[Git][security-tracker-team/security-tracker][master] Take flac
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: e6410196 by Utkarsh Gupta at 2023-08-28T09:12:28+05:30 Take flac - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -57,7 +57,7 @@ dogecoin firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- -flac +flac (utkarsh) NOTE: 20230827: Added by Front-Desk (utkarsh) NOTE: 20230827: incoming DSA -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e64101968cc7e58b8c887c4c3a5adfff3851f27b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e64101968cc7e58b8c887c4c3a5adfff3851f27b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 47559126 by Utkarsh Gupta at 2023-08-28T07:45:20+05:30 Update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -184,6 +184,7 @@ rails (utkarsh) NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea NOTE: 20221024: to break thrice in less than 2 month. NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) + NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47559126daaf1b4a5373f5e9130b7804dddcdf7b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47559126daaf1b4a5373f5e9130b7804dddcdf7b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3544-1 for clamav
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: d4b4f1da by Utkarsh Gupta at 2023-08-28T06:53:52+05:30 Reserve DLA-3544-1 for clamav - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Aug 2023] DLA-3544-1 clamav - security update + {CVE-2023-20197} + [buster] - clamav 0.103.9+dfsg-0+deb10u1 [27 Aug 2023] DLA-3543-1 rar - security update {CVE-2023-40477} [buster] - rar 2:6.23-1~deb10u1 = data/dla-needed.txt = @@ -40,9 +40,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -clamav (Utkarsh) - NOTE: 20230821: Added by Front-Desk (ta) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4b4f1daf757ade98bef88cc8e968cf750456ae1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4b4f1daf757ade98bef88cc8e968cf750456ae1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark poppler CVEs as no-dsa for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ca099e7 by Utkarsh Gupta at 2023-08-26T15:03:57+05:30 Mark poppler CVEs as no-dsa for buster - - - - - 99b5d438 by Utkarsh Gupta at 2023-08-26T15:06:07+05:30 Mark wireshark CVEs as no-dsa for buster - - - - - 3f37c81e by Utkarsh Gupta at 2023-08-26T15:11:45+05:30 Add tryton-server to dla-needed - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -64,6 +64,7 @@ CVE-2023-2906 (Due to a failure in validating the length provided by an attacker - wireshark 4.0.8-1 [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-26.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19229 CVE-2023-4534 (A vulnerability, which was classified as problematic, was found in Neo ...) 
@@ -309,18 +310,21 @@ CVE-2023-4513 (BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6. - wireshark 4.0.8-1 [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19259 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-25.html CVE-2023-4512 (CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of serv ...) - wireshark 4.0.8-1 [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19144 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-23.html CVE-2023-4511 (BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 t ...) - wireshark 4.0.8-1 [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19258 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-24.html CVE-2023-4230 (A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4 ...) @@ -73733,6 +73737,7 @@ CVE-2022-38350 CVE-2022-38349 (An issue was discovered in Poppler 22.08.0. There is a reachable asser ...) - poppler 22.12.0-2 [bullseye] - poppler (Minor issue) + [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1282 NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/4564a002bcb6094cc460bc0d5ddff9423fe6dd28 (poppler-22.09.0) CVE-2022-38348 
@@ -77123,16 +77128,19 @@ CVE-2022-37053 (TRENDnet TEW733GR v1.03B01 is vulnerable to Command injection vi CVE-2022-37052 (A reachable Object::getString assertion in Poppler 22.07.0 allows atta ...) - poppler 22.08.0-2 [bullseye] - poppler (Minor issue) + [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1278 NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/8677500399fc2548fa816b619580c2c07915a98c (poppler-22.08.0) CVE-2022-37051 (An issue was discovered in Poppler 22.07.0. There is a reachable abort ...) - poppler 22.08.0-2 [bullseye] - poppler (Minor issue) + [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1276 NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/4631115647c1e4f0482ffe0491c2f38d2231337b (poppler-22.08.0) CVE-2022-37050 (In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers t ...) - poppler 22.08.0-2 [bullseye] - poppler (Minor issue) + [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1274 NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/dcd5bd8238ea448addd102ff045badd0aca1b990 (poppler-22.08.0) CVE-2022-37049 (The component tcpprep in Tcpreplay v4.4.1 was discovered to contain a ...) = data/dla-needed.txt = @@ -246,3 +246,7 @@ trafficserver NOTE: 20230826: Ubuntu side and track the fixing commits. I'll update when NOTE: 20230826: I have the answer here. (utkarsh) -- +tryton-server + NOTE: 20230826: Added by Front-Desk (utkarsh) + NOTE: 20230826: sync with the DSA released. (utkarsh) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/89d4f988a5442d2dbb52bd91084907ffb7bb6960...3f37c81eb9e0f7a6de071fc7d29e254029f62858 -- View it on GitLab:
[Git][security-tracker-team/security-tracker][master] 19 commits: Add trafficserver to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: fd0c184e by Utkarsh Gupta at 2023-08-26T14:20:24+05:30 Add trafficserver to dla-needed - - - - - cd8a6baa by Utkarsh Gupta at 2023-08-26T14:23:19+05:30 Add freeimage to dla-needed - - - - - 18ad23b8 by Utkarsh Gupta at 2023-08-26T14:42:11+05:30 Add python2.7 to dla-needed - - - - - d9f282f4 by Utkarsh Gupta at 2023-08-26T14:46:13+05:30 Add c-ares to dla-needed - - - - - ebf6bd82 by Utkarsh Gupta at 2023-08-26T14:47:42+05:30 Mark CVE-2022-447{29,30}/batik as no-dsa for buster - - - - - 6faeaf9d by Utkarsh Gupta at 2023-08-26T14:48:11+05:30 Mark CVE-2022-48174/busybox as no-dsa for buster - - - - - dc545b60 by Utkarsh Gupta at 2023-08-26T14:48:43+05:30 Mark CVE-2022-41444/cacti as no-dsa for buster - - - - - 2d3d57b8 by Utkarsh Gupta at 2023-08-26T14:49:10+05:30 Mark CVE-2022-34038/etcd as no-dsa for buster - - - - - 18591a2c by Utkarsh Gupta at 2023-08-26T14:49:43+05:30 Mark CVE-2020-24904/gnome-gmail as no-dsa for buster - - - - - aab0ef6c by Utkarsh Gupta at 2023-08-26T14:50:06+05:30 Mark CVE-2022-45582/horizon as no-dsa for buster - - - - - 593e97c7 by Utkarsh Gupta at 2023-08-26T14:51:05+05:30 Mark CVE-2020-24187/iotjs as ignored for buster - - - - - e613c18c by Utkarsh Gupta at 2023-08-26T14:51:45+05:30 Mark CVE-2023-38961/iotjs as ignored for buster - - - - - 93239e0d by Utkarsh Gupta at 2023-08-26T14:52:43+05:30 Mark CVE-2022-4857libcrypto++ as no-dsa for buster - - - - - f587f8fe by Utkarsh Gupta at 2023-08-26T14:53:09+05:30 Mark CVE-2022-43358/libsass as no-dsa for buster - - - - - 19eff1f2 by Utkarsh Gupta at 2023-08-26T14:53:35+05:30 Mark CVE-2020-21896/mupdf as no-dsa for buster - - - - - 815e4e60 by Utkarsh Gupta at 2023-08-26T14:53:56+05:30 Mark CVE-2022-29654/nasm as no-das for buster - - - - - 74f6d092 by Utkarsh Gupta at 2023-08-26T14:54:19+05:30 Mark CVE-2021-34193/opensc as no-dsa for buster - - - - - f7f4a9b6 by Utkarsh Gupta at 2023-08-26T14:54:43+05:30 
Mark CVE-2022-36648/qemu as postponed for buster - - - - - 89d4f988 by Utkarsh Gupta at 2023-08-26T14:55:20+05:30 Mark CVE-2021-28025/qtsvg-opensource-src as no-dsa for buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -564,6 +564,7 @@ CVE-2022-48570 (Crypto++ through 8.4 contains a timing side channel in ECDSA sig - libcrypto++ [bookworm] - libcrypto++ (Minor issue) [bullseye] - libcrypto++ (Minor issue) + [buster] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/992 NOTE: This issue exists because the CVE-2019-14318 fix was intentionally removed for NOTE: functionality reasons. @@ -701,6 +702,7 @@ CVE-2023-38976 (An issue in weaviate v.1.20.0 allows a remote attacker to cause CVE-2023-38961 (Buffer Overflwo vulnerability in JerryScript Project jerryscript v.3.0 ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5092 CVE-2023-38899 (SQL injection vulnerability in berkaygediz O_Blog v.1.0 allows a local ...) NOT-FOR-US: berkaygediz O_Blog @@ -41110,6 +41112,7 @@ CVE-2022-48174 (There is a stack overflow vulnerability in ash.c:6030 in busybox - busybox [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) + [buster] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=15216 NOTE: https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209 CVE-2022-48173 @@ -50550,6 +50553,7 @@ CVE-2022-45582 (Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru - horizon 3:23.1.0-3 [bookworm] - horizon (Minor issue) [bullseye] - horizon (Minor issue) + [buster] - horizon (Minor issue) NOTE: https://bugs.launchpad.net/horizon/+bug/1982676 NOTE: https://opendev.org/openstack/horizon/commit/beed6bf6f6f83df9972db5fb539d64175ce12ce9 (19.4.0) NOTE: https://opendev.org/openstack/horizon/commit/2f600272bfffb3024e6f06a369f9b4768dd1a0b0 (20.1.4) 
@@ -53269,12 +53273,14 @@ CVE-2022-44730 (Server-Side Request Forgery (SSRF) vulnerability in Apache Softw - batik 1.17+dfsg-1 [bookworm] - batik (Minor issue) [bullseye] - batik (Minor issue) + [buster] - batik (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/08/22/3 NOTE: https://issues.apache.org/jira/browse/BATIK-1347 CVE-2022-44729 (Server-Side Request Forgery (SSRF) vulnerability in Apache Software Fo ...) - batik 1.17+dfsg-1 [bookworm] - batik (Minor issue) [bullseye] - batik (Minor issue) + [buster] - batik (Minor issue) NOTE:
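Review bot: the commit message for 93239e0d, "Mark CVE-2022-4857libcrypto++ as no-dsa for buster", does not match the hunk at @@ -564, which tags CVE-2022-48570; the message drops the last digit and the slash and should read "Mark CVE-2022-48570/libcrypto++ as no-dsa for buster". In the same push, 815e4e60's message says "no-das" where every other message says "no-dsa". Neither affects the data files, but both make the log hard to search by CVE id or by status.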
[Git][security-tracker-team/security-tracker][master] Add tiff to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: db782f45 by Utkarsh Gupta at 2023-08-26T14:16:57+05:30 Add tiff to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -220,3 +220,6 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +tiff + NOTE: 20230826: Added by Front-Desk (utkarsh) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db782f459563dab35f523af6a619a1a1f1e68ed9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db782f459563dab35f523af6a619a1a1f1e68ed9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add flac to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 8122a805 by Utkarsh Gupta at 2023-08-26T14:15:39+05:30 Add flac to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,6 +56,10 @@ dogecoin firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- +flac + NOTE: 20230827: Added by Front-Desk (utkarsh) + NOTE: 20230827: incoming DSA +-- flask-security (Sean Whitton) NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230811: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/37 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8122a80577b21d25913c60ae1b7f27dfb61c8a8c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8122a80577b21d25913c60ae1b7f27dfb61c8a8c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d3f99ea by security tracker role at 2023-08-27T20:12:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4440,6 +4440,7 @@ CVE-2023-3828 (A vulnerability was found in Bug Finder Listplace Directory Listi CVE-2023-3827 (A vulnerability was found in Bug Finder Listplace Directory Listing Pl ...) NOT-FOR-US: Bug Finder CVE-2023-38633 (A directory traversal problem in the URL decoder of librsvg before 2.5 ...) + {DSA-5484-1} - librsvg 2.54.7+dfsg-1 (bug #1041810) [buster] - librsvg (The vulnerable code was introduced later) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1213502 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d3f99eadbd82094564602a14f68ddda7ff2621c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d3f99eadbd82094564602a14f68ddda7ff2621c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2022-39269 for src:ring
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 792edf9f by Salvatore Bonaccorso at 2023-08-27T21:11:10+02:00 Update information on CVE-2022-39269 for src:ring - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -70685,8 +70685,11 @@ CVE-2022-39269 (PJSIP is a free and open source multimedia communication library - asterisk 1:20.3.0~dfsg+~cs6.13.40431413-1 (bug #1032092) - pjproject - ring 20230206.0~ds1-1 + [bullseye] - ring (Vulnerable code introduced later) + [buster] - ring (Vulnerable code introduced later) NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg - NOTE: https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc + NOTE: Introduced by: https://github.com/pjsip/pjproject/commit/db4f8f23b9962b4e567faa0784608174376ead8f (2.11) + NOTE: Fixed by: https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc (2.13) CVE-2022-39268 (### Impact In a CSRF attack, an innocent end user is tricked by an att ...) NOT-FOR-US: orchest/orchest CVE-2022-39267 (Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/792edf9f55be0553b48419c371ee154f94193407 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/792edf9f55be0553b48419c371ee154f94193407 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
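Review bot: the two added suite lines ("[bullseye] - ring (Vulnerable code introduced later)" and the buster twin) rest on the pjproject copy embedded in each suite's ring being older than the 2.11 commit named in the new "Introduced by:" NOTE, but the hunk does not record which embedded pjproject version those ring packages carry. A NOTE stating the bundled pjproject version for bullseye and buster would make the "introduced later" claim checkable without re-reading the sources.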
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cf84920 by Thorsten Alteholz at 2023-08-27T19:41:19+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ rather than remove/replace existing ones. -- amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) - NOTE: 20230813: testing packages (ta) + NOTE: 20230827: still testing package (ta) -- aom (Markus Koschany) NOTE: 20230823: Added by Front-Desk (apo) @@ -169,8 +169,7 @@ rails (utkarsh) -- ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) - NOTE: 20230507: testing package - NOTE: 20230813: testing package, not all tests pass yet + NOTE: 20230827: testing package, almost done -- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cf84920c5e395b3ebe4a04dae823724d0c650fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cf84920c5e395b3ebe4a04dae823724d0c650fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
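Review bot: both hunks replace the earlier dated progress lines (the 20230813 NOTE for amanda; the 20230507 and 20230813 NOTEs for ring) with a single new 20230827 line instead of appending one, so the previous status history disappears from the file. Appending a new dated NOTE under the existing ones, as other entries in dla-needed.txt do, keeps the timeline of an assignment visible to the next person picking it up.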
[Git][security-tracker-team/security-tracker][master] Add some "new" CVEs for ncurses
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ba4e92fa by Salvatore Bonaccorso at 2023-08-27T17:48:36+02:00 Add some new CVEs for ncurses - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -226228,17 +226228,23 @@ CVE-2020-19192 CVE-2020-19191 RESERVED CVE-2020-19190 (Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:7 ...) - TODO: check + - ncurses + NOTE: https://github.com/zjuchenyuan/fuzzpoc/blob/master/infotocap_poc6.md CVE-2020-19189 (Buffer Overflow vulnerability in postprocess_terminfo function in tinf ...) - TODO: check + - ncurses + NOTE: https://github.com/zjuchenyuan/fuzzpoc/blob/master/infotocap_poc5.md CVE-2020-19188 (Buffer Overflow vulnerability in fmt_entry function in progs/dump_entr ...) - TODO: check + - ncurses + NOTE: https://github.com/zjuchenyuan/fuzzpoc/blob/master/infotocap_poc4.md CVE-2020-19187 (Buffer Overflow vulnerability in fmt_entry function in progs/dump_entr ...) - TODO: check + - ncurses + NOTE: https://github.com/zjuchenyuan/fuzzpoc/blob/master/infotocap_poc3.md CVE-2020-19186 (Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp ...) - TODO: check + - ncurses + NOTE: https://github.com/zjuchenyuan/fuzzpoc/blob/master/infotocap_poc2.md CVE-2020-19185 (Buffer Overflow vulnerability in one_one_mapping function in progs/dum ...) - TODO: check + - ncurses + NOTE: https://github.com/zjuchenyuan/fuzzpoc/blob/master/infotocap_poc1.md CVE-2020-19184 RESERVED CVE-2020-19183 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba4e92faff1486f8fe8b558d9cc06f7211cd4f01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba4e92faff1486f8fe8b558d9cc06f7211cd4f01 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
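Review bot: each of the six entries changes from "TODO: check" to a bare "- ncurses" line with no fixed version, no severity tag and no per-suite tag, and the only reference added is the fuzzing PoC page. As the lines stand, the issues are recorded as open against ncurses everywhere with nothing bounding them. If the fixed upstream ncurses version is known, put it on the "- ncurses" line; otherwise add a severity or suite tag (and ideally an upstream bug or patch reference) once the reports have been triaged.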
[Git][security-tracker-team/security-tracker][master] Adjust one source package name for NFU product
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: db62b00f by Salvatore Bonaccorso at 2023-08-27T17:32:33+02:00 Adjust one source package name for NFU product - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2249,7 +2249,7 @@ CVE-2023-3386 (Improper Neutralization of Special Elements used in an SQL Comman CVE-2023-39549 (A vulnerability has been identified in Solid Edge SE2023 (All versions ...) NOT-FOR-US: Siemens Solid Edge CVE-2023-39533 (go-libp2p is the Go implementation of the libp2p Networking Stack. Pri ...) - NOT-FOR-US: go-libp2pC + NOT-FOR-US: go-libp2p CVE-2023-39532 (SES is a JavaScript environment that allows safe execution of arbitrar ...) NOT-FOR-US: SES CVE-2023-39518 (social-media-skeleton is an uncompleted social media project implement ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db62b00f292d7e33104d4b46211044d6de3d78e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db62b00f292d7e33104d4b46211044d6de3d78e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 64687fd8 by Salvatore Bonaccorso at 2023-08-27T17:31:41+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35,11 +35,11 @@ CVE-2023-40587 (Pyramid is an open source Python web framework. A path traversal NOTE: Underlying issue fixed in Python 3.11 and 3.12. TODO: check, claimed to be only affecting >= 2.0 CVE-2023-40586 (OWASP Coraza WAF is a golang modsecurity compatible web application fi ...) - TODO: check + NOT-FOR-US: OWASP Coraza WAF CVE-2023-40585 (ironic-image is a container image to run OpenStack Ironic as part of M ...) TODO: check CVE-2023-40583 (libp2p is a networking stack and library modularized out of The IPFS P ...) - TODO: check + NOT-FOR-US: go-libp2p CVE-2023-40571 (weblogic-framework is a tool for detecting weblogic vulnerabilities. V ...) TODO: check CVE-2023-40166 (Notepad++ is a free and open-source source code editor. Versions 8.5.6 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64687fd89654dad7b43eb5f0ba22be5e996badf4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64687fd89654dad7b43eb5f0ba22be5e996badf4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2023-40577
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ef42667d by Salvatore Bonaccorso at 2023-08-27T16:44:54+02:00 Track fixed version via unstable for CVE-2023-40577 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -110,7 +110,7 @@ CVE-2023-40580 (Freighter is a Stellar chrome extension. It may be possible for CVE-2023-40579 (OpenFGA is an authorization/permission engine built for developers and ...) NOT-FOR-US: OpenFGA CVE-2023-40577 (Alertmanager handles alerts sent by client applications such as the Pr ...) - - prometheus-alertmanager (bug #1050558) + - prometheus-alertmanager 0.26.0+ds-1 (bug #1050558) NOTE: https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j CVE-2023-40570 (Datasette is an open source multi-tool for exploring and publishing da ...) NOT-FOR-US: Datasette View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef42667ddfe89cbe5553a34ca7145cfc4425f9d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef42667ddfe89cbe5553a34ca7145cfc4425f9d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for librsvg update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f9c3acd by Salvatore Bonaccorso at 2023-08-27T16:20:53+02:00 Reserve DSA number for librsvg update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[27 Aug 2023] DSA-5484-1 librsvg - security update + {CVE-2023-38633} + [bullseye] - librsvg 2.50.3+dfsg-1+deb11u1 + [bookworm] - librsvg 2.54.7+dfsg-1~deb12u1 [25 Aug 2023] DSA-5483-1 chromium - security update {CVE-2023-4427 CVE-2023-4428 CVE-2023-4429 CVE-2023-4430 CVE-2023-4431} [bullseye] - chromium 116.0.5845.110-1~deb11u1 = data/dsa-needed.txt = @@ -24,9 +24,6 @@ frr (aron) libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- -librsvg (carnil) - Maintainer prepared updates to be released --- -- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f9c3acd82ee496414e0af05c6575d0f03619885 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f9c3acd82ee496414e0af05c6575d0f03619885 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fb90b5b by Salvatore Bonaccorso at 2023-08-27T14:35:15+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2023-4556 (A vulnerability was found in SourceCodester Online Graduate Tracer Sys ...) - TODO: check + NOT-FOR-US: SourceCodester Online Graduate Tracer System CVE-2023-4555 (A vulnerability has been found in SourceCodester Inventory Management ...) - TODO: check + NOT-FOR-US: SourceCodester Inventory Management System CVE-2023-4548 (A vulnerability classified as critical has been found in SPA-Cart eCom ...) NOT-FOR-US: SPA-Cart eCommerce CMS CVE-2023-4547 (A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has be ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fb90b5bf91813f6174d5312e73846e947fd5b99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fb90b5bf91813f6174d5312e73846e947fd5b99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-48522
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e5591159 by Salvatore Bonaccorso at 2023-08-27T14:23:16+02:00 Update information for CVE-2022-48522 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -636,6 +636,8 @@ CVE-2022-48538 (In Cacti 1.2.19, there is an authentication bypass in the web lo NOTE: Only an issue when running with PHP8.2. CVE-2022-48522 (In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based c ...) - perl 5.36.0-4 (unimportant) + [bullseye] - perl (Vulnerable code introduced later) + [buster] - perl (Vulnerable code introduced later) NOTE: Might be related to https://bugs.launchpad.net/ubuntu/+source/perl/+bug/2032667 NOTE: which is just a infinite recursion exhausting the stack, with negligible security NOTE: impact. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5591159f564c44f5a415837bfe2838df20058cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5591159f564c44f5a415837bfe2838df20058cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
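Review bot: the two added suite lines assert "Vulnerable code introduced later" for bullseye and buster, but the surrounding NOTE lines only say the issue "Might be related to" a Launchpad bug; there is no "Introduced by:" commit reference of the kind used in other entries, so a later reader cannot verify the suite tags against the perl sources. Adding the upstream commit that introduced the affected code path in S_find_uninit_var would make the tags checkable.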
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2023-4508/gerbv
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b06af240 by Salvatore Bonaccorso at 2023-08-27T13:40:08+02:00 Add fixed version via unstable for CVE-2023-4508/gerbv - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71,7 +71,7 @@ CVE-2023-4534 (A vulnerability, which was classified as problematic, was found i CVE-2023-4520 (The FV Flowplayer Video Player plugin for WordPress is vulnerable to S ...) NOT-FOR-US: FV Flowplayer Video Player plugin for WordPress CVE-2023-4508 (A user able to control file input to Gerbv, between versions 2.4.0 and ...) - - gerbv (bug #1050560) + - gerbv 2.10.0-1 (bug #1050560) NOTE: https://github.com/gerbv/gerbv/issues/191 NOTE: https://github.com/gerbv/gerbv/pull/192 NOTE: https://github.com/gerbv/gerbv/commit/5517e22250e935dc7f86f64ad414aeae3dbcb36a (v2.10.0-rc.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b06af240bbb983ab039779f087e164645142229e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b06af240bbb983ab039779f087e164645142229e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: dee70442 by security tracker role at 2023-08-27T08:12:08+00:00 automatic update
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -1,3 +1,7 @@ +CVE-2023-4556 (A vulnerability was found in SourceCodester Online Graduate Tracer Sys ...) + TODO: check +CVE-2023-4555 (A vulnerability has been found in SourceCodester Inventory Management ...) + TODO: check CVE-2023-4548 (A vulnerability classified as critical has been found in SPA-Cart eCom ...) NOT-FOR-US: SPA-Cart eCommerce CMS CVE-2023-4547 (A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has be ...) @@ -374,6 +378,7 @@ CVE-2023-39583 CVE-2023-39441 (Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provide ...) NOT-FOR-US: Apache Airflow SMTP Provider CVE-2023-40477 + {DLA-3543-1 DLA-3542-1} - rar 2:6.23-1 [bookworm] - rar (Non-free not supported) [bullseye] - rar (Non-free not supported)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dee70442fface431e2dd3a7bc1aab3f8ab706c86
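Review bot: the second hunk adds the {DLA-3543-1 DLA-3542-1} cross-reference for CVE-2023-40477 while the unchanged context lines still read "[bookworm] - rar (Non-free not supported)" and "[bullseye] - rar (Non-free not supported)". With a buster DLA issued for this non-free package and a bookworm update for rar 2:6.23-1~deb12u1 tracked in next-point-update.txt (the "Track proposed updates" commit on this page), the "not supported" markers for the stable suites look stale and need a manual revisit; the automatic update only adds the DLA reference and will not reconcile them.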
[Git][security-tracker-team/security-tracker][master] Drop CVE-2023-32001 as rejected
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: d61978d6 by Salvatore Bonaccorso at 2023-08-27T08:57:08+02:00 Drop CVE-2023-32001 as rejected
The CNA reason (Hackerone) is: Rejected Reason: We issued this CVE pre-maturely, as we have subsequently realized that this issue points out a problem that there really is no safe measures around or protections for.
2 changed files: - data/CVE/list - data/DSA/list
Changes:
= data/CVE/list =
@@ -4823,14 +4823,8 @@ CVE-2023-3446 (Issue summary: Checking excessively long DH keys or parameters ma NOTE: https://github.com/openssl/openssl/commit/9e0094e2aa1b3428a12d5095132f133c078d3c3d (master) NOTE: https://github.com/openssl/openssl/commit/1fa20cf2f506113c761777127a38bce5068740eb (openssl-3.0.10) NOTE: https://github.com/openssl/openssl/commit/8780a896543a654e757db1b9396383f9d8095528 (OpenSSL_1_1_1v) -CVE-2023-32001 (libcurl can be told to save cookie, HSTS and/or alt-svc data to files. ...) - {DSA-5460-1} - - curl 7.88.1-11 (bug #1041812) - [bullseye] - curl (Vulnerable code not present) - [buster] - curl (Vulnerable code not present) - NOTE: https://curl.se/docs/CVE-2023-32001.html - NOTE: Introduced at: https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f (curl-7_84_0) - NOTE: Fixed by: https://github.com/curl/curl/commit/0c667188e0c6cda615a036b8a2b4125f2c404dde (curl-8_2_0) +CVE-2023-32001 + REJECTED CVE-2023-3740 (Insufficient validation of untrusted input in Themes in Google Chrome ...) {DSA-5456-1} - chromium 115.0.5790.98-1
= data/DSA/list =
@@ -82,7 +82,6 @@ {CVE-2023-3390 CVE-2023-3610 CVE-2023-20593} [bullseye] - linux 5.10.179-3 [26 Jul 2023] DSA-5460-1 curl - security update - {CVE-2023-32001} [bookworm] - curl 7.88.1-10+deb12u1 [25 Jul 2023] DSA-5459-1 amd64-microcode - security update {CVE-2023-20593}
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d61978d6ee17a25ab0d8cff51f5bb61259d66d1e
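Review bot: collapsing the entry to a bare REJECTED also deletes the curl.se advisory link and the "Introduced at:" / "Fixed by:" commit references, and the DSA/list hunk strips {CVE-2023-32001} from DSA-5460-1, leaving a published advisory with no CVE line even though curl 7.88.1-10+deb12u1 shipped under it. Consider keeping a NOTE under the REJECTED entry (or under DSA-5460-1) stating that the DSA addressed the later-rejected CVE-2023-32001, so the history remains searchable and the DSA does not look like it fixed nothing.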
[Git][security-tracker-team/security-tracker][master] Track proposed updates for unrar-nonfree and rar via bookworm-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 18569b95 by Salvatore Bonaccorso at 2023-08-27T08:42:53+02:00 Track proposed updates for unrar-nonfree and rar via bookworm-pu
1 changed file: - data/next-point-update.txt
Changes:
= data/next-point-update.txt =
@@ -20,3 +20,6 @@ CVE-2022-44729 [bookworm] - batik 1.16+dfsg-1+deb12u1 CVE-2022-44730 [bookworm] - batik 1.16+dfsg-1+deb12u1 +CVE-2023-40477 + [bookworm] - unrar-nonfree 1:6.2.6-1+deb12u1 + [bookworm] - rar 2:6.23-1~deb12u1
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18569b950af60fe5e43cabb59136068111fa3218
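Review bot: the bookworm rar line tracks 2:6.23-1~deb12u1, a rebuild of the unstable 2:6.23-1 upload, while unrar-nonfree gets a targeted 1:6.2.6-1+deb12u1 revision of the version already in bookworm; once the point release happens the tracker will treat bookworm as fixed at exactly these strings, so confirm both against the accepted pu uploads before the release, and note in a NOTE line that rar is getting a new upstream version rather than a cherry-picked fix.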
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 1490561e by Salvatore Bonaccorso at 2023-08-27T08:39:00+02:00 Process two NFUs
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -1,7 +1,7 @@ CVE-2023-4548 (A vulnerability classified as critical has been found in SPA-Cart eCom ...) - TODO: check + NOT-FOR-US: SPA-Cart eCommerce CMS CVE-2023-4547 (A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has be ...) - TODO: check + NOT-FOR-US: SPA-Cart eCommerce CMS CVE-2023-4546 (A vulnerability was found in Beijing Baichuo Smart S85F Management Pla ...) NOT-FOR-US: Beijing Baichuo Smart S85F Management Plattform CVE-2023-4545 (A vulnerability was found in IBOS OA 4.5.5. It has been classified as ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1490561e6e1ca51549068ce48818c6f170ad6758
[Git][security-tracker-team/security-tracker][master] Fixup up back introductory sentence
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: d1eaeb8f by Salvatore Bonaccorso at 2023-08-27T08:35:13+02:00 Fixup up back introductory sentence
1 changed file: - data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -1,4 +1,4 @@ -rn LTS security update is needed for the following source packages. +An LTS security update is needed for the following source packages. To add a new entry, please coordinate with this week's Front-Desk person, and use the 'package-operations' LTS tool.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1eaeb8faf14019b34ac687762d1d39a5dfa7071
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3543-1 for rar
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: ef83169a by Markus Koschany at 2023-08-27T08:23:29+02:00 Reserve DLA-3543-1 for rar
2 changed files: - data/DLA/list - data/dla-needed.txt
Changes:
= data/DLA/list =
@@ -1,3 +1,6 @@ +[27 Aug 2023] DLA-3543-1 rar - security update + {CVE-2023-40477} + [buster] - rar 2:6.23-1~deb10u1 [26 Aug 2023] DLA-3542-1 unrar-nonfree - security update {CVE-2023-40477} [buster] - unrar-nonfree 1:5.6.6-1+deb10u4
= data/dla-needed.txt =
@@ -167,9 +167,6 @@ rails (utkarsh) NOTE: 20221024: to break thrice in less than 2 month. NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) -- -rar (Markus Koschany) NOTE: 20230826: Added by (apo) --- ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef83169aad133d4e475b3b970c5affe1c3edbe36
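Review bot: the reserved DLA-3543-1 entry already carries the final buster version 2:6.23-1~deb10u1 (a rebuild of the unstable upload, matching the bookworm-pu approach on this page), and the same commit drops rar from dla-needed.txt; if the buster upload is still pending, verify that string against the uploaded .changes before the automatic update picks it up (the "automatic update" commit on this page already adds the {DLA-3543-1 DLA-3542-1} cross-reference to CVE-2023-40477), because a mismatch would leave buster shown as fixed at a version that was never published.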