[Git][security-tracker-team/security-tracker][master] chromium DSA
Andres Salomon pushed to branch master at Debian Security Tracker / security-tracker Commits: 9abcedc7 by Andres Salomon at 2023-11-15T18:01:48-05:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[15 Nov 2023] DSA-5556-1 chromium - security update + {CVE-2023-5997 CVE-2023-6112} + [bullseye] - chromium 119.0.6045.159-1~deb11u1 + [bookworm] - chromium 119.0.6045.159-1~deb12u1 [15 Nov 2023] DSA--1 openvpn - security update {CVE-2023-46849 CVE-2023-46850} [bookworm] - openvpn 2.6.3-1+deb12u2 = data/dsa-needed.txt = @@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -chromium (dilinger) -- cinder/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9abcedc7e36f4f4d499b68d0dd172cdab68ee919 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
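Review bot: the unchanged context line directly under the new DSA-5556-1 block reads "[15 Nov 2023] DSA--1 openvpn - security update", an openvpn entry with an empty advisory number; the chromium block is inserted above it so the file still parses, but that placeholder needs the real DSA id before the openvpn advisory is relied on. Dropping "chromium (dilinger)" from data/dsa-needed.txt is consistent with the advisory now being recorded for both bullseye and bookworm.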
[Git][security-tracker-team/security-tracker][master] webkit2gtk / wpewebkit upstream advisory WSA-2023-0010
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker Commits: da193412 by Alberto Garcia at 2023-11-15T22:46:16+01:00 webkit2gtk / wpewebkit upstream advisory WSA-2023-0010 - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -3482,7 +3482,12 @@ CVE-2023-42856 (The issue was addressed with improved memory handling. This issu CVE-2023-42854 (This issue was addressed by removing the vulnerable code. This issue i ...) NOT-FOR-US: Apple CVE-2023-42852 (A logic issue was addressed with improved checks. This issue is fixed ...) - NOT-FOR-US: Apple + - webkit2gtk 2.42.2-1 + [buster] - webkit2gtk (EOL in buster LTS) + - wpewebkit 2.42.2-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + [bullseye] - wpewebkit (wpewebkit >= 2.42 can no longer be sensibly backported) + NOTE: https://webkitgtk.org/security/WSA-2023-0010.html CVE-2023-42850 (The issue was addressed with improved permissions logic. This issue is ...) NOT-FOR-US: Apple CVE-2023-42849 (The issue was addressed with improved memory handling. This issue is f ...) @@ -3522,7 +3527,11 @@ CVE-2023-41989 (The issue was addressed by restricting options offered on a lock CVE-2023-41988 (This issue was addressed by restricting options offered on a locked de ...) NOT-FOR-US: Apple CVE-2023-41983 (The issue was addressed with improved memory handling. This issue is f ...) - NOT-FOR-US: Apple + - webkit2gtk 2.42.2-1 + [buster] - webkit2gtk (EOL in buster LTS) + - wpewebkit 2.42.2-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + NOTE: https://webkitgtk.org/security/WSA-2023-0010.html CVE-2023-41982 (This issue was addressed by restricting options offered on a locked de ...) NOT-FOR-US: Apple CVE-2023-41977 (The issue was addressed with improved handling of caches. This issue i ...) 
@@ -3594,6 +3603,7 @@ CVE-2023-32359 (This issue was addressed with improved redaction of sensitive in - wpewebkit 2.42.0-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) [bullseye] - wpewebkit (wpewebkit >= 2.42 can no longer be sensibly backported) + NOTE: https://webkitgtk.org/security/WSA-2023-0010.html CVE-2023-46660 (Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time compari ...) NOT-FOR-US: Jenkins plugin CVE-2023-46659 (Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac ...) @@ -60696,6 +60706,7 @@ CVE-2022-46725 (A spoofing issue existed in the handling of URLs. This issue was {DSA-5341-1 DSA-5340-1} - webkit2gtk 2.38.4-1 - wpewebkit 2.38.4-1 + NOTE: https://webkitgtk.org/security/WSA-2023-0010.html CVE-2022-46724 (This issue was addressed by restricting options offered on a locked de ...) NOT-FOR-US: Apple CVE-2022-46723 (This issue was addressed with improved checks. This issue is fixed in ...) @@ -60738,6 +60749,7 @@ CVE-2022-46705 (A spoofing issue existed in the handling of URLs. This issue was {DSA-5341-1 DSA-5340-1} - webkit2gtk 2.38.4-1 - wpewebkit 2.38.4-1 + NOTE: https://webkitgtk.org/security/WSA-2023-0010.html CVE-2022-46704 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2022-46703 (A logic issue was addressed with improved restrictions. This issue is ...) @@ -101894,6 +101906,7 @@ CVE-2022-32933 [A website may be able to track the websites a user visited in Sa {DSA-5241-1 DSA-5240-1} - webkit2gtk 2.38.0-1 - wpewebkit 2.38.0-1 + NOTE: https://webkitgtk.org/security/WSA-2023-0010.html CVE-2022-32932 (The issue was addressed with improved memory handling. This issue is f ...) NOT-FOR-US: Apple CVE-2022-32931 
@@ -101927,6 +101940,7 @@ CVE-2022-32919 [Visiting a website that frames malicious content may lead to UI {DSA-5341-1 DSA-5340-1} - webkit2gtk 2.38.4-1 - wpewebkit 2.38.4-1 + NOTE: https://webkitgtk.org/security/WSA-2023-0010.html CVE-2022-32918 (This issue was addressed with improved data protection. This issue is ...) NOT-FOR-US: Apple CVE-2022-32917 (The issue was addressed with improved bounds checks. This issue is fix ...) = data/dsa-needed.txt = @@ -94,6 +94,8 @@ tiff (aron) -- tor -- +webkit2gtk (berto) +-- xen (jmm) -- zbar View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da1934120544a2c5aa22d2ecd9a5efa5ba31ded2
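Review bot: the new block for CVE-2023-41983 is missing the "[bullseye] - wpewebkit (wpewebkit >= 2.42 can no longer be sensibly backported)" line that the otherwise identical block for CVE-2023-42852 (and the existing CVE-2023-32359 entry) carries; without it the tracker will report wpewebkit in bullseye as open for CVE-2023-41983 instead of as not backportable, so add the line for consistency. The webkit2gtk entries carry no release annotations, which is right while the update is pending and matches the new "webkit2gtk (berto)" claim in data/dsa-needed.txt.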
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-46445
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e4df6d13 by Salvatore Bonaccorso at 2023-11-15T22:01:02+01:00 Add Debian bug reference for CVE-2023-46445 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -656,7 +656,7 @@ CVE-2023-46446 (An issue in AsyncSSH v2.14.0 and earlier allows attackers to con - python-asyncssh (bug #1055999) NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm CVE-2023-46445 (An issue in AsyncSSH v2.14.0 and earlier allows attackers to control t ...) - - python-asyncssh + - python-asyncssh (bug #1056000) NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-cfc2-wr2v-gxm5 CVE-2023-46021 (SQL Injection vulnerability in cancel.php in Code-Projects Blood Bank ...) NOT-FOR-US: Code-Projects Blood Bank View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4df6d132f036a70256abc772a06dd21e71abfb0
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-46446
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d0d7c5c by Salvatore Bonaccorso at 2023-11-15T21:54:02+01:00 Add Debian bug reference for CVE-2023-46446 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -653,7 +653,7 @@ CVE-2023-47346 (Buffer Overflow vulnerability in free5gc 3.3.0, UPF 1.2.0, and S CVE-2023-47117 (Label Studio is an open source data labeling tool. In all current vers ...) NOT-FOR-US: Label Studio CVE-2023-46446 (An issue in AsyncSSH v2.14.0 and earlier allows attackers to control t ...) - - python-asyncssh + - python-asyncssh (bug #1055999) NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm CVE-2023-46445 (An issue in AsyncSSH v2.14.0 and earlier allows attackers to control t ...) - python-asyncssh View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d0d7c5c059da08ccb32c5a93de6191aa0337b7f
[Git][security-tracker-team/security-tracker][master] Drop notes and references for CVE-2023-4128
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b54d5df7 by Salvatore Bonaccorso at 2023-11-15T21:33:32+01:00 Drop notes and references for CVE-2023-4128 Finally the CVE got rejected, as it was a duplicate of CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/DSA/list Changes: = data/CVE/list = @@ -14972,11 +14972,6 @@ CVE-2023-4275 REJECTED CVE-2023-4128 REJECTED - {DSA-5492-1 DSA-5480-1 DLA-3623-1} - - linux 6.4.11-1 - NOTE: https://git.kernel.org/linus/3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 (6.5-rc5) - NOTE: https://git.kernel.org/linus/76e42ae831991c828cffa8c37736ebfb831ad5ec (6.5-rc5) - NOTE: https://git.kernel.org/linus/b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 (6.5-rc5) CVE-2023-40216 (OpenBSD 7.3 before errata 014 is missing an argument-count bounds chec ...) NOT-FOR-US: OpenBSD CVE-2023-39966 (1Panel is an open source Linux server operation and maintenance manage ...) = data/DLA/list = 
@@ -88,7 +88,7 @@ {CVE-2023-44981} [buster] - zookeeper 3.4.13-2+deb10u1 [19 Oct 2023] DLA-3623-1 linux-5.10 - security update - {CVE-2022-4269 CVE-2022-39189 CVE-2023-1206 CVE-2023-1380 CVE-2023-2002 CVE-2023-2007 CVE-2023-2124 CVE-2023-2269 CVE-2023-2898 CVE-2023-3090 CVE-2023-3111 CVE-2023-3141 CVE-2023-3212 CVE-2023-3268 CVE-2023-3338 CVE-2023-3389 CVE-2023-3609 CVE-2023-3611 CVE-2023-3772 CVE-2023-3773 CVE-2023-3776 CVE-2023-3863 CVE-2023-4004 CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4194 CVE-2023-4244 CVE-2023-4273 CVE-2023-4622 CVE-2023-4623 CVE-2023-4921 CVE-2023-20588 CVE-2023-21255 CVE-2023-21400 CVE-2023-31084 CVE-2023-34256 CVE-2023-34319 CVE-2023-35788 CVE-2023-35823 CVE-2023-35824 CVE-2023-40283 CVE-2023-42753 CVE-2023-42755 CVE-2023-42756} + {CVE-2022-4269 CVE-2022-39189 CVE-2023-1206 CVE-2023-1380 CVE-2023-2002 CVE-2023-2007 CVE-2023-2124 CVE-2023-2269 CVE-2023-2898 CVE-2023-3090 CVE-2023-3111 CVE-2023-3141 CVE-2023-3212 CVE-2023-3268 CVE-2023-3338 CVE-2023-3389 CVE-2023-3609 CVE-2023-3611 CVE-2023-3772 CVE-2023-3773 CVE-2023-3776 CVE-2023-3863 CVE-2023-4004 CVE-2023-4132 CVE-2023-4147 CVE-2023-4194 CVE-2023-4244 CVE-2023-4273 CVE-2023-4622 CVE-2023-4623 CVE-2023-4921 CVE-2023-20588 CVE-2023-21255 CVE-2023-21400 CVE-2023-31084 CVE-2023-34256 CVE-2023-34319 CVE-2023-35788 CVE-2023-35823 CVE-2023-35824 CVE-2023-40283 CVE-2023-42753 CVE-2023-42755 CVE-2023-42756} [buster] - linux-5.10 5.10.197-1~deb10u1 [17 Oct 2023] DLA-3622-1 axis - security update {CVE-2023-40743} = data/DSA/list = 
@@ -242,7 +242,7 @@ [bullseye] - open-vm-tools 2:11.2.5-2+deb11u2 [bookworm] - open-vm-tools 2:12.2.0-1+deb12u1 [09 Sep 2023] DSA-5492-1 linux - security update - {CVE-2023-1206 CVE-2023-1989 CVE-2023-2430 CVE-2023-2898 CVE-2023-3611 CVE-2023-3772 CVE-2023-3773 CVE-2023-3776 CVE-2023-3777 CVE-2023-3863 CVE-2023-4004 CVE-2023-4015 CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4155 CVE-2023-4194 CVE-2023-4206 CVE-2023-4207 CVE-2023-4208 CVE-2023-4273 CVE-2023-4569 CVE-2023-4622 CVE-2023-20588 CVE-2023-34319 CVE-2023-40283} + {CVE-2023-1206 CVE-2023-1989 CVE-2023-2430 CVE-2023-2898 CVE-2023-3611 CVE-2023-3772 CVE-2023-3773 CVE-2023-3776 CVE-2023-3777 CVE-2023-3863 CVE-2023-4004 CVE-2023-4015 CVE-2023-4132 CVE-2023-4147 CVE-2023-4155 CVE-2023-4194 CVE-2023-4206 CVE-2023-4207 CVE-2023-4208 CVE-2023-4273 CVE-2023-4569 CVE-2023-4622 CVE-2023-20588 CVE-2023-34319 CVE-2023-40283} [bookworm] - linux 6.1.52-1 [07 Sep 2023] DSA-5491-1 chromium - security update {CVE-2023-4761 CVE-2023-4762 CVE-2023-4763 CVE-2023-4764} @@ -285,7 +285,7 @@ [bullseye] - fastdds 2.1.0+ds-9+deb11u1 [bookworm] - fastdds 2.9.1+ds-1+deb12u1 [18 Aug 2023] DSA-5480-1 linux - security update - {CVE-2022-4269 CVE-2022-39189 CVE-2023-1206 CVE-2023-1380 CVE-2023-2002 CVE-2023-2007 CVE-2023-2124 CVE-2023-2269 CVE-2023-2898 CVE-2023-3090 CVE-2023-3111 CVE-2023-3212 CVE-2023-3268 CVE-2023-3338 CVE-2023-3389 CVE-2023-3609 CVE-2023-3611 CVE-2023-3776 CVE-2023-3863 CVE-2023-4004 CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4194 CVE-2023-4273 CVE-2023-20588 CVE-2023-21255 CVE-2023-21400 CVE-2023-31084 CVE-2023-34319 CVE-2023-35788 CVE-2023-40283} + {CVE-2022-4269 CVE-2022-39189 CVE-2023-1206 CVE-2023-1380 CVE-2023-2002 CVE-2023-2007 CVE-2023-2124 CVE-2023-2269 CVE-2023-2898 CVE-2023-3090 CVE-2023-3111 CVE-2023-3212 CVE-2023-3268 CVE-2023-3338 CVE-2023-3389 CVE-2023-3609 CVE-2023-3611 CVE-2023-3776 CVE-2023-3863 CVE-2023-4004 CVE-2023-4132 CVE-2023-4147 CVE-2023-4194 CVE-2023-4273 CVE-2023-20588
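Review bot: once CVE-2023-4128 is dropped, the DLA-3623-1 and DSA-5480-1 CVE lists carry no identifier at all for the three kernel commits named in the removed NOTE lines; only DSA-5492-1 lists the replacement ids CVE-2023-4206, CVE-2023-4207 and CVE-2023-4208. If those commits were shipped in linux-5.10 5.10.197-1~deb10u1 (DLA-3623-1) and in the DSA-5480-1 update, the replacement CVEs should be added to those two lists so the fixes stay attributed; if they were not, the plain removal is correct. The DSA-5480-1 hunk is cut off after CVE-2023-20588 in this view, so the tail of that list could not be checked.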
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-23549/check-mk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bd21d65 by Salvatore Bonaccorso at 2023-11-15T21:28:33+01:00 Add CVE-2023-23549/check-mk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49623,7 +49623,7 @@ CVE-2023-23776 (An exposure of sensitive information to an unauthorized actor [C CVE-2023-23775 RESERVED CVE-2023-23549 (Improper Input Validation in Checkmk <2.2.0p15, <2.1.0p37, <=2.0.0p39 ...) - TODO: check + - check-mk CVE-2023-23548 (Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, ...) - check-mk CVE-2023-22359 (User enumeration in Checkmk <=2.2.0p4 allows an authenticated attacker ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bd21d65a2e0f6ff828e0c8ba3027310830c929d
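Review bot: the new "- check-mk" line records neither a fixed version nor an upstream reference, so the entry will sit open in unstable with nothing to act on; the CVE text already names the affected ranges (<2.2.0p15, <2.1.0p37, <=2.0.0p39), so add a NOTE with the upstream advisory and fill in the fixed Debian version once an upload exists, as other entries in this file do.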
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2cfa6a03 by Salvatore Bonaccorso at 2023-11-15T21:28:01+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35,11 +35,11 @@ CVE-2023-47636 (The Pimcore Admin Classic Bundle provides a Backend UI for Pimco CVE-2023-41699 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in P ...) NOT-FOR-US: Payara CVE-2023-34982 (This external control vulnerability, if exploited, could allow a local ...) - TODO: check + NOT-FOR-US: AVEVA CVE-2023-34062 (In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versi ...) TODO: check CVE-2023-33873 (This privilege escalation vulnerability, if exploited, cloud allow a l ...) - TODO: check + NOT-FOR-US: AVEVA CVE-2023-6133 (The Forminator plugin for WordPress is vulnerable to arbitrary file up ...) NOT-FOR-US: WordPress plugin CVE-2023-6032 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) @@ -27628,7 +27628,7 @@ CVE-2023-30956 (A security defect was identified in Foundry Comments that enable CVE-2023-30955 (A security defect was identified in Foundry workspace-server that enab ...) NOT-FOR-US: Palantir CVE-2023-30954 (The Gotham video-application-server service contained a race condition ...) - TODO: check + NOT-FOR-US: Gotham video-application-server service CVE-2023-30953 RESERVED CVE-2023-30952 (A security defect was discovered in Foundry Issues that enabled users ...) 
@@ -53025,7 +53025,7 @@ CVE-2023-22820 CVE-2023-22819 RESERVED CVE-2023-22818 (Multiple DLL Search Order Hijack vulnerabilities were addressed in the ...) - TODO: check + NOT-FOR-US: SanDisk Security Installer for Windows CVE-2023-22817 RESERVED CVE-2023-22816 (A post-authentication remote command injection vulnerability in a CGI ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cfa6a03f32c874722d120fa2c0b4fe416dcac47
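Review bot: the NOT-FOR-US reason for CVE-2023-30954, "Gotham video-application-server service", copies the component name out of the CVE text, whereas the adjacent Palantir entry CVE-2023-30955 uses the vendor form "NOT-FOR-US: Palantir"; use the vendor name here as well so the Palantir NFUs group together when the file is searched.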
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc248231 by Salvatore Bonaccorso at 2023-11-15T21:22:58+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,21 +1,21 @@ CVE-2023-6079 REJECTED CVE-2023-5720 (A flaw was found in Quarkus, where it does not properly sanitize artif ...) - TODO: check + NOT-FOR-US: Quarkus CVE-2023-5676 (In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an ...) - TODO: check + NOT-FOR-US: Eclipse OpenJ9 CVE-2023-5245 (FileUtil.extract() enumerates all zip file entries and extracts each f ...) TODO: check CVE-2023-4602 (The Namaste! LMS plugin for WordPress is vulnerable to Reflected Cross ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-48219 (TinyMCE is an open source rich text editor. A mutation cross-site scri ...) - tinymce CVE-2023-48089 (xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via / ...) - TODO: check + NOT-FOR-US: XXL-Job CVE-2023-48088 (xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /x ...) - TODO: check + NOT-FOR-US: XXL-Job CVE-2023-48087 (xxl-job-admin 2.4.0 is vulnerable to Insecure Permissions via /xxl-job ...) - TODO: check + NOT-FOR-US: XXL-Job CVE-2023-48014 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a sta ...) - gpac NOTE: https://github.com/gpac/gpac/issues/2613 
@@ -29,11 +29,11 @@ CVE-2023-48011 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain NOTE: https://github.com/gpac/gpac/issues/2611 NOTE: https://github.com/gpac/gpac/commit/c70f49dda4946d6db6aa55588f6a756b76bd84ea CVE-2023-47637 (Pimcore is an Open Source Data & Experience Management Platform. In af ...) - TODO: check + NOT-FOR-US: Pimcore CVE-2023-47636 (The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Fu ...) - TODO: check + NOT-FOR-US: Pimcore Admin Classic Bundle CVE-2023-41699 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in P ...) - TODO: check + NOT-FOR-US: Payara CVE-2023-34982 (This external control vulnerability, if exploited, could allow a local ...) TODO: check CVE-2023-34062 (In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc2482316f2ad24a749fe41ddba5040338d816ec
[Git][security-tracker-team/security-tracker][master] Add three new gpac issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a17e0e37 by Salvatore Bonaccorso at 2023-11-15T21:22:20+01:00 Add three new gpac issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,11 +17,17 @@ CVE-2023-48088 (xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) CVE-2023-48087 (xxl-job-admin 2.4.0 is vulnerable to Insecure Permissions via /xxl-job ...) TODO: check CVE-2023-48014 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a sta ...) - TODO: check + - gpac + NOTE: https://github.com/gpac/gpac/issues/2613 + NOTE: https://github.com/gpac/gpac/commit/66abf0887c89c29a484d9e65e70882794e9e3a1b CVE-2023-48013 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a dou ...) - TODO: check + - gpac + NOTE: https://github.com/gpac/gpac/issues/2612 + NOTE: https://github.com/gpac/gpac/commit/cd8a95c1efb8f5bfc950b86c2ef77b4c76f6b893 CVE-2023-48011 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a hea ...) - TODO: check + - gpac + NOTE: https://github.com/gpac/gpac/issues/2611 + NOTE: https://github.com/gpac/gpac/commit/c70f49dda4946d6db6aa55588f6a756b76bd84ea CVE-2023-47637 (Pimcore is an Open Source Data & Experience Management Platform. In af ...) TODO: check CVE-2023-47636 (The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Fu ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a17e0e376817af5825db759927268b01b675cb17
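Review bot: each of the three new gpac entries references a fix commit but gives neither an upstream tag nor a fixed Debian version, so the issues stay open in unstable with no indication of which release carries the fixes; add the tag in parentheses after the commit URL, as other entries in this file do (for example "(v3.8.5)"), or note that the fixes are only on master, and record the fixed Debian version when the upload lands.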
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-48219/tinymce
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bfdb6cb8 by Salvatore Bonaccorso at 2023-11-15T21:21:45+01:00 Add CVE-2023-48219/tinymce - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,7 @@ CVE-2023-5245 (FileUtil.extract() enumerates all zip file entries and extracts e CVE-2023-4602 (The Namaste! LMS plugin for WordPress is vulnerable to Reflected Cross ...) TODO: check CVE-2023-48219 (TinyMCE is an open source rich text editor. A mutation cross-site scri ...) - TODO: check + - tinymce CVE-2023-48089 (xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via / ...) TODO: check CVE-2023-48088 (xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /x ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfdb6cb80ce76f1de499b812732d1f00795d89b8
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b12a32c by security tracker role at 2023-11-15T20:12:08+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,39 @@ +CVE-2023-6079 + REJECTED +CVE-2023-5720 (A flaw was found in Quarkus, where it does not properly sanitize artif ...) + TODO: check +CVE-2023-5676 (In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an ...) + TODO: check +CVE-2023-5245 (FileUtil.extract() enumerates all zip file entries and extracts each f ...) + TODO: check +CVE-2023-4602 (The Namaste! LMS plugin for WordPress is vulnerable to Reflected Cross ...) + TODO: check +CVE-2023-48219 (TinyMCE is an open source rich text editor. A mutation cross-site scri ...) + TODO: check +CVE-2023-48089 (xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via / ...) + TODO: check +CVE-2023-48088 (xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /x ...) + TODO: check +CVE-2023-48087 (xxl-job-admin 2.4.0 is vulnerable to Insecure Permissions via /xxl-job ...) + TODO: check +CVE-2023-48014 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a sta ...) + TODO: check +CVE-2023-48013 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a dou ...) + TODO: check +CVE-2023-48011 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a hea ...) + TODO: check +CVE-2023-47637 (Pimcore is an Open Source Data & Experience Management Platform. In af ...) + TODO: check +CVE-2023-47636 (The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Fu ...) + TODO: check +CVE-2023-41699 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in P ...) + TODO: check +CVE-2023-34982 (This external control vulnerability, if exploited, could allow a local ...) + TODO: check +CVE-2023-34062 (In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versi ...) + TODO: check +CVE-2023-33873 (This privilege escalation vulnerability, if exploited, cloud allow a l ...) + TODO: check CVE-2023-6133 (The Forminator plugin for WordPress is vulnerable to arbitrary file up ...) 
NOT-FOR-US: WordPress plugin CVE-2023-6032 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) @@ -230,10 +266,10 @@ CVE-2023-1 [GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Exe NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe (GIMP_2_10_36) NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703 (GIMP_2_10_36) NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10069 (restricted) -CVE-2023-6112 +CVE-2023-6112 (Use after free in Navigation in Google Chrome prior to 119.0.6045.159 ...) - chromium 119.0.6045.159-1 [buster] - chromium (see DSA 5046) -CVE-2023-5997 +CVE-2023-5997 (Use after free in Garbage Collection in Google Chrome prior to 119.0.6 ...) - chromium 119.0.6045.159-1 [buster] - chromium (see DSA 5046) CVE-2023-6131 (Code Injection in GitHub repository salesagility/suitecrm prior to 7.1 ...) @@ -808,6 +844,7 @@ CVE-2023-4804 (Anunauthorized user could access debug features in Quantum HD Uni CVE-2023-47122 (Gitsign is software for keyless Git signing using Sigstore. In version ...) - gitsign (bug #1019518) CVE-2023-46850 (Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined ...) + {DSA--1} - openvpn 2.6.7-1 (bug #1055805) [bullseye] - openvpn (Vulnerable code not present) [buster] - openvpn (Vulnerable code not present) @@ -816,6 +853,7 @@ CVE-2023-46850 (Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to und NOTE: Introduced by: https://github.com/OpenVPN/openvpn/commit/9a7b95fda56127df6de6fe7c60e08fb5b67a9919 (v2.6_beta1) NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/57a5cd1e12f193927c9b7429f8778fec7e04c50a (v2.6.7) CVE-2023-46849 (Using the --fragment option in certain configuration setups OpenVPN ve ...) + {DSA--1} - openvpn 2.6.7-1 (bug #1055805) [bullseye] - openvpn (Vulnerable code not present) [buster] - openvpn (Vulnerable code not present) 
@@ -12614,7 +12652,7 @@ CVE-2023-4526 REJECTED CVE-2023-4525 REJECTED -CVE-2023-4522 (An issue has been discovered in GitLab affecting all versions starting ...) +CVE-2023-4522 (An issue has been discovered in GitLab affecting all versions before 1 ...) - gitlab CVE-2023-4296 (If an attacker tricks an admin user of PTC Codebeamer into clicking on ...) NOT-FOR-US: PTC Codebeamer @@ -13498,7 +13536,7 @@
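Review bot: the "{DSA--1}" reference added to CVE-2023-46849 and CVE-2023-46850 is a placeholder advisory id with no number, mirroring the "[15 Nov 2023] DSA--1 openvpn" entry in data/DSA/list; until the assigned number replaces it in both files the CVE pages cross-link to an advisory that does not exist, so it must be corrected when the openvpn DSA is actually published. The final hunk header, "@@ -13498,7 +13536,7 @@", has no body in this view, so that change could not be reviewed.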
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-46121/yt-dlp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 82f76ecd by Salvatore Bonaccorso at 2023-11-15T20:39:13+01:00 Add Debian bug reference for CVE-2023-46121/yt-dlp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -100,7 +100,7 @@ CVE-2023-46580 (Cross-Site Scripting (XSS) vulnerability in Inventory Management CVE-2023-46132 (Hyperledger Fabric is an open source permissioned distributed ledger f ...) NOT-FOR-US: Hyperledger Fabric CVE-2023-46121 (yt-dlp is a youtube-dl fork with additional features and fixes. The Ge ...) - - yt-dlp + - yt-dlp (bug #1055996) [bookworm] - yt-dlp (Minor issue) NOTE: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x NOTE: https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb (2023.11.14) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82f76ecd3818989f179751817655d162cea367d1
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-37276/python-aiohttp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 338c4ede by Salvatore Bonaccorso at 2023-11-15T20:33:55+01:00 Track fixed version for CVE-2023-37276/python-aiohttp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17953,7 +17953,7 @@ CVE-2023-37748 (ngiflib commit 5e7292 was discovered to contain an infinite loop CVE-2023-37733 (An arbitrary file upload vulnerability in tduck-platform v4.0 allows a ...) NOT-FOR-US: Grav CMStduck-platform CVE-2023-37276 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - - python-aiohttp + - python-aiohttp 3.8.5-1 [bookworm] - python-aiohttp (Minor issue) [bullseye] - python-aiohttp (Minor issue) [buster] - python-aiohttp (doesn't use llhttp, PoC is rejected with Bad Request) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/338c4ede8c86e90b0087bf8726493e741a12f743
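Review bot: the unchanged context line "NOT-FOR-US: Grav CMStduck-platform" for CVE-2023-37733 looks like two NFU reasons run together (the CVE text names tduck-platform, not Grav CMS); it is not touched by this change but deserves a follow-up fix. Recording 3.8.5-1 as the fixed version is consistent with the (v3.8.5) tag on the fix commit in the CVE-2023-37276 notes.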
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2023-37276
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c46b7d2 by Salvatore Bonaccorso at 2023-11-15T20:33:28+01:00 Add upstream tag information for CVE-2023-37276 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17958,7 +17958,7 @@ CVE-2023-37276 (aiohttp is an asynchronous HTTP client/server framework for asyn [bullseye] - python-aiohttp (Minor issue) [buster] - python-aiohttp (doesn't use llhttp, PoC is rejected with Bad Request) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w - NOTE: https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 + NOTE: https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 (v3.8.5) NOTE: https://hackerone.com/reports/2001873 NOTE: http-parser->llhttp switch: https://github.com/aio-libs/aiohttp/commit/485a5fc49050f8f8bf0d7eec8a85b4d9b450386c (v3.8.0a4) CVE-2023-35900 (IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.4 a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c46b7d2ba7996f601ec6cbb197ed2afdfe6c835
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5981/gnutls28
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 707fb2a9 by Salvatore Bonaccorso at 2023-11-15T20:18:49+01:00 Add CVE-2023-5981/gnutls28 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10,6 +10,10 @@ CVE-2023-5985 (A CWE-79 Improper Neutralization of Input During Web Page Generat NOT-FOR-US: Schneider Electric CVE-2023-5984 (A CWE-494 Download of Code Without Integrity Check vulnerability exist ...) NOT-FOR-US: Schneider Electric +CVE-2023-5981 [ttiming side-channel inside RSA-PSK key exchange] + - gnutls28 + NOTE: https://lists.gnupg.org/pipermail/gnutls-help/2023-November/004837.html + NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d (3.8.2) CVE-2023-4889 (The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Sit ...) NOT-FOR-US: WordPress plugin CVE-2023-48217 (Statamic is a flat-first, Laravel + Git powered CMS designed for build ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/707fb2a96f6d06bdb1f9102b344d82609c61bb0f
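Review bot: the bracketed description on the added CVE-2023-5981 line has a typo, "ttiming side-channel inside RSA-PSK key exchange", which should read "timing side-channel inside RSA-PSK key exchange". That bracketed text is what the tracker displays until the official CVE description is imported, so it is worth fixing in the same commit. The rest of the entry (no fixed version yet, upstream fix commit tagged "(3.8.2)") is consistent with a freshly reported issue.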
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tagged entry for bookworm for CVE-2023-47641/python-aiohttp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d5f9828b by Salvatore Bonaccorso at 2023-11-15T20:30:57+01:00 Remove no-dsa tagged entry for bookworm for CVE-2023-47641/python-aiohttp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22,7 +22,6 @@ CVE-2023-47678 (An improper access control vulnerability exists in RT-AC87U all NOT-FOR-US: ASUSTeK CVE-2023-47641 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - python-aiohttp 3.8.1-1 - [bookworm] - python-aiohttp (Minor issue) [bullseye] - python-aiohttp (Minor issue) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j NOTE: https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371 (v3.8.0b0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5f9828b3417fa7a0b844e3c5918442392d7ba04
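Review bot: the commit message says what was removed but not why; the hunk drops "[bookworm] - python-aiohttp (Minor issue)" under CVE-2023-47641 while keeping the identical bullseye marking, and a reader cannot tell from the diff whether bookworm is simply unaffected (its package already at or above the fixed version 3.8.1-1, which carries the v3.8.0b0 upstream fix cited in the NOTE line) or whether the removal was accidental. Stating the reason in the message, for example that bookworm's version is newer than the fixed version so the no-dsa entry was redundant, would make the change self-explanatory.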
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2023-46121
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 48111687 by Salvatore Bonaccorso at 2023-11-15T20:26:00+01:00 Add upstream tag information for CVE-2023-46121 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -104,7 +104,7 @@ CVE-2023-46121 (yt-dlp is a youtube-dl fork with additional features and fixes. - yt-dlp [bookworm] - yt-dlp (Minor issue) NOTE: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x - NOTE: https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb + NOTE: https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb (2023.11.14) CVE-2023-46026 (Cross Site Scripting (XSS) vulnerability in profile.php in phpgurukul ...) NOT-FOR-US: phpgurukul CVE-2023-46025 (SQL Injection vulnerability in teacher-info.php in phpgurukul Teacher ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48111687fac3ac48d9ce7ab70d1a7654361602e3
[Git][security-tracker-team/security-tracker][master] openvpn DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b8ab89e by Moritz Mühlenhoff at 2023-11-15T20:10:09+01:00 openvpn DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[15 Nov 2023] DSA--1 openvpn - security update + {CVE-2023-46849 CVE-2023-46850} + [bookworm] - openvpn 2.6.3-1+deb12u2 [13 Nov 2023] DSA-5554-1 postgresql-13 - security update {CVE-2023-5868 CVE-2023-5869 CVE-2023-5870 CVE-2023-39417} [bullseye] - postgresql-13 13.13-0+deb11u1 = data/dsa-needed.txt = @@ -45,8 +45,6 @@ nodejs -- nova/oldstable -- -openvpn (jmm) --- php-cas/oldstable -- php-horde-mime-viewer/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b8ab89eedbe46298ef252b5ea79cb36a7de9f42
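Review bot: the advisory header added to data/DSA/list reads "[15 Nov 2023] DSA--1 openvpn - security update", i.e. the DSA number between the dashes is empty; the neighbouring context line shows the expected form ("DSA-5554-1 postgresql-13"). The number needs to be filled in before the advisory is published, otherwise the tracker will list an openvpn update with no usable identifier, and anything keyed on the DSA id (cross-references from CVE-2023-46849 and CVE-2023-46850, the chromium DSA added right after it on this page) will not resolve. The dsa-needed.txt hunk that drops "openvpn (jmm)" is fine on its own.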
[Git][security-tracker-team/security-tracker][master] symfony spu/ospu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ab70491f by Moritz Mühlenhoff at 2023-11-15T19:48:00+01:00 symfony spu/ospu - - - - - 3 changed files: - data/CVE/list - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/CVE/list = @@ -858,10 +858,13 @@ CVE-2023-46735 (Symfony is a PHP framework for web and console applications and NOTE: https://github.com/symfony/symfony/commit/8128c302430394f639e818a7103b3f6815d8d962 (v6.3.8) CVE-2023-46734 (Symfony is a PHP framework for web and console applications and a set ...) - symfony 5.4.31+dfsg-1 (bug #1055774) + [bookworm] - symfony (Minor issue) + [bullseye] - symfony (Minor issue) NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3 NOTE: https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c (v4.4.51, v5.4.31, v6.3.8) CVE-2023-46733 (Symfony is a PHP framework for web and console applications and a set ...) - symfony 5.4.31+dfsg-1 (bug #1055775) + [bookworm] - symfony (Minor issue) [bullseye] - symfony (Vulnerable code introduced later) [buster] - symfony (Vulnerable code introduced later) NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-m2wj-r6g3-fxfx = data/next-oldstable-point-update.txt = @@ -80,3 +80,5 @@ CVE-2023-46586 [bullseye] - weborf 0.17-3+deb11u1 CVE-2021-33880 [bullseye] - python-websockets 8.1-1+deb11u1 +CVE-2023-46734 + [bullseye] - symfony 4.4.19+dfsg-2+deb11u4 = data/next-point-update.txt = 
@@ -64,3 +64,7 @@ CVE-2023-37369 [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u1 CVE-2023-38197 [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u1 +CVE-2023-46734 + [bookworm] - symfony 5.4.23+dfsg-1+deb12u1 +CVE-2023-46733 + [bookworm] - symfony 5.4.23+dfsg-1+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab70491fc36e274e8a449873b2c9d75bb406ebce
[Git][security-tracker-team/security-tracker][master] gimp fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f5f25c2e by Moritz Muehlenhoff at 2023-11-15T15:45:41+01:00 gimp fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -200,27 +200,27 @@ CVE-2023-35080 (A vulnerability has been identified in the Ivanti Secure Access CVE-2023-34060 (VMware Cloud Director Appliance contains an authentication bypass vuln ...) NOT-FOR-US: VMware CVE-2023-4 [GIMP PSP File Parsing Off-By-One Remote Code Execution Vulnerability] - - gimp (bug #1055984) + - gimp 2.10.36-1 (bug #1055984) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1591/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/e1bfd87195e4fe60a92df70cde65464d032dd3c1 NOTE: Backport to gimp-2.10: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 (GIMP_2_10_36) NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10071 (restricted) CVE-2023-3 [GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability] - - gimp (bug #1055984) + - gimp 2.10.36-1 (bug #1055984) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1593/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/96f536a33590bb9811da5b5639e1d6c25aaf2e01 NOTE: Backport to gimp-2.10: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 (GIMP_2_10_36) NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10072 (restricted) CVE-2023-2 [GIMP PSD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability] - - gimp (bug #1055984) + - gimp 2.10.36-1 (bug #1055984) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1594/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d (GIMP_2_10_36) NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10101 (restricted) CVE-2023-1 [GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability] - - gimp (bug #1055984) + - 
gimp 2.10.36-1 (bug #1055984) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1592/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc (GIMP_2_10_36) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5f25c2e1d0b695271fd312b92a9433a8be5977e
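Review bot: the four gimp entries touched by this hunk are keyed "CVE-2023-4", "CVE-2023-3", "CVE-2023-2" and "CVE-2023-1", which are not well-formed CVE identifiers (the sequence part needs at least four digits) and read like placeholder entries for the ZDI advisories (ZDI-23-1591 through ZDI-23-1594) that did not yet have CVE ids when they were filed. Setting "gimp 2.10.36-1" as the fixed version on all four is consistent with the GIMP 2.10.36 release note linked from every entry, but the placeholder ids will need to be replaced once CVEs are assigned so that these entries merge with the imported CVE data instead of duplicating it.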
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 36ee72f2 by Moritz Muehlenhoff at 2023-11-15T14:44:11+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -517,7 +517,7 @@ CVE-2023-32278 (Path transversal in some Intel(R) NUC Uniwill Service Driver for CVE-2023-32204 (Improper access control in some Intel(R) OFU software before version 1 ...) NOT-FOR-US: Intel CVE-2023-31320 (Improper input validation in the AMD RadeonTM Graphics display driver ...) - TODO: check + NOT-FOR-US: Intel CVE-2023-31273 (Protection mechanism failure in some Intel DCM software before version ...) NOT-FOR-US: Intel CVE-2023-31247 (A memory corruption vulnerability exists in the HTTP Server Host heade ...) @@ -27224,7 +27224,7 @@ CVE-2023-31102 (7-Zip through 22.01 on Linux allows an integer underflow and cod CVE-2023-31101 (Insecure Default Initialization of Resource Vulnerability in Apache So ...) NOT-FOR-US: Apache InLong CVE-2023-31100 (Improper Access Control in SMI handler vulnerability in Phoenix Secure ...) - TODO: check + NOT-FOR-US: Phoenix CVE-2023-31099 (Zoho ManageEngine OPManager through 126323 allows an authenticated use ...) NOT-FOR-US: Zoho ManageEngine CVE-2023-31098 (Weak Password Requirements vulnerability in Apache Software Foundation ...) @@ -70281,7 +70281,7 @@ CVE-2023-20598 (An improper privilege management in the AMD Radeon\u2122Graphics CVE-2023-20597 (Improper initialization of variables in the DXE driver may allow a pri ...) NOT-FOR-US: AMD CVE-2023-20596 (Improper input validation in the SMM Supervisor may allow an attacker ...) - TODO: check + NOT-FOR-US: AMD CVE-2023-20595 RESERVED CVE-2023-20594 (Improper initialization of variables in the DXE driver may allow a pri ...) 
@@ -70358,7 +70358,7 @@ CVE-2023-20573 CVE-2023-20572 RESERVED CVE-2023-20571 (A race condition in System Management Mode (SMM) code may allow an att ...) - TODO: check + NOT-FOR-US: AMD CVE-2023-20570 RESERVED CVE-2023-20569 (A side channel vulnerability on some of the AMD CPUs may allow an atta ...) @@ -70384,17 +70384,17 @@ CVE-2023-20569 (A side channel vulnerability on some of the AMD CPUs may allow a NOTE: https://www.amd.com/content/dam/amd/en/documents/corporate/cr/speculative-return-stack-overflow-whitepaper.pdf NOTE: https://www.openwall.com/lists/oss-security/2023/08/08/4 CVE-2023-20568 (Improper signature verification of RadeonTM RX Vega M Graphics driver ...) - TODO: check + NOT-FOR-US: AMD CVE-2023-20567 (Improper signature verification of RadeonTM RX Vega M Graphics driver ...) - TODO: check + NOT-FOR-US: AMD CVE-2023-20566 (Improper address validation in ASP with SNP enabled may potentially al ...) - TODO: check + NOT-FOR-US: AMD CVE-2023-20565 (Insufficient protections in System Management Mode (SMM) code may allo ...) - TODO: check + NOT-FOR-US: AMD CVE-2023-20564 (Insufficient validation in the IOCTL (Input Output Control) input buff ...) NOT-FOR-US: AMD CVE-2023-20563 (Insufficient protections in System Management Mode (SMM) code may allo ...) - TODO: check + NOT-FOR-US: AMD CVE-2023-20562 (Insufficient validation in the IOCTL (Input Output Control) input buff ...) NOT-FOR-US: AMD CVE-2023-20561 (Insufficient validation of the IOCTL (Input Output Control) input buff ...) @@ -70454,7 +70454,7 @@ CVE-2023-20535 CVE-2023-20534 RESERVED CVE-2023-20533 (Insufficient DRAM address validation in System Management Unit (SMU) m ...) - TODO: check + NOT-FOR-US: AMD CVE-2023-20532 (Insufficient input validation in the SMU may allow an attacker to impr ...) NOT-FOR-US: AMD CVE-2023-20531 (Insufficient bound checks in the SMU may allow an attacker to update t ...) 
@@ -70468,7 +70468,7 @@ CVE-2023-20528 (Insufficient input validation in the SMU may allow a physical at CVE-2023-20527 (Improper syscall input validation in the ASP Bootloader may allow a pr ...) NOT-FOR-US: AMD CVE-2023-20526 (Insufficient input validation in the ASP Bootloader may enable a privi ...) - TODO: check + NOT-FOR-US: AMD CVE-2023-20525 (Insufficient syscall input validation in the ASP Bootloader may allow ...) NOT-FOR-US: AMD CVE-2023-20524 (An attacker with a compromised ASP could possibly send malformed comma ...) @@ -70478,11 +70478,11 @@ CVE-2023-20523 (TOCTOU in the ASP may allow a physical attacker to write beyond CVE-2023-20522 (Insufficient input validation in ASP may allow an attacker with a mali ...) NOT-FOR-US: AMD CVE-2023-20521 (TOCTOU in the ASP Bootloader may allow an attacker with physical acces ...) - TODO: check +
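Review bot: in the first hunk of this commit, CVE-2023-31320 is described as "Improper input validation in the AMD RadeonTM Graphics display driver" but the replacement line marks it "NOT-FOR-US: Intel"; the vendor in the marking should match the description, i.e. "NOT-FOR-US: AMD", as every other AMD entry in this commit does. The remaining hunks (Phoenix SMI handler, AMD SMM/ASP/SMU firmware issues) are consistent with their descriptions. The last hunk is cut off in this mail after the "- TODO: check +" line for CVE-2023-20521, so its replacement marking could not be checked here.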
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for gimp issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7489cd90 by Salvatore Bonaccorso at 2023-11-15T13:39:59+01:00 Add Debian bug reference for gimp issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -200,27 +200,27 @@ CVE-2023-35080 (A vulnerability has been identified in the Ivanti Secure Access CVE-2023-34060 (VMware Cloud Director Appliance contains an authentication bypass vuln ...) NOT-FOR-US: VMware CVE-2023-4 [GIMP PSP File Parsing Off-By-One Remote Code Execution Vulnerability] - - gimp + - gimp (bug #1055984) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1591/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/e1bfd87195e4fe60a92df70cde65464d032dd3c1 NOTE: Backport to gimp-2.10: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 (GIMP_2_10_36) NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10071 (restricted) CVE-2023-3 [GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability] - - gimp + - gimp (bug #1055984) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1593/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/96f536a33590bb9811da5b5639e1d6c25aaf2e01 NOTE: Backport to gimp-2.10: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 (GIMP_2_10_36) NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10072 (restricted) CVE-2023-2 [GIMP PSD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability] - - gimp + - gimp (bug #1055984) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1594/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d (GIMP_2_10_36) NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10101 (restricted) CVE-2023-1 [GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability] - - gimp + - gimp (bug #1055984) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1592/ NOTE: 
https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc (GIMP_2_10_36) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7489cd907ffaef6107546bc34f3387d8740aa6cf
[Git][security-tracker-team/security-tracker][master] Tentatively try to take care of the gimp DSA
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 96002008 by Salvatore Bonaccorso at 2023-11-15T13:18:17+01:00 Tentatively try to take care of the gimp DSA - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -19,7 +19,7 @@ cinder/oldstable fastdds Awaiting feedback from maintainer on bullseye status -- -gimp +gimp (carnil) -- gpac/oldstable (jmm) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96002008ab5aa2841bee0bdb2e005a8c039810d5
[Git][security-tracker-team/security-tracker][master] Update references for gimp issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e9426c0 by Salvatore Bonaccorso at 2023-11-15T13:13:47+01:00 Update references for gimp issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -203,24 +203,29 @@ CVE-2023-4 [GIMP PSP File Parsing Off-By-One Remote Code Execution Vulnerabi - gimp NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1591/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/e1bfd87195e4fe60a92df70cde65464d032dd3c1 + NOTE: Backport to gimp-2.10: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 (GIMP_2_10_36) + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10071 (restricted) CVE-2023-3 [GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability] - gimp NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1593/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities - NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 (gimp-2-10) + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/96f536a33590bb9811da5b5639e1d6c25aaf2e01 + NOTE: Backport to gimp-2.10: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 (GIMP_2_10_36) + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10072 (restricted) CVE-2023-2 [GIMP PSD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability] - gimp NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1594/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities - NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d (gimp-2-10) + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d (GIMP_2_10_36) NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10101 (restricted) CVE-2023-1 [GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability] - gimp NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1592/ NOTE: 
https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities - NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc (gimp-2-10) - NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe (gimp-2-10) - NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703 (gimp-2-10) + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc (GIMP_2_10_36) + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe (GIMP_2_10_36) + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703 (GIMP_2_10_36) NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10069 (restricted) CVE-2023-6112 - chromium 119.0.6045.159-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e9426c0677ea84ed02105d5dfddfd7e695239a2
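Review bot: the commit links newly added for CVE-2023-4 (e1bfd87195e4...) and CVE-2023-3 (96f536a33590...) carry no branch or tag annotation, while every other commit reference in these entries is annotated, and the hunk itself renames the old "(gimp-2-10)" annotations to the release tag "(GIMP_2_10_36)". Annotating those two in the same style (with the branch they landed on, since the hunk presents ef12c0a90752... as the "Backport to gimp-2.10" of each) would make it clear at a glance that they are not the 2.10 fixes. Labelling the shared backport commit explicitly under both PSP entries, and adding the restricted issue links, is a good improvement over the previous bare "(gimp-2-10)" references.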
[Git][security-tracker-team/security-tracker][master] Add libclamunrar for tracking under CVE-2023-40477 for the embedded unrar copy
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 63536a5c by Salvatore Bonaccorso at 2023-11-15T12:55:50+01:00 Add libclamunrar for tracking under CVE-2023-40477 for the embedded unrar copy So we are in line with the recently issued DLA, DLA-3653-1, from a CVE tracking point of view. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13494,8 +13494,12 @@ CVE-2023-40477 - unrar-nonfree 1:6.2.10-1 [bookworm] - unrar-nonfree 1:6.2.6-1+deb12u1 [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u3 + - libclamunrar 1.0.3-1 + [bookworm] - libclamunrar 1.0.3-1~deb12u1 + [bullseye] - libclamunrar 0.103.10-1~deb11u1 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1152/ NOTE: https://www.win-rar.com/singlenewsview.html?=0_ttnews%5Btt_news%5D=232=c5bf79590657e32554c6683296a8e8aa + NOTE: https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html CVE-2023-38831 (RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code w ...) NOTE: RARLabs WinRAR CVE-2023-38422 (Walchem Intuition 9 firmware versions prior to v4.21 are missing authe ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63536a5ce5553f793a5a15bfc1daa140740dae74
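Review bot: the commit message justifies the change by DLA-3653-1, yet the hunk adds libclamunrar lines only for unstable (1.0.3-1), bookworm (1.0.3-1~deb12u1) and bullseye (0.103.10-1~deb11u1) and nothing for buster, the release a DLA applies to; if the buster fixed version is meant to be picked up from data/DLA/list rather than from this file, say so in the message, otherwise the tracking is not yet aligned with the DLA. A short NOTE line recording that libclamunrar ships an embedded copy of unrar (the reason it is tracked under CVE-2023-40477 at all, stated only in the commit title) would also help whoever triages the next unrar issue, since the package name alone does not make the relationship obvious.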
[Git][security-tracker-team/security-tracker][master] Adjust version for CVE-2023-47641
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4bfc275 by Salvatore Bonaccorso at 2023-11-15T12:19:36+01:00 Adjust version for CVE-2023-47641 As it looks 3.8.1-1 did get accepted to unstable, so the first version was already the -1 revision one. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,7 @@ CVE-2023-48217 (Statamic is a flat-first, Laravel + Git powered CMS designed for CVE-2023-47678 (An improper access control vulnerability exists in RT-AC87U all versio ...) NOT-FOR-US: ASUSTeK CVE-2023-47641 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - - python-aiohttp 3.8.1-2 + - python-aiohttp 3.8.1-1 [bookworm] - python-aiohttp (Minor issue) [bullseye] - python-aiohttp (Minor issue) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4bfc275738596fa2d701d659b899a7256fb4b9b
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c174d13 by Moritz Muehlenhoff at 2023-11-15T11:26:23+01:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -18,6 +18,8 @@ CVE-2023-47678 (An improper access control vulnerability exists in RT-AC87U all NOT-FOR-US: ASUSTeK CVE-2023-47641 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - python-aiohttp 3.8.1-2 + [bookworm] - python-aiohttp (Minor issue) + [bullseye] - python-aiohttp (Minor issue) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j NOTE: https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371 (v3.8.0b0) CVE-2023-47640 (DataHub is an open-source metadata platform. The HMAC signature for Da ...) @@ -28,6 +30,8 @@ CVE-2023-47630 (Kyverno is a policy engine designed for Kubernetes. An issue was NOT-FOR-US: Kyverno CVE-2023-47627 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - python-aiohttp 3.8.6-1 + [bookworm] - python-aiohttp (Minor issue) + [bullseye] - python-aiohttp (Minor issue) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg NOTE: https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d (v3.8.6) CVE-2023-47586 (Multiple heap-based buffer overflow vulnerabilities exist in V-Server ...) @@ -1110,6 +1114,8 @@ CVE-2023-45875 (An issue was discovered in Couchbase Server 7.2.0. There is a pr NOT-FOR-US: Couchbase Server CVE-2023-45857 (An issue discovered in Axios 1.5.1 inadvertently reveals the confident ...) - node-axios + [bookworm] - node-axios (Minor issue) + [bullseye] - node-axios (Minor issue) NOTE: https://github.com/axios/axios/issues/6006 CVE-2023-45225 (Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, ...) NOT-FOR-US: Zavio = data/dsa-needed.txt = 
@@ -19,6 +19,8 @@ cinder/oldstable fastdds Awaiting feedback from maintainer on bullseye status -- +gimp +-- gpac/oldstable (jmm) -- intel-microcode (carnil) @@ -92,6 +94,8 @@ squid -- tiff (aron) -- +tor +-- xen (jmm) -- zbar View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c174d13cb3c42bf2643b125d0e78af75826a749
[Git][security-tracker-team/security-tracker][master] new gpac issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f585cbbc by Moritz Muehlenhoff at 2023-11-15T10:49:53+01:00 new gpac issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -269,7 +269,9 @@ CVE-2023-47554 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-47550 (Cross-Site Request Forgery (CSRF) vulnerability in RedNao Donations Ma ...) NOT-FOR-US: WordPress plugin CVE-2023-47384 (MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to contai ...) - TODO: check + - gpac + [bullseye] - gpac (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2672 CVE-2023-47262 (In Abbott ID NOW before 7.1, settings can be modified via physical acc ...) NOT-FOR-US: Abbott ID NOW CVE-2023-47127 (TYPO3 is an open source PHP based web content management system releas ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f585cbbcf450b6d92b29181e0dde20e7c7e96dd2
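Review bot: the replacement for CVE-2023-47384 records "- gpac" with no fixed version, a bullseye "Minor issue" marking and no bookworm line, and the commit message ("new gpac issue") does not say whether bookworm is left out because it does not ship gpac or because it is not yet triaged; a word on that in the message would avoid a second look later. Since "gpac/oldstable (jmm)" is pending in dsa-needed.txt in other commits on this page, it would also help to state whether this issue is deliberately kept out of that oldstable update (the no-dsa marking suggests so) or should be folded into it.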
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 233ebb45 by Moritz Muehlenhoff at 2023-11-15T10:45:25+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83,7 +83,7 @@ CVE-2023-47130 (Yii is an open source PHP web framework. yiisoft/yii before vers CVE-2023-47125 (TYPO3 is an open source PHP based web content management system releas ...) NOT-FOR-US: TYPO3 CVE-2023-46672 (An issue was identified by Elastic whereby sensitive information is re ...) - TODO: check + - logstash (bug #664841) CVE-2023-46582 (SQL injection vulnerability in Inventory Management v.1.0 allows a loc ...) NOT-FOR-US: Inventory Management CVE-2023-46581 (SQL injection vulnerability in Inventory Management v.1.0 allows a loc ...) @@ -91,7 +91,7 @@ CVE-2023-46581 (SQL injection vulnerability in Inventory Management v.1.0 allows CVE-2023-46580 (Cross-Site Scripting (XSS) vulnerability in Inventory Management V1.0 ...) NOT-FOR-US: Inventory Management CVE-2023-46132 (Hyperledger Fabric is an open source permissioned distributed ledger f ...) - TODO: check + NOT-FOR-US: Hyperledger Fabric CVE-2023-46121 (yt-dlp is a youtube-dl fork with additional features and fixes. The Ge ...) - yt-dlp [bookworm] - yt-dlp (Minor issue) @@ -136,7 +136,7 @@ CVE-2023-45615 (There are buffer overflow vulnerabilities in the underlying CLI CVE-2023-45614 (There are buffer overflow vulnerabilities in the underlying CLI servic ...) NOT-FOR-US: Aruba CVE-2023-43979 (ETS Soft ybc_blog before v4.4.0 was discovered to contain a SQL inject ...) - TODO: check + NOT-FOR-US: ETS Soft ybc_blog CVE-2023-43591 (Improper privilege management in Zoom Rooms for macOS before version ...) NOT-FOR-US: Zoom CVE-2023-43590 (Link following in Zoom Rooms for macOS before version 5.16.0 may allo ...) 
@@ -148,53 +148,53 @@ CVE-2023-43582 (Improper authorization in some Zoom clients may allow an authori CVE-2023-41718 (When a particular process flow is initiated, an attacker may be able t ...) NOT-FOR-US: Ivanti CVE-2023-41597 (EyouCms v1.6.2 was discovered to contain a reflected cross-site script ...) - TODO: check + NOT-FOR-US: EyouCms CVE-2023-41570 (MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect acc ...) NOT-FOR-US: MikroTik CVE-2023-40923 (MyPrestaModules ordersexport before v5.0 was discovered to contain mul ...) NOT-FOR-US: MyPrestaModules ordersexport CVE-2023-39537 (AMI AptioV contains a vulnerability in BIOS where an Attacker may use ...) - TODO: check + NOT-FOR-US: AMI CVE-2023-39536 (AMI AptioV contains a vulnerability in BIOS where an Attacker may use ...) - TODO: check + NOT-FOR-US: AMI CVE-2023-39535 (AMI AptioV contains a vulnerability in BIOS where an Attacker may use ...) - TODO: check + NOT-FOR-US: AMI CVE-2023-39337 (A security vulnerability in EPMM Versions 11.10, 11.9 and 11.8 older a ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2023-39335 (A security vulnerability has been identified in EPMM Versions 11.10, 1 ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2023-39206 (Buffer overflow in some Zoom clients may allow an unauthenticated user ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-39205 (Improper conditions check in Zoom Team Chat for Zoom clients may allow ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-39204 (Buffer overflow in some Zoom clients may allow an unauthenticated user ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-39203 (Uncontrolled resource consumption in Zoom Team Chat for Zoom Desktop C ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-39202 (Untrusted search path in Zoom Rooms Client for Windows and Zoom VDI Cl ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-39199 (Cryptographic issues with In-Meeting Chat for some Zoom clients may al ...) 
- TODO: check + NOT-FOR-US: Zoom CVE-2023-38544 (A logged in user can modify specific files that may lead to unauthoriz ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2023-38543 (When a specific component is loaded a local attacker and is able to se ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2023-38043 (When a specific component is loaded a local attacker and is able to se ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2023-36558 (ASP.NET Core - Security Feature Bypass Vulnerability) - TODO: check + NOT-FOR-US: Microsoft CVE-2023-36437 (Azure DevOps Server Remote Code Execution Vulnerability) - TODO: check + NOT-FOR-US: Microsoft CVE-2023-36049 (.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnera ...) - TODO: check +
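Review bot: in the first hunk, the new line for CVE-2023-46672 reads `- logstash (bug #664841)` with neither a version nor an `<itp>` marker, so it is ambiguous whether this is an open issue in a packaged logstash or a not-yet-packaged one tracked via its ITP; if #664841 is the ITP, the usual form is `- logstash <itp> (bug #664841)`, and either way a `NOTE:` with the Elastic advisory would let a reader verify the affected versions.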
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3653-1 for libclamunrar
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cd2eff54 by Emilio Pozuelo Monfort at 2023-11-15T10:41:08+01:00 Reserve DLA-3653-1 for libclamunrar - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Nov 2023] DLA-3653-1 libclamunrar - security update + {CVE-2023-40477} + [buster] - libclamunrar 0.103.10-0+deb10u1 [14 Nov 2023] DLA-3652-1 ruby-sanitize - security update {CVE-2023-36823} [buster] - ruby-sanitize 4.6.6-2.1~deb10u2 = data/dla-needed.txt = @@ -100,10 +100,6 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -libclamunrar (Emilio) - NOTE: 20231113: Added by Front-Desk (apo) - NOTE: 20231113: Please upgrade to 0.103.10 to include the fix for CVE-2023-40477 --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd2eff54b4255c7d413ca417fcb54a69b4de3a87 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd2eff54b4255c7d413ca417fcb54a69b4de3a87 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ebd52e54 by Salvatore Bonaccorso at 2023-11-15T10:27:17+01:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -85,11 +85,11 @@ CVE-2023-47125 (TYPO3 is an open source PHP based web content management system CVE-2023-46672 (An issue was identified by Elastic whereby sensitive information is re ...) TODO: check CVE-2023-46582 (SQL injection vulnerability in Inventory Management v.1.0 allows a loc ...) - TODO: check + NOT-FOR-US: Inventory Management CVE-2023-46581 (SQL injection vulnerability in Inventory Management v.1.0 allows a loc ...) - TODO: check + NOT-FOR-US: Inventory Management CVE-2023-46580 (Cross-Site Scripting (XSS) vulnerability in Inventory Management V1.0 ...) - TODO: check + NOT-FOR-US: Inventory Management CVE-2023-46132 (Hyperledger Fabric is an open source permissioned distributed ledger f ...) TODO: check CVE-2023-46121 (yt-dlp is a youtube-dl fork with additional features and fixes. The Ge ...) 
@@ -98,61 +98,61 @@ CVE-2023-46121 (yt-dlp is a youtube-dl fork with additional features and fixes. NOTE: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x NOTE: https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb CVE-2023-46026 (Cross Site Scripting (XSS) vulnerability in profile.php in phpgurukul ...) - TODO: check + NOT-FOR-US: phpgurukul CVE-2023-46025 (SQL Injection vulnerability in teacher-info.php in phpgurukul Teacher ...) - TODO: check + NOT-FOR-US: phpgurukul CVE-2023-46024 (SQL Injection vulnerability in index.php in phpgurukul Teacher Subject ...) - TODO: check + NOT-FOR-US: phpgurukul CVE-2023-46023 (SQL injection vulnerability in addTask.php in Code-Projects Simple Tas ...) - TODO: check + NOT-FOR-US: Code-Projects Simple Task List CVE-2023-46022 (SQL Injection vulnerability in delete.php in Code-Projects Blood Bank ...) - TODO: check + NOT-FOR-US: Code-Projects Blood Bank CVE-2023-45627 (An authenticated Denial-of-Service (DoS) vulnerability exists in the C ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45626 (An authenticated vulnerability has been identified allowing an attacke ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45625 (Multiple authenticated command injection vulnerabilities exist in the ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45624 (An unauthenticated Denial-of-Service (DoS) vulnerability exists in the ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45623 (Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the W ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45622 (Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the B ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45621 (Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the C ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45620 (Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the C ...) 
- TODO: check + NOT-FOR-US: Aruba CVE-2023-45619 (There is an arbitrary file deletion vulnerability in the RSSI service ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45618 (There are arbitrary file deletion vulnerabilities in the AirWave clien ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45617 (There are arbitrary file deletion vulnerabilities in the CLI service a ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45616 (There is a buffer overflow vulnerability in the underlying AirWave cli ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45615 (There are buffer overflow vulnerabilities in the underlying CLI servic ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-45614 (There are buffer overflow vulnerabilities in the underlying CLI servic ...) - TODO: check + NOT-FOR-US: Aruba CVE-2023-43979 (ETS Soft ybc_blog before v4.4.0 was discovered to contain a SQL inject ...) TODO: check CVE-2023-43591 (Improper privilege management in Zoom Rooms for macOS before version ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-43590 (Link following in Zoom Rooms for macOS before version 5.16.0 may allo ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-43588 (Insufficient control flow management in some Zoom clients may allow an ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-43582 (Improper authorization in some Zoom clients may allow an authorized us ...) - TODO: check + NOT-FOR-US: Zoom CVE-2023-41718 (When a particular process flow is initiated, an attacker may be able t ...) -
[Git][security-tracker-team/security-tracker][master] new yt-dlp issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3945901f by Moritz Muehlenhoff at 2023-11-15T10:07:43+01:00 new yt-dlp issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -93,7 +93,10 @@ CVE-2023-46580 (Cross-Site Scripting (XSS) vulnerability in Inventory Management CVE-2023-46132 (Hyperledger Fabric is an open source permissioned distributed ledger f ...) TODO: check CVE-2023-46121 (yt-dlp is a youtube-dl fork with additional features and fixes. The Ge ...) - TODO: check + - yt-dlp + [bookworm] - yt-dlp (Minor issue) + NOTE: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x + NOTE: https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb CVE-2023-46026 (Cross Site Scripting (XSS) vulnerability in profile.php in phpgurukul ...) TODO: check CVE-2023-46025 (SQL Injection vulnerability in teacher-info.php in phpgurukul Teacher ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3945901ff60fb1760ac260b33f02d63c2422e0df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3945901ff60fb1760ac260b33f02d63c2422e0df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
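Review bot: the fix commit NOTE for CVE-2023-46121 does not say which upstream release contains f04b5bedad7b281bee9814686bba1762bae092eb, and `- yt-dlp` carries no fixed Debian version; annotating the commit with its release tag, as the aiohttp entries from the same day do with `(v3.8.6)`, and recording the first fixed upload when it lands would make the bookworm "Minor issue" triage easier to re-check later.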
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2023-47641/python-aiohttp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fe95534 by Salvatore Bonaccorso at 2023-11-15T09:56:14+01:00 Add CVE-2023-47641/python-aiohttp - - - - - 90d2b996 by Salvatore Bonaccorso at 2023-11-15T09:56:15+01:00 Add CVE-2023-47627/python-aiohttp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,9 @@ CVE-2023-48217 (Statamic is a flat-first, Laravel + Git powered CMS designed for CVE-2023-47678 (An improper access control vulnerability exists in RT-AC87U all versio ...) NOT-FOR-US: ASUSTeK CVE-2023-47641 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - TODO: check + - python-aiohttp 3.8.1-2 + NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j + NOTE: https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371 (v3.8.0b0) CVE-2023-47640 (DataHub is an open-source metadata platform. The HMAC signature for Da ...) NOT-FOR-US: DataHub CVE-2023-47631 (vantage6 is a framework to manage and deploy privacy enhancing technol ...) 
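Review bot: the fixed version for CVE-2023-47641 is recorded as `python-aiohttp 3.8.1-2`, but the referenced fix commit is tagged `(v3.8.0b0)`, so any earlier 3.8.x upload in the archive (for example a 3.8.1-1, if one existed) already contained the fix and would be the correct fixed version to record; please double-check the version history so the tracker does not flag an already-fixed upload. The entry also has no `[bullseye]`/`[bookworm]` line, so releases shipping an older aiohttp stay open until a no-dsa, postponed or DSA decision is added.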
@@ -25,7 +27,9 @@ CVE-2023-47631 (vantage6 is a framework to manage and deploy privacy enhancing t CVE-2023-47630 (Kyverno is a policy engine designed for Kubernetes. An issue was found ...) NOT-FOR-US: Kyverno CVE-2023-47627 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - TODO: check + - python-aiohttp 3.8.6-1 + NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg + NOTE: https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d (v3.8.6) CVE-2023-47586 (Multiple heap-based buffer overflow vulnerabilities exist in V-Server ...) NOT-FOR-US: FUJI CVE-2023-47585 (Out-of-bounds read vulnerability exists in V-Server V4.0.18.0 and earl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c2490cdffab061b0e80494e870971aa502d4325b...90d2b996a183d6cde139f20d31e6b8d6c78472d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c2490cdffab061b0e80494e870971aa502d4325b...90d2b996a183d6cde139f20d31e6b8d6c78472d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
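Review bot: CVE-2023-47627 is marked fixed in `python-aiohttp 3.8.6-1` with no suite annotations, so every release carrying a python-aiohttp below 3.8.6 will now show as vulnerable; add `[bookworm]`/`[bullseye]` triage lines (no-dsa, postponed, or a DSA/DLA plan) once the impact on the released versions has been assessed, and consider noting in the commit NOTE whether the fix depends on other 3.8.x changes, which matters for a backport.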
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c2490cdf by Moritz Muehlenhoff at 2023-11-15T09:53:00+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -15,69 +15,69 @@ CVE-2023-4889 (The Shareaholic plugin for WordPress is vulnerable to Stored Cros CVE-2023-48217 (Statamic is a flat-first, Laravel + Git powered CMS designed for build ...) NOT-FOR-US: Statamic CMS CVE-2023-47678 (An improper access control vulnerability exists in RT-AC87U all versio ...) - TODO: check + NOT-FOR-US: ASUSTeK CVE-2023-47641 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) TODO: check CVE-2023-47640 (DataHub is an open-source metadata platform. The HMAC signature for Da ...) - TODO: check + NOT-FOR-US: DataHub CVE-2023-47631 (vantage6 is a framework to manage and deploy privacy enhancing technol ...) - TODO: check + NOT-FOR-US: vantage6 CVE-2023-47630 (Kyverno is a policy engine designed for Kubernetes. An issue was found ...) - TODO: check + NOT-FOR-US: Kyverno CVE-2023-47627 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) TODO: check CVE-2023-47586 (Multiple heap-based buffer overflow vulnerabilities exist in V-Server ...) - TODO: check + NOT-FOR-US: FUJI CVE-2023-47585 (Out-of-bounds read vulnerability exists in V-Server V4.0.18.0 and earl ...) - TODO: check + NOT-FOR-US: FUJI CVE-2023-47584 (Out-of-bounds write vulnerability exists in V-Server V4.0.18.0 and ear ...) - TODO: check + NOT-FOR-US: FUJI CVE-2023-47583 (Multiple out-of-bounds read vulnerabilities exist in TELLUS Simulator ...) - TODO: check + NOT-FOR-US: FUJI CVE-2023-47582 (Access of uninitialized pointer vulnerability exists in TELLUS V4.0.17 ...) - TODO: check + NOT-FOR-US: FUJI CVE-2023-47581 (Out-of-bounds read vulnerability exists in TELLUS V4.0.17.0 and earlie ...) - TODO: check + NOT-FOR-US: FUJI CVE-2023-47580 (Multiple improper restriction of operations within the bounds of a mem ...) - TODO: check + NOT-FOR-US: FUJI CVE-2023-47549 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability on302 respo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47547 (Unauth. 
Reflected Cross-Site Scripting (XSS) vulnerability in WPFactor ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47546 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerabilityin Walte ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47545 (Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Fat ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47544 (Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Atarim Visu ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47533 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in wpde ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47532 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Themeum ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47528 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Sajj ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47524 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability (requiresPH ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47522 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Photo Fe ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47520 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Michael ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47518 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Matthew ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47517 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in SendPres ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47446 (Pre-School Enrollment version 1.0 is vulnerable to Cross Site Scriptin ...) - TODO: check + NOT-FOR-US: Pre-School Enrollment CVE-2023-47445 (Pre-School Enrollment version 1.0 is vulnerable to SQL Injection via t ...) 
- TODO: check + NOT-FOR-US: Pre-School Enrollment version CVE-2023-47309 (Nukium nkmgls before version 3.0.2 is vulnerable to Cross Site Scripti ...) - TODO: check + NOT-FOR-US: Nukium nkmgls CVE-2023-47308 (In the module "Newsletter Popup PRO with Voucher/Coupon code" (newslet ...) - TODO: check + NOT-FOR-US: PrestaShop addon CVE-2023-47130 (Yii is an open source PHP web framework. yiisoft/yii before version 1. ...) -
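Review bot: the NOT-FOR-US label for CVE-2023-47445 reads `NOT-FOR-US: Pre-School Enrollment version`, while the sibling entry CVE-2023-47446 in the same hunk uses `NOT-FOR-US: Pre-School Enrollment`; the trailing "version" looks copied from the description text and should be dropped so the two entries match. Similarly, the V-Server/TELLUS entries are labelled just `NOT-FOR-US: FUJI`, which is terser than the vendor naming used elsewhere in the file (e.g. `Schneider Electric`, `Aruba`); a fuller product or vendor name helps when grepping the list later.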
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5be7391e by Salvatore Bonaccorso at 2023-11-15T09:49:55+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,19 +1,19 @@ CVE-2023-6133 (The Forminator plugin for WordPress is vulnerable to arbitrary file up ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6032 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2023-5987 (A CWE-79 Improper Neutralization of Input During Web Page Generation ( ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2023-5986 (A CWE-601 URL Redirection to Untrusted Site vulnerability exists that ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2023-5985 (A CWE-79 Improper Neutralization of Input During Web Page Generation v ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2023-5984 (A CWE-494 Download of Code Without Integrity Check vulnerability exist ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2023-4889 (The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Sit ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-48217 (Statamic is a flat-first, Laravel + Git powered CMS designed for build ...) - TODO: check + NOT-FOR-US: Statamic CMS CVE-2023-47678 (An improper access control vulnerability exists in RT-AC87U all versio ...) TODO: check CVE-2023-47641 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5be7391efd237c66ceadf775c78afaf4611a9740 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5be7391efd237c66ceadf775c78afaf4611a9740 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] gimp references
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e6edbb3 by Moritz Muehlenhoff at 2023-11-15T09:35:55+01:00 gimp references - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -196,14 +196,21 @@ CVE-2023-3 [GIMP PSP File Parsing Integer Overflow Remote Code Execution Vul - gimp NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1593/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 (gimp-2-10) CVE-2023-2 [GIMP PSD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability] - gimp NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1594/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d (gimp-2-10) + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10101 (restricted) CVE-2023-1 [GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability] - gimp NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1592/ NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc (gimp-2-10) + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe (gimp-2-10) + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703 (gimp-2-10) + NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/10069 (restricted) CVE-2023-6112 - chromium 119.0.6045.159-1 [buster] - chromium (see DSA 5046) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e6edbb3cca1288f69aa4b5b013a2ce8b5c98274 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e6edbb3cca1288f69aa4b5b013a2ce8b5c98274 You're receiving this email because of your account on salsa.debian.org. 
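Review bot: the DDS entry (CVE-2023-1) now cites three gimp-2-10 commits plus a restricted issue, but the NOTEs do not say whether all three commits are needed for the fix or which one is the primary change; since the linked issues are not readable by most backporters, a short NOTE such as "fix is X, Y and Z are follow-ups" would tell whoever prepares a stable update what to cherry-pick. The PSP entry (CVE-2023-3) gets a commit but no issue reference, unlike its siblings; if an issue exists, add it for consistency.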
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bceb538c by security tracker role at 2023-11-15T08:12:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,193 @@ +CVE-2023-6133 (The Forminator plugin for WordPress is vulnerable to arbitrary file up ...) + TODO: check +CVE-2023-6032 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) + TODO: check +CVE-2023-5987 (A CWE-79 Improper Neutralization of Input During Web Page Generation ( ...) + TODO: check +CVE-2023-5986 (A CWE-601 URL Redirection to Untrusted Site vulnerability exists that ...) + TODO: check +CVE-2023-5985 (A CWE-79 Improper Neutralization of Input During Web Page Generation v ...) + TODO: check +CVE-2023-5984 (A CWE-494 Download of Code Without Integrity Check vulnerability exist ...) + TODO: check +CVE-2023-4889 (The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Sit ...) + TODO: check +CVE-2023-48217 (Statamic is a flat-first, Laravel + Git powered CMS designed for build ...) + TODO: check +CVE-2023-47678 (An improper access control vulnerability exists in RT-AC87U all versio ...) + TODO: check +CVE-2023-47641 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) + TODO: check +CVE-2023-47640 (DataHub is an open-source metadata platform. The HMAC signature for Da ...) + TODO: check +CVE-2023-47631 (vantage6 is a framework to manage and deploy privacy enhancing technol ...) + TODO: check +CVE-2023-47630 (Kyverno is a policy engine designed for Kubernetes. An issue was found ...) + TODO: check +CVE-2023-47627 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) + TODO: check +CVE-2023-47586 (Multiple heap-based buffer overflow vulnerabilities exist in V-Server ...) + TODO: check +CVE-2023-47585 (Out-of-bounds read vulnerability exists in V-Server V4.0.18.0 and earl ...) + TODO: check +CVE-2023-47584 (Out-of-bounds write vulnerability exists in V-Server V4.0.18.0 and ear ...) + TODO: check +CVE-2023-47583 (Multiple out-of-bounds read vulnerabilities exist in TELLUS Simulator ...) 
+ TODO: check +CVE-2023-47582 (Access of uninitialized pointer vulnerability exists in TELLUS V4.0.17 ...) + TODO: check +CVE-2023-47581 (Out-of-bounds read vulnerability exists in TELLUS V4.0.17.0 and earlie ...) + TODO: check +CVE-2023-47580 (Multiple improper restriction of operations within the bounds of a mem ...) + TODO: check +CVE-2023-47549 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability on302 respo ...) + TODO: check +CVE-2023-47547 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPFactor ...) + TODO: check +CVE-2023-47546 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerabilityin Walte ...) + TODO: check +CVE-2023-47545 (Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Fat ...) + TODO: check +CVE-2023-47544 (Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Atarim Visu ...) + TODO: check +CVE-2023-47533 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in wpde ...) + TODO: check +CVE-2023-47532 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Themeum ...) + TODO: check +CVE-2023-47528 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Sajj ...) + TODO: check +CVE-2023-47524 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability (requiresPH ...) + TODO: check +CVE-2023-47522 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Photo Fe ...) + TODO: check +CVE-2023-47520 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Michael ...) + TODO: check +CVE-2023-47518 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Matthew ...) + TODO: check +CVE-2023-47517 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in SendPres ...) + TODO: check +CVE-2023-47446 (Pre-School Enrollment version 1.0 is vulnerable to Cross Site Scriptin ...) + TODO: check +CVE-2023-47445 (Pre-School Enrollment version 1.0 is vulnerable to SQL Injection via t ...) 
+ TODO: check +CVE-2023-47309 (Nukium nkmgls before version 3.0.2 is vulnerable to Cross Site Scripti ...) + TODO: check +CVE-2023-47308 (In the module "Newsletter Popup PRO with Voucher/Coupon code" (newslet ...) + TODO: check +CVE-2023-47130 (Yii is an open source PHP web framework. yiisoft/yii before version 1. ...) + TODO: check +CVE-2023-47125 (TYPO3 is an open source PHP based web content management system releas ...) + TODO: check +CVE-2023-46672 (An issue was identified by Elastic whereby sensitive information is re ...)
[Git][security-tracker-team/security-tracker][master] Add one more gimp issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c47848f by Salvatore Bonaccorso at 2023-11-15T09:09:06+01:00 Add one more gimp issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-4 [GIMP PSP File Parsing Off-By-One Remote Code Execution Vulnerability] + - gimp + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1591/ + NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities CVE-2023-3 [GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability] - gimp NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1593/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c47848f5e9b05e0292273389d0bd0b1e890a8cc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c47848f5e9b05e0292273389d0bd0b1e890a8cc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
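Review bot: the new CVE-2023-4 entry (ZDI-23-1591, PSP off-by-one) references only the ZDI advisory and the 2.10.36 release notes, with no upstream commit; the later "gimp references" commit adds gimp-2-10 fix commits for CVE-2023-3, -2 and -1, but its hunk starts at CVE-2023-3, so it is not visible here whether this entry received one. If a fix commit can be identified, add it as a `NOTE:` like the others so the PSP fixes can be backported together.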
[Git][security-tracker-team/security-tracker][master] Add new gimp issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9b5bea8 by Salvatore Bonaccorso at 2023-11-15T09:08:10+01:00 Add new gimp issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,15 @@ +CVE-2023-3 [GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability] + - gimp + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1593/ + NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities +CVE-2023-2 [GIMP PSD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability] + - gimp + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1594/ + NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities +CVE-2023-1 [GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability] + - gimp + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1592/ + NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities CVE-2023-6112 - chromium 119.0.6045.159-1 [buster] - chromium (see DSA 5046) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9b5bea88043dd89986006abfd3d277d9c8b053a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9b5bea88043dd89986006abfd3d277d9c8b053a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
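Review bot: all three new entries record `- gimp` with no fixed version and no `[bullseye]`/`[bookworm]` lines, even though the referenced gimp.org page presents 2.10.36 as the release that fixes these issues; once a 2.10.36-based (or patched) upload reaches unstable, record that version on the `- gimp` line, as the adjacent chromium entry does with `119.0.6045.159-1`, and add suite triage lines so the tracker reflects which releases still need a fix.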