[Git][security-tracker-team/security-tracker][master] CVE-2018-20060/python-urllib3: Improve note wording.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: b27d4ca9 by Guilhem Moulin at 2023-10-08T03:14:33+02:00 CVE-2018-20060/python-urllib3: Improve note wording. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -333772,7 +333772,7 @@ CVE-2018-20060 (urllib3 before version 1.23 does not remove the Authorization HT NOTE: https://github.com/urllib3/urllib3/commit/63948f3a607ed8e7a3ce9ac4e20782359896e27e NOTE: https://github.com/urllib3/urllib3/commit/560bd227b90f74417ffaedebf5f8d05a8ee4f532 NOTE: Fixed upstream in 1.23 - NOTE: Lowercase headers were not removed until 1.24.2: https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc + NOTE: https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (follow-up for lowercase headers, 1.24.2) CVE-2018-20059 (jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.) NOT-FOR-US: Pippo CVE-2018-20058 (In Evernote before 7.6 on macOS, there is a local file path traversal ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b27d4ca9e1eae02519014df08cd1720d5aaa7b1f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b27d4ca9e1eae02519014df08cd1720d5aaa7b1f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
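Review bot: the reworded note drops the explicit statement that releases from 1.23 up to 1.24.2 still leave a lowercase `authorization` header in place on redirect, and sitting directly under `NOTE: Fixed upstream in 1.23` the new `(follow-up for lowercase headers, 1.24.2)` reads like a cosmetic follow-up rather than a residual exposure. Suggest keeping the affected range explicit, e.g. `(follow-up: lowercase authorization header not stripped until 1.24.2)`, so a reader of the tracker entry alone can tell that 1.23 to 1.24.1 are only partially fixed.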
[Git][security-tracker-team/security-tracker][master] CVE-2018-20060/python-urllib3: Add note for lowercase headers.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 32641f68 by Guilhem Moulin at 2023-10-08T02:08:27+02:00 CVE-2018-20060/python-urllib3: Add note for lowercase headers. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -333772,6 +333772,7 @@ CVE-2018-20060 (urllib3 before version 1.23 does not remove the Authorization HT NOTE: https://github.com/urllib3/urllib3/commit/63948f3a607ed8e7a3ce9ac4e20782359896e27e NOTE: https://github.com/urllib3/urllib3/commit/560bd227b90f74417ffaedebf5f8d05a8ee4f532 NOTE: Fixed upstream in 1.23 + NOTE: Lowercase headers were not removed until 1.24.2: https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc CVE-2018-20059 (jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.) NOT-FOR-US: Pippo CVE-2018-20058 (In Evernote before 7.6 on macOS, there is a local file path traversal ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32641f687c9fdd7ea89d39eb20785158f2e6d0c5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32641f687c9fdd7ea89d39eb20785158f2e6d0c5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take krb5
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab22b739 by Adrian Bunk at 2023-10-08T02:30:13+03:00 dla: take krb5 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -103,7 +103,7 @@ inetutils (guilhem) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) -- -krb5 +krb5 (Adrian Bunk) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab22b739c230d3a5fc7f4bf2f093a21bd52acfcd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab22b739c230d3a5fc7f4bf2f093a21bd52acfcd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-5312 (Rejected, duplicate of CVE-2023-43226)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 31bea454 by Salvatore Bonaccorso at 2023-10-07T23:06:16+02:00 Remove notes from CVE-2023-5312 (Rejected, duplicate of CVE-2023-43226) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -117,7 +117,6 @@ CVE-2023-5441 (NULL Pointer Dereference in GitHub repository vim/vim prior to 20 NOTE: Crash in CLI tool, no security impact CVE-2023-5312 REJECTED - NOT-FOR-US: DedeCMS CVE-2023-45243 (Sensitive information disclosure due to missing authorization. The fol ...) NOT-FOR-US: Acronis CVE-2023-45242 (Sensitive information disclosure due to missing authorization. The fol ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31bea45458f988b1020e063f82dced4522e6ea24 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31bea45458f988b1020e063f82dced4522e6ea24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a01731b by security tracker role at 2023-10-07T20:12:31+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -115,7 +115,8 @@ CVE-2023-5441 (NULL Pointer Dereference in GitHub repository vim/vim prior to 20 NOTE: https://huntr.dev/bounties/b54cbdf5-3e85-458d-bb38-9ea2c0b669f2 NOTE: https://github.com/vim/vim/commit/20d161ace307e28690229b68584f2d84556f8960 (v9.0.1992) NOTE: Crash in CLI tool, no security impact -CVE-2023-5312 (A vulnerability classified as critical has been found in DedeCMS 5.7.1 ...) +CVE-2023-5312 + REJECTED NOT-FOR-US: DedeCMS CVE-2023-45243 (Sensitive information disclosure due to missing authorization. The fol ...) NOT-FOR-US: Acronis 
@@ -5205,39 +5206,47 @@ CVE-2023-41044 (Graylog is a free and open log management platform. A partial pa CVE-2023-41034 (Eclipse Leshan is a device management server and client Java implement ...) NOT-FOR-US: Eclipse Leshan CVE-2023-40589 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) + {DLA-3606-1} - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gc34-mw6m-g42x NOTE: https://github.com/FreeRDP/FreeRDP/commit/16141a30f983dd6f7a6e5b0356084171942c9416 (3.0.0-beta3) NOTE: https://github.com/FreeRDP/FreeRDP/commit/c659973bb4cd65c065f2fe1a807dbc6805c684c6 (2.11.0) CVE-2023-39356 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) + {DLA-3606-1} - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m NOTE: https://github.com/FreeRDP/FreeRDP/commit/889348a86e49bc8f1351ed6496d847b32db5f86e (2.11.0) NOTE: https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46 (2.11.1) CVE-2023-39355 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) + {DLA-3606-1} - freerdp2 (Vulnerable code not present) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hvwj-vmg6-2f5h NOTE: https://github.com/FreeRDP/FreeRDP/commit/d6f9d33a7db0b346195b6a15b5b99944ba41beee (3.0.0-beta3) CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) + {DLA-3606-1} - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c3r2-pxxp-f8r6 NOTE: https://github.com/FreeRDP/FreeRDP/commit/82ac0164f330c08ddd9a6ef6f3dbf846c4b79def (2.11.0) NOTE: https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a (2.11.0) CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) 
+ {DLA-3606-1} - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f NOTE: https://github.com/FreeRDP/FreeRDP/commit/efa0567c027239b901ccdc590b9e229e0111c68b (2.11.0) NOTE: https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a (2.11.0) CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) + {DLA-3606-1} - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj NOTE: https://github.com/FreeRDP/FreeRDP/commit/7daaba3c1411f71ac7260d01216ab8f8d3687c65 (3.0.0-beta1) NOTE: https://github.com/FreeRDP/FreeRDP/commit/856ecaa463e963ecfebc9734423d69139e7b3916 (2.11.0) CVE-2023-39351 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) + {DLA-3606-1} - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq NOTE: https://github.com/FreeRDP/FreeRDP/commit/99e243cdbc31f66b5c917452c8fed3276e8bdcd5 (2.11.0) CVE-2023-39350 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) + {DLA-3606-1} - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh NOTE: https://github.com/FreeRDP/FreeRDP/commit/7ece410ce5b5660b9191e1ccb6835158afa11822 (2.11.0) @@ -5437,6 +5446,7 @@ CVE-2023-40592 (In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an CVE-2023-40582 (find-exec is a utility to discover available shell commands. Versions ...) NOT-FOR-US: Node find-exec CVE-2023-40188 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) + {DLA-3606-1} - freerdp2
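Review bot: in the first hunk the CVE-2023-5312 entry keeps `NOT-FOR-US: DedeCMS` under the newly added `REJECTED` line; a rejected CVE should carry no package-status line, so that line should go as well (the later commit 31bea454 on this page does exactly that).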
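Review bot: in the @@ -5205 hunk, CVE-2023-39355 receives `{DLA-3606-1}` while its package line still reads `- freerdp2 (Vulnerable code not present)`, so the advisory is now recorded as fixing an issue the tracker says never affected freerdp2. As this is an automatic update, the inconsistency has to be resolved at the source: either drop CVE-2023-39355 from the DLA-3606-1 CVE list in data/DLA/list, or, if buster's freerdp2 was affected after all, correct the package line so the two records agree.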
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2010-1765
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 69ee7d24 by Salvatore Bonaccorso at 2023-10-07T22:07:09+02:00 Remove notes from CVE-2010-1765 The assigning CNA decided to not use the CVE. For Debian context it has almost no impact as for webkit it was anyway not-affected and for chromium-browser affecting an ancient version fixed with 5.0.375.55~r47796-1 . As the CVE is officially rejected and we did not use it still in an advisory, it does not make sense to keep the association. Drop the notes. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -586498,10 +586498,6 @@ CVE-2010-1766 (Off-by-one error in the WebSocketHandshake::readServerHandshake f NOTE: http://trac.webkit.org/changeset/56380 CVE-2010-1765 REJECTED - - webkit (doesn't include cf code) - - chromium-browser 5.0.375.55~r47796-1 - NOTE: https://bugs.webkit.org/show_bug.cgi?id=37933 - NOTE: http://trac.webkit.org/changeset/57995 CVE-2010-1764 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69ee7d242929f6dacaa5b1b25cfaa852ee82b590 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69ee7d242929f6dacaa5b1b25cfaa852ee82b590 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-2222
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c2335304 by Salvatore Bonaccorso at 2023-10-07T22:04:26+02:00 Remove notes from CVE-2023- CVE got rejected with reason: This was deemed not a security vulnerability by upstream. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20562,12 +20562,8 @@ CVE-2023-2224 (The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise NOT-FOR-US: WordPress plugin CVE-2023-2223 (The Login rebuilder WordPress plugin before 2.8.1 does not sanitise an ...) NOT-FOR-US: WordPress plugin -CVE-2023- [objdump SEGV in concat_filename() at dwarf2.c:2060] +CVE-2023- REJECTED - - binutils 2.39.50.20221224-1 (unimportant) - NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29936 - NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8af23b30edbaedf009bc9b243cd4dfa10ae1ac09 - NOTE: binutils not covered by security support CVE-2023-2221 (The WP Custom Cursors WordPress plugin before 3.2 does not properly sa ...) NOT-FOR-US: WordPress plugin CVE-2022-4944 (A vulnerability, which was classified as problematic, has been found i ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c23353042ff5eb8660d874b51d723d535fce7540 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c23353042ff5eb8660d874b51d723d535fce7540 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-32302 as CVE is rejected
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b20fbb6 by Salvatore Bonaccorso at 2023-10-07T22:03:15+02:00 Remove notes from CVE-2023-32302 as CVE is rejected Link: https://github.com/github/advisory-database/pull/2575#issuecomment-1745811653 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9507,7 +9507,6 @@ CVE-2023-33493 (An Unrestricted Upload of File with Dangerous Type vulnerability NOT-FOR-US: Prestashop addon CVE-2023-32302 REJECTED - NOT-FOR-US: Silverstripe Framework CVE-2023-31710 (TP-Link Archer AX21(US)_V3_1.1.4 Build 20230219 and AX21(US)_V3.6_1.1. ...) NOT-FOR-US: TP-Link CVE-2023-4058 (Memory safety bugs present in Firefox 115. Some of these bugs showed e ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b20fbb6ff59f8f23f9c53f447f184f2d7118f8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b20fbb6ff59f8f23f9c53f447f184f2d7118f8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-4567
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fc7ac2df by Salvatore Bonaccorso at 2023-10-07T21:59:06+02:00 Remove notes from CVE-2023-4567 The CVE got rejected, with reason: Issue has been found to be non-reproducible, therefore not a viable flaw.. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5880,11 +5880,6 @@ CVE-2023-4569 (A memory leak flaw was found in nft_set_catchall_flush in net/net NOTE: https://git.kernel.org/linus/90e5b3462efa37b8bba82d7c4e63683856e188af (6.5-rc7) CVE-2023-4567 REJECTED - - ansible (bug #1051725) - [bookworm] - ansible (Minor issue) - [bullseye] - ansible (Minor issue) - [buster] - ansible (Minor issue) - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2235369 CVE-2023-4563 REJECTED CVE-2023-41109 (SmartNode SN200 (aka SN200) 3.21.2-23021 allows unauthenticated OS Com ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc7ac2df95cc85d80a79120e94d3fcac52831b1f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc7ac2df95cc85d80a79120e94d3fcac52831b1f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove pending ceph from bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5979df9 by Salvatore Bonaccorso at 2023-10-07T21:03:16+02:00 Remove pending ceph from bullseye-pu As maintainer has not followed up on question from release team #1026078 is now closed. Can be respined again with fresh updates. - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -6,8 +6,6 @@ CVE-2023-29499 [bullseye] - glib2.0 2.66.8-1+deb11u1 CVE-2023-5157 [bullseye] - galera-4 26.4.14-0+deb11u1 -CVE-2022-3650 - [bullseye] - ceph 14.2.21-1+deb11u1 CVE-2021-32718 [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 CVE-2021-32719 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5979df94dccd7eb857193516607c1799a01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5979df94dccd7eb857193516607c1799a01 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Record gst-plugins-bad1.0 fixed in 1.22.6 directly
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6373883c by Salvatore Bonaccorso at 2023-10-07T20:55:56+02:00 Record gst-plugins-bad1.0 fixed in 1.22.6 directly - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1416,18 +1416,21 @@ CVE-2023-40476 [Integer overflow in H.265 video parser leading to stack overwrit NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0008.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364 NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9 + NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fddda166222a067d0e511950a0a8cfb9f5a521b7 (1.22.6) CVE-2023-40475 [Integer overflow leading to heap overwrite in MXF file handling with AES3 audio] - gst-plugins-bad1.0 (bug #1053260) - gst-plugins-bad0.10 NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0007.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362 NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/72742dee30cce7bf909639f82de119871566ce39 + NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1edd1c38dcc5d27e7c5649d999ee8278872a16d4 (1.22.6) CVE-2023-40474 [Integer overflow leading to heap overwrite in MXF file handling with uncompressed video] - gst-plugins-bad1.0 (bug #1053261) - gst-plugins-bad0.10 NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0006.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362 NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ce17e968e4cf900d28ca5b46f6e095febc42b4f0 + NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f73fc41f2ca6a0cd4e883aee64bf8e1c15ff68ce (1.22.6) CVE-2023-5236 NOT-FOR-US: Infinispan CVE-2023-5223 (A vulnerability, which was classified as critical, has been found in H ...) 
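Review bot: the three added `NOTE: Fixed by: ... (1.22.6)` lines record the upstream commits, but the package lines directly beneath them (`- gst-plugins-bad1.0 (bug #1053260)` and `- gst-plugins-bad1.0 (bug #1053261)`) still carry no fixed Debian version, so the tracker status does not yet reflect the "fixed in 1.22.6" of the commit title. If 1.22.6 has not been uploaded yet that is correct as is; otherwise the fixed version should be added in the same commit, and the unversioned `- gst-plugins-bad0.10` lines deserve a status note of their own.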
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6373883c2ce755a9bc0f6b57625d15b10baefdfe

[Git][security-tracker-team/security-tracker][master] Readd freerdp2, missed a few CVEs.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 3444d5a6 by Tobias Frost at 2023-10-07T20:14:56+02:00 Readd freerdp2, missed a few CVEs. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,6 +83,11 @@ freeimage (gladk) NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll NOTE: 20230826: out the DLA/ELA now. (utkarsh) -- +freerdp2 (tobi) + NOTE: 20230924: Added by Front-Desk (apo) + NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo) + NOTE: 20231007: First round done, unfortunatly missed a few CVES while updating, will do an follow up. +-- gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230928: Added by Frond-Desk (ola) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3444d5a6def9296e8850bbd238a395e894d40930 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3444d5a6def9296e8850bbd238a395e894d40930 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
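Review bot: the added `NOTE: 20231007:` line has several typos ("unfortunatly", "CVES", "an follow up"); since these NOTE lines are read by whoever picks the package up next, suggest `NOTE: 20231007: First round done, unfortunately missed a few CVEs while updating, will do a follow-up. (tobi)`, including the author tag that the other NOTE lines in this file carry.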
[Git][security-tracker-team/security-tracker][master] DLA-3606-1 Fix wrong number in CVE, paste error
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: a2b73022 by Tobias Frost at 2023-10-07T20:12:43+02:00 DLA-3606-1 Fix wrong number in CVE, paste error s/CVE-2023-39357/CVE-2023-40567/ - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = 
@@ -3,7 +3,7 @@ [07 Oct 2023] DLA-3607-1 gnome-boxes - security update [buster] - gnome-boxes 3.30.3-2+deb10u1 [07 Oct 2023] DLA-3606-1 freerdp2 - security update - {CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 CVE-2020-11017 CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 CVE-2020-11039 CVE-2020-11040 CVE-2020-11041 CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 CVE-2020-11046 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 CVE-2020-11089 CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098 CVE-2020-11099 CVE-2020-13396 CVE-2020-13397 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-39357 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 CVE-2023-40569 CVE-2023-40589} + {CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 CVE-2020-11017 CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 CVE-2020-11039 CVE-2020-11040 CVE-2020-11041 CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 CVE-2020-11046 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 CVE-2020-11089 CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098 CVE-2020-11099 CVE-2020-13396 CVE-2020-13397 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-40567 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 CVE-2023-40569 CVE-2023-40589} [buster] - freerdp2 2.3.0+dfsg1-2+deb10u3 [06 Oct 2023] DLA-3605-1 grub2 - security update {CVE-2023-4692 CVE-2023-4693} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2b73022165519a316d238c97c4edd2e0bf1952c
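Review bot: after the in-place `s/CVE-2023-39357/CVE-2023-40567/` the DLA-3606-1 CVE list is no longer in numerical order (CVE-2023-40567 now sits between CVE-2023-39356 and CVE-2023-40181); moving it after CVE-2023-40189's neighbours, i.e. to the end after CVE-2023-40569, keeps the list sorted like the rest of data/DLA/list. It is also worth confirming that the next automatic update of data/CVE/list drops the `{DLA-3606-1}` marker from CVE-2023-39357 and adds it to CVE-2023-40567, since that file is derived from this one.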
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3608-1 for vinagre
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: c0436bd8 by Tobias Frost at 2023-10-07T19:35:16+02:00 Reserve DLA-3608-1 for vinagre - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[07 Oct 2023] DLA-3608-1 vinagre - security update + [buster] - vinagre 3.22.0-6+deb10u1 [07 Oct 2023] DLA-3607-1 gnome-boxes - security update [buster] - gnome-boxes 3.30.3-2+deb10u1 [07 Oct 2023] DLA-3606-1 freerdp2 - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0436bd84fdbee04476a2e3ee22cf1cb8ff043e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0436bd84fdbee04476a2e3ee22cf1cb8ff043e4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3607-1 for gnome-boxes
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fad6642 by Tobias Frost at 2023-10-07T19:34:57+02:00 Reserve DLA-3607-1 for gnome-boxes - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[07 Oct 2023] DLA-3607-1 gnome-boxes - security update + [buster] - gnome-boxes 3.30.3-2+deb10u1 [07 Oct 2023] DLA-3606-1 freerdp2 - security update {CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 CVE-2020-11017 CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 CVE-2020-11039 CVE-2020-11040 CVE-2020-11041 CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 CVE-2020-11046 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 CVE-2020-11089 CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098 CVE-2020-11099 CVE-2020-13396 CVE-2020-13397 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-39357 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 CVE-2023-40569 CVE-2023-40589} [buster] - freerdp2 2.3.0+dfsg1-2+deb10u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fad6642f5b4c4f089948350d5cce45e2302f0d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fad6642f5b4c4f089948350d5cce45e2302f0d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3606-1 for freerdp2
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 39e68e24 by Tobias Frost at 2023-10-07T19:34:11+02:00 Reserve DLA-3606-1 for freerdp2 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -242062,7 +242062,6 @@ CVE-2020-15104 (In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when - envoyproxy (bug #987544) CVE-2020-15103 (In FreeRDP less than or equal to 2.1.2, an integer overflow exists due ...) - freerdp2 2.2.0+dfsg1-1 (bug #965979) - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Vulnerable gfx code not present) NOTE: https://github.com/FreeRDP/FreeRDP/pull/6381 @@ -246924,19 +246923,16 @@ CVE-2020-13399 CVE-2020-13398 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB ...) {DLA-2356-1} - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/commit/8305349a943c68b1bc8c158f431dc607655aadea CVE-2020-13397 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB ...) {DLA-2356-1} - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/commit/d6cd14059b257318f176c0ba3ee0a348826a9ef8 CVE-2020-13396 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB ...) {DLA-2356-1} - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/commit/48361c411e50826cb602c7aab773a8a20e1da6bc CVE-2020-13395 
@@ -254026,29 +254022,24 @@ CVE-2016-11023 (odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection NOT-FOR-US: odata4j CVE-2020-11099 (In FreeRDP before version 2.1.2, there is an out of bounds read in lic ...) - freerdp2 2.1.2+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-977w-866x-4v5h CVE-2020-11098 (In FreeRDP before version 2.1.2, there is an out-of-bound read in glyp ...) - freerdp2 2.1.2+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jr57-f58x-hjmv CVE-2020-11097 (In FreeRDP before version 2.1.2, an out of bounds read occurs resultin ...) - freerdp2 2.1.2+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c8x2-c3c9-9r3f CVE-2020-11096 (In FreeRDP before version 2.1.2, there is a global OOB read in update_ ...) - freerdp2 2.1.2+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mjw7-3mq2-996x CVE-2020-11095 (In FreeRDP before version 2.1.2, an out of bound reads occurs resultin ...) - freerdp2 2.1.2+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-563r-pvh7-4fw2 
@@ -254064,30 +254055,25 @@ CVE-2020-11090 (In Indy Node 1.12.2, there is an Uncontrolled Resource Consumpti NOT-FOR-US: Indy Node CVE-2020-11089 (In FreeRDP before 2.1.0, there is an out-of-bound read in irp function ...) - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hfc7-c5gv-8c2h CVE-2020-11088 (In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read ...) - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xh4f-fh87-43hp CVE-2020-11087 (In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read ...) - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-84vj-g73m-chw7 CVE-2020-11086 (In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read ...) - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fg8v-w34r-c974 CVE-2020-11085 (In FreeRDP before 2.1.0, there is an out-of-bounds read in cliprdr_rea ...) - freerdp2 2.1.1+dfsg1-1 -
[Git][security-tracker-team/security-tracker][master] CVE-2021-33503/python-urllib3: Versions <1.25.4 are unaffected.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 505f879c by Guilhem Moulin at 2023-10-07T18:49:49+02:00 CVE-2021-33503/python-urllib3: Versions 1.25.4 are unaffected. Per upstream advisory at https://github.com/advisories/GHSA-q2q7-5pp4-w6pg . Likely introduced in https://github.com/urllib3/urllib3/commit/5b047b645f5f93900d5e2fc31230848c25eb1f5f . - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -165855,8 +165855,8 @@ CVE-2021-33504 (Couchbase Server before 7.1.0 has Incorrect Access Control.) NOT-FOR-US: Couchbase Server CVE-2021-33503 (An issue was discovered in urllib3 before 1.26.5. When provided with a ...) - python-urllib3 1.26.5-1~exp1 (bug #989848) - [buster] - python-urllib3 (Minor issue) - [stretch] - python-urllib3 (Intrusive to backport) + [buster] - python-urllib3 (Vulnerable code introduced later) + [stretch] - python-urllib3 (Vulnerable code introduced later) NOTE: https://github.com/advisories/GHSA-q2q7-5pp4-w6pg NOTE: https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec CVE-2021-33502 (The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x befo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/505f879cccf65c19953e8542097be5f0f832a288 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/505f879cccf65c19953e8542097be5f0f832a288 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
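Review bot: the two replaced lines in @@ -165855,8 +165855,8 @@ switch buster and stretch to `(Vulnerable code introduced later)`, but the evidence for that claim, the upstream advisory's version bound and the introducing commit 5b047b645f5f93900d5e2fc31230848c25eb1f5f named in the commit message, is not recorded in the entry itself; add it next to the existing advisory and fix-commit NOTEs, for example `NOTE: Likely introduced by: https://github.com/urllib3/urllib3/commit/5b047b645f5f93900d5e2fc31230848c25eb1f5f`, in the `Introduced by:` form the php entry on this page uses, so a later reader can check the not-affected status against the buster and stretch package versions without re-deriving it.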
[Git][security-tracker-team/security-tracker][master] lts: take curl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: ca4b9e0d by Emilio Pozuelo Monfort at 2023-10-07T18:43:54+02:00 lts: take curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -50,9 +50,10 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -curl +curl (Emilio) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (3 CVEs) (Beuc/front-desk) + NOTE: 20231007: upcoming high severity CVE (pochu) -- dbus (Emilio) NOTE: 20231007: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca4b9e0d9e0f4ba6f49b07746586f36c66a77b00 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca4b9e0d9e0f4ba6f49b07746586f36c66a77b00 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
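Review bot: the added `NOTE: 20231007: upcoming high severity CVE (pochu)` in @@ -50,9 +50,10 @@ names no identifier or reference, which is understandable before publication, but the entry should be updated with the CVE id once it is public so that it matches the other NOTEs in this file, which point at a concrete point release or DLA; also, the claim line now reads `curl (Emilio)` while the note is signed `(pochu)`, and since the push is by Emilio Pozuelo Monfort these look like two handles for one person, so using one of them consistently would make grepping dla-needed.txt for a claimant's work reliable.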
[Git][security-tracker-team/security-tracker][master] lts: take dbus
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 39cc5aad by Emilio Pozuelo Monfort at 2023-10-07T18:42:12+02:00 lts: take dbus - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,7 +54,7 @@ curl NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (3 CVEs) (Beuc/front-desk) -- -dbus +dbus (Emilio) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39cc5aadfd80c384cd1cba2007220167e6e745bb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39cc5aadfd80c384cd1cba2007220167e6e745bb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim inetutils in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 4638c324 by Guilhem Moulin at 2023-10-07T18:21:51+02:00 LTS: claim inetutils in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -97,7 +97,7 @@ imagemagick NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- -inetutils +inetutils (guilhem) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4638c324db933f4e1e60f91c6bb9bc031aca2b54 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4638c324db933f4e1e60f91c6bb9bc031aca2b54 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 5 commits: dla: add batik
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 55830c5a by Sylvain Beucler at 2023-10-07T18:06:48+02:00 dla: add batik - - - - - 31b4dd45 by Sylvain Beucler at 2023-10-07T18:06:48+02:00 dla: add dbus - - - - - db4400b6 by Sylvain Beucler at 2023-10-07T18:06:48+02:00 dla: add krb5 - - - - - 87f0b2c1 by Sylvain Beucler at 2023-10-07T18:06:48+02:00 dla: add inetutils - - - - - e0917b19 by Sylvain Beucler at 2023-10-07T18:06:48+02:00 dla: add org-mode - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -32,6 +32,10 @@ audiofile axis (Adrian Bunk) NOTE: 20230924: Added by Front-Desk (apo) -- +batik + NOTE: 20231007: Added by Front-Desk (Beuc) + NOTE: 20231007: Follow fixes from bullseye 11.8 (2 CVEs) (Beuc/front-desk) +-- bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) -- @@ -50,6 +54,10 @@ curl NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (3 CVEs) (Beuc/front-desk) -- +dbus + NOTE: 20231007: Added by Front-Desk (Beuc) + NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) +-- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) @@ -89,6 +97,14 @@ imagemagick NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- +inetutils + NOTE: 20231007: Added by Front-Desk (Beuc) + NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) +-- +krb5 + NOTE: 20231007: Added by Front-Desk (Beuc) + NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) +-- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to 
@@ -133,6 +149,10 @@ opendkim NOTE: 20230821: Added by Front-Desk (ta) NOTE: 20231006: Unfixed upstream as of today. (spwhitton) -- +org-mode + NOTE: 20231007: Added by Front-Desk (Beuc) + NOTE: 20231007: Cf. Debian 11.8 point release and DLA-3416-1 (Beuc/front-desk) +-- osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/562144ad247e3f656dda4922f7b3ffe818da1ee7...e0917b198a65bc15512cab14122fb6b6fa89212b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/562144ad247e3f656dda4922f7b3ffe818da1ee7...e0917b198a65bc15512cab14122fb6b6fa89212b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
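Review bot: the four new entries (batik, dbus, inetutils, krb5) each say `Follow fixes from bullseye 11.8 (N CVEs)` without listing the CVE ids, so whoever claims the package has to reconstruct the set from the bullseye 11.8 changelog; listing the ids in the NOTE, as the cinder context line does with `CVE-2023-2088`, would make the handover self-contained. The org-mode entry in @@ -133,6 +149,10 @@ instead cross-references DLA-3416-1 and the 11.8 point release; stating which CVE or regression the 11.8 update addresses would put it in the same shape as the other entries.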
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-43898/libstb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 562144ad by Salvatore Bonaccorso at 2023-10-07T17:06:51+02:00 Add Debian bug reference for CVE-2023-43898/libstb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -436,7 +436,7 @@ CVE-2023-43952 (SSCMS 7.2.2 was discovered to contain a stored cross-site script CVE-2023-43951 (SSCMS 7.2.2 was discovered to contain a cross-site scripting (XSS) vul ...) NOT-FOR-US: SSCMS CVE-2023-43898 (Nothings stb 2.28 was discovered to contain a Null Pointer Dereference ...) - - libstb + - libstb (bug #1053627) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) [buster] - libstb (Minor issue, DoS / clean crash) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/562144ad247e3f656dda4922f7b3ffe818da1ee7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/562144ad247e3f656dda4922f7b3ffe818da1ee7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-45322/libxml2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a506106f by Salvatore Bonaccorso at 2023-10-07T17:05:45+02:00 Add Debian bug reference for CVE-2023-45322/libxml2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2023-5182 (Sensitive data could be exposed in logs of subiquity version 23.09.1 a ...) TODO: check CVE-2023-45322 (libxml2 through 2.11.5 has a use-after-free that can only occur after ...) - - libxml2 + - libxml2 (bug #1053629) [bookworm] - libxml2 (Minor issue) [bullseye] - libxml2 (Minor issue) [buster] - libxml2 (Minor issue, very hard/unlikely to trigger) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a506106f5d909b57edf84597a21e190aba4f6209 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a506106f5d909b57edf84597a21e190aba4f6209 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-43804/python-urllib3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e31292b0 by Salvatore Bonaccorso at 2023-10-07T17:02:12+02:00 Add Debian bug reference for CVE-2023-43804/python-urllib3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -337,7 +337,7 @@ CVE-2023-44075 (Cross Site Scripting vulnerability in Small CRM in PHP v.3.0 all CVE-2023-43838 (An arbitrary file upload vulnerability in Personal Management System v ...) NOT-FOR-US: Personal Management System CVE-2023-43804 (urllib3 is a user-friendly HTTP client library for Python. urllib3 doe ...) - - python-urllib3 + - python-urllib3 (bug #1053626) NOTE: https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f NOTE: https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb (1.26.17) CVE-2023-43261 (An information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 b ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e31292b047be89ef14a5a2344e16baa55019080e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e31292b047be89ef14a5a2344e16baa55019080e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add curl
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ccea213d by Sylvain Beucler at 2023-10-07T16:57:02+02:00 dla: add curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,6 +46,10 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +curl + NOTE: 20231007: Added by Front-Desk (Beuc) + NOTE: 20231007: Follow fixes from bullseye 11.8 (3 CVEs) (Beuc/front-desk) +-- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccea213db201592daafc6fa68d69d6934a3b03fe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccea213db201592daafc6fa68d69d6934a3b03fe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-4900/php7.4: not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 49920c85 by Sylvain Beucler at 2023-10-07T16:23:04+02:00 CVE-2022-4900/php7.4: not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39369,10 +39369,11 @@ CVE-2022-4900 - php8.2 (Fixed before initial upload) - php7.4 [bullseye] - php7.4 (Minor issue, fix along in future update) - - php7.3 + - php7.3 NOTE: https://github.com/php/php-src/issues/8989 NOTE: https://github.com/php/php-src/pull/9000 NOTE: https://github.com/php/php-src/commit/789a37f14405e2d1a05a76c9fb4ed2d49d4580d5 (php-8.0.22RC1) + NOTE: Introduced by: https://github.com/php/php-src/commit/82effb3fc7bcab0efcc343b3e03355f5f2f663c9 (php-7.4.0RC1) CVE-2022-4899 (A vulnerability was found in zstd v1.4.10, where an attacker can suppl ...) - libzstd 1.5.4+dfsg2-1 [bullseye] - libzstd (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49920c858f8d13f428870e55d4b8e579894f0b3a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49920c858f8d13f428870e55d4b8e579894f0b3a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
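Review bot: the commit title says php7.4 is not affected, but the only changed package line in @@ -39369,10 +39369,11 @@ is the php7.3 one (`- - php7.3` replaced by `+ - php7.3`), while `- php7.4` and its bullseye `(Minor issue, fix along in future update)` annotation stay as context; given the added `NOTE: Introduced by: ... (php-7.4.0RC1)`, php7.3 is the package the change exonerates, so the title should name php7.3. As rendered here the removed and added php7.3 lines read identically, so check that the new line really carries the not-affected status tag the title implies (angle-bracketed tags may not survive this rendering).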
[Git][security-tracker-team/security-tracker][master] Track nomad as removed from everywhere supported
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e468c06 by Salvatore Bonaccorso at 2023-10-07T15:58:31+02:00 Track nomad as removed from everywhere supported - - - - - 1 changed file: - data/packages/removed-packages Changes: = data/packages/removed-packages = @@ -953,3 +953,4 @@ nvidia-graphics-drivers-tesla-510 rtpproxy masqmail openjdk-18 +nomad View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e468c0642adbb5a21ff56513e32125116683240 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e468c0642adbb5a21ff56513e32125116683240 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-45322/libxml2: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 435aa228 by Sylvain Beucler at 2023-10-07T15:54:28+02:00 CVE-2023-45322/libxml2: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4,6 +4,7 @@ CVE-2023-45322 (libxml2 through 2.11.5 has a use-after-free that can only occur - libxml2 [bookworm] - libxml2 (Minor issue) [bullseye] - libxml2 (Minor issue) + [buster] - libxml2 (Minor issue, very hard/unlikely to trigger) NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/583 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/344 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/435aa2288b59dd8c3b982691d74aaa114df78b79 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/435aa2288b59dd8c3b982691d74aaa114df78b79 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-39323/golang-1.11: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: dab37b40 by Sylvain Beucler at 2023-10-07T15:06:25+02:00 CVE-2023-39323/golang-1.11: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -146,6 +146,7 @@ CVE-2023-39323 (Line directives ("//line") can be used to bypass the restriction - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 + [buster] - golang-1.11 (Limited support, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/63211 NOTE: https://go.dev/cl/533215 NOTE: https://groups.google.com/g/golang-announce/c/XBa1oHDevAo View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dab37b40b2ceb0bb615639c3578dfaaf95fc7c08 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dab37b40b2ceb0bb615639c3578dfaaf95fc7c08 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Revert "Fix typo in version for CVE-2023-39356/freerdp2"
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 054f7dde by Salvatore Bonaccorso at 2023-10-07T12:18:50+02:00 Revert Fix typo in version for CVE-2023-39356/freerdp2 This reverts commit 04a568264120bc97b1ca29977b4ed8f15f22ed95. See 79f21cdef44a055de40a3b8fb5569cf57b28df58 . The commit landed only in 2.11.1 upstream after the 2.11.0 release. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5208,7 +5208,7 @@ CVE-2023-39356 (FreeRDP is a free implementation of the Remote Desktop Protocol - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m NOTE: https://github.com/FreeRDP/FreeRDP/commit/889348a86e49bc8f1351ed6496d847b32db5f86e (2.11.0) - NOTE: https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46 (2.11.0) + NOTE: https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46 (2.11.1) CVE-2023-39355 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 (Vulnerable code not present) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hvwj-vmg6-2f5h View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/054f7dde916bc95a2d57dc729c848549ca80ef1b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/054f7dde916bc95a2d57dc729c848549ca80ef1b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix typo in version for CVE-2023-39356/freerdp2
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 04a56826 by Tobias Frost at 2023-10-07T12:15:20+02:00 Fix typo in version for CVE-2023-39356/freerdp2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5208,7 +5208,7 @@ CVE-2023-39356 (FreeRDP is a free implementation of the Remote Desktop Protocol - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m NOTE: https://github.com/FreeRDP/FreeRDP/commit/889348a86e49bc8f1351ed6496d847b32db5f86e (2.11.0) - NOTE: https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46 (2.11.1) + NOTE: https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46 (2.11.0) CVE-2023-39355 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 (Vulnerable code not present) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hvwj-vmg6-2f5h View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04a568264120bc97b1ca29977b4ed8f15f22ed95 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04a568264120bc97b1ca29977b4ed8f15f22ed95 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
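Review bot: changing the annotation on `23db2f4e6ba71f1c10c543f24de595d7340adb46` from `(2.11.1)` to `(2.11.0)` in @@ -5208,7 +5208,7 @@ is presented as a typo fix, but the commit message gives no source for the version, and the revert 054f7dde above states that the commit landed only in 2.11.1, after the 2.11.0 release; a change to a version annotation should cite how the version was determined (tag containment, upstream release notes), so that two adjacent commits touching the same hash can be told apart without a third one.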
[Git][security-tracker-team/security-tracker][master] swap order of patches for CVE-2023-39353, as they have to be applied in that order.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 54c94596 by Tobias Frost at 2023-10-07T12:12:59+02:00 swap order of patches for CVE-2023-39353, as they have to be applied in that order. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5210,8 +5210,8 @@ CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f - NOTE: https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a (2.11.0) NOTE: https://github.com/FreeRDP/FreeRDP/commit/efa0567c027239b901ccdc590b9e229e0111c68b (2.11.0) + NOTE: https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a (2.11.0) CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54c945966670557a4e3d7310a23e52e417dd6fde -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54c945966670557a4e3d7310a23e52e417dd6fde You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
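Review bot: the reordering in @@ -5210,8 +5210,8 @@ (efa0567c027239b901ccdc590b9e229e0111c68b now listed before 9ed6d6baede27d5006e0e4c9bec8e506f695cb6a) encodes the apply-order dependency only in the commit message; since both NOTEs still carry the same `(2.11.0)` tag, a reader of data/CVE/list cannot tell that the order matters. Consider making it explicit in the NOTE text, e.g. `NOTE: https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a (2.11.0, apply after efa0567c)`.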
[Git][security-tracker-team/security-tracker][master] Track fixed version for some linux issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 21da85b9 by Salvatore Bonaccorso at 2023-10-07T11:48:18+02:00 Track fixed version for some linux issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -669,7 +669,7 @@ CVE-2023-5346 (Type confusion in V8 in Google Chrome prior to 117.0.5938.149 all - chromium 117.0.5938.149-1 [buster] - chromium (see DSA 5046) CVE-2023-5345 (A use-after-free vulnerability in the Linux kernel's fs/smb/client com ...) - - linux + - linux 6.5.6-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/e6e43b8aa7cd3c3af686caf0c2e11819a886d705 @@ -1888,7 +1888,7 @@ CVE-2023-43040 [Improperly verified POST keys] - ceph NOTE: https://www.openwall.com/lists/oss-security/2023/09/26/10 CVE-2023-5197 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...) - - linux + - linux 6.5.6-1 [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/f15f29fd4779be8a418b66e9d52979bb6d6c2325 (6.6-rc3) NOTE: https://kernel.dance/f15f29fd4779be8a418b66e9d52979bb6d6c2325 @@ -2211,7 +2211,7 @@ CVE-2023-32284 (An out-of-bounds write vulnerability exists in the tiff_planar_a CVE-2022-48605 (Input verification vulnerability in the fingerprint module. Successful ...) NOT-FOR-US: Huawei CVE-2023-42756 (A flaw was found in the Netfilter subsystem of the Linux kernel. A rac ...) - - linux + - linux 6.5.6-1 [bookworm] - linux 6.1.55-1 [buster] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2023/09/27/2 
@@ -2788,7 +2788,7 @@ CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When creatin [buster] - ansible (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229979 CVE-2023-42754 (A NULL pointer dereference flaw was found in the Linux kernel ipv4 sta ...) - - linux + - linux 6.5.6-1 [bookworm] - linux 6.1.55-1 NOTE: https://www.openwall.com/lists/oss-security/2023/10/02/8 NOTE: https://git.kernel.org/linus/0113d9c9d1ccc07f5a3710dac4aa24b6d711278c (6.6-rc3) @@ -3429,7 +3429,7 @@ CVE-2023-4527 (A flaw was found in glibc. When the getaddrinfo function is calle NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b25508dd774b617f99419bdc3cf2ace4560cd2d6 (release/2.38/master branch) NOTE: https://www.openwall.com/lists/oss-security/2023/09/25/1 CVE-2023-4921 (A use-after-free vulnerability in the Linux kernel's net/sched: sch_qf ...) - - linux + - linux 6.5.6-1 [bookworm] - linux 6.1.55-1 NOTE: https://kernel.dance/#8fc134fee27f2263988ae38920bc03da416b03d8 NOTE: https://git.kernel.org/linus/8fc134fee27f2263988ae38920bc03da416b03d8 (6.6-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21da85b9767cbd71ff6a6cf6fdc7145424168a5e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21da85b9767cbd71ff6a6cf6fdc7145424168a5e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
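Review bot: in @@ -669,7 +669,7 @@ the CVE-2023-5345 NOTE cites `https://git.kernel.org/linus/e6e43b8aa7cd3c3af686caf0c2e11819a886d705` without the upstream release tag that every other kernel entry in this patch carries (`(6.6-rc3)`, `(6.6-rc1)`), so the tag in which the fix landed should be added for consistency; and in @@ -1888,7 +1888,7 @@ CVE-2023-5197 records `[buster] - linux (Vulnerable code not present)` but no bullseye line, unlike CVE-2023-5345 which states both, so the bullseye status of CVE-2023-5197 should be made explicit rather than left to the default.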
[Git][security-tracker-team/security-tracker][master] 4 commits: Merge linux changes for bookworm 12.2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 84bf7d53 by Salvatore Bonaccorso at 2023-10-06T22:54:46+02:00 Merge linux changes for bookworm 12.2 - - - - - 6cdc0263 by Salvatore Bonaccorso at 2023-10-06T22:54:48+02:00 Merge changes for updates with CVEs via bookworm 12.2 - - - - - 2bd96443 by Salvatore Bonaccorso at 2023-10-06T22:54:49+02:00 Merge changes for updates without CVEs via bookworm 12.2 - - - - - 8b02225d by Salvatore Bonaccorso at 2023-10-07T08:39:15+00:00 Merge branch bookworm-12.2 into master Merge changes accepted for bookworm 12.2 release See merge request security-tracker-team/security-tracker!148 - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -382,10 +382,12 @@ CVE-2023-39194 [net: xfrm: Fix xfrm_address_filter OOB read] NOTE: https://git.kernel.org/linus/dfa73c17d55b921e1d4e154976de35317e43a93a (6.5-rc7) CVE-2023-39193 [netfilter: xt_sctp: validate the flag_info count] - linux 6.5.3-1 + [bookworm] - linux 6.1.55-1 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1491/ NOTE: https://git.kernel.org/linus/e99476497687ef9e850748fe6d232264f30bc8f9 (6.6-rc1) CVE-2023-39192 [netfilter: xt_u32: validate user space input] - linux 6.5.3-1 + [bookworm] - linux 6.1.55-1 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1490/ NOTE: https://git.kernel.org/linus/69c5d284f67089b4750d28ff6ac6f52ec224b330 (6.6-rc1) CVE-2023-39191 (An improper input validation flaw was found in the eBPF subsystem in t ...) 
@@ -1146,7 +1148,7 @@ CVE-2023-4316 (Zod in version 3.22.2 allows an attacker to perform a denial of s NOT-FOR-US: Zod CVE-2023-44469 (A Server-Side Request Forgery issue in the OpenID Connect Issuer in Le ...) - lemonldap-ng 2.17.1+ds-1 - [bookworm] - lemonldap-ng (Minor issue) + [bookworm] - lemonldap-ng 2.16.1+ds-deb12u2 [bullseye] - lemonldap-ng (Minor issue) [buster] - lemonldap-ng (Minor issue) NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 @@ -1592,7 +1594,7 @@ CVE-2023-32458 (Dell AppSync, versions 4.4.0.0 to 4.6.0.0 including Service Pack NOT-FOR-US: Dell CVE-2023- [code execution via malformed XTGETTCAP] - foot 1.15.3-2 (bug #1053115) - [bookworm] - foot (Minor issue) + [bookworm] - foot 1.13.1-2+deb12u1 [bullseye] - foot (Minor issue) NOTE: https://codeberg.org/dnkl/foot/commit/8a5f2915e9d327d1517d1da49ce7e2303fe61d36 CVE-2023-5183 (Unsafe deserialization of untrusted JSON allows execution of arbitrary ...) @@ -2210,11 +2212,13 @@ CVE-2022-48605 (Input verification vulnerability in the fingerprint module. Succ NOT-FOR-US: Huawei CVE-2023-42756 (A flaw was found in the Netfilter subsystem of the Linux kernel. A rac ...) - linux + [bookworm] - linux 6.1.55-1 [buster] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2023/09/27/2 NOTE: https://git.kernel.org/linus/7433b6d2afd512d04398c73aa984d1e285be125b (6.6-rc3) CVE-2023-42755 (A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) clas ...) - linux 6.3.7-1 + [bookworm] - linux 6.1.55-1 NOTE: https://lore.kernel.org/all/CADW8OBtkAf+nGokhD9zCFcmiebL1SM8bJp_oo=pe02bkng9...@mail.gmail.com/ NOTE: https://git.kernel.org/linus/265b4da82dbf5df04bee5a5d46b7474b1aaf326a (6.3-rc1) CVE-2023-40581 (yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp ...) 
@@ -2616,7 +2620,7 @@ CVE-2023-2508 (The `PaperCutNG Mobility Print` version 1.0.3512 application allo CVE-2023-4504 (Due to failure in validating the length provided by an attacker-crafte ...) {DLA-3594-1} - cups 2.4.2-6 - [bookworm] - cups (Minor issue) + [bookworm] - cups 2.4.2-3+deb12u2 [bullseye] - cups (Minor issue) - libppd (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2023/09/20/3 @@ -2785,14 +2789,17 @@ CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When creatin NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229979 CVE-2023-42754 (A NULL pointer dereference flaw was found in the Linux kernel ipv4 sta ...) - linux + [bookworm] - linux 6.1.55-1 NOTE: https://www.openwall.com/lists/oss-security/2023/10/02/8 NOTE: https://git.kernel.org/linus/0113d9c9d1ccc07f5a3710dac4aa24b6d711278c (6.6-rc3) CVE-2023-42753 (An array indexing vulnerability was found in the netfilter subsystem o ...) - linux 6.5.3-1 + [bookworm] - linux 6.1.55-1 NOTE: https://www.openwall.com/lists/oss-security/2023/09/22/10 NOTE:
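Review bot: in @@ -2210,11 +2212,13 @@ and @@ -2785,14 +2789,17 @@, CVE-2023-42756 and CVE-2023-42754 gain `[bookworm] - linux 6.1.55-1` while their unstable line is still the bare `- linux`, i.e. the issues are recorded as fixed in stable but open in unstable; that is consistent with 12.2 shipping first, and the follow-up commit 21da85b9 on this page resolves it with `- linux 6.5.6-1`, but a merge of release data should say so in its message so that the bare line is not read as an oversight. The foot entry in @@ -1592,7 +1594,7 @@ appears here as `CVE-2023- [code execution via malformed XTGETTCAP]` with no CVE number, so the bookworm fixed version `1.13.1-2+deb12u1` recorded now will need to be carried over when the id is assigned.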
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-45322/libxml2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 07d1a72a by Salvatore Bonaccorso at 2023-10-07T10:32:03+02:00 Add CVE-2023-45322/libxml2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,13 @@ CVE-2023-5182 (Sensitive data could be exposed in logs of subiquity version 23.09.1 a ...) TODO: check CVE-2023-45322 (libxml2 through 2.11.5 has a use-after-free that can only occur after ...) - TODO: check + - libxml2 + [bookworm] - libxml2 (Minor issue) + [bullseye] - libxml2 (Minor issue) + NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/583 + NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9 + NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/344 + NOTE: http://www.openwall.com/lists/oss-security/2023/10/06/5 CVE-2023-45199 (Mbed TLS 3.2.x through 3.4.x before 3.5 has a Buffer Overflow that can ...) TODO: check CVE-2023-44860 (An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07d1a72a81c858ddfc316058041f820f11146675
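Review bot: the unstable line `- libxml2` records no fixed version although the entry already links an upstream fix commit in its `NOTE: Fixed by:` line; if no upstream release contains that commit yet, saying so in a NOTE would explain the open sid state, and the fixed Debian version should be added once it is uploaded. The `(Minor issue)` tags on bookworm and bullseye also carry no rationale; the truncated description already hints that the use-after-free needs a precondition, so a one-line NOTE stating the reason would make the triage decision self-explaining.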
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3af1761d by Salvatore Bonaccorso at 2023-10-07T10:22:25+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -91031,7 +91031,7 @@ CVE-2022-34357 CVE-2022-34356 (IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local ...) NOT-FOR-US: IBM CVE-2022-34355 (IBM Jazz Foundation (IBM Engineering Lifecycle Management 6.0.6, 6.0.6 ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-34354 (IBM Sterling Partner Engagement Manager 2.0 allows encrypted storage o ...) NOT-FOR-US: IBM CVE-2022-34353 @@ -94050,7 +94050,7 @@ CVE-2022-33162 CVE-2022-33161 RESERVED CVE-2022-33160 (IBM Security Directory Suite 8.0.1 uses weaker than expected cryptogra ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-33159 (IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 stores user cre ...) NOT-FOR-US: IBM CVE-2022-33158 (Trend Micro VPN Proxy Pro version 5.2.1026 and below contains a vulner ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3af1761ded302a7c216500e0f72c1c5918af59ee
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b4a2cea0 by security tracker role at 2023-10-07T08:11:40+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2023-5182 (Sensitive data could be exposed in logs of subiquity version 23.09.1 a ...) + TODO: check +CVE-2023-45322 (libxml2 through 2.11.5 has a use-after-free that can only occur after ...) + TODO: check +CVE-2023-45199 (Mbed TLS 3.2.x through 3.4.x before 3.5 has a Buffer Overflow that can ...) + TODO: check +CVE-2023-44860 (An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker t ...) + TODO: check +CVE-2023-44061 (File Upload vulnerability in Simple and Nice Shopping Cart Script v.1. ...) + TODO: check +CVE-2023-43615 (Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 has a Buffer Overflow.) + TODO: check +CVE-2023-36123 (Directory Traversal vulnerability in Hex-Dragon Plain Craft Launcher 2 ...) + TODO: check CVE-2023-5452 (Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-i ...) - snipe-it (bug #1005172) CVE-2023-5214 (In Puppet Bolt versions prior to 3.27.4, a path to escalate privileges ...) @@ -91016,8 +91030,8 @@ CVE-2022-34357 RESERVED CVE-2022-34356 (IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local ...) NOT-FOR-US: IBM -CVE-2022-34355 - RESERVED +CVE-2022-34355 (IBM Jazz Foundation (IBM Engineering Lifecycle Management 6.0.6, 6.0.6 ...) + TODO: check CVE-2022-34354 (IBM Sterling Partner Engagement Manager 2.0 allows encrypted storage o ...) NOT-FOR-US: IBM CVE-2022-34353 
@@ -94035,8 +94049,8 @@ CVE-2022-33162 RESERVED CVE-2022-33161 RESERVED -CVE-2022-33160 - RESERVED +CVE-2022-33160 (IBM Security Directory Suite 8.0.1 uses weaker than expected cryptogra ...) + TODO: check CVE-2022-33159 (IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 stores user cre ...) NOT-FOR-US: IBM CVE-2022-33158 (Trend Micro VPN Proxy Pro version 5.2.1026 and below contains a vulner ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4a2cea0eb8593dc6238fee855f64a8614f4cef2
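Review bot: in the first hunk, CVE-2023-45199 (Mbed TLS 3.2.x through 3.4.x before 3.5) and CVE-2023-43615 (Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0) both describe a Buffer Overflow with overlapping 3.x ranges; they should be triaged together so the Mbed TLS assessment and any fixed-version lines are consistent, rather than resolved as two independent `TODO: check` entries.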