[Git][security-tracker-team/security-tracker][master] Remove sox from dsa-needed list, no update required

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a4d4a7d2 by Salvatore Bonaccorso at 2023-08-15T07:32:10+02:00
Remove sox from dsa-needed list, no update required

The only DSA worthy CVE was CVE-2023-34432 which was already fixed.

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -70,10 +70,6 @@ ruby-tzinfo/oldstable
 --
 salt/oldstable
 --
-sox
-  all issues unfixed upstream
-  for CVE-2023-34432, rest can be ignored
---
 tiff
 --
 wpewebkit/oldstable
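Review bot: the removed rationale ("for CVE-2023-34432, rest can be ignored") covered every open sox CVE, but only CVE-2023-32627 receives a per-release no-dsa marking in the sibling commit 9467f2d4; any other sox CVE that rationale was covering needs its own [bookworm]/[bullseye] annotation in data/CVE/list, otherwise it resurfaces as an untriaged open issue once this dsa-needed entry is gone.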



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4d4a7d2ce63fdfa305fb83eb56ddcf2dc1f948d

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4d4a7d2ce63fdfa305fb83eb56ddcf2dc1f948d
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] 2 commits: Reference proposed patch for CVE-2023-32627/sox

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
71933bc7 by Salvatore Bonaccorso at 2023-08-15T07:29:56+02:00
Reference proposed patch for CVE-2023-32627/sox

- - - - -
9467f2d4 by Salvatore Bonaccorso at 2023-08-15T07:30:43+02:00
Mark CVE-2023-32627/sox as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5100,10 +5100,13 @@ CVE-2023-34316 (An attacker could bypass the latest 
Delta Electronics InfraSuite
 CVE-2023-32627 (A floating point exception vulnerability was found in sox, in 
the read ...)
{DLA-3527-1}
- sox  (bug #1041112)
+   [bookworm] - sox  (Minor issue)
+   [bullseye] - sox  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2212282
NOTE: https://sourceforge.net/p/sox/bugs/369/
NOTE: POC posted upstream is masked by fix of CVE-2021-3643, however 
sampling rate == 0,
NOTE: thus FPE is not fixed by CVE-2021-3643
+   NOTE: Proposed patch: 
https://sourceforge.net/p/sox/bugs/_discuss/thread/e759e37389/2ead/attachment/0026-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
 CVE-2023-30765 (Delta Electronics InfraSuite Device Master versions prior to 
1.0.7 con ...)
NOT-FOR-US: Delta Electronics InfraSuite Device Master
 CVE-2023-2967 (The TinyMCE Custom Styles WordPress plugin before 1.1.4 does 
not sanit ...)
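Review bot: the two new "(Minor issue)" lines give no reason, while the file records it inline elsewhere (for example "[buster] - krb5 (Minor issue, DoS)" in commit 24e1df94); since the NOTEs describe a floating point exception, i.e. a crash, "(Minor issue, DoS)" would make the severity call self-explanatory. The "Proposed patch" NOTE points at a bug-tracker attachment; once the change lands upstream, replace it with the upstream commit reference and release tag, as the other Fixed-by NOTEs in this file do.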



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/47e10f5e4fa3e62b6ccd454da791c8dd760788db...9467f2d467faf22c653e921ac46edaa917fe300a



[Git][security-tracker-team/security-tracker][master] Mark netatalk as no-dsa and remove from dsa-needed list

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
47e10f5e by Salvatore Bonaccorso at 2023-08-15T07:25:55+02:00
Mark netatalk as no-dsa and remove from dsa-needed list

The update was proposed to go through the upcoming bullseye point
release. Mark as such and remove it from dsa-needed list instead.

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -50405,6 +50405,7 @@ CVE-2022-45189
 CVE-2022-45188 (Netatalk through 3.1.13 has an afp_getappl heap-based buffer 
overflow  ...)
{DLA-3426-1}
- netatalk 3.1.15~ds-1 (bug #1024021)
+   [bullseye] - netatalk  (Minor issue, will be fixed via point 
release)
NOTE: https://rushbnt.github.io/bug%20analysis/netatalk-0day/
NOTE: 
https://github.com/Netatalk/netatalk/commit/dfab56846e8f454fe0548347ae6437bd12a05925
NOTE: 
https://github.com/Netatalk/netatalk/commit/952b510d38914ed215858883f395da33d8b7e396
 (netatalk-3-1-15)
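Review bot: the new [bullseye] line records no version, so the 3.1.12~ds-8+deb11u1 target lives only in data/next-oldstable-point-update.txt (commit 0c226df6 in this same series); the two files have to move together if the point-release upload changes version or slips, and the same holds for the identical [bullseye] lines in the following hunks. The wording "will be fixed via point release" also differs from "can be fixed via point release" used for efibootguard in commit d7d07edf; settling on one phrasing keeps these entries greppable.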
@@ -57346,6 +57347,7 @@ CVE-2022-43635 (This vulnerability allows 
network-adjacent attackers to disclose
 CVE-2022-43634 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
{DLA-3426-1}
- netatalk 3.1.15~ds-1 (bug #1034170)
+   [bullseye] - netatalk  (Minor issue, will be fixed via point 
release)
NOTE: https://github.com/Netatalk/Netatalk/pull/186
NOTE: https://github.com/advisories/GHSA-fwj9-7qq8-jc93
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-094/
@@ -117010,11 +117012,13 @@ CVE-2021-46283 (nf_tables_newset in 
net/netfilter/nf_tables_api.c in the Linux k
 CVE-2022-23125 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
{DLA-3426-1}
- netatalk 3.1.13~ds-1
+   [bullseye] - netatalk  (Minor issue, will be fixed via point 
release)
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: 
https://github.com/Netatalk/Netatalk/commit/d801ed421800bcd5df9045f7327c92cd4fc944aa
 CVE-2022-23124 (This vulnerability allows remote attackers to disclose 
sensitive infor ...)
{DLA-3426-1}
- netatalk 3.1.13~ds-1
+   [bullseye] - netatalk  (Minor issue, will be fixed via point 
release)
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: 
https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d
NOTE: 4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d causes a regression:
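Review bot: the CVE-2022-23124 entry at the end of this hunk already records that upstream commit 4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d causes a regression, and the same commit is referenced for CVE-2022-23123, CVE-2022-23122 and CVE-2022-0194 in the hunks below; since bullseye is now routed through a point release that will backport these commits, the NOTE should name the upstream follow-up that repairs the regression if one exists, or state that the backport must carry it, so the pu review does not pick up the bare commit.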
@@ -117025,6 +117029,7 @@ CVE-2022-23124 (This vulnerability allows remote 
attackers to disclose sensitive
 CVE-2022-23123 (This vulnerability allows remote attackers to disclose 
sensitive infor ...)
{DLA-3426-1}
- netatalk 3.1.13~ds-1
+   [bullseye] - netatalk  (Minor issue, will be fixed via point 
release)
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: 
https://github.com/Netatalk/Netatalk/commit/a6fbccb0f2478108add188df023cfbb7428aac33
NOTE: 
https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d
@@ -117036,6 +117041,7 @@ CVE-2022-23123 (This vulnerability allows remote 
attackers to disclose sensitive
 CVE-2022-23122 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
{DLA-3426-1}
- netatalk 3.1.13~ds-1
+   [bullseye] - netatalk  (Minor issue, will be fixed via point 
release)
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: 
https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d
NOTE: Causes a regression:
@@ -117046,6 +117052,7 @@ CVE-2022-23122 (This vulnerability allows remote 
attackers to execute arbitrary
 CVE-2022-23121 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
{DLA-3426-1}
- netatalk 3.1.13~ds-1
+   [bullseye] - netatalk  (Minor issue, will be fixed via point 
release)
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: 
https://github.com/Netatalk/Netatalk/commit/0c0465e4e85a27105b61b3918df8f8df0565367c
NOTE: 
https://github.com/Netatalk/Netatalk/commit/62d4013c62be3b1b4a14f37057cb1c8f393c5fd1
@@ -117092,6 +117099,7 @@ CVE-2022-21134 (A firmware update vulnerability 
exists in the update
 CVE-2022-0194 (This vulnerability allows remote attackers to execute arbitrary 
code o ...)
{DLA-3426-1}
- netatalk 3.1.13~ds-1
+   [bullseye] - netatalk  (Minor issue, will be fixed via point 
release)
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: 
https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d
NOTE: Causes a regression:
@@ -163375,6 +163383,7 @@ CVE-2021-31440 (This vulnerability allows local 
attackers to 

[Git][security-tracker-team/security-tracker][master] netatalk proposed to be fixed through upcoming bullseye point release

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0c226df6 by Salvatore Bonaccorso at 2023-08-15T07:22:26+02:00
netatalk proposed to be fixed through upcoming bullseye point release

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -153,3 +153,21 @@ CVE-2023-35936
[bullseye] - pandoc 2.9.2.1-1+deb11u1
 CVE-2023-36054
[bullseye] - krb5 1.18.3-6+deb11u4
+CVE-2022-45188
+   [bullseye] - netatalk 3.1.12~ds-8+deb11u1
+CVE-2022-43634
+   [bullseye] - netatalk 3.1.12~ds-8+deb11u1
+CVE-2022-23125
+   [bullseye] - netatalk 3.1.12~ds-8+deb11u1
+CVE-2022-23124
+   [bullseye] - netatalk 3.1.12~ds-8+deb11u1
+CVE-2022-23123
+   [bullseye] - netatalk 3.1.12~ds-8+deb11u1
+CVE-2022-23122
+   [bullseye] - netatalk 3.1.12~ds-8+deb11u1
+CVE-2022-23121
+   [bullseye] - netatalk 3.1.12~ds-8+deb11u1
+CVE-2022-0194
+   [bullseye] - netatalk 3.1.12~ds-8+deb11u1
+CVE-2021-31439
+   [bullseye] - netatalk 3.1.12~ds-8+deb11u1
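Review bot: CVE-2021-31439 is listed here with the same 3.1.12~ds-8+deb11u1 target, but its matching [bullseye] no-dsa annotation in data/CVE/list falls into the last hunk of commit 47e10f5e, which is cut off in that notification right after the CVE-2021-31440 context line; worth confirming that entry got the same "Minor issue, will be fixed via point release" marking as the other eight, so the no-dsa state and this point-update list agree for all nine CVEs.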



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c226df6a2b6bcc426ef16148d3b291de44d1c8a



[Git][security-tracker-team/security-tracker][master] Track fixed version for libstb issues via unstable

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7805fb01 by Salvatore Bonaccorso at 2023-08-15T07:18:42+02:00
Track fixed version for libstb issues via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -101301,7 +101301,7 @@ CVE-2022-28043
RESERVED
 CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based 
use-after-fr ...)
{DLA-3305-1}
-   - libstb  (bug #1014531)
+   - libstb 0.0~git20230129.5736b15+ds-1 (bug #1014531)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1289
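Review bot: one snapshot version, 0.0~git20230129.5736b15+ds-1, is recorded as the fix for four separate libstb CVEs in this commit, so the record implies that snapshot 5736b15 (2023-01-29) contains every upstream fix commit referenced in the NOTEs (for example 5cfc2a744ad7047cda2396cc67772f313a46093d for CVE-2022-28042 and 8befa752b005da174b2429c1ffaafffe452b2997 for CVE-2021-42716); confirm each referenced commit is an ancestor of 5736b15 before closing all four, since an issue fixed only in a later upstream commit would be wrongly shown as fixed in unstable.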
@@ -101312,7 +101312,7 @@ CVE-2022-28042 (stb_image.h v2.27 was discovered to 
contain an heap-based use-af
NOTE: 
https://github.com/nothings/stb/commit/5cfc2a744ad7047cda2396cc67772f313a46093d
 CVE-2022-28041 (stb_image.h v2.27 was discovered to contain an integer 
overflow via th ...)
{DLA-3305-1}
-   - libstb  (bug #1014531)
+   - libstb 0.0~git20230129.5736b15+ds-1 (bug #1014531)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1292
@@ -133255,7 +133255,7 @@ CVE-2021-42717 (ModSecurity 3.x through 3.0.5 
mishandles excessively nested JSON
NOTE: Fixed by: 
https://github.com/SpiderLabs/ModSecurity/commit/41918335fa4c74fba46a986771a5a6cb457070c4
 (v2.9.5)
NOTE: Fixed by: 
https://github.com/SpiderLabs/ModSecurity/commit/ac79c1c29b7e6323e26cc984ad4f76ef62c731cd
 (v3.0.6)
 CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM 
loader incorr ...)
-   - libstb  (bug #1014532)
+   - libstb 0.0~git20230129.5736b15+ds-1 (bug #1014532)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Vulnerable code introduced later)
[buster] - libstb  (Vulnerable code introduced later)
@@ -133266,7 +133266,7 @@ CVE-2021-42716 (An issue was discovered in stb 
stb_image.h 2.27. The PNM loader
NOTE: 
https://github.com/nothings/stb/commit/8befa752b005da174b2429c1ffaafffe452b2997
 CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. 
The HDR  ...)
{DLA-3305-1}
-   - libstb  (bug #1014532)
+   - libstb 0.0~git20230129.5736b15+ds-1 (bug #1014532)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1224



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7805fb01ba91ce818f472be73c4b8c7553c07260



[Git][security-tracker-team/security-tracker][master] Track proposed krb5 update for bullseye-pu

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
47719975 by Salvatore Bonaccorso at 2023-08-14T22:55:39+02:00
Track proposed krb5 update for bullseye-pu

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -151,3 +151,5 @@ CVE-2023-37365
[bullseye] - hnswlib 0.4.0-3+deb11u1
 CVE-2023-35936
[bullseye] - pandoc 2.9.2.1-1+deb11u1
+CVE-2023-36054
+   [bullseye] - krb5 1.18.3-6+deb11u4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47719975aca6e6562b97d0db4da22e5068a69e25



[Git][security-tracker-team/security-tracker][master] Track proposed krb5 update via bookworm-pu

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
892da885 by Salvatore Bonaccorso at 2023-08-14T22:49:11+02:00
Track proposed krb5 update via bookworm-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -4,3 +4,5 @@ CVE-2023-26132
[bookworm] - node-dottie 2.0.2-4+deb12u1
 CVE-2023-35936
[bookworm] - pandoc 2.17.1.1-2~deb12u1
+CVE-2023-36054
+   [bookworm] - krb5 1.20.1-2+deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892da885bda012b3413162cf9696b194d618a504



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-36054/krb5

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
24e1df94 by Salvatore Bonaccorso at 2023-08-14T22:48:13+02:00
Track fixed version for CVE-2023-36054/krb5

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1245,7 +1245,7 @@ CVE-2023-36499 (Netgear XR300 v1.0.3.78 was discovered to 
contain multiple buffe
 CVE-2023-36220 (Directory Traversal vulnerability in Textpattern CMS v4.8.8 
allows a r ...)
NOT-FOR-US: Textpattern CMS
 CVE-2023-36054 (lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 
1.20.2 an ...)
-   - krb5  (bug #1043431)
+   - krb5 1.20.1-3 (bug #1043431)
[bookworm] - krb5  (Minor issue)
[bullseye] - krb5  (Minor issue)
[buster] - krb5  (Minor issue, DoS)
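Review bot: the rationale differs between the three release lines: "[buster] - krb5 (Minor issue, DoS)" carries the reason, while the [bookworm] and [bullseye] context lines say only "(Minor issue)"; since the same issue is being fixed via bookworm-pu and bullseye-pu in commits 892da885 and 47719975, "Minor issue, DoS, will be fixed via point release" on those two lines would match the netatalk entries and make the plan visible from this file alone.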



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24e1df94bfc8c417ae01818fd23d57bdbed2d602



[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-39950 as no-dsa

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7d07edf by Salvatore Bonaccorso at 2023-08-14T22:46:32+02:00
Mark CVE-2023-39950 as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -66,6 +66,7 @@ CVE-2022-4953 (The Elementor Website Builder WordPress plugin 
before 3.5.5 does
NOT-FOR-US: WordPress plugin
 CVE-2023-39950
- efibootguard 
+   [bookworm] - efibootguard  (Minor issue, can be fixed via point 
release)
NOTE: 
https://github.com/siemens/efibootguard/commit/965d65c5751898c4bb094ef191b7387819423414
 (v0.15)
NOTE: 
https://github.com/siemens/efibootguard/commit/53dee61dc8b3a83c882e4bc9a0cfe7d6d73610c4
 (v0.15)
 CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in 
search_brace in  ...)
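Review bot: the new [bookworm] line says "can be fixed via point release", but the unstable line above it ("- efibootguard ") still has no fixed version even though both NOTEs tag the fix as v0.15; the bookworm-pu can only be tracked once the unstable version is recorded and an entry exists in data/next-point-update.txt, and neither is part of this push, so this entry is easy to lose track of until then.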



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7d07edfbd22951964ac81192c8d6c84a0a27a4e



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40359/xterm

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a6dac681 by Salvatore Bonaccorso at 2023-08-14T22:32:06+02:00
Add CVE-2023-40359/xterm

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12,7 +12,8 @@ CVE-2023-40360 (QEMU through 8.0.4 accesses a NULL pointer in 
nvme_directive_rec
NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/73064edfb864743cde2c08f319609344af02aeb3
 (v8.0.0-rc0)
NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98
 (v8.1.0-rc3)
 CVE-2023-40359 (xterm before 380 supports ReGIS reporting for character-set 
names even ...)
-   TODO: check
+   - xterm 382-2
+   NOTE: https://invisible-island.net/xterm/xterm.log.html#xterm_380
 CVE-2023-40354 (An issue was discovered in MariaDB MaxScale before 23.02.3. A 
user ent ...)
TODO: check
 CVE-2023-40312 (Multiple reflected XSS were found on different JSP files with 
unsaniti ...)
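Review bot: the fixed version 382-2 is recorded against a description that says "xterm before 380" and a NOTE pointing at the xterm 380 changelog; if any 380-x, 381-x or 382-1 upload reached unstable, the earliest of those is the correct fixed version, since the tracker treats every version below the recorded one as vulnerable. No [bookworm]/[bullseye]/[buster] annotation is added either, so the stable suites stay open pending a severity decision.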



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6dac681d973c45751ceb2bb7b3f0822e68c1547



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3be41217 by Salvatore Bonaccorso at 2023-08-14T22:31:36+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,7 +3,7 @@ CVE-2023-4322 (Heap-based Buffer Overflow in GitHub repository 
radareorg/radare2
NOTE: 
https://github.com/radareorg/radare2/commit/ba919adb74ac368bf76b150a00347ded78b572dd
NOTE: https://huntr.dev/bounties/06e2484c-d6f1-4497-af67-26549be9fffd
 CVE-2023-4321 (Cross-site Scripting (XSS) - Stored in GitHub repository 
cockpit-hq/co ...)
-   TODO: check
+   NOT-FOR-US: Cockpit CMS
 CVE-2023-40360 (QEMU through 8.0.4 accesses a NULL pointer in 
nvme_directive_receive i ...)
- qemu 
[bookworm] - qemu  (Vulnerable code intoduced later)
@@ -16,9 +16,9 @@ CVE-2023-40359 (xterm before 380 supports ReGIS reporting for 
character-set name
 CVE-2023-40354 (An issue was discovered in MariaDB MaxScale before 23.02.3. A 
user ent ...)
TODO: check
 CVE-2023-40312 (Multiple reflected XSS were found on different JSP files with 
unsaniti ...)
-   TODO: check
+   NOT-FOR-US: OpenMNS
 CVE-2023-40311 (Multiple stored XSS were found on different JSP files with 
unsanitized ...)
-   TODO: check
+   NOT-FOR-US: OpenMNS
 CVE-2023-40024 (ScanCode.io is a server to script and automate software 
composition an ...)
TODO: check
 CVE-2023-40023 (yaklang is a programming language designed for cybersecurity. 
The Yak  ...)
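Review bot: "NOT-FOR-US: OpenMNS" on the two new lines reads like a transposition of OpenNMS; the truncated descriptions visible here ("Multiple reflected/stored XSS were found on different JSP files") do not show the product name, so check the full CVE text before this spelling propagates to other entries.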
@@ -26,23 +26,23 @@ CVE-2023-40023 (yaklang is a programming language designed 
for cybersecurity. Th
 CVE-2023-40020 (PrivateUploader is an open source image hosting server written 
in Vue  ...)
TODO: check
 CVE-2023-3721 (The WP-EMail WordPress plugin before 2.69.1 does not sanitise 
and esca ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-3645 (The Contact Form Builder by Bit Form WordPress plugin before 
2.2.0 doe ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-3601 (The Simple Author Box WordPress plugin before 2.52 does not 
verify a u ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-3435 (The User Activity Log WordPress plugin before 1.6.5 does not 
correctly ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-3328 (The Custom Field For WP Job Manager WordPress plugin before 1.2 
does n ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-3160 (The vulnerability potentially allows an attacker to misuse 
ESET\u2019s ...)
TODO: check
 CVE-2023-39908 (The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does 
not proper ...)
TODO: check
 CVE-2023-39293 (A Command Injection vulnerability has been identified in the 
MiVoice O ...)
-   TODO: check
+   NOT-FOR-US: Mitel
 CVE-2023-39292 (A SQL Injection vulnerability has been identified in the 
MiVoice Offic ...)
-   TODO: check
+   NOT-FOR-US: Mitel
 CVE-2023-38741 (IBM TXSeries for Multiplatforms 8.1, 8.2, and 9.1 is 
vulnerable to a d ...)
NOT-FOR-US: IBM
 CVE-2023-38721 (The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for 
i conta ...)
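Review bot: CVE-2023-3160 (ESET) and CVE-2023-39908 (YubiHSM 2 SDK PKCS11 module) keep "TODO: check" in the middle of this run of NOT-FOR-US conversions; if that is deliberate, a short NOTE saying what still needs checking (for the YubiHSM entry, whether the SDK's PKCS11 module is packaged) saves the next triager re-reading the same descriptions.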
@@ -50,19 +50,19 @@ CVE-2023-38721 (The IBM i 7.2, 7.3, 7.4, and 7.5 product 
Facsimile Support for i
 CVE-2023-37847 (novel-plus v3.6.2 was discovered to contain a SQL injection 
vulnerabil ...)
TODO: check
 CVE-2023-37070 (Code Projects Hospital Information System 1.0 is vulnerable to 
Cross S ...)
-   TODO: check
+   NOT-FOR-US: Code Projects Hospital Information System
 CVE-2023-33013 (A post-authentication command injection vulnerability in the 
NTP featu ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2023-32748 (The Linux DVS server component of Mitel MiVoice Connect 
through 19.3 S ...)
TODO: check
 CVE-2023-2803 (The Ultimate Addons for Contact Form 7 WordPress plugin before 
3.1.29  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-2802 (The Ultimate Addons for Contact Form 7 WordPress plugin before 
3.1.29  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-2606 (The WP Brutal AI WordPress plugin before 2.06 does not sanitise 
and es ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2022-4953 (The Elementor Website Builder WordPress plugin before 3.5.5 
does not f ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-39950
- efibootguard 
NOTE: 
https://github.com/siemens/efibootguard/commit/965d65c5751898c4bb094ef191b7387819423414
 (v0.15)
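Review bot: CVE-2023-32748 ("The Linux DVS server component of Mitel MiVoice Connect ...") is left at "TODO: check" while the two MiVoice entries in the previous hunk (CVE-2023-39293, CVE-2023-39292) become "NOT-FOR-US: Mitel"; unless the Linux component changes the picture, it should get the same marking for consistency.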



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3be41217b0c6d833afe5415657c9d96072aeceec


[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40360/qemu

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8f679666 by Salvatore Bonaccorso at 2023-08-14T22:30:47+02:00
Add CVE-2023-40360/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,7 +5,12 @@ CVE-2023-4322 (Heap-based Buffer Overflow in GitHub repository 
radareorg/radare2
 CVE-2023-4321 (Cross-site Scripting (XSS) - Stored in GitHub repository 
cockpit-hq/co ...)
TODO: check
 CVE-2023-40360 (QEMU through 8.0.4 accesses a NULL pointer in 
nvme_directive_receive i ...)
-   TODO: check
+   - qemu 
+   [bookworm] - qemu  (Vulnerable code intoduced later)
+   [buster] - qemu  (Vulnerable code intoduced later)
+   NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1815
+   NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/73064edfb864743cde2c08f319609344af02aeb3
 (v8.0.0-rc0)
+   NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98
 (v8.1.0-rc3)
 CVE-2023-40359 (xterm before 380 supports ReGIS reporting for character-set 
names even ...)
TODO: check
 CVE-2023-40354 (An issue was discovered in MariaDB MaxScale before 23.02.3. A 
user ent ...)
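Review bot: "intoduced" in the two new lines should be "introduced" ("Vulnerable code introduced later"); the typo is copied verbatim as context into later hunks in this series. Also, bookworm and buster are both marked not affected because the code was introduced in v8.0.0-rc0, but bullseye, whose qemu sits between those two, gets no annotation and therefore shows as vulnerable; it needs the same "[bullseye] - qemu (Vulnerable code introduced later)" line.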



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f679666887b60200a77e9988f8d276bcd45c1d7



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4322/radare2

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e24ba8b5 by Salvatore Bonaccorso at 2023-08-14T22:30:12+02:00
Add CVE-2023-4322/radare2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,7 @@
 CVE-2023-4322 (Heap-based Buffer Overflow in GitHub repository 
radareorg/radare2 prio ...)
-   TODO: check
+   - radare2 
+   NOTE: 
https://github.com/radareorg/radare2/commit/ba919adb74ac368bf76b150a00347ded78b572dd
+   NOTE: https://huntr.dev/bounties/06e2484c-d6f1-4497-af67-26549be9fffd
 CVE-2023-4321 (Cross-site Scripting (XSS) - Stored in GitHub repository 
cockpit-hq/co ...)
TODO: check
 CVE-2023-40360 (QEMU through 8.0.4 accesses a NULL pointer in 
nvme_directive_receive i ...)
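Review bot: the upstream commit NOTE carries no release tag after it, unlike the other Fixed-by NOTEs in this file ("(v8.1.0-rc3)", "(v0.15)"), and the unstable line "- radare2 " records no fixed version; adding the tag once upstream releases it, plus [bookworm]/[bullseye] triage for this heap-based buffer overflow, would complete the entry.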



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e24ba8b579e2d73af85cf0abe501efc46697523a



[Git][security-tracker-team/security-tracker][master] Process two NFUs

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e3159204 by Salvatore Bonaccorso at 2023-08-14T22:23:17+02:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37,9 +37,9 @@ CVE-2023-39293 (A Command Injection vulnerability has been 
identified in the MiV
 CVE-2023-39292 (A SQL Injection vulnerability has been identified in the 
MiVoice Offic ...)
TODO: check
 CVE-2023-38741 (IBM TXSeries for Multiplatforms 8.1, 8.2, and 9.1 is 
vulnerable to a d ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-38721 (The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for 
i conta ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-37847 (novel-plus v3.6.2 was discovered to contain a SQL injection 
vulnerabil ...)
TODO: check
 CVE-2023-37070 (Code Projects Hospital Information System 1.0 is vulnerable to 
Cross S ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e31592046077e2077330b9c790066471c50bbf73



[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2017-14250 (withdrawn by its CNA)

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a0194f50 by Salvatore Bonaccorso at 2023-08-14T22:21:22+02:00
Remove notes from CVE-2017-14250 (withdrawn by its CNA)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -395359,7 +395359,6 @@ CVE-2017-14251 (Unrestricted File Upload 
vulnerability in the fileDenyPattern in
[wheezy] - typo3-src  (Not supported in Wheezy LTS)
 CVE-2017-14250
REJECTED
-   NOT-FOR-US: TP-Link Router
 CVE-2017-14249 (ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage 
in coder ...)
{DLA-2366-1 DLA-1785-1 DLA-1131-1}
- imagemagick 8:6.9.9.34+dfsg-3 (low; bug #876099)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0194f508a7e4e9df18f48510c216ad1f289958c



[Git][security-tracker-team/security-tracker][master] automatic update

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4b5c8e75 by security tracker role at 2023-08-14T20:13:02+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,61 @@
+CVE-2023-4322 (Heap-based Buffer Overflow in GitHub repository 
radareorg/radare2 prio ...)
+   TODO: check
+CVE-2023-4321 (Cross-site Scripting (XSS) - Stored in GitHub repository 
cockpit-hq/co ...)
+   TODO: check
+CVE-2023-40360 (QEMU through 8.0.4 accesses a NULL pointer in 
nvme_directive_receive i ...)
+   TODO: check
+CVE-2023-40359 (xterm before 380 supports ReGIS reporting for character-set 
names even ...)
+   TODO: check
+CVE-2023-40354 (An issue was discovered in MariaDB MaxScale before 23.02.3. A 
user ent ...)
+   TODO: check
+CVE-2023-40312 (Multiple reflected XSS were found on different JSP files with 
unsaniti ...)
+   TODO: check
+CVE-2023-40311 (Multiple stored XSS were found on different JSP files with 
unsanitized ...)
+   TODO: check
+CVE-2023-40024 (ScanCode.io is a server to script and automate software 
composition an ...)
+   TODO: check
+CVE-2023-40023 (yaklang is a programming language designed for cybersecurity. 
The Yak  ...)
+   TODO: check
+CVE-2023-40020 (PrivateUploader is an open source image hosting server written 
in Vue  ...)
+   TODO: check
+CVE-2023-3721 (The WP-EMail WordPress plugin before 2.69.1 does not sanitise 
and esca ...)
+   TODO: check
+CVE-2023-3645 (The Contact Form Builder by Bit Form WordPress plugin before 
2.2.0 doe ...)
+   TODO: check
+CVE-2023-3601 (The Simple Author Box WordPress plugin before 2.52 does not 
verify a u ...)
+   TODO: check
+CVE-2023-3435 (The User Activity Log WordPress plugin before 1.6.5 does not 
correctly ...)
+   TODO: check
+CVE-2023-3328 (The Custom Field For WP Job Manager WordPress plugin before 1.2 
does n ...)
+   TODO: check
+CVE-2023-3160 (The vulnerability potentially allows an attacker to misuse 
ESET\u2019s ...)
+   TODO: check
+CVE-2023-39908 (The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does 
not proper ...)
+   TODO: check
+CVE-2023-39293 (A Command Injection vulnerability has been identified in the 
MiVoice O ...)
+   TODO: check
+CVE-2023-39292 (A SQL Injection vulnerability has been identified in the 
MiVoice Offic ...)
+   TODO: check
+CVE-2023-38741 (IBM TXSeries for Multiplatforms 8.1, 8.2, and 9.1 is 
vulnerable to a d ...)
+   TODO: check
+CVE-2023-38721 (The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for 
i conta ...)
+   TODO: check
+CVE-2023-37847 (novel-plus v3.6.2 was discovered to contain a SQL injection 
vulnerabil ...)
+   TODO: check
+CVE-2023-37070 (Code Projects Hospital Information System 1.0 is vulnerable to 
Cross S ...)
+   TODO: check
+CVE-2023-33013 (A post-authentication command injection vulnerability in the 
NTP featu ...)
+   TODO: check
+CVE-2023-32748 (The Linux DVS server component of Mitel MiVoice Connect 
through 19.3 S ...)
+   TODO: check
+CVE-2023-2803 (The Ultimate Addons for Contact Form 7 WordPress plugin before 
3.1.29  ...)
+   TODO: check
+CVE-2023-2802 (The Ultimate Addons for Contact Form 7 WordPress plugin before 
3.1.29  ...)
+   TODO: check
+CVE-2023-2606 (The WP Brutal AI WordPress plugin before 2.06 does not sanitise 
and es ...)
+   TODO: check
+CVE-2022-4953 (The Elementor Website Builder WordPress plugin before 3.5.5 
does not f ...)
+   TODO: check
 CVE-2023-39950
- efibootguard 
NOTE: 
https://github.com/siemens/efibootguard/commit/965d65c5751898c4bb094ef191b7387819423414
 (v0.15)
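Review bot: several of the new `TODO: check` entries name software that is packaged in Debian and so need actual triage rather than a routine NOT-FOR-US, notably CVE-2023-4322 (radare2), CVE-2023-40360 (QEMU) and CVE-2023-40359 (xterm); the WordPress plugin entries (CVE-2023-3721, CVE-2023-3645, CVE-2023-3601, CVE-2023-3435, CVE-2023-3328, CVE-2023-2803, CVE-2023-2802, CVE-2023-2606, CVE-2022-4953) concern plugins not shipped in Debian and can be processed in a single NFU pass, which would leave the shorter list of real candidates easier to see.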
@@ -3052,7 +3110,7 @@ CVE-2023-38334 (Omnis Studio 10.22.00 has incorrect 
access control. It advertise
NOT-FOR-US: Omnis Studio
 CVE-2023-38203 (Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and 
earlier)  ...)
NOT-FOR-US: Adobe
-CVE-2023-37728 (Icewarp Icearp v10.2.1 was discovered to contain a cross-site 
scriptin ...)
+CVE-2023-37728 (IceWarp v10.2.1 was discovered to contain cross-site scripting 
(XSS) v ...)
NOT-FOR-US: Icewarp Icearp
 CVE-2023-37650 (A Cross-Site Request Forgery (CSRF) in the Admin portal of 
Cockpit CMS ...)
NOT-FOR-US: Cockpit CMS
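Review bot: the unchanged annotation line `NOT-FOR-US: Icewarp Icearp` keeps the misspelled product name taken from the old description, while the replaced description now reads `IceWarp v10.2.1`; update the annotation to `NOT-FOR-US: IceWarp` in the same change so the entry stays consistent and searchable under the corrected name.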
@@ -3233,17 +3291,21 @@ CVE-2023-32263 (A potential vulnerability has been 
identified in the Micro Focus
 CVE-2023-27379 (A use-after-free vulnerability exists in the JavaScript engine 
of Foxi ...)
NOT-FOR-US: Foxit
 CVE-2023-3347 (A vulnerability was found in Samba's SMB2 packet signing 
mechanism. Th ...)
+   {DSA-5477-1}
- samba 2:4.18.5+dfsg-1
[bullseye] - samba  (Vulnerable code not present)
[buster] - samba  (Vulnerable code not present)
NOTE: https://www.samba.org/samba/security/CVE-2023-3347.html
 CVE-2023-34968 (A path disclosure 

[Git][security-tracker-team/security-tracker][master] Annotate note for CVE-2023-34872

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
849dc031 by Salvatore Bonaccorso at 2023-08-14T22:07:48+02:00
Annotate note for CVE-2023-34872

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2122,7 +2122,7 @@ CVE-2023-34872 (A vulnerability in Outline.cc for Poppler 
prior to 23.06.0 allow
[bullseye] - poppler  (Vulnerable code introduced later)
[buster] - poppler  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://gitlab.freedesktop.org/poppler/poppler/-/commit/fa494b780ab69ef04ba7447ab6d8fc3b46373e59
 (poppler-21.08.0)
-   NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe
 (poppler-23.06.0)
+   NOTE: Fixed by: 
https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe
 (poppler-23.06.0)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399
 CVE-2023-34842 (Remote Code Execution vulnerability in DedeCMS through 5.7.109 
allows  ...)
NOT-FOR-US: DedeCMS



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/849dc031c23b69398ca0fc7e0b48c1412558fb01



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc8c5434 by Salvatore Bonaccorso at 2023-08-14T21:35:11+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1363,13 +1363,13 @@ CVE-2023-38695 (cypress-image-snapshot shows visual 
regressions in Cypress with
 CVE-2023-38692 (CloudExplorer Lite is an open source, lightweight cloud 
management pla ...)
NOT-FOR-US: CloudExplorer Lite
 CVE-2023-38691 (matrix-appservice-bridge provides an API for setting up 
bridges. Start ...)
-   TODO: check
+   NOT-FOR-US: matrix-appservice-bridge
 CVE-2023-38690 (matrix-appservice-irc is a Node.js IRC bridge for Matrix. 
Prior to ver ...)
-   TODO: check
+   NOT-FOR-US: matrix-appservice-irc
 CVE-2023-38689 (Logistics Pipes is a modification (a.k.a. mod) for the 
computer game M ...)
TODO: check
 CVE-2023-38688 (twitch-tui provides Twitch chat in a terminal. Prior to 
version 2.4.1, ...)
-   TODO: check
+   NOT-FOR-US: twitch-tui
 CVE-2023-38686 (Sydent is an identity server for the Matrix communications 
protocol. P ...)
- matrix-sydent  (bug #1043162)
NOTE: https://github.com/matrix-org/sydent/pull/574
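Review bot: CVE-2023-38689 is left at `TODO: check` in this hunk although its neighbours were processed; its description already identifies Logistics Pipes as a mod for a computer game, which is not something packaged in Debian, so it could be marked `NOT-FOR-US: Logistics Pipes` in the same pass instead of remaining in the triage queue.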
@@ -32719,11 +32719,11 @@ CVE-2023-24482 (A vulnerability has been identified 
in COMOS V10.2 (All versions
 CVE-2023-24477 (In certain conditions, depending on timing and the usage of 
the Chrome ...)
NOT-FOR-US: Guardian/CMC
 CVE-2023-24471 (An access control vulnerability was found, due to the 
restrictions tha ...)
-   TODO: check
+   NOT-FOR-US: Nozomi Networks
 CVE-2023-24015 (A partial DoS vulnerability has been detected in the Reports 
section,  ...)
-   TODO: check
+   NOT-FOR-US: Nozomi Networks
 CVE-2023-23903 (An authenticated administrator can upload a SAML configuration 
file wi ...)
-   TODO: check
+   NOT-FOR-US: Nozomi Networks
 CVE-2023-23574 (A blind SQL Injection vulnerability in Nozomi Networks 
Guardian and CM ...)
NOT-FOR-US: Nozomi Networks Guardian and CMC
 CVE-2023-22843 (An authenticated attacker with administrative access to the 
appliance  ...)
@@ -36342,7 +36342,7 @@ CVE-2023-23210
 CVE-2023-23209
RESERVED
 CVE-2023-23208 (Genesys Administrator Extension (GAX) before 9.0.105.15 is 
vulnerable  ...)
-   TODO: check
+   NOT-FOR-US: Genesys Administrator Extension (GAX)
 CVE-2023-23207
RESERVED
 CVE-2023-23206
@@ -173482,9 +173482,9 @@ CVE-2021-27526 (A cross-site scripting (XSS) 
vulnerability in DynPG version 4.9.
 CVE-2021-27525
RESERVED
 CVE-2021-27524 (Cross Site Scripting (XSS) vulnerability in margox 
braft-editor versio ...)
-   TODO: check
+   NOT-FOR-US: margox braft-editor
 CVE-2021-27523 (An issue was discovered in open-falcon dashboard version 
0.2.0, allows ...)
-   TODO: check
+   NOT-FOR-US: open-falcon dashboard
 CVE-2021-27522 (Learnsite 1.2.5.0 contains a remote privilege escalation 
vulnerability ...)
NOT-FOR-US: Learnsite
 CVE-2021-27521
@@ -176000,7 +176000,7 @@ CVE-2021-26506
 CVE-2021-26505 (Prototype pollution vulnerability in MrSwitch hello.js version 
1.18.6, ...)
NOT-FOR-US: MrSwitch hello.js
 CVE-2021-26504 (Directory Traversal vulnerability in Foddy 
node-red-contrib-huemagic v ...)
-   TODO: check
+   NOT-FOR-US: Foddy node-red-contrib-huemagic
 CVE-2021-26503
RESERVED
 CVE-2021-26502
@@ -205523,7 +205523,7 @@ CVE-2020-27516
 CVE-2020-27515 (A Cross Site Scripting (XSS) vulnerability in Savsoft Quiz 
v5.0 allows ...)
NOT-FOR-US: Savsoft Quiz
 CVE-2020-27514 (Directory Traversal vulnerability in delete function in 
admin.api.Temp ...)
-   TODO: check
+   NOT-FOR-US: ZrLog
 CVE-2020-27513
RESERVED
 CVE-2020-27512



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc8c543405805de02faf2ea4b6ad2ca93fe3d4ed



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-39950/efibootguard

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
188f1e3d by Salvatore Bonaccorso at 2023-08-14T21:15:20+02:00
Add CVE-2023-39950/efibootguard

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-39950
+   - efibootguard 
+   NOTE: 
https://github.com/siemens/efibootguard/commit/965d65c5751898c4bb094ef191b7387819423414
 (v0.15)
+   NOTE: 
https://github.com/siemens/efibootguard/commit/53dee61dc8b3a83c882e4bc9a0cfe7d6d73610c4
 (v0.15)
 CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in 
search_brace in  ...)
- indent  (bug #1049366)
[bookworm] - indent  (Minor issue)
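Review bot: the package line `- efibootguard ` has nothing after the package name as rendered here; data/CVE/list puts either `<unfixed>` or a fixed version in that position, so confirm the marker is present in the committed file (the mail rendering may simply have dropped it as an HTML-like tag, as the trailing whitespace suggests). The two NOTE lines both point at commits tagged (v0.15), which is consistent with a fix landing in that release, but the entry still lacks a description; that is expected to be filled in by the next automatic update.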



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/188f1e3d209f7e3f6f21c4e977bd10f5f59590e0



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-40305/indent

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7078e0f9 by Salvatore Bonaccorso at 2023-08-14T20:57:41+02:00
Add Debian bug reference for CVE-2023-40305/indent

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in 
search_brace in  ...)
-   - indent 
+   - indent  (bug #1049366)
[bookworm] - indent  (Minor issue)
[bullseye] - indent  (Minor issue)
NOTE: https://savannah.gnu.org/bugs/index.php?64503



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7078e0f94cd437837d40910f1ff35d46aa86c4db



[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-40305/indent

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4395c208 by Salvatore Bonaccorso at 2023-08-14T20:51:04+02:00
Mark CVE-2023-40305/indent

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,7 @@
 CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in 
search_brace in  ...)
- indent 
+   [bookworm] - indent  (Minor issue)
+   [bullseye] - indent  (Minor issue)
NOTE: https://savannah.gnu.org/bugs/index.php?64503
 CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation 
because of un ...)
- inetutils  (bug #1049365)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4395c208d292a92af0a4b05c15e3e76b81bdeb46



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-40303/inetutils

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ccc0d953 by Salvatore Bonaccorso at 2023-08-14T20:48:29+02:00
Add Debian bug reference for CVE-2023-40303/inetutils

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2,7 +2,7 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer 
overflow in search_bra
- indent 
NOTE: https://savannah.gnu.org/bugs/index.php?64503
 CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation 
because of un ...)
-   - inetutils 
+   - inetutils  (bug #1049365)
NOTE: 
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
NOTE: 
https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg0.html
 CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer 
overflow in R ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccc0d9539a220674394584cbc955a26bdcdde9e3



[Git][security-tracker-team/security-tracker][master] samba DSA

2023-08-14 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0f00027 by Moritz Mühlenhoff at 2023-08-14T20:19:59+02:00
samba DSA

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -40353,7 +40353,7 @@ CVE-2022-47952 (lxc-user-nic in lxc through 5.0.1 is 
installed setuid root, and
NOTE: https://github.com/MaherAzzouzi/CVE-2022-47952
NOTE: 
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591/comments/45
NOTE: Different issue than CVE-2018-6556
-NOTE: 
https://github.com/lxc/lxc/commit/80553b5b412365f429aff93cff178e3e952ee6bd
+   NOTE: 
https://github.com/lxc/lxc/commit/80553b5b412365f429aff93cff178e3e952ee6bd
 CVE-2022-47951 (An issue was discovered in OpenStack Cinder before 19.1.2, 
20.x before ...)
{DSA-5338-1 DSA-5337-1 DSA-5336-1 DLA-3302-1 DLA-3301-1 DLA-3300-1}
- nova 2:26.0.0-6 (bug #1029561)
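Review bot: this hunk only re-indents the lxc NOTE line (the column-0 `-NOTE:` becomes an indented `+   NOTE:`), an unrelated cleanup bundled into a commit titled "samba DSA"; the fix itself is right, since annotation lines in data/CVE/list are indented and an unindented line is not read as part of the CVE-2022-47952 entry, but it would be easier to follow history if it were its own commit.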


=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[14 Aug 2023] DSA-5477-1 samba - security update
+   {CVE-2022-2127 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 
CVE-2023-34968}
+   [bookworm] - samba 2:4.17.10+dfsg-0+deb12u1
 [12 Aug 2023] DSA-5476-1 gst-plugins-ugly1.0 - security update
[bullseye] - gst-plugins-ugly1.0 1.18.4-2+deb11u1
[bookworm] - gst-plugins-ugly1.0 1.22.0-2+deb12u1


=
data/dsa-needed.txt
=
@@ -74,9 +74,6 @@ ruby-tzinfo/oldstable
 --
 salt/oldstable
 --
-samba (jmm)
-  oldstable likely to be EOLed partly
---
 sox
   all issues unfixed upstream
   for CVE-2023-34432, rest can be ignored



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0f00027f010ea8109ff5b373c5216a17f007c60



[Git][security-tracker-team/security-tracker][master] add openssh

2023-08-14 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b6f1ca69 by Thorsten Alteholz at 2023-08-14T20:16:06+02:00
add openssh

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -138,6 +138,9 @@ openjdk-11 (Emilio)
   NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking
   NOTE: 20230802: whether to change jtreg version (pochu)
 --
+openssh
+  NOTE: 20230814: Added by Front-Desk (ta)
+--
 openssl (gladk)
   NOTE: 20230731: Added by Front-Desk (apo)
   NOTE: 20230814: ready to be uploaded



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6f1ca69dd92dd7a2a9fbc7cfe5477f4773fc9bd



[Git][security-tracker-team/security-tracker][master] LTS: Remove nodejs from dla-needed.txt.

2023-08-14 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
39e441c6 by Guilhem Moulin at 2023-08-14T20:13:18+02:00
LTS: Remove nodejs from dla-needed.txt.

All CVEs have been postponed or marked as non-affecting buster.  New
CVEs will be filed for http_parser (the llhttp counterpart).

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -104,9 +104,6 @@ mediawiki
   NOTE: 20230810: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31
   NOTE: 20230810: Check DSA-5447-1 (Beuc/front-desk)
 --
-nodejs
-  NOTE: 20230731: Added by Front-Desk (apo)
---
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific 
CVE-2022-47951 backport that introduces regression



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39e441c6a52b2a103805f0e88ecd24d7edd3a7a7



[Git][security-tracker-team/security-tracker][master] LTS: take openssl again, it will be uploaded today

2023-08-14 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0675d07 by Anton Gladky at 2023-08-14T20:09:51+02:00
LTS: take openssl again, it will be uploaded today

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -141,8 +141,9 @@ openjdk-11 (Emilio)
   NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking
   NOTE: 20230802: whether to change jtreg version (pochu)
 --
-openssl
+openssl (gladk)
   NOTE: 20230731: Added by Front-Desk (apo)
+  NOTE: 20230814: ready to be uploaded
 --
 orthanc (gladk)
   NOTE: 20230812: Added by Front-Desk (Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0675d07f033f09cfc930e286b19407ba71a8f7f



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40274/zola, itp'ed

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0bc4a0ea by Salvatore Bonaccorso at 2023-08-14T19:28:06+02:00
Add CVE-2023-40274/zola, itp'ed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21,7 +21,7 @@ CVE-2023-40283 (An issue was discovered in l2cap_sock_release 
in net/bluetooth/l
- linux 
NOTE: 
https://git.kernel.org/linus/1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 (6.5-rc1)
 CVE-2023-40274 (An issue was discovered in zola 0.13.0 through 0.17.2. The 
custom impl ...)
-   TODO: check
+   - zola  (bug #976052)
 CVE-2023-3267 (When adding a remote backup location, an authenticated user can 
pass a ...)
NOT-FOR-US: Trellix
 CVE-2023-3266 (A non-feature complete authentication mechanism exists in the 
producti ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bc4a0eae4675b139295d624a87c8089bb510dee



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fd37ad0c by Salvatore Bonaccorso at 2023-08-14T19:27:31+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8,9 +8,9 @@ CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege 
escalation because
 CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer 
overflow in R ...)
TODO: check
 CVE-2023-40295 (libboron in Boron 2.0.8 has a heap-based buffer overflow in 
ur_strInit ...)
-   TODO: check
+   NOT-FOR-US: libboron
 CVE-2023-40294 (libboron in Boron 2.0.8 has a heap-based buffer overflow in 
ur_parseBl ...)
-   TODO: check
+   NOT-FOR-US: libboron
 CVE-2023-40293 (Harman Infotainment 20190525031613 and later allows command 
injection  ...)
NOT-FOR-US: Harman Infotainment
 CVE-2023-40292 (Harman Infotainment 20190525031613 and later discloses the IP 
address  ...)
@@ -23,79 +23,79 @@ CVE-2023-40283 (An issue was discovered in 
l2cap_sock_release in net/bluetooth/l
 CVE-2023-40274 (An issue was discovered in zola 0.13.0 through 0.17.2. The 
custom impl ...)
TODO: check
 CVE-2023-3267 (When adding a remote backup location, an authenticated user can 
pass a ...)
-   TODO: check
+   NOT-FOR-US: Trellix
 CVE-2023-3266 (A non-feature complete authentication mechanism exists in the 
producti ...)
-   TODO: check
+   NOT-FOR-US: Trellix
 CVE-2023-3265 (An authentication bypass exists on CyberPower PowerPanel 
Enterprise by ...)
-   TODO: check
+   NOT-FOR-US: Trellix
 CVE-2023-3264 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 
or earl ...)
-   TODO: check
+   NOT-FOR-US: Trellix
 CVE-2023-3263 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 
or earl ...)
-   TODO: check
+   NOT-FOR-US: Trellix
 CVE-2023-3262 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 
or earl ...)
-   TODO: check
+   NOT-FOR-US: Trellix
 CVE-2023-3261 (When adding a remote backup location, an authenticated user can 
pass a ...)
-   TODO: check
+   NOT-FOR-US: Trellix
 CVE-2023-3260 (When adding a remote backup location, an authenticated user can 
pass a ...)
-   TODO: check
+   NOT-FOR-US: Trellix
 CVE-2023-3259 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 
or earl ...)
-   TODO: check
+   NOT-FOR-US: Trellix
 CVE-2023-39406 (Permission control vulnerability in the XLayout component. 
Successful  ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39405 (Vulnerability of out-of-bounds parameter read/write in the 
Wi-Fi modul ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39404 (Vulnerability of input parameter verification in certain APIs 
in the w ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39403 (Parameter verification vulnerability in the installd module. 
Successfu ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39402 (Parameter verification vulnerability in the installd module. 
Successfu ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39401 (Parameter verification vulnerability in the installd module. 
Successfu ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39400 (Parameter verification vulnerability in the installd module. 
Successfu ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39399 (Parameter verification vulnerability in the installd module. 
Successfu ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39398 (Parameter verification vulnerability in the installd module. 
Successfu ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39397 (Input parameter verification vulnerability in the 
communication system ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39396 (Deserialization vulnerability in the input module. Successful 
exploita ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39395 (Mismatch vulnerability in the serialization process in the 
communicati ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39394 (Vulnerability of API privilege escalation in the wifienhance 
module. S ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39393 (Vulnerability of insecure signatures in the 
ServiceWifiResources modul ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39392 (Vulnerability of insecure signatures in the OsuLogin module. 
Successfu ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39391 (Vulnerability of system file information leakage in the USB 
Service mo ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39390 (Vulnerability of input parameter verification in certain APIs 
in the w ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-39389 (Vulnerability of input parameters being 
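Review bot: `NOT-FOR-US: Trellix` names the organisation that reported the issues rather than the affected product; the visible descriptions identify the products as CyberPower PowerPanel Enterprise (CVE-2023-3265) and the Dataprobe iBoot PDU (CVE-2023-3264, CVE-2023-3263, CVE-2023-3262, CVE-2023-3259), so annotating the product name (for example `NOT-FOR-US: Dataprobe iBoot PDU`) follows the convention used elsewhere in this hunk (`NOT-FOR-US: libboron`, `NOT-FOR-US: Huawei`) and makes the list more useful when a product name is searched for later.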

[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-08-14 Thread @roberto


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e7cec407 by Roberto C. Sánchez at 2023-08-14T13:14:53-04:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Roberto C. Sánchez robe...@connexer.com

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -25,7 +25,7 @@ amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
   NOTE: 20230813: testing packages (ta)
 --
-cairosvg (gladk)
+cairosvg
   NOTE: 20230323: Added by Front-Desk (gladk)
   NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport 
the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive)
 --
@@ -104,7 +104,7 @@ mediawiki
   NOTE: 20230810: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31
   NOTE: 20230810: Check DSA-5447-1 (Beuc/front-desk)
 --
-nodejs (guilhem)
+nodejs
   NOTE: 20230731: Added by Front-Desk (apo)
 --
 nova
@@ -126,7 +126,7 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-open-vm-tools (Abhijith PA)
+open-vm-tools
   NOTE: 20230731: Added by Front-Desk (apo)
 --
 opendmarc (Chris Lamb)
@@ -141,7 +141,7 @@ openjdk-11 (Emilio)
   NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking
   NOTE: 20230802: whether to change jtreg version (pochu)
 --
-openssl (gladk)
+openssl
   NOTE: 20230731: Added by Front-Desk (apo)
 --
 orthanc (gladk)
@@ -228,7 +228,7 @@ samba (Lee Garrett)
   NOTE: 20230807: functional test framework is however needed (WIP) as most
   NOTE: 20230807: CVEs/bugfixes don't have test coverage.
 --
-suricata (Adrian Bunk)
+suricata
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with 
last LTS update in Jessie,
   NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage 
(postponed/ignored),



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7cec4073c0ea3df68a9067f30c0c6ff0499078c



[Git][security-tracker-team/security-tracker][master] CVE-2022-48579,unrar-non-free: Bookworm is not-affected

2023-08-14 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ea7d3752 by Markus Koschany at 2023-08-14T18:13:53+02:00
CVE-2022-48579,unrar-non-free: Bookworm is not-affected

This issue is fixed in 6.2.3. Bookworm has 6.2.6.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1213,7 +1213,6 @@ CVE-2023-33906 (In Contacts Service, there is a possible 
missing permission chec
NOT-FOR-US: Unisoc
 CVE-2022-48579 (UnRAR before 6.2.3 allows extraction of files outside of the 
destinati ...)
- unrar-nonfree 1:6.2.3-1
-   [bookworm] - unrar-nonfree  (Non-free not supported)
[bullseye] - unrar-nonfree  (Non-free not supported)
NOTE: 
https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f#diff-ca3086f578522062d7e390ed2cd7e10f646378a8b8cbf287a6e4db5966df68ee
 CVE-2023-4196 (Cross-site Scripting (XSS) - Stored in GitHub repository 
cockpit-hq/co ...)
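Review bot: the bookworm line at "-   [bookworm] - unrar-nonfree  (Non-free not supported)" is removed outright rather than rewritten to a not-affected annotation as the commit title says; since the preceding context line records the fix as "unrar-nonfree 1:6.2.3-1" and the commit message states bookworm ships 6.2.6, the tracker will already treat bookworm as fixed, so the plain removal is sufficient, but "fixed" rather than "not-affected" would describe the result accurately in the title.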



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea7d3752f7c8cc1bb7c7eb2527f879bf4abfbb55



[Git][security-tracker-team/security-tracker][master] Add NOTE with patch upstream about CVE-2022-47952/lxc in data/CVE/list

2023-08-14 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4b195688 by Santiago Ruano Rincón at 2023-08-14T11:20:26-03:00
Add NOTE with patch upstream about CVE-2022-47952/lxc in data/CVE/list

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -40354,6 +40354,7 @@ CVE-2022-47952 (lxc-user-nic in lxc through 5.0.1 is 
installed setuid root, and
NOTE: https://github.com/MaherAzzouzi/CVE-2022-47952
NOTE: 
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591/comments/45
NOTE: Different issue than CVE-2018-6556
+NOTE: 
https://github.com/lxc/lxc/commit/80553b5b412365f429aff93cff178e3e952ee6bd
 CVE-2022-47951 (An issue was discovered in OpenStack Cinder before 19.1.2, 
20.x before ...)
{DSA-5338-1 DSA-5337-1 DSA-5336-1 DLA-3302-1 DLA-3301-1 DLA-3300-1}
- nova 2:26.0.0-6 (bug #1029561)
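Review bot: the added "+NOTE:" with the lxc upstream commit does not state which release carries it; the other entries on this page append the fixing version in parentheses ("(6.5-rc1)", "(poppler-23.06.0)"), and without it the entry cannot be used to decide which Debian suites still need the fix. Suggest "NOTE: https://github.com/lxc/lxc/commit/80553b5b412365f429aff93cff178e3e952ee6bd (<release, to be confirmed>)" once the tag containing the commit is known.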



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b1956882745c18ab430414960aee6da2b365dcc



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3528-1 for poppler

2023-08-14 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a63538a8 by Adrian Bunk at 2023-08-14T15:21:19+03:00
Reserve DLA-3528-1 for poppler

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[14 Aug 2023] DLA-3528-1 poppler - security update
+   {CVE-2020-36023 CVE-2020-36024}
+   [buster] - poppler 0.71.0-5+deb10u2
 [13 Aug 2023] DLA-3426-3 netatalk - regression update
[buster] - netatalk 3.1.12~ds-3+deb10u3
 [13 Aug 2023] DLA-3527-1 sox - security update


=
data/dla-needed.txt
=
@@ -155,9 +155,6 @@ otrs2
   NOTE: 20230811: Lots of CVEs have been marked no-dsa or ignored (Non-free 
not supported),
   NOTE: 20230811: but this is a sponsored package, so they need to be fixed. 
(Beuc/front-desk)
 --
-poppler (Adrian Bunk)
-  NOTE: 20230804: Added by Front-Desk (gladk)
---
 python-glance-store
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a63538a8a3513fce3af097c8498da13ad17fe46e



[Git][security-tracker-team/security-tracker][master] CVE-2023-34872/poppler does not affect buster or bullseye

2023-08-14 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
abc23003 by Adrian Bunk at 2023-08-14T14:51:25+03:00
CVE-2023-34872/poppler does not affect buster or bullseye

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2114,7 +2114,9 @@ CVE-2023-34916 (Fuge CMS v1.0 contains an Open Redirect 
vulnerability via /front
 CVE-2023-34872 (A vulnerability in Outline.cc for Poppler prior to 23.06.0 
allows a re ...)
- poppler  (bug #1042811)
[bookworm] - poppler  (Minor issue)
-   [bullseye] - poppler  (Minor issue)
+   [bullseye] - poppler  (Vulnerable code introduced later)
+   [buster] - poppler  (Vulnerable code introduced later)
+   NOTE: Introduced by: 
https://gitlab.freedesktop.org/poppler/poppler/-/commit/fa494b780ab69ef04ba7447ab6d8fc3b46373e59
 (poppler-21.08.0)
NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe
 (poppler-23.06.0)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399
 CVE-2023-34842 (Remote Code Execution vulnerability in DedeCMS through 5.7.109 
allows  ...)
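Review bot: at "+   [bullseye] - poppler  (Vulnerable code introduced later)" and the new buster line, the status token between the package name and the reason is not visible in the rendered hunk (only a double space), so it cannot be confirmed here that both lines carry the not-affected marker the commit title requires rather than whatever token the replaced "(Minor issue)" bullseye line had; the reason text alone does not change the tracker's status, so check the token. Leaving bookworm at "(Minor issue)" is consistent with the title scoping the not-affected claim to buster and bullseye only, and the "Introduced by:" NOTE with "(poppler-21.08.0)" is the right way to document that claim.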



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abc23003d9b71d43ac94314d166ecc4c8b66f21e



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim opendmarc.

2023-08-14 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fe2345cc by Chris Lamb at 2023-08-14T11:30:59+01:00
data/dla-needed.txt: Claim opendmarc.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -129,7 +129,7 @@ nvidia-cuda-toolkit
 open-vm-tools (Abhijith PA)
   NOTE: 20230731: Added by Front-Desk (apo)
 --
-opendmarc
+opendmarc (Chris Lamb)
   NOTE: 20230811: Added by Front-Desk (Beuc)
   NOTE: 20230810: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/34
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe2345ccaffcf249018ce12a5a38b1f04e43a690



[Git][security-tracker-team/security-tracker][master] dla: claim w3m

2023-08-14 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e93a97df by Sylvain Beucler at 2023-08-14T12:04:24+02:00
dla: claim w3m

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -242,7 +242,7 @@ suricata (Adrian Bunk)
 unrar-nonfree (Markus Koschany)
   NOTE: 20230808: Added by Front-Desk (Beuc)
 --
-w3m
+w3m (Sylvain Beucler)
   NOTE: 20230812: Added by Front-Desk (Beuc)
   NOTE: 20230812: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/42
   NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e93a97dfff620559b9b535a763bb24fa52b00277



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e6af1116 by Salvatore Bonaccorso at 2023-08-14T10:27:50+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12,11 +12,11 @@ CVE-2023-40295 (libboron in Boron 2.0.8 has a heap-based 
buffer overflow in ur_s
 CVE-2023-40294 (libboron in Boron 2.0.8 has a heap-based buffer overflow in 
ur_parseBl ...)
TODO: check
 CVE-2023-40293 (Harman Infotainment 20190525031613 and later allows command 
injection  ...)
-   TODO: check
+   NOT-FOR-US: Harman Infotainment
 CVE-2023-40292 (Harman Infotainment 20190525031613 and later discloses the IP 
address  ...)
-   TODO: check
+   NOT-FOR-US: Harman Infotainment
 CVE-2023-40291 (Harman Infotainment 20190525031613 allows root access via SSH 
over a U ...)
-   TODO: check
+   NOT-FOR-US: Harman Infotainment
 CVE-2023-40283 (An issue was discovered in l2cap_sock_release in 
net/bluetooth/l2cap_s ...)
TODO: check
 CVE-2023-40274 (An issue was discovered in zola 0.13.0 through 0.17.2. The 
custom impl ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6af11168485d5ac94107a0d84667e6f457eec63



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40283/linux

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e4531066 by Salvatore Bonaccorso at 2023-08-14T10:35:45+02:00
Add CVE-2023-40283/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18,7 +18,8 @@ CVE-2023-40292 (Harman Infotainment 20190525031613 and later 
discloses the IP ad
 CVE-2023-40291 (Harman Infotainment 20190525031613 allows root access via SSH 
over a U ...)
NOT-FOR-US: Harman Infotainment
 CVE-2023-40283 (An issue was discovered in l2cap_sock_release in 
net/bluetooth/l2cap_s ...)
-   TODO: check
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 (6.5-rc1)
 CVE-2023-40274 (An issue was discovered in zola 0.13.0 through 0.17.2. The 
custom impl ...)
TODO: check
 CVE-2023-3267 (When adding a remote backup location, an authenticated user can 
pass a ...)
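Review bot: the new "+   - linux " entry records only the fix ("1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 (6.5-rc1)") and no "Introduced by:" NOTE of the kind used for the poppler entry earlier on this page, so the affected-suite decision for the stable kernels is still open; add the introducing commit, or per-suite annotations, once it is known which kernel series contain the l2cap_sock_release bug.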



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4531066f606e940a70e0a1696288d22ac15d3ce



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40303/inetutils

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86e2e2af by Salvatore Bonaccorso at 2023-08-14T10:20:23+02:00
Add CVE-2023-40303/inetutils

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2,7 +2,9 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer 
overflow in search_bra
- indent 
NOTE: https://savannah.gnu.org/bugs/index.php?64503
 CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation 
because of un ...)
-   TODO: check
+   - inetutils 
+   NOTE: 
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
+   NOTE: 
https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg0.html
 CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer 
overflow in R ...)
TODO: check
 CVE-2023-40295 (libboron in Boron 2.0.8 has a heap-based buffer overflow in 
ur_strInit ...)
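Review bot: the second added NOTE URL, "https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg0.html", does not have the five-digit "msgNNNNN.html" form the lists.gnu.org archive uses, so it is likely truncated and will not resolve; verify the link before it lands in data/CVE/list. As with other unfixed entries, "- inetutils " without a version is fine, but a "(<release>)" suffix on the commit NOTE would say which upstream version first carries e4e65c03.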



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86e2e2afbc2b8ee0db40dcf07924329d696cb360



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40305/indent

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
499396d9 by Salvatore Bonaccorso at 2023-08-14T10:18:49+02:00
Add CVE-2023-40305/indent

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,6 @@
 CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in 
search_brace in  ...)
-   TODO: check
+   - indent 
+   NOTE: https://savannah.gnu.org/bugs/index.php?64503
 CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation 
because of un ...)
TODO: check
 CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer 
overflow in R ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/499396d9c3723690f6ad92d2ea2f9e420e0ac901



[Git][security-tracker-team/security-tracker][master] automatic update

2023-08-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f4b6d1d3 by security tracker role at 2023-08-14T08:12:18+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,41 @@
+CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in 
search_brace in  ...)
+   TODO: check
+CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation 
because of un ...)
+   TODO: check
+CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer 
overflow in R ...)
+   TODO: check
+CVE-2023-40295 (libboron in Boron 2.0.8 has a heap-based buffer overflow in 
ur_strInit ...)
+   TODO: check
+CVE-2023-40294 (libboron in Boron 2.0.8 has a heap-based buffer overflow in 
ur_parseBl ...)
+   TODO: check
+CVE-2023-40293 (Harman Infotainment 20190525031613 and later allows command 
injection  ...)
+   TODO: check
+CVE-2023-40292 (Harman Infotainment 20190525031613 and later discloses the IP 
address  ...)
+   TODO: check
+CVE-2023-40291 (Harman Infotainment 20190525031613 allows root access via SSH 
over a U ...)
+   TODO: check
+CVE-2023-40283 (An issue was discovered in l2cap_sock_release in 
net/bluetooth/l2cap_s ...)
+   TODO: check
+CVE-2023-40274 (An issue was discovered in zola 0.13.0 through 0.17.2. The 
custom impl ...)
+   TODO: check
+CVE-2023-3267 (When adding a remote backup location, an authenticated user can 
pass a ...)
+   TODO: check
+CVE-2023-3266 (A non-feature complete authentication mechanism exists in the 
producti ...)
+   TODO: check
+CVE-2023-3265 (An authentication bypass exists on CyberPower PowerPanel 
Enterprise by ...)
+   TODO: check
+CVE-2023-3264 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 
or earl ...)
+   TODO: check
+CVE-2023-3263 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 
or earl ...)
+   TODO: check
+CVE-2023-3262 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 
or earl ...)
+   TODO: check
+CVE-2023-3261 (When adding a remote backup location, an authenticated user can 
pass a ...)
+   TODO: check
+CVE-2023-3260 (When adding a remote backup location, an authenticated user can 
pass a ...)
+   TODO: check
+CVE-2023-3259 (The Dataprobe iBoot PDU running firmware version 1.43.03312023 
or earl ...)
+   TODO: check
 CVE-2023-39406 (Permission control vulnerability in the XLayout component. 
Successful  ...)
TODO: check
 CVE-2023-39405 (Vulnerability of out-of-bounds parameter read/write in the 
Wi-Fi modul ...)
@@ -36292,8 +36330,8 @@ CVE-2023-23210
RESERVED
 CVE-2023-23209
RESERVED
-CVE-2023-23208
-   RESERVED
+CVE-2023-23208 (Genesys Administrator Extension (GAX) before 9.0.105.15 is 
vulnerable  ...)
+   TODO: check
 CVE-2023-23207
RESERVED
 CVE-2023-23206
@@ -395242,7 +395280,8 @@ CVE-2017-14252 (SQL Injection exists in the 
EyesOfNetwork web interface (aka eon
 CVE-2017-14251 (Unrestricted File Upload vulnerability in the fileDenyPattern 
in sysex ...)
- typo3-src 
[wheezy] - typo3-src  (Not supported in Wheezy LTS)
-CVE-2017-14250 (In TP-LINK TL-WR741N / TL-WR741ND 150M Wireless Lite N Router 
with Fir ...)
+CVE-2017-14250
+   REJECTED
NOT-FOR-US: TP-Link Router
 CVE-2017-14249 (ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage 
in coder ...)
{DLA-2366-1 DLA-1785-1 DLA-1131-1}
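Review bot: after "+CVE-2017-14250" / "+   REJECTED" the old "NOT-FOR-US: TP-Link Router" line is left below the rejected entry; a REJECTED entry carries no triage line (compare the RESERVED entries in the previous hunk, which have none), so the stale line should be dropped in the next manual pass rather than carried forward by the automatic updater.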



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4b6d1d374ebe5eedc7d45e83c7badf7d4d3eb18
