[Git][security-tracker-team/security-tracker][master] Remove sox from dsa-needed list, no update required
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a4d4a7d2 by Salvatore Bonaccorso at 2023-08-15T07:32:10+02:00 Remove sox from dsa-needed list, no update required The only DSA worthy CVE was CVE-2023-34432 which was already fixed. - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -70,10 +70,6 @@ ruby-tzinfo/oldstable -- salt/oldstable -- -sox - all issues unfixed upstream - for CVE-2023-34432, rest can be ignored --- tiff -- wpewebkit/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4d4a7d2ce63fdfa305fb83eb56ddcf2dc1f948d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4d4a7d2ce63fdfa305fb83eb56ddcf2dc1f948d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
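Review bot: the commit message states that CVE-2023-34432 was already fixed but does not say where, and the removed dsa-needed.txt entry existed specifically for that CVE ("for CVE-2023-34432, rest can be ignored"); please name the fixing advisory or package version in the message so the removal can be verified from the log alone. The remaining sox issue that the removed note said "can be ignored" should have its own disposition in data/CVE/list rather than relying on this comment, which is now gone.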
[Git][security-tracker-team/security-tracker][master] 2 commits: Reference proposed patch for CVE-2023-32627/sox
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 71933bc7 by Salvatore Bonaccorso at 2023-08-15T07:29:56+02:00 Reference proposed patch for CVE-2023-32627/sox - - - - - 9467f2d4 by Salvatore Bonaccorso at 2023-08-15T07:30:43+02:00 Mark CVE-2023-32627/sox as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5100,10 +5100,13 @@ CVE-2023-34316 (An attacker could bypass the latest Delta Electronics InfraSuite CVE-2023-32627 (A floating point exception vulnerability was found in sox, in the read ...) {DLA-3527-1} - sox (bug #1041112) + [bookworm] - sox (Minor issue) + [bullseye] - sox (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2212282 NOTE: https://sourceforge.net/p/sox/bugs/369/ NOTE: POC posted upstream is masked by fix of CVE-2021-3643, however sampling rate == 0, NOTE: thus FPE is not fixed by CVE-2021-3643 + NOTE: Proposed patch: https://sourceforge.net/p/sox/bugs/_discuss/thread/e759e37389/2ead/attachment/0026-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch CVE-2023-30765 (Delta Electronics InfraSuite Device Master versions prior to 1.0.7 con ...) NOT-FOR-US: Delta Electronics InfraSuite Device Master CVE-2023-2967 (The TinyMCE Custom Styles WordPress plugin before 1.1.4 does not sanit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/47e10f5e4fa3e62b6ccd454da791c8dd760788db...9467f2d467faf22c653e921ac46edaa917fe300a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/47e10f5e4fa3e62b6ccd454da791c8dd760788db...9467f2d467faf22c653e921ac46edaa917fe300a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
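Review bot: the new NOTE in the CVE-2023-32627 hunk points at a SourceForge discussion-thread attachment for the proposed patch; such URLs are not durable, so once upstream commits the change, add the upstream commit reference (prefixed "Fixed by:", as other entries do) rather than leaving the attachment link as the only pointer. The added [bookworm] and [bullseye] lines read just "Minor issue"; the netatalk and efibootguard entries in this batch spell out "will be/can be fixed via point release", and saying here whether a point-release fix is intended would make the no-dsa decision unambiguous.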
[Git][security-tracker-team/security-tracker][master] Mark netatalk as no-dsa and remove from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47e10f5e by Salvatore Bonaccorso at 2023-08-15T07:25:55+02:00 Mark netatalk as no-dsa and remove from dsa-needed list The update was proposed to go trough the upcoming bullseye point release. Mark as such and remove it from dsa-needed list instead. - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -50405,6 +50405,7 @@ CVE-2022-45189 CVE-2022-45188 (Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow ...) {DLA-3426-1} - netatalk 3.1.15~ds-1 (bug #1024021) + [bullseye] - netatalk (Minor issue, will be fixed via point release) NOTE: https://rushbnt.github.io/bug%20analysis/netatalk-0day/ NOTE: https://github.com/Netatalk/netatalk/commit/dfab56846e8f454fe0548347ae6437bd12a05925 NOTE: https://github.com/Netatalk/netatalk/commit/952b510d38914ed215858883f395da33d8b7e396 (netatalk-3-1-15) @@ -57346,6 +57347,7 @@ CVE-2022-43635 (This vulnerability allows network-adjacent attackers to disclose CVE-2022-43634 (This vulnerability allows remote attackers to execute arbitrary code o ...) {DLA-3426-1} - netatalk 3.1.15~ds-1 (bug #1034170) + [bullseye] - netatalk (Minor issue, will be fixed via point release) NOTE: https://github.com/Netatalk/Netatalk/pull/186 NOTE: https://github.com/advisories/GHSA-fwj9-7qq8-jc93 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-094/ 
@@ -117010,11 +117012,13 @@ CVE-2021-46283 (nf_tables_newset in net/netfilter/nf_tables_api.c in the Linux k CVE-2022-23125 (This vulnerability allows remote attackers to execute arbitrary code o ...) {DLA-3426-1} - netatalk 3.1.13~ds-1 + [bullseye] - netatalk (Minor issue, will be fixed via point release) NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html NOTE: https://github.com/Netatalk/Netatalk/commit/d801ed421800bcd5df9045f7327c92cd4fc944aa CVE-2022-23124 (This vulnerability allows remote attackers to disclose sensitive infor ...) {DLA-3426-1} - netatalk 3.1.13~ds-1 + [bullseye] - netatalk (Minor issue, will be fixed via point release) NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html NOTE: https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d NOTE: 4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d causes a regression: @@ -117025,6 +117029,7 @@ CVE-2022-23124 (This vulnerability allows remote attackers to disclose sensitive CVE-2022-23123 (This vulnerability allows remote attackers to disclose sensitive infor ...) {DLA-3426-1} - netatalk 3.1.13~ds-1 + [bullseye] - netatalk (Minor issue, will be fixed via point release) NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html NOTE: https://github.com/Netatalk/Netatalk/commit/a6fbccb0f2478108add188df023cfbb7428aac33 NOTE: https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d @@ -117036,6 +117041,7 @@ CVE-2022-23123 (This vulnerability allows remote attackers to disclose sensitive CVE-2022-23122 (This vulnerability allows remote attackers to execute arbitrary code o ...) {DLA-3426-1} - netatalk 3.1.13~ds-1 + [bullseye] - netatalk (Minor issue, will be fixed via point release) NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html NOTE: https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d NOTE: Causes a regression: 
@@ -117046,6 +117052,7 @@ CVE-2022-23122 (This vulnerability allows remote attackers to execute arbitrary CVE-2022-23121 (This vulnerability allows remote attackers to execute arbitrary code o ...) {DLA-3426-1} - netatalk 3.1.13~ds-1 + [bullseye] - netatalk (Minor issue, will be fixed via point release) NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html NOTE: https://github.com/Netatalk/Netatalk/commit/0c0465e4e85a27105b61b3918df8f8df0565367c NOTE: https://github.com/Netatalk/Netatalk/commit/62d4013c62be3b1b4a14f37057cb1c8f393c5fd1 @@ -117092,6 +117099,7 @@ CVE-2022-21134 (A firmware update vulnerability exists in the update CVE-2022-0194 (This vulnerability allows remote attackers to execute arbitrary code o ...) {DLA-3426-1} - netatalk 3.1.13~ds-1 + [bullseye] - netatalk (Minor issue, will be fixed via point release) NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html NOTE: https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d NOTE: Causes a regression: @@ -163375,6 +163383,7 @@ CVE-2021-31440 (This vulnerability allows local attackers to
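Review bot: the [bullseye] annotations for CVE-2022-23124, CVE-2022-23123, CVE-2022-23122 and CVE-2022-0194 defer the fix to the point release, but the entries for 23124 and 23122 carry "NOTE: 4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d causes a regression:"; the point-release update therefore has to ship the follow-up fix for that regression as well, and it would be worth stating that in the commit message. Two parts of this change cannot be reviewed from the mail: data/dsa-needed.txt is listed as changed but its hunk is cut off, and the last hunk (at CVE-2021-31440) is truncated before the CVE-2021-31439 annotation it presumably adds.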
[Git][security-tracker-team/security-tracker][master] netatalk proposed to be fixed through upcoming bullseye point release
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c226df6 by Salvatore Bonaccorso at 2023-08-15T07:22:26+02:00 netatalk proposed to be fixed through upcoming bullseye point release - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -153,3 +153,21 @@ CVE-2023-35936 [bullseye] - pandoc 2.9.2.1-1+deb11u1 CVE-2023-36054 [bullseye] - krb5 1.18.3-6+deb11u4 +CVE-2022-45188 + [bullseye] - netatalk 3.1.12~ds-8+deb11u1 +CVE-2022-43634 + [bullseye] - netatalk 3.1.12~ds-8+deb11u1 +CVE-2022-23125 + [bullseye] - netatalk 3.1.12~ds-8+deb11u1 +CVE-2022-23124 + [bullseye] - netatalk 3.1.12~ds-8+deb11u1 +CVE-2022-23123 + [bullseye] - netatalk 3.1.12~ds-8+deb11u1 +CVE-2022-23122 + [bullseye] - netatalk 3.1.12~ds-8+deb11u1 +CVE-2022-23121 + [bullseye] - netatalk 3.1.12~ds-8+deb11u1 +CVE-2022-0194 + [bullseye] - netatalk 3.1.12~ds-8+deb11u1 +CVE-2021-31439 + [bullseye] - netatalk 3.1.12~ds-8+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c226df6a2b6bcc426ef16148d3b291de44d1c8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c226df6a2b6bcc426ef16148d3b291de44d1c8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
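Review bot: the nine netatalk entries all carry the same target version 3.1.12~ds-8+deb11u1, which is consistent with one bullseye-pu upload covering all of them; CVE-2021-31439 appears in this list, while the companion CVE/list commit's excerpt ends mid-hunk at CVE-2021-31440, so confirm that its [bullseye] "will be fixed via point release" line was added too, otherwise the tracker will keep reporting it as open in bullseye after the point release.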
[Git][security-tracker-team/security-tracker][master] Track fixed version for libstb issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7805fb01 by Salvatore Bonaccorso at 2023-08-15T07:18:42+02:00 Track fixed version for libstb issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -101301,7 +101301,7 @@ CVE-2022-28043 RESERVED CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based use-after-fr ...) {DLA-3305-1} - - libstb (bug #1014531) + - libstb 0.0~git20230129.5736b15+ds-1 (bug #1014531) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/1289 @@ -101312,7 +101312,7 @@ CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based use-af NOTE: https://github.com/nothings/stb/commit/5cfc2a744ad7047cda2396cc67772f313a46093d CVE-2022-28041 (stb_image.h v2.27 was discovered to contain an integer overflow via th ...) {DLA-3305-1} - - libstb (bug #1014531) + - libstb 0.0~git20230129.5736b15+ds-1 (bug #1014531) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/1292 @@ -133255,7 +133255,7 @@ CVE-2021-42717 (ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON NOTE: Fixed by: https://github.com/SpiderLabs/ModSecurity/commit/41918335fa4c74fba46a986771a5a6cb457070c4 (v2.9.5) NOTE: Fixed by: https://github.com/SpiderLabs/ModSecurity/commit/ac79c1c29b7e6323e26cc984ad4f76ef62c731cd (v3.0.6) CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader incorr ...) - - libstb (bug #1014532) + - libstb 0.0~git20230129.5736b15+ds-1 (bug #1014532) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Vulnerable code introduced later) [buster] - libstb (Vulnerable code introduced later) 
@@ -133266,7 +133266,7 @@ CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader NOTE: https://github.com/nothings/stb/commit/8befa752b005da174b2429c1ffaafffe452b2997 CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR ...) {DLA-3305-1} - - libstb (bug #1014532) + - libstb 0.0~git20230129.5736b15+ds-1 (bug #1014532) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/1224 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7805fb01ba91ce818f472be73c4b8c7553c07260 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7805fb01ba91ce818f472be73c4b8c7553c07260 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
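Review bot: the fixed version 0.0~git20230129.5736b15+ds-1 is a git snapshot, so the version string alone does not show that the referenced upstream fixes are included; the NOTE lines already cite commits 5cfc2a744ad7047cda2396cc67772f313a46093d (CVE-2022-28042) and 8befa752b005da174b2429c1ffaafffe452b2997 (CVE-2021-42716), and the commit message should state that snapshot 5736b15 contains them. The CVE-2021-42717 ModSecurity lines in the third hunk are unchanged context only.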
[Git][security-tracker-team/security-tracker][master] Track proposed krb5 update for bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47719975 by Salvatore Bonaccorso at 2023-08-14T22:55:39+02:00 Track proposed krb5 update for bullseye-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -151,3 +151,5 @@ CVE-2023-37365 [bullseye] - hnswlib 0.4.0-3+deb11u1 CVE-2023-35936 [bullseye] - pandoc 2.9.2.1-1+deb11u1 +CVE-2023-36054 + [bullseye] - krb5 1.18.3-6+deb11u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47719975aca6e6562b97d0db4da22e5068a69e25 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47719975aca6e6562b97d0db4da22e5068a69e25 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed krb5 update via bookworm-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 892da885 by Salvatore Bonaccorso at 2023-08-14T22:49:11+02:00 Track proposed krb5 update via bookworm-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -4,3 +4,5 @@ CVE-2023-26132 [bookworm] - node-dottie 2.0.2-4+deb12u1 CVE-2023-35936 [bookworm] - pandoc 2.17.1.1-2~deb12u1 +CVE-2023-36054 + [bookworm] - krb5 1.20.1-2+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892da885bda012b3413162cf9696b194d618a504 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892da885bda012b3413162cf9696b194d618a504 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-36054/krb5
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 24e1df94 by Salvatore Bonaccorso at 2023-08-14T22:48:13+02:00 Track fixed version for CVE-2023-36054/krb5 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1245,7 +1245,7 @@ CVE-2023-36499 (Netgear XR300 v1.0.3.78 was discovered to contain multiple buffe CVE-2023-36220 (Directory Traversal vulnerability in Textpattern CMS v4.8.8 allows a r ...) NOT-FOR-US: Textpattern CMS CVE-2023-36054 (lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 an ...) - - krb5 (bug #1043431) + - krb5 1.20.1-3 (bug #1043431) [bookworm] - krb5 (Minor issue) [bullseye] - krb5 (Minor issue) [buster] - krb5 (Minor issue, DoS) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24e1df94bfc8c417ae01818fd23d57bdbed2d602 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24e1df94bfc8c417ae01818fd23d57bdbed2d602 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
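Review bot: the stable-suite annotations in the CVE-2023-36054 hunk are inconsistent: [buster] reads "Minor issue, DoS" while [bookworm] and [bullseye] read only "Minor issue"; the impact is the same across suites, so either carry the DoS qualifier to all three or drop it. The new fixed version 1.20.1-3 lines up with the point-update entries tracked separately (1.20.1-2+deb12u1 for bookworm, 1.18.3-6+deb11u4 for bullseye).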
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-39950 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d7d07edf by Salvatore Bonaccorso at 2023-08-14T22:46:32+02:00 Mark CVE-2023-39950 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66,6 +66,7 @@ CVE-2022-4953 (The Elementor Website Builder WordPress plugin before 3.5.5 does NOT-FOR-US: WordPress plugin CVE-2023-39950 - efibootguard + [bookworm] - efibootguard (Minor issue, can be fixed via point release) NOTE: https://github.com/siemens/efibootguard/commit/965d65c5751898c4bb094ef191b7387819423414 (v0.15) NOTE: https://github.com/siemens/efibootguard/commit/53dee61dc8b3a83c882e4bc9a0cfe7d6d73610c4 (v0.15) CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7d07edfbd22951964ac81192c8d6c84a0a27a4e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7d07edfbd22951964ac81192c8d6c84a0a27a4e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
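Review bot: the CVE-2023-39950 entry still has no fixed version on the "- efibootguard" line although both upstream commits are tagged v0.15; if 0.15 has been uploaded to unstable, record that version. Since the added [bookworm] line says the fix can go via point release, the CVE should also be listed in data/next-point-update.txt with its target version, as was done for krb5, so the pending pu is tracked.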
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40359/xterm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a6dac681 by Salvatore Bonaccorso at 2023-08-14T22:32:06+02:00 Add CVE-2023-40359/xterm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12,7 +12,8 @@ CVE-2023-40360 (QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_rec NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/73064edfb864743cde2c08f319609344af02aeb3 (v8.0.0-rc0) NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98 (v8.1.0-rc3) CVE-2023-40359 (xterm before 380 supports ReGIS reporting for character-set names even ...) - TODO: check + - xterm 382-2 + NOTE: https://invisible-island.net/xterm/xterm.log.html#xterm_380 CVE-2023-40354 (An issue was discovered in MariaDB MaxScale before 23.02.3. A user ent ...) TODO: check CVE-2023-40312 (Multiple reflected XSS were found on different JSP files with unsaniti ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6dac681d973c45751ceb2bb7b3f0822e68c1547 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6dac681d973c45751ceb2bb7b3f0822e68c1547 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
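Review bot: the CVE-2023-40359 hunk records "- xterm 382-2" and a note on upstream 380 but adds no [bookworm] or [bullseye] line; the CVE text says "xterm before 380", so unless the stable suites ship an unaffected version, each needs a no-dsa or not-affected annotation like the other entries in this batch, or they will show as vulnerable with no disposition. If an xterm 380 or 381 upload reached unstable before 382-2, the fixed version should be the first of those rather than 382-2.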
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3be41217 by Salvatore Bonaccorso at 2023-08-14T22:31:36+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2023-4322 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 NOTE: https://github.com/radareorg/radare2/commit/ba919adb74ac368bf76b150a00347ded78b572dd NOTE: https://huntr.dev/bounties/06e2484c-d6f1-4497-af67-26549be9fffd CVE-2023-4321 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...) - TODO: check + NOT-FOR-US: Cockpit CMS CVE-2023-40360 (QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive i ...) - qemu [bookworm] - qemu (Vulnerable code intoduced later) @@ -16,9 +16,9 @@ CVE-2023-40359 (xterm before 380 supports ReGIS reporting for character-set name CVE-2023-40354 (An issue was discovered in MariaDB MaxScale before 23.02.3. A user ent ...) TODO: check CVE-2023-40312 (Multiple reflected XSS were found on different JSP files with unsaniti ...) - TODO: check + NOT-FOR-US: OpenMNS CVE-2023-40311 (Multiple stored XSS were found on different JSP files with unsanitized ...) - TODO: check + NOT-FOR-US: OpenMNS CVE-2023-40024 (ScanCode.io is a server to script and automate software composition an ...) TODO: check CVE-2023-40023 (yaklang is a programming language designed for cybersecurity. The Yak ...) 
@@ -26,23 +26,23 @@ CVE-2023-40023 (yaklang is a programming language designed for cybersecurity. Th CVE-2023-40020 (PrivateUploader is an open source image hosting server written in Vue ...) TODO: check CVE-2023-3721 (The WP-EMail WordPress plugin before 2.69.1 does not sanitise and esca ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3645 (The Contact Form Builder by Bit Form WordPress plugin before 2.2.0 doe ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3601 (The Simple Author Box WordPress plugin before 2.52 does not verify a u ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3435 (The User Activity Log WordPress plugin before 1.6.5 does not correctly ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3328 (The Custom Field For WP Job Manager WordPress plugin before 1.2 does n ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3160 (The vulnerability potentially allows an attacker to misuse ESET\u2019s ...) TODO: check CVE-2023-39908 (The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not proper ...) TODO: check CVE-2023-39293 (A Command Injection vulnerability has been identified in the MiVoice O ...) - TODO: check + NOT-FOR-US: Mitel CVE-2023-39292 (A SQL Injection vulnerability has been identified in the MiVoice Offic ...) - TODO: check + NOT-FOR-US: Mitel CVE-2023-38741 (IBM TXSeries for Multiplatforms 8.1, 8.2, and 9.1 is vulnerable to a d ...) NOT-FOR-US: IBM CVE-2023-38721 (The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i conta ...) 
@@ -50,19 +50,19 @@ CVE-2023-38721 (The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i CVE-2023-37847 (novel-plus v3.6.2 was discovered to contain a SQL injection vulnerabil ...) TODO: check CVE-2023-37070 (Code Projects Hospital Information System 1.0 is vulnerable to Cross S ...) - TODO: check + NOT-FOR-US: Code Projects Hospital Information System CVE-2023-33013 (A post-authentication command injection vulnerability in the NTP featu ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2023-32748 (The Linux DVS server component of Mitel MiVoice Connect through 19.3 S ...) TODO: check CVE-2023-2803 (The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-2802 (The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-2606 (The WP Brutal AI WordPress plugin before 2.06 does not sanitise and es ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-4953 (The Elementor Website Builder WordPress plugin before 3.5.5 does not f ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-39950 - efibootguard NOTE: https://github.com/siemens/efibootguard/commit/965d65c5751898c4bb094ef191b7387819423414 (v0.15) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3be41217b0c6d833afe5415657c9d96072aeceec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3be41217b0c6d833afe5415657c9d96072aeceec You're
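Review bot: "NOT-FOR-US: OpenMNS" on the CVE-2023-40312 and CVE-2023-40311 lines appears to misspell OpenNMS (the product is OpenNMS Horizon); even if the string was copied from the CVE description, correct it in the tracker so vendor greps over NOT-FOR-US entries find these. The first hunk also shows the pre-existing "Vulnerable code intoduced later" typo in the CVE-2023-40360 context lines, which should be fixed in a follow-up.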
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40360/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f679666 by Salvatore Bonaccorso at 2023-08-14T22:30:47+02:00 Add CVE-2023-40360/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,12 @@ CVE-2023-4322 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 CVE-2023-4321 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...) TODO: check CVE-2023-40360 (QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive i ...) - TODO: check + - qemu + [bookworm] - qemu (Vulnerable code intoduced later) + [buster] - qemu (Vulnerable code intoduced later) + NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1815 + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/73064edfb864743cde2c08f319609344af02aeb3 (v8.0.0-rc0) + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98 (v8.1.0-rc3) CVE-2023-40359 (xterm before 380 supports ReGIS reporting for character-set names even ...) TODO: check CVE-2023-40354 (An issue was discovered in MariaDB MaxScale before 23.02.3. A user ent ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f679666887b60200a77e9988f8d276bcd45c1d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f679666887b60200a77e9988f8d276bcd45c1d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
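Review bot: the two added suite lines in the CVE-2023-40360 hunk misspell "introduced" as "intoduced", and the set is incomplete: [bookworm] and [buster] are marked "Vulnerable code introduced later" but [bullseye] is not, even though the note places the introduction at v8.0.0-rc0, which would make bullseye's qemu unaffected on the same grounds; add the bullseye line with the same rationale. The bare "- qemu" line leaves unstable marked vulnerable, which is correct until a version containing the v8.1.0-rc3 fix is uploaded.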
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4322/radare2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e24ba8b5 by Salvatore Bonaccorso at 2023-08-14T22:30:12+02:00 Add CVE-2023-4322/radare2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ CVE-2023-4322 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prio ...) - TODO: check + - radare2 + NOTE: https://github.com/radareorg/radare2/commit/ba919adb74ac368bf76b150a00347ded78b572dd + NOTE: https://huntr.dev/bounties/06e2484c-d6f1-4497-af67-26549be9fffd CVE-2023-4321 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...) TODO: check CVE-2023-40360 (QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive i ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e24ba8b579e2d73af85cf0abe501efc46697523a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e24ba8b579e2d73af85cf0abe501efc46697523a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
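Review bot: the fixing commit ba919adb74ac368bf76b150a00347ded78b572dd in the CVE-2023-4322 hunk is recorded without the upstream release it landed in, unlike the other entries here that append "(vX.Y)", and the entry has neither a fixed version in unstable nor a [bookworm]/[bullseye] assessment; add the release tag once known and annotate the stable suites so they are not implicitly listed as vulnerable without a disposition.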
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e3159204 by Salvatore Bonaccorso at 2023-08-14T22:23:17+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37,9 +37,9 @@ CVE-2023-39293 (A Command Injection vulnerability has been identified in the MiV CVE-2023-39292 (A SQL Injection vulnerability has been identified in the MiVoice Offic ...) TODO: check CVE-2023-38741 (IBM TXSeries for Multiplatforms 8.1, 8.2, and 9.1 is vulnerable to a d ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-38721 (The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i conta ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-37847 (novel-plus v3.6.2 was discovered to contain a SQL injection vulnerabil ...) TODO: check CVE-2023-37070 (Code Projects Hospital Information System 1.0 is vulnerable to Cross S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e31592046077e2077330b9c790066471c50bbf73 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e31592046077e2077330b9c790066471c50bbf73 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2017-14250 (withdrawn by its CNA)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a0194f50 by Salvatore Bonaccorso at 2023-08-14T22:21:22+02:00 Remove notes from CVE-2017-14250 (withdrawn by its CNA) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -395359,7 +395359,6 @@ CVE-2017-14251 (Unrestricted File Upload vulnerability in the fileDenyPattern in [wheezy] - typo3-src (Not supported in Wheezy LTS) CVE-2017-14250 REJECTED - NOT-FOR-US: TP-Link Router CVE-2017-14249 (ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage in coder ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #876099) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0194f508a7e4e9df18f48510c216ad1f289958c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0194f508a7e4e9df18f48510c216ad1f289958c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b5c8e75 by security tracker role at 2023-08-14T20:13:02+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,61 @@ +CVE-2023-4322 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prio ...) + TODO: check +CVE-2023-4321 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...) + TODO: check +CVE-2023-40360 (QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive i ...) + TODO: check +CVE-2023-40359 (xterm before 380 supports ReGIS reporting for character-set names even ...) + TODO: check +CVE-2023-40354 (An issue was discovered in MariaDB MaxScale before 23.02.3. A user ent ...) + TODO: check +CVE-2023-40312 (Multiple reflected XSS were found on different JSP files with unsaniti ...) + TODO: check +CVE-2023-40311 (Multiple stored XSS were found on different JSP files with unsanitized ...) + TODO: check +CVE-2023-40024 (ScanCode.io is a server to script and automate software composition an ...) + TODO: check +CVE-2023-40023 (yaklang is a programming language designed for cybersecurity. The Yak ...) + TODO: check +CVE-2023-40020 (PrivateUploader is an open source image hosting server written in Vue ...) + TODO: check +CVE-2023-3721 (The WP-EMail WordPress plugin before 2.69.1 does not sanitise and esca ...) + TODO: check +CVE-2023-3645 (The Contact Form Builder by Bit Form WordPress plugin before 2.2.0 doe ...) + TODO: check +CVE-2023-3601 (The Simple Author Box WordPress plugin before 2.52 does not verify a u ...) + TODO: check +CVE-2023-3435 (The User Activity Log WordPress plugin before 1.6.5 does not correctly ...) + TODO: check +CVE-2023-3328 (The Custom Field For WP Job Manager WordPress plugin before 1.2 does n ...) + TODO: check +CVE-2023-3160 (The vulnerability potentially allows an attacker to misuse ESET\u2019s ...) + TODO: check +CVE-2023-39908 (The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not proper ...) + TODO: check +CVE-2023-39293 (A Command Injection vulnerability has been identified in the MiVoice O ...) 
+ TODO: check +CVE-2023-39292 (A SQL Injection vulnerability has been identified in the MiVoice Offic ...) + TODO: check +CVE-2023-38741 (IBM TXSeries for Multiplatforms 8.1, 8.2, and 9.1 is vulnerable to a d ...) + TODO: check +CVE-2023-38721 (The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i conta ...) + TODO: check +CVE-2023-37847 (novel-plus v3.6.2 was discovered to contain a SQL injection vulnerabil ...) + TODO: check +CVE-2023-37070 (Code Projects Hospital Information System 1.0 is vulnerable to Cross S ...) + TODO: check +CVE-2023-33013 (A post-authentication command injection vulnerability in the NTP featu ...) + TODO: check +CVE-2023-32748 (The Linux DVS server component of Mitel MiVoice Connect through 19.3 S ...) + TODO: check +CVE-2023-2803 (The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 ...) + TODO: check +CVE-2023-2802 (The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 ...) + TODO: check +CVE-2023-2606 (The WP Brutal AI WordPress plugin before 2.06 does not sanitise and es ...) + TODO: check +CVE-2022-4953 (The Elementor Website Builder WordPress plugin before 3.5.5 does not f ...) + TODO: check CVE-2023-39950 - efibootguard NOTE: https://github.com/siemens/efibootguard/commit/965d65c5751898c4bb094ef191b7387819423414 (v0.15) @@ -3052,7 +3110,7 @@ CVE-2023-38334 (Omnis Studio 10.22.00 has incorrect access control. It advertise NOT-FOR-US: Omnis Studio CVE-2023-38203 (Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) ...) NOT-FOR-US: Adobe -CVE-2023-37728 (Icewarp Icearp v10.2.1 was discovered to contain a cross-site scriptin ...) +CVE-2023-37728 (IceWarp v10.2.1 was discovered to contain cross-site scripting (XSS) v ...) NOT-FOR-US: Icewarp Icearp CVE-2023-37650 (A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS ...) NOT-FOR-US: Cockpit CMS 
@@ -3233,17 +3291,21 @@ CVE-2023-32263 (A potential vulnerability has been identified in the Micro Focus CVE-2023-27379 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) NOT-FOR-US: Foxit CVE-2023-3347 (A vulnerability was found in Samba's SMB2 packet signing mechanism. Th ...) + {DSA-5477-1} - samba 2:4.18.5+dfsg-1 [bullseye] - samba (Vulnerable code not present) [buster] - samba (Vulnerable code not present) NOTE: https://www.samba.org/samba/security/CVE-2023-3347.html CVE-2023-34968 (A path disclosure
[Git][security-tracker-team/security-tracker][master] Annotate note for CVE-2023-34872
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 849dc031 by Salvatore Bonaccorso at 2023-08-14T22:07:48+02:00 Annotate note for CVE-2023-34872 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2122,7 +2122,7 @@ CVE-2023-34872 (A vulnerability in Outline.cc for Poppler prior to 23.06.0 allow [bullseye] - poppler (Vulnerable code introduced later) [buster] - poppler (Vulnerable code introduced later) NOTE: Introduced by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/fa494b780ab69ef04ba7447ab6d8fc3b46373e59 (poppler-21.08.0) - NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe (poppler-23.06.0) + NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe (poppler-23.06.0) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399 CVE-2023-34842 (Remote Code Execution vulnerability in DedeCMS through 5.7.109 allows ...) NOT-FOR-US: DedeCMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/849dc031c23b69398ca0fc7e0b48c1412558fb01
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bc8c5434 by Salvatore Bonaccorso at 2023-08-14T21:35:11+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1363,13 +1363,13 @@ CVE-2023-38695 (cypress-image-snapshot shows visual regressions in Cypress with CVE-2023-38692 (CloudExplorer Lite is an open source, lightweight cloud management pla ...) NOT-FOR-US: CloudExplorer Lite CVE-2023-38691 (matrix-appservice-bridge provides an API for setting up bridges. Start ...) - TODO: check + NOT-FOR-US: matrix-appservice-bridge CVE-2023-38690 (matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to ver ...) - TODO: check + NOT-FOR-US: matrix-appservice-irc CVE-2023-38689 (Logistics Pipes is a modification (a.k.a. mod) for the computer game M ...) TODO: check CVE-2023-38688 (twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, ...) - TODO: check + NOT-FOR-US: twitch-tui CVE-2023-38686 (Sydent is an identity server for the Matrix communications protocol. P ...) - matrix-sydent (bug #1043162) NOTE: https://github.com/matrix-org/sydent/pull/574 
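Review bot: CVE-2023-38689 (Logistics Pipes, a Minecraft mod) is left at `TODO: check` in this hunk while the matrix-appservice-bridge, matrix-appservice-irc and twitch-tui entries around it are resolved; a game mod is not packaged in Debian, so it can be marked NOT-FOR-US in the same pass instead of waiting for a second round.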
@@ -32719,11 +32719,11 @@ CVE-2023-24482 (A vulnerability has been identified in COMOS V10.2 (All versions CVE-2023-24477 (In certain conditions, depending on timing and the usage of the Chrome ...) NOT-FOR-US: Guardian/CMC CVE-2023-24471 (An access control vulnerability was found, due to the restrictions tha ...) - TODO: check + NOT-FOR-US: Nozomi Networks CVE-2023-24015 (A partial DoS vulnerability has been detected in the Reports section, ...) - TODO: check + NOT-FOR-US: Nozomi Networks CVE-2023-23903 (An authenticated administrator can upload a SAML configuration file wi ...) - TODO: check + NOT-FOR-US: Nozomi Networks CVE-2023-23574 (A blind SQL Injection vulnerability in Nozomi Networks Guardian and CM ...) NOT-FOR-US: Nozomi Networks Guardian and CMC CVE-2023-22843 (An authenticated attacker with administrative access to the appliance ...) @@ -36342,7 +36342,7 @@ CVE-2023-23210 CVE-2023-23209 RESERVED CVE-2023-23208 (Genesys Administrator Extension (GAX) before 9.0.105.15 is vulnerable ...) - TODO: check + NOT-FOR-US: Genesys Administrator Extension (GAX) CVE-2023-23207 RESERVED CVE-2023-23206 @@ -173482,9 +173482,9 @@ CVE-2021-27526 (A cross-site scripting (XSS) vulnerability in DynPG version 4.9. CVE-2021-27525 RESERVED CVE-2021-27524 (Cross Site Scripting (XSS) vulnerability in margox braft-editor versio ...) - TODO: check + NOT-FOR-US: margox braft-editor CVE-2021-27523 (An issue was discovered in open-falcon dashboard version 0.2.0, allows ...) - TODO: check + NOT-FOR-US: open-falcon dashboard CVE-2021-27522 (Learnsite 1.2.5.0 contains a remote privilege escalation vulnerability ...) NOT-FOR-US: Learnsite CVE-2021-27521 
@@ -176000,7 +176000,7 @@ CVE-2021-26506 CVE-2021-26505 (Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6, ...) NOT-FOR-US: MrSwitch hello.js CVE-2021-26504 (Directory Traversal vulnerability in Foddy node-red-contrib-huemagic v ...) - TODO: check + NOT-FOR-US: Foddy node-red-contrib-huemagic CVE-2021-26503 RESERVED CVE-2021-26502 @@ -205523,7 +205523,7 @@ CVE-2020-27516 CVE-2020-27515 (A Cross Site Scripting (XSS) vulnerability in Savsoft Quiz v5.0 allows ...) NOT-FOR-US: Savsoft Quiz CVE-2020-27514 (Directory Traversal vulnerability in delete function in admin.api.Temp ...) - TODO: check + NOT-FOR-US: ZrLog CVE-2020-27513 RESERVED CVE-2020-27512 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc8c543405805de02faf2ea4b6ad2ca93fe3d4ed
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-39950/efibootguard
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 188f1e3d by Salvatore Bonaccorso at 2023-08-14T21:15:20+02:00 Add CVE-2023-39950/efibootguard - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-39950 + - efibootguard + NOTE: https://github.com/siemens/efibootguard/commit/965d65c5751898c4bb094ef191b7387819423414 (v0.15) + NOTE: https://github.com/siemens/efibootguard/commit/53dee61dc8b3a83c882e4bc9a0cfe7d6d73610c4 (v0.15) CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in ...) - indent (bug #1049366) [bookworm] - indent (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/188f1e3d209f7e3f6f21c4e977bd10f5f59590e0
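Review bot: the new CVE-2023-39950 entry records only `- efibootguard` plus two upstream commit links; unlike the indent entry directly below it there is no Debian bug reference, no severity tag and no fixed version, so file or reference a bug for the package and, since both commits are tagged v0.15, record the fixed Debian version once 0.15 is uploaded. The missing description also suggests the CVE text is not yet public; recheck the entry when it is.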
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-40305/indent
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7078e0f9 by Salvatore Bonaccorso at 2023-08-14T20:57:41+02:00 Add Debian bug reference for CVE-2023-40305/indent - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in ...) - - indent + - indent (bug #1049366) [bookworm] - indent (Minor issue) [bullseye] - indent (Minor issue) NOTE: https://savannah.gnu.org/bugs/index.php?64503 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7078e0f94cd437837d40910f1ff35d46aa86c4db
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-40305/indent
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4395c208 by Salvatore Bonaccorso at 2023-08-14T20:51:04+02:00 Mark CVE-2023-40305/indent - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in ...) - indent + [bookworm] - indent (Minor issue) + [bullseye] - indent (Minor issue) NOTE: https://savannah.gnu.org/bugs/index.php?64503 CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because of un ...) - inetutils (bug #1049365) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4395c208d292a92af0a4b05c15e3e76b81bdeb46
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-40303/inetutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ccc0d953 by Salvatore Bonaccorso at 2023-08-14T20:48:29+02:00 Add Debian bug reference for CVE-2023-40303/inetutils - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2,7 +2,7 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_bra - indent NOTE: https://savannah.gnu.org/bugs/index.php?64503 CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because of un ...) - - inetutils + - inetutils (bug #1049365) NOTE: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg0.html CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in R ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccc0d9539a220674394584cbc955a26bdcdde9e3
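Review bot: the second NOTE link in this hunk, `https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg0.html`, does not follow the list archive's usual `msgNNNNN.html` naming and may have been truncated when pasted; verify that it resolves to the intended bug-inetutils thread before it is relied on as the reference for CVE-2023-40303.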
[Git][security-tracker-team/security-tracker][master] samba DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c0f00027 by Moritz Mühlenhoff at 2023-08-14T20:19:59+02:00 samba DSA - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -40353,7 +40353,7 @@ CVE-2022-47952 (lxc-user-nic in lxc through 5.0.1 is installed setuid root, and NOTE: https://github.com/MaherAzzouzi/CVE-2022-47952 NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591/comments/45 NOTE: Different issue than CVE-2018-6556 -NOTE: https://github.com/lxc/lxc/commit/80553b5b412365f429aff93cff178e3e952ee6bd + NOTE: https://github.com/lxc/lxc/commit/80553b5b412365f429aff93cff178e3e952ee6bd CVE-2022-47951 (An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before ...) {DSA-5338-1 DSA-5337-1 DSA-5336-1 DLA-3302-1 DLA-3301-1 DLA-3300-1} - nova 2:26.0.0-6 (bug #1029561) = data/DSA/list = @@ -1,3 +1,6 @@ +[14 Aug 2023] DSA-5477-1 samba - security update + {CVE-2022-2127 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968} + [bookworm] - samba 2:4.17.10+dfsg-0+deb12u1 [12 Aug 2023] DSA-5476-1 gst-plugins-ugly1.0 - security update [bullseye] - gst-plugins-ugly1.0 1.18.4-2+deb11u1 [bookworm] - gst-plugins-ugly1.0 1.22.0-2+deb12u1 = data/dsa-needed.txt = 
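Review bot: the first hunk, which only re-indents the CVE-2022-47952/lxc NOTE line, is unrelated to the samba DSA and is better committed on its own so that the DSA commit touches just the samba entries; the DSA-5477-1 entry itself lists a bookworm version only, which matches the `[bullseye] - samba (Vulnerable code not present)` tag on CVE-2023-3347 elsewhere on this page but says nothing about the other four CVEs it covers.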
@@ -74,9 +74,6 @@ ruby-tzinfo/oldstable -- salt/oldstable -- -samba (jmm) - oldstable likely to be EOLed partly --- sox all issues unfixed upstream for CVE-2023-34432, rest can be ignored View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0f00027f010ea8109ff5b373c5216a17f007c60
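Review bot: removing the samba entry drops the note `oldstable likely to be EOLed partly` while the DSA recorded above covers only bookworm; make sure each of the five CVEs listed in DSA-5477-1 carries an explicit `[bullseye]` tag in data/CVE/list (CVE-2023-3347 already has `Vulnerable code not present`), otherwise the tracker keeps showing them as open for oldstable with no recorded decision.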
[Git][security-tracker-team/security-tracker][master] add openssh
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b6f1ca69 by Thorsten Alteholz at 2023-08-14T20:16:06+02:00 add openssh - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -138,6 +138,9 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- +openssh + NOTE: 20230814: Added by Front-Desk (ta) +-- openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) NOTE: 20230814: ready to be uploaded View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6f1ca69dd92dd7a2a9fbc7cfe5477f4773fc9bd
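Review bot: the new openssh entry records only `Added by Front-Desk (ta)`; other entries in this file say what prompted them (the w3m entry on this page names the release whose fixes to follow and the CVE count), so add a NOTE naming the open CVE(s) or the DSA to follow, which spares whoever claims it a triage round-trip.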
[Git][security-tracker-team/security-tracker][master] LTS: Remove nodejs from dla-needed.txt.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 39e441c6 by Guilhem Moulin at 2023-08-14T20:13:18+02:00 LTS: Remove nodejs from dla-needed.txt. All CVEs have been postponed or marked as non-affecting buster. New CVEs will be filed for http_parser (the llhttp counterpart). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -104,9 +104,6 @@ mediawiki NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31 NOTE: 20230810: Check DSA-5447-1 (Beuc/front-desk) -- -nodejs - NOTE: 20230731: Added by Front-Desk (apo) --- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39e441c6a52b2a103805f0e88ecd24d7edd3a7a7
[Git][security-tracker-team/security-tracker][master] LTS: take openssl again, it will be uploaded today
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: c0675d07 by Anton Gladky at 2023-08-14T20:09:51+02:00 LTS: take openssl again, it will be uploaded today - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -141,8 +141,9 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -openssl +openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) + NOTE: 20230814: ready to be uploaded -- orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0675d07f033f09cfc930e286b19407ba71a8f7f
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40274/zola, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0bc4a0ea by Salvatore Bonaccorso at 2023-08-14T19:28:06+02:00 Add CVE-2023-40274/zola, itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,7 +21,7 @@ CVE-2023-40283 (An issue was discovered in l2cap_sock_release in net/bluetooth/l - linux NOTE: https://git.kernel.org/linus/1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 (6.5-rc1) CVE-2023-40274 (An issue was discovered in zola 0.13.0 through 0.17.2. The custom impl ...) - TODO: check + - zola (bug #976052) CVE-2023-3267 (When adding a remote backup location, an authenticated user can pass a ...) NOT-FOR-US: Trellix CVE-2023-3266 (A non-feature complete authentication mechanism exists in the producti ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bc4a0eae4675b139295d624a87c8089bb510dee
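Review bot: bug #976052 in `- zola (bug #976052)` is the ITP bug according to the commit message, so the package is not in the archive yet and there is no Debian version to mark as fixed; add a NOTE pointing at the upstream fix (the description says 0.13.0 through 0.17.2 are affected) so that whoever completes the ITP packages a fixed release rather than one of the affected ones.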
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd37ad0c by Salvatore Bonaccorso at 2023-08-14T19:27:31+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,9 +8,9 @@ CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in R ...) TODO: check CVE-2023-40295 (libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_strInit ...) - TODO: check + NOT-FOR-US: libboron CVE-2023-40294 (libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_parseBl ...) - TODO: check + NOT-FOR-US: libboron CVE-2023-40293 (Harman Infotainment 20190525031613 and later allows command injection ...) NOT-FOR-US: Harman Infotainment CVE-2023-40292 (Harman Infotainment 20190525031613 and later discloses the IP address ...) 
@@ -23,79 +23,79 @@ CVE-2023-40283 (An issue was discovered in l2cap_sock_release in net/bluetooth/l CVE-2023-40274 (An issue was discovered in zola 0.13.0 through 0.17.2. The custom impl ...) TODO: check CVE-2023-3267 (When adding a remote backup location, an authenticated user can pass a ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-3266 (A non-feature complete authentication mechanism exists in the producti ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-3265 (An authentication bypass exists on CyberPower PowerPanel Enterprise by ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-3264 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earl ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-3263 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earl ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-3262 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earl ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-3261 (When adding a remote backup location, an authenticated user can pass a ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-3260 (When adding a remote backup location, an authenticated user can pass a ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-3259 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earl ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-39406 (Permission control vulnerability in the XLayout component. Successful ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39405 (Vulnerability of out-of-bounds parameter read/write in the Wi-Fi modul ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39404 (Vulnerability of input parameter verification in certain APIs in the w ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39403 (Parameter verification vulnerability in the installd module. Successfu ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39402 (Parameter verification vulnerability in the installd module. Successfu ...) 
- TODO: check + NOT-FOR-US: Huawei CVE-2023-39401 (Parameter verification vulnerability in the installd module. Successfu ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39400 (Parameter verification vulnerability in the installd module. Successfu ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39399 (Parameter verification vulnerability in the installd module. Successfu ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39398 (Parameter verification vulnerability in the installd module. Successfu ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39397 (Input parameter verification vulnerability in the communication system ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39396 (Deserialization vulnerability in the input module. Successful exploita ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39395 (Mismatch vulnerability in the serialization process in the communicati ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39394 (Vulnerability of API privilege escalation in the wifienhance module. S ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39393 (Vulnerability of insecure signatures in the ServiceWifiResources modul ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39392 (Vulnerability of insecure signatures in the OsuLogin module. Successfu ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39391 (Vulnerability of system file information leakage in the USB Service mo ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39390 (Vulnerability of input parameter verification in certain APIs in the w ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-39389 (Vulnerability of input parameters being
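Review bot: CVE-2023-3259 through CVE-2023-3267 are marked `NOT-FOR-US: Trellix`, but the visible descriptions name the affected products as the Dataprobe iBoot PDU and CyberPower PowerPanel Enterprise; Trellix appears to be the reporting party rather than the vendor, and the NOT-FOR-US label conventionally names the product (compare `NOT-FOR-US: Nozomi Networks Guardian and CMC` elsewhere on this page), so use the product names instead.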
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e7cec407 by Roberto C. Sánchez at 2023-08-14T13:14:53-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -25,7 +25,7 @@ amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) NOTE: 20230813: testing packages (ta) -- -cairosvg (gladk) +cairosvg NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) -- @@ -104,7 +104,7 @@ mediawiki NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31 NOTE: 20230810: Check DSA-5447-1 (Beuc/front-desk) -- -nodejs (guilhem) +nodejs NOTE: 20230731: Added by Front-Desk (apo) -- nova @@ -126,7 +126,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -open-vm-tools (Abhijith PA) +open-vm-tools NOTE: 20230731: Added by Front-Desk (apo) -- opendmarc (Chris Lamb) @@ -141,7 +141,7 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -openssl (gladk) +openssl NOTE: 20230731: Added by Front-Desk (apo) -- orthanc (gladk) 
@@ -228,7 +228,7 @@ samba (Lee Garrett) NOTE: 20230807: functional test framework is however needed (WIP) as most NOTE: 20230807: CVEs/bugfixes don't have test coverage. -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7cec4073c0ea3df68a9067f30c0c6ff0499078c
[Git][security-tracker-team/security-tracker][master] CVE-2022-48579,unrar-non-free: Bookworm is not-affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ea7d3752 by Markus Koschany at 2023-08-14T18:13:53+02:00 CVE-2022-48579,unrar-non-free: Bookworm is not-affected This issue is fixed in 6.2.3. Bookworm has 6.2.6. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1213,7 +1213,6 @@ CVE-2023-33906 (In Contacts Service, there is a possible missing permission chec NOT-FOR-US: Unisoc CVE-2022-48579 (UnRAR before 6.2.3 allows extraction of files outside of the destinati ...) - unrar-nonfree 1:6.2.3-1 - [bookworm] - unrar-nonfree (Non-free not supported) [bullseye] - unrar-nonfree (Non-free not supported) NOTE: https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f#diff-ca3086f578522062d7e390ed2cd7e10f646378a8b8cbf287a6e4db5966df68ee CVE-2023-4196 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea7d3752f7c8cc1bb7c7eb2527f879bf4abfbb55
[Git][security-tracker-team/security-tracker][master] Add NOTE with patch upstream about CVE-2022-47952/lxc in data/CVE/list
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b195688 by Santiago Ruano Rincón at 2023-08-14T11:20:26-03:00 Add NOTE with patch upstream about CVE-2022-47952/lxc in data/CVE/list - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40354,6 +40354,7 @@ CVE-2022-47952 (lxc-user-nic in lxc through 5.0.1 is installed setuid root, and NOTE: https://github.com/MaherAzzouzi/CVE-2022-47952 NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591/comments/45 NOTE: Different issue than CVE-2018-6556 +NOTE: https://github.com/lxc/lxc/commit/80553b5b412365f429aff93cff178e3e952ee6bd CVE-2022-47951 (An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before ...) {DSA-5338-1 DSA-5337-1 DSA-5336-1 DLA-3302-1 DLA-3301-1 DLA-3300-1} - nova 2:26.0.0-6 (bug #1029561) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b1956882745c18ab430414960aee6da2b365dcc
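Review bot: the added line `+NOTE: https://github.com/lxc/lxc/commit/80553b5b...` lacks the leading whitespace that the three NOTE lines above it carry, so it sits at column 0 where the parser expects a new CVE header; indent it to match (the later commit c0f00027 on this page corrects exactly this). Since the commit message calls it the upstream patch, labelling the line `NOTE: Fixed by:` would also say why the commit is referenced.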
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3528-1 for poppler
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: a63538a8 by Adrian Bunk at 2023-08-14T15:21:19+03:00 Reserve DLA-3528-1 for poppler - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Aug 2023] DLA-3528-1 poppler - security update + {CVE-2020-36023 CVE-2020-36024} + [buster] - poppler 0.71.0-5+deb10u2 [13 Aug 2023] DLA-3426-3 netatalk - regression update [buster] - netatalk 3.1.12~ds-3+deb10u3 [13 Aug 2023] DLA-3527-1 sox - security update = data/dla-needed.txt = @@ -155,9 +155,6 @@ otrs2 NOTE: 20230811: Lots of CVEs have been marked no-dsa or ignored (Non-free not supported), NOTE: 20230811: but this is a sponsored package, so they need to be fixed. (Beuc/front-desk) -- -poppler (Adrian Bunk) - NOTE: 20230804: Added by Front-Desk (gladk) --- python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a63538a8a3513fce3af097c8498da13ad17fe46e
[Git][security-tracker-team/security-tracker][master] CVE-2023-34872/poppler does not affect buster or bullseye
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abc23003 by Adrian Bunk at 2023-08-14T14:51:25+03:00 CVE-2023-34872/poppler does not affect buster or bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2114,7 +2114,9 @@ CVE-2023-34916 (Fuge CMS v1.0 contains an Open Redirect vulnerability via /front CVE-2023-34872 (A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a re ...) - poppler (bug #1042811) [bookworm] - poppler (Minor issue) - [bullseye] - poppler (Minor issue) + [bullseye] - poppler (Vulnerable code introduced later) + [buster] - poppler (Vulnerable code introduced later) + NOTE: Introduced by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/fa494b780ab69ef04ba7447ab6d8fc3b46373e59 (poppler-21.08.0) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe (poppler-23.06.0) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399 CVE-2023-34842 (Remote Code Execution vulnerability in DedeCMS through 5.7.109 allows ...) NOT-FOR-US: DedeCMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abc23003d9b71d43ac94314d166ecc4c8b66f21e
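Review bot: the new `NOTE: Introduced by:` line is labelled, but the next NOTE, the poppler-23.06.0 fixing commit, is not; prefix it with `Fixed by:` so the two commit references read symmetrically and the buster/bullseye `Vulnerable code introduced later` tags can be checked against both at a glance.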
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim opendmarc.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: fe2345cc by Chris Lamb at 2023-08-14T11:30:59+01:00 data/dla-needed.txt: Claim opendmarc. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -129,7 +129,7 @@ nvidia-cuda-toolkit open-vm-tools (Abhijith PA) NOTE: 20230731: Added by Front-Desk (apo) -- -opendmarc +opendmarc (Chris Lamb) NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/34 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe2345ccaffcf249018ce12a5a38b1f04e43a690
[Git][security-tracker-team/security-tracker][master] dla: claim w3m
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e93a97df by Sylvain Beucler at 2023-08-14T12:04:24+02:00 dla: claim w3m - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -242,7 +242,7 @@ suricata (Adrian Bunk) unrar-nonfree (Markus Koschany) NOTE: 20230808: Added by Front-Desk (Beuc) -- -w3m +w3m (Sylvain Beucler) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/42 NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e93a97dfff620559b9b535a763bb24fa52b00277
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6af1116 by Salvatore Bonaccorso at 2023-08-14T10:27:50+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12,11 +12,11 @@ CVE-2023-40295 (libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_s CVE-2023-40294 (libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_parseBl ...) TODO: check CVE-2023-40293 (Harman Infotainment 20190525031613 and later allows command injection ...) - TODO: check + NOT-FOR-US: Harman Infotainment CVE-2023-40292 (Harman Infotainment 20190525031613 and later discloses the IP address ...) - TODO: check + NOT-FOR-US: Harman Infotainment CVE-2023-40291 (Harman Infotainment 20190525031613 allows root access via SSH over a U ...) - TODO: check + NOT-FOR-US: Harman Infotainment CVE-2023-40283 (An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_s ...) TODO: check CVE-2023-40274 (An issue was discovered in zola 0.13.0 through 0.17.2. The custom impl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6af11168485d5ac94107a0d84667e6f457eec63
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40283/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e4531066 by Salvatore Bonaccorso at 2023-08-14T10:35:45+02:00 Add CVE-2023-40283/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18,7 +18,8 @@ CVE-2023-40292 (Harman Infotainment 20190525031613 and later discloses the IP ad CVE-2023-40291 (Harman Infotainment 20190525031613 allows root access via SSH over a U ...) NOT-FOR-US: Harman Infotainment CVE-2023-40283 (An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_s ...) - TODO: check + - linux + NOTE: https://git.kernel.org/linus/1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 (6.5-rc1) CVE-2023-40274 (An issue was discovered in zola 0.13.0 through 0.17.2. The custom impl ...) TODO: check CVE-2023-3267 (When adding a remote backup location, an authenticated user can pass a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4531066f606e940a70e0a1696288d22ac15d3ce
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40303/inetutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 86e2e2af by Salvatore Bonaccorso at 2023-08-14T10:20:23+02:00 Add CVE-2023-40303/inetutils - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2,7 +2,9 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_bra - indent NOTE: https://savannah.gnu.org/bugs/index.php?64503 CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because of un ...) - TODO: check + - inetutils + NOTE: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 + NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg0.html CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in R ...) TODO: check CVE-2023-40295 (libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_strInit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86e2e2afbc2b8ee0db40dcf07924329d696cb360
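Review bot: in the CVE-2023-40303 hunk, the second added NOTE link (https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg0.html) does not match the zero-padded msgNNNNN.html file names the lists.gnu.org archive uses, so it looks truncated and will probably not resolve as written; please verify the link and replace it with the full message URL so the upstream discussion referenced by the fix commit stays reachable.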
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40305/indent
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 499396d9 by Salvatore Bonaccorso at 2023-08-14T10:18:49+02:00 Add CVE-2023-40305/indent - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in ...) - TODO: check + - indent + NOTE: https://savannah.gnu.org/bugs/index.php?64503 CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because of un ...) TODO: check CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in R ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/499396d9c3723690f6ad92d2ea2f9e420e0ac901
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f4b6d1d3 by security tracker role at 2023-08-14T08:12:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,41 @@ +CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in ...) + TODO: check +CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because of un ...) + TODO: check +CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in R ...) + TODO: check +CVE-2023-40295 (libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_strInit ...) + TODO: check +CVE-2023-40294 (libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_parseBl ...) + TODO: check +CVE-2023-40293 (Harman Infotainment 20190525031613 and later allows command injection ...) + TODO: check +CVE-2023-40292 (Harman Infotainment 20190525031613 and later discloses the IP address ...) + TODO: check +CVE-2023-40291 (Harman Infotainment 20190525031613 allows root access via SSH over a U ...) + TODO: check +CVE-2023-40283 (An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_s ...) + TODO: check +CVE-2023-40274 (An issue was discovered in zola 0.13.0 through 0.17.2. The custom impl ...) + TODO: check +CVE-2023-3267 (When adding a remote backup location, an authenticated user can pass a ...) + TODO: check +CVE-2023-3266 (A non-feature complete authentication mechanism exists in the producti ...) + TODO: check +CVE-2023-3265 (An authentication bypass exists on CyberPower PowerPanel Enterprise by ...) + TODO: check +CVE-2023-3264 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earl ...) + TODO: check +CVE-2023-3263 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earl ...) + TODO: check +CVE-2023-3262 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earl ...) + TODO: check +CVE-2023-3261 (When adding a remote backup location, an authenticated user can pass a ...) + TODO: check +CVE-2023-3260 (When adding a remote backup location, an authenticated user can pass a ...) 
+ TODO: check +CVE-2023-3259 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earl ...) + TODO: check CVE-2023-39406 (Permission control vulnerability in the XLayout component. Successful ...) TODO: check CVE-2023-39405 (Vulnerability of out-of-bounds parameter read/write in the Wi-Fi modul ...) @@ -36292,8 +36330,8 @@ CVE-2023-23210 RESERVED CVE-2023-23209 RESERVED -CVE-2023-23208 - RESERVED +CVE-2023-23208 (Genesys Administrator Extension (GAX) before 9.0.105.15 is vulnerable ...) + TODO: check CVE-2023-23207 RESERVED CVE-2023-23206 @@ -395242,7 +395280,8 @@ CVE-2017-14252 (SQL Injection exists in the EyesOfNetwork web interface (aka eon CVE-2017-14251 (Unrestricted File Upload vulnerability in the fileDenyPattern in sysex ...) - typo3-src [wheezy] - typo3-src (Not supported in Wheezy LTS) -CVE-2017-14250 (In TP-LINK TL-WR741N / TL-WR741ND 150M Wireless Lite N Router with Fir ...) +CVE-2017-14250 + REJECTED NOT-FOR-US: TP-Link Router CVE-2017-14249 (ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage in coder ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4b6d1d374ebe5eedc7d45e83c7badf7d4d3eb18