[Git][security-tracker-team/security-tracker][master] Add roundcube to dsa-needed list

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6160043e by Salvatore Bonaccorso at 2023-11-29T08:53:24+01:00
Add roundcube to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -60,6 +60,9 @@ redmine/stable
 ring
   might make sense to rebase to current version
 --
+roundcube (seb)
+  Maintainer proposed to release a DSA
+--
 ruby2.7/oldstable
   Utkarsh Gupta offered help in preparing updates
 --
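
Review bot: The new "roundcube (seb)" entry does not say which issue or which release the proposed DSA is for. The neighbouring entries in this hunk carry a release suffix (redmine/stable, ruby2.7/oldstable); adding the suffix, or a CVE reference on the note line, would let the next reader see what is pending without asking the maintainer.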



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6160043e71fb3cacd647ce106bc22a004f09544d

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-6111/linux via unstable

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d423ac62 by Salvatore Bonaccorso at 2023-11-29T08:52:08+01:00
Track fixed version for CVE-2023-6111/linux via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1939,7 +1939,7 @@ CVE-2023-6125 (Code Injection in GitHub repository 
salesagility/suitecrm prior t
 CVE-2023-6124 (Server-Side Request Forgery (SSRF) in GitHub repository 
salesagility/s ...)
NOT-FOR-US: suitecrm
 CVE-2023-6111 (A use-after-free vulnerability in the Linux kernel's netfilter: 
nf_tab ...)
-   - linux 
+   - linux 6.5.13-1
[bookworm] - linux  (Vulnerable code introduce later)
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
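
Review bot: The [bookworm] context line directly under the changed line reads "Vulnerable code introduce later". Since this edit touches the CVE-2023-6111 entry anyway, correct it to "introduced later" so the reason reads cleanly next to the new fixed version 6.5.13-1.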



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d423ac623f98978fcde2e7c6d947ef7409a3b902



[Git][security-tracker-team/security-tracker][master] NFUs (concludes external check)

2023-11-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
50d2abe2 by Moritz Muehlenhoff at 2023-11-29T08:49:35+01:00
NFUs (concludes external check)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -61,7 +61,7 @@ CVE-2023-41264 (Netwrix Usercube before 6.0.215, in certain 
misconfigured on-pre
 CVE-2023-40056 (SQL Injection Remote Code Vulnerability was found in the 
SolarWinds Pl ...)
NOT-FOR-US: SolarWinds
 CVE-2023-34055 (In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 
3.1.0-3.1.5,  ...)
-   TODO: check
+   NOT-FOR-US: Spring Boot
 CVE-2023-46589 (Improper Input Validation vulnerability in Apache 
Tomcat.Tomcat from 1 ...)
- tomcat10 
- tomcat9 9.0.70-2
@@ -167,7 +167,7 @@ CVE-2023-35136 (An improper input validation vulnerability 
in the \u201cQuagga\u
 CVE-2023-34054 (In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 
and versi ...)
TODO: check
 CVE-2023-34053 (In Spring Framework versions 6.0.0 - 6.0.13, it is possible 
for a user ...)
-   TODO: check
+   - libspring-java  (Only affects 6.x)
 CVE-2023-32065 (OroCommerce is an open-source Business to Business Commerce 
applicatio ...)
NOT-FOR-US: OroCommerce
 CVE-2023-32064 (OroCommerce package with customer portal and non authenticated 
visitor ...)
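
Review bot: The CVE-2023-34053 change in this hunk is a triage decision for a packaged source (libspring-java, "Only affects 6.x"), not a NOT-FOR-US marking, so the commit subject "NFUs" does not describe it. Consider mentioning libspring-java in the subject or splitting it into its own commit. Note also that CVE-2023-34054 directly above is still "TODO: check" after a commit that says it concludes the check.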



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50d2abe29cad04014a0f7fdaa90500c0752e7cc1



[Git][security-tracker-team/security-tracker][master] Track fixed version for gst-plugins-bad1.0 via unstable

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b07e45fe by Salvatore Bonaccorso at 2023-11-29T07:22:33+01:00
Track fixed version for gst-plugins-bad1.0 via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10123,7 +10123,7 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read 
Information Disclosure Vu
NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-6 [MXF demuxer use-after-free]
{DSA-5565-1}
-   - gst-plugins-bad1.0  (bug #1056101)
+   - gst-plugins-bad1.0 1.22.7-1 (bug #1056101)
- gst-plugins-bad0.10 
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0010.html
NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5635
@@ -10131,7 +10131,7 @@ CVE-2023-6 [MXF demuxer use-after-free]
NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7dfaa57b6f9b55f17ffe824bd8988bb71ae11353
 (1.22.7)
 CVE-2023-44429 [AV1 codec parser buffer overflow]
{DSA-5565-1}
-   - gst-plugins-bad1.0  (bug #1056102)
+   - gst-plugins-bad1.0 1.22.7-1 (bug #1056102)
[buster] - gst-plugins-bad1.0  (Vulnerable code was 
introduced later)
- gst-plugins-bad0.10 
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0009.html
@@ -10140,7 +10140,7 @@ CVE-2023-44429 [AV1 codec parser buffer overflow]
NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b76a801f57353b893c344025cac56413140fca6d
 (1.22.7)
 CVE-2023-40476 [Integer overflow in H.265 video parser leading to stack 
overwrite]
{DSA-5533-1 DLA-3633-1}
-   - gst-plugins-bad1.0  (bug #1053259)
+   - gst-plugins-bad1.0 1.22.7-1 (bug #1053259)
- gst-plugins-bad0.10 
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0008.html
NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364
@@ -10148,7 +10148,7 @@ CVE-2023-40476 [Integer overflow in H.265 video parser 
leading to stack overwrit
NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fddda166222a067d0e511950a0a8cfb9f5a521b7
 (1.22.6)
 CVE-2023-40475 [Integer overflow leading to heap overwrite in MXF file 
handling with AES3 audio]
{DSA-5533-1 DLA-3633-1}
-   - gst-plugins-bad1.0  (bug #1053260)
+   - gst-plugins-bad1.0 1.22.7-1 (bug #1053260)
- gst-plugins-bad0.10 
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0007.html
NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362
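
Review bot: The "Fixed by" context line at the top of this hunk names 1.22.6 as the upstream release carrying the fix for the preceding entry, yet that entry and CVE-2023-40475 here are both tracked as fixed in 1.22.7-1. That is correct only if no 1.22.6-based upload reached unstable. Please confirm 1.22.7-1 is the first unstable version containing the 1.22.6 fixes, so that the recorded version is not later than the real one.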
@@ -10156,7 +10156,7 @@ CVE-2023-40475 [Integer overflow leading to heap 
overwrite in MXF file handling
NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1edd1c38dcc5d27e7c5649d999ee8278872a16d4
 (1.22.6)
 CVE-2023-40474 [Integer overflow leading to heap overwrite in MXF file 
handling with uncompressed video]
{DSA-5533-1 DLA-3633-1}
-   - gst-plugins-bad1.0  (bug #1053261)
+   - gst-plugins-bad1.0 1.22.7-1 (bug #1053261)
- gst-plugins-bad0.10 
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0006.html
NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b07e45fea08114f5e6e4b6b515f9998adae11339



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3673-1 for gst-plugins-bad1.0

2023-11-28 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8dae185 by Thorsten Alteholz at 2023-11-28T23:46:00+01:00
Reserve DLA-3673-1 for gst-plugins-bad1.0

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Nov 2023] DLA-3673-1 gst-plugins-bad1.0 - security update
+   {CVE-2023-6}
+   [buster] - gst-plugins-bad1.0 1.14.4-1+deb10u5
 [28 Nov 2023] DLA-3672-1 postgresql-multicorn - security update
[buster] - postgresql-multicorn 1.3.4-4+deb10u1
 [28 Nov 2023] DLA-3671-1 mediawiki - security update


=
data/dla-needed.txt
=
@@ -69,9 +69,6 @@ frr
 gimp-dds
   NOTE: 20231127: Added by Front-Desk (Beuc)
 --
-gst-plugins-bad1.0 (Thorsten Alteholz)
-  NOTE: 20231118: Added by Front-Desk (apo)
---
 horizon
   NOTE: 20231101: Added by Front-Desk (lamby)
   NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8dae1851184b8cbf0ac3c82ef343799f04510c7



[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2018-14628/samba

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0050497a by Salvatore Bonaccorso at 2023-11-28T23:03:35+01:00
Add reference for CVE-2018-14628/samba

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -362177,6 +362177,7 @@ CVE-2018-14628 (An information leak vulnerability was 
discovered in Samba's LDAP
[bullseye] - samba  (Domain controller functionality is EOLed, 
see DSA DSA-5477-1)
[buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13595
+   NOTE: https://www.samba.org/samba/security/CVE-2018-14628.html
 CVE-2018-14627 (The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 
does not h ...)
- wildfly  (bug #752018)
NOTE: https://issues.jboss.org/browse/WFLY-9107
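
Review bot: While adding the upstream advisory reference, note that the [bullseye] context line in this hunk says "see DSA DSA-5477-1" with a doubled "DSA", whereas the [buster] line uses "see DSA-5015-1". Fixing the bullseye wording in the same commit would keep the two reasons consistent.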



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0050497ac7ac5613467ea14a1458be824539a677



[Git][security-tracker-team/security-tracker][master] Revert "Mark CVE-2020-21428 as not-affected for stretch"

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8a9df901 by Salvatore Bonaccorso at 2023-11-28T22:49:29+01:00
Revert Mark CVE-2020-21428 as not-affected for stretch

This reverts commit 6619bfa58413f9d3459f33f21a696aa0da67fb3b.

Suspect - but asked Anton Gladky - that this was either meant for
[buster] or maybe should have been applied for the ELTS tracker. For
time being revert it so can either be added again with [buster] tag if
that was the intention.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -236985,7 +236985,6 @@ CVE-2020-21429
 CVE-2020-21428 (Buffer Overflow vulnerability in function LoadRGB in 
PluginDDS.cpp in  ...)
{DLA-3662-1}
- freeimage 3.18.0+ds2-10 (bug #1051738)
-   [stretch] - freeimage  (vulnerable code is not present)
NOTE: https://sourceforge.net/p/freeimage/bugs/299/
NOTE: Fixed with r1877 from 
http://svn.code.sf.net/p/freeimage/svn/FreeImage/
 CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in 
PluginB ...)
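
Review bot: The commit message leaves open re-adding the removed line with a [buster] tag, but the entry in this hunk already carries {DLA-3662-1}. If that DLA shipped a buster fix for CVE-2020-21428, a [buster] not-affected line would contradict it, which points to the ELTS tracker as the intended home. Recording the answer from Anton Gladky in a follow-up commit message would close the question.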



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a9df9017ea1caceb37353dd2b9ca98b69b11a2a



[Git][security-tracker-team/security-tracker][master] Add myself for zbar

2023-11-28 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03fa999f by Bastien Roucariès at 2023-11-28T21:30:02+00:00
Add myself for zbar

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -244,7 +244,7 @@ wireshark (Adrian Bunk)
 zabbix
   NOTE: 20231015: Added by Front-Desk (ta)
 --
-zbar
+zbar (rouca)
   NOTE: 20231119: Added by Front-Desk (apo)
 --
 zfs-linux



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03fa999fed87a2a122cc2e90fb936c34a1ad2d4d



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-45539/haproxy

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b51133a7 by Salvatore Bonaccorso at 2023-11-28T21:37:42+01:00
Add CVE-2023-45539/haproxy

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41,7 +41,11 @@ CVE-2023-48121 (An authentication bypass vulnerability in 
the Direct Connection
 CVE-2023-48042 (Amazzing Filter for Prestashop through 3.2.2 is vulnerable to 
Cross-Si ...)
NOT-FOR-US: Amazzing Filter for Prestashop
 CVE-2023-45539 (HAProxy before 2.8.2 accepts # as part of the URI component, 
which mig ...)
-   TODO: check
+   - haproxy 2.6.15-1
+   NOTE: 
https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html
+   NOTE: 
https://github.com/haproxy/haproxy/commit/2eab6d354322932cfec2ed54de261e4347eca9a6
 (v2.9-dev3)
+   NOTE: 
https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=832b672eee54866c7a42a1d46078cc9ae0d544d9
 (v2.6.15)
+   NOTE: 
https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=178cea76b1c9d9413afa6961b6a4576fcb5b26fa
 (v2.3.31)
 CVE-2023-45286 (A race condition in go-resty can result in HTTP request body 
disclosur ...)
TODO: check
 CVE-2023-42505 (An authenticated user with read permissions on database 
connections me ...)
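
Review bot: The last added NOTE points at the haproxy-2.2.git repository but labels the commit "(v2.3.31)", which does not match the branch in the URL. The other two NOTE lines pair branch and tag consistently (haproxy-2.6.git with v2.6.15), so this label looks like a typo; please check the tag that contains commit 178cea76 and correct the label.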



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b51133a722b90be9b0c41d093d1e79c58bde45b8



[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
791852ef by Salvatore Bonaccorso at 2023-11-28T21:26:59+01:00
Add chromium to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
+--
+chromium (dilinger)
 --
 cryptojs
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/791852ef0ee79d3142a35d7823f98cc8e23e24a1



[Git][security-tracker-team/security-tracker][master] Add new chromium issues

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
571001e5 by Salvatore Bonaccorso at 2023-11-28T21:26:08+01:00
Add new chromium issues

Link: 
https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,21 @@
+CVE-2023-6351
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-6350
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-6348
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-6347
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-6346
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-6345
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
 CVE-2023-6359 (A Cross-Site Scripting (XSS) vulnerability has been found in 
Alumne LM ...)
NOT-FOR-US: Alumne LMS
 CVE-2023-6239 (Improperly calculated effective permissions in M-Files Server 
versions ...)
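
Review bot: The added block runs CVE-2023-6351, 6350, 6348, 6347, 6346, 6345 and skips CVE-2023-6349. Please confirm against the release post linked in the commit message that the skipped id is not part of this chromium update, so the gap is known to be intentional.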



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/571001e52ff1e9995d9f8937dd53433ca20e430a



[Git][security-tracker-team/security-tracker][master] Process new NFUs

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7666a459 by Salvatore Bonaccorso at 2023-11-28T21:21:24+01:00
Process new NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,43 +1,43 @@
 CVE-2023-6359 (A Cross-Site Scripting (XSS) vulnerability has been found in 
Alumne LM ...)
-   TODO: check
+   NOT-FOR-US: Alumne LMS
 CVE-2023-6239 (Improperly calculated effective permissions in M-Files Server 
versions ...)
-   TODO: check
+   NOT-FOR-US: M-Files
 CVE-2023-6201 (Improper Neutralization of Special Elements used in an OS 
Command ('OS ...)
-   TODO: check
+   NOT-FOR-US: Univera Computer System Panorama
 CVE-2023-6151 (Improper Privilege Management vulnerability in ESKOM Computer 
e-munici ...)
-   TODO: check
+   NOT-FOR-US: ESKOM Computer e-municipality module
 CVE-2023-6150 (Improper Privilege Management vulnerability in ESKOM Computer 
e-munici ...)
-   TODO: check
+   NOT-FOR-US: ESKOM Computer e-municipality module
 CVE-2023-49314 (Asana Desktop 2.1.0 on macOS allows code injection because of 
specific ...)
-   TODO: check
+   NOT-FOR-US: Asana Desktop
 CVE-2023-49313 (A dylib injection vulnerability in XMachOViewer 0.04 allows 
attackers  ...)
-   TODO: check
+   NOT-FOR-US: XMachOViewer
 CVE-2023-49078 (raptor-web is a CMS for game server communities that can be 
used to ho ...)
-   TODO: check
+   NOT-FOR-US: raptor-web CMS
 CVE-2023-49062 (Katran could disclose non-initialized kernel memory as part of 
an IP h ...)
TODO: check
 CVE-2023-48848 (An arbitrary file read vulnerability in ureport v2.2.9 allows 
a remote ...)
TODO: check
 CVE-2023-48121 (An authentication bypass vulnerability in the Direct 
Connection Module ...)
-   TODO: check
+   NOT-FOR-US: Direct Connection Module in Ezviz
 CVE-2023-48042 (Amazzing Filter for Prestashop through 3.2.2 is vulnerable to 
Cross-Si ...)
-   TODO: check
+   NOT-FOR-US: Amazzing Filter for Prestashop
 CVE-2023-45539 (HAProxy before 2.8.2 accepts # as part of the URI component, 
which mig ...)
TODO: check
 CVE-2023-45286 (A race condition in go-resty can result in HTTP request body 
disclosur ...)
TODO: check
 CVE-2023-42505 (An authenticated user with read permissions on database 
connections me ...)
-   TODO: check
+   NOT-FOR-US: Apache Superset
 CVE-2023-42504 (An authenticated malicious user could initiate multiple 
concurrent req ...)
-   TODO: check
+   NOT-FOR-US: Apache Superset
 CVE-2023-42502 (An authenticated attacker with update datasets permission 
could change ...)
-   TODO: check
+   NOT-FOR-US: Apache Superset
 CVE-2023-42004 (IBM Security Guardium 11.3, 11.4, and 11.5 is potentially 
vulnerable t ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-41264 (Netwrix Usercube before 6.0.215, in certain misconfigured 
on-premises  ...)
-   TODO: check
+   NOT-FOR-US: Netwrix Usercube
 CVE-2023-40056 (SQL Injection Remote Code Vulnerability was found in the 
SolarWinds Pl ...)
-   TODO: check
+   NOT-FOR-US: SolarWinds
 CVE-2023-34055 (In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 
3.1.0-3.1.5,  ...)
TODO: check
 CVE-2023-46589 (Improper Input Validation vulnerability in Apache 
Tomcat.Tomcat from 1 ...)
@@ -61,7 +61,7 @@ CVE-2023-6219 (The BookingPress plugin for WordPress is 
vulnerable to arbitrary
 CVE-2023-5960 (An improper privilege management vulnerability in the hotspot 
feature  ...)
NOT-FOR-US: Zyxel
 CVE-2023-5885 (The discontinued FFS Colibri product allows a remote user to 
access fi ...)
-   TODO: check
+   NOT-FOR-US: FFS Colibri
 CVE-2023-5797 (An improper privilege management vulnerability in the debug CLI 
comman ...)
NOT-FOR-US: Zyxel
 CVE-2023-5773
@@ -35043,7 +35043,7 @@ CVE-2023-29062
 CVE-2023-29061
RESERVED
 CVE-2023-29060 (The FACSChorus\xe2\u201e\xa2 workstation operating system does 
not res ...)
-   TODO: check
+   NOT-FOR-US: facschorus
 CVE-2023-1764 (Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 
10.9.5 ...)
NOT-FOR-US: Canon
 CVE-2023-1763 (Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 
10.9.5 ...)
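
Review bot: The new marker "NOT-FOR-US: facschorus" is lower-cased, while the CVE-2023-29060 description line just above spells the product "FACSChorus" and the other markers in this commit keep the vendor's own capitalisation (for example "Netwrix Usercube", "Apache Superset"). Using the product's spelling here keeps the marker easy to find when later ids for the same product are triaged.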



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7666a459a59807df6676c79010648ff79088d6fc



[Git][security-tracker-team/security-tracker][master] automatic update

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7f6af1c1 by security tracker role at 2023-11-28T20:13:45+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,46 @@
-CVE-2023-46589 [HTTP request smuggling via malformed trailer headers]
+CVE-2023-6359 (A Cross-Site Scripting (XSS) vulnerability has been found in 
Alumne LM ...)
+   TODO: check
+CVE-2023-6239 (Improperly calculated effective permissions in M-Files Server 
versions ...)
+   TODO: check
+CVE-2023-6201 (Improper Neutralization of Special Elements used in an OS 
Command ('OS ...)
+   TODO: check
+CVE-2023-6151 (Improper Privilege Management vulnerability in ESKOM Computer 
e-munici ...)
+   TODO: check
+CVE-2023-6150 (Improper Privilege Management vulnerability in ESKOM Computer 
e-munici ...)
+   TODO: check
+CVE-2023-49314 (Asana Desktop 2.1.0 on macOS allows code injection because of 
specific ...)
+   TODO: check
+CVE-2023-49313 (A dylib injection vulnerability in XMachOViewer 0.04 allows 
attackers  ...)
+   TODO: check
+CVE-2023-49078 (raptor-web is a CMS for game server communities that can be 
used to ho ...)
+   TODO: check
+CVE-2023-49062 (Katran could disclose non-initialized kernel memory as part of 
an IP h ...)
+   TODO: check
+CVE-2023-48848 (An arbitrary file read vulnerability in ureport v2.2.9 allows 
a remote ...)
+   TODO: check
+CVE-2023-48121 (An authentication bypass vulnerability in the Direct 
Connection Module ...)
+   TODO: check
+CVE-2023-48042 (Amazzing Filter for Prestashop through 3.2.2 is vulnerable to 
Cross-Si ...)
+   TODO: check
+CVE-2023-45539 (HAProxy before 2.8.2 accepts # as part of the URI component, 
which mig ...)
+   TODO: check
+CVE-2023-45286 (A race condition in go-resty can result in HTTP request body 
disclosur ...)
+   TODO: check
+CVE-2023-42505 (An authenticated user with read permissions on database 
connections me ...)
+   TODO: check
+CVE-2023-42504 (An authenticated malicious user could initiate multiple 
concurrent req ...)
+   TODO: check
+CVE-2023-42502 (An authenticated attacker with update datasets permission 
could change ...)
+   TODO: check
+CVE-2023-42004 (IBM Security Guardium 11.3, 11.4, and 11.5 is potentially 
vulnerable t ...)
+   TODO: check
+CVE-2023-41264 (Netwrix Usercube before 6.0.215, in certain misconfigured 
on-premises  ...)
+   TODO: check
+CVE-2023-40056 (SQL Injection Remote Code Vulnerability was found in the 
SolarWinds Pl ...)
+   TODO: check
+CVE-2023-34055 (In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 
3.1.0-3.1.5,  ...)
+   TODO: check
+CVE-2023-46589 (Improper Input Validation vulnerability in Apache 
Tomcat.Tomcat from 1 ...)
- tomcat10 
- tomcat9 9.0.70-2
- tomcat8 
@@ -112,7 +154,7 @@ CVE-2023-32063 (OroCalendarBundle enables a Calendar 
feature and related functio
NOT-FOR-US: OroCalendarBundle
 CVE-2023-32062 (OroPlatform is a package that assists system and user calendar 
managem ...)
NOT-FOR-US: OroPlatform
-CVE-2023-6329 ([PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on 
[PLATF ...)
+CVE-2023-6329 (An authentication bypass vulnerability exists in Control iD 
iDSecure v ...)
NOT-FOR-US: Control iD iDSecure
 CVE-2023-6287 (Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance 
before ...)
- check-mk 
@@ -1083,7 +1125,7 @@ CVE-2023-48017 (Dreamer_cms 4.1.3 is vulnerable to Cross 
Site Request Forgery (C
NOT-FOR-US: Dreamer CMS
 CVE-2023-46745 (LibreNMS is an auto-discovering PHP/MySQL/SNMP based network 
monitorin ...)
NOT-FOR-US: LibreNMS
-CVE-2023-46402 (git-urls version 1.0.1 is vulnerable to ReDOS (Regular 
Expression Deni ...)
+CVE-2023-46402 (git-urls 1.0.0 allows ReDOS (Regular Expression Denial of 
Service) in  ...)
NOT-FOR-US: git-urls
 CVE-2023-44796 (Cross Site Scripting (XSS) vulnerability in LimeSurvey before 
version  ...)
- limesurvey  (bug #472802)
@@ -1615,7 +1657,7 @@ CVE-2023-5985 (A CWE-79 Improper Neutralization of Input 
During Web Page Generat
NOT-FOR-US: Schneider Electric
 CVE-2023-5984 (A CWE-494 Download of Code Without Integrity Check 
vulnerability exist ...)
NOT-FOR-US: Schneider Electric
-CVE-2023-5981 [ttiming side-channel inside RSA-PSK key exchange]
+CVE-2023-5981 (A vulnerability was found that the response times to malformed 
ciphert ...)
{DLA-3660-1}
- gnutls28  (bug #1056188)
[bookworm] - gnutls28  (Minor issue; can be fixed via point 
release)
@@ -8361,7 +8403,7 @@ CVE-2023-45360 (An issue was discovered in MediaWiki 
before 1.35.12, 1.36.x thro
[buster] - mediawiki  (Minor issue: prior to 1.32 any sysop 
could edit sitewide CSS/JS anyway)
NOTE: 

[Git][security-tracker-team/security-tracker][master] Document status for ldap-account-manager and phpseclib variants

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2dc47976 by Salvatore Bonaccorso at 2023-11-28T20:51:54+01:00
Document status for ldap-account-manager and phpseclib variants

- - - - -


1 changed file:

- data/embedded-code-copies


Changes:

=
data/embedded-code-copies
=
@@ -3071,9 +3071,12 @@ tzdata
 phpseclib
- collabtive 2.0+dfsg-6 (embed; bug #781414)
- spotweb  (embed; bug #781420)
-   - ldap-account-manager  (embed; bug #781419)
+   - ldap-account-manager 6.6-1 (embed; bug #781419)
- icinga-web  (embed; bug #781415)
 
+php-phpseclib3
+   - ldap-account-manager  (embed; bug #1057036)
+
 doctrine
- icinga-web  (embed; bug #781415)
 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dc47976274d9ea64f116033f0966c45d32880dd



[Git][security-tracker-team/security-tracker][master] Mark gtkpod as removed from unstable

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d1ee7834 by Salvatore Bonaccorso at 2023-11-28T20:43:56+01:00
Mark gtkpod as removed from unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -165669,7 +165669,7 @@ CVE-2021-37231 (A stack-buffer-overflow occurs in 
Atomicparsley 20210124.204813.
[bullseye] - atomicparsley  (Minor issue)
[buster] - atomicparsley  (Minor issue)
[stretch] - atomicparsley  (Minor issue)
-   - gtkpod  (bug #993375)
+   - gtkpod  (bug #993375)
[bookworm] - gtkpod  (Minor issue)
[bullseye] - gtkpod  (Minor issue)
[buster] - gtkpod  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1ee7834783c85a9bc7abcc98b5d472952b58ea5



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3672-1 for postgresql-multicorn

2023-11-28 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
63978e84 by Bastien Roucariès at 2023-11-28T16:41:53+00:00
Reserve DLA-3672-1 for postgresql-multicorn

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[28 Nov 2023] DLA-3672-1 postgresql-multicorn - security update
+   [buster] - postgresql-multicorn 1.3.4-4+deb10u1
 [28 Nov 2023] DLA-3671-1 mediawiki - security update
{CVE-2023-3550 CVE-2023-45362 CVE-2023-45363}
[buster] - mediawiki 1:1.31.16-1+deb10u7
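
Review bot: the new DLA-3672-1 entry has no `{CVE-...}` line, unlike the DLA-3671-1 entry directly below it, so nothing in data/DLA/list ties this update to a tracked issue. If the upload addresses no CVE, say so in the commit message; otherwise add the identifier list between the header line and the `[buster]` line.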


=
data/dla-needed.txt
=
@@ -153,10 +153,6 @@ osslsigncode
   NOTE: 20230925: Added by Front-Desk (apo)
   NOTE: 20230925: Maybe a new upstream release should just do the trick here.
 --
-postgresql-multicorn (rouca)
-  NOTE: 20231108: Added by Front-Desk (santiago)
-  NOTE: 20231108: Need to handle incompatibilities with versions in debian 
packages, brought up by PEP 440. See 
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70
---
 python-django (Chris Lamb)
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists 
(Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63978e84995998fb881bcc3998bd86e51e28f341



[Git][security-tracker-team/security-tracker][master] CVE-2023-46589: Add references to upstream commits

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c643ad2b by Salvatore Bonaccorso at 2023-11-28T17:30:29+01:00
CVE-2023-46589: Add references to upstream commits

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,6 +3,8 @@ CVE-2023-46589 [HTTP request smuggling via malformed trailer 
headers]
- tomcat9 9.0.70-2
- tomcat8 
NOTE: https://www.openwall.com/lists/oss-security/2023/11/28/2
+   NOTE: 
https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08
 (10.1.16)
+   NOTE: 
https://github.com/apache/tomcat/commit/7a2d8818fcea0b51747a67af9510ce7977245ebd
 (9.0.83)
NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, 
using that as the fixed version
 CVE-2024-0070
REJECTED
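
Review bot: the two added NOTE lines cover the 10.1.16 and 9.0.83 commits only, while the entry also tracks tomcat8. Add the reference for the branch tomcat8 follows, or a NOTE stating that no such commit applies, so the tomcat8 line can be triaged from the entry alone. Prefixing the references with `Fixed by:`, as the CVE-2023-49316 entry in this file does, would also make their role explicit.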



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c643ad2bcb7ff07cd8fe82d763a131455de2b98a



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-46589/tomcat

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e9fd05e8 by Salvatore Bonaccorso at 2023-11-28T17:21:04+01:00
Add CVE-2023-46589/tomcat

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2023-46589 [HTTP request smuggling via malformed trailer headers]
+   - tomcat10 
+   - tomcat9 9.0.70-2
+   - tomcat8 
+   NOTE: https://www.openwall.com/lists/oss-security/2023/11/28/2
+   NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, 
using that as the fixed version
 CVE-2024-0070
REJECTED
 CVE-2024-0069
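
Review bot: the tomcat9 line takes 9.0.70-2 as the fixed version because of a packaging change, not a code fix, and the NOTE does not say whether the source package still builds anything that contains the affected trailer-header parsing. State that assumption in the NOTE, so that a later reader does not take 9.0.70-2 for a version carrying the upstream patch.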



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9fd05e8c38874e3c09c6bc3cc63343afacbcf65



[Git][security-tracker-team/security-tracker][master] php-phpseclib3 spu

2023-11-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f75b9e8 by Moritz Muehlenhoff at 2023-11-28T17:00:55+01:00
php-phpseclib3 spu

- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=
data/CVE/list
=
@@ -167,6 +167,7 @@ CVE-2023-4252 (The EventPrime WordPress plugin through 
3.2.9 specifies the price
NOT-FOR-US: WordPress plugin
 CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, 
excessively large  ...)
- php-phpseclib3 3.0.34-1 (bug #1057008)
+   [bookworm] - php-phpseclib3  (Minor issue)
NOTE: Fixed by: 
https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f
 (3.0.34)
TODO: check if affecting ldap-account-manager or unused path
 CVE-2023-49047 (Tenda AX1803 v1.0.0.1 contains a stack overflow via the 
devName parame ...)
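
Review bot: the added `[bookworm]` line triages CVE-2023-49316 as a minor issue while the `TODO: check if affecting ldap-account-manager or unused path` line in the same entry is still open. Resolve or update the TODO in the same change, since its outcome decides whether a second package needs its own line.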


=
data/next-point-update.txt
=
@@ -93,3 +93,5 @@ CVE-2023-47471
[bookworm] - libde265 1.0.11-1+deb12u1
 CVE-2023-49208
[bookworm] - glewlwyd 2.7.5-3+deb12u1
+CVE-2023-49316
+   [bookworm] - php-phpseclib3 3.0.19-1+deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f75b9e80d8a07e46e165b3c447e961d6d7e10b8



[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

2023-11-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9afdec9f by Moritz Muehlenhoff at 2023-11-28T16:59:29+01:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/next-oldstable-point-update.txt


Changes:

=
data/CVE/list
=
@@ -7320,6 +7320,8 @@ CVE-2023-5554 (Lack of TLS certificate verification in 
log transmission of a fin
NOT-FOR-US: LINE
 CVE-2023-5072 (Denial of Service  in JSON-Java versions up to and including 
20230618. ...)
- libjson-java  (bug #1053882)
+   [bookworm] - libjson-java  (Minor issue)
+   [bullseye] - libjson-java  (Minor issue)
[buster] - libjson-java  (Minor issue)
- jenkins-json  (bug #1053883)
[bookworm] - jenkins-json  (Minor issue)
@@ -71351,9 +71353,13 @@ CVE-2022-44012 (An issue was discovered in 
/DS/LM_API/api/SelectionService/Inser
NOT-FOR-US: Simmeth Lieferantenmanager
 CVE-2022-44011 (An issue was discovered in ClickHouse before 22.9.1.2603. An 
authentic ...)
- clickhouse 
+   [bookworm] - clickhouse  (Minor issue)
+   [bullseye] - clickhouse  (Minor issue)
NOTE: https://github.com/ClickHouse/ClickHouse/pull/40241
 CVE-2022-44010 (An issue was discovered in ClickHouse before 22.9.1.2603. An 
attacker  ...)
- clickhouse 
+   [bookworm] - clickhouse  (Minor issue)
+   [bullseye] - clickhouse  (Minor issue)
NOTE: https://github.com/ClickHouse/ClickHouse/pull/40292
 CVE-2022-44009 (Improper access control in Key-Value RBAC in StackStorm 
version 3.7.0  ...)
NOT-FOR-US: StackStorm


=
data/next-oldstable-point-update.txt
=
@@ -100,4 +100,3 @@ CVE-2023-43887
[bullseye] - libde265 1.0.11-0+deb11u2
 CVE-2023-47471
[bullseye] - libde265 1.0.11-0+deb11u2
-CVE-2022-27240
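
Review bot: removing `CVE-2022-27240` from data/next-oldstable-point-update.txt is not covered by the commit message, which only mentions triage. The removed line is the last one in the file and has no `[bullseye]` package line under it in this hunk, so it looks like a leftover header; say that in the commit message, or split the cleanup into its own commit.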



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9afdec9f7f782cfd87ba68516b73cb4f3910a5ac



[Git][security-tracker-team/security-tracker][master] dla: add bouncycastle note

2023-11-28 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6ba47008 by Sylvain Beucler at 2023-11-28T15:42:20+01:00
dla: add bouncycastle note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -32,6 +32,7 @@ bind9 (Thorsten Alteholz)
 bouncycastle (Markus Koschany)
   NOTE: 20231127: Added by Front-Desk (Beuc)
   NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 
was fixed in stretch-lts (Beuc/front-desk)
+  NOTE: 20231128: I can't find changes in PEMParser.java related to 
CVE-2023-33202, maybe contact upstream (Beuc/front-desk)
 --
 cacti (Sylvain Beucler)
   NOTE: 20230906: Added by Front-Desk (lamby)
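
Review bot: the added NOTE records that no PEMParser.java change was found for CVE-2023-33202 but not which upstream versions or tags were compared. Add the range that was checked, so whoever contacts upstream or picks up the package does not have to repeat the search.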



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ba470087b73649dd30d5784bf0e7879d68f51c7



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3671-1 for mediawiki

2023-11-28 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ead906b by Guilhem Moulin at 2023-11-28T12:20:18+01:00
Reserve DLA-3671-1 for mediawiki

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -10873,7 +10873,6 @@ CVE-2023-3664 (The FileOrganizer WordPress plugin 
through 1.0.2 does not restric
 CVE-2023-3550 (Mediawiki v1.40.0 does not validate namespaces used in XML 
files.  The ...)
{DSA-5520-1}
- mediawiki 1:1.39.5-1
-   [buster] - mediawiki  (Wait until it lands in 1.35)
NOTE: https://phabricator.wikimedia.org/T341565
 CVE-2023-3547 (The All in One B2B for WooCommerce WordPress plugin through 
1.0.3 does ...)
NOT-FOR-US: WordPress plugin


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Nov 2023] DLA-3671-1 mediawiki - security update
+   {CVE-2023-3550 CVE-2023-45362 CVE-2023-45363}
+   [buster] - mediawiki 1:1.31.16-1+deb10u7
 [28 Nov 2023] DLA-3670-1 minizip - security update
{CVE-2023-45853}
[buster] - minizip 1.1-8+deb10u1
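
Review bot: the DLA-3671-1 entry lists CVE-2023-3550, CVE-2023-45362 and CVE-2023-45363, but the data/CVE/list hunk in this commit only touches the CVE-2023-3550 entry. Check that the other two entries carry no leftover `[buster]` line that would contradict the 1:1.31.16-1+deb10u7 fix recorded here.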


=
data/dla-needed.txt
=
@@ -117,9 +117,6 @@ linux (Ben Hutchings)
 linux-5.10
   NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)
 --
-mediawiki (guilhem)
-  NOTE: 20231011: Added by Front-Desk (ta)
---
 netatalk (gladk)
   NOTE: 20231119: Added by Front-Desk (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ead906bcaf3b0ef8b888dd18994dd4199c11997



[Git][security-tracker-team/security-tracker][master] Process some additional NFUs

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e6a11634 by Salvatore Bonaccorso at 2023-11-28T09:33:35+01:00
Process some additional NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21,23 +21,23 @@ CVE-2023-5650 (An improper privilege management 
vulnerability in the ZySH of the
 CVE-2023-4667 (The web interface of the PAC Device allows the device 
administrator us ...)
TODO: check
 CVE-2023-4398 (An integer overflow vulnerability in the source code of the 
QuickSec I ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2023-4397 (A buffer overflow vulnerability in the Zyxel ATP series 
firmware versi ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2023-4226 (Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in 
Chamilo  ...)
-   TODO: check
+   NOT-FOR-US: Chamilo LMS
 CVE-2023-4225 (Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` 
in Cham ...)
-   TODO: check
+   NOT-FOR-US: Chamilo LMS
 CVE-2023-4224 (Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` 
in Chami ...)
-   TODO: check
+   NOT-FOR-US: Chamilo LMS
 CVE-2023-4223 (Unrestricted file upload in `/main/inc/ajax/document.ajax.php` 
in Cham ...)
-   TODO: check
+   NOT-FOR-US: Chamilo LMS
 CVE-2023-4222 (Command injection in 
`main/lp/openoffice_text_document.class.php` in C ...)
-   TODO: check
+   NOT-FOR-US: Chamilo LMS
 CVE-2023-4221 (Command injection in 
`main/lp/openoffice_presentation.class.php` in Ch ...)
-   TODO: check
+   NOT-FOR-US: Chamilo LMS
 CVE-2023-4220 (Unrestricted file upload in big file upload functionality in 
`/main/in ...)
-   TODO: check
+   NOT-FOR-US: Chamilo LMS
 CVE-2023-49145 (Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON 
Process ...)
NOT-FOR-US: Apache NiFi
 CVE-2023-49075 (The Admin Classic Bundle provides a Backend UI for Pimcore. 
`AdminBund ...)
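
Review bot: CVE-2023-4398 is closed as `NOT-FOR-US: Zyxel`, but its description places the integer overflow in the source code of QuickSec, a component name rather than a Zyxel product. Confirm that component is not packaged before closing the entry, and name it in the label so a later search for it finds this CVE.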
@@ -51,21 +51,21 @@ CVE-2023-48713 (Knative Serving builds on Kubernetes to 
support deploying and se
 CVE-2023-48188 (SQL injection vulnerability in PrestaShop opartdevis v.4.5.18 
thru v.4 ...)
NOT-FOR-US: PrestaShop opartdevis
 CVE-2023-48034 (An issue discovered in Acer Wireless Keyboard SK-9662 allows 
attacker  ...)
-   TODO: check
+   NOT-FOR-US: Acer
 CVE-2023-48023 (Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the 
vendor' ...)
-   TODO: check
+   NOT-FOR-US: Anyscale Ray
 CVE-2023-48022 (Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to 
execute arbit ...)
-   TODO: check
+   NOT-FOR-US: Anyscale Ray
 CVE-2023-47503 (An issue in jflyfox jfinalCMS v.5.1.0 allows a remote attacker 
to exec ...)
-   TODO: check
+   NOT-FOR-US: jflyfox jfinalCMS
 CVE-2023-47437 (A vulnerability has been identified in Pachno 1.0.6 allowing 
an authen ...)
TODO: check
 CVE-2023-46480 (An issue in OwnCast v.0.1.1 allows a remote attacker to 
execute arbitr ...)
TODO: check
 CVE-2023-46355 (In the module "CSV Feeds PRO" (csvfeeds) < 2.6.1 from Bl 
Modules for P ...)
-   TODO: check
+   NOT-FOR-US: PrestaShop module
 CVE-2023-46349 (In the module "Product Catalog (CSV, Excel) Export/Update" 
(updateprod ...)
-   TODO: check
+   NOT-FOR-US: PrestaShop module
 CVE-2023-42366 (A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in 
the next_ ...)
- busybox 
NOTE: https://bugs.busybox.net/show_bug.cgi?id=15874
@@ -79,31 +79,31 @@ CVE-2023-42363 (A use-after-free vulnerability was 
discovered in xasprintf funct
- busybox 
NOTE: https://bugs.busybox.net/show_bug.cgi?id=15865
 CVE-2023-3545 (Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in 
Chamilo  ...)
-   TODO: check
+   NOT-FOR-US: Chamilo LMS
 CVE-2023-3533 (Path traversal in file upload functionality in 
`/main/webservices/addi ...)
-   TODO: check
+   NOT-FOR-US: Chamilo LMS
 CVE-2023-3368 (Command injection in 
`/main/webservices/additional_webservices.php` in ...)
-   TODO: check
+   NOT-FOR-US: Chamilo LMS
 CVE-2023-37926 (A buffer overflow vulnerability in the Zyxel ATP series 
firmware versi ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2023-37925 (An improper privilege management vulnerability in the debug 
CLI comman ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2023-35139 (A cross-site scripting (XSS) vulnerability in the CGI program 
of the Z ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2023-35136 (An improper input validation vulnerability in the 
\u201cQuagga\u201d p ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2023-34054 (In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 
and versi ...)
TODO: check
 CVE-2023-34053 (In Spring Framework versions 6.0.0 - 6.0.13, it is possible 
for a user ...)
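
Review bot: CVE-2023-35136 is closed as `NOT-FOR-US: Zyxel` although its description names Quagga, which is upstream software rather than a Zyxel product. Confirm the flaw sits in the Zyxel integration and not in upstream Quagga code before closing it, and record that in a NOTE.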

[Git][security-tracker-team/security-tracker][master] Add new busybox issues (need further triage)

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
27a8d663 by Salvatore Bonaccorso at 2023-11-28T09:32:36+01:00
Add new busybox issues (need further triage)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -67,13 +67,17 @@ CVE-2023-46355 (In the module "CSV Feeds PRO" (csvfeeds) < 
2.6.1 from Bl Modules
 CVE-2023-46349 (In the module "Product Catalog (CSV, Excel) Export/Update" 
(updateprod ...)
TODO: check
 CVE-2023-42366 (A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in 
the next_ ...)
-   TODO: check
+   - busybox 
+   NOTE: https://bugs.busybox.net/show_bug.cgi?id=15874
 CVE-2023-42365 (A use-after-free vulnerability was discovered in BusyBox 
v.1.36.1 via  ...)
-   TODO: check
+   - busybox 
+   NOTE: https://bugs.busybox.net/show_bug.cgi?id=15871
 CVE-2023-42364 (A use-after-free vulnerability in BusyBox v.1.36.1 allows 
attackers to ...)
-   TODO: check
+   - busybox 
+   NOTE: https://bugs.busybox.net/show_bug.cgi?id=15868
 CVE-2023-42363 (A use-after-free vulnerability was discovered in xasprintf 
function in ...)
-   TODO: check
+   - busybox 
+   NOTE: https://bugs.busybox.net/show_bug.cgi?id=15865
 CVE-2023-3545 (Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in 
Chamilo  ...)
TODO: check
 CVE-2023-3533 (Path traversal in file upload functionality in 
`/main/webservices/addi ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27a8d66313905b240bd23867073a0718a7011bef



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
28b0c12d by Salvatore Bonaccorso at 2023-11-28T09:27:07+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,21 +3,21 @@ CVE-2024-0070
 CVE-2024-0069
REJECTED
 CVE-2023-6226 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for 
WordPre ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6225 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for 
WordPre ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6219 (The BookingPress plugin for WordPress is vulnerable to 
arbitrary file  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5960 (An improper privilege management vulnerability in the hotspot 
feature  ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2023-5885 (The discontinued FFS Colibri product allows a remote user to 
access fi ...)
TODO: check
 CVE-2023-5797 (An improper privilege management vulnerability in the debug CLI 
comman ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2023-5773
REJECTED
 CVE-2023-5650 (An improper privilege management vulnerability in the ZySH of 
the Zyxe ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2023-4667 (The web interface of the PAC Device allows the device 
administrator us ...)
TODO: check
 CVE-2023-4398 (An integer overflow vulnerability in the source code of the 
QuickSec I ...)
@@ -39,17 +39,17 @@ CVE-2023-4221 (Command injection in 
`main/lp/openoffice_presentation.class.php`
 CVE-2023-4220 (Unrestricted file upload in big file upload functionality in 
`/main/in ...)
TODO: check
 CVE-2023-49145 (Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON 
Process ...)
-   TODO: check
+   NOT-FOR-US: Apache NiFi
 CVE-2023-49075 (The Admin Classic Bundle provides a Backend UI for Pimcore. 
`AdminBund ...)
-   TODO: check
+   NOT-FOR-US: Admin Classic Bundle for Pimcore
 CVE-2023-49044 (Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows 
a remote ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2023-49030 (SQL Injection vulnerability in32ns KLive v.2019-1-19 and 
before allows ...)
-   TODO: check
+   NOT-FOR-US: in32ns KLive
 CVE-2023-48713 (Knative Serving builds on Kubernetes to support deploying and 
serving  ...)
TODO: check
 CVE-2023-48188 (SQL injection vulnerability in PrestaShop opartdevis v.4.5.18 
thru v.4 ...)
-   TODO: check
+   NOT-FOR-US: PrestaShop opartdevis
 CVE-2023-48034 (An issue discovered in Acer Wireless Keyboard SK-9662 allows 
attacker  ...)
TODO: check
 CVE-2023-48023 (Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the 
vendor' ...)
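
Review bot: the label `NOT-FOR-US: in32ns KLive` copies the product name from the CVE-2023-49030 description, which reads "vulnerability in32ns KLive" and looks like it is missing a space after "in". Check the vendor name against the CVE record before committing it, so the label does not carry the typo forward.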



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28b0c12dddb2c68309e86b108e3f69ad9994a252



[Git][security-tracker-team/security-tracker][master] automatic update

2023-11-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
94a863e9 by security tracker role at 2023-11-28T08:21:09+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,105 @@
+CVE-2024-0070
+   REJECTED
+CVE-2024-0069
+   REJECTED
+CVE-2023-6226 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for 
WordPre ...)
+   TODO: check
+CVE-2023-6225 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for 
WordPre ...)
+   TODO: check
+CVE-2023-6219 (The BookingPress plugin for WordPress is vulnerable to 
arbitrary file  ...)
+   TODO: check
+CVE-2023-5960 (An improper privilege management vulnerability in the hotspot 
feature  ...)
+   TODO: check
+CVE-2023-5885 (The discontinued FFS Colibri product allows a remote user to 
access fi ...)
+   TODO: check
+CVE-2023-5797 (An improper privilege management vulnerability in the debug CLI 
comman ...)
+   TODO: check
+CVE-2023-5773
+   REJECTED
+CVE-2023-5650 (An improper privilege management vulnerability in the ZySH of 
the Zyxe ...)
+   TODO: check
+CVE-2023-4667 (The web interface of the PAC Device allows the device 
administrator us ...)
+   TODO: check
+CVE-2023-4398 (An integer overflow vulnerability in the source code of the 
QuickSec I ...)
+   TODO: check
+CVE-2023-4397 (A buffer overflow vulnerability in the Zyxel ATP series 
firmware versi ...)
+   TODO: check
+CVE-2023-4226 (Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in 
Chamilo  ...)
+   TODO: check
+CVE-2023-4225 (Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` 
in Cham ...)
+   TODO: check
+CVE-2023-4224 (Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` 
in Chami ...)
+   TODO: check
+CVE-2023-4223 (Unrestricted file upload in `/main/inc/ajax/document.ajax.php` 
in Cham ...)
+   TODO: check
+CVE-2023-4222 (Command injection in 
`main/lp/openoffice_text_document.class.php` in C ...)
+   TODO: check
+CVE-2023-4221 (Command injection in 
`main/lp/openoffice_presentation.class.php` in Ch ...)
+   TODO: check
+CVE-2023-4220 (Unrestricted file upload in big file upload functionality in 
`/main/in ...)
+   TODO: check
+CVE-2023-49145 (Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON 
Process ...)
+   TODO: check
+CVE-2023-49075 (The Admin Classic Bundle provides a Backend UI for Pimcore. 
`AdminBund ...)
+   TODO: check
+CVE-2023-49044 (Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows 
a remote ...)
+   TODO: check
+CVE-2023-49030 (SQL Injection vulnerability in32ns KLive v.2019-1-19 and 
before allows ...)
+   TODO: check
+CVE-2023-48713 (Knative Serving builds on Kubernetes to support deploying and 
serving  ...)
+   TODO: check
+CVE-2023-48188 (SQL injection vulnerability in PrestaShop opartdevis v.4.5.18 
thru v.4 ...)
+   TODO: check
+CVE-2023-48034 (An issue discovered in Acer Wireless Keyboard SK-9662 allows 
attacker  ...)
+   TODO: check
+CVE-2023-48023 (Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the 
vendor' ...)
+   TODO: check
+CVE-2023-48022 (Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to 
execute arbit ...)
+   TODO: check
+CVE-2023-47503 (An issue in jflyfox jfinalCMS v.5.1.0 allows a remote attacker 
to exec ...)
+   TODO: check
+CVE-2023-47437 (A vulnerability has been identified in Pachno 1.0.6 allowing 
an authen ...)
+   TODO: check
+CVE-2023-46480 (An issue in OwnCast v.0.1.1 allows a remote attacker to 
execute arbitr ...)
+   TODO: check
+CVE-2023-46355 (In the module "CSV Feeds PRO" (csvfeeds) < 2.6.1 from Bl 
Modules for P ...)
+   TODO: check
+CVE-2023-46349 (In the module "Product Catalog (CSV, Excel) Export/Update" 
(updateprod ...)
+   TODO: check
+CVE-2023-42366 (A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in 
the next_ ...)
+   TODO: check
+CVE-2023-42365 (A use-after-free vulnerability was discovered in BusyBox 
v.1.36.1 via  ...)
+   TODO: check
+CVE-2023-42364 (A use-after-free vulnerability in BusyBox v.1.36.1 allows 
attackers to ...)
+   TODO: check
+CVE-2023-42363 (A use-after-free vulnerability was discovered in xasprintf 
function in ...)
+   TODO: check
+CVE-2023-3545 (Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in 
Chamilo  ...)
+   TODO: check
+CVE-2023-3533 (Path traversal in file upload functionality in 
`/main/webservices/addi ...)
+   TODO: check
+CVE-2023-3368 (Command injection in 
`/main/webservices/additional_webservices.php` in ...)
+   TODO: check
+CVE-2023-37926 (A buffer overflow vulnerability in the Zyxel ATP series 
firmware versi ...)
+   TODO: check
+CVE-2023-37925 (An improper privilege management vulnerability in the debug 
CLI comman ...)
+   TODO: check
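
Review bot: the imported descriptions for CVE-2023-6226 and CVE-2023-6225 contain the literal escape sequence `\u2014` instead of the character it encodes. The import step should decode `\uXXXX` escapes before writing the description into data/CVE/list.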

[Git][security-tracker-team/security-tracker][master] php-phpseclib3 fixed in sid

2023-11-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
545ef814 by Moritz Muehlenhoff at 2023-11-28T09:11:29+01:00
php-phpseclib3 fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -60,7 +60,7 @@ CVE-2023-4297 (The Mmm Simple File List WordPress plugin 
through 2.3 does not va
 CVE-2023-4252 (The EventPrime WordPress plugin through 3.2.9 specifies the 
price of a ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, 
excessively large  ...)
-   - php-phpseclib3  (bug #1057008)
+   - php-phpseclib3 3.0.34-1 (bug #1057008)
NOTE: Fixed by: 
https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f
 (3.0.34)
TODO: check if affecting ldap-account-manager or unused path
 CVE-2023-49047 (Tenda AX1803 v1.0.0.1 contains a stack overflow via the 
devName parame ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/545ef8142d42957d2f7f45b89aa65cf52d10a2b2
