desk)
 --
-firefox-esr (Emilio)
-  NOTE: 20230802: Added by pochu
---
 gawk (Adrian Bunk)
   NOTE: 20230806: Added by Front-Desk (gladk)
   NOTE: 20230806: Please, check, whether CVE is applicable for buster



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3099d0a54707cd27a87bf551860a18ad59501bc9



[Git][security-tracker-team/security-tracker][master] dla: add datatables.js

2023-08-09 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
af6ef93a by Sylvain Beucler at 2023-08-09T18:30:48+02:00
dla: add datatables.js

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -32,6 +32,11 @@ cinder
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
+datatables.js
+  NOTE: 20230809: Added by Front-Desk (Beuc)
+  NOTE: 20230809: Experimental issue-based workflow: please follow 
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/29
+  NOTE: 20230809: Follow fixes from 11.2 (1 CVE) (Beuc/front-desk)
+--
 docker.io
   NOTE: 20230303: Added by Front-Desk (Beuc)
   NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
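Review bot: "Follow fixes from 11.2 (1 CVE)" in the new datatables.js entry omits the suite name. The docker.io entry directly below spells it out as "Follow fixes from bullseye 11.2", and "11.2" on its own could be read as an upstream version, so write "bullseye 11.2" here too.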



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af6ef93a6ac2a2101c820d3fb3813bb590851755



[Git][security-tracker-team/security-tracker][master] dla: add i2p (with experimental issue-based LTS workflow)

2023-08-09 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
256ed1ea by Sylvain Beucler at 2023-08-09T16:58:46+02:00
dla: add i2p (with experimental issue-based LTS workflow)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -60,6 +60,10 @@ glib2.0 (santiago)
   NOTE: 20230724: buster should be ready. need if it's possible to run same 
reporter's fuzz test
   NOTE: 20230807: idem.
 --
+i2p
+  NOTE: 20230809: Added by Front-Desk (Beuc)
+  NOTE: 20230809: Experimental issue-based workflow: please follow 
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28
+--
 imagemagick (rouca)
   NOTE: 20230622: Added by Front-Desk (Beuc)
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs 
(Beuc/front-desk)
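Review bot: the new i2p entry carries only the tracker issue link. The neighbouring entries (glib2.0, imagemagick) state in their NOTE lines what is expected of the claimer, and since dla-needed.txt is the list people work from, a one-line statement of the scope (which CVE(s), or "follow fixes from ...") next to the link would keep the entry usable without opening the issue.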



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/256ed1ea6aa1b7601c7174448d16730916493138



[Git][security-tracker-team/security-tracker][master] 2 commits: data/embedded-code-copies: drop ruby versions <=wheezy

2023-08-09 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
09b41c3c by Sylvain Beucler at 2023-08-09T11:18:40+02:00
data/embedded-code-copies: drop ruby versions <=wheezy

- - - - -
c9d9f0a6 by Sylvain Beucler at 2023-08-09T11:18:40+02:00
data/embedded-code-copies: document ruby-arel situation

- - - - -


1 changed file:

- data/embedded-code-copies


Changes:

=
data/embedded-code-copies
=
@@ -1914,9 +1914,6 @@ dtoa
- qt4-x11  (embed)
- rhino  (embed)
NOTE: code translated to Java
-   - ruby1.8  (embed)
-   - ruby1.9  (embed)
-   - ruby1.9.1  (embed)
- sdd  (embed)
- sfind  (embed)
- star  (embed)
@@ -2199,10 +2196,6 @@ kfreebsd-8
- kfreebsd-7  (old-version)
- kfreebsd-6  (old-version)
 
-ruby1.9.1
-   - ruby1.9  (old-version)
-   - ruby1.8  (old-version)
-
 maildrop
- courier  (embed) [./maildrop]
 
@@ -3820,3 +3813,7 @@ llhttp (ITP: #977716)
 
 cakephp
- zoneminder  (embed; bug #1042970)
+
+ruby-arel
+   - rails 2:6.1.7.3+dfsg-2 (embed; bug #1038935) [activerecord/lib/arel*]
+   NOTE: ruby-arel to be RM'd from bookworm as well through -pu, in favor 
of the embedded copy
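Review bot: the new ruby-arel entry ties the embedded copy to rails 2:6.1.7.3+dfsg-2 via bug #1038935, and the NOTE says the standalone package is to be removed from bookworm through -pu as well. Once that removal request is filed, record its bug number here too, so anyone tracking a future arel issue sees at a glance that src:rails is the copy to check in bookworm.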



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f4e4937ef085b28cfbd17bfb41f19e7cad6056b3...c9d9f0a69b14fd25e4ae8fb286edc99a7a79edeb



[Git][security-tracker-team/security-tracker][master] NFUs

2023-08-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f4e4937e by Moritz Muehlenhoff at 2023-08-09T10:58:05+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -210,9 +210,9 @@ CVE-2023-38182 (Microsoft Exchange Server Remote Code 
Execution Vulnerability)
 CVE-2023-38181 (Microsoft Exchange Server Spoofing Vulnerability)
NOT-FOR-US: Microsoft
 CVE-2023-38180 (.NET and Visual Studio Denial of Service Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft .NET
 CVE-2023-38178 (.NET Core and Visual Studio Denial of Service Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft .NET
 CVE-2023-38176 (Azure Arc-Enabled Servers Elevation of Privilege Vulnerability)
NOT-FOR-US: Microsoft
 CVE-2023-38175 (Microsoft Windows Defender Elevation of Privilege 
Vulnerability)
@@ -346,9 +346,9 @@ CVE-2023-35394 (Azure HDInsight Jupyter Notebook Spoofing 
Vulnerability)
 CVE-2023-35393 (Azure Apache Hive Spoofing Vulnerability)
TODO: check
 CVE-2023-35391 (ASP.NET Core SignalR and Visual Studio Information Disclosure 
Vulnerab ...)
-   TODO: check
+   NOT-FOR-US: Microsoft .NET
 CVE-2023-35390 (.NET and Visual Studio Remote Code Execution Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft .NET
 CVE-2023-35389 (Microsoft Dynamics 365 On-Premises Remote Code Execution 
Vulnerability)
TODO: check
 CVE-2023-35388 (Microsoft Exchange Server Remote Code Execution Vulnerability)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4e4937ef085b28cfbd17bfb41f19e7cad6056b3



[Git][security-tracker-team/security-tracker][master] Take rails

2023-08-09 Thread Utkarsh Gupta (@utkarsh)


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5b857919 by Utkarsh Gupta at 2023-08-09T14:26:30+05:30
Take rails

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -131,7 +131,7 @@ qt4-x11 (Roberto C. Sánchez)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11
 --
-rails
+rails (utkarsh)
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
   NOTE: 20220909: Two issues 
https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
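Review bot: the claim is recorded only in the header line ("rails (utkarsh)"). The file's convention, visible in the surrounding lines, is a dated "NOTE: YYYYMMDD: ... (who)" entry, so a line such as "NOTE: 20230809: claimed (utkarsh)" would keep the history of who picked this up and when, which matters for a package that the existing NOTEs say has regressed before.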



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b85791986d6b93222e64bd13d3c7bf4df288a6a



[Git][security-tracker-team/security-tracker][master] Take intel-microcode

2023-08-09 Thread Utkarsh Gupta (@utkarsh)


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
caf6e7d6 by Utkarsh Gupta at 2023-08-09T14:25:34+05:30
Take intel-microcode

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -64,10 +64,11 @@ imagemagick (rouca)
   NOTE: 20230622: Added by Front-Desk (Beuc)
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs 
(Beuc/front-desk)
 --
-intel-microcode
+intel-microcode (utkarsh)
   NOTE: 20230809: Added by Front-Desk (Beuc)
   NOTE: 20230809: Please coordinate with the upcoming linux update (with bwh) 
so users don't have to reboot twice.
   NOTE: 20230809: Upcoming DSA. (Beuc/front-desk)
+  NOTE: 20230809: will co-ordinate with hmh. (utkarsh)
 --
 libreoffice (santiago)
   NOTE: 20230530: Added by Front-Desk (pochu)
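Review bot: the earlier NOTE asks for coordination with bwh on the upcoming linux update, while the new NOTE says "will co-ordinate with hmh". If both are intended (one for the kernel side, one for intel-microcode itself), say so in the NOTE; as written, a reader may take the new line as a correction of the first.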



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caf6e7d68722f33a6cf8547562711e3555bbf64d



[Git][security-tracker-team/security-tracker][master] dla: add intel-microcode

2023-08-09 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
41979053 by Sylvain Beucler at 2023-08-09T10:47:30+02:00
dla: add intel-microcode

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -64,6 +64,11 @@ imagemagick (rouca)
   NOTE: 20230622: Added by Front-Desk (Beuc)
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs 
(Beuc/front-desk)
 --
+intel-microcode
+  NOTE: 20230809: Added by Front-Desk (Beuc)
+  NOTE: 20230809: Please coordinate with the upcoming linux update (with bwh) 
so users don't have to reboot twice.
+  NOTE: 20230809: Upcoming DSA. (Beuc/front-desk)
+--
 libreoffice (santiago)
   NOTE: 20230530: Added by Front-Desk (pochu)
   NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/419790537452307a08a4f430e2d10df4f9db5cc7



[Git][security-tracker-team/security-tracker][master] NFUs

2023-08-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
11ea205a by Moritz Muehlenhoff at 2023-08-09T10:25:40+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54525,11 +54525,12 @@ CVE-2023-20564
 CVE-2023-20563
RESERVED
 CVE-2023-20562 (Insufficient validation in the IOCTL (Input Output Control) 
input buff ...)
-   TODO: check
+   NOT-FOR-US: AMD
 CVE-2023-20561 (Insufficient validation of the IOCTL (Input Output Control) 
input buff ...)
-   TODO: check
+   NOT-FOR-US: AMD
 CVE-2023-20560
RESERVED
+   NOT-FOR-US: AMD
 CVE-2023-20559 (Insufficient control flow management in AmdCpmGpioInitSmm may 
allow a  ...)
NOT-FOR-US: AMD
 CVE-2023-20558 (Insufficient control flow management in AmdCpmOemSmm may allow 
a privi ...)
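Review bot: CVE-2023-20560 is still RESERVED, so no description is visible for it, yet it receives "NOT-FOR-US: AMD" in this hunk. The tag is presumably taken from the AMD advisory covering the neighbouring IDs; add that advisory URL as a NOTE so the basis for the tag is recorded and can be re-checked once the CVE text is published.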
@@ -54537,7 +54538,7 @@ CVE-2023-20558 (Insufficient control flow management in 
AmdCpmOemSmm may allow a
 CVE-2023-20557
RESERVED
 CVE-2023-20556 (Insufficient validation of the IOCTL (Input Output Control) 
input buff ...)
-   TODO: check
+   NOT-FOR-US: AMD
 CVE-2023-20555 (Insufficient input validation in CpmDisplayFeatureSmm may 
allow an att ...)
TODO: check
 CVE-2023-20554
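Review bot: CVE-2023-20555 in the trailing context ("Insufficient input validation in CpmDisplayFeatureSmm ...") is left at "TODO: check", although it belongs to the same AMD SMM module family as the entries tagged in this commit (cf. AmdCpmGpioInitSmm and AmdCpmOemSmm in the first hunk, both "NOT-FOR-US: AMD"). This looks like an oversight; please confirm and tag it in the same way.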



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11ea205a278bea702fd5450bda7d109e1690d08e



[Git][security-tracker-team/security-tracker][master] NFUs

2023-08-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
19b1370d by Moritz Muehlenhoff at 2023-08-09T10:21:33+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,59 +1,59 @@
 CVE-2023-4243 (The FULL - Customer plugin for WordPress is vulnerable to 
Arbitrary Fi ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4242 (The FULL - Customer plugin for WordPress is vulnerable to 
Information  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4239 (The Real Estate Manager plugin for WordPress is vulnerable to 
privileg ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-3632 (Use of Hard-coded Cryptographic Key vulnerability in Sifir Bes 
Educati ...)
-   TODO: check
+   NOT-FOR-US: Sifir Bes Education and Informatics Kunduz Homework Helper 
App
 CVE-2023-39951 (OpenTelemetry Java Instrumentation provides OpenTelemetry 
auto-instrum ...)
TODO: check
 CVE-2023-39910 (The cryptocurrency wallet entropy seeding mechanism used in 
Libbitcoin ...)
-   TODO: check
+   NOT-FOR-US: Libbitcoin Explorer
 CVE-2023-39341 ("FFRI yarai", "FFRI yarai Home and Business Edition" and their 
OEM pro ...)
-   TODO: check
+   NOT-FOR-US: FFRI yarai
 CVE-2023-39214 (Exposure of sensitive information in Zoom Client SDK's before 
5.15.5 m ...)
-   TODO: check
+   NOT-FOR-US: Zoom
 CVE-2023-39213 (Improper neutralization of special elements in Zoom Desktop 
Client for ...)
-   TODO: check
+   NOT-FOR-US: Zoom
 CVE-2023-39212 (Untrusted search path in Zoom Rooms for Windows before version 
5.15.5  ...)
-   TODO: check
+   NOT-FOR-US: Zoom
 CVE-2023-39211 (Improper privilege management in Zoom Desktop Client for 
Windows and Z ...)
-   TODO: check
+   NOT-FOR-US: Zoom
 CVE-2023-39210 (Cleartext storage of sensitive information in Zoom Client SDK 
for Wind ...)
-   TODO: check
+   NOT-FOR-US: Zoom
 CVE-2023-39209 (Improper input validation in Zoom Desktop Client for Windows 
before 5. ...)
-   TODO: check
+   NOT-FOR-US: Zoom
 CVE-2023-38752 (Improper authorization vulnerability in Special Interest Group 
Network ...)
-   TODO: check
+   NOT-FOR-US: Special Interest Group Network for Analysis and Liaison
 CVE-2023-38751 (Improper authorization vulnerability in Special Interest Group 
Network ...)
-   TODO: check
+   NOT-FOR-US: Special Interest Group Network for Analysis and Liaison
 CVE-2023-38209 (Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and 
earlier) ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2023-38208 (Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and 
earlier) ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2023-38207 (Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and 
earlier) ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2023-37864 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
-   TODO: check
+   NOT-FOR-US: PHOENIX
 CVE-2023-37863 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
-   TODO: check
+   NOT-FOR-US: PHOENIX
 CVE-2023-37862 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
-   TODO: check
+   NOT-FOR-US: PHOENIX
 CVE-2023-37861 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
-   TODO: check
+   NOT-FOR-US: PHOENIX
 CVE-2023-37860 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
-   TODO: check
+   NOT-FOR-US: PHOENIX
 CVE-2023-37859 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
-   TODO: check
+   NOT-FOR-US: PHOENIX
 CVE-2023-37858 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
-   TODO: check
+   NOT-FOR-US: PHOENIX
 CVE-2023-37857 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
-   TODO: check
+   NOT-FOR-US: PHOENIX
 CVE-2023-37856 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
-   TODO: check
+   NOT-FOR-US: PHOENIX
 CVE-2023-37855 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
-   TODO: check
+   NOT-FOR-US: PHOENIX
 CVE-2023-33934 (Improper Input Validation vulnerability in Apache Software 
Foundation  ...)
TODO: check
 CVE-2023-2905 (Due to a failure in validating the length of a provided 
MQTT_CMD_PUBLI ...)
@@ -68,7 +68,7 @@ CVE-2023-4203 (Advantech EKI-1524, EKI-1522, EKI-1521 devices 
through 1.21 are a
 CVE-2023-4202 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are 
affect ...)
NOT-FOR-US: Advantech
 CVE-2023-4009 (In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 
6.0.17 i ...)
-   TODO: check
+   

[Git][security-tracker-team/security-tracker][master] new undertow issue

2023-08-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c00a84d6 by Moritz Muehlenhoff at 2023-08-09T10:18:40+02:00
new undertow issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -58,6 +58,9 @@ CVE-2023-33934 (Improper Input Validation vulnerability in 
Apache Software Found
TODO: check
 CVE-2023-2905 (Due to a failure in validating the length of a provided 
MQTT_CMD_PUBLI ...)
TODO: check
+CVE-2023-3223
+   - undertow 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2209689
 CVE-2023-4219 (A vulnerability was found in SourceCodester Doctors Appointment 
System ...)
NOT-FOR-US: SourceCodester Doctors Appointment System
 CVE-2023-4203 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are 
affect ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c00a84d60004fb859c355fda946f3fedda9736e4



[Git][security-tracker-team/security-tracker][master] automatic update

2023-08-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e740c12a by security tracker role at 2023-08-09T08:12:16+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,63 @@
+CVE-2023-4243 (The FULL - Customer plugin for WordPress is vulnerable to 
Arbitrary Fi ...)
+   TODO: check
+CVE-2023-4242 (The FULL - Customer plugin for WordPress is vulnerable to 
Information  ...)
+   TODO: check
+CVE-2023-4239 (The Real Estate Manager plugin for WordPress is vulnerable to 
privileg ...)
+   TODO: check
+CVE-2023-3632 (Use of Hard-coded Cryptographic Key vulnerability in Sifir Bes 
Educati ...)
+   TODO: check
+CVE-2023-39951 (OpenTelemetry Java Instrumentation provides OpenTelemetry 
auto-instrum ...)
+   TODO: check
+CVE-2023-39910 (The cryptocurrency wallet entropy seeding mechanism used in 
Libbitcoin ...)
+   TODO: check
+CVE-2023-39341 ("FFRI yarai", "FFRI yarai Home and Business Edition" and their 
OEM pro ...)
+   TODO: check
+CVE-2023-39214 (Exposure of sensitive information in Zoom Client SDK's before 
5.15.5 m ...)
+   TODO: check
+CVE-2023-39213 (Improper neutralization of special elements in Zoom Desktop 
Client for ...)
+   TODO: check
+CVE-2023-39212 (Untrusted search path in Zoom Rooms for Windows before version 
5.15.5  ...)
+   TODO: check
+CVE-2023-39211 (Improper privilege management in Zoom Desktop Client for 
Windows and Z ...)
+   TODO: check
+CVE-2023-39210 (Cleartext storage of sensitive information in Zoom Client SDK 
for Wind ...)
+   TODO: check
+CVE-2023-39209 (Improper input validation in Zoom Desktop Client for Windows 
before 5. ...)
+   TODO: check
+CVE-2023-38752 (Improper authorization vulnerability in Special Interest Group 
Network ...)
+   TODO: check
+CVE-2023-38751 (Improper authorization vulnerability in Special Interest Group 
Network ...)
+   TODO: check
+CVE-2023-38209 (Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and 
earlier) ...)
+   TODO: check
+CVE-2023-38208 (Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and 
earlier) ...)
+   TODO: check
+CVE-2023-38207 (Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and 
earlier) ...)
+   TODO: check
+CVE-2023-37864 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
+   TODO: check
+CVE-2023-37863 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
+   TODO: check
+CVE-2023-37862 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
+   TODO: check
+CVE-2023-37861 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
+   TODO: check
+CVE-2023-37860 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
+   TODO: check
+CVE-2023-37859 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
+   TODO: check
+CVE-2023-37858 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
+   TODO: check
+CVE-2023-37857 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
+   TODO: check
+CVE-2023-37856 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
+   TODO: check
+CVE-2023-37855 (In PHOENIX CONTACTs WP 6xxx series web panels in versions 
prior to 4.0 ...)
+   TODO: check
+CVE-2023-33934 (Improper Input Validation vulnerability in Apache Software 
Foundation  ...)
+   TODO: check
+CVE-2023-2905 (Due to a failure in validating the length of a provided 
MQTT_CMD_PUBLI ...)
+   TODO: check
 CVE-2023-4219 (A vulnerability was found in SourceCodester Doctors Appointment 
System ...)
NOT-FOR-US: SourceCodester Doctors Appointment System
 CVE-2023-4203 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are 
affect ...)
@@ -5342,6 +5402,7 @@ CVE-2023-34487 (itsourcecode Online Hotel Management 
System Project In PHP v1.0.
 CVE-2023-34486 (itsourcecode Online Hotel Management System Project In PHP 
v1.0.0 is v ...)
NOT-FOR-US: itsourcecode Online Hotel Management System Project
 CVE-2023-33466 (Orthanc before 1.12.0 allows authenticated users with access 
to the Or ...)
+   {DSA-5473-1}
- orthanc 1.12.1+dfsg-1 (bug #1040597)
[buster] - orthanc  (Requires new configuration variable)
NOTE: 
https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568
@@ -26168,8 +26229,8 @@ CVE-2023-26312
RESERVED
 CVE-2023-26311
RESERVED
-CVE-2023-26310
-   RESERVED
+CVE-2023-26310 (There is a command injection problem in the old version of the 
mobile  ...)
+   TODO: check
 CVE-2023-26309
RESERVED
 CVE-2023-26308
@@ -31979,8 +32040,8 @@ CVE-2023-24483 (A vulnerability has been 

[Git][security-tracker-team/security-tracker][master] Claim rar and unrar-nonfree in dla-needed.txt

2023-08-09 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0635c44d by Markus Koschany at 2023-08-09T08:35:57+02:00
Claim rar and unrar-nonfree in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -138,7 +138,7 @@ rails
   NOTE: 20221024: to break thrice in less than 2 month.
   NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the 
possible path forward. (utkarsh)
 --
-rar
+rar (Markus Koschany)
   NOTE: 20230808: Added by Front-Desk (Beuc)
   NOTE: 20230808: CVE-2022-30333 was tagged "Non-free not supported" but we 
have sponsors for this package in buster,
   NOTE: 20230808: so it should be fixed. Fixed by 6.12, not sure there's a fix 
in the 5.x series. (Beuc/front-desk)
@@ -193,7 +193,7 @@ suricata (Adrian Bunk)
   NOTE: 20230714: Still reviewing+testing CVEs. (bunk)
   NOTE: 20230731: Still reviewing+testing CVEs. (bunk)
 --
-unrar-nonfree
+unrar-nonfree (Markus Koschany)
   NOTE: 20230808: Added by Front-Desk (Beuc)
 --
 zabbix (tobi)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0635c44dab58a551dd4488edd928c827c1c592b0



[Git][security-tracker-team/security-tracker][master] Mark remaining hdf5 CVE as no-dsa/postponed.

2023-08-09 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
70c636c5 by Markus Koschany at 2023-08-09T08:23:58+02:00
Mark remaining hdf5 CVE as no-dsa/postponed.

Wait until those issues are fixed in unstable.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -103711,16 +103711,19 @@ CVE-2022-26061 (A heap-based buffer overflow 
vulnerability exists in the gif2h5
- hdf5  (bug #1031726)
[bookworm] - hdf5  (Minor issue, revisit when fixed upstream)
[bullseye] - hdf5  (Minor issue, revisit when fixed upstream)
+   [buster] - hdf5  (Minor issue, revisit when fixed upstream)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1487
 CVE-2022-25972 (An out-of-bounds write vulnerability exists in the gif2h5 
functionalit ...)
- hdf5  (bug #1031726)
[bookworm] - hdf5  (Minor issue, revisit when fixed upstream)
[bullseye] - hdf5  (Minor issue, revisit when fixed upstream)
+   [buster] - hdf5  (Minor issue, revisit when fixed upstream)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1485
 CVE-2022-25942 (An out-of-bounds read vulnerability exists in the gif2h5 
functionality ...)
- hdf5  (bug #1031726)
[bookworm] - hdf5  (Minor issue, revisit when fixed upstream)
[bullseye] - hdf5  (Minor issue, revisit when fixed upstream)
+   [buster] - hdf5  (Minor issue, revisit when fixed upstream)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1486
 CVE-2022-0935 (Host Header injection in password Reset in GitHub repository 
livehelpe ...)
NOT-FOR-US: livehelperchat
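Review bot: the three new [buster] lines, like the bookworm and bullseye lines they mirror, render here with an empty field between the package name and the parenthesised reason, so the state tag itself is not visible in this hunk, and the commit message says "no-dsa/postponed" without stating which one applies. Since the stated reason "revisit when fixed upstream" implies the issue is to be picked up later rather than dropped, name the chosen state in the commit message so the tag on all three entries can be checked against it.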
@@ -308039,6 +308042,7 @@ CVE-2019-8398 (An issue was discovered in the HDF 
HDF5 1.10.4 library. There is
- hdf5  (bug #1034838)
[bookworm] - hdf5  (Minor issue)
[bullseye] - hdf5  (Minor issue)
+   [buster] - hdf5  (Minor issue)
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul6
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10710
 CVE-2019-8397 (An issue was discovered in the HDF HDF5 1.10.4 library. There 
is an ou ...)
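Review bot: the new [buster] line for CVE-2019-8398 gives only "Minor issue" as the reason, whereas the commit message ties the postponement to the fix landing in unstable; recording that condition on the line, as the CVE-2022-26061 group does with "revisit when fixed upstream", keeps the trigger for revisiting the entry in the file rather than only in git history.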
@@ -308053,6 +308057,7 @@ CVE-2019-8396 (A buffer overflow in 
H5O__layout_encode in H5Olayout.c in the HDF
- hdf5  (bug #1034838)
[bookworm] - hdf5  (Minor issue)
[bullseye] - hdf5  (Minor issue)
+   [buster] - hdf5  (Minor issue)
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul4
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10712
NOTE: HDFFV-10712 is marked to be closed in a future 1.10.8 upstream 
release.
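Review bot: the existing NOTE on CVE-2019-8396 already states that HDFFV-10712 is expected to close in a future 1.10.8 upstream release, so the new [buster] line's bare "Minor issue" reason could reference that version (e.g. "Minor issue, revisit once 1.10.8 is available") to give a concrete point at which the postponement should be reviewed.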
@@ -353341,6 +353346,7 @@ CVE-2018-11205 (A out of bounds read was discovered 
in H5VM_memcpyvv in H5VM.c i
- hdf5  (bug #1034807)
[bookworm] - hdf5  (Minor issue)
[bullseye] - hdf5  (Minor issue)
+   [buster] - hdf5  (Minor issue)
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10479
 CVE-2018-11204 (A NULL pointer dereference was discovered in 
H5O__chunk_deserialize in ...)
- hdf5 1.10.4+repack-1 (low)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70c636c5a9aa86e41001ee62ec2f063b3e63fc27



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3522-1 for hdf5

2023-08-09 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7803b26c by Markus Koschany at 2023-08-09T08:21:04+02:00
Reserve DLA-3522-1 for hdf5

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -336548,7 +336548,6 @@ CVE-2018-17438 (A SIGFPE signal is raised in the 
function H5D__select_io() of H5
NOTE: Negligible security impact
 CVE-2018-17437 (Memory leak in the H5O_dtype_decode_helper() function in 
H5Odtype.c in ...)
- hdf5 1.10.6+repack-2 (low)
-   [buster] - hdf5  (Minor issue)
[stretch] - hdf5  (Minor issue)
[jessie] - hdf5  (Minor issue)
NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln5#memory-leak-in-h5o_dtype_decode_helper
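Review bot: none of the data/CVE/list hunks in this commit adds a {DLA-3522-1} cross-reference to the CVE entries whose [buster] no-dsa line is being removed; confirm whether that reference is expected to be added in a later step when the advisory is published, or whether it was omitted here, since without it the entry will show buster as plainly unfixed between reservation and release.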
@@ -336568,7 +336567,6 @@ CVE-2018-17435 (A heap-based buffer over-read in 
H5O_attr_decode() in H5Oattr.c
NOTE: Fixed for 1.10.x in 1.10.7: 
https://forum.hdfgroup.org/t/release-of-hdf5-1-10-7-newsletter-175-the-hdf-group/7511
 CVE-2018-17434 (A SIGFPE signal is raised in the function apply_filters() of 
h5repack_ ...)
- hdf5 1.10.6+repack-2 (low)
-   [buster] - hdf5  (Minor issue)
[stretch] - hdf5  (Minor issue)
[jessie] - hdf5  (Minor issue)
NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_apply_filters_h5repack_filters
@@ -337011,7 +337009,6 @@ CVE-2018-17238
RESERVED
 CVE-2018-17237 (A SIGFPE signal is raised in the function 
H5D__chunk_set_info_real() o ...)
- hdf5 1.10.6+repack-2 (low)
-   [buster] - hdf5  (Minor issue)
[stretch] - hdf5  (Minor issue)
[jessie] - hdf5  (Minor issue)
NOTE: 
https://github.com/SegfaultMasters/covering360/blob/master/HDF5/README.md#divided-by-zero---h5d__chunk_set_info_real_div_by_zero
@@ -337030,7 +337027,6 @@ CVE-2018-17235 (The function 
mp4v2::impl::MP4Track::FinishSdtp() in mp4track.cpp
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1629451
 CVE-2018-17234 (Memory leak in the H5O__chunk_deserialize() function in 
H5Ocache.c in  ...)
- hdf5 1.10.6+repack-2 (low)
-   [buster] - hdf5  (Minor issue)
[stretch] - hdf5  (Minor issue)
[jessie] - hdf5  (Minor issue)
NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln3#memory-leak---h5o__chunk_deserialize_memory_leak
@@ -337039,7 +337035,6 @@ CVE-2018-17234 (Memory leak in the 
H5O__chunk_deserialize() function in H5Ocache
NOTE: 
https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/f4138013dbc6851e968ea3d37b32776538ef306b
 CVE-2018-17233 (A SIGFPE signal is raised in the function 
H5D__create_chunk_file_map_h ...)
- hdf5 1.10.6+repack-2 (low)
-   [buster] - hdf5  (Minor issue)
[stretch] - hdf5  (Minor issue)
[jessie] - hdf5  (Minor issue)
NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln2#divided-by-zero---h5d__create_chunk_file_map_hyper_div_zero


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[09 Aug 2023] DLA-3522-1 hdf5 - security update
+   {CVE-2018-11206 CVE-2018-17233 CVE-2018-17234 CVE-2018-17237 
CVE-2018-17434 CVE-2018-17437}
+   [buster] - hdf5 1.10.4+repack-10+deb10u1
 [08 Aug 2023] DLA-3521-1 thunderbird - security update
{CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 
CVE-2023-4050 CVE-2023-4055 CVE-2023-4056}
[buster] - thunderbird 1:102.14.0-1~deb10u1
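Review bot: the reserved DLA-3522-1 entry lists six CVEs, but the data/CVE/list hunks in this commit drop a [buster] no-dsa line for only five of them (CVE-2018-17437, CVE-2018-17434, CVE-2018-17237, CVE-2018-17234, CVE-2018-17233); CVE-2018-11206 is not touched. Verify that its entry carries no stale [buster] tag, otherwise the tracker will not attribute the fix in 1.10.4+repack-10+deb10u1 to that issue.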


=
data/dla-needed.txt
=
@@ -60,18 +60,6 @@ glib2.0 (santiago)
   NOTE: 20230724: buster should be ready. need if it's possible to run same 
reporter's fuzz test
   NOTE: 20230807: idem.
 --
-hdf5 (Markus Koschany)
-  NOTE: 20230318: Added by Front-Desk (utkarsh)
-  NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. 
(utkarsh)
-  NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, 
probably
-  NOTE: 20230318: sync w/ him. (utkarsh)
-  NOTE: 20230506: tried to triage… seems to be that only sensible way forward 
would be to update to a newer version in the 1.10.x
-  NOTE: 20230506: line. Still then, state of CVEs are unknown if they have 
been fixed. 1.10.11 is scheduled for September. (tobi)
-  NOTE: 20230520: Tried to backport 1.10.6 to buster, however, it seems that 
there is a (hidden) SONAME bump,
-  NOTE: 20230520: 
https://salsa.debian.org/debian/hdf5/-/commit/52b5fe589e68361ea840121d8f4a8eb9148bf3da
-  NOTE: 20230520: additionally couldn't convince the build system to build for 
buster, something with the autogenerated .install files,
-  NOTE: 20230520: so giving up on the package. (tobi)
---
 imagemagick (rouca)
   NOTE: 20230622: Added by Front-Desk (Beuc)
   NOTE:
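Review bot: the removed hdf5 entry's 20230520 notes record that backporting 1.10.6 to buster hit a hidden SONAME bump and build-system problems, and the 20230506 note doubted which CVEs a newer 1.10.x would even fix; the DLA/list hunk targets 1.10.4+repack-10+deb10u1, i.e. an update on the existing 1.10.4 base, which sidesteps both concerns. State in the commit message that the six CVEs were addressed on the 1.10.4 base rather than by the version update the notes considered, since this history is lost from dla-needed.txt once the entry is dropped.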