[Git][security-tracker-team/security-tracker][master] Associate CVE-2023-51651 with aws-sdk-for-php source package
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 04ec253a by Salvatore Bonaccorso at 2024-01-06T08:57:34+01:00 Associate CVE-2023-51651 with aws-sdk-for-php source package Thanks: David Prévot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1685,7 +1685,9 @@ CVE-2023-6972 (The Backup Migration plugin for WordPress is vulnerable to Path T CVE-2023-6971 (The Backup Migration plugin for WordPress is vulnerable to Remote File ...) NOT-FOR-US: WordPress plugin CVE-2023-51651 (AWS SDK for PHP is the Amazon Web Services software development kit fo ...) - NOT-FOR-US: AWS SDK for PHP + - aws-sdk-for-php + NOTE: https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m + NOTE: https://github.com/aws/aws-sdk-php/commit/aebc9f801438746ac4ade327551576cb75f635f2 (3.288.1) CVE-2023-51650 (Hertzbeat is an open source, real-time monitoring system. Prior to ver ...) NOT-FOR-US: Hertzbeat CVE-2023-51451 (Symbolicator is a service used in Sentry. Starting in Symbolicator ver ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04ec253afe05896afde30ebd0b218764abfa6362 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04ec253afe05896afde30ebd0b218764abfa6362 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
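Review bot: the new unstable entry `- aws-sdk-for-php` carries neither a fixed Debian version nor a bug reference, so the issue will show as open in unstable with nothing pointing at the fix; since the second NOTE already identifies the fixing upstream commit as 3.288.1, consider adding the corresponding Debian version once it is uploaded, or a `(bug #NNNNNN)` reference (placeholder) in the meantime, as the other entries in this series do.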
[Git][security-tracker-team/security-tracker][master] Track fixed version for wireshark issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a5010d5b by Salvatore Bonaccorso at 2024-01-06T07:45:08+01:00 Track fixed version for wireshark issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -376,19 +376,19 @@ CVE-2024-21627 (PrestaShop is an open-source e-commerce platform. Prior to versi CVE-2024-21623 (OTCLient is an alternative tibia client for otserv. Prior to commit db ...) NOT-FOR-US: OTCLient CVE-2024-0211 (DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via ...) - - wireshark (bug #1059925) + - wireshark 4.2.2-1 (bug #1059925) [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-05.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19557 CVE-2024-0210 (Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service ...) - - wireshark (bug #1059925) + - wireshark 4.2.2-1 (bug #1059925) [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-04.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19504 CVE-2024-0209 (IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3 ...) - - wireshark (bug #1059925) + - wireshark 4.2.2-1 (bug #1059925) [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-02.html 
@@ -396,13 +396,13 @@ CVE-2024-0209 (IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, NOTE: The bug references two crashes, this is for the one labelled "BUG log 2", NOTE: the more severe "Bug log 1" only affected unreleased versions CVE-2024-0208 (GVCP dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to ...) - - wireshark (bug #1059925) + - wireshark 4.2.2-1 (bug #1059925) [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-01.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19496 CVE-2024-0207 (HTTP3 dissector crash in Wireshark 4.2.0 allows denial of service via ...) - - wireshark (bug #1059925) + - wireshark 4.2.2-1 (bug #1059925) [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-03.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5010d5b7daf0efea28be22e6099eada4071642d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5010d5b7daf0efea28be22e6099eada4071642d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-3563 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a1bb7fb by Salvatore Bonaccorso at 2024-01-06T07:40:09+01:00 Track fixed version for CVE-2021-3563 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -182269,7 +182269,7 @@ CVE-2021-33499 (Pexip Infinity before 26 allows remote denial of service because CVE-2021-33498 (Pexip Infinity before 26 allows remote denial of service because of mi ...) NOT-FOR-US: Pexip Infinity CVE-2021-3563 (A flaw was found in openstack-keystone. Only the first 72 characters o ...) - - keystone (bug #989998) + - keystone 2:23.0.0-3 (bug #989998) [bookworm] - keystone (Minor issue) [bullseye] - keystone (Minor issue) [buster] - keystone (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a1bb7fb40f3660372f074f2c488eac61d4c1cdb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a1bb7fb40f3660372f074f2c488eac61d4c1cdb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim postfix in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bdf2ecb3 by Markus Koschany at 2024-01-05T23:22:16+01:00 Claim postfix in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -166,7 +166,7 @@ nvidia-cuda-toolkit paramiko NOTE: 20231225: Added by Front-Desk (ta) -- -postfix +postfix (Markus Koschany) NOTE: 20231224: Added by Front-Desk (ta) -- putty View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdf2ecb3ce4155955c9c1af4c6e3fc3f6b1c2a3f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdf2ecb3ce4155955c9c1af4c6e3fc3f6b1c2a3f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3708-1 for exim4
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f36ff2f by Markus Koschany at 2024-01-05T23:04:57+01:00 Reserve DLA-3708-1 for exim4 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Jan 2024] DLA-3708-1 exim4 - security update + {CVE-2023-51766} + [buster] - exim4 4.92-8+deb10u9 [05 Jan 2024] DLA-3707-1 tomcat9 - security update {CVE-2023-46589} [buster] - tomcat9 9.0.31-1~deb10u11 = data/dla-needed.txt = @@ -78,9 +78,6 @@ edk2 NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) -- -exim4 (Markus Koschany) - NOTE: 20231224: Added by Front-Desk (ta) --- frr NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f36ff2fae0813faa15c850fcf3fe84d141cae98 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f36ff2fae0813faa15c850fcf3fe84d141cae98 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b239a420 by Salvatore Bonaccorso at 2024-01-05T21:36:11+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,89 +1,89 @@ CVE-2024-0247 (A vulnerability classified as critical was found in CodeAstro Online F ...) - TODO: check + NOT-FOR-US: CodeAstro Online Food Ordering System CVE-2024-0246 (A vulnerability classified as problematic has been found in IceWarp 12 ...) - TODO: check + NOT-FOR-US: IceWarp CVE-2023-52151 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52149 (Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Floatin ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52148 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52146 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52145 (Cross-Site Request Forgery (CSRF) vulnerability in Marios Alexandrou R ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52143 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52136 (Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52130 (Cross-Site Request Forgery (CSRF) vulnerability in wp.Insider, wpaffil ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52129 (Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler tea ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52128 (Cross-Site Request Forgery (CSRF) vulnerability in WhiteWP White Label ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52127 (Cross-Site Request Forgery (CSRF) vulnerability in WPClever WPC Produc ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52126 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52125 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52124 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52123 (Cross-Site Request Forgery (CSRF) vulnerability in WPChill Strong Test ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52122 (Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52121 (Cross-Site Request Forgery (CSRF) vulnerability in NitroPack Inc. Nitr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52120 (Cross-Site Request Forgery (CSRF) vulnerability in Basix NEX-Forms \u2 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52119 (Cross-Site Request Forgery (CSRF) vulnerability in Icegram Icegram Eng ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51678 (Cross-Site Request Forgery (CSRF) vulnerability in Doofinder Doofinder ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51673 (Cross-Site Request Forgery (CSRF) vulnerability in Designful Stylish P ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51668 (Cross-Site Request Forgery (CSRF) vulnerability in WP Zone Inline Imag ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51539 (Cross-Site Request Forgery (CSRF) vulnerability in Apollo13Themes Apol ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51538 (Cross-Site Request Forgery (CSRF) vulnerability in Awesome Support Tea ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51535 (Cross-Site Request Forgery (CSRF) vulnerability in \u0421leanTalk - An ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50991 (Buffer Overflow vulnerability in Tenda i29 versions 1.0 V1.0.0.5 and 1 ...) 
- TODO: check + NOT-FOR-US: Tenda CVE-2023-50027 (SQL Injection vulnerability in Buy Addons baproductzoommagnifier modul ...) - TODO: check + NOT-FOR-US: PrestaShop module CVE-2023-47560 (An OS command injection vulnerability has been reported to affect QuMa ...) - TODO: check + NOT-FOR-US: QNAP CVE-2023-47559 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) - TODO: check + NOT-FOR-US:
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 74d47310 by security tracker role at 2024-01-05T20:12:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,89 @@ +CVE-2024-0247 (A vulnerability classified as critical was found in CodeAstro Online F ...) + TODO: check +CVE-2024-0246 (A vulnerability classified as problematic has been found in IceWarp 12 ...) + TODO: check +CVE-2023-52151 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-52149 (Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Floatin ...) + TODO: check +CVE-2023-52148 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-52146 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-52145 (Cross-Site Request Forgery (CSRF) vulnerability in Marios Alexandrou R ...) + TODO: check +CVE-2023-52143 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-52136 (Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custo ...) + TODO: check +CVE-2023-52130 (Cross-Site Request Forgery (CSRF) vulnerability in wp.Insider, wpaffil ...) + TODO: check +CVE-2023-52129 (Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler tea ...) + TODO: check +CVE-2023-52128 (Cross-Site Request Forgery (CSRF) vulnerability in WhiteWP White Label ...) + TODO: check +CVE-2023-52127 (Cross-Site Request Forgery (CSRF) vulnerability in WPClever WPC Produc ...) + TODO: check +CVE-2023-52126 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-52125 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-52124 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-52123 (Cross-Site Request Forgery (CSRF) vulnerability in WPChill Strong Test ...) + TODO: check +CVE-2023-52122 (Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple ...) 
+ TODO: check +CVE-2023-52121 (Cross-Site Request Forgery (CSRF) vulnerability in NitroPack Inc. Nitr ...) + TODO: check +CVE-2023-52120 (Cross-Site Request Forgery (CSRF) vulnerability in Basix NEX-Forms \u2 ...) + TODO: check +CVE-2023-52119 (Cross-Site Request Forgery (CSRF) vulnerability in Icegram Icegram Eng ...) + TODO: check +CVE-2023-51678 (Cross-Site Request Forgery (CSRF) vulnerability in Doofinder Doofinder ...) + TODO: check +CVE-2023-51673 (Cross-Site Request Forgery (CSRF) vulnerability in Designful Stylish P ...) + TODO: check +CVE-2023-51668 (Cross-Site Request Forgery (CSRF) vulnerability in WP Zone Inline Imag ...) + TODO: check +CVE-2023-51539 (Cross-Site Request Forgery (CSRF) vulnerability in Apollo13Themes Apol ...) + TODO: check +CVE-2023-51538 (Cross-Site Request Forgery (CSRF) vulnerability in Awesome Support Tea ...) + TODO: check +CVE-2023-51535 (Cross-Site Request Forgery (CSRF) vulnerability in \u0421leanTalk - An ...) + TODO: check +CVE-2023-50991 (Buffer Overflow vulnerability in Tenda i29 versions 1.0 V1.0.0.5 and 1 ...) + TODO: check +CVE-2023-50027 (SQL Injection vulnerability in Buy Addons baproductzoommagnifier modul ...) + TODO: check +CVE-2023-47560 (An OS command injection vulnerability has been reported to affect QuMa ...) + TODO: check +CVE-2023-47559 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) + TODO: check +CVE-2023-47219 (A SQL injection vulnerability has been reported to affect QuMagie. If ...) + TODO: check +CVE-2023-45044 (A buffer copy without checking size of input vulnerability has been re ...) + TODO: check +CVE-2023-45043 (A buffer copy without checking size of input vulnerability has been re ...) + TODO: check +CVE-2023-45042 (A buffer copy without checking size of input vulnerability has been re ...) + TODO: check +CVE-2023-45041 (A buffer copy without checking size of input vulnerability has been re ...) 
+ TODO: check +CVE-2023-45040 (A buffer copy without checking size of input vulnerability has been re ...) + TODO: check +CVE-2023-45039 (A buffer copy without checking size of input vulnerability has been re ...) + TODO: check +CVE-2023-41289 (An OS command injection vulnerability has been reported to affect Qcal ...) + TODO: check +CVE-2023-41288 (An OS command injection vulnerability has been reported to affect Vide ...) + TODO: check +CVE-2023-41287 (A SQL injection vulnerability has been reported to affect Video Statio
[Git][security-tracker-team/security-tracker][master] Revert "Update information for CVE-2023-1192/linux"
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a47f209 by Salvatore Bonaccorso at 2024-01-05T20:23:44+01:00 Revert Update information for CVE-2023-1192/linux This reverts commit 0191d6dab32795188024bb6335afcc7eb3b190f1. It is currently not clear that this is the real fix, as per discussion in https://lore.kernel.org/linux-cifs/aca1c4e755e8c005b874c57a6210c4c6a34d2324.ca...@debian.org/ For now revert the change on fixed version syncing up with kernel-sec in https://salsa.debian.org/kernel-team/kernel-sec/-/commit/35bb35745e9b1cd0de77926c52200b58ab91fc40 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46858,8 +46858,7 @@ CVE-2023-1193 (A use-after-free flaw was found in setup_async_work in the KSMBD NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154177 NOTE: https://git.kernel.org/linus/3a9b557f44ea8f216aab515a7db20e23f0eb51b9 (6.3-rc6) CVE-2023-1192 (A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS ...) - - linux 6.5.6-1 - [bookworm] - linux 6.1.64-1 + - linux [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154178 CVE-2023-1191 (A vulnerability classified as problematic has been found in fastcms. T ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a47f2099a84170cc8e9747c2fdd76fab81bcce2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a47f2099a84170cc8e9747c2fdd76fab81bcce2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
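Review bot: the revert drops the fixed versions but records the reason only in the commit message; consider adding a NOTE line under CVE-2023-1192 pointing at the lore.kernel.org discussion cited there, so anyone reading data/CVE/list sees why the entry is unversioned and what would resolve it, rather than having to find this commit.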
[Git][security-tracker-team/security-tracker][master] Add note for CVE-2024-0217
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 12e977a7 by Salvatore Bonaccorso at 2024-01-05T19:02:55+01:00 Add note for CVE-2024-0217 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -187,6 +187,7 @@ CVE-2024-21622 (Craft is a content management system. This is a potential modera CVE-2024-0217 (A use-after-free flaw was found in PackageKitd. In some conditions, th ...) - packagekit (bug #1060016) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256624 + NOTE: Reducing impact via: https://github.com/PackageKit/PackageKit/commit/64278c9127e342b56ead99556161f7e86f79 (v1.2.7) TODO: check, RHBZ#2256624 claims fixed in upstream 1.2.7 but provides no references CVE-2024-0201 (The Product Expiry for WooCommerce plugin for WordPress is vulnerable ...) NOT-FOR-US: WordPress plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12e977a707344a8c6598537e3d5b3154ee558479 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12e977a707344a8c6598537e3d5b3154ee558479 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
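Review bot: the added NOTE and the unchanged TODO now contradict each other: the TODO still says RHBZ#2256624 "provides no references", while the new NOTE cites a v1.2.7 commit, described only as "Reducing impact". Consider rewording the TODO to state the remaining open question, namely whether that commit is the complete fix or only a mitigation, so the next triager does not repeat the search.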
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-1192/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0191d6da by Salvatore Bonaccorso at 2024-01-05T15:47:03+01:00 Update information for CVE-2023-1192/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46857,7 +46857,8 @@ CVE-2023-1193 (A use-after-free flaw was found in setup_async_work in the KSMBD NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154177 NOTE: https://git.kernel.org/linus/3a9b557f44ea8f216aab515a7db20e23f0eb51b9 (6.3-rc6) CVE-2023-1192 (A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS ...) - - linux + - linux 6.5.6-1 + [bookworm] - linux 6.1.64-1 [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154178 CVE-2023-1191 (A vulnerability classified as problematic has been found in fastcms. T ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0191d6dab32795188024bb6335afcc7eb3b190f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0191d6dab32795188024bb6335afcc7eb3b190f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
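Review bot: the fixed versions `- linux 6.5.6-1` and `[bookworm] - linux 6.1.64-1` are added without a NOTE naming the upstream fix commit, whereas the CVE-2023-1193 entry in the context above carries a `NOTE: https://git.kernel.org/linus/... (6.3-rc6)` line. Add the equivalent reference for this CVE so the claimed fix can be checked against the kernel history before a version is recorded.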
[Git][security-tracker-team/security-tracker][master] Add note about keystone
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 19c47591 by Bastien Roucariès at 2024-01-05T14:04:27+00:00 Add note about keystone - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -110,6 +110,7 @@ jenkins-htmlunit-core-js keystone (rouca) NOTE: 20231102: Added by Front-Desk (lamby) NOTE: 20231102: Sync (eg. CVE-2021-38155) with stable etc. (lamby) + NOTE: 20240105: FTBFS due to https://github.com/testing-cabal/subunit/pull/40 (rouca) -- knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19c475914d9f267ff5d69bff4c4d791c898eadbe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19c475914d9f267ff5d69bff4c4d791c898eadbe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] condor fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1be025b1 by Moritz Muehlenhoff at 2024-01-05T14:31:09+01:00 condor fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -131238,7 +131238,7 @@ CVE-2022-26111 (The BeanShell components of IRISNext through 9.8.28 allow execut NOT-FOR-US: IRISNext CVE-2022-26110 (An issue was discovered in HTCondor 8.8.x before 8.8.16, 9.0.x before ...) {DSA-5144-1 DLA-2984-1} - - condor (bug #1008634) + - condor 23.2.0+dfsg-1 (bug #1008634) NOTE: https://htcondor.org/security/vulnerabilities/HTCONDOR-2022-0003 NOTE: https://github.com/htcondor/htcondor/commit/1cae7601d796725e7f5dd73fedf37f6fbbe379ca (V8_8_16) NOTE: https://github.com/htcondor/htcondor/commit/8568e8ba65c9490f30a1089b6d4f8910e4bfbd6b (V8_8_16) @@ -147986,7 +147986,7 @@ CVE-2021-45102 (An issue was discovered in HTCondor 9.0.x before 9.0.4 and 9.1.x - condor (Only affects 9.0.0 and above) NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0004/ CVE-2021-45101 (An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, ...) - - condor (bug #1002540) + - condor 23.2.0+dfsg-1 (bug #1002540) [buster] - condor (Patch is too intrusive to backport) [stretch] - condor (Patch is too destructive to backport it; Patch does not apply cleanly. Too many calls in patch, not existed in this version of the software) NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0003/ 
@@ -297816,7 +297816,7 @@ CVE-2019-18824 (Barco ClickShare Button R9861500D01 devices before 1.10.0.13 hav NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18823 (HTCondor up to and including stable series 8.8.6 and development serie ...) {DSA-5144-1 DLA-2724-1} - - condor (bug #963777) + - condor 23.2.0+dfsg-1 (bug #963777) NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0003.html NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html NOTE: https://github.com/htcondor/htcondor/commit/95eaee86e7ad3852c17df46a1b8b193dabd1fd14 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1be025b1121790cac7f68d01a3e21ae083b618f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1be025b1121790cac7f68d01a3e21ae083b618f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-52323
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e579804 by Salvatore Bonaccorso at 2024-01-05T13:56:16+01:00 Add Debian bug reference for CVE-2023-52323 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,7 +21,7 @@ CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 are affected by an u CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video Slider & Pos ...) NOT-FOR-US: WordPress plugin CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakag ...) - - pycryptodome + - pycryptodome (bug #1060059) NOTE: https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd (v3.19.1) CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Jo ...) NOT-FOR-US: WordPress plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e57980443c52af9f0e56f993606d296b3bf468e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e57980443c52af9f0e56f993606d296b3bf468e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1badb9be by Salvatore Bonaccorso at 2024-01-05T13:19:38+01:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32,7 +32,7 @@ CVE-2023-52150 (Cross-Site Request Forgery (CSRF) vulnerability in Ovation S.R.L CVE-2023-51502 (Authorization Bypass Through User-Controlled Key vulnerability in WooC ...) NOT-FOR-US: WordPress plugin CVE-2023-51277 (nbviewer-app (aka Jupyter Notebook Viewer) before 0.1.6 has the get-ta ...) - TODO: check + NOT-FOR-US: nbviewer-app (aka Jupyter Notebook Viewer) CVE-2023-41782 (There is a DLL hijacking vulnerability in ZTE ZXCLOUD iRAI, an attacke ...) NOT-FOR-US: ZTE CVE-2024-22051 (CommonMarker versions prior to 0.23.4 are at risk of an integer overfl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1badb9be15dc4eaecae427e30c452efb2af4cb33 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1badb9be15dc4eaecae427e30c452efb2af4cb33 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for civicrm issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b1e5caa by Salvatore Bonaccorso at 2024-01-05T12:58:17+01:00 Track fixed version for civicrm issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -45871,7 +45871,7 @@ CVE-2023-28117 (Sentry SDK is the official Python SDK for Sentry, real-time cras CVE-2023-28116 (Contiki-NG is an open-source, cross-platform operating system for inte ...) NOT-FOR-US: Contiki-NG CVE-2023-28115 (Snappy is a PHP library allowing thumbnail, snapshot or PDF generation ...) - - civicrm (bug #1036284) + - civicrm 5.68.1+dfsg1-1 (bug #1036284) [bullseye] - civicrm (Minor issue) NOTE: https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc NOTE: https://github.com/KnpLabs/snappy/pull/469 @@ -53945,7 +53945,7 @@ CVE-2023-25442 (Auth. (admin+) Stored Cross-site Scripting (XSS) vulnerability i CVE-2023-25441 RESERVED CVE-2023-25440 (Stored Cross Site Scripting (XSS) vulnerability in the add contact fun ...) - - civicrm (bug #1036695) + - civicrm 5.68.1+dfsg1-1 (bug #1036695) [bullseye] - civicrm (Minor issue) NOTE: https://packetstormsecurity.com/files/172470/CiviCRM-5.59.alpha1-Cross-Site-Scripting.html CVE-2023-25439 (Stored Cross Site Scripting (XSS) vulnerability in Square Pig FusionIn ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b1e5caa648e9702170fed210bb67bc01aa01421 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b1e5caa648e9702170fed210bb67bc01aa01421 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-34457/python-mechanicalsoup
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a8d91c4a by Salvatore Bonaccorso at 2024-01-05T12:32:11+01:00 Track fixed version for CVE-2023-34457/python-mechanicalsoup - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29326,7 +29326,7 @@ CVE-2023-34472 (AMI SPx contains a vulnerability in the BMC where an Attacker ma CVE-2023-34471 (AMI SPx contains a vulnerability in the BMC where a user may cause a m ...) NOT-FOR-US: AMI SPx CVE-2023-34457 (MechanicalSoup is a Python library for automating interaction with web ...) - - python-mechanicalsoup (bug #1041814) + - python-mechanicalsoup 1.3.0-1 (bug #1041814) [bookworm] - python-mechanicalsoup (Minor issue) [bullseye] - python-mechanicalsoup (Minor issue) [buster] - python-mechanicalsoup (Minor issue; invasive backport required) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8d91c4a6a27349b0ad0ac4330d9e9337be51e22 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8d91c4a6a27349b0ad0ac4330d9e9337be51e22 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: baf17973 by Moritz Muehlenhoff at 2024-01-05T12:18:25+01:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1156,6 +1156,8 @@ CVE-2023-51075 (hutool-core v5.8.23 was discovered to contain an infinite loop i NOT-FOR-US: Hutool CVE-2023-51074 (json-path v2.8.0 was discovered to contain a stack overflow via the Cr ...) - jayway-jsonpath + [bookworm] - jayway-jsonpath (Minor issue) + [bullseye] - jayway-jsonpath (Minor issue) NOTE: https://github.com/json-path/JsonPath/issues/973 CVE-2023-51010 (An issue in the export component AdSdkH5Activity of com.sdjictec.qdmet ...) NOT-FOR-US: com.sdjictec.qdmetro @@ -2854,8 +2856,13 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun [bookworm] - paramiko (Minor issue) [bullseye] - paramiko (Minor issue) - phpseclib 1.0.22-1 + [bookworm] - phpseclib (Minor issue) + [bullseye] - phpseclib (Minor issue) - php-phpseclib 2.0.46-1 + [bookworm] - php-phpseclib (Minor issue) + [bullseye] - php-phpseclib (Minor issue) - php-phpseclib3 3.0.35-1 + [bookworm] - php-phpseclib3 (Minor issue) - proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144) [bookworm] - proftpd-dfsg (Minor issue) [bullseye] - proftpd-dfsg (Minor issue) 
@@ -2934,12 +2941,18 @@ CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated To NOT-FOR-US: ADiTaaS (Allied Digital Integrated Tool-as-a-Service) CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows atta ...) - libcrypto++ (bug #1059312) + [bookworm] - libcrypto++ (Minor issue) + [bullseye] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1249 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to ...) - libcrypto++ (bug #1059311) + [bookworm] - libcrypto++ (Minor issue) + [bullseye] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1248 CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during ...) - libcrypto++ (bug #1059310) + [bookworm] - libcrypto++ (Minor issue) + [bullseye] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1247 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authoriz ...) NOT-FOR-US: Redpanda @@ -3989,6 +4002,8 @@ CVE-2023-50782 [Bleichenbacher timing oracle attack against RSA decryption - inc NOTE: CVE is for incomplete fix of CVE-2020-25659 CVE-2023-50781 [Bleichenbacher timing attacks in the RSA decryption API - incomplete fix for CVE-2020-25657] - m2crypto (bug #1059292) + [bookworm] - m2crypto (Minor issue) + [bullseye] - m2crypto (Minor issue) [buster] - m2crypto (Minor issue; it's an incomplete fix of CVE-2020-25657) NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/342 NOTE: https://people.redhat.com/~hkario/marvin/ 
@@ -13161,6 +13176,8 @@ CVE-2023-45805 (pdm is a Python package and dependency manager supporting the la NOTE: https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831 CVE-2023-44483 (All versions of Apache Santuario - XML Security for Java prior to 2.2. ...) - libxml-security-java (bug #1059313) + [bookworm] - libxml-security-java (Minor issue) + [bullseye] - libxml-security-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/10/20/5 NOTE: https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 NOTE: https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc @@ -18706,6 +18723,8 @@ CVE-2023-37611 (Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allow NOT-FOR-US: Neos CMS CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When creating a n ...) - ansible (bug #1055300) + [bookworm] - ansible (Minor issue) + [bullseye] - ansible (Minor issue) [buster] - ansible (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229979 NOTE: https://github.com/advisories/GHSA-ww3m-ffrm-qvqv = data/dsa-needed.txt = @@ -48,6 +48,8 @@ python3.11/stable (carnil) -- python3.9/oldstable -- +python-asyncssh +-- redmine/stable -- ring View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baf179734b0fede4b1a1c6cf53b59b1721456257 -- View it on GitLab:
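Review bot: in the CVE-2023-48795 hunk, php-phpseclib3 gets only a `[bookworm] - php-phpseclib3 (Minor issue)` line while phpseclib and php-phpseclib each receive both a bookworm and a bullseye line; confirm that php-phpseclib3 is simply absent from bullseye, and otherwise add the matching `[bullseye] - php-phpseclib3 (Minor issue)` line for consistency with the neighbouring entries (proftpd-dfsg in the same hunk carries both).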
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3707-1 for tomcat9
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d144513 by Bastien Roucariès at 2024-01-05T09:36:26+00:00 Reserve DLA-3707-1 for tomcat9 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Jan 2024] DLA-3707-1 tomcat9 - security update + {CVE-2023-46589} + [buster] - tomcat9 9.0.31-1~deb10u11 [04 Jan 2024] DLA-3706-1 netatalk - security update {CVE-2022-22995} [buster] - netatalk 3.1.12~ds-3+deb10u5 = data/dla-needed.txt = @@ -260,11 +260,6 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tomcat9 (rouca) - NOTE: 20231129: Added by Front-Desk (Beuc) - NOTE: 20131217: I have made a fix, tests are ok but due to high popcon prefer a review by apo (rouca) - NOTE: 20121221: apo ask to go forward (rouca) --- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d1445134409fead580ed8f2be495625cb8fe2a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d1445134409fead580ed8f2be495625cb8fe2a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-52323/pycryptodome
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 684dd36e by Salvatore Bonaccorso at 2024-01-05T10:24:38+01:00 Add CVE-2023-52323/pycryptodome - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,7 +21,8 @@ CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 are affected by an u CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video Slider & Pos ...) NOT-FOR-US: WordPress plugin CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakag ...) - TODO: check + - pycryptodome + NOTE: https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd (v3.19.1) CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Jo ...) NOT-FOR-US: WordPress plugin CVE-2023-52178 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/684dd36ebbc85100574c587c0c3c08ca0d4c8d63 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/684dd36ebbc85100574c587c0c3c08ca0d4c8d63 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
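Review bot: the CVE-2023-52323 hunk replaces `TODO: check` with a bare `- pycryptodome` line, which leaves the issue open in unstable with no fixed version even though the NOTE already points at the upstream fix tagged v3.19.1; that is correct only until 3.19.1 is uploaded, at which point the fixed version should be recorded. The CVE text also names pycryptodomex, so check whether it is built from the same source package or needs its own line, and the bookworm/bullseye triage lines are still to be added.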
[Git][security-tracker-team/security-tracker][master] Process some NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b6b4bb0b by Salvatore Bonaccorso at 2024-01-05T10:22:16+01:00 Process some NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2024-22088 (Lotos WebServer through 0.1.1 (commit 3eb36cc) has a use-after-f CVE-2024-22087 (route in main.c in Pico HTTP Server in C through f3b69a6 has an sprint ...) NOT-FOR-US: Pico HTTP Server CVE-2024-22086 (handle_request in http.c in cherry through 4b877df has an sscanf stack ...) - TODO: check + NOT-FOR-US: cherry HTTP server CVE-2024-22075 (Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Inject ...) NOT-FOR-US: Firefly CVE-2024-22050 (Path traversal in the static file service in Iodine less than 0.7.33 a ...) 
@@ -13,11 +13,11 @@ CVE-2024-22049 (httparty before 0.21.0 is vulnerable to an assumed-immutable web NOTE: https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42 NOTE: https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e (v0.21.0) CVE-2024-22048 (govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to ...) - TODO: check + NOT-FOR-US: govuk_tech_docs ruby gem CVE-2024-21636 (view_component is a framework for building reusable, testable, and enc ...) - TODO: check + NOT-FOR-US: view_component framework CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 are affected by an uncont ...) - TODO: check + NOT-FOR-US: encoded_id-rails CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video Slider & Pos ...) NOT-FOR-US: WordPress plugin CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakag ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6b4bb0b957e366fb91a240d61d129abb18cf142 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6b4bb0b957e366fb91a240d61d129abb18cf142 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 251ca76c by Salvatore Bonaccorso at 2024-01-05T09:39:31+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,21 +19,21 @@ CVE-2024-21636 (view_component is a framework for building reusable, testable, a CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 are affected by an uncont ...) TODO: check CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video Slider & Pos ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakag ...) TODO: check CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Jo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52178 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52150 (Cross-Site Request Forgery (CSRF) vulnerability in Ovation S.R.L. Dyna ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51502 (Authorization Bypass Through User-Controlled Key vulnerability in WooC ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51277 (nbviewer-app (aka Jupyter Notebook Viewer) before 0.1.6 has the get-ta ...) TODO: check CVE-2023-41782 (There is a DLL hijacking vulnerability in ZTE ZXCLOUD iRAI, an attacke ...) - TODO: check + NOT-FOR-US: ZTE CVE-2024-22051 (CommonMarker versions prior to 0.23.4 are at risk of an integer overfl ...) - ruby-commonmarker 0.23.4-1 [bullseye] - ruby-commonmarker (Minor issue) 
@@ -261935,9 +261935,9 @@ CVE-2020-13881 (In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ sha CVE-2020-13880 RESERVED CVE-2020-13879 (IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+214f heap-bas ...) - TODO: check + NOT-FOR-US: IrfanView B3D PlugIns CVE-2020-13878 (IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+27ef heap-bas ...) - TODO: check + NOT-FOR-US: IrfanView B3D PlugIns CVE-2020-13877 (SQL Injection issues in various ASPX pages of ResourceXpress Meeting M ...) NOT-FOR-US: ResourceXpress Meeting Monitor CVE-2020-13876 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/251ca76c5df71e1a1f6c5e47dc911963c13ad5c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/251ca76c5df71e1a1f6c5e47dc911963c13ad5c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f160a1b by Salvatore Bonaccorso at 2024-01-05T09:33:50+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2024-22088 (Lotos WebServer through 0.1.1 (commit 3eb36cc) has a use-after-free in ...) - TODO: check + NOT-FOR-US: Lotos WebServer CVE-2024-22087 (route in main.c in Pico HTTP Server in C through f3b69a6 has an sprint ...) - TODO: check + NOT-FOR-US: Pico HTTP Server CVE-2024-22086 (handle_request in http.c in cherry through 4b877df has an sscanf stack ...) TODO: check CVE-2024-22075 (Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Inject ...) - TODO: check + NOT-FOR-US: Firefly CVE-2024-22050 (Path traversal in the static file service in Iodine less than 0.7.33 a ...) - TODO: check + NOT-FOR-US: Iodine (not the same as src:iodine) CVE-2024-22049 (httparty before 0.21.0 is vulnerable to an assumed-immutable web param ...) - ruby-httparty 0.21.0-1 NOTE: https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f160a1be404fc2225363ae5c18743b4610d2481 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f160a1be404fc2225363ae5c18743b4610d2481 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-22049/ruby-httparty
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eca650cd by Salvatore Bonaccorso at 2024-01-05T09:33:16+01:00 Add CVE-2024-22049/ruby-httparty - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,9 @@ CVE-2024-22075 (Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML CVE-2024-22050 (Path traversal in the static file service in Iodine less than 0.7.33 a ...) TODO: check CVE-2024-22049 (httparty before 0.21.0 is vulnerable to an assumed-immutable web param ...) - TODO: check + - ruby-httparty 0.21.0-1 + NOTE: https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42 + NOTE: https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e (v0.21.0) CVE-2024-22048 (govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to ...) TODO: check CVE-2024-21636 (view_component is a framework for building reusable, testable, and enc ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eca650cde432a650c99021081958c50f4538f2c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eca650cde432a650c99021081958c50f4538f2c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d5a4a21b by security tracker role at 2024-01-05T08:12:10+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,4 +1,38 @@ -CVE-2024-22051 [integer overflow in cmark-gfm's table row parsing may lead to heap memory corruption] +CVE-2024-22088 (Lotos WebServer through 0.1.1 (commit 3eb36cc) has a use-after-free in ...) + TODO: check +CVE-2024-22087 (route in main.c in Pico HTTP Server in C through f3b69a6 has an sprint ...) + TODO: check +CVE-2024-22086 (handle_request in http.c in cherry through 4b877df has an sscanf stack ...) + TODO: check +CVE-2024-22075 (Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Inject ...) + TODO: check +CVE-2024-22050 (Path traversal in the static file service in Iodine less than 0.7.33 a ...) + TODO: check +CVE-2024-22049 (httparty before 0.21.0 is vulnerable to an assumed-immutable web param ...) + TODO: check +CVE-2024-22048 (govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to ...) + TODO: check +CVE-2024-21636 (view_component is a framework for building reusable, testable, and enc ...) + TODO: check +CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 are affected by an uncont ...) + TODO: check +CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video Slider & Pos ...) + TODO: check +CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakag ...) + TODO: check +CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Jo ...) + TODO: check +CVE-2023-52178 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-52150 (Cross-Site Request Forgery (CSRF) vulnerability in Ovation S.R.L. Dyna ...) + TODO: check +CVE-2023-51502 (Authorization Bypass Through User-Controlled Key vulnerability in WooC ...) + TODO: check +CVE-2023-51277 (nbviewer-app (aka Jupyter Notebook Viewer) before 0.1.6 has the get-ta ...) + TODO: check +CVE-2023-41782 (There is a DLL hijacking vulnerability in ZTE ZXCLOUD iRAI, an attacke ...) 
+ TODO: check +CVE-2024-22051 (CommonMarker versions prior to 0.23.4 are at risk of an integer overfl ...) - ruby-commonmarker 0.23.4-1 [bullseye] - ruby-commonmarker (Minor issue) [buster] - ruby-commonmarker (Minor issue) @@ -7,7 +41,7 @@ CVE-2024-22051 [integer overflow in cmark-gfm's table row parsing may lead to he NOTE: https://github.com/gjtorikian/commonmarker/commit/ab4504fd17460627a6ab255bc3c63e8e5fc6aed3 (v0.23.4) NOTE: This is a specific CVE assignment for the issue covered in CVE-2022-24724 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256887 -CVE-2024-22047 +CVE-2024-22047 (A race condition exists in Audited 4.0.0 to 5.3.3 that can result in a ...) NOT-FOR-US: audited ruby gem CVE-2024-21625 (SideQuest is a place to get virtual reality applications for Oculus Qu ...) NOT-FOR-US: SideQuest @@ -1498,6 +1532,7 @@ CVE-2023-51767 (OpenSSH through 9.6, when common types of DRAM are used, might a [buster] - openssh (Revisit once hardening/mitigation for Rowhammer type of attack exists) NOTE: https://arxiv.org/abs/2309.02545 CVE-2023-51766 (Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKIN ...) + {DSA-5597-1} - exim4 4.97-3 (bug #1059387) NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 @@ -3637,7 +3672,7 @@ CVE-2023-49820 (Improper Neutralization of Input During Web Page Generation ('Cr CVE-2023-49813 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: WordPress plugin CVE-2023-49786 (Asterisk is an open source private branch exchange and telephony toolk ...) - {DLA-3696-1} + {DSA-5596-1 DLA-3696-1} - asterisk 1:20.5.1~dfsg+~cs6.13.40431414-1 (bug #1059033) NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq NOTE: https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05 
@@ -3661,7 +3696,7 @@ CVE-2023-49708 (SQLi vulnerability in Starshop component for Joomla.) CVE-2023-49707 (SQLi vulnerability in S5 Register module for Joomla.) NOT-FOR-US: Joomla module CVE-2023-49294 (Asterisk is an open source private branch exchange and telephony toolk ...) - {DLA-3696-1} + {DSA-5596-1 DLA-3696-1} - asterisk 1:20.5.1~dfsg+~cs6.13.40431414-1 (bug #1059032) NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f NOTE: