[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-43090/gnome-shell
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 29454058 by Salvatore Bonaccorso at 2023-09-18T07:28:36+02:00 Update information on CVE-2023-43090/gnome-shell - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -45,10 +45,13 @@ CVE-2023-43091 [Code injection via service.json file] NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gnome-maps/-/commit/d26cd774d524404ef7784e6808f551de83de4bea (v45.rc) CVE-2023-43090 [Screenshot tool allows viewing open windows when session is locked] - gnome-shell 44.5-1 (bug #1052067) + [bullseye] - gnome-shell (Vulnerable code introduced in 42.beta) + [buster] - gnome-shell (Vulnerable code introduced in 42.beta) NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6990 NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2944 - NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/521525948eed85cc27c0796a0b9569d161df81ba - NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/671df28a509ae208e158976f0855d91fdbea16a1 + NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/521525948eed85cc27c0796a0b9569d161df81ba + NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/671df28a509ae208e158976f0855d91fdbea16a1 + NOTE: Introduced around: https://gitlab.gnome.org/GNOME/gnome-shell/-/8ebc478f0f24720870c4911aef707f4dc34d140c CVE-2023-5001 (The Horizontal scrolling announcement for WordPress plugin for WordPre ...) NOT-FOR-US: Horizontal scrolling announcement for WordPress plugin for WordPress CVE-2023-4994 (The Allow PHP in Posts and Pages plugin for WordPress is vulnerable to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/294540589d1330e46f32066dfdb3404a4f330cc3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/294540589d1330e46f32066dfdb3404a4f330cc3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
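Review bot: The new "Introduced around" NOTE is missing the commit/ path segment: https://gitlab.gnome.org/GNOME/gnome-shell/-/8ebc478f0f24720870c4911aef707f4dc34d140c does not point at a commit page, whereas the two "Fixed by" URLs in the same hunk use the .../gnome-shell/-/commit/<sha> form. A second point: the added bullseye and buster lines, as rendered here, show only the parenthesised reason "(Vulnerable code introduced in 42.beta)" directly after the package name with no status keyword in between; if the not-affected marker was dropped by the mail rendering that is fine, otherwise it has to be present for the tracker to treat those suites as unaffected rather than as unfixed with a comment.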
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b2424b6 by Moritz Muehlenhoff at 2023-09-17T23:22:36+02:00 bullseye/bookworm triage - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -23,9 +23,11 @@ cinder/oldstable -- flac/oldstable (jmm) -- -gnome-shell +gnome-shell (jmm) Maintainer preparing updates -- +gpac/oldstable (jmm) +-- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- @@ -33,6 +35,8 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y and 6.1.y versions -- +lldpd +-- nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b2424b6f08917cb6c499f9462923571f817680c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b2424b6f08917cb6c499f9462923571f817680c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
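Review bot: The new lldpd entry is the only addition in this diff without an owner or a status note; gpac/oldstable gets "(jmm)", and gnome-shell both gains "(jmm)" and keeps its "Maintainer preparing updates" line. Add a one-line note saying who is handling lldpd or what it is waiting on, otherwise it is not clear from the file whether the package is claimed or merely queued.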
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 65f3ff83 by Salvatore Bonaccorso at 2023-09-17T22:15:24+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2023-5028 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: China Unicom TEWA-800G CVE-2023-5027 (A vulnerability classified as critical was found in SourceCodester Sim ...) - TODO: check + NOT-FOR-US: SourceCodester Simple Membership System CVE-2023-5026 (A vulnerability classified as problematic has been found in Tongda OA ...) - TODO: check + NOT-FOR-US: Tongda OA CVE-2023-5025 (A vulnerability was found in KOHA up to 23.05.03. It has been declared ...) NOT-FOR-US: KOHA CVE-2023-5024 (A vulnerability was found in Planno 23.04.04. It has been classified a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65f3ff838dd87101a05d205a8496b917900ca2e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65f3ff838dd87101a05d205a8496b917900ca2e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 00b50173 by security tracker role at 2023-09-17T20:12:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2023-5028 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2023-5027 (A vulnerability classified as critical was found in SourceCodester Sim ...) + TODO: check +CVE-2023-5026 (A vulnerability classified as problematic has been found in Tongda OA ...) + TODO: check CVE-2023-5025 (A vulnerability was found in KOHA up to 23.05.03. It has been declared ...) NOT-FOR-US: KOHA CVE-2023-5024 (A vulnerability was found in Planno 23.04.04. It has been classified a ...) @@ -759,7 +765,7 @@ CVE-2023-4900 (Inappropriate implementation in Custom Tabs in Google Chrome on A - chromium 117.0.5938.62-1 [buster] - chromium (see DSA 5046) CVE-2023-4863 (Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 ...) - {DSA-5498-1 DSA-5497-1 DSA-5496-1 DLA-3568-1} + {DSA-5497-2 DSA-5498-1 DSA-5497-1 DSA-5496-1 DLA-3569-1 DLA-3568-1} - chromium 117.0.5938.62-1 (unimportant) [buster] - chromium (see DSA 5046) - firefox 117.0.1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00b50173dd42fc5d0b2ede1882ffe81f25b31717 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00b50173dd42fc5d0b2ede1882ffe81f25b31717 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2021-29390/libjpeg-turbo
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d395e245 by Salvatore Bonaccorso at 2023-09-17T22:01:13+02:00 Update information for CVE-2021-29390/libjpeg-turbo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -174021,9 +174021,12 @@ CVE-2021-29392 CVE-2021-29391 RESERVED CVE-2021-29390 (libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 byte ...) - - libjpeg-turbo + - libjpeg-turbo (Vulnerable code not in a Debian released version) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1943797 - TODO: check, no sensible information and RHBZ#1943797 is restricted + NOTE: Context: https://github.com/libjpeg-turbo/libjpeg-turbo/pull/724 + NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/pull/476 + NOTE: Introduced by: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/42825b68d570fb07fe820ac62ad91017e61e9a25 (2.0.90) + NOTE: Fixed by: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/ccaba5d7894ecfb5a8f11e48d3f86e1f14d5a469 (2.1.0) CVE-2021-29389 RESERVED CVE-2021-29388 (A stored cross-site scripting (XSS) vulnerability in SourceCodester Bu ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d395e24584aa1245fbd47ef38909abcb805932ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d395e24584aa1245fbd47ef38909abcb805932ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
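Review bot: The unstable line now reads "- libjpeg-turbo (Vulnerable code not in a Debian released version)", but the notes in this hunk only establish that the bug was introduced in 2.0.90 and fixed in 2.1.0; nothing here records which upstream versions Debian actually shipped. Consider recording the first fixed Debian version (the first upload based on 2.1.0 or later) so the status follows from version comparison rather than from the free-text reason, keeping the "Introduced by" and "Fixed by" commits as the supporting evidence.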
[Git][security-tracker-team/security-tracker][master] Add gnome-shell to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13586562 by Salvatore Bonaccorso at 2023-09-17T20:43:19+02:00 Add gnome-shell to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -23,6 +23,9 @@ cinder/oldstable -- flac/oldstable (jmm) -- +gnome-shell + Maintainer preparing updates +-- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/135865629979fc2ba2d51b189b887001dc44b11a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/135865629979fc2ba2d51b189b887001dc44b11a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixes via unstable for CVE-2023-43090/gnome-shell
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b057534 by Salvatore Bonaccorso at 2023-09-17T20:40:18+02:00 Add fixes via unstable for CVE-2023-43090/gnome-shell - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38,7 +38,7 @@ CVE-2023-43091 [Code injection via service.json file] NOTE: Introduced with merge: https://gitlab.gnome.org/GNOME/gnome-maps/-/merge_requests/227 (v43.alpha) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gnome-maps/-/commit/d26cd774d524404ef7784e6808f551de83de4bea (v45.rc) CVE-2023-43090 [Screenshot tool allows viewing open windows when session is locked] - - gnome-shell (bug #1052067) + - gnome-shell 44.5-1 (bug #1052067) NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6990 NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2944 NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/521525948eed85cc27c0796a0b9569d161df81ba View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b0575346dbc4fa044e0632773677f60f2623da1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b0575346dbc4fa044e0632773677f60f2623da1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
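Review bot: Only the unstable fixed version 44.5-1 is recorded here; the older suites get no annotation in this hunk, so bullseye and buster will show as affected in the tracker even if the referenced fix commits postdate the gnome-shell versions they ship. Once the introducing commit is known, add per-suite lines (not-affected with the introducing version, or a no-dsa reason) so the dsa-needed decision can be read off the entry itself.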
[Git][security-tracker-team/security-tracker][master] Add entry for DSA 5497-2/libwebp in bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fdcfa143 by Salvatore Bonaccorso at 2023-09-17T20:37:27+02:00 Add entry for DSA 5497-2/libwebp in bullseye - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[13 Sep 2023] DSA-5497-2 libwebp - security update + {CVE-2023-4863} + [bullseye] - libwebp 0.6.1-2.1+deb11u2 [15 Sep 2023] DSA-5498-1 thunderbird - security update {CVE-2023-4863} [bullseye] - thunderbird 1:102.15.1-1~deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdcfa143a9feeb6d3804f51626c1badbfd8bb2bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdcfa143a9feeb6d3804f51626c1badbfd8bb2bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
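Review bot: The new DSA-5497-2 entry is dated 13 Sep 2023 but is inserted above DSA-5498-1, which is dated 15 Sep 2023; the list is otherwise newest-first. Double-check the date of DSA-5497-2 against the published advisory before this is relied on, since either the date or the position is wrong.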
[Git][security-tracker-team/security-tracker][master] take flac
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ffe4cba3 by Moritz Muehlenhoff at 2023-09-17T19:54:33+02:00 take flac - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -21,13 +21,11 @@ chromium (jmm) -- cinder/oldstable -- -flac/oldstable +flac/oldstable (jmm) -- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- -libwebp/oldstable (jmm) --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y and 6.1.y versions View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffe4cba3b47d3af04bc73751f3fdc7f027a1b85c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffe4cba3b47d3af04bc73751f3fdc7f027a1b85c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
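Review bot: Besides taking flac, this hunk also drops the "libwebp/oldstable (jmm)" entry, which the commit title "take flac" does not mention. Removing an item from dsa-needed implies the update shipped or the issue was dismissed; say which in the commit message (for example by referencing the advisory) so the history of why libwebp left the list is not lost.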
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a09a96cc by Thorsten Alteholz at 2023-09-17T19:39:24+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,6 +52,7 @@ dogecoin -- elfutils (Thorsten Alteholz) NOTE: 20230903: Added by Front-Desk (gladk) + NOTE: 20230917: testing package -- exempi NOTE: 20230907: Added by Front-Desk (lamby) @@ -61,6 +62,7 @@ exiv2 -- file (Thorsten Alteholz) NOTE: 20230901: Added by Front-Desk (gladk) + NOTE: 20230917: testing package -- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a09a96cc32d49e72d0a2158b58788e8965b3e44a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a09a96cc32d49e72d0a2158b58788e8965b3e44a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-42464/netatalk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b6c48934 by Salvatore Bonaccorso at 2023-09-17T15:28:37+02:00 Add CVE-2023-42464/netatalk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7870,6 +7870,9 @@ CVE-2023-34968 (A path disclosure vulnerability was found in Samba. As part of t {DSA-5477-1} - samba 2:4.18.5+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2023-34968.html +CVE-2023-42464 + - netatalk (bug #1052087) + NOTE: https://github.com/Netatalk/netatalk/issues/486 CVE-2023-34967 (A Type Confusion vulnerability was found in Samba's mdssvc RPC service ...) {DSA-5477-1} - samba 2:4.18.5+dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6c4893452c9cf74bee953b701eddf95d88007f9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6c4893452c9cf74bee953b701eddf95d88007f9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
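Review bot: The new CVE-2023-42464 entry is inserted between CVE-2023-34968 and CVE-2023-34967, out of the descending CVE-number order the surrounding entries follow, and it has neither a description nor a bracketed title, unlike other manually added entries on this page (e.g. "CVE-2023-43090 [Screenshot tool allows viewing open windows when session is locked]"). Give it a short bracketed summary based on netatalk issue 486 and move it to its numeric position so it is easy to find.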
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-24904/viagee
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 207a3662 by Salvatore Bonaccorso at 2023-09-17T13:30:18+02:00 Track fixed version for CVE-2020-24904/viagee - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -217056,12 +217056,13 @@ CVE-2020-24906 CVE-2020-24905 RESERVED CVE-2020-24904 (An issue was discovered in attach parameter in GNOME Gmail version 2.5 ...) - - viagee (bug #1051726) + - viagee 3.7-1 (bug #1051726) [bookworm] - viagee (Minor issue) - gnome-gmail [bullseye] - gnome-gmail (Minor issue) [buster] - gnome-gmail (Minor issue) NOTE: https://github.com/davesteele/gnome-gmail/issues/84 + NOTE: https://github.com/davesteele/viagee/commit/c961b7431018976abc9c964ce594b371fb84183e CVE-2020-24903 (Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scri ...) NOT-FOR-US: Cute Editor for ASP.NET CVE-2020-24902 (Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XS ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/207a36626dd28abf3bfbd40144efdc4f06b02b91 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/207a36626dd28abf3bfbd40144efdc4f06b02b91 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3569-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 043bf358 by Emilio Pozuelo Monfort at 2023-09-17T11:41:51+02:00 Reserve DLA-3569-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Sep 2023] DLA-3569-1 thunderbird - security update + {CVE-2023-4863} + [buster] - thunderbird 1:102.15.1-1~deb10u1 [16 Sep 2023] DLA-3568-1 firefox-esr - security update {CVE-2023-4863} [buster] - firefox-esr 102.15.1esr-1~deb10u1 = data/dla-needed.txt = @@ -220,9 +220,6 @@ suricata NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Emilio) - NOTE: 20230915: Added by Front-Desk (pochu) --- tiff (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/043bf35861920ff907500669900281997f5e75c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/043bf35861920ff907500669900281997f5e75c1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f40e3872 by Salvatore Bonaccorso at 2023-09-17T11:24:55+02:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -228772,7 +228772,7 @@ CVE-2020-19561 CVE-2020-19560 RESERVED CVE-2020-19559 (An issue in Diebold Aglis XFS for Opteva v.4.1.61.1 allows a remote at ...) - TODO: check + NOT-FOR-US: Diebold Aglis XFS for Opteva CVE-2020-19558 RESERVED CVE-2020-19557 @@ -229298,17 +229298,17 @@ CVE-2020-19325 CVE-2020-19324 RESERVED CVE-2020-19323 (An issue was discovered in /bin/mini_upnpd on D-Link DIR-619L 2.06beta ...) - TODO: check + NOT-FOR-US: D-Link CVE-2020-19322 RESERVED CVE-2020-19321 RESERVED CVE-2020-19320 (Buffer overflow vulnerability in DLINK 619L version B 2.06beta via the ...) - TODO: check + NOT-FOR-US: D-Link CVE-2020-19319 (Buffer overflow vulnerability in DLINK 619L version B 2.06beta via the ...) - TODO: check + NOT-FOR-US: D-Link CVE-2020-19318 (Buffer Overflow vulnerability in D-Link DIR-605L, hardware version AX, ...) - TODO: check + NOT-FOR-US: D-Link CVE-2020-19317 RESERVED CVE-2020-19316 (OS Command injection vulnerability in function link in Filesystem.php ...) @@ -287975,9 +287975,9 @@ CVE-2019-16473 CVE-2019-16472 RESERVED CVE-2019-16471 (Adobe Acrobat Reader versions 2019.021.20056 and earlier are affected ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-16470 (Adobe Acrobat Reader versions 2019.021.20056 and earlier are affected ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-16469 (Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 hav ...) NOT-FOR-US: Adobe Experience Manager CVE-2019-16468 (Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 hav ...) 
@@ -315447,7 +315447,7 @@ CVE-2019-7821 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 201 CVE-2019-7820 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7819 (Adobe Acrobat Reader versions 2019.010.20098 and earlier are affected ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7818 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7817 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f40e3872704a188fc3602486e693528b67c75b67 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f40e3872704a188fc3602486e693528b67c75b67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
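Review bot: The Acrobat Reader entries (CVE-2019-16471, CVE-2019-16470, CVE-2019-7819) are marked "NOT-FOR-US: Adobe", while neighbouring entries name the product ("NOT-FOR-US: Adobe Experience Manager"); the file already uses both forms in this region. Preferring the product name ("Adobe Acrobat Reader") keeps the NFU text greppable and consistent; the triage decision itself is fine.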
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41900/jetty9
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fc75054 by Salvatore Bonaccorso at 2023-09-17T11:11:25+02:00 Add CVE-2023-41900/jetty9 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56,7 +56,10 @@ CVE-2023-42336 (An issue in NETIS SYSTEMS WF2409Ev4 v.1.0.1.705 allows a remote CVE-2023-41901 REJECTED CVE-2023-41900 (Jetty is a Java based web server and servlet engine. Versions 9.4.21 t ...) - TODO: check + - jetty9 + NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48 + NOTE: https://github.com/eclipse/jetty.project/pull/9528 (10.0.16, 11.0.16) + NOTE: https://github.com/eclipse/jetty.project/pull/9660 (9.4.52) CVE-2023-41626 (Gradio v3.27.0 was discovered to contain an arbitrary file upload vuln ...) NOT-FOR-US: Gradio CVE-2023-41436 (Cross Site Scripting vulnerability in CSZCMS v.1.3.0 allows a local at ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fc75054a925710d587c8448dbc1797fcd9e8dbd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fc75054a925710d587c8448dbc1797fcd9e8dbd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
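Review bot: The jetty9 line has no fixed version, and the notes show that the fix for the 9.x line is PR 9660 (9.4.52), while PR 9528 only covers 10.0.16/11.0.16. Record the first fixed Debian version once a 9.4.52-based package exists, and give bullseye and bookworm a severity or no-dsa annotation so the entry does not sit as unfixed everywhere with no triage decision.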
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41887/openrefine
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e5c7ac2 by Salvatore Bonaccorso at 2023-09-17T11:06:46+02:00 Add CVE-2023-41887/openrefine - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -148,7 +148,9 @@ CVE-2023-42270 (Grocy <= 4.0.2 is vulnerable to Cross Site Request Forgery (CSRF CVE-2023-41889 (SHIRASAGI is a Content Management System. Prior to version 1.18.0, SHI ...) NOT-FOR-US: SHIRASAGI CVE-2023-41887 (OpenRefine is a powerful free, open source tool for working with messy ...) - TODO: check + - openrefine 3.7.5-1 + NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5 + NOTE: https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511 (3.7.5) CVE-2023-41886 (OpenRefine is a powerful free, open source tool for working with messy ...) - openrefine 3.7.5-1 NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e5c7ac2a5b42423198cb612a8a324a9f884a665 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e5c7ac2a5b42423198cb612a8a324a9f884a665 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
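Review bot: The 3.7.5 fix cited here, commit 693fde606d4b5b78b16391c29d110389eb605511, is the same commit recorded as the 3.7.5 fix for CVE-2023-41886 in the preceding commit 293ea5b8. If one backport commit fixes both CVEs, say so in the NOTE (e.g. "Fixed by: ... (3.7.5, also fixes CVE-2023-41886)"), and for symmetry add the corresponding master commit for this CVE if there is one, as was done for CVE-2023-41886.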
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41886/openrefine
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 293ea5b8 by Salvatore Bonaccorso at 2023-09-17T11:04:52+02:00 Add CVE-2023-41886/openrefine - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -150,7 +150,10 @@ CVE-2023-41889 (SHIRASAGI is a Content Management System. Prior to version 1.18. CVE-2023-41887 (OpenRefine is a powerful free, open source tool for working with messy ...) TODO: check CVE-2023-41886 (OpenRefine is a powerful free, open source tool for working with messy ...) - TODO: check + - openrefine 3.7.5-1 + NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m + NOTE: https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d (master) + NOTE: https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511 (3.7.5) CVE-2023-41880 (Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions fr ...) NOT-FOR-US: Wasmtime CVE-2023-41592 (Froala Editor v4.0.1 to v4.1.1 was discovered to contain a cross-site ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/293ea5b8f4f1f65b29207da4409fd86318f58a7b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/293ea5b8f4f1f65b29207da4409fd86318f58a7b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40167/jetty9
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 63ca9038 by Salvatore Bonaccorso at 2023-09-17T10:59:09+02:00 Add CVE-2023-40167/jetty9 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -192,7 +192,8 @@ CVE-2023-40868 (Cross Site Request Forgery vulnerability in mooSocial MooSocial CVE-2023-40588 (Discourse is an open-source discussion platform. Prior to version 3.1. ...) NOT-FOR-US: Discourse CVE-2023-40167 (Jetty is a Java based web server and servlet engine. Prior to versions ...) - TODO: check + - jetty9 + NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6 CVE-2023-40019 (FreeSWITCH is a Software Defined Telecom Stack enabling the digital tr ...) - freeswitch (bug #389591) CVE-2023-40018 (FreeSWITCH is a Software Defined Telecom Stack enabling the digital tr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63ca90385cd8d57872fb06ef5f40c59b00ee519b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63ca90385cd8d57872fb06ef5f40c59b00ee519b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
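Review bot: This entry records only the GHSA advisory; unlike the other jetty9 entries added in this series there is no upstream fix reference (PR or commit with the fixed upstream version) and no fixed Debian version. Add the fix reference from the advisory so it is possible to check whether the jetty9 package in each suite carries it, and give the suites a triage annotation.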
[Git][security-tracker-team/security-tracker][master] Adjust source package name for CVE-2023-2604{8,9} and track fixed version via experimental
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 49598ed3 by Salvatore Bonaccorso at 2023-09-17T10:55:36+02:00 Adjust source package name for CVE-2023-2604{8,9} and track fixed version via experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32481,12 +32481,14 @@ CVE-2023-26051 (Saleor is a headless, GraphQL commerce platform delivering perso CVE-2023-26050 RESERVED CVE-2023-26049 (Jetty is a java based web server and servlet engine. Nonstandard cooki ...) - - jetty + [experimental] - jetty9 9.4.51-1 + - jetty9 NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c NOTE: https://github.com/eclipse/jetty.project/pull/9339 NOTE: https://github.com/eclipse/jetty.project/pull/9352 CVE-2023-26048 (Jetty is a java based web server and servlet engine. In affected versi ...) - - jetty + [experimental] - jetty9 9.4.51-1 + - jetty9 NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8 NOTE: https://github.com/eclipse/jetty.project/issues/9076 NOTE: https://github.com/eclipse/jetty.project/pull/9344 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49598ed373ad7e01cf3b0a35a80b271c4d422743 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49598ed373ad7e01cf3b0a35a80b271c4d422743 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
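Review bot: The fixed version is recorded only for experimental ("[experimental] - jetty9 9.4.51-1"), so unstable and the stable suites remain unfixed with no annotation; that is correct for the data, but now that the entries point at the jetty9 source package, bullseye and bookworm need a severity or no-dsa decision. It is also worth confirming that 9.4.51 contains PRs 9339/9352 and 9344 cited in the notes, since the version on the experimental line is the only evidence of that here.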
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4075a7d1 by Salvatore Bonaccorso at 2023-09-17T10:48:25+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,17 +17,17 @@ CVE-2023-5018 (A vulnerability classified as critical has been found in SourceCo CVE-2023-5017 (A vulnerability was found in lmxcms up to 1.41. It has been rated as c ...) NOT-FOR-US: lmxcms CVE-2023-5016 (A vulnerability was found in spider-flow up to 0.5.0. It has been decl ...) - TODO: check + NOT-FOR-US: spider-flow CVE-2023-5015 (A vulnerability was found in UCMS 1.4.7. It has been classified as pro ...) NOT-FOR-US: UCMS CVE-2023-5014 (A vulnerability was found in Sakshi2610 Food Ordering Website 1.0 and ...) NOT-FOR-US: Sakshi2610 Food Ordering Website CVE-2023-5013 (A vulnerability has been found in Pluck CMS 4.7.18 and classified as p ...) - TODO: check + NOT-FOR-US: Pluck CMS CVE-2023-5012 (A vulnerability, which was classified as problematic, was found in Top ...) - TODO: check + NOT-FOR-US: Topaz OFD CVE-2023-38040 (A reflected XSS vulnerability exists in Revive Adserver 5.4.1 and earl ...) - TODO: check + NOT-FOR-US: Revive Adserver CVE-2023-3025 (The Dropbox Folder Share plugin for WordPress is vulnerable to Server- ...) NOT-FOR-US: Dropbox Folder Share plugin for WordPress CVE-2023-43091 [Code injection via service.json file] @@ -66,7 +66,7 @@ CVE-2023-41157 (Multiple stored cross-site scripting (XSS) vulnerabilities in Us CVE-2023-39777 (A cross-site scripting (XSS) vulnerability in the Admin Control Panel ...) NOT-FOR-US: vBulletin CVE-2023-39612 (A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23 ...) - TODO: check + NOT-FOR-US: FileBrowser CVE-2023-36735 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability) NOT-FOR-US: Microsoft CVE-2023-36727 (Microsoft Edge (Chromium-based) Spoofing Vulnerability) 
@@ -144,7 +144,7 @@ CVE-2023-42398 (An issue in zzCMS v.2023 allows a remote attacker to execute arb CVE-2023-42362 (An arbitrary file upload vulnerability in Teller Web App v.4.4.0 allow ...) NOT-FOR-US: Teller Web App CVE-2023-42270 (Grocy <= 4.0.2 is vulnerable to Cross Site Request Forgery (CSRF).) - TODO: check + NOT-FOR-US: Grocy CVE-2023-41889 (SHIRASAGI is a Content Management System. Prior to version 1.18.0, SHI ...) NOT-FOR-US: SHIRASAGI CVE-2023-41887 (OpenRefine is a powerful free, open source tool for working with messy ...) @@ -152,7 +152,7 @@ CVE-2023-41887 (OpenRefine is a powerful free, open source tool for working with CVE-2023-41886 (OpenRefine is a powerful free, open source tool for working with messy ...) TODO: check CVE-2023-41880 (Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions fr ...) - TODO: check + NOT-FOR-US: Wasmtime CVE-2023-41592 (Froala Editor v4.0.1 to v4.1.1 was discovered to contain a cross-site ...) NOT-FOR-US: Froala Editor CVE-2023-41325 (OP-TEE is a Trusted Execution Environment (TEE) designed as companion ...) @@ -212,7 +212,7 @@ CVE-2023-39639 (LeoTheme leoblog up to v3.1.2 was discovered to contain a SQL in CVE-2023-39638 (D-LINK DIR-859 A1 1.05 and A1 1.06B01 Beta01 was discovered to contain ...) NOT-FOR-US: D-LINK CVE-2023-38912 (SQL injection vulnerability in Super Store Finder PHP Script v.3.6 all ...) - TODO: check + NOT-FOR-US: Super Store Finder PHP Script CVE-2023-38891 (SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote auth ...) NOT-FOR-US: Vtiger CRM CVE-2023-38706 (Discourse is an open-source discussion platform. Prior to version 3.1. ...) 
@@ -226,11 +226,11 @@ CVE-2023-37281 (Contiki-NG is an operating system for internet-of-things devices CVE-2023-37263 (Strapi is the an open-source headless content management system. Prior ...) NOT-FOR-US: Strapi CVE-2023-36659 (An issue was discovered in OPSWAT MetaDefender KIOSK 4.6.1.9996. Long ...) - TODO: check + NOT-FOR-US: OPSWAT MetaDefender KIOSK CVE-2023-36658 (An issue was discovered in OPSWAT MetaDefender KIOSK 4.6.1.9996. It ha ...) - TODO: check + NOT-FOR-US: OPSWAT MetaDefender KIOSK CVE-2023-36657 (An issue was discovered in OPSWAT MetaDefender KIOSK 4.6.1.9996. Built ...) - TODO: check + NOT-FOR-US: OPSWAT MetaDefender KIOSK CVE-2023-36479 (Eclipse Jetty Canonical Repository is the canonical repository for the ...) TODO: check CVE-2023-36472 (Strapi is the an open-source headless content management system. Prior ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4075a7d10df2fb7175c2c4bed53f5cde3d35ca55 -- View
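Review bot: CVE-2023-41886 (OpenRefine) stays TODO: check in the @@ -152,7 +152,7 @@ hunk while CVE-2023-41880 directly below it is triaged to NOT-FOR-US: Wasmtime; since the adjacent CVE-2023-41887 is also an OpenRefine entry, the two OpenRefine CVEs should be resolved together in a follow-up commit so they do not linger as open TODOs between already-processed entries.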
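Review bot: CVE-2023-36479 (Eclipse Jetty Canonical Repository) keeps TODO: check in the @@ -226,11 +226,11 @@ hunk while the three OPSWAT MetaDefender KIOSK entries around it are all marked NOT-FOR-US; unlike those, Jetty is not an obvious NFU candidate, so this entry needs an actual check against the Debian source package (a fixed-version line, or NFU with the reason noted) rather than being left open next to processed entries.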
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f374d67 by Salvatore Bonaccorso at 2023-09-17T10:19:02+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,27 +1,27 @@ CVE-2023-5025 (A vulnerability was found in KOHA up to 23.05.03. It has been declared ...) - TODO: check + NOT-FOR-US: KOHA CVE-2023-5024 (A vulnerability was found in Planno 23.04.04. It has been classified a ...) - TODO: check + NOT-FOR-US: Planno CVE-2023-5023 (A vulnerability was found in Tongda OA 2017 and classified as critical ...) - TODO: check + NOT-FOR-US: Tongda OA CVE-2023-5022 (A vulnerability has been found in DedeCMS up to 5.7.100 and classified ...) - TODO: check + NOT-FOR-US: DedeCMS CVE-2023-5021 (A vulnerability, which was classified as problematic, was found in Sou ...) - TODO: check + NOT-FOR-US: SourceCodester AC Repair and Services System CVE-2023-5020 (A vulnerability, which was classified as critical, has been found in 0 ...) - TODO: check + NOT-FOR-US: 07FLY CRM CVE-2023-5019 (A vulnerability classified as critical was found in Tongda OA. This vu ...) - TODO: check + NOT-FOR-US: Tongda OA CVE-2023-5018 (A vulnerability classified as critical has been found in SourceCodeste ...) - TODO: check + NOT-FOR-US: SourceCodester Lost and Found Information System CVE-2023-5017 (A vulnerability was found in lmxcms up to 1.41. It has been rated as c ...) - TODO: check + NOT-FOR-US: lmxcms CVE-2023-5016 (A vulnerability was found in spider-flow up to 0.5.0. It has been decl ...) TODO: check CVE-2023-5015 (A vulnerability was found in UCMS 1.4.7. It has been classified as pro ...) - TODO: check + NOT-FOR-US: UCMS CVE-2023-5014 (A vulnerability was found in Sakshi2610 Food Ordering Website 1.0 and ...) - TODO: check + NOT-FOR-US: Sakshi2610 Food Ordering Website CVE-2023-5013 (A vulnerability has been found in Pluck CMS 4.7.18 and classified as p ...) TODO: check CVE-2023-5012 (A vulnerability, which was classified as problematic, was found in Top ...) 
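Review bot: CVE-2023-5016 (spider-flow) and CVE-2023-5013 (Pluck CMS) keep TODO: check in this hunk while every other entry of the CVE-2023-5012 to CVE-2023-5025 block is resolved to NOT-FOR-US; if they were deliberately held back pending a packaging check, a NOTE line recording that would save the next triager from repeating the lookup.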
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f374d670416164751118c3fdbcce54464f60d0b
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 37b3c7ac by security tracker role at 2023-09-17T08:12:08+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,33 @@ +CVE-2023-5025 (A vulnerability was found in KOHA up to 23.05.03. It has been declared ...) + TODO: check +CVE-2023-5024 (A vulnerability was found in Planno 23.04.04. It has been classified a ...) + TODO: check +CVE-2023-5023 (A vulnerability was found in Tongda OA 2017 and classified as critical ...) + TODO: check +CVE-2023-5022 (A vulnerability has been found in DedeCMS up to 5.7.100 and classified ...) + TODO: check +CVE-2023-5021 (A vulnerability, which was classified as problematic, was found in Sou ...) + TODO: check +CVE-2023-5020 (A vulnerability, which was classified as critical, has been found in 0 ...) + TODO: check +CVE-2023-5019 (A vulnerability classified as critical was found in Tongda OA. This vu ...) + TODO: check +CVE-2023-5018 (A vulnerability classified as critical has been found in SourceCodeste ...) + TODO: check +CVE-2023-5017 (A vulnerability was found in lmxcms up to 1.41. It has been rated as c ...) + TODO: check +CVE-2023-5016 (A vulnerability was found in spider-flow up to 0.5.0. It has been decl ...) + TODO: check +CVE-2023-5015 (A vulnerability was found in UCMS 1.4.7. It has been classified as pro ...) + TODO: check +CVE-2023-5014 (A vulnerability was found in Sakshi2610 Food Ordering Website 1.0 and ...) + TODO: check +CVE-2023-5013 (A vulnerability has been found in Pluck CMS 4.7.18 and classified as p ...) + TODO: check +CVE-2023-5012 (A vulnerability, which was classified as problematic, was found in Top ...) + TODO: check +CVE-2023-38040 (A reflected XSS vulnerability exists in Revive Adserver 5.4.1 and earl ...) + TODO: check CVE-2023-3025 (The Dropbox Folder Share plugin for WordPress is vulnerable to Server- ...) 
NOT-FOR-US: Dropbox Folder Share plugin for WordPress CVE-2023-43091 [Code injection via service.json file] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37b3c7acee8449e407a2dfecefc55261a472858a
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2023-42503
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 33830f7b by Salvatore Bonaccorso at 2023-09-17T08:51:54+02:00 Track fixed version via unstable for CVE-2023-42503 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -270,7 +270,7 @@ CVE-2023-4814 (A Privilege escalation vulnerability exists in Trellix Windows DL CVE-2023-4568 (PaperCut NG allows for unauthenticated XMLRPC commands to be run by de ...) NOT-FOR-US: PaperCut CVE-2023-42503 (Improper Input Validation, Uncontrolled Resource Consumption vulnerabi ...) - - libcommons-compress-java (bug #1052065) + - libcommons-compress-java 1.24.0-1 (bug #1052065) [bullseye] - libcommons-compress-java (Vulnerable code introduced later) [buster] - libcommons-compress-java (Vulnerable code introduced later) NOTE: https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33830f7b21433a5cbb69450f177e184d4b193dcc
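Review bot: the bullseye and buster lines in this hunk assert "Vulnerable code introduced later" for libcommons-compress-java, but the only NOTE recorded is the upstream announcement thread; add a NOTE pointing at the upstream commit that introduced the vulnerable code (and the fixing commit that 1.24.0-1 carries) so the "introduced later" claim for the stable branches can be verified without redoing the analysis.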