[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2023-7008/systemd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f069bff1 by Salvatore Bonaccorso at 2023-12-22T08:32:19+01:00 Add reference for CVE-2023-7008/systemd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -249,6 +249,7 @@ CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC= [bullseye] - systemd (Minor issue) [buster] - systemd (Minor issue, should be fixed after newer releases are done) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=672 + NOTE: https://github.com/systemd/systemd/issues/25676 CVE-2023-6912 (Lack of protection against brute force attacks in M-Files Server befor ...) NOT-FOR-US: M-Files Server CVE-2023-6910 (A vulnerable API method in M-Files Server before 23.12.13195.0 allows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f069bff1f6b4c851bfa0708ba403bb9182863166 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f069bff1f6b4c851bfa0708ba403bb9182863166 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
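Review bot: the existing NOTE https://bugzilla.redhat.com/show_bug.cgi?id=672 in this block has a three-digit bug id, which looks truncated for a 2023 Red Hat Bugzilla report; since this change touches the same entry, verify and restore the full id in the same commit. The added https://github.com/systemd/systemd/issues/25676 reference is the right pointer for the DNSSEC= behaviour named in the title.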
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-42465/sudo
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d69caa2 by Salvatore Bonaccorso at 2023-12-22T07:30:53+01:00 Add CVE-2023-42465/sudo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-42465 [Targeted Corruption of Register and Stack Variables] + - sudo 1.9.15p2-2 + NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/9 + NOTE: https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f (SUDO_1_9_15p1) CVE-2023-7047 (Inadequate validation of permissions when employing remote tools and ...) NOT-FOR-US: Devolutions CVE-2023-7042 (A null pointer dereference vulnerability was found in ath10k_wmi_tlv_o ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d69caa2e78c827787e7f394218af60834bf4337 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d69caa2e78c827787e7f394218af60834bf4337 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
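Review bot: no suite status is recorded for bookworm, bullseye or buster, so all three will show as affected against the 1.9.15p2-2 fix until triaged; add [bookworm]/[bullseye]/[buster] lines, or a NOTE that triage is pending, as the cpio and qemu entries in this series do. The referenced upstream commit is tagged (SUDO_1_9_15p1) while the fix is recorded against 1.9.15p2-2; if an earlier Debian upload already carried the p1 fix, the fixed version should be lowered accordingly.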
[Git][security-tracker-team/security-tracker][master] Update status for cpio issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 75d75bfc by Salvatore Bonaccorso at 2023-12-22T07:26:32+01:00 Update status for cpio issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -514986,6 +514986,9 @@ CVE-2015-1030 (Memory leak in the rfc2553_connect_to function in jbsocket.c in P NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/cgisimple.c?view=patch=1.130=1.131=v_3_0_22 CVE-2023- [Path traversal vulnerability due to partial revert of fix for CVE-2015-1197] - cpio (bug #1059163) + [bookworm] - cpio (Minor issue) + [bullseye] - cpio (Minor issue) + [buster] - cpio (Partial CVE-2015-1197 patch revert not applied) NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/8 CVE-2015-1197 (cpio 2.11, when using the --no-absolute-filenames option, allows local ...) - cpio 2.11+dfsg-4.1 (low; bug #774669) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/75d75bfcc207215d6dfb10679be831fba9f00659 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/75d75bfcc207215d6dfb10679be831fba9f00659 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
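Review bot: the buster reason 'Partial CVE-2015-1197 patch revert not applied' describes a not-affected state, yet the line has the same shape as the bookworm and bullseye 'Minor issue' lines; mark buster as not affected explicitly so the three lines are not read as one status with three wordings. Unrelated to this change but visible in the context, the NOTE URL ending in 'cgisimple.c?view=patch=1.130=1.131=v_3_0_22' has lost its query-string separators and parameter names and will not resolve as written.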
[Git][security-tracker-team/security-tracker][master] mark CVE-2023-7008 as postponed
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 37ac1784 by Thorsten Alteholz at 2023-12-22T01:02:02+01:00 mark CVE-2023-7008 as postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -243,6 +243,7 @@ CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC= - systemd [bookworm] - systemd (Minor issue) [bullseye] - systemd (Minor issue) + [buster] - systemd (Minor issue, should be fixed after newer releases are done) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=672 CVE-2023-6912 (Lack of protection against brute force attacks in M-Files Server befor ...) NOT-FOR-US: M-Files Server View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37ac1784e5dcf5c90265d20cf5ec33c17dfb5884 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37ac1784e5dcf5c90265d20cf5ec33c17dfb5884 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-47118/clickhouse
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 148bc377 by Salvatore Bonaccorso at 2023-12-21T22:46:31+01:00 Add CVE-2023-47118/clickhouse - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -315,7 +315,8 @@ CVE-2023-47507 (Deserialization of Untrusted Data vulnerability in Master Slider CVE-2023-47236 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-47118 (ClickHouse\xae is an open-source column-oriented database management s ...) - TODO: check + - clickhouse + NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v CVE-2023-46311 (Authorization Bypass Through User-Controlled Key vulnerability in gVec ...) NOT-FOR-US: WordPress plugin CVE-2023-46149 (Unrestricted Upload of File with Dangerous Type vulnerability in Themi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/148bc3779b436905b9fb5aa29d237afb9d768c84 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/148bc3779b436905b9fb5aa29d237afb9d768c84 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
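Review bot: '- clickhouse' replaces the TODO with neither a fixed version nor a Debian bug reference, so the package is tracked as affected in every suite with nothing pointing at an upload or a bug; add a bug number, as the rust-unsafe-libyaml entry in this series does with bug #1059234, and suite lines once the severity is assessed. The imported description also contains the literal escape '\xae' ('ClickHouse\xae') where the registered-trademark character belongs, which the importer should decode.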
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e50f87b8 by Salvatore Bonaccorso at 2023-12-21T22:43:39+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32,11 +32,11 @@ CVE-2023-5989 (Improper Neutralization of Input During Web Page Generation ('Cro CVE-2023-5988 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: LioXERP CVE-2023-5594 (Improper validation of the server\u2019s certificate chain in secure t ...) - TODO: check + NOT-FOR-US: ESET CVE-2023-51655 (In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible ...) - intellij-idea (bug #747616) CVE-2023-51442 (Navidrome is an open source web-based music collection server and stre ...) - TODO: check + NOT-FOR-US: Navidrome CVE-2023-51052 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) NOT-FOR-US: S-CMS CVE-2023-51051 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) 
@@ -78,15 +78,15 @@ CVE-2023-50732 (XWiki Platform is a generic wiki platform offering runtime servi CVE-2023-50724 (Resque (pronounced like "rescue") is a Redis-backed library for creati ...) TODO: check CVE-2023-50481 (An issue was discovered in blinksocks version 3.3.8, allows remote att ...) - TODO: check + NOT-FOR-US: blinksocks CVE-2023-50477 (An issue was discovered in nos client version 0.6.6, allows remote att ...) - TODO: check + NOT-FOR-US: nos client CVE-2023-50475 (An issue was discovered in bcoin-org bcoin version 2.2.0, allows remot ...) - TODO: check + NOT-FOR-US: bcoin-org bcoin CVE-2023-50473 (Cross-Site Scripting (XSS) vulnerability in bill-ahmed qbit-matUI vers ...) - TODO: check + NOT-FOR-US: bill-ahmed qbit-matUI CVE-2023-50377 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50119 REJECTED CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has been id ...) 
@@ -94,71 +94,71 @@ CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has be CVE-2023-4255 (An out-of-bounds write issue has been discovered in the backspace hand ...) TODO: check CVE-2023-49826 (Deserialization of Untrusted Data vulnerability in PenciDesign Soledad ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49778 (Deserialization of Untrusted Data vulnerability in Hakan Demiray Sayfa ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49765 (Authorization Bypass Through User-Controlled Key vulnerability in Blaz ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49762 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49162 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-48288 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-48116 (SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored X ...) - TODO: check + NOT-FOR-US: SmarterTools SmarterMail CVE-2023-48115 (SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored D ...) - TODO: check + NOT-FOR-US: SmarterTools SmarterMail CVE-2023-48114 (SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored X ...) - TODO: check + NOT-FOR-US: SmarterTools SmarterMail CVE-2023-47527 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47525 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47191 (Authorization Bypass Through User-Controlled Key vulnerability in Kain ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-46791 (Online Matrimonial Project v1.0 is vulnerable to multiple Unauthentica ...) 
- TODO: check + NOT-FOR-US: Online Matrimonial Project CVE-2023-45127 (Online Examination System v1.0 is vulnerable to multiple Authenticated ...) - TODO: check + NOT-FOR-US: Online Examination System CVE-2023-45126 (Online Examination System v1.0 is vulnerable to multiple Authenticated ...) - TODO: check + NOT-FOR-US: Online Examination System CVE-2023-45125 (Online Examination System v1.0 is vulnerable to multiple Authenticated ...) - TODO: check + NOT-FOR-US: Online Examination System CVE-2023-45124 (Online
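Review bot: two NOT-FOR-US labels use the GitHub owner/repo form ('bcoin-org bcoin', 'bill-ahmed qbit-matUI') while the rest of the batch uses product names ('blinksocks', 'nos client', 'SmarterTools SmarterMail'); pick one form so each upstream is searchable under a single label. CVE-2023-50724 (Resque) and CVE-2023-4255 remain 'TODO: check' in the middle of the processed run, which is fine if they are intended for separate triage.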
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-51655/intellij-idea, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5fc87edf by Salvatore Bonaccorso at 2023-12-21T22:40:39+01:00 Add CVE-2023-51655/intellij-idea, itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34,7 +34,7 @@ CVE-2023-5988 (Improper Neutralization of Input During Web Page Generation ('Cro CVE-2023-5594 (Improper validation of the server\u2019s certificate chain in secure t ...) TODO: check CVE-2023-51655 (In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible ...) - TODO: check + - intellij-idea (bug #747616) CVE-2023-51442 (Navidrome is an open source web-based music collection server and stre ...) TODO: check CVE-2023-51052 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fc87edf6edaef08c1d0ba4c4c811d5425778376 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fc87edf6edaef08c1d0ba4c4c811d5425778376 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
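Review bot: the commit message says the package is ITP'ed, but the entry line '- intellij-idea (bug #747616)' reads exactly like an unfixed-in-archive entry with a bug reference, so a reader of the list cannot tell that intellij-idea is not yet in Debian; record the ITP state in the entry itself, using the tracker's itp pseudo-version marker in place of a version, rather than only in the commit message.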
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-3019/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 779de98b by Salvatore Bonaccorso at 2023-12-21T22:24:46+01:00 Update information for CVE-2023-3019/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25970,12 +25970,13 @@ CVE-2023-3023 (The WP EasyCart plugin for WordPress is vulnerable to time-based NOT-FOR-US: WP EasyCart plugin for WordPress CVE-2023-3019 (A DMA reentrancy issue leading to a use-after-free error was found in ...) [experimental] - qemu 1:8.1.0+ds-1~exp1 - - qemu (bug #1041102) + - qemu 1:8.2.0+ds-1 (bug #1041102) [bookworm] - qemu (Minor issue, revisit when fixed upstream) [bullseye] - qemu (Minor issue, revisit when fixed upstream) [buster] - qemu (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59243 NOTE: Proposed upstream patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/9050f976e447444ea6ee2ba12c9f77e4b0dc54bc (v8.2.0-rc1) CVE-2023-3011 (The ARMember plugin for WordPress is vulnerable to Cross-Site Request ...) NOT-FOR-US: ARMember plugin for WordPress CVE-2023-37767 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/779de98b3c0fd010f25e3f939a4388c5610097f8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/779de98b3c0fd010f25e3f939a4388c5610097f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
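Review bot: the '[experimental] - qemu 1:8.1.0+ds-1~exp1' line is now stale, since the unstable fix is recorded at the newer 1:8.2.0+ds-1, and the bookworm/bullseye reasons 'revisit when fixed upstream' are outdated now that the 'Fixed by' NOTE names an upstream commit tagged (v8.2.0-rc1); drop the experimental line and reword the suite reasons, or decide on backports, in the same change.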
[Git][security-tracker-team/security-tracker][master] Track proposed update for fish via bookworm-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fa92c9a9 by Salvatore Bonaccorso at 2023-12-21T22:06:38+01:00 Track proposed update for fish via bookworm-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -44,3 +44,5 @@ CVE-2023-49208 [bookworm] - glewlwyd 2.7.5-3+deb12u1 CVE-2023-22084 [bookworm] - mariadb 1:10.11.6-0+deb12u1 +CVE-2023-49284 + [bookworm] - fish 3.6.0-3.1+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa92c9a95902763cab3fd8d2a5853942133bf208 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa92c9a95902763cab3fd8d2a5853942133bf208 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixes via experimental for three libsass issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2662c05f by Salvatore Bonaccorso at 2023-12-21T22:00:53+01:00 Track fixes via experimental for three libsass issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -80333,12 +80333,14 @@ CVE-2022-43360 CVE-2022-43359 (Gifdec commit 1dcbae19363597314f6623010cc80abad4e47f7c was discovered ...) NOT-FOR-US: Gifdec CVE-2022-43358 (Stack overflow vulnerability in ast_selectors.cpp: in function Sass::C ...) + [experimental] - libsass 3.6.5+20231221-1 - libsass (bug #1051895) [bookworm] - libsass (Minor issue) [bullseye] - libsass (Minor issue) [buster] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/3178 CVE-2022-43357 (Stack overflow vulnerability in ast_selectors.cpp in function Sass::Co ...) + [experimental] - libsass 3.6.5+20231221-1 - libsass (bug #1051893) [bookworm] - libsass (Minor issue) [bullseye] - libsass (Minor issue) @@ -127555,6 +127557,7 @@ CVE-2022-26594 (Multiple cross-site scripting (XSS) vulnerabilities in Liferay P CVE-2022-26593 (Cross-site scripting (XSS) vulnerability in the Asset module's asset c ...) NOT-FOR-US: Liferay CVE-2022-26592 (Stack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector ...) + [experimental] - libsass 3.6.5+20231221-1 - libsass (bug #1051894) [bookworm] - libsass (Minor issue) [bullseye] - libsass (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2662c05fa19af11490b58f0d11f59da8eb0022a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2662c05fa19af11490b58f0d11f59da8eb0022a7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-6610
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a73e903 by Salvatore Bonaccorso at 2023-12-21T21:58:07+01:00 Update information for CVE-2023-6610 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2907,6 +2907,7 @@ CVE-2023-6611 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has be CVE-2023-6610 (An out-of-bounds read vulnerability was found in smb2_dump_detail in f ...) - linux (unimportant) NOTE: CONFIG_CIFS_DEBUG2 not enabled in Debian + NOTE: https://git.kernel.org/linus/567320c46a60a3c39b69aa1df802d753817a3f86 CVE-2023-6609 (A vulnerability was found in osCommerce 4. It has been classified as p ...) NOT-FOR-US: osCommerce CVE-2023-6608 (A vulnerability was found in Tongda OA 2017 up to 11.9 and classified ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a73e903583ae952070b742ebf20ab44bc054f05 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a73e903583ae952070b742ebf20ab44bc054f05 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
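Review bot: the new NOTE gives the upstream fix commit 567320c46a60a3c39b69aa1df802d753817a3f86 without the release it landed in; other entries in this series qualify the commit with a tag, e.g. '(6.5-rc7)' for CVE-2023-6546 and '(v8.2.0-rc1)' for the qemu fix, which shows at a glance whether the Debian kernels already carry it, so add the tag here too. The '(unimportant)' rating rests on 'CONFIG_CIFS_DEBUG2 not enabled in Debian' and holds only while that option stays off, which the NOTE records correctly.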
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-6606/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b633b33 by Salvatore Bonaccorso at 2023-12-21T21:55:19+01:00 Update information on CVE-2023-6606/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2915,6 +2915,8 @@ CVE-2023-6607 (A vulnerability has been found in Tongda OA 2017 up to 11.10 and NOT-FOR-US: Tongda OA CVE-2023-6606 (An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb ...) - linux + NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=218218 + NOTE: https://git.kernel.org/linus/b35858b3786ddbb56e1c35138ba25d6adf8d0bef CVE-2023-6507 (An issue was found in CPython 3.12.0 `subprocess` module on POSIX plat ...) - python3.12 3.12.1-1 - python3.11 (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b633b33118734c667ae3189b47fd58dbf5f73f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b633b33118734c667ae3189b47fd58dbf5f73f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
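Review bot: '- linux' carries no fixed version even though the change adds the upstream fix commit b35858b3786ddbb56e1c35138ba25d6adf8d0bef and a kernel.org bugzilla reference; without a version every suite stays affected, so record the first Debian upload carrying the commit, or add suite lines explaining why none is needed, and give the upstream tag in parentheses as the CVE-2023-6546 entry does.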
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-7042/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 15d76fa9 by Salvatore Bonaccorso at 2023-12-21T21:48:30+01:00 Add CVE-2023-7042/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,8 @@ CVE-2023-7047 (Inadequate validation of permissions when employing remote tools and ...) NOT-FOR-US: Devolutions CVE-2023-7042 (A null pointer dereference vulnerability was found in ath10k_wmi_tlv_o ...) - TODO: check + - linux + NOTE: https://patchwork.kernel.org/project/linux-wireless/patch/20231208043433.271449-1-hdth...@gmail.com/ CVE-2023-7041 (A vulnerability, which was classified as critical, has been found in c ...) NOT-FOR-US: codelyfe Stupid Simple CMS CVE-2023-7040 (A vulnerability classified as problematic was found in codelyfe Stupid ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15d76fa9069852edca3978c75a4c5bbaa6dbde0a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15d76fa9069852edca3978c75a4c5bbaa6dbde0a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
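Review bot: the only reference is a patchwork submission, i.e. a proposed patch rather than a merged commit, and the URL as written contains an elided e-mail address ('hdth...@gmail.com'), so it will not resolve; use the full patchwork link or, better, the upstream commit id once the patch lands. Leaving '- linux' without a fixed version until then is correct.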
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6546/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 82a55f3a by Salvatore Bonaccorso at 2023-12-21T21:34:21+01:00 Add CVE-2023-6546/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,11 @@ CVE-2023-7036 (A vulnerability was found in automad up to 1.10.9. It has been cl CVE-2023-7035 (A vulnerability was found in automad up to 1.10.9 and classified as pr ...) NOT-FOR-US: automad CVE-2023-6546 (A race condition was found in the GSM 0710 tty multiplexor in the Linu ...) - TODO: check + - linux 6.4.13-1 + [bookworm] - linux 6.1.52-1 + [bullseye] - linux 5.10.197-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/3c4f8333b582487a2d1e02171f1465531cde53e3 (6.5-rc7) CVE-2023-6145 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Istanbul Soft Informatics and Consultancy Limited Company Softomi Advanced C2C Marketplace Software CVE-2023-6122 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82a55f3ab6a5c8a1bf14bde64f994e6363d6be87 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82a55f3ab6a5c8a1bf14bde64f994e6363d6be87 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 64dd9b6a by Salvatore Bonaccorso at 2023-12-21T21:24:21+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,31 +1,31 @@ CVE-2023-7047 (Inadequate validation of permissions when employing remote tools and ...) - TODO: check + NOT-FOR-US: Devolutions CVE-2023-7042 (A null pointer dereference vulnerability was found in ath10k_wmi_tlv_o ...) TODO: check CVE-2023-7041 (A vulnerability, which was classified as critical, has been found in c ...) - TODO: check + NOT-FOR-US: codelyfe Stupid Simple CMS CVE-2023-7040 (A vulnerability classified as problematic was found in codelyfe Stupid ...) - TODO: check + NOT-FOR-US: codelyfe Stupid Simple CMS CVE-2023-7039 (A vulnerability classified as critical has been found in Beijing Baich ...) - TODO: check + NOT-FOR-US: Beijing Baichuo S210 CVE-2023-7038 (A vulnerability was found in automad up to 1.10.9. It has been rated a ...) - TODO: check + NOT-FOR-US: automad CVE-2023-7037 (A vulnerability was found in automad up to 1.10.9. It has been declare ...) - TODO: check + NOT-FOR-US: automad CVE-2023-7036 (A vulnerability was found in automad up to 1.10.9. It has been classif ...) - TODO: check + NOT-FOR-US: automad CVE-2023-7035 (A vulnerability was found in automad up to 1.10.9 and classified as pr ...) - TODO: check + NOT-FOR-US: automad CVE-2023-6546 (A race condition was found in the GSM 0710 tty multiplexor in the Linu ...) TODO: check CVE-2023-6145 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: Istanbul Soft Informatics and Consultancy Limited Company Softomi Advanced C2C Marketplace Software CVE-2023-6122 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: Istanbul Soft Informatics and Consultancy Limited Company Softomi Software CVE-2023-5989 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: LioXERP CVE-2023-5988 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) 
- TODO: check + NOT-FOR-US: LioXERP CVE-2023-5594 (Improper validation of the server\u2019s certificate chain in secure t ...) TODO: check CVE-2023-51655 (In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible ...) 
@@ -33,43 +33,43 @@ CVE-2023-51655 (In JetBrains IntelliJ IDEA before 2023.3.2 code execution was po CVE-2023-51442 (Navidrome is an open source web-based music collection server and stre ...) TODO: check CVE-2023-51052 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) - TODO: check + NOT-FOR-US: S-CMS CVE-2023-51051 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) - TODO: check + NOT-FOR-US: S-CMS CVE-2023-51050 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) - TODO: check + NOT-FOR-US: S-CMS CVE-2023-51049 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) - TODO: check + NOT-FOR-US: S-CMS CVE-2023-51048 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) - TODO: check + NOT-FOR-US: S-CMS CVE-2023-50834 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50833 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50832 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50831 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50830 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50829 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50828 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50827 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50826 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50825 (Improper
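Review bot: CVE-2023-6145 is labelled 'NOT-FOR-US: Istanbul Soft Informatics and Consultancy Limited Company Softomi Advanced C2C Marketplace Software' while CVE-2023-6122, from the same vendor, is labelled '... Softomi Software'; if these are the same product, use one label so both entries turn up under one search, and if they are different products the shorter label should name which. The 'TODO: check' lines left for CVE-2023-7042, CVE-2023-6546, CVE-2023-5594, CVE-2023-51655 and CVE-2023-51442 match the follow-up commits in this series that triage them individually.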
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b53a10f5 by security tracker role at 2023-12-21T20:12:10+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,159 @@ +CVE-2023-7047 (Inadequate validation of permissions when employing remote tools and ...) + TODO: check +CVE-2023-7042 (A null pointer dereference vulnerability was found in ath10k_wmi_tlv_o ...) + TODO: check +CVE-2023-7041 (A vulnerability, which was classified as critical, has been found in c ...) + TODO: check +CVE-2023-7040 (A vulnerability classified as problematic was found in codelyfe Stupid ...) + TODO: check +CVE-2023-7039 (A vulnerability classified as critical has been found in Beijing Baich ...) + TODO: check +CVE-2023-7038 (A vulnerability was found in automad up to 1.10.9. It has been rated a ...) + TODO: check +CVE-2023-7037 (A vulnerability was found in automad up to 1.10.9. It has been declare ...) + TODO: check +CVE-2023-7036 (A vulnerability was found in automad up to 1.10.9. It has been classif ...) + TODO: check +CVE-2023-7035 (A vulnerability was found in automad up to 1.10.9 and classified as pr ...) + TODO: check +CVE-2023-6546 (A race condition was found in the GSM 0710 tty multiplexor in the Linu ...) + TODO: check +CVE-2023-6145 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-6122 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-5989 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-5988 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-5594 (Improper validation of the server\u2019s certificate chain in secure t ...) + TODO: check +CVE-2023-51655 (In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible ...) + TODO: check +CVE-2023-51442 (Navidrome is an open source web-based music collection server and stre ...) + TODO: check +CVE-2023-51052 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) 
+ TODO: check +CVE-2023-51051 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) + TODO: check +CVE-2023-51050 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) + TODO: check +CVE-2023-51049 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) + TODO: check +CVE-2023-51048 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability via ...) + TODO: check +CVE-2023-50834 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50833 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50832 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50831 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50830 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50829 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50828 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50827 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50826 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50825 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50824 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50823 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50822 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-50732 (XWiki Platform is a generic wiki platform offering runtime services fo ...) 
+ TODO: check +CVE-2023-50724 (Resque (pronounced like "rescue") is a Redis-backed library for creati ...) + TODO: check +CVE-2023-50481 (An issue was discovered in blinksocks version 3.3.8, allows remote att ...) + TODO: check +CVE-2023-50477 (An issue was discovered in nos client version 0.6.6, allows remote att ...) + TODO: check +CVE-2023-50475 (An issue was discovered in bcoin-org bcoin version 2.2.0, allows remot ...) + TODO: check +CVE-2023-50473 (Cross-Site Scripting (XSS) vulnerability in bill-ahmed qbit-matUI vers ...) +
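Review bot: the imported description for CVE-2023-5594 contains a literal `\u2019` ("server\u2019s certificate chain"), i.e. a JSON unicode escape that was not decoded when the entry was generated; it should read "server's certificate chain" so the description matches the upstream text and a plain-text grep for it works.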
[Git][security-tracker-team/security-tracker][master] chromium DSA
Andres Salomon pushed to branch master at Debian Security Tracker / security-tracker Commits: 95b63dcb by Andres Salomon at 2023-12-21T15:08:13-05:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[21 Dec 2023] DSA-5585-1 chromium - security update + {CVE-2023-7024} + [bullseye] - chromium 120.0.6099.129-1~deb11u1 + [bookworm] - chromium 120.0.6099.129-1~deb12u1 [21 Dec 2023] DSA-5584-1 bluez - security update {CVE-2023-45866} [bullseye] - bluez 5.55-3.1+deb11u1 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- asterisk -- -chromium (dilinger) --- cryptojs -- curl View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95b63dcbc5b9b13d58086ec5a559560740800337 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95b63dcbc5b9b13d58086ec5a559560740800337 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
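Review bot: only data/DSA/list and data/dsa-needed.txt change here, so the CVE-2023-7024 entry in data/CVE/list does not pick up a `{DSA-5585-1}` cross reference in this commit, unlike the `{DSA-5581-1}` line carried by CVE-2023-6864; add the reference under CVE-2023-7024 so the bullseye/bookworm fix (120.0.6099.129-1~deb11u1 / -1~deb12u1) is visible from the CVE side as well.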
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for rust-unsafe-libyaml issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c3d0ddf by Salvatore Bonaccorso at 2023-12-21T20:54:19+01:00 Add Debian bug reference for rust-unsafe-libyaml issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,7 @@ CVE-2023-50783 CVE-2023-51656 NOT-FOR-US: Apache IoTDB CVE-2023- [RUSTSEC-2023-0075] - - rust-unsafe-libyaml + - rust-unsafe-libyaml (bug #1059234) NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0075.html NOTE: https://github.com/dtolnay/unsafe-libyaml/issues/21 CVE-2023-7026 (A vulnerability was found in Lightxun IPTV Gateway up to 20231208. It ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c3d0ddf4f2979c0ec0a5a85705d836fdc595092 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c3d0ddf4f2979c0ec0a5a85705d836fdc595092 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-43646/node-get-func-name via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 10e180bc by Salvatore Bonaccorso at 2023-12-21T20:52:51+01:00 Track fixed version for CVE-2023-43646/node-get-func-name via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15562,7 +15562,7 @@ CVE-2023-43856 (Dreamer CMS v4.1.3 was discovered to contain an arbitrary file r CVE-2023-43775 (Denial-of-service vulnerability in the web server of the Eaton SMP Gat ...) NOT-FOR-US: Eaton CVE-2023-43646 (get-func-name is a module to retrieve a function's name securely and c ...) - - node-get-func-name (bug #1053262) + - node-get-func-name 2.0.2-1 (bug #1053262) [bookworm] - node-get-func-name (Minor issue) [bullseye] - node-get-func-name (Minor issue) [buster] - node-get-func-name (Minor issue, ReDoS) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10e180bc7357b801701b395ab83fb217579a9e03 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10e180bc7357b801701b395ab83fb217579a9e03 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] chromium fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 60d4ba8b by Moritz Muehlenhoff at 2023-12-21T20:51:04+01:00 chromium fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,7 @@ CVE-2023-7026 (A vulnerability was found in Lightxun IPTV Gateway up to 20231208 CVE-2023-7025 (A vulnerability was found in KylinSoft hedron-domain-hook up to 3.8.0. ...) NOT-FOR-US: KylinSoft hedron-domain-hook CVE-2023-7024 - - chromium + - chromium 120.0.6099.129-1 [buster] - chromium (see DSA 5046) CVE-2023-7023 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has been ra ...) NOT-FOR-US: Tongda OA View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60d4ba8bd5aede053b9d06a5999efe614183ed0b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60d4ba8bd5aede053b9d06a5999efe614183ed0b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim osslsigncode in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: f0ad6d03 by Tobias Frost at 2023-12-21T20:42:27+01:00 LTS: claim osslsigncode in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -161,7 +161,7 @@ nvidia-cuda-toolkit openssh NOTE: 20231219: Added by Front-Desk (ta) -- -osslsigncode +osslsigncode (tobi) NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0ad6d0317828680ed3414843a1a08b85c748c9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0ad6d0317828680ed3414843a1a08b85c748c9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for bluez update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a4eed934 by Salvatore Bonaccorso at 2023-12-21T20:33:39+01:00 Reserve DSA number for bluez update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[21 Dec 2023] DSA-5584-1 bluez - security update + {CVE-2023-45866} + [bullseye] - bluez 5.55-3.1+deb11u1 + [bookworm] - bluez 5.66-1+deb12u1 [21 Dec 2023] DSA-5583-1 gst-plugins-bad1.0 - security update [bookworm] - gst-plugins-bad1.0 1.22.0-4+deb12u4 [21 Dec 2023] DSA-5582-1 thunderbird - security update = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- asterisk -- -bluez (carnil) --- chromium (dilinger) -- cryptojs View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4eed934ce95527e172e90d7ad83fc0582ae0355 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4eed934ce95527e172e90d7ad83fc0582ae0355 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Drop unneeded note on consequences for tinyssh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c9c146b by Salvatore Bonaccorso at 2023-12-21T20:24:03+01:00 Drop unneeded note on consequences for tinyssh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -758,9 +758,9 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun NOTE: tinyssh: https://github.com/janmojzis/tinyssh/issues/81 NOTE: tinyssh: https://github.com/janmojzis/tinyssh/commit/ebaa1bd23c2c548af70cc8151e85c74f4c8594bb NOTE: tinyssh: 20230101-4 implements kex-strict-s-...@openssh.com for the strict kex support. But - NOTE: since there is no support for EXT_INFO in tinyssh, even with the present chacha20-poly1...@openssh.com - NOTE: encryption algorith, there is no downgrade of the connection security. An attack might result in - NOTE: hanging or breaking connction. + NOTE: tinyssh: since there is no support for EXT_INFO in tinyssh, even with the present + NOTE: tinyssh: chacha20-poly1...@openssh.com encryption algorith, there is no downgrade of the + NOTE: tinyssh: connection security. CVE-2023-41314 (The api /api/snapshot and /api/get_log_file would allow unauthenticate ...) NOT-FOR-US: Apache Doris CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c9c146b319f10b4550f0e1bd8109fc6b06d27a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c9c146b319f10b4550f0e1bd8109fc6b06d27a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
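Review bot: the rewritten second `NOTE: tinyssh:` line still reads "encryption algorith"; since these three lines are being reworded anyway, change it to "encryption algorithm" here rather than leaving the typo for another pass.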
[Git][security-tracker-team/security-tracker][master] add cross reference
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d9a5242e by Moritz Mühlenhoff at 2023-12-21T20:20:01+01:00 add cross reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14985,6 +14985,7 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vu NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt CVE-2023- [AV1 codec parser buffer overflow] - gst-plugins-bad1.0 1.22.8-1 + [bookworm] - gst-plugins-bad1.0 1.22.0-4+deb12u4 [bullseye] - gst-plugins-bad1.0 (Vulnerable code not present) [buster] - gst-plugins-bad1.0 (Vulnerable code not present) - gst-plugins-bad0.10 (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9a5242eb13d59cc1a5cff10f3e4a3ad67c19cca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9a5242eb13d59cc1a5cff10f3e4a3ad67c19cca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] gst-plugins-bad1.0, thunderbird DSAs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e2e33f3 by Moritz Mühlenhoff at 2023-12-21T20:18:23+01:00 gst-plugins-bad1.0, thunderbird DSAs - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,9 @@ +[21 Dec 2023] DSA-5583-1 gst-plugins-bad1.0 - security update + [bookworm] - gst-plugins-bad1.0 1.22.0-4+deb12u4 +[21 Dec 2023] DSA-5582-1 thunderbird - security update + {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6864 CVE-2023-6873 CVE-2023-50761 CVE-2023-50762} + [bullseye] - thunderbird 1:115.6.0-1~deb11u1 + [bookworm] - thunderbird 1:115.6.0-1~deb12u1 [20 Dec 2023] DSA-5581-1 firefox-esr - security update {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863 CVE-2023-6864 CVE-2023-6865 CVE-2023-6867} [bullseye] - firefox-esr 115.6.0esr-1~deb11u1 = data/dsa-needed.txt = @@ -29,8 +29,6 @@ frr -- gpac/oldstable -- -gst-plugins-bad1.0 (jmm) --- h2o (jmm) -- haproxy (carnil) @@ -99,8 +97,6 @@ slurm-wlm -- squid -- -thunderbird (jmm) --- varnish -- zbar View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e2e33f3a0ad6e49954a2b4877e60aca15e70e07 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e2e33f3a0ad6e49954a2b4877e60aca15e70e07 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
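Review bot: the CVE set of DSA-5582-1 includes CVE-2023-6873, yet commit 83a0ef39 earlier the same day ("CVE-2023-6873 only affects src:firefox") dropped the `- thunderbird` line and the mfsa2023-55 reference from that CVE; either CVE-2023-6873 should not be listed on this DSA line or the CVE entry needs thunderbird restored, since a DSA fixing a CVE in a package the CVE entry no longer lists is inconsistent.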
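Review bot: the DSA-5583-1 gst-plugins-bad1.0 entry carries no `{CVE-...}` line because the issue is still tracked as `CVE-2023- [AV1 codec parser buffer overflow]`; once the ID is assigned both the DSA entry and the CVE entry need updating, so a NOTE on the CVE entry pointing at DSA-5583-1 would make that follow-up easy to find.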
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-16723/cacti: add patches versions
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 23bdb162 by Sylvain Beucler at 2023-12-21T18:25:50+01:00 CVE-2019-16723/cacti: add patches versions - - - - - 1a7e573a by Sylvain Beucler at 2023-12-21T18:29:37+01:00 CVE-2023-37543/cacti: buster ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21747,8 +21747,8 @@ CVE-2023-37625 (A stored cross-site scripting (XSS) vulnerability in Netbox v3.4 - netbox (bug #1017079) CVE-2023-37543 (Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for ...) - cacti 1.2.6+ds1-1 - [buster] - cacti (Minor issue) - NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj + [buster] - cacti (Unclear issue; can only be reproduced by reverting CVE-2019-16723 fixes; probably a different vector of the same vulnerability) + NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj (404) NOTE: https://medium.com/%40hussainfathy99/exciting-news-my-first-cve-discovery-cve-2023-37543-idor-vulnerability-in-cacti-bbb6c386afed NOTE: https://github.com/Cacti/cacti/issues/5523 NOTE: Not possible to pinpoint exact fix, but upstream confirms that the fix is in 
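Review bot: the commit message says "buster ignored", but the only change to the `[buster] - cacti` line is the parenthesised reason ("Minor issue" becomes "Unclear issue; can only be reproduced by reverting CVE-2019-16723 fixes; ..."); the hunk does not change the entry's state, so if buster is meant to be ignored rather than left as before, make that explicit on the line. Tagging the GHSA link as "(404)" is fine, but an archived copy would be more useful than a dead URL.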
@@ -30,17 +30,17 @@ CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass authoriza [stretch] - cacti (vulnerability introduced later) [jessie] - cacti (vulnerability introduced later) NOTE: vulnerability introduced in - NOTE: https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326 + NOTE: https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326 (release/1.0.0) NOTE: see Debian bug report for more information NOTE: https://github.com/Cacti/cacti/issues/2964 - NOTE: https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264 - NOTE: https://github.com/Cacti/cacti/commit/c7cf4a26e4848872b48094e67f8d0a01dd7613d2 + NOTE: https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264 (release/1.2.7) + NOTE: https://github.com/Cacti/cacti/commit/c7cf4a26e4848872b48094e67f8d0a01dd7613d2 (release/1.2.7) NOTE: after further discussion, upstream issued a new fix which reverts previous commits - NOTE: https://github.com/Cacti/cacti/commit/cfb0733597af97abc92270de4f47cbfa32f9ce8b + NOTE: https://github.com/Cacti/cacti/commit/cfb0733597af97abc92270de4f47cbfa32f9ce8b (release/1.2.8) NOTE: which turned out to be insufficient to fix the issue, follow up patches: - NOTE: https://github.com/Cacti/cacti/commit/9a1d2ec46d2dde23826c134ca70a0cd3bef43ee7 - NOTE: https://github.com/Cacti/cacti/commit/d5f98679a06aa96adfe04f60908f9108cfc9f7f7 - NOTE: https://github.com/Cacti/cacti/commit/4cecb19f6be8b84fa1c7b6450b66176007cb53df + NOTE: https://github.com/Cacti/cacti/commit/9a1d2ec46d2dde23826c134ca70a0cd3bef43ee7 (release/1.2.8) + NOTE: https://github.com/Cacti/cacti/commit/d5f98679a06aa96adfe04f60908f9108cfc9f7f7 (release/1.2.8) + NOTE: https://github.com/Cacti/cacti/commit/4cecb19f6be8b84fa1c7b6450b66176007cb53df (release/1.2.8) NOTE: The original issue mentions only a bypass via graph_json.php but there are NOTE: additional permission checks missed while checking the issue fixed with the 
NOTE: upstream commits. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/702da29d82f17ff864d63375c457beae4555e6ea...1a7e573aee513e7fc8df567644fa7a3259e5182d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/702da29d82f17ff864d63375c457beae4555e6ea...1a7e573aee513e7fc8df567644fa7a3259e5182d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add reference for postfix details
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 702da29d by Salvatore Bonaccorso at 2023-12-21T18:15:32+01:00 Add reference for postfix details - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2,6 +2,7 @@ CVE-2023- [SMTP smuggling attack] - postfix (bug #1059230) NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 + NOTE: postfix: https://www.postfix.org/smtp-smuggling.html NOTE: postfix: https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html NOTE: postfix: Short-term Mitigation: smtpd_forbid_unauth_pipelining = yes TODO: track other major mailserver implementations View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/702da29d82f17ff864d63375c457beae4555e6ea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/702da29d82f17ff864d63375c457beae4555e6ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add oss-security reference for cpio issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aca81b00 by Salvatore Bonaccorso at 2023-12-21T18:11:40+01:00 Add oss-security reference for cpio issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -514810,6 +514810,7 @@ CVE-2015-1030 (Memory leak in the rfc2553_connect_to function in jbsocket.c in P NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/cgisimple.c?view=patch=1.130=1.131=v_3_0_22 CVE-2023- [Path traversal vulnerability due to partial revert of fix for CVE-2015-1197] - cpio (bug #1059163) + NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/8 CVE-2015-1197 (cpio 2.11, when using the --no-absolute-filenames option, allows local ...) - cpio 2.11+dfsg-4.1 (low; bug #774669) [wheezy] - cpio (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aca81b00b84de3ad91510f9377848ab81980d782 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aca81b00b84de3ad91510f9377848ab81980d782 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for postfix issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d72b3577 by Salvatore Bonaccorso at 2023-12-21T18:05:24+01:00 Add Debian bug reference for postfix issue - - - - - 7ec16f1b by Salvatore Bonaccorso at 2023-12-21T18:07:23+01:00 Add todo item for SMTP issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,10 @@ CVE-2023- [SMTP smuggling attack] - - postfix + - postfix (bug #1059230) NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 NOTE: postfix: https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html NOTE: postfix: Short-term Mitigation: smtpd_forbid_unauth_pipelining = yes + TODO: track other major mailserver implementations CVE-2023-48291 - airflow (bug #819700) CVE-2023-47265 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cf3a53e23ed0e4f398fd5cd36ffe3dfff24427f0...7ec16f1baa33f40ff2d3710c4dedd85f73abac34 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cf3a53e23ed0e4f398fd5cd36ffe3dfff24427f0...7ec16f1baa33f40ff2d3710c4dedd85f73abac34 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add temporary entry for SMTP smuggling attack issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cf3a53e2 by Salvatore Bonaccorso at 2023-12-21T17:52:03+01:00 Add temporary entry for SMTP smuggling attack issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2023- [SMTP smuggling attack] + - postfix + NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ + NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 + NOTE: postfix: https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html + NOTE: postfix: Short-term Mitigation: smtpd_forbid_unauth_pipelining = yes CVE-2023-48291 - airflow (bug #819700) CVE-2023-47265 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf3a53e23ed0e4f398fd5cd36ffe3dfff24427f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf3a53e23ed0e4f398fd5cd36ffe3dfff24427f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-48795/tinyssh as unimportant and add explaining NOTE
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f9b1d76 by Salvatore Bonaccorso at 2023-12-21T17:01:57+01:00 Mark CVE-2023-48795/tinyssh as unimportant and add explaining NOTE - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -712,7 +712,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - proftpd-mod-proxy - putty 0.80-1 - python-asyncssh (bug #1059007) - - tinyssh 20230101-4 (bug #1059058) + - tinyssh 20230101-4 (bug #1059058; unimportant) - trilead-ssh2 NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 
@@ -749,6 +749,10 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun NOTE: asyncssh: https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b (v2.14.2) NOTE: tinyssh: https://github.com/janmojzis/tinyssh/issues/81 NOTE: tinyssh: https://github.com/janmojzis/tinyssh/commit/ebaa1bd23c2c548af70cc8151e85c74f4c8594bb + NOTE: tinyssh: 20230101-4 implements kex-strict-s-...@openssh.com for the strict kex support. But + NOTE: since there is no support for EXT_INFO in tinyssh, even with the present chacha20-poly1...@openssh.com + NOTE: encryption algorith, there is no downgrade of the connection security. An attack might result in + NOTE: hanging or breaking connction. CVE-2023-41314 (The api /api/snapshot and /api/get_log_file would allow unauthenticate ...) NOT-FOR-US: Apache Doris CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f9b1d76b49ce0061f6cf9c567a0757192565fdf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f9b1d76b49ce0061f6cf9c567a0757192565fdf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
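Review bot: in the second hunk only the first of the four new NOTE lines carries the `tinyssh:` prefix, so the continuation lines read as generic notes on CVE-2023-48795 rather than on tinyssh; prefix all four and fix the typos "algorith" and "connction" ("algorithm", "connection") while at it.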
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a1eec85 by Emilio Pozuelo Monfort at 2023-12-21T16:00:09+01:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,6 +73,9 @@ dogecoin dropbear (guilhem) NOTE: 20231219: Added by Front-Desk (ta) -- +firefox-esr (Emilio) + NOTE: 20231221: Added by pochu +-- frr NOTE: 20231119: Added by Front-Desk (apo) -- @@ -229,6 +232,9 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird (Emilio) + NOTE: 20231221: Added by pochu +-- tinymce NOTE: 20231123: Added by Front-Desk (ola) NOTE: 20231216: Someone with more XSS experience needed to assess the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a1eec858c2d864b41e19defb8e3112f024ffc31 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a1eec858c2d864b41e19defb8e3112f024ffc31 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 66bc6291 by Moritz Muehlenhoff at 2023-12-21T15:43:36+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,13 @@ +CVE-2023-48291 + - airflow (bug #819700) +CVE-2023-47265 + - airflow (bug #819700) +CVE-2023-49920 + - airflow (bug #819700) +CVE-2023-50783 + - airflow (bug #819700) +CVE-2023-51656 + NOT-FOR-US: Apache IoTDB CVE-2023- [RUSTSEC-2023-0075] - rust-unsafe-libyaml NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0075.html @@ -50,7 +60,7 @@ CVE-2023-48433 (Online Voting System Project v1.0 is vulnerable to multiple Unau CVE-2023-47093 (An issue was discovered in Stormshield Network Security (SNS) 4.0.0 th ...) NOT-FOR-US: Stormshield Network Security (SNS) CVE-2023-46131 (Grails is a framework used to build web applications with the Groovy p ...) - TODO: check + - grails (bug #473213) CVE-2023-45703 (HCL Launch may mishandle input validation of an uploaded archive file ...) NOT-FOR-US: HCL CVE-2023-45700 (HCL Launch is vulnerable to HTML injection. This vulnerability may all ...) @@ -97,7 +107,7 @@ CVE-2023-51457 (Adobe Experience Manager versions 6.5.18 and earlier are affecte CVE-2023-50628 (Buffer Overflow vulnerability in libming version 0.4.8, allows attacke ...) - ming CVE-2023-50249 (Sentry-Javascript is official Sentry SDKs for JavaScript. A ReDoS (Reg ...) - TODO: check + NOT-FOR-US: Sentry-Javascript CVE-2023-50044 (Buffer Overflow vulnerability in Cesanta MJS version 2.22.0, allows at ...) NOT-FOR-US: Cesenta MJS CVE-2023-49825 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) 
@@ -153,7 +163,7 @@ CVE-2023-40204 (Unrestricted Upload of File with Dangerous Type vulnerability in CVE-2023-40010 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-3742 (Insufficient policy enforcement in ADB in Google Chrome on ChromeOS pr ...) - TODO: check + NOT-FOR-US: Google Chrome on ChromeOS CVE-2023-38519 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-38513 (Authorization Bypass Through User-Controlled Key vulnerability in Jord ...) @@ -38415,11 +38425,11 @@ CVE-2023-29489 (An issue was discovered in cPanel before 11.109..116. XSS ca CVE-2023-29488 RESERVED CVE-2023-29487 (An issue was discovered in Heimdal Thor agent versions 3.4.2 and befor ...) - TODO: check + NOT-FOR-US: Heimdal Thor CVE-2023-29486 (An issue was discovered in Heimdal Thor agent versions 3.4.2 and befor ...) - TODO: check + NOT-FOR-US: Heimdal Thor CVE-2023-29485 (An issue was discovered in Heimdal Thor agent versions 3.4.2 and befor ...) - TODO: check + NOT-FOR-US: Heimdal Thor CVE-2023-29484 (In Terminalfour before 8.3.16, misconfigured LDAP users are able to lo ...) NOT-FOR-US: Terminalfour CVE-2023-29483 
@@ -65915,7 +65925,7 @@ CVE-2022-41834 CVE-2020-36611 (Incorrect Default Permissions vulnerability in Hitachi Tuning Manager ...) NOT-FOR-US: Hitachi CVE-2023-0011 (A flaw in the input validation in TOBY-L2 allows a user to execute arb ...) - TODO: check + NOT-FOR-US: TOBY-L2 CVE-2022-47193 RESERVED CVE-2022-47192 (Generex UPS CS141 below 2.06 version, could allow a remote attacker to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66bc6291e062b20d168e8c070df0adca56b2c91f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66bc6291e062b20d168e8c070df0adca56b2c91f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new rust-unsafe-libyaml issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f0dbdb9c by Moritz Muehlenhoff at 2023-12-21T15:25:24+01:00 new rust-unsafe-libyaml issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023- [RUSTSEC-2023-0075] + - rust-unsafe-libyaml + NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0075.html + NOTE: https://github.com/dtolnay/unsafe-libyaml/issues/21 CVE-2023-7026 (A vulnerability was found in Lightxun IPTV Gateway up to 20231208. It ...) NOT-FOR-US: Lightxun IPTV Gateway CVE-2023-7025 (A vulnerability was found in KylinSoft hedron-domain-hook up to 3.8.0. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0dbdb9caabe4c50c67e46381cdebea5ab01cd94 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0dbdb9caabe4c50c67e46381cdebea5ab01cd94 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-6873 only affects src:firefox
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 83a0ef39 by Moritz Muehlenhoff at 2023-12-21T12:35:17+01:00 CVE-2023-6873 only affects src:firefox - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -388,9 +388,7 @@ CVE-2023-6862 (A use-after-free was identified in the `nsDNSService::Init`. Thi NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6862 CVE-2023-6873 (Memory safety bugs present in Firefox 120. Some of these bugs showed e ...) - firefox 121.0-1 - - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6873 - NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6873 CVE-2023-6864 (Memory safety bugs present in Firefox 120, Firefox ESR 115.5, and Thun ...) {DSA-5581-1} - firefox 121.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83a0ef398e265561eadff2795daeae578d28f791 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83a0ef398e265561eadff2795daeae578d28f791 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 433acc83 by Moritz Muehlenhoff at 2023-12-21T11:08:54+01:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -57,6 +57,8 @@ CVE-2023-7018 (Deserialization of Untrusted Data in GitHub repository huggingfac NOT-FOR-US: Transformers CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC=yes] - systemd + [bookworm] - systemd (Minor issue) + [bullseye] - systemd (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=672 CVE-2023-6912 (Lack of protection against brute force attacks in M-Files Server befor ...) NOT-FOR-US: M-Files Server @@ -299,6 +301,8 @@ CVE-2023-49489 (Reflective Cross Site Scripting (XSS) vulnerability in KodeExplo NOT-FOR-US: kalcaddle KodExplorer CVE-2023-49006 (Cross Site Request Forgery (CSRF) vulnerability in Phpsysinfo version ...) - phpsysinfo 3.4.3-1 + [bookworm] - phpsysinfo (Minor issue) + [bullseye] - phpsysinfo (Minor issue) NOTE: https://huntr.com/bounties/ca6d669f-fd82-4188-aae2-69e08740d982/ NOTE: https://github.com/phpsysinfo/phpsysinfo/commit/4f2cee505e4f2e9b369a321063ff2c5e0c34ba45 (v3.4.3) CVE-2023-46804 (An attacker sending specially crafted data packets to the Mobile Devic ...) @@ -679,6 +683,8 @@ CVE-2023-32230 (An improper handling of a malformed API request to an API server CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, found in O ...) - dropbear (bug #1059001) - erlang 1:25.3.2.8+dfsg-1 (bug #1059002) + [bookworm] - erlang (Minor issue) + [bullseye] - erlang (Minor issue) - golang-go.crypto (bug #1059003) - jsch (ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58) - libssh (bug #1059004) 
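Review bot: in the CVE-2023-48795 hunk, the two added lines mark erlang as `(Minor issue)` for bookworm and bullseye without saying why, while the neighbouring dropbear, golang-go.crypto and libssh lines in the same entry still carry open bug numbers and no such downgrade; a short reason inside the parenthesis (the jsch line in the same entry shows the style, with its version notes) would let the next person triaging this entry see why erlang's SSH implementation is treated differently from the others.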
@@ -12113,6 +12119,8 @@ CVE-2023-39960 (Nextcloud Server provides data storage for Nextcloud, an open so - nextcloud-server (bug #941708) CVE-2023-38000 (Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability i ...) - wordpress 6.3.2+dfsg1-1 + [bookworm] - wordpress (Minor issue) + [bullseye] - wordpress (Vulnerable code was introduced in 5.9) [buster] - wordpress (Vulnerable code was introduced in 5.9) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ NOTE: https://plugins.trac.wordpress.org/changeset/2978318/gutenberg/trunk/build/block-library/blocks/post-navigation-link.php @@ -14953,7 +14961,9 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vu NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt CVE-2023- [AV1 codec parser buffer overflow] - gst-plugins-bad1.0 1.22.8-1 - - gst-plugins-bad0.10 + [bullseye] - gst-plugins-bad1.0 (Vulnerable code not present) + [buster] - gst-plugins-bad1.0 (Vulnerable code not present) + - gst-plugins-bad0.10 (Vulnerable code not present) NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0011.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5823 NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/890d59e97e291fe848147ebf4d5884bcec1101c9 
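Review bot: in the gst-plugins-bad hunk, `- gst-plugins-bad0.10 (Vulnerable code not present)` is an unversioned package line with only a parenthesised reason, which the tracker still reads as an unfixed, vulnerable package; if the intent is that the package is not affected, the `<not-affected>` marker is what records that, i.e. `- gst-plugins-bad0.10 <not-affected> (Vulnerable code not present)`. The same applies to the two added `[bullseye]` and `[buster]` lines for gst-plugins-bad1.0, where a bare reason is read as a no-dsa annotation (as the `(Minor issue)` lines elsewhere on this list are) rather than as not-affected, so those releases would still show as vulnerable.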
@@ -241920,6 +241930,8 @@ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in P NOTE: Probably fixed with r1832 and r1836 from http://svn.code.sf.net/p/freeimage/svn/FreeImage/ CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in PluginEXR ...) - freeimage (bug #1051736) + [bookworm] - freeimage (Revisit when patches are available) + [bullseye] - freeimage (Revisit when patches are available) [buster] - freeimage (Revisit from patches are available) NOTE: https://sourceforge.net/p/freeimage/bugs/300/ NOTE: it looks like the issue is in openexr. No relevant patches in freeimage are detected = data/dsa-needed.txt = @@ -29,6 +29,8 @@ frr -- gpac/oldstable -- +gst-plugins-bad1.0 (jmm) +-- h2o (jmm) -- haproxy (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/433acc839e19a08e047c7fbfaa981de0620fc332 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/433acc839e19a08e047c7fbfaa981de0620fc332 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net
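Review bot: the two added freeimage lines read `Revisit when patches are available` while the untouched buster line directly below them still reads `Revisit from patches are available`; since this commit is already touching the entry, fix the typo in the buster line so all three release annotations say the same thing.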
[Git][security-tracker-team/security-tracker][master] Add new chromium issue and add chromium to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c297713 by Salvatore Bonaccorso at 2023-12-21T09:47:02+01:00 Add new chromium issue and add chromium to dsa-needed list - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2,6 +2,9 @@ CVE-2023-7026 (A vulnerability was found in Lightxun IPTV Gateway up to 20231208 NOT-FOR-US: Lightxun IPTV Gateway CVE-2023-7025 (A vulnerability was found in KylinSoft hedron-domain-hook up to 3.8.0. ...) NOT-FOR-US: KylinSoft hedron-domain-hook +CVE-2023-7024 + - chromium + [buster] - chromium (see DSA 5046) CVE-2023-7023 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has been ra ...) NOT-FOR-US: Tongda OA CVE-2023-7022 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has been de ...) = data/dsa-needed.txt = @@ -16,6 +16,8 @@ asterisk -- bluez (carnil) -- +chromium (dilinger) +-- cryptojs -- curl View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c2977135f54939cc9df67eb9d4c47fd15cdf56b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c2977135f54939cc9df67eb9d4c47fd15cdf56b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
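Review bot: the new CVE-2023-7024 entry has a bare `- chromium` line and no `NOTE:` link to the upstream release announcement, whereas the other entries added on this list (systemd, rust-unsafe-libyaml) each carry a NOTE reference; adding the upstream reference under the package line would help whoever picks up the `chromium (dilinger)` item this same commit adds to dsa-needed. The missing parenthesised description is fine, since the automatic update fills those in.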
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9385fe66 by Salvatore Bonaccorso at 2023-12-21T09:40:17+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35,21 +35,21 @@ CVE-2023-50983 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command inje CVE-2023-50639 (Cross Site Scripting (XSS) vulnerability in CuteHttpFileServer v.1.0 a ...) NOT-FOR-US: CuteHttpFileServer CVE-2023-49032 (An issue in LTB Self Service Password before v.1.5.4 allows a remote a ...) - TODO: check + NOT-FOR-US: LTB Self Service Password CVE-2023-48434 (Online Voting System Project v1.0 is vulnerable to multiple Unauthenti ...) - TODO: check + NOT-FOR-US: Online Voting System Project CVE-2023-48433 (Online Voting System Project v1.0 is vulnerable to multiple Unauthenti ...) - TODO: check + NOT-FOR-US: Online Voting System Project CVE-2023-47093 (An issue was discovered in Stormshield Network Security (SNS) 4.0.0 th ...) - TODO: check + NOT-FOR-US: Stormshield Network Security (SNS) CVE-2023-46131 (Grails is a framework used to build web applications with the Groovy p ...) TODO: check CVE-2023-45703 (HCL Launch may mishandle input validation of an uploaded archive file ...) - TODO: check + NOT-FOR-US: HCL CVE-2023-45700 (HCL Launch is vulnerable to HTML injection. This vulnerability may all ...) - TODO: check + NOT-FOR-US: HCL CVE-2023-41166 (An issue was discovered in Stormshield Network Security (SNS) 3.7.0 th ...) - TODO: check + NOT-FOR-US: Stormshield Network Security (SNS) CVE-2023-7018 (Deserialization of Untrusted Data in GitHub repository huggingface/tra ...) NOT-FOR-US: Transformers CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC=yes] 
@@ -176,9 +176,9 @@ CVE-2023-33209 (Improper Neutralization of Special Elements used in an SQL Comma CVE-2023-32743 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-32590 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-32128 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-37544 (Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy ...) NOT-FOR-US: Apache Pulsar CVE-2023-6977 (This vulnerability enables malicious users to read sensitive files on ...) @@ -33419,7 +33419,7 @@ CVE-2023-31233 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-31232 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Davi ...) NOT-FOR-US: WordPress plugin CVE-2023-31231 (Unrestricted Upload of File with Dangerous Type vulnerability in Unlim ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-31230 (Cross-Site Request Forgery (CSRF) vulnerability in Haoqisir Baidu Tong ...) NOT-FOR-US: Haoqisir Baidu Tongji generator CVE-2023-31229 @@ -33547,7 +33547,7 @@ CVE-2023-31217 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabi CVE-2023-31216 (Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Member plu ...) NOT-FOR-US: WordPress plugin CVE-2023-31215 (Unrestricted Upload of File with Dangerous Type vulnerability in Amade ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-31214 RESERVED CVE-2023-31213 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) 
@@ -33919,7 +33919,7 @@ CVE-2023-31094 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in La CVE-2023-31093 (Cross-Site Request Forgery (CSRF) vulnerability in Chronosly Chronosly ...) NOT-FOR-US: WordPress plugin CVE-2023-31092 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-31091 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Prad ...) NOT-FOR-US: WordPress plugin CVE-2023-31090 @@ -34540,7 +34540,7 @@ CVE-2023-30874 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-30873 RESERVED CVE-2023-30872 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-30871 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in PT Woo P ...) NOT-FOR-US: WordPress plugin CVE-2023-30870 @@ -35111,7 +35111,7 @@ CVE-2023-30752 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-30751 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in iCon ...)
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 049ed6fd by Salvatore Bonaccorso at 2023-12-21T09:32:38+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,39 +1,39 @@ CVE-2023-7026 (A vulnerability was found in Lightxun IPTV Gateway up to 20231208. It ...) - TODO: check + NOT-FOR-US: Lightxun IPTV Gateway CVE-2023-7025 (A vulnerability was found in KylinSoft hedron-domain-hook up to 3.8.0. ...) - TODO: check + NOT-FOR-US: KylinSoft hedron-domain-hook CVE-2023-7023 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has been ra ...) - TODO: check + NOT-FOR-US: Tongda OA CVE-2023-7022 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has been de ...) - TODO: check + NOT-FOR-US: Tongda OA CVE-2023-7021 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has been cl ...) - TODO: check + NOT-FOR-US: Tongda OA CVE-2023-7020 (A vulnerability was found in Tongda OA 2017 up to 11.9 and classified ...) - TODO: check + NOT-FOR-US: Tongda OA CVE-2023-51390 (journalpump is a daemon that takes log messages from journald and pump ...) - TODO: check + NOT-FOR-US: journalpump CVE-2023-50993 (Ruijie WS6008 v1.x v2.x AC_RGOS11.9(6)W3B2_G2C6-01_10221911 and WS6108 ...) - TODO: check + NOT-FOR-US: Ruijie CVE-2023-50992 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-50990 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-50989 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-50988 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-50987 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-50986 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-50985 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) 
- TODO: check + NOT-FOR-US: Tenda CVE-2023-50984 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-50983 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-50639 (Cross Site Scripting (XSS) vulnerability in CuteHttpFileServer v.1.0 a ...) - TODO: check + NOT-FOR-US: CuteHttpFileServer CVE-2023-49032 (An issue in LTB Self Service Password before v.1.5.4 allows a remote a ...) TODO: check CVE-2023-48434 (Online Voting System Project v1.0 is vulnerable to multiple Unauthenti ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/049ed6fd858b87ecd5a00712825d333d4ea59a42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/049ed6fd858b87ecd5a00712825d333d4ea59a42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 953815a5 by security tracker role at 2023-12-21T08:12:00+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,55 @@ +CVE-2023-7026 (A vulnerability was found in Lightxun IPTV Gateway up to 20231208. It ...) + TODO: check +CVE-2023-7025 (A vulnerability was found in KylinSoft hedron-domain-hook up to 3.8.0. ...) + TODO: check +CVE-2023-7023 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has been ra ...) + TODO: check +CVE-2023-7022 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has been de ...) + TODO: check +CVE-2023-7021 (A vulnerability was found in Tongda OA 2017 up to 11.9. It has been cl ...) + TODO: check +CVE-2023-7020 (A vulnerability was found in Tongda OA 2017 up to 11.9 and classified ...) + TODO: check +CVE-2023-51390 (journalpump is a daemon that takes log messages from journald and pump ...) + TODO: check +CVE-2023-50993 (Ruijie WS6008 v1.x v2.x AC_RGOS11.9(6)W3B2_G2C6-01_10221911 and WS6108 ...) + TODO: check +CVE-2023-50992 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2023-50990 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) + TODO: check +CVE-2023-50989 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection ...) + TODO: check +CVE-2023-50988 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) + TODO: check +CVE-2023-50987 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) + TODO: check +CVE-2023-50986 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) + TODO: check +CVE-2023-50985 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) + TODO: check +CVE-2023-50984 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow vi ...) + TODO: check +CVE-2023-50983 (Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection ...) + TODO: check +CVE-2023-50639 (Cross Site Scripting (XSS) vulnerability in CuteHttpFileServer v.1.0 a ...) 
+ TODO: check +CVE-2023-49032 (An issue in LTB Self Service Password before v.1.5.4 allows a remote a ...) + TODO: check +CVE-2023-48434 (Online Voting System Project v1.0 is vulnerable to multiple Unauthenti ...) + TODO: check +CVE-2023-48433 (Online Voting System Project v1.0 is vulnerable to multiple Unauthenti ...) + TODO: check +CVE-2023-47093 (An issue was discovered in Stormshield Network Security (SNS) 4.0.0 th ...) + TODO: check +CVE-2023-46131 (Grails is a framework used to build web applications with the Groovy p ...) + TODO: check +CVE-2023-45703 (HCL Launch may mishandle input validation of an uploaded archive file ...) + TODO: check +CVE-2023-45700 (HCL Launch is vulnerable to HTML injection. This vulnerability may all ...) + TODO: check +CVE-2023-41166 (An issue was discovered in Stormshield Network Security (SNS) 3.7.0 th ...) + TODO: check CVE-2023-7018 (Deserialization of Untrusted Data in GitHub repository huggingface/tra ...) NOT-FOR-US: Transformers CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC=yes] @@ -38347,12 +38399,12 @@ CVE-2023-29489 (An issue was discovered in cPanel before 11.109..116. XSS ca NOT-FOR-US: cPanel CVE-2023-29488 RESERVED -CVE-2023-29487 - RESERVED -CVE-2023-29486 - RESERVED -CVE-2023-29485 - RESERVED +CVE-2023-29487 (An issue was discovered in Heimdal Thor agent versions 3.4.2 and befor ...) + TODO: check +CVE-2023-29486 (An issue was discovered in Heimdal Thor agent versions 3.4.2 and befor ...) + TODO: check +CVE-2023-29485 (An issue was discovered in Heimdal Thor agent versions 3.4.2 and befor ...) + TODO: check CVE-2023-29484 (In Terminalfour before 8.3.16, misconfigured LDAP users are able to lo ...) NOT-FOR-US: Terminalfour CVE-2023-29483 
@@ -43745,8 +43797,8 @@ CVE-2023-1308 (A vulnerability classified as critical has been found in SourceCo NOT-FOR-US: SourceCodester Online Graduate Tracer System CVE-2013-10021 (A vulnerability was found in dd32 Debug Bar Plugin up to 0.8 on WordPr ...) NOT-FOR-US: dd32 Debug Bar Plugin -CVE-2023-28025 - RESERVED +CVE-2023-28025 (Due to this vulnerability, the Master operator could potentially incor ...) + TODO: check CVE-2023-28024 RESERVED CVE-2023-28023 (A cross site request forgery vulnerability in the BigFix WebUI Softwar ...) @@ -106855,7 +106907,7 @@ CVE-2022-33682 (TLS hostname verification cannot be enabled in the Pulsar Broker NOT-FOR-US: Apache Pulsar