[Git][security-tracker-team/security-tracker][master] Take care of releasing updates for librsvg prepared by maintainer
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d1fdcfa by Salvatore Bonaccorso at 2023-08-20T07:07:34+02:00 Take care of releasing updates for librsvg prepared by maintainer - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -23,7 +23,9 @@ frr (aron) -- libreswan (jmm) -- -librsvg +librsvg (carnil) + Maintainer prepared updates to be released +-- -- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d1fdcfaa91e858e3368efd11a6078c40ba41aa4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d1fdcfaa91e858e3368efd11a6078c40ba41aa4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
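Review bot: the new note under librsvg says the maintainer prepared updates but not for which suites or which CVEs they cover, so whoever releases them has to reconstruct that from elsewhere; add the CVE ids and the target suites to the note, the way the linux entry just below records its own handling plan. While touching this region, the untouched context line for linux has a typo, "regulary" should read "regularly".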
[Git][security-tracker-team/security-tracker][master] add php7.3
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 589fd541 by Thorsten Alteholz at 2023-08-20T01:03:43+02:00 add php7.3 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -145,6 +145,9 @@ otrs2 (guilhem) NOTE: 20230811: Lots of CVEs have been marked no-dsa or ignored (Non-free not supported), NOTE: 20230811: but this is a sponsored package, so they need to be fixed. (Beuc/front-desk) -- +php7.3 + NOTE: 20230820: Added by Front-Desk (ta) +-- python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/589fd541ed0ed35e4bdf2901b4537220beb62a88 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/589fd541ed0ed35e4bdf2901b4537220beb62a88 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
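Review bot: the php7.3 entry is added with only the front-desk stamp and no indication of which CVEs need a buster fix or how urgent they are, unlike the neighbouring python-glance-store entry, which names CVE-2023-2088; add a NOTE listing the open CVEs (or the tracker query that produced the list) so the person claiming the package knows the scope before self-assigning.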
[Git][security-tracker-team/security-tracker][master] 4 commits: mark CVE-2023-33953 as postponed for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d4cf9587 by Thorsten Alteholz at 2023-08-20T00:12:49+02:00 mark CVE-2023-33953 as postponed for Buster - - - - - 1d2c4770 by Thorsten Alteholz at 2023-08-20T00:18:35+02:00 add firmware-nonfree - - - - - e609abc6 by Thorsten Alteholz at 2023-08-20T00:30:27+02:00 mark CVE-2023-40303 as no-dsa for Buster - - - - - 2bc0891c by Thorsten Alteholz at 2023-08-20T00:33:27+02:00 mark CVE-2023-38857 and CVE-2023-38858 as postponed for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -554,11 +554,13 @@ CVE-2023-38858 (Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote a - faad2 (bug #1050095) [bookworm] - faad2 (Minor issue) [bullseye] - faad2 (Minor issue) + [buster] - faad2 (recheck when fixed upstream) NOTE: https://github.com/knik0/faad2/issues/173 CVE-2023-38857 (Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacke ...) - faad2 (bug #1050094) [bookworm] - faad2 (Minor issue) [bullseye] - faad2 (Minor issue) + [buster] - faad2 (recheck when fixed upstream) NOTE: https://github.com/knik0/faad2/issues/171 CVE-2023-38856 (Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacke ...) - r-cran-readxl (unimportant) @@ -703,6 +705,7 @@ CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because - inetutils (bug #1049365) [bookworm] - inetutils (Minor issue) [bullseye] - inetutils (Minor issue) + [buster] - inetutils (Minor issue) NOTE: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg0.html CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in R ...) 
@@ -1259,6 +1262,7 @@ CVE-2023-34545 (A SQL injection vulnerability in CSZCMS 1.3.0 allows remote atta NOT-FOR-US: CSZCMS CVE-2023-33953 (gRPC contains a vulnerability that allows hpack table accounting error ...) - grpc + [buster] - grpc (recheck when upstream patch is available/published) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2230890 NOTE: https://cloud.google.com/support/bulletins#gcp-2023-022 CVE-2023-33469 (In instances where the screen is visible and remote mouse connection i ...) = data/dla-needed.txt = @@ -47,6 +47,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +firmware-nonfree + NOTE: 20230820: Added by Front-Desk (ta) +-- flask (Sean Whitton) NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230811: Check DSA-5442-1 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a2906605c03b2deeff3b845c825356e2835148f0...2bc0891c47c21b59ebbaf61a6ffe841ccc906836 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a2906605c03b2deeff3b845c825356e2835148f0...2bc0891c47c21b59ebbaf61a6ffe841ccc906836 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
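Review bot: the `[buster] - faad2` lines added for CVE-2023-38858 and CVE-2023-38857 carry the remark "(recheck when fixed upstream)" but no visible status tag, while the commit message says the issues are postponed; if the rendering dropped the tag this is fine, otherwise both entries will show as open for buster. Consider also keeping the "(Minor issue)" rationale used for bookworm and bullseye in the buster remark, so the severity judgement travels with the postponement.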
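Review bot: for CVE-2023-40303 the buster line reads `[buster] - inetutils (Minor issue)`, identical to the bookworm and bullseye lines, but the commit message says no-dsa and no tag is visible in the hunk; verify the tag is present in the file. Since the description is a privilege escalation and the NOTE already links an upstream fix commit, one line stating why it is considered minor would save the next triager from re-deriving that judgement.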
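Review bot: the grpc entry for CVE-2023-33953 still has a bare `- grpc` line with no bug reference and no bookworm or bullseye annotation, yet buster now gets "(recheck when upstream patch is available/published)"; reference a Debian bug and annotate the other suites so the buster postponement does not look like the only decision taken. The NOTEs point at the Red Hat bugzilla and the GCP bulletin only, so the "recheck" remark is consistent with no upstream fix being linked yet.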
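Review bot: firmware-nonfree is added to dla-needed.txt with just the front-desk stamp, no CVE ids, and no note on why it is in scope; the otrs2 entry in the same file records that non-free packages are normally marked no-dsa or ignored unless sponsored, so state the reason here and list the CVEs or firmware blobs concerned, otherwise the entry is hard to act on.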
[Git][security-tracker-team/security-tracker][master] mark CVE-2023-40305 as no-dsa for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a2906605 by Thorsten Alteholz at 2023-08-19T20:21:01+02:00 mark CVE-2023-40305 as no-dsa for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -697,6 +697,7 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_bra - indent (bug #1049366) [bookworm] - indent (Minor issue) [bullseye] - indent (Minor issue) + [buster] - indent (Minor issue) NOTE: https://savannah.gnu.org/bugs/index.php?64503 CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because of un ...) - inetutils (bug #1049365) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2906605c03b2deeff3b845c825356e2835148f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2906605c03b2deeff3b845c825356e2835148f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
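Review bot: `[buster] - indent (Minor issue)` mirrors the bookworm and bullseye lines, but the no-dsa tag named in the commit message is not visible in the rendered hunk; confirm the file carries it, since without the tag the entry counts as open for buster. The NOTE references the upstream savannah bug but no fix commit, so there is nothing further to record yet.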
[Git][security-tracker-team/security-tracker][master] dla: update w3m status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5fb8ec48 by Sylvain Beucler at 2023-08-19T20:16:13+02:00 dla: update w3m status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -225,6 +225,7 @@ w3m (Sylvain Beucler) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/42 NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) + NOTE: 20230819: No ASAN errors with the PoCs, but the backported fixes do bring some (!), more testing needed. (Beuc) -- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fb8ec48bd756e99666061cf5da9029e3c6ac124 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fb8ec48bd756e99666061cf5da9029e3c6ac124 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
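Review bot: the new w3m note records that the backported fixes introduce ASAN errors that the original PoCs do not trigger, but not which backport or which input produces them, so the finding cannot be reproduced from the tracker alone; add the CVE id of the offending backport and where the ASAN output is kept (the lts-updates-tasks issue #42 linked in the entry would do), and say whether this blocks the update or is a pre-existing bug exposed by the new code.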
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for faad2 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a6bc3768 by Salvatore Bonaccorso at 2023-08-19T19:22:17+02:00 Add Debian bug references for faad2 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -551,12 +551,12 @@ CVE-2023-38861 (An issue in Wavlink WL_WNJ575A3 v.R75A3_V1410_220513 allows a re CVE-2023-38860 (An issue in LangChain v.0.0.231 allows a remote attacker to execute ar ...) NOT-FOR-US: LangChain CVE-2023-38858 (Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacke ...) - - faad2 + - faad2 (bug #1050095) [bookworm] - faad2 (Minor issue) [bullseye] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/173 CVE-2023-38857 (Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacke ...) - - faad2 + - faad2 (bug #1050094) [bookworm] - faad2 (Minor issue) [bullseye] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/171 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6bc37685dc4755141560f9a4ecd05ff6e26a1da -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6bc37685dc4755141560f9a4ecd05ff6e26a1da You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2023-4135
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df49fdc6 by Salvatore Bonaccorso at 2023-08-19T19:09:04+02:00 Reference upstream commit for CVE-2023-4135 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2040,7 +2040,7 @@ CVE-2023-4135 (A heap out-of-bounds memory read flaw was found in the virtual nv NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229101 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-CAN-21521 NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/73064edfb864743cde2c08f319609344af02aeb3 (v8.0.0-rc0) - NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-08/msg00516.html + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf (v8.1.0-rc4) CVE-2023-39552 (PHPGurukul Online Security Guards Hiring System v.1.0 is vulnerable to ...) NOT-FOR-US: PHPGurukul Online Security Guards Hiring System CVE-2023-39551 (PHPGurukul Online Security Guards Hiring System v.1.0 is vulnerable to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df49fdc6342a39a36a36cda62cb25ff821c5613d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df49fdc6342a39a36a36cda62cb25ff821c5613d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
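Review bot: replacing the "Proposed patch" line drops the qemu-devel thread, which holds the review discussion behind the fix; keep it as an additional NOTE under the "Fixed by" line rather than removing it, as other entries on this page do when references accumulate. The hunk context does not include the package line, so whether the qemu fixed version was updated alongside cannot be checked here.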
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-40165 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 50d54116 by Salvatore Bonaccorso at 2023-08-19T17:01:11+02:00 Mark CVE-2023-40165 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -136,7 +136,7 @@ CVE-2023-40272 (Apache Airflow Spark Provider, versions before 4.1.3, is affecte CVE-2023-40168 (TurboWarp is a desktop application that compiles scratch projects to J ...) NOT-FOR-US: TurboWarp CVE-2023-40165 (rubygems.org is the Ruby community's primary gem (library) hosting ser ...) - TODO: check + NOT-FOR-US: rubygems/rubygems.org CVE-2023-3698 (Printer service fails to adequately handle user input, allowing an rem ...) NOT-FOR-US: ASUSTOR CVE-2023-3697 (Printer service fails to adequately handle user input, allowing an rem ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50d541166b358c357ab8f37a719d5e113517e743 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50d541166b358c357ab8f37a719d5e113517e743 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
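Review bot: "NOT-FOR-US: rubygems/rubygems.org" can be misread as referring to the rubygems library shipped in Debian; spell out that this is the hosting service, for example "rubygems.org hosting service (different from src:rubygems)", following the pattern used for Cockpit ("different from src:cockpit") elsewhere on this page.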
[Git][security-tracker-team/security-tracker][master] Process CVE-2023-39908 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d0d12b5 by Salvatore Bonaccorso at 2023-08-19T16:55:37+02:00 Process CVE-2023-39908 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -663,7 +663,7 @@ CVE-2023-3328 (The Custom Field For WP Job Manager WordPress plugin before 1.2 d CVE-2023-3160 (The vulnerability potentially allows an attacker to misuse ESET\u2019s ...) NOT-FOR-US: ESET CVE-2023-39908 (The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not proper ...) - TODO: check + NOT-FOR-US: YubiHSM 2 SDK CVE-2023-39293 (A Command Injection vulnerability has been identified in the MiVoice O ...) NOT-FOR-US: Mitel CVE-2023-39292 (A SQL Injection vulnerability has been identified in the MiVoice Offic ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d0d12b5b12bdbebdaebfb3acda98b345a9192e9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d0d12b5b12bdbebdaebfb3acda98b345a9192e9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
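Review bot: the NFU names the YubiHSM 2 SDK as a whole although the CVE description is specific to its PKCS11 module; recording which component was checked against the archive (or that none of the SDK is packaged) would keep the NFU from having to be revisited if part of the SDK is packaged later.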
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-39743/lrzip-next, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90c5093d by Salvatore Bonaccorso at 2023-08-19T16:50:50+02:00 Add CVE-2023-39743/lrzip-next, itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -154,7 +154,7 @@ CVE-2023-39971 (Improper Neutralization of Input During Web Page Generation vuln CVE-2023-39970 (Unrestricted Upload of File with Dangerous Type vulnerability in AcyMa ...) NOT-FOR-US: Joomla component CVE-2023-39743 (lrzip-next LZMA v23.01 was discovered to contain an access violation v ...) - TODO: check + - lrzip-next (bug #1042088) CVE-2023-39741 (lrzip v0.651 was discovered to contain a heap overflow via the libzpaq ...) - lrzip NOTE: https://github.com/ckolivas/lrzip/issues/246 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90c5093d4fc92053bae46cf2024ea60d5786820d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90c5093d4fc92053bae46cf2024ea60d5786820d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
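Review bot: the commit message says lrzip-next is ITP'ed, but the hunk shows only `- lrzip-next (bug #1042088)` with no visible ITP marker; if the rendering stripped it, fine, otherwise the entry reads as an archive package with an open bug rather than a package not yet in Debian, and the marker should be added.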
[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2023-39975
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fc80c8eb by Salvatore Bonaccorso at 2023-08-19T16:26:59+02:00 Add additional reference for CVE-2023-39975 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -281,6 +281,7 @@ CVE-2023-4204 (NPort IAW5000A-I/O Series firmware version v2.2 and prior is affe NOT-FOR-US: NPort IAW5000A-I/O Series firmware CVE-2023-39975 (kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a ...) - krb5 (Vulnerable code not present) + NOTE: https://github.com/krb5/krb5/pull/1312 NOTE: Introduced by: https://github.com/krb5/krb5/commit/a9705a1e0b2cf0cde3e6f8dee14c25ffc074c00a (krb5-1.21-beta1) NOTE: Fixed by: https://github.com/krb5/krb5/commit/88a1701b423c13991a8064feeb26952d3641d840 CVE-2023-39507 (Improper authorization in the custom URL scheme handler in "Rikunabi N ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc80c8eb4f29f34ff9d2daaa38b8c24c069b742f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc80c8eb4f29f34ff9d2daaa38b8c24c069b742f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed update for rar via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 29c8e570 by Salvatore Bonaccorso at 2023-08-19T15:18:46+02:00 Track proposed update for rar via bullseye-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -171,3 +171,5 @@ CVE-2022-0194 [bullseye] - netatalk 3.1.12~ds-8+deb11u1 CVE-2021-31439 [bullseye] - netatalk 3.1.12~ds-8+deb11u1 +CVE-2022-30333 + [bullseye] - rar 2:6.20-0.1~deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29c8e570d53bbeec0b2c1d9894b2b37bb5e49d8c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29c8e570d53bbeec0b2c1d9894b2b37bb5e49d8c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
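Review bot: the bullseye-pu entry for CVE-2022-30333 records the target version 2:6.20-0.1~deb11u1 but no bug number for the pu request, so there is nothing to follow if the release team asks for changes; add the pu bug reference (beside the version or as a NOTE in the CVE entry) so the state of the request can be tracked from here.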
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-40175/puma
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd05ee42 by Salvatore Bonaccorso at 2023-08-19T14:59:46+02:00 Add Debian bug reference for CVE-2023-40175/puma - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2023-4433 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit- CVE-2023-4432 (Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq ...) NOT-FOR-US: Cockpit Content Platform (different from src:cockpit) CVE-2023-40175 (Puma is a Ruby/Rack web server built for parallelism. Prior to version ...) - - puma + - puma (bug #1050079) NOTE: https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8 NOTE: https://github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a (master) NOTE: https://github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1 (v6.3.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd05ee425e6f871a43cbf711897fdc9e2f634e03 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd05ee425e6f871a43cbf711897fdc9e2f634e03 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-24187/iotjs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f12ef7b5 by Salvatore Bonaccorso at 2023-08-19T14:00:03+02:00 Add CVE-2020-24187/iotjs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -214425,7 +214425,8 @@ CVE-2020-24189 CVE-2020-24188 (Cross-site scripting (XSS) vulnerability in the search functionality i ...) NOT-FOR-US: United Planet Intrexx Professional CVE-2020-24187 (An issue was discovered in ecma-helpers.c in jerryscript version 2.3.0 ...) - TODO: check + - iotjs + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4076 CVE-2020-24186 (A Remote Code Execution vulnerability exists in the gVectors wpDiscuz ...) NOT-FOR-US: gVectors wpDiscuz plugin for WordPress CVE-2020-24185 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f12ef7b5efd322a793faf98f7e5a90f1cd6e83a0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f12ef7b5efd322a793faf98f7e5a90f1cd6e83a0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
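Review bot: CVE-2020-24187 is described against jerryscript (ecma-helpers.c) yet assigned to src:iotjs with no explanation, bug reference or suite annotations; add a NOTE saying why iotjs is the affected source (an embedded copy of jerryscript, if that is the reason) and whether the embedded version contains the affected code, plus a bug reference, otherwise the mapping from CVE to package is not obvious to the next reader.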
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-24904/gnome-gmail
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 249a46ae by Salvatore Bonaccorso at 2023-08-19T13:58:48+02:00 Add CVE-2020-24904/gnome-gmail - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -212701,7 +212701,9 @@ CVE-2020-24906 CVE-2020-24905 RESERVED CVE-2020-24904 (An issue was discovered in attach parameter in GNOME Gmail version 2.5 ...) - TODO: check + - gnome-gmail + NOTE: https://github.com/davesteele/gnome-gmail/issues/84 + TODO: check, might be an issue as well in src:viagee CVE-2020-24903 (Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scri ...) NOT-FOR-US: Cute Editor for ASP.NET CVE-2020-24902 (Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XS ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/249a46aec5a971cbe0902e44f0a352c3b7e35b9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/249a46aec5a971cbe0902e44f0a352c3b7e35b9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d0b3195 by Salvatore Bonaccorso at 2023-08-19T13:58:23+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12603,11 +12603,11 @@ CVE-2023-25183 (In Snap One OvrC Pro versions prior to 7.2, when logged into the CVE-2023-2319 (It was discovered that an update for PCS package in RHBA-2023:2151 err ...) NOT-FOR-US: ed Hat Enterprise Linux 9.2 specific security regression from CVE-2023-28154 CVE-2023-2318 (DOM-based XSS in src/muya/lib/contentState/pasteCtrl.js in MarkText 0. ...) - TODO: check + NOT-FOR-US: MarkText CVE-2023-2317 (DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows ...) - TODO: check + NOT-FOR-US: Typora CVE-2023-2316 (Improper path handling in Typora before 1.6.7 on Windows and Linux all ...) - TODO: check + NOT-FOR-US: Typora CVE-2023-2315 RESERVED CVE-2023-31269 
@@ -14174,7 +14174,7 @@ CVE-2023-2112 (Desktop component service allows lateral movement between session CVE-2023-2111 (The Fast & Effective Popups & Lead-Generation for WordPress plugin bef ...) NOT-FOR-US: WordPress plugin CVE-2023-2110 (Improper path handling in Obsidian desktop before 1.2.8 on Windows, Li ...) - TODO: check + NOT-FOR-US: Obsidian CVE-2023-30775 (A vulnerability was found in the libtiff library. This security flaw c ...) - tiff 4.5.0-2 (unimportant) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/464 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d0b3195249700d99fd7906b0e10cee688ac8e1d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d0b3195249700d99fd7906b0e10cee688ac8e1d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
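Review bot: the untouched context line above CVE-2023-2318 reads "NOT-FOR-US: ed Hat Enterprise Linux 9.2 ...", a dropped "R" in "Red Hat"; worth correcting in the same pass through this region so the NFU rationale is searchable.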
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3932 for gitlab
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 225fe5d6 by Salvatore Bonaccorso at 2023-08-19T13:57:09+02:00 Add CVE-2023-3932 for gitlab - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2256,7 +2256,7 @@ CVE-2023-4111 (A vulnerability was found in PHP Jabbers Bus Reservation System 1 CVE-2023-4110 (A vulnerability has been found in PHP Jabbers Availability Booking Cal ...) NOT-FOR-US: PHP Jabbers Availability Booking Calendar CVE-2023-3932 (An issue has been discovered in GitLab EE affecting all versions start ...) - TODO: check + - gitlab (Specific to EE) CVE-2023-3766 (A vulnerability was discovered in the odoh-rs rust crate that stems fr ...) NOT-FOR-US: odoh-rs Rust crate CVE-2023-3749 (A local user could edit the VideoEdge configuration file and interfere ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/225fe5d6e9b143e84a1c2e5d2e41353e4c62b042 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/225fe5d6e9b143e84a1c2e5d2e41353e4c62b042 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
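Review bot: `- gitlab (Specific to EE)` has no visible status tag; without one the tracker treats the issue as open for the gitlab source package even though the remark says only the Enterprise Edition is affected. If the tag was stripped in rendering, ignore this; otherwise mark the entry so it drops out of the open-issue lists.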
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40175/puma
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c58799e by Salvatore Bonaccorso at 2023-08-19T12:50:49+02:00 Add CVE-2023-40175/puma - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,11 @@ CVE-2023-4433 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit- CVE-2023-4432 (Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq ...) NOT-FOR-US: Cockpit Content Platform (different from src:cockpit) CVE-2023-40175 (Puma is a Ruby/Rack web server built for parallelism. Prior to version ...) - TODO: check + - puma + NOTE: https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8 + NOTE: https://github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a (master) + NOTE: https://github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1 (v6.3.1) + NOTE: https://github.com/puma/puma/commit/7405a219801dcebc0ad6e0aa108d4319ca23f662 (v5.6.7) CVE-2023-40174 (Social media skeleton is an uncompleted/framework social media project ...) NOT-FOR-US: social-media-skeleton CVE-2023-40173 (Social media skeleton is an uncompleted/framework social media project ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c58799ec6444ac394117f3405d3585ca9cb742a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c58799ec6444ac394117f3405d3585ca9cb742a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
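Review bot: the puma entry gains the advisory and the three fix commits but no Debian bug reference or suite annotations; a bug is added in the follow-up commit fd05ee42 on this page, so the remaining gap is the bookworm and bullseye status, for which the v6.3.1 and v5.6.7 backport commits linked here are the references to consult.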
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e2ab2e96 by Salvatore Bonaccorso at 2023-08-19T12:30:01+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,21 +1,21 @@ CVE-2023-4433 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...) - TODO: check + NOT-FOR-US: Cockpit Content Platform (different from src:cockpit) CVE-2023-4432 (Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq ...) - TODO: check + NOT-FOR-US: Cockpit Content Platform (different from src:cockpit) CVE-2023-40175 (Puma is a Ruby/Rack web server built for parallelism. Prior to version ...) TODO: check CVE-2023-40174 (Social media skeleton is an uncompleted/framework social media project ...) - TODO: check + NOT-FOR-US: social-media-skeleton CVE-2023-40173 (Social media skeleton is an uncompleted/framework social media project ...) - TODO: check + NOT-FOR-US: social-media-skeleton CVE-2023-40172 (Social media skeleton is an uncompleted/framework social media project ...) - TODO: check + NOT-FOR-US: social-media-skeleton CVE-2023-40037 (Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in ...) - TODO: check + NOT-FOR-US: Apache NiFi CVE-2023-38839 (SQL injection vulnerability in Kidus Minimati v.1.0.0 allows a remote ...) - TODO: check + NOT-FOR-US: Kidus Minimati CVE-2023-2971 (Improper path handling in Typora before 1.7.0-dev on Windows and Linux ...) - TODO: check + NOT-FOR-US: Typora CVE-2023-4422 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...) NOT-FOR-US: Cockpit Content Platform (different from src:cockpit) CVE-2023-4415 (A vulnerability was found in Ruijie RG-EW1200G 07161417 r483. It has b ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2ab2e96484133351b8e6b1e7000e1e05926a77b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2ab2e96484133351b8e6b1e7000e1e05926a77b You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4265b5fe by security tracker role at 2023-08-19T08:11:54+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2023-4433 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...) + TODO: check +CVE-2023-4432 (Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq ...) + TODO: check +CVE-2023-40175 (Puma is a Ruby/Rack web server built for parallelism. Prior to version ...) + TODO: check +CVE-2023-40174 (Social media skeleton is an uncompleted/framework social media project ...) + TODO: check +CVE-2023-40173 (Social media skeleton is an uncompleted/framework social media project ...) + TODO: check +CVE-2023-40172 (Social media skeleton is an uncompleted/framework social media project ...) + TODO: check +CVE-2023-40037 (Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in ...) + TODO: check +CVE-2023-38839 (SQL injection vulnerability in Kidus Minimati v.1.0.0 allows a remote ...) + TODO: check +CVE-2023-2971 (Improper path handling in Typora before 1.7.0-dev on Windows and Linux ...) + TODO: check CVE-2023-4422 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...) NOT-FOR-US: Cockpit Content Platform (different from src:cockpit) CVE-2023-4415 (A vulnerability was found in Ruijie RG-EW1200G 07161417 r483. It has b ...) 
@@ -2742,7 +2760,7 @@ CVE-2023-4010 (A flaw was found in the USB Host Controller Driver framework in t - linux NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2227726 NOTE: https://github.com/wanrenmi/a-usb-kernel-bug -CVE-2023-3997 (Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a po ...) +CVE-2023-3997 (Splunk SOAR versions lower than 6.1.0 are indirectly affected by a pot ...) NOT-FOR-US: Splunk SOAR CVE-2023-3983 (An authenticated SQL injection vulnerability exists in Advantech iView ...) NOT-FOR-US: Advantech iView @@ -12580,12 +12598,12 @@ CVE-2023-25183 (In Snap One OvrC Pro versions prior to 7.2, when logged into the NOT-FOR-US: Snap One CVE-2023-2319 (It was discovered that an update for PCS package in RHBA-2023:2151 err ...) NOT-FOR-US: ed Hat Enterprise Linux 9.2 specific security regression from CVE-2023-28154 -CVE-2023-2318 - RESERVED -CVE-2023-2317 - RESERVED -CVE-2023-2316 - RESERVED +CVE-2023-2318 (DOM-based XSS in src/muya/lib/contentState/pasteCtrl.js in MarkText 0. ...) + TODO: check +CVE-2023-2317 (DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows ...) + TODO: check +CVE-2023-2316 (Improper path handling in Typora before 1.6.7 on Windows and Linux all ...) + TODO: check CVE-2023-2315 RESERVED CVE-2023-31269 
@@ -14151,8 +14169,8 @@ CVE-2023-2112 (Desktop component service allows lateral movement between session NOT-FOR-US: M-Files CVE-2023-2111 (The Fast & Effective Popups & Lead-Generation for WordPress plugin bef ...) NOT-FOR-US: WordPress plugin -CVE-2023-2110 - RESERVED +CVE-2023-2110 (Improper path handling in Obsidian desktop before 1.2.8 on Windows, Li ...) + TODO: check CVE-2023-30775 (A vulnerability was found in the libtiff library. This security flaw c ...) - tiff 4.5.0-2 (unimportant) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/464 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4265b5fe2ed284fa9ea23df74a6df364561cf904 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4265b5fe2ed284fa9ea23df74a6df364561cf904 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits