[Git][security-tracker-team/security-tracker][master] Take grub2 announcement
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c748ef4 by Utkarsh Gupta at 2023-10-04T03:16:18+05:30 Take grub2 announement - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -70,7 +70,7 @@ freerdp2 (tobi) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo) -- -grub2 +grub2 (utkarsh) NOTE: 20231003: Maintainer prepared an uploaded the update NOTE: 20231003: https://lists.debian.org/debian-lts-changes/2023/10/msg5.html -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c748ef47a01ea4706c08149df753f2449ba4b32 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c748ef47a01ea4706c08149df753f2449ba4b32 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3600-1 for postgresql-11
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c0dce80 by Utkarsh Gupta at 2023-10-04T03:15:50+05:30 Reserve DLA-3600-1 for postgresql-11 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -7448,7 +7448,6 @@ CVE-2023-39417 (IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found - postgresql-13 [bullseye] - postgresql-13 (Minor issue, fix along with next round of updates) - postgresql-11 - [buster] - postgresql-11 (Minor issue) NOTE: https://www.postgresql.org/support/security/CVE-2023-39417/ NOTE: https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/ NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=de494ec14f6bd7f2676623a5934723a6c8ba51c2 (REL_15_4) = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Oct 2023] DLA-3600-1 postgresql-11 - security update + {CVE-2023-39417} + [buster] - postgresql-11 11.21-0+deb10u2 [02 Oct 2023] DLA-3599-1 exim4 - security update {CVE-2023-42114 CVE-2023-42116} [buster] - exim4 4.92-8+deb10u8 = data/dla-needed.txt = 
@@ -134,9 +134,6 @@ poppler (Adrian Bunk) NOTE: 20230908: as I suspect this is a duplicate of CVE-2020-27778 (which has already NOTE: 20230908: been fixed). (lamby) -- -postgresql-11 (Utkarsh) - NOTE: 20231001: Myon uploaded and asked on #debian-lts to do the paperwork. (utkarsh) --- prometheus-alertmanager (rouca) NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Vulnerable code is in ui/app/src/Views/AlertList/AlertView.elm View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c0dce8074f7d577d32768f9d93fd093c8c98fc2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c0dce8074f7d577d32768f9d93fd093c8c98fc2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
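Review bot: dropping `[buster] - postgresql-11 (Minor issue)` from the CVE-2023-39417 entry is right now that DLA-3600-1 records 11.21-0+deb10u2 for buster, but the entry's only fix reference is the REL_15_4 commit; since the buster fix arrives as the 11.21 upstream release named in the postgresql announcement NOTE rather than as a cherry-pick of that commit, a NOTE saying so would make the LTS changelog easier to verify.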
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4886/foreman
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6538b2a by Salvatore Bonaccorso at 2023-10-03T22:42:44+02:00 Add CVE-2023-4886/foreman - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,7 @@ CVE-2023-5255 (For certificates that utilize the auto-renew feature in Puppet Se CVE-2023-4929 (All firmware versions of the NPort 5000 Series are affected by an impr ...) NOT-FOR-US: Moxa CVE-2023-4886 (A sensitive information exposure vulnerability was found in foreman. C ...) - TODO: check + - foreman (bug #663101) CVE-2023-4885 (Man in the Middle vulnerability, which could allow an attacker to inte ...) TODO: check CVE-2023-4884 (An attacker could send an HTTP request to an Open5GS endpoint and retr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6538b2ad5622322d83d41935cc03c701764ef97 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6538b2ad5622322d83d41935cc03c701764ef97 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
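Review bot: the new `- foreman (bug #663101)` line carries neither a fixed version nor a suite annotation, so every suite is counted as vulnerable; if #663101 is the ITP bug for a package that is not yet in the archive, the tracker convention is `- foreman <itp> (bug #663101)`, which keeps the bug reference without flagging shipped suites.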
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 147e0f96 by Salvatore Bonaccorso at 2023-10-03T22:42:11+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2023-5353 (Improper Access Control in GitHub repository salesagility/suitecrm pri ...) - TODO: check + NOT-FOR-US: suitecrm CVE-2023-5351 (Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/ ...) - TODO: check + NOT-FOR-US: suitecrm CVE-2023-5350 (SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14 ...) - TODO: check + NOT-FOR-US: suitecrm CVE-2023-5255 (For certificates that utilize the auto-renew feature in Puppet Server, ...) TODO: check CVE-2023-4929 (All firmware versions of the NPort 5000 Series are affected by an impr ...) - TODO: check + NOT-FOR-US: Moxa CVE-2023-4886 (A sensitive information exposure vulnerability was found in foreman. C ...) TODO: check CVE-2023-4885 (Man in the Middle vulnerability, which could allow an attacker to inte ...) 
@@ -43,33 +43,33 @@ CVE-2023-4098 (It has been identified that the web application does not correctl CVE-2023-4097 (The file upload functionality is not implemented correctly and allows ...) TODO: check CVE-2023-43976 (An issue in CatoNetworks CatoClient before v.5.4.0 allows attackers to ...) - TODO: check + NOT-FOR-US: CatoNetworks CatoClient CVE-2023-42508 (JFrog Artifactory prior to version 7.66.0 is vulnerable to specific en ...) - TODO: check + NOT-FOR-US: JFrog Artifactory CVE-2023-41693 (Cross-Site Request Forgery (CSRF) vulnerability in edward_plainview My ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-41244 (Cross-Site Request Forgery (CSRF) vulnerability in Buildfail Localize ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-40830 (Tenda AC6 v15.03.05.19 is vulnerable to Buffer Overflow as the Index p ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-40558 (Cross-Site Request Forgery (CSRF) vulnerability in eMarket Design YouT ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-40212 (Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Product ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-40210 (Cross-Site Request Forgery (CSRF) vulnerability in Sean Barton (Tortoi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-40202 (Cross-Site Request Forgery (CSRF) vulnerability in Hannes Etzelstorfer ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-40201 (Cross-Site Request Forgery (CSRF) vulnerability inFuturioWP Futurio Ex ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-40199 (Cross-Site Request Forgery (CSRF) vulnerability in CRUDLab WP Like But ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-40198 (Cross-Site Request Forgery (CSRF) vulnerability in Antsanchez Easy Coo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-40009 (Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Pipes ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3654 (cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwic ...) - TODO: check + NOT-FOR-US: cashIT! CVE-2023-3350 (A Cryptographic Issue vulnerability has been found on IBERMATICA RPS, ...) TODO: check CVE-2023-3349 (Information exposure vulnerability in IBERMATICA RPS 2019, which explo ...) @@ -77,37 +77,37 @@ CVE-2023-3349 (Information exposure vulnerability in IBERMATICA RPS 2019, which CVE-2023-3196 (This vulnerability could allow an attacker to store a malicious JavaSc ...) TODO: check CVE-2023-39989 (Cross-Site Request Forgery (CSRF) vulnerability in 99robots Header Foo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-39923 (Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme The Pos ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-39917 (Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery Team ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-39165 (Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign- ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-39159 (Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Fraud P ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-39158 (Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Banner ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-38398 (Cross-Site Request Forgery (CSRF) vulnerability in Taboola plugin <=2. ...) - TODO: check +
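Review bot: the patch as reproduced here is cut off after the `CVE-2023-38398 ... - TODO: check +` line, so the replacement for that entry is not visible; of the entries these hunks leave as `TODO: check`, CVE-2023-5255 (Puppet Server), CVE-2023-3350 and CVE-2023-3349 (IBERMATICA RPS) and CVE-2023-3196 still need triage, while CVE-2023-4886 (foreman) is handled by the later commit e6538b2a.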
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4732/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5067cea0 by Salvatore Bonaccorso at 2023-10-03T22:37:18+02:00 Add CVE-2023-4732/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,7 +21,11 @@ CVE-2023-4882 (DOS vulnerability that could allow an attacker to register a new CVE-2023-4817 (This vulnerability allows an authenticated attacker to upload maliciou ...) TODO: check CVE-2023-4732 (A flaw was found in the Linux Kernel's memory management subsytem. A t ...) - TODO: check + - linux 5.14.6-1 + [bullseye] - linux 5.10.70-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2236982 + NOTE: https://git.kernel.org/linus/8f34f1eac3820fc2722e5159acceb22545b30b0d (5.14-rc1) CVE-2023-4564 (This vulnerability could allow an attacker to store a malicious JavaSc ...) TODO: check CVE-2023-4103 (QSige statistics are affected by a remote SQLi vulnerability. It has b ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5067cea0459d59b2d2693050da111fe8bba0cdab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5067cea0459d59b2d2693050da111fe8bba0cdab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
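Review bot: the only fix reference added is the mainline commit tagged 5.14-rc1, yet bullseye is recorded as fixed in 5.10.70-1; a 5.10.y fixed version implies a stable backport, so the stable-tree commit or the 5.10.y release it landed in should be added as a NOTE to make the bullseye claim verifiable. The `[buster] - linux (Vulnerable code not present)` line is fine as stated.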
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-43655/composer via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6048efcf by Salvatore Bonaccorso at 2023-10-03T22:28:09+02:00 Track fixed version for CVE-2023-43655/composer via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -585,7 +585,7 @@ CVE-2023-43944 (A Stored Cross Site Scripting (XSS) vulnerability was found in S CVE-2023-43909 (Hospital Management System thru commit 4770d was discovered to contain ...) NOT-FOR-US: Hospital Management System CVE-2023-43655 (Composer is a dependency manager for PHP. Users publishing a composer. ...) - - composer + - composer 2.6.4-1 [buster] - composer (Minor issue, only a problem when configured improperly) NOTE: https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf NOTE: https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d (1.10.27) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6048efcf79c9ae7297a87d4a7093537e05ba8c43 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6048efcf79c9ae7297a87d4a7093537e05ba8c43 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
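Review bot: the fix NOTE points at a commit annotated (1.10.27) on the 1.x branch while the version now tracked as fixed, 2.6.4-1, is from the 2.x branch; the corresponding 2.x commit or release from the GHSA advisory should be referenced so the unstable version can be checked against it. Only buster carries the `(Minor issue, only a problem when configured improperly)` annotation, so bullseye and bookworm stay listed as affected until an update or an equivalent annotation is recorded.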
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c634e94 by security tracker role at 2023-10-03T20:14:29+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,10 +1,141 @@ +CVE-2023-5353 (Improper Access Control in GitHub repository salesagility/suitecrm pri ...) + TODO: check +CVE-2023-5351 (Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/ ...) + TODO: check +CVE-2023-5350 (SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14 ...) + TODO: check +CVE-2023-5255 (For certificates that utilize the auto-renew feature in Puppet Server, ...) + TODO: check +CVE-2023-4929 (All firmware versions of the NPort 5000 Series are affected by an impr ...) + TODO: check +CVE-2023-4886 (A sensitive information exposure vulnerability was found in foreman. C ...) + TODO: check +CVE-2023-4885 (Man in the Middle vulnerability, which could allow an attacker to inte ...) + TODO: check +CVE-2023-4884 (An attacker could send an HTTP request to an Open5GS endpoint and retr ...) + TODO: check +CVE-2023-4883 (Invalid pointer release vulnerability. Exploitation of this vulnerabil ...) + TODO: check +CVE-2023-4882 (DOS vulnerability that could allow an attacker to register a new VNF ( ...) + TODO: check +CVE-2023-4817 (This vulnerability allows an authenticated attacker to upload maliciou ...) + TODO: check +CVE-2023-4732 (A flaw was found in the Linux Kernel's memory management subsytem. A t ...) + TODO: check +CVE-2023-4564 (This vulnerability could allow an attacker to store a malicious JavaSc ...) + TODO: check +CVE-2023-4103 (QSige statistics are affected by a remote SQLi vulnerability. It has b ...) + TODO: check +CVE-2023-4102 (QSige login SSO does not have an access control mechanism to verify wh ...) + TODO: check +CVE-2023-4101 (The QSige login SSO does not have an access control mechanism to verif ...) + TODO: check +CVE-2023-4100 (Allows an attacker to perform XSS attacks stored on certain resources. ...) + TODO: check +CVE-2023-4099 (The QSige Monitor application does not have an access control mechanis ...) 
+ TODO: check +CVE-2023-4098 (It has been identified that the web application does not correctly fil ...) + TODO: check +CVE-2023-4097 (The file upload functionality is not implemented correctly and allows ...) + TODO: check +CVE-2023-43976 (An issue in CatoNetworks CatoClient before v.5.4.0 allows attackers to ...) + TODO: check +CVE-2023-42508 (JFrog Artifactory prior to version 7.66.0 is vulnerable to specific en ...) + TODO: check +CVE-2023-41693 (Cross-Site Request Forgery (CSRF) vulnerability in edward_plainview My ...) + TODO: check +CVE-2023-41244 (Cross-Site Request Forgery (CSRF) vulnerability in Buildfail Localize ...) + TODO: check +CVE-2023-40830 (Tenda AC6 v15.03.05.19 is vulnerable to Buffer Overflow as the Index p ...) + TODO: check +CVE-2023-40558 (Cross-Site Request Forgery (CSRF) vulnerability in eMarket Design YouT ...) + TODO: check +CVE-2023-40212 (Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Product ...) + TODO: check +CVE-2023-40210 (Cross-Site Request Forgery (CSRF) vulnerability in Sean Barton (Tortoi ...) + TODO: check +CVE-2023-40202 (Cross-Site Request Forgery (CSRF) vulnerability in Hannes Etzelstorfer ...) + TODO: check +CVE-2023-40201 (Cross-Site Request Forgery (CSRF) vulnerability inFuturioWP Futurio Ex ...) + TODO: check +CVE-2023-40199 (Cross-Site Request Forgery (CSRF) vulnerability in CRUDLab WP Like But ...) + TODO: check +CVE-2023-40198 (Cross-Site Request Forgery (CSRF) vulnerability in Antsanchez Easy Coo ...) + TODO: check +CVE-2023-40009 (Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Pipes ...) + TODO: check +CVE-2023-3654 (cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwic ...) + TODO: check +CVE-2023-3350 (A Cryptographic Issue vulnerability has been found on IBERMATICA RPS, ...) + TODO: check +CVE-2023-3349 (Information exposure vulnerability in IBERMATICA RPS 2019, which explo ...) 
+ TODO: check +CVE-2023-3196 (This vulnerability could allow an attacker to store a malicious JavaSc ...) + TODO: check +CVE-2023-39989 (Cross-Site Request Forgery (CSRF) vulnerability in 99robots Header Foo ...) + TODO: check +CVE-2023-39923 (Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme The Pos ...) + TODO: check +CVE-2023-39917 (Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery Team ...) + TODO: check +CVE-2023-39165 (Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign- ...) + TODO:
[Git][security-tracker-team/security-tracker][master] Clarify that introducing commit for CVE-2023-4911 was backported and included in debian/2.31-12
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b913ece1 by Salvatore Bonaccorso at 2023-10-03T22:06:38+02:00 Clarify that introducing commit for CVE-2023-4911 was backported and included in debian/2.31-12 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,7 +8,7 @@ CVE-2023-4911 [buffer overflow in dynamic loader's processing of the GLIBC_TUNAB - glibc 2.37-12 [buster] - glibc (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2023/10/03/2 - NOTE: Introduced by: https://sourceware.org/git/?p=glibc.git;a=commit;h=2ed18c5b534d9e92fc006202a5af0df6b72e7aca (glibc-2.34) + NOTE: Introduced by: https://sourceware.org/git/?p=glibc.git;a=commit;h=2ed18c5b534d9e92fc006202a5af0df6b72e7aca (glibc-2.34; backported in debian/2.31-12) NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa NOTE: https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt CVE-2023-43789 [libXpm: out of bounds read on XPM with corrupted colormap] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b913ece186288b4a17162874972e49b10c39f9b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b913ece186288b4a17162874972e49b10c39f9b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
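Review bot: the added `(glibc-2.34; backported in debian/2.31-12)` qualifier is the missing justification for bullseye (2.31) being affected even though the introducing commit is upstream 2.34; the unchanged `[buster] - glibc (Vulnerable code introduced later)` line stays correct only if that backport never reached buster's package, which this hunk does not state and which should be confirmed in the NOTE.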
[Git][security-tracker-team/security-tracker][master] Track pending linux updates for bullseye-pu and bookworm-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d08e39d by Salvatore Bonaccorso at 2023-10-03T22:00:02+02:00 Track pending linux updates for bullseye-pu and bookworm-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -228,3 +228,27 @@ CVE-2023-44469 [bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u5 CVE-2021-38185 [bullseye] - cpio 2.13+dfsg-7.1~deb11u1 +CVE-2023-1989 + [bullseye] - linux 5.10.197-1 +CVE-2023-20588 + [bullseye] - linux 5.10.197-1 +CVE-2023-3772 + [bullseye] - linux 5.10.197-1 +CVE-2023-3773 + [bullseye] - linux 5.10.197-1 +CVE-2023-4244 + [bullseye] - linux 5.10.197-1 +CVE-2023-42753 + [bullseye] - linux 5.10.197-1 +CVE-2023-42754 + [bullseye] - linux 5.10.197-1 +CVE-2023-42755 + [bullseye] - linux 5.10.197-1 +CVE-2023-42756 + [bullseye] - linux 5.10.197-1 +CVE-2023-4622 + [bullseye] - linux 5.10.197-1 +CVE-2023-4623 + [bullseye] - linux 5.10.197-1 +CVE-2023-4921 + [bullseye] - linux 5.10.197-1 = data/next-point-update.txt = 
@@ -63,6 +63,24 @@ CVE-2023-43115 [bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2 CVE-2023-44469 [bookworm] - lemonldap-ng 2.16.1+ds-deb12u2 +CVE-2023-25775 + [bookworm] - linux 6.1.55-1 +CVE-2023-4244 + [bookworm] - linux 6.1.55-1 +CVE-2023-42752 + [bookworm] - linux 6.1.55-1 +CVE-2023-42753 + [bookworm] - linux 6.1.55-1 +CVE-2023-42754 + [bookworm] - linux 6.1.55-1 +CVE-2023-42755 + [bookworm] - linux 6.1.55-1 +CVE-2023-42756 + [bookworm] - linux 6.1.55-1 +CVE-2023-4623 + [bookworm] - linux 6.1.55-1 +CVE-2023-4921 + [bookworm] - linux 6.1.55-1 CVE-2023- [receiving with Lightning: partial MPP might be accepted] [bookworm] - electrum 4.3.4+dfsg1-1+deb12u1 CVE-2023- [code execution via malformed XTGETTCAP] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d08e39dcf210b160f9455fc148036c96848254e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d08e39dcf210b160f9455fc148036c96848254e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
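Review bot: the bullseye list (5.10.197-1) includes CVE-2023-1989 and CVE-2023-20588, which are absent from the bookworm list (6.1.55-1), while CVE-2023-25775 and CVE-2023-42752 appear only for bookworm; if those gaps are intentional (already fixed, or code not present in the other branch), the corresponding CVE/list entries should carry the matching per-suite annotation so the asymmetry does not read as an omission.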
[Git][security-tracker-team/security-tracker][master] Reference CVE list for DSA-5513-1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c00609b by Salvatore Bonaccorso at 2023-10-03T21:55:25+02:00 Reference CVE list for DSA-5513-1 - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -3,6 +3,7 @@ [bullseye] - glibc 2.31-13+deb11u7 [bookworm] - glibc 2.36-9+deb12u3 [03 Oct 2023] DSA-5513-1 thunderbird - security update + {CVE-2023-5176 CVE-2023-5171 CVE-2023-5169 CVE-2023-5217} [bullseye] - thunderbird 1:115.3.1-1~deb11u1 [bookworm] - thunderbird 1:115.3.1-1~deb12u1 [02 Oct 2023] DSA-5512-1 exim4 - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c00609b912d4e4981472bdfc1885bd1ad9ddfb4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c00609b912d4e4981472bdfc1885bd1ad9ddfb4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Expand commit id for tentative/possible patch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6317adf by Salvatore Bonaccorso at 2023-10-03T21:51:07+02:00 Expand commit id for tenttive/possible patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4532,7 +4532,7 @@ CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop Protocol CVE-2023-39351 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq - NOTE: Potential patch: https://github.com/FreeRDP/FreeRDP/commit/99e243c + NOTE: Potential patch: https://github.com/FreeRDP/FreeRDP/commit/99e243cdbc31f66b5c917452c8fed3276e8bdcd5 (2.11.0) CVE-2023-39350 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6317adf58b4c33bdfb42373cd30dc86ed0e8e85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6317adf58b4c33bdfb42373cd30dc86ed0e8e85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add grub2 to dla-needed.txt
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: 4895c1ee by Santiago Ruano Rincón at 2023-10-03T16:48:40-03:00 Add grub2 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -70,6 +70,10 @@ freerdp2 (tobi) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo) -- +grub2 + NOTE: 20231003: Maintainer prepared an uploaded the update + NOTE: 20231003: https://lists.debian.org/debian-lts-changes/2023/10/msg5.html +-- gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230928: Added by Frond-Desk (ola) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4895c1ee2a0d1eb39c80a3bb759aba7e04f8ee79 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4895c1ee2a0d1eb39c80a3bb759aba7e04f8ee79 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
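Review bot: the added NOTE line `Maintainer prepared an uploaded the update` reads "an" for "and" and should be corrected in a follow-up; the new entry also lacks the `Added by Front-Desk` style note its neighbour freerdp2 carries, so until someone claims it there is no record of who added it or when it is expected to be picked up.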
[Git][security-tracker-team/security-tracker][master] Add grub2 to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b562b01 by Salvatore Bonaccorso at 2023-10-03T20:35:31+02:00 Add grub2 to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -21,6 +21,9 @@ cinder/oldstable -- gpac/oldstable (jmm) -- +grub2 + Maintainer prepared an update +-- gst-plugins-bad1.0 (carnil) -- libreswan (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b562b013ab9eab96fd5b6435e16a7b7fd7212c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b562b013ab9eab96fd5b6435e16a7b7fd7212c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add libx11 and libxpm to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7779542c by Salvatore Bonaccorso at 2023-10-03T20:28:33+02:00 Add libx11 and libxpm to dsa-needed list - - - - - d869ba57 by Salvatore Bonaccorso at 2023-10-03T20:34:22+02:00 Add new grub2 NTFS driver vulnerabilities - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2023-4693 [Crafted file system images can cause out-of-bounds write and may leak sensitive information into the GRUB pager] + - grub2 2.12~rc1-11 + NOTE: https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00028.html +CVE-2023-4692 [Crafted file system images can cause heap-based buffer overflow and may allow arbitrary code execution and secure boot bypass] + - grub2 2.12~rc1-11 + NOTE: https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00028.html CVE-2023-4911 [buffer overflow in dynamic loader's processing of the GLIBC_TUNABLES environment variable] - glibc 2.37-12 [buster] - glibc (Vulnerable code introduced later) = data/dsa-needed.txt = @@ -28,6 +28,10 @@ libreswan (jmm) -- libvpx (carnil) -- +libx11 (jmm) +-- +libxpm (jmm) +-- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y and 6.1.y versions View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/96380cb3811243f3186881476dfa3a6f8fa9592b...d869ba572c99436e8caae40c275ee09826eab7be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/96380cb3811243f3186881476dfa3a6f8fa9592b...d869ba572c99436e8caae40c275ee09826eab7be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
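Review bot: both grub2 entries (CVE-2023-4692, CVE-2023-4693) record 2.12~rc1-11 as fixed in unstable with no [bookworm]/[bullseye]/[buster] annotations and cite only the grub-devel announcement; adding the upstream fix commits as NOTEs would let the stable and LTS updates queued in dsa-needed and dla-needed be checked against the actual patches rather than the announcement alone.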
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-4911
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 96380cb3 by Salvatore Bonaccorso at 2023-10-03T20:26:35+02:00 Update information on CVE-2023-4911 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,6 +1,8 @@ CVE-2023-4911 [buffer overflow in dynamic loader's processing of the GLIBC_TUNABLES environment variable] - glibc 2.37-12 [buster] - glibc (Vulnerable code introduced later) + NOTE: https://www.openwall.com/lists/oss-security/2023/10/03/2 + NOTE: Introduced by: https://sourceware.org/git/?p=glibc.git;a=commit;h=2ed18c5b534d9e92fc006202a5af0df6b72e7aca (glibc-2.34) NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa NOTE: https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt CVE-2023-43789 [libXpm: out of bounds read on XPM with corrupted colormap] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96380cb3811243f3186881476dfa3a6f8fa9592b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96380cb3811243f3186881476dfa3a6f8fa9592b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-4911/glibc via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 892e1d5e by Salvatore Bonaccorso at 2023-10-03T20:20:51+02:00 Track fixed version for CVE-2023-4911/glibc via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2023-4911 [buffer overflow in dynamic loader's processing of the GLIBC_TUNABLES environment variable] - - glibc + - glibc 2.37-12 [buster] - glibc (Vulnerable code introduced later) NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa NOTE: https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892e1d5e12e295507ac74201679568266f344b57 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892e1d5e12e295507ac74201679568266f344b57 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for glibc update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: af69ce33 by Salvatore Bonaccorso at 2023-10-03T19:20:11+02:00 Reserve DSA number for glibc update - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[03 Oct 2023] DSA-5514-1 glibc - security update + {CVE-2023-4911} + [bullseye] - glibc 2.31-13+deb11u7 + [bookworm] - glibc 2.36-9+deb12u3 [03 Oct 2023] DSA-5513-1 thunderbird - security update [bullseye] - thunderbird 1:115.3.1-1~deb11u1 [bookworm] - thunderbird 1:115.3.1-1~deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af69ce3385619a4b11b4176c0c0ea66297d9d33f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af69ce3385619a4b11b4176c0c0ea66297d9d33f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: Add CVE-2023-4911/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c4ad9da by Salvatore Bonaccorso at 2023-10-03T19:02:28+02:00 Add CVE-2023-4911/glibc - - - - - 2ef48767 by Salvatore Bonaccorso at 2023-10-03T19:03:11+02:00 Track glibc fixes previously pending for bookworm-pu - - - - - f7104b66 by Salvatore Bonaccorso at 2023-10-03T19:06:34+02:00 Add upstream commit reference for CVE-2023-4911 - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -1,3 +1,8 @@ +CVE-2023-4911 [buffer overflow in dynamic loader's processing of the GLIBC_TUNABLES environment variable] + - glibc + [buster] - glibc (Vulnerable code introduced later) + NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa + NOTE: https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt CVE-2023-43789 [libXpm: out of bounds read on XPM with corrupted colormap] - libxpm NOTE: https://www.openwall.com/lists/oss-security/2023/10/03/1
@@ -2724,13 +2729,14 @@ CVE-2023-4813 (A flaw was found in glibc. In an uncommon situation, the gaih_ine NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1c37b8022e8763fedbb3f79c02e05c6acfe5a215 (glibc-2.36) CVE-2023-4806 (A flaw was found in glibc. In an extremely rare situation, the getaddr ...) - glibc 2.37-10 - [bookworm] - glibc (Minor issue) + [bookworm] - glibc 2.36-9+deb12u3 [bullseye] - glibc (Minor issue) [buster] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30843 NOTE: When fixing this issue in older releases make sure to not open CVE-2023-5156. CVE-2023-4527 (A flaw was found in glibc. When the getaddrinfo function is called wit ...) - glibc 2.37-9 (bug #1051958) + [bookworm] - glibc 2.36-9+deb12u3 [bullseye] - glibc (Vulnerable code not present) [buster] - glibc (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30842 = data/next-point-update.txt = @@ -57,10 +57,6 @@ CVE-2023-38039 [bookworm] - curl 7.88.1-10+deb12u3 CVE-2023-43770 [bookworm] - roundcube 1.6.3+dfsg-1~deb12u1 -CVE-2023-4527 - [bookworm] - glibc 2.36-9+deb12u2 -CVE-2023-4806 - [bookworm] - glibc 2.36-9+deb12u2 CVE-2023-38559 [bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2 CVE-2023-43115 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/170cf61c22811f68a6ccea95598950302780ebab...f7104b6649fb096a878bc147c12bd2972c275066
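Review bot: the CVE-2023-4806 entry keeps the NOTE "When fixing this issue in older releases make sure to not open CVE-2023-5156", and this hunk now records the bookworm fix as glibc 2.36-9+deb12u3, so that regression check applies to the bookworm upload as well; confirm it before the bookworm line is treated as closed. The two next-point-update.txt entries being dropped named 2.36-9+deb12u2 while the new CVE/list lines say +deb12u3, which matches the bookworm version reserved for DSA-5514-1 elsewhere on this page; double-check that the changes pending for bookworm-pu were actually carried into the security upload rather than just superseded by it, since the tracker will now consider both CVEs fixed in that version.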
[Git][security-tracker-team/security-tracker][master] Track new libx11 and libxpm issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 170cf61c by Salvatore Bonaccorso at 2023-10-03T18:56:45+02:00 Track new libx11 and libxpm issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,29 @@ +CVE-2023-43789 [libXpm: out of bounds read on XPM with corrupted colormap] + - libxpm + NOTE: https://www.openwall.com/lists/oss-security/2023/10/03/1 + NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 +CVE-2023-43788 [libXpm: out of bounds read in XpmCreateXpmImageFromBuffer()] + - libxpm + NOTE: https://www.openwall.com/lists/oss-security/2023/10/03/1 + NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/2fa554b01ef6079a9b35df9332bdc4f139ed67e0 +CVE-2023-43787 [ibX11: integer overflow in XCreateImage() leading to a heap overflow] + - libx11 + - libxpm + NOTE: https://www.openwall.com/lists/oss-security/2023/10/03/1 + NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0 + NOTE: Hardening: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/91f887b41bf75648df725a4ed3be036da02e911e +CVE-2023-43786 [libX11: stack exhaustion from infinite recursion in PutSubImage()] + - libx11 + - libxpm + NOTE: https://www.openwall.com/lists/oss-security/2023/10/03/1 + NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86 + NOTE: Hardening: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a + NOTE: Hardening: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b + NOTE: Hardening: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/84fb14574c039f19ad7face87eb9acc31a50701c +CVE-2023-43785 [libX11: out-of-bounds memory access in _XkbReadKeySyms()] + - libx11 + NOTE: https://www.openwall.com/lists/oss-security/2023/10/03/1 + NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f CVE-2023-5345 (A use-after-free vulnerability in the Linux kernel's fs/smb/client com ...) 
- linux NOTE: https://git.kernel.org/linus/e6e43b8aa7cd3c3af686caf0c2e11819a886d705 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/170cf61c22811f68a6ccea95598950302780ebab
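Review bot: the CVE-2023-43787 description line reads "ibX11: integer overflow in XCreateImage()" while the sibling entries say "libX11"; restore the dropped "l" so the entry is greppable like the others. For CVE-2023-43787 and CVE-2023-43786, libxpm is listed as an affected source package, but the only libxpm commits cited under them are labelled "Hardening"; make explicit which commit is the actual libxpm fix (or that libxpm is listed because the hardening is what it needs), otherwise a reader of these entries cannot tell which libxpm change a backport must include.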
[Git][security-tracker-team/security-tracker][master] foot spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: aa66a7c2 by Moritz Mühlenhoff at 2023-10-03T17:51:56+02:00 foot spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -69,3 +69,5 @@ CVE-2023-44469 [bookworm] - lemonldap-ng 2.16.1+ds-deb12u2 CVE-2023- [receiving with Lightning: partial MPP might be accepted] [bookworm] - electrum 4.3.4+dfsg1-1+deb12u1 +CVE-2023- [code execution via malformed XTGETTCAP] + [bookworm] - foot 1.13.1-2+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa66a7c24de6ed4dca1e817d6f0b89ff76fd
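Review bot: the new foot line carries an empty id, "CVE-2023- [code execution via malformed XTGETTCAP]"; that follows the placeholder used by the electrum line just above it, but it has to be replaced with the assigned CVE id once known, or the bookworm fix 1.13.1-2+deb12u1 cannot be linked to the issue when the point release is processed.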
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41580/phpipam
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6caa6984 by Salvatore Bonaccorso at 2023-10-03T17:42:40+02:00 Add CVE-2023-41580/phpipam - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -101,7 +101,7 @@ CVE-2023-41800 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-41797 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) NOT-FOR-US: WordPress plugin CVE-2023-41580 (Phpipam before v1.5.2 was discovered to contain a LDAP injection vulne ...) - TODO: check + - phpipam (bug #731713) CVE-2023-41086 (Cross-site request forgery (CSRF) vulnerability exists in FURUNO SYSTE ...) NOT-FOR-US: FURUNO SYSTEMS wireless LAN access point devices CVE-2023-40744 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6caa69846c6aee6224f5b3a7f34fbdd0597ffa1c
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ae836529 by Salvatore Bonaccorso at 2023-10-03T17:42:12+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -65,19 +65,19 @@ CVE-2023-44008 (File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remot CVE-2023-43980 (Presto Changeo testsitecreator up to v1.1.1 was discovered to contain ...) NOT-FOR-US: Presto Changeo testsitecreator CVE-2023-43893 (Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection v ...) - TODO: check + NOT-FOR-US: Netis CVE-2023-43892 (Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection v ...) - TODO: check + NOT-FOR-US: Netis CVE-2023-43891 (Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection v ...) - TODO: check + NOT-FOR-US: Netis CVE-2023-43890 (Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection v ...) - TODO: check + NOT-FOR-US: Netis CVE-2023-43836 (There is a SQL injection vulnerability in the Jizhicms 2.4.9 backend, ...) NOT-FOR-US: Jizhicms CVE-2023-43835 (Super Store Finder 3.7 and below is vulnerable to authenticated Arbitr ...) NOT-FOR-US: Super Store Finder CVE-2023-43627 (Path traversal vulnerability in ACERA 1320 firmware ver.01.26 and earl ...) - TODO: check + NOT-FOR-US: ACERA firmware CVE-2023-43361 (Buffer Overflow vulnerability in Vorbis-tools v.1.4.2 allows a local a ...) TODO: check CVE-2023-43297 (An issue in animal-art-lab v13.6.1 allows attackers to send crafted no ...) 
@@ -87,7 +87,7 @@ CVE-2023-43268 (Deyue Remote Vehicle Management System v1.1 was discovered to co CVE-2023-43267 (A cross-site scripting (XSS) vulnerability in the publish article func ...) NOT-FOR-US: emlog CVE-2023-42771 (Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 a ...) - TODO: check + NOT-FOR-US: ACERA firmware CVE-2023-41859 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Asho ...) NOT-FOR-US: WordPress plugin CVE-2023-41856 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ClickToT ...) @@ -117,9 +117,9 @@ CVE-2023-3768 (Incorrect data input validation vulnerability, which could allow CVE-2023-3744 (Server-Side Request Forgery vulnerability in SLims version 9.6.0. This ...) TODO: check CVE-2023-3656 (cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwic ...) - TODO: check + NOT-FOR-US: cashIT! CVE-2023-3655 (cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwic ...) - TODO: check + NOT-FOR-US: cashIT! CVE-2023-3440 (Incorrect Default Permissions vulnerability in Hitachi JP1/Performance ...) NOT-FOR-US: IBM CVE-2023-3335 (Insertion of Sensitive Information into Log File vulnerability in Hita ...) 
@@ -129,29 +129,29 @@ CVE-2023-39429 (Cross-site scripting vulnerability in FURUNO SYSTEMS wireless LA CVE-2023-39222 (OS command injection vulnerability in FURUNO SYSTEMS wireless LAN acce ...) NOT-FOR-US: FURUNO SYSTEMS wireless LAN access point devices CVE-2023-37605 (Buffer Overflow vulnerability in baramundi software GmbH EMM Agent 23. ...) - TODO: check + NOT-FOR-US: baramundi CVE-2023-36628 (A flaw exists in VASA which allows users with access to a vSphere/ESXi ...) - TODO: check + NOT-FOR-US: VASA CVE-2023-36627 (A flaw exists in FlashBlade Purity whereby a user with access to an ad ...) - TODO: check + NOT-FOR-US: FlashBlade Purity CVE-2023-33039 (Memory corruption in Automotive Display while destroying the image han ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2023-33035 (Memory corruption while invoking callback function of AFE from ADSP.) - TODO: check + NOT-FOR-US: Qualcomm CVE-2023-33034 (Memory corruption while parsing the ADSP response command.) - TODO: check + NOT-FOR-US: Qualcomm CVE-2023-33029 (Memory corruption in DSP Service during a remote call from HLOS to DSP ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2023-33028 (Memory corruption in WLAN Firmware while doing a memory copy of pmk ca ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2023-33027 (Transient DOS in WLAN Firmware while parsing rsn ies.) - TODO: check + NOT-FOR-US: Qualcomm CVE-2023-33026 (Transient DOS in WLAN Firmware while parsing a NAN management frame.) - TODO: check + NOT-FOR-US: Qualcomm CVE-2023-32572 (A flaw exists in FlashArray Purity wherein under limited circumstances ...) - TODO: check + NOT-FOR-US: FlashArray Purity CVE-2015-10124 (A vulnerability was found in Most Popular Posts Widget Plugin up to 0. ...) - TODO: check + NOT-FOR-US:
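Review bot: the context line for CVE-2023-3440 describes a Hitachi JP1/Performance product but is tagged "NOT-FOR-US: IBM"; the vendor label should match the description, which is a separate follow-up since this hunk only reclassifies the neighbouring entries. In the same region, CVE-2023-36628 is tagged "NOT-FOR-US: VASA", which according to its own description ("A flaw exists in VASA which allows users with access to a vSphere/ESXi ...") is the component the flaw lives in rather than a vendor or product; naming the product, as the adjacent FlashBlade Purity and FlashArray Purity entries do, keeps the NFU labels consistent and searchable.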
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5160/mattermost-server, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 731a2ed5 by Salvatore Bonaccorso at 2023-10-03T17:41:05+02:00 Add CVE-2023-5160/mattermost-server, itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,7 @@ CVE-2023-5334 (The WP Responsive header image slider plugin for WordPress is vul CVE-2023-5290 REJECTED CVE-2023-5160 (Mattermost fails to check the Show Full Name option at the /api/v4/tea ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-5106 (An issue has been discovered in Ultimate-licensed GitLab EE affecting ...) TODO: check CVE-2023-4659 (Cross-Site Request Forgery vulnerability, whose exploitation could all ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/731a2ed528aefbf3f258577ea282036a0cc95948
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5344/vim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c006c435 by Salvatore Bonaccorso at 2023-10-03T17:39:58+02:00 Add CVE-2023-5344/vim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,9 @@ CVE-2023-5345 (A use-after-free vulnerability in the Linux kernel's fs/smb/clien NOTE: https://git.kernel.org/linus/e6e43b8aa7cd3c3af686caf0c2e11819a886d705 NOTE: https://kernel.dance/#e6e43b8aa7cd3c3af686caf0c2e11819a886d705 CVE-2023-5344 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) - TODO: check + - vim + NOTE: https://github.com/vim/vim/commit/3bd7fa12e146c6051490d048a4acbfba974eeb04 + NOTE: https://huntr.dev/bounties/530cb762-899e-48d7-b50e-dad09eb775bf CVE-2023-5334 (The WP Responsive header image slider plugin for WordPress is vulnerab ...) NOT-FOR-US: WP Responsive header image slider plugin for WordPress CVE-2023-5290 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c006c435ae4e4d9578f65a31253398bdc9fcb2e6
[Git][security-tracker-team/security-tracker][master] LTS: dispatch FD slots for first half of 2024
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: 19c81084 by Santiago Ruano Rincón at 2023-10-03T12:22:04-03:00 LTS: dispatch FD slots for first half of 2024 - - - - - 1 changed file: - + org/lts-frontdesk.2024.txt Changes: = org/lts-frontdesk.2024.txt = 
@@ -0,0 +1,53 @@ +From 01-01 to 07-01:Emilio Pozuelo Monfort +From 08-01 to 14-01:Markus Koschany +From 15-01 to 21-01:Ola Lundqvist +From 22-01 to 28-01:Sylvain Beucler +From 29-01 to 04-02:Thorsten Alteholz +From 05-02 to 11-02:Utkarsh Gupta +From 12-02 to 18-02:Chris Lamb +From 19-02 to 25-02:Emilio Pozuelo Monfort +From 26-02 to 03-03:Markus Koschany +From 04-03 to 10-03:Ola Lundqvist +From 11-03 to 17-03:Sylvain Beucler +From 18-03 to 24-03:Thorsten Alteholz +From 25-03 to 31-03:Utkarsh Gupta +From 01-04 to 07-04:Chris Lamb +From 08-04 to 14-04:Emilio Pozuelo Monfort +From 15-04 to 21-04:Markus Koschany +From 22-04 to 28-04:Ola Lundqvist +From 29-04 to 05-05:Sylvain Beucler +From 06-05 to 12-05:Thorsten Alteholz +From 13-05 to 19-05:Utkarsh Gupta +From 20-05 to 26-05:Chris Lamb +From 27-05 to 02-06:Emilio Pozuelo Monfort +From 03-06 to 09-06:Markus Koschany +From 10-06 to 16-06:Ola Lundqvist +From 17-06 to 23-06:Sylvain Beucler +From 24-06 to 30-06:Thorsten Alteholz +From 01-07 to 07-07: +From 08-07 to 14-07: +From 15-07 to 21-07: +From 22-07 to 28-07: +From 29-07 to 04-08: +From 05-08 to 11-08: +From 12-08 to 18-08: +From 19-08 to 25-08: +From 26-08 to 01-09: +From 02-09 to 08-09: +From 09-09 to 15-09: +From 16-09 to 22-09: +From 23-09 to 29-09: +From 30-09 to 06-10: +From 07-10 to 13-10: +From 14-10 to 20-10: +From 21-10 to 27-10: +From 28-10 to 03-11: +From 04-11 to 10-11: +From 11-11 to 17-11: +From 18-11 to 24-11: +From 25-11 to 01-12: +From 02-12 to 08-12: +From 09-12 to 15-12: +From 16-12 to 22-12: +From 23-12 to 29-12: +From 30-12 to 05-01: \ No newline at end of file View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19c810849308b46cb941b4279a977dbca1e27874
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 17bca3f4 by Moritz Mühlenhoff at 2023-10-03T17:00:15+02:00 thunderbird DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[03 Oct 2023] DSA-5513-1 thunderbird - security update + [bullseye] - thunderbird 1:115.3.1-1~deb11u1 + [bookworm] - thunderbird 1:115.3.1-1~deb12u1 [02 Oct 2023] DSA-5512-1 exim4 - security update {CVE-2023-42114 CVE-2023-42115 CVE-2023-42116} [bullseye] - exim4 4.94.2-7+deb11u1 = data/dsa-needed.txt = @@ -84,8 +84,6 @@ samba/oldstable -- tiff (aron) -- -thunderbird (jmm) --- trafficserver -- webkit2gtk View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17bca3f4671b9d8149455b8248bc446264683e68
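Review bot: the new DSA-5513-1 thunderbird entry has no "{CVE-...}" line between its header and the [bullseye]/[bookworm] version lines, whereas the DSA-5512-1 exim4 entry directly below it carries "{CVE-2023-42114 CVE-2023-42115 CVE-2023-42116}"; if the thunderbird advisory fixes CVE-assigned issues, add them here, otherwise the tracker only records the upload to 1:115.3.1-1~deb11u1 and 1:115.3.1-1~deb12u1 and does not mark those CVEs as fixed in bullseye and bookworm.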
[Git][security-tracker-team/security-tracker][master] dla: add python3.7
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 91268d3a by Sylvain Beucler at 2023-10-03T15:51:53+02:00 dla: add python3.7 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -150,6 +150,9 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +python3.7 + NOTE: 20231003: Added by Front-Desk (Beuc) +-- qemu (Sean Whitton) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Consider fixing postponed issues as well. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91268d3ae5e965b371f8429f946c50a39636ff3f
[Git][security-tracker-team/security-tracker][master] dla: tidy golang triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 528957f9 by Sylvain Beucler at 2023-10-03T15:48:51+02:00 dla: tidy golang triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24193,7 +24193,7 @@ CVE-2023-39319 (The html/template package does not apply the proper rules for ha - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 - [buster] - golang-1.11 (Minor issue) + [buster] - golang-1.11 (Limited support, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/62197 NOTE: https://github.com/golang/go/commit/bbd043ff0d6d59f1a9232d31ecd5eacf6507bf6a (go1.21.1) NOTE: https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5 (go1.20.8) @@ -24206,7 +24206,7 @@ CVE-2023-39318 (The html/template package does not properly handle HTML-like "" - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 - [buster] - golang-1.11 (Minor issue) + [buster] - golang-1.11 (Limited support, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/62196 NOTE: https://github.com/golang/go/commit/b0e1d3ea26e8e8fce7726690c9ef0597e60739fb (go1.21.1) NOTE: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c (go1.20.8) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/528957f986a657f8a280e17b6dd440045ac49f78
[Git][security-tracker-team/security-tracker][master] Revert "identified potential patch for CVE-2023-39353/freerdp2"
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 35c2267b by Tobias Frost at 2023-10-03T13:01:28+02:00 Revert "identified potential patch for CVE-2023-39353/freerdp2" This reverts commit e345b33f305d9f11ad03283806e743dc8039e7a5. (I think this was a wrong call…) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4484,7 +4484,6 @@ CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f - NOTE: likely this patch: https://github.com/FreeRDP/FreeRDP/commit/efa0567c02 CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35c2267b5f2aa4d267ebaa6bdb8a5d5bc49d8dcc
[Git][security-tracker-team/security-tracker][master] 2 commits: identified potential patch for CVE-2023-39353/freerdp2
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: e345b33f by Tobias Frost at 2023-10-03T12:42:05+02:00 identified potential patch for CVE-2023-39353/freerdp2 - - - - - 21a3763b by Tobias Frost at 2023-10-03T12:48:48+02:00 Potential patch for CVE-2023-39350/freerdp2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -4484,12 +4484,14 @@ CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f + NOTE: likely this patch: https://github.com/FreeRDP/FreeRDP/commit/efa0567c02 CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj CVE-2023-39351 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq + NOTE: Potential patch: https://github.com/FreeRDP/FreeRDP/commit/99e243c CVE-2023-39350 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c2b71f3c44137ae6d6ac58d22dbfcb84c574dae7...21a3763b73989d103f2ed6d6b4524bfa8a9c98d7
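Review bot: the second commit's message says "Potential patch for CVE-2023-39350/freerdp2", but the added line "NOTE: Potential patch: https://github.com/FreeRDP/FreeRDP/commit/99e243c" sits under CVE-2023-39351 (GHSA-q9x9-cqjc-rgwq), with the CVE-2023-39350 entry starting right after it; either the commit message or the placement is wrong, so check which advisory 99e243c addresses and move the NOTE if needed. The revert that appears earlier on this page only removes the CVE-2023-39353 "likely this patch" line and leaves this one in place, so it is not covered by that correction. Both new notes also cite abbreviated hashes (efa0567c02, 99e243c) while the other entries on this page use full 40-character commit ids, which stay unambiguous as the upstream repository grows; prefer the full hash.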
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5345/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c2b71f3c by Salvatore Bonaccorso at 2023-10-03T11:16:14+02:00 Add CVE-2023-5345/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ CVE-2023-5345 (A use-after-free vulnerability in the Linux kernel's fs/smb/client com ...) - TODO: check + - linux + NOTE: https://git.kernel.org/linus/e6e43b8aa7cd3c3af686caf0c2e11819a886d705 + NOTE: https://kernel.dance/#e6e43b8aa7cd3c3af686caf0c2e11819a886d705 CVE-2023-5344 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) TODO: check CVE-2023-5334 (The WP Responsive header image slider plugin for WordPress is vulnerab ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2b71f3c44137ae6d6ac58d22dbfcb84c574dae7
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e4d62489 by Salvatore Bonaccorso at 2023-10-03T10:31:18+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2023-5345 (A use-after-free vulnerability in the Linux kernel's fs/smb/clien CVE-2023-5344 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) TODO: check CVE-2023-5334 (The WP Responsive header image slider plugin for WordPress is vulnerab ...) - TODO: check + NOT-FOR-US: WP Responsive header image slider plugin for WordPress CVE-2023-5290 REJECTED CVE-2023-5160 (Mattermost fails to check the Show Full Name option at the /api/v4/tea ...) 
@@ -13,53 +13,53 @@ CVE-2023-5106 (An issue has been discovered in Ultimate-licensed GitLab EE affec CVE-2023-4659 (Cross-Site Request Forgery vulnerability, whose exploitation could all ...) TODO: check CVE-2023-44479 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jim ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44477 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44474 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in MD Jakir ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44463 (An issue was discovered in pretix before 2023.7.1. Incorrect parsing o ...) TODO: check CVE-2023-44266 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jewe ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44265 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44264 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44263 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Riya ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44262 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Renz ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44245 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Leap Con ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44244 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44242 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44239 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jobi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44230 (Auth. 
(admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44228 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44218 (A flaw within the SonicWall NetExtender Pre-Logon feature enables an u ...) - TODO: check + NOT-FOR-US: SonicWall CVE-2023-44217 (A local privilege escalation vulnerability in SonicWall Net Extender M ...) - TODO: check + NOT-FOR-US: SonicWall CVE-2023-44145 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in jesw ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44144 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Dreamfox ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44012 (Cross Site Scripting vulnerability in mojoPortal v.2.7.0.0 allows a re ...) - TODO: check + NOT-FOR-US: mojoPortal CVE-2023-44011 (An issue in mojoPortal v.2.7.0.0 allows a remote attacker to execute a ...) - TODO: check + NOT-FOR-US: mojoPortal CVE-2023-44009 (File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote atta ...) - TODO: check + NOT-FOR-US: mojoPortal CVE-2023-44008 (File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote atta ...) - TODO: check + NOT-FOR-US: mojoPortal CVE-2023-43980 (Presto Changeo testsitecreator up to v1.1.1 was discovered to contain ...) - TODO: check + NOT-FOR-US: Presto Changeo testsitecreator CVE-2023-43893 (Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection v ...) TODO: check CVE-2023-43892 (Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection v ...) @@ -69,9 +69,9 @@ CVE-2023-43891 (Netis N3Mv2-V1.0.1.865 was discovered to contain a command injec CVE-2023-43890 (Netis N3Mv2-V1.0.1.865 was discovered to
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cbf9ed4d by security tracker role at 2023-10-03T08:12:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,153 @@ +CVE-2023-5345 (A use-after-free vulnerability in the Linux kernel's fs/smb/client com ...) + TODO: check +CVE-2023-5344 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) + TODO: check +CVE-2023-5334 (The WP Responsive header image slider plugin for WordPress is vulnerab ...) + TODO: check +CVE-2023-5290 + REJECTED +CVE-2023-5160 (Mattermost fails to check the Show Full Name option at the /api/v4/tea ...) + TODO: check +CVE-2023-5106 (An issue has been discovered in Ultimate-licensed GitLab EE affecting ...) + TODO: check +CVE-2023-4659 (Cross-Site Request Forgery vulnerability, whose exploitation could all ...) + TODO: check +CVE-2023-44479 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jim ...) + TODO: check +CVE-2023-44477 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) + TODO: check +CVE-2023-44474 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in MD Jakir ...) + TODO: check +CVE-2023-44463 (An issue was discovered in pretix before 2023.7.1. Incorrect parsing o ...) + TODO: check +CVE-2023-44266 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jewe ...) + TODO: check +CVE-2023-44265 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi ...) + TODO: check +CVE-2023-44264 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) + TODO: check +CVE-2023-44263 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Riya ...) + TODO: check +CVE-2023-44262 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Renz ...) + TODO: check +CVE-2023-44245 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Leap Con ...) + TODO: check +CVE-2023-44244 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugi ...) + TODO: check +CVE-2023-44242 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) + TODO: check +CVE-2023-44239 (Auth. 
(admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jobi ...) + TODO: check +CVE-2023-44230 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi ...) + TODO: check +CVE-2023-44228 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi ...) + TODO: check +CVE-2023-44218 (A flaw within the SonicWall NetExtender Pre-Logon feature enables an u ...) + TODO: check +CVE-2023-44217 (A local privilege escalation vulnerability in SonicWall Net Extender M ...) + TODO: check +CVE-2023-44145 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in jesw ...) + TODO: check +CVE-2023-44144 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Dreamfox ...) + TODO: check +CVE-2023-44012 (Cross Site Scripting vulnerability in mojoPortal v.2.7.0.0 allows a re ...) + TODO: check +CVE-2023-44011 (An issue in mojoPortal v.2.7.0.0 allows a remote attacker to execute a ...) + TODO: check +CVE-2023-44009 (File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote atta ...) + TODO: check +CVE-2023-44008 (File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote atta ...) + TODO: check +CVE-2023-43980 (Presto Changeo testsitecreator up to v1.1.1 was discovered to contain ...) + TODO: check +CVE-2023-43893 (Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection v ...) + TODO: check +CVE-2023-43892 (Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection v ...) + TODO: check +CVE-2023-43891 (Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection v ...) + TODO: check +CVE-2023-43890 (Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection v ...) + TODO: check +CVE-2023-43836 (There is a SQL injection vulnerability in the Jizhicms 2.4.9 backend, ...) + TODO: check +CVE-2023-43835 (Super Store Finder 3.7 and below is vulnerable to authenticated Arbitr ...) + TODO: check +CVE-2023-43627 (Path traversal vulnerability in ACERA 1320 firmware ver.01.26 and earl ...) 
+ TODO: check +CVE-2023-43361 (Buffer Overflow vulnerability in Vorbis-tools v.1.4.2 allows a local a ...) + TODO: check +CVE-2023-43297 (An issue in animal-art-lab v13.6.1 allows attackers to send crafted no ...) + TODO: check +CVE-2023-43268 (Deyue Remote Vehicle Management System v1.1 was discovered to contain ...) + TODO: check +CVE-2023-43267 (A cross-site scripting (XSS) vulnerability
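Review bot: the import leaves every new entry at TODO: check, which is expected for the automatic update, but three of them name software Debian ships and should be triaged ahead of the rest: CVE-2023-5345 (Linux kernel fs/smb/client use-after-free), CVE-2023-5344 (vim heap-based buffer overflow) and CVE-2023-43361 (Vorbis-tools buffer overflow). Each needs a source-package line (`- linux`, `- vim`, `- vorbis-tools`) with the fixed version or `<unfixed>` and a NOTE pointing at the upstream fix, and the kernel one in particular should be checked against the LTS branches since the affected path only exists on newer kernels. The WordPress plugin entries (CVE-2023-5334, CVE-2023-44479 and the run of Stored/Reflected XSS IDs) can be batch-closed as `NOT-FOR-US: WordPress plugin`, as the previous triage commit did for the same class. CVE-2023-5290 arriving as `REJECTED` with no description is the correct form.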
[Git][security-tracker-team/security-tracker][master] lts: mark CVE-2021-28025/qt4-x11 as no-dsa on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c002401 by Emilio Pozuelo Monfort at 2023-10-03T09:03:11+02:00 lts: mark CVE-2021-28025/qt4-x11 as no-dsa on buster It's likely fixed, but there's no point in having it listed in dla-needed indefinitely. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -179627,6 +179627,7 @@ CVE-2021-28025 (Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg ve [bullseye] - qtsvg-opensource-src (Minor issue) [buster] - qtsvg-opensource-src (Minor issue) - qt4-x11 + [buster] - qt4-x11 (Minor issue) NOTE: https://bugreports.qt.io/browse/QTBUG-91507 NOTE: https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=7bbf88403fd2d1fe79fab7c8e469f8aeafeb7372 (v5.15.4-lts-lgpl) NOTE: Potentially to be considered a duplicte of CVE-2021-3481, ongoing clarification = data/dla-needed.txt = @@ -154,10 +154,6 @@ qemu (Sean Whitton) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Consider fixing postponed issues as well. (apo) -- -qt4-x11 - NOTE: 20230822: Re-added for one remaining open CVE (roberto) - NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, fix or remove entry from this file (roberto) --- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c0024016213ebcb9f4f72ef8118322e005e5b71 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
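Review bot: the new `[buster] - qt4-x11 (Minor issue)` line records only the no-dsa tag, while the rationale in the commit message is that the issue is probably already fixed in qt4-x11; the existing NOTE lines reference only the qtsvg 5 fix (QTBUG-91507 and the qtsvg.git commit for v5.15.4-lts-lgpl), so nothing on the entry says why the Qt 4 copy of qsvghandler.cpp is believed safe. Adding a NOTE with the qt4-x11 version or upstream change that is thought to cover it would let the next reader close this without redoing the analysis, especially since the dla-needed.txt hunk removes roberto's reminder that CVE-2021-28025 may be a duplicate of CVE-2021-3481 and that the entry should be fixed or dropped once that is resolved. If the duplicate question is settled the cleaner end state is to mark it as such in data/CVE/list rather than carry a permanent "Minor issue" tag; if not, "ongoing clarification" in the third NOTE is now the only trace that it is still open.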