[Git][security-tracker-team/security-tracker][master] Associate CVE-2023-51651 with aws-sdk-for-php source package

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
04ec253a by Salvatore Bonaccorso at 2024-01-06T08:57:34+01:00
Associate CVE-2023-51651 with aws-sdk-for-php source package

Thanks: David Prévot

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1685,7 +1685,9 @@ CVE-2023-6972 (The Backup Migration plugin for WordPress 
is vulnerable to Path T
 CVE-2023-6971 (The Backup Migration plugin for WordPress is vulnerable to 
Remote File ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-51651 (AWS SDK for PHP is the Amazon Web Services software 
development kit fo ...)
-   NOT-FOR-US: AWS SDK for PHP
+   - aws-sdk-for-php 
+   NOTE: 
https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m
+   NOTE: 
https://github.com/aws/aws-sdk-php/commit/aebc9f801438746ac4ade327551576cb75f635f2
 (3.288.1)
 CVE-2023-51650 (Hertzbeat is an open source, real-time monitoring system. 
Prior to ver ...)
NOT-FOR-US: Hertzbeat
 CVE-2023-51451 (Symbolicator is a service used in Sentry. Starting in 
Symbolicator ver ...)
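Review bot: the new "- aws-sdk-for-php " line leaves the fixed-version field empty, so the tracker will list CVE-2023-51651 as open in unstable until a version is recorded. The second NOTE already pins the upstream fix (commit aebc9f80, tagged 3.288.1), which is the thing to compare the sid package version against; and if the source package is shipped in bookworm or bullseye, those releases need their own [bookworm]/[bullseye] lines once it is known whether the affected code is present there.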



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04ec253afe05896afde30ebd0b218764abfa6362

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04ec253afe05896afde30ebd0b218764abfa6362
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Track fixed version for wireshark issues via unstable

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5010d5b by Salvatore Bonaccorso at 2024-01-06T07:45:08+01:00
Track fixed version for wireshark issues via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -376,19 +376,19 @@ CVE-2024-21627 (PrestaShop is an open-source e-commerce 
platform. Prior to versi
 CVE-2024-21623 (OTCLient is an alternative tibia client for otserv. Prior to 
commit db ...)
NOT-FOR-US: OTCLient
 CVE-2024-0211 (DOCSIS dissector crash in Wireshark 4.2.0 allows denial of 
service via ...)
-   - wireshark  (bug #1059925)
+   - wireshark 4.2.2-1 (bug #1059925)
[bookworm] - wireshark  (Minor issue)
[bullseye] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-05.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19557
 CVE-2024-0210 (Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of 
service ...)
-   - wireshark  (bug #1059925)
+   - wireshark 4.2.2-1 (bug #1059925)
[bookworm] - wireshark  (Minor issue)
[bullseye] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-04.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19504
 CVE-2024-0209 (IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 
4.0.11, and 3 ...)
-   - wireshark  (bug #1059925)
+   - wireshark 4.2.2-1 (bug #1059925)
[bookworm] - wireshark  (Minor issue)
[bullseye] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-02.html
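Review bot: the CVE text for CVE-2024-0211 and CVE-2024-0210 names only "Wireshark 4.2.0", while CVE-2024-0209 in the same hunk explicitly lists "4.0.0 to 4.0.11, and 3 ...", yet all three keep "[bookworm] - wireshark (Minor issue)" and "[bullseye] - wireshark (Minor issue)", which asserts those releases are affected. Worth confirming against the wnpa-sec-2024-05 and -04 advisories in the NOTE lines whether the DOCSIS and Zigbee TLV crashes exist in whichever branches bookworm and bullseye ship; if not, a not-affected annotation (the "Vulnerable code not present" form used for buster on CVE-2023-1192 elsewhere in this digest) is the accurate status rather than "Minor issue".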
@@ -396,13 +396,13 @@ CVE-2024-0209 (IEEE 1609.2 dissector crash in Wireshark 
4.2.0, 4.0.0 to 4.0.11,
NOTE: The bug references two crashes, this is for the one labelled "BUG 
log 2",
NOTE: the more severe "Bug log 1" only affected unreleased versions
 CVE-2024-0208 (GVCP dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 
3.6.0 to ...)
-   - wireshark  (bug #1059925)
+   - wireshark 4.2.2-1 (bug #1059925)
[bookworm] - wireshark  (Minor issue)
[bullseye] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-01.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19496
 CVE-2024-0207 (HTTP3 dissector crash in Wireshark 4.2.0 allows denial of 
service via  ...)
-   - wireshark  (bug #1059925)
+   - wireshark 4.2.2-1 (bug #1059925)
[bookworm] - wireshark  (Minor issue)
[bullseye] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-03.html
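Review bot: same check as for the previous hunk applies to CVE-2024-0207: its text names only "Wireshark 4.2.0" (HTTP3 dissector), unlike CVE-2024-0208 which lists "4.0.0 to 4.0.11, and 3.6.0 to", so the "[bookworm]"/"[bullseye] - wireshark (Minor issue)" lines for 0207 should be verified against wnpa-sec-2024-03 before being kept.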



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5010d5b7daf0efea28be22e6099eada4071642d



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-3563 via unstable

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5a1bb7fb by Salvatore Bonaccorso at 2024-01-06T07:40:09+01:00
Track fixed version for CVE-2021-3563 via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -182269,7 +182269,7 @@ CVE-2021-33499 (Pexip Infinity before 26 allows 
remote denial of service because
 CVE-2021-33498 (Pexip Infinity before 26 allows remote denial of service 
because of mi ...)
NOT-FOR-US: Pexip Infinity
 CVE-2021-3563 (A flaw was found in openstack-keystone. Only the first 72 
characters o ...)
-   - keystone  (bug #989998)
+   - keystone 2:23.0.0-3 (bug #989998)
[bookworm] - keystone  (Minor issue)
[bullseye] - keystone  (Minor issue)
[buster] - keystone  (Minor issue)
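Review bot: the entry gains "keystone 2:23.0.0-3" as the fixed version but carries no NOTE naming the upstream change that version is taken to contain; other entries touched in this digest (CVE-2023-51651, CVE-2023-52323) record the upstream commit with its release tag, which is what makes a fixed-version claim checkable later. Suggest adding a NOTE with the keystone fix reference alongside "(bug #989998)".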



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a1bb7fb40f3660372f074f2c488eac61d4c1cdb



[Git][security-tracker-team/security-tracker][master] Claim postfix in dla-needed.txt

2024-01-05 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bdf2ecb3 by Markus Koschany at 2024-01-05T23:22:16+01:00
Claim postfix in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -166,7 +166,7 @@ nvidia-cuda-toolkit
 paramiko
   NOTE: 20231225: Added by Front-Desk (ta)
 --
-postfix
+postfix (Markus Koschany)
   NOTE: 20231224: Added by Front-Desk (ta)
 --
 putty



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdf2ecb3ce4155955c9c1af4c6e3fc3f6b1c2a3f



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3708-1 for exim4

2024-01-05 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3f36ff2f by Markus Koschany at 2024-01-05T23:04:57+01:00
Reserve DLA-3708-1 for exim4

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[05 Jan 2024] DLA-3708-1 exim4 - security update
+   {CVE-2023-51766}
+   [buster] - exim4 4.92-8+deb10u9
 [05 Jan 2024] DLA-3707-1 tomcat9 - security update
{CVE-2023-46589}
[buster] - tomcat9 9.0.31-1~deb10u11


=
data/dla-needed.txt
=
@@ -78,9 +78,6 @@ edk2
   NOTE: 20231230: Added by Front-Desk (lamby)
   NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release 
(lamby)
 --
-exim4 (Markus Koschany)
-  NOTE: 20231224: Added by Front-Desk (ta)
---
 frr
   NOTE: 20231119: Added by Front-Desk (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f36ff2fae0813faa15c850fcf3fe84d141cae98



[Git][security-tracker-team/security-tracker][master] Process NFUs

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b239a420 by Salvatore Bonaccorso at 2024-01-05T21:36:11+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,89 +1,89 @@
 CVE-2024-0247 (A vulnerability classified as critical was found in CodeAstro 
Online F ...)
-   TODO: check
+   NOT-FOR-US: CodeAstro Online Food Ordering System
 CVE-2024-0246 (A vulnerability classified as problematic has been found in 
IceWarp 12 ...)
-   TODO: check
+   NOT-FOR-US: IceWarp
 CVE-2023-52151 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52149 (Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company 
Floatin ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52148 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52146 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52145 (Cross-Site Request Forgery (CSRF) vulnerability in Marios 
Alexandrou R ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52143 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52136 (Cross-Site Request Forgery (CSRF) vulnerability in Smash 
Balloon Custo ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52130 (Cross-Site Request Forgery (CSRF) vulnerability in wp.Insider, 
wpaffil ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52129 (Cross-Site Request Forgery (CSRF) vulnerability in Michael 
Winkler tea ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52128 (Cross-Site Request Forgery (CSRF) vulnerability in WhiteWP 
White Label ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52127 (Cross-Site Request Forgery (CSRF) vulnerability in WPClever 
WPC Produc ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52126 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52125 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52124 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52123 (Cross-Site Request Forgery (CSRF) vulnerability in WPChill 
Strong Test ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52122 (Cross-Site Request Forgery (CSRF) vulnerability in PressTigers 
Simple  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52121 (Cross-Site Request Forgery (CSRF) vulnerability in NitroPack 
Inc. Nitr ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52120 (Cross-Site Request Forgery (CSRF) vulnerability in Basix 
NEX-Forms \u2 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52119 (Cross-Site Request Forgery (CSRF) vulnerability in Icegram 
Icegram Eng ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-51678 (Cross-Site Request Forgery (CSRF) vulnerability in Doofinder 
Doofinder ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-51673 (Cross-Site Request Forgery (CSRF) vulnerability in Designful 
Stylish P ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-51668 (Cross-Site Request Forgery (CSRF) vulnerability in WP Zone 
Inline Imag ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-51539 (Cross-Site Request Forgery (CSRF) vulnerability in 
Apollo13Themes Apol ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-51538 (Cross-Site Request Forgery (CSRF) vulnerability in Awesome 
Support Tea ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-51535 (Cross-Site Request Forgery (CSRF) vulnerability in 
\u0421leanTalk - An ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-50991 (Buffer Overflow vulnerability in Tenda i29 versions 1.0 
V1.0.0.5 and 1 ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2023-50027 (SQL Injection vulnerability in Buy Addons 
baproductzoommagnifier modul ...)
-   TODO: check
+   NOT-FOR-US: PrestaShop module
 CVE-2023-47560 (An OS command injection vulnerability has been reported to 
affect QuMa ...)
-   TODO: check
+   NOT-FOR-US: QNAP
 CVE-2023-47559 (A cross-site scripting (XSS) vulnerability has been reported 
to affect ...)
-   TODO: check
+   NOT-FOR-US: 

[Git][security-tracker-team/security-tracker][master] automatic update

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74d47310 by security tracker role at 2024-01-05T20:12:16+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,89 @@
+CVE-2024-0247 (A vulnerability classified as critical was found in CodeAstro 
Online F ...)
+   TODO: check
+CVE-2024-0246 (A vulnerability classified as problematic has been found in 
IceWarp 12 ...)
+   TODO: check
+CVE-2023-52151 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
+   TODO: check
+CVE-2023-52149 (Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company 
Floatin ...)
+   TODO: check
+CVE-2023-52148 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
+   TODO: check
+CVE-2023-52146 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
+   TODO: check
+CVE-2023-52145 (Cross-Site Request Forgery (CSRF) vulnerability in Marios 
Alexandrou R ...)
+   TODO: check
+CVE-2023-52143 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
+   TODO: check
+CVE-2023-52136 (Cross-Site Request Forgery (CSRF) vulnerability in Smash 
Balloon Custo ...)
+   TODO: check
+CVE-2023-52130 (Cross-Site Request Forgery (CSRF) vulnerability in wp.Insider, 
wpaffil ...)
+   TODO: check
+CVE-2023-52129 (Cross-Site Request Forgery (CSRF) vulnerability in Michael 
Winkler tea ...)
+   TODO: check
+CVE-2023-52128 (Cross-Site Request Forgery (CSRF) vulnerability in WhiteWP 
White Label ...)
+   TODO: check
+CVE-2023-52127 (Cross-Site Request Forgery (CSRF) vulnerability in WPClever 
WPC Produc ...)
+   TODO: check
+CVE-2023-52126 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
+   TODO: check
+CVE-2023-52125 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2023-52124 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2023-52123 (Cross-Site Request Forgery (CSRF) vulnerability in WPChill 
Strong Test ...)
+   TODO: check
+CVE-2023-52122 (Cross-Site Request Forgery (CSRF) vulnerability in PressTigers 
Simple  ...)
+   TODO: check
+CVE-2023-52121 (Cross-Site Request Forgery (CSRF) vulnerability in NitroPack 
Inc. Nitr ...)
+   TODO: check
+CVE-2023-52120 (Cross-Site Request Forgery (CSRF) vulnerability in Basix 
NEX-Forms \u2 ...)
+   TODO: check
+CVE-2023-52119 (Cross-Site Request Forgery (CSRF) vulnerability in Icegram 
Icegram Eng ...)
+   TODO: check
+CVE-2023-51678 (Cross-Site Request Forgery (CSRF) vulnerability in Doofinder 
Doofinder ...)
+   TODO: check
+CVE-2023-51673 (Cross-Site Request Forgery (CSRF) vulnerability in Designful 
Stylish P ...)
+   TODO: check
+CVE-2023-51668 (Cross-Site Request Forgery (CSRF) vulnerability in WP Zone 
Inline Imag ...)
+   TODO: check
+CVE-2023-51539 (Cross-Site Request Forgery (CSRF) vulnerability in 
Apollo13Themes Apol ...)
+   TODO: check
+CVE-2023-51538 (Cross-Site Request Forgery (CSRF) vulnerability in Awesome 
Support Tea ...)
+   TODO: check
+CVE-2023-51535 (Cross-Site Request Forgery (CSRF) vulnerability in 
\u0421leanTalk - An ...)
+   TODO: check
+CVE-2023-50991 (Buffer Overflow vulnerability in Tenda i29 versions 1.0 
V1.0.0.5 and 1 ...)
+   TODO: check
+CVE-2023-50027 (SQL Injection vulnerability in Buy Addons 
baproductzoommagnifier modul ...)
+   TODO: check
+CVE-2023-47560 (An OS command injection vulnerability has been reported to 
affect QuMa ...)
+   TODO: check
+CVE-2023-47559 (A cross-site scripting (XSS) vulnerability has been reported 
to affect ...)
+   TODO: check
+CVE-2023-47219 (A SQL injection vulnerability has been reported to affect 
QuMagie. If  ...)
+   TODO: check
+CVE-2023-45044 (A buffer copy without checking size of input vulnerability has 
been re ...)
+   TODO: check
+CVE-2023-45043 (A buffer copy without checking size of input vulnerability has 
been re ...)
+   TODO: check
+CVE-2023-45042 (A buffer copy without checking size of input vulnerability has 
been re ...)
+   TODO: check
+CVE-2023-45041 (A buffer copy without checking size of input vulnerability has 
been re ...)
+   TODO: check
+CVE-2023-45040 (A buffer copy without checking size of input vulnerability has 
been re ...)
+   TODO: check
+CVE-2023-45039 (A buffer copy without checking size of input vulnerability has 
been re ...)
+   TODO: check
+CVE-2023-41289 (An OS command injection vulnerability has been reported to 
affect Qcal ...)
+   TODO: check
+CVE-2023-41288 (An OS command injection vulnerability has been reported to 
affect Vide ...)
+   TODO: check
+CVE-2023-41287 (A SQL injection vulnerability has been reported to affect 
Video Statio 

[Git][security-tracker-team/security-tracker][master] Revert "Update information for CVE-2023-1192/linux"

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6a47f209 by Salvatore Bonaccorso at 2024-01-05T20:23:44+01:00
Revert "Update information for CVE-2023-1192/linux"

This reverts commit 0191d6dab32795188024bb6335afcc7eb3b190f1.

It is currently not clear that this is the real fix, as per discussion
in
https://lore.kernel.org/linux-cifs/aca1c4e755e8c005b874c57a6210c4c6a34d2324.ca...@debian.org/

For now revert the change on fixed version syncing up with kernel-sec in
https://salsa.debian.org/kernel-team/kernel-sec/-/commit/35bb35745e9b1cd0de77926c52200b58ab91fc40

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -46858,8 +46858,7 @@ CVE-2023-1193 (A use-after-free flaw was found in 
setup_async_work in the KSMBD
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154177
NOTE: 
https://git.kernel.org/linus/3a9b557f44ea8f216aab515a7db20e23f0eb51b9 (6.3-rc6)
 CVE-2023-1192 (A use-after-free flaw was found in smb2_is_status_io_timeout() 
in CIFS ...)
-   - linux 6.5.6-1
-   [bookworm] - linux 6.1.64-1
+   - linux 
[buster] - linux  (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154178
 CVE-2023-1191 (A vulnerability classified as problematic has been found in 
fastcms. T ...)
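Review bot: after the revert the entry is back to "- linux " with nothing in the data file saying why 6.5.6-1 and 6.1.64-1 were dropped; the reasoning (the lore.kernel.org discussion and the kernel-sec sync) lives only in the commit message. A NOTE line pointing at that thread, next to the existing bugzilla NOTE, would stop the next triager from re-adding the same fixed versions from the same source.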



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a47f2099a84170cc8e9747c2fdd76fab81bcce2



[Git][security-tracker-team/security-tracker][master] Add note for CVE-2024-0217

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
12e977a7 by Salvatore Bonaccorso at 2024-01-05T19:02:55+01:00
Add note for CVE-2024-0217

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -187,6 +187,7 @@ CVE-2024-21622 (Craft is a content management system. This 
is a potential modera
 CVE-2024-0217 (A use-after-free flaw was found in PackageKitd. In some 
conditions, th ...)
- packagekit  (bug #1060016)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256624
+   NOTE: Reducing impact via: 
https://github.com/PackageKit/PackageKit/commit/64278c9127e342b56ead99556161f7e86f79
 (v1.2.7)
TODO: check, RHBZ#2256624 claims fixed in upstream 1.2.7 but provides 
no references
 CVE-2024-0201 (The Product Expiry for WooCommerce plugin for WordPress is 
vulnerable  ...)
NOT-FOR-US: WordPress plugin
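Review bot: the new NOTE says the v1.2.7 commit is "Reducing impact", while the unchanged TODO on the next line still reads "RHBZ#2256624 claims fixed in upstream 1.2.7 but provides no references"; the two now read against each other. Suggest rewording the TODO to state what is actually open, i.e. whether that commit is the complete fix or only a mitigation. Also, the commit id in the NOTE URL is 36 hex characters rather than a full 40-character SHA-1, so check that the link resolves to a single commit.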



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12e977a707344a8c6598537e3d5b3154ee558479



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-1192/linux

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0191d6da by Salvatore Bonaccorso at 2024-01-05T15:47:03+01:00
Update information for CVE-2023-1192/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -46857,7 +46857,8 @@ CVE-2023-1193 (A use-after-free flaw was found in 
setup_async_work in the KSMBD
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154177
NOTE: 
https://git.kernel.org/linus/3a9b557f44ea8f216aab515a7db20e23f0eb51b9 (6.3-rc6)
 CVE-2023-1192 (A use-after-free flaw was found in smb2_is_status_io_timeout() 
in CIFS ...)
-   - linux 
+   - linux 6.5.6-1
+   [bookworm] - linux 6.1.64-1
[buster] - linux  (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2154178
 CVE-2023-1191 (A vulnerability classified as problematic has been found in 
fastcms. T ...)
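Review bot: 6.5.6-1 and "[bookworm] - linux 6.1.64-1" are added without a NOTE naming the upstream commit they are taken to contain; the neighbouring CVE-2023-1193 entry carries its git.kernel.org reference with the "(6.3-rc6)" tag. Without that reference the fixed-version claim cannot be verified from the file, and the revert of this same commit elsewhere in this digest ("It is currently not clear that this is the real fix") shows the cost.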



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0191d6dab32795188024bb6335afcc7eb3b190f1



[Git][security-tracker-team/security-tracker][master] Add note about keystone

2024-01-05 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
19c47591 by Bastien Roucariès at 2024-01-05T14:04:27+00:00
Add note about keystone

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -110,6 +110,7 @@ jenkins-htmlunit-core-js
 keystone (rouca)
   NOTE: 20231102: Added by Front-Desk (lamby)
   NOTE: 20231102: Sync (eg. CVE-2021-38155) with stable etc. (lamby)
+  NOTE: 20240105: FTBFS due to 
https://github.com/testing-cabal/subunit/pull/40 (rouca)
 --
 knot-resolver
   NOTE: 20231029: Added by Front-Desk (gladk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19c475914d9f267ff5d69bff4c4d791c898eadbe



[Git][security-tracker-team/security-tracker][master] condor fixed in sid

2024-01-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1be025b1 by Moritz Muehlenhoff at 2024-01-05T14:31:09+01:00
condor fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -131238,7 +131238,7 @@ CVE-2022-26111 (The BeanShell components of IRISNext 
through 9.8.28 allow execut
NOT-FOR-US: IRISNext
 CVE-2022-26110 (An issue was discovered in HTCondor 8.8.x before 8.8.16, 9.0.x 
before  ...)
{DSA-5144-1 DLA-2984-1}
-   - condor  (bug #1008634)
+   - condor 23.2.0+dfsg-1 (bug #1008634)
NOTE: https://htcondor.org/security/vulnerabilities/HTCONDOR-2022-0003
NOTE: 
https://github.com/htcondor/htcondor/commit/1cae7601d796725e7f5dd73fedf37f6fbbe379ca
 (V8_8_16)
NOTE: 
https://github.com/htcondor/htcondor/commit/8568e8ba65c9490f30a1089b6d4f8910e4bfbd6b
 (V8_8_16)
@@ -147986,7 +147986,7 @@ CVE-2021-45102 (An issue was discovered in HTCondor 
9.0.x before 9.0.4 and 9.1.x
- condor  (Only affects 9.0.0 and above)
NOTE: 
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0004/
 CVE-2021-45101 (An issue was discovered in HTCondor before 8.8.15, 9.0.x 
before 9.0.4, ...)
-   - condor  (bug #1002540)
+   - condor 23.2.0+dfsg-1 (bug #1002540)
[buster] - condor  (Patch is too intrusive to backport)
[stretch] - condor  (Patch is too destructive to backport it; 
Patch does not apply cleanly. Too many calls in patch, not existed in this 
version of the software)
NOTE: 
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0003/
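Review bot: once "condor 23.2.0+dfsg-1" is recorded for CVE-2021-45101, any release without its own "[release]" line is evaluated against that version, so bullseye and bookworm will show as affected if their condor is older. Unlike CVE-2022-26110 and CVE-2019-18823 in this same commit, this entry has no DSA reference and only carries "[buster]" and "[stretch]" annotations; the bullseye/bookworm status (a fixed version, no-dsa, or not-affected given the CVE text "before 8.8.15, 9.0.x before 9.0.4") should be checked and annotated.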
@@ -297816,7 +297816,7 @@ CVE-2019-18824 (Barco ClickShare Button R9861500D01 
devices before 1.10.0.13 hav
NOT-FOR-US: Barco ClickShare Button R9861500D01 devices
 CVE-2019-18823 (HTCondor up to and including stable series 8.8.6 and 
development serie ...)
{DSA-5144-1 DLA-2724-1}
-   - condor  (bug #963777)
+   - condor 23.2.0+dfsg-1 (bug #963777)
NOTE: 
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0003.html
NOTE: 
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html
NOTE: 
https://github.com/htcondor/htcondor/commit/95eaee86e7ad3852c17df46a1b8b193dabd1fd14



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1be025b1121790cac7f68d01a3e21ae083b618f3



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-52323

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e579804 by Salvatore Bonaccorso at 2024-01-05T13:56:16+01:00
Add Debian bug reference for CVE-2023-52323

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21,7 +21,7 @@ CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 
are affected by an u
 CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video 
Slider & Pos ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow 
side-channel leakag ...)
-   - pycryptodome 
+   - pycryptodome  (bug #1060059)
NOTE: 
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd
 (v3.19.1)
 CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job 
Portal WP Jo ...)
NOT-FOR-US: WordPress plugin



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e57980443c52af9f0e56f993606d296b3bf468e



[Git][security-tracker-team/security-tracker][master] Process one NFU

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1badb9be by Salvatore Bonaccorso at 2024-01-05T13:19:38+01:00
Process one NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -32,7 +32,7 @@ CVE-2023-52150 (Cross-Site Request Forgery (CSRF) 
vulnerability in Ovation S.R.L
 CVE-2023-51502 (Authorization Bypass Through User-Controlled Key vulnerability 
in WooC ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-51277 (nbviewer-app (aka Jupyter Notebook Viewer) before 0.1.6 has 
the get-ta ...)
-   TODO: check
+   NOT-FOR-US: nbviewer-app (aka Jupyter Notebook Viewer)
 CVE-2023-41782 (There is a DLL hijacking vulnerability in ZTE ZXCLOUD iRAI, an 
attacke ...)
NOT-FOR-US: ZTE
 CVE-2024-22051 (CommonMarker versions prior to 0.23.4 are at risk of an 
integer overfl ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1badb9be15dc4eaecae427e30c452efb2af4cb33



[Git][security-tracker-team/security-tracker][master] Track fixed version for civicrm issues via unstable

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4b1e5caa by Salvatore Bonaccorso at 2024-01-05T12:58:17+01:00
Track fixed version for civicrm issues via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -45871,7 +45871,7 @@ CVE-2023-28117 (Sentry SDK is the official Python SDK 
for Sentry, real-time cras
 CVE-2023-28116 (Contiki-NG is an open-source, cross-platform operating system 
for inte ...)
NOT-FOR-US: Contiki-NG
 CVE-2023-28115 (Snappy is a PHP library allowing thumbnail, snapshot or PDF 
generation ...)
-   - civicrm  (bug #1036284)
+   - civicrm 5.68.1+dfsg1-1 (bug #1036284)
[bullseye] - civicrm  (Minor issue)
NOTE: 
https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc
NOTE: https://github.com/KnpLabs/snappy/pull/469
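Review bot: the new fixed-version line `+ - civicrm 5.68.1+dfsg1-1 (bug #1036284)` is not backed by any reference to civicrm itself; both NOTEs point at the Snappy advisory (GHSA-gq6w-q6wh-jggc) and the Snappy pull request, so nothing on record shows which civicrm release picked up the fixed bundled Snappy copy. Suggest adding a NOTE with the civicrm upstream changelog entry or commit that updates the embedded snappy, so the 5.68.1 claim can be re-verified later.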
@@ -53945,7 +53945,7 @@ CVE-2023-25442 (Auth. (admin+) Stored Cross-site 
Scripting (XSS) vulnerability i
 CVE-2023-25441
RESERVED
 CVE-2023-25440 (Stored Cross Site Scripting (XSS) vulnerability in the add 
contact fun ...)
-   - civicrm  (bug #1036695)
+   - civicrm 5.68.1+dfsg1-1 (bug #1036695)
[bullseye] - civicrm  (Minor issue)
NOTE: 
https://packetstormsecurity.com/files/172470/CiviCRM-5.59.alpha1-Cross-Site-Scripting.html
 CVE-2023-25439 (Stored Cross Site Scripting (XSS) vulnerability in Square Pig 
FusionIn ...)
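Review bot: the only reference for CVE-2023-25440 is a third-party Packet Storm write-up about 5.59.alpha1, which documents the bug but not the fix, so the `+ - civicrm 5.68.1+dfsg1-1 (bug #1036695)` line cannot be checked against upstream from the entry alone. Suggest adding a NOTE with the upstream civicrm advisory or commit that fixes the add-contact XSS.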



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b1e5caa648e9702170fed210bb67bc01aa01421



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-34457/python-mechanicalsoup

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a8d91c4a by Salvatore Bonaccorso at 2024-01-05T12:32:11+01:00
Track fixed version for CVE-2023-34457/python-mechanicalsoup

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29326,7 +29326,7 @@ CVE-2023-34472 (AMI SPx contains a vulnerability in the 
BMC where an Attacker ma
 CVE-2023-34471 (AMI SPx contains a vulnerability in the BMC where a user may 
cause a m ...)
NOT-FOR-US: AMI SPx
 CVE-2023-34457 (MechanicalSoup is a Python library for automating interaction 
with web ...)
-   - python-mechanicalsoup  (bug #1041814)
+   - python-mechanicalsoup 1.3.0-1 (bug #1041814)
[bookworm] - python-mechanicalsoup  (Minor issue)
[bullseye] - python-mechanicalsoup  (Minor issue)
[buster] - python-mechanicalsoup  (Minor issue; invasive 
backport required)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8d91c4a6a27349b0ad0ac4330d9e9337be51e22



[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

2024-01-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
baf17973 by Moritz Muehlenhoff at 2024-01-05T12:18:25+01:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1156,6 +1156,8 @@ CVE-2023-51075 (hutool-core v5.8.23 was discovered to 
contain an infinite loop i
NOT-FOR-US: Hutool
 CVE-2023-51074 (json-path v2.8.0 was discovered to contain a stack overflow 
via the Cr ...)
- jayway-jsonpath 
+   [bookworm] - jayway-jsonpath  (Minor issue)
+   [bullseye] - jayway-jsonpath  (Minor issue)
NOTE: https://github.com/json-path/JsonPath/issues/973
 CVE-2023-51010 (An issue in the export component AdSdkH5Activity of 
com.sdjictec.qdmet ...)
NOT-FOR-US: com.sdjictec.qdmetro
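Review bot: the unstable line `- jayway-jsonpath ` still carries neither a fixed version nor a bug reference, whereas the other packages triaged in this commit (libcrypto++, m2crypto, libxml-security-java, ansible) all have a `(bug #NNNNNN)` pointer. Since the new `[bookworm]`/`[bullseye]` lines only downgrade the issue to minor, an unstable bug should be filed and recorded so the open issue stays tracked; the single NOTE is the upstream issue report, so a NOTE with the upstream fix, once one exists, would also help.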
@@ -2854,8 +2856,13 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
[bookworm] - paramiko  (Minor issue)
[bullseye] - paramiko  (Minor issue)
- phpseclib 1.0.22-1
+   [bookworm] - phpseclib  (Minor issue)
+   [bullseye] - phpseclib  (Minor issue)
- php-phpseclib 2.0.46-1
+   [bookworm] - php-phpseclib  (Minor issue)
+   [bullseye] - php-phpseclib  (Minor issue)
- php-phpseclib3 3.0.35-1
+   [bookworm] - php-phpseclib3  (Minor issue)
- proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144)
[bookworm] - proftpd-dfsg  (Minor issue)
[bullseye] - proftpd-dfsg  (Minor issue)
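Review bot: the no-dsa annotations in this hunk are asymmetric: phpseclib and php-phpseclib each get both a `[bookworm]` and a `[bullseye]` line, but php-phpseclib3 only gets `[bookworm] - php-phpseclib3  (Minor issue)`. If php-phpseclib3 ships in bullseye this leaves its bullseye status untriaged; please either add the matching bullseye line or confirm the package is absent from bullseye.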
@@ -2934,12 +2941,18 @@ CVE-2023-6483 (The vulnerability exists in ADiTaaS 
(Allied Digital Integrated To
NOT-FOR-US: ADiTaaS (Allied Digital Integrated Tool-as-a-Service)
 CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 
allows atta ...)
- libcrypto++  (bug #1059312)
+   [bookworm] - libcrypto++  (Minor issue)
+   [bullseye] - libcrypto++  (Minor issue)
NOTE: https://github.com/weidai11/cryptopp/issues/1249
 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows 
attackers to  ...)
- libcrypto++  (bug #1059311)
+   [bookworm] - libcrypto++  (Minor issue)
+   [bullseye] - libcrypto++  (Minor issue)
NOTE: https://github.com/weidai11/cryptopp/issues/1248
 CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side 
channel during ...)
- libcrypto++  (bug #1059310)
+   [bookworm] - libcrypto++  (Minor issue)
+   [bullseye] - libcrypto++  (Minor issue)
NOTE: https://github.com/weidai11/cryptopp/issues/1247
 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing 
authoriz ...)
NOT-FOR-US: Redpanda
@@ -3989,6 +4002,8 @@ CVE-2023-50782 [Bleichenbacher timing oracle attack 
against RSA decryption - inc
NOTE: CVE is for incomplete fix of CVE-2020-25659
 CVE-2023-50781 [Bleichenbacher timing attacks in the RSA decryption API - 
incomplete fix for CVE-2020-25657]
- m2crypto  (bug #1059292)
+   [bookworm] - m2crypto  (Minor issue)
+   [bullseye] - m2crypto  (Minor issue)
[buster] - m2crypto  (Minor issue; it's an incomplete fix of 
CVE-2020-25657)
NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/342
NOTE: https://people.redhat.com/~hkario/marvin/
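Review bot: the new `[bookworm]` and `[bullseye]` lines for m2crypto say only `(Minor issue)`, while the existing buster line records the rationale `(Minor issue; it's an incomplete fix of CVE-2020-25657)`, which the CVE title itself repeats. Carrying the same rationale on the two new lines would keep the three release annotations consistent and save the next reader from re-deriving why a Bleichenbacher/Marvin timing issue is treated as minor here.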
@@ -13161,6 +13176,8 @@ CVE-2023-45805 (pdm is a Python package and dependency 
manager supporting the la
NOTE: 
https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831
 CVE-2023-44483 (All versions of Apache Santuario - XML Security for Java prior 
to 2.2. ...)
- libxml-security-java  (bug #1059313)
+   [bookworm] - libxml-security-java  (Minor issue)
+   [bullseye] - libxml-security-java  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/10/20/5
NOTE: https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55
NOTE: https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc
@@ -18706,6 +18723,8 @@ CVE-2023-37611 (Cross Site Scripting (XSS) 
vulnerability in Neos CMS 8.3.3 allow
NOT-FOR-US: Neos CMS
 CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When 
creating a n ...)
- ansible  (bug #1055300)
+   [bookworm] - ansible  (Minor issue)
+   [bullseye] - ansible  (Minor issue)
[buster] - ansible  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229979
NOTE: https://github.com/advisories/GHSA-ww3m-ffrm-qvqv


=
data/dsa-needed.txt
=
@@ -48,6 +48,8 @@ python3.11/stable (carnil)
 --
 python3.9/oldstable
 --
+python-asyncssh
+--
 redmine/stable
 --
 ring
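Review bot: `+python-asyncssh` is added to dsa-needed.txt without a claimant or a NOTE saying which CVE the DSA is for; the neighbouring entries show the conventions (`python3.11/stable (carnil)` for a claimed item). Unclaimed is fine for a fresh entry, but a one-line NOTE naming the CVE(s) would let whoever picks it up start without searching data/CVE/list.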



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baf179734b0fede4b1a1c6cf53b59b1721456257


[Git][security-tracker-team/security-tracker][master] Reserve DLA-3707-1 for tomcat9

2024-01-05 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4d144513 by Bastien Roucariès at 2024-01-05T09:36:26+00:00
Reserve DLA-3707-1 for tomcat9

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[05 Jan 2024] DLA-3707-1 tomcat9 - security update
+   {CVE-2023-46589}
+   [buster] - tomcat9 9.0.31-1~deb10u11
 [04 Jan 2024] DLA-3706-1 netatalk - security update
{CVE-2022-22995}
[buster] - netatalk 3.1.12~ds-3+deb10u5


=
data/dla-needed.txt
=
@@ -260,11 +260,6 @@ tinymce
   NOTE: 20231216: upstream's patch is backportable, as the code has changed a
   NOTE: 20231216: lot.  (spwhitton)
 --
-tomcat9 (rouca)
-  NOTE: 20231129: Added by Front-Desk (Beuc)
-  NOTE: 20131217: I have made a fix, tests are ok but due to high popcon 
prefer a review by apo (rouca)
-  NOTE: 20121221: apo ask to go forward (rouca)
---
 varnish (Abhijith PA)
   NOTE: 20231117: Added by Front-Desk (apo)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, 
https://github.com/varnishcache/varnish-cache/pull/4004



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d1445134409fead580ed8f2be495625cb8fe2a1



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-52323/pycryptodome

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
684dd36e by Salvatore Bonaccorso at 2024-01-05T10:24:38+01:00
Add CVE-2023-52323/pycryptodome

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21,7 +21,8 @@ CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 
are affected by an u
 CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video 
Slider & Pos ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow 
side-channel leakag ...)
-   TODO: check
+   - pycryptodome 
+   NOTE: 
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd
 (v3.19.1)
 CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job 
Portal WP Jo ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-52178 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
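Review bot: `+ - pycryptodome ` records no fixed Debian version and no bug reference, even though the NOTE already identifies the upstream fix (v3.19.1); a `(bug #NNNNNN)` pointer should be added now and the version filled in once 3.19.1 is uploaded. The CVE text also names pycryptodomex; please confirm it is built from the same source package, otherwise a second source line is needed.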



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/684dd36ebbc85100574c587c0c3c08ca0d4c8d63



[Git][security-tracker-team/security-tracker][master] Process some NFU

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b6b4bb0b by Salvatore Bonaccorso at 2024-01-05T10:22:16+01:00
Process some NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,7 +3,7 @@ CVE-2024-22088 (Lotos WebServer through 0.1.1 (commit 3eb36cc) 
has a use-after-f
 CVE-2024-22087 (route in main.c in Pico HTTP Server in C through f3b69a6 has 
an sprint ...)
NOT-FOR-US: Pico HTTP Server
 CVE-2024-22086 (handle_request in http.c in cherry through 4b877df has an 
sscanf stack ...)
-   TODO: check
+   NOT-FOR-US: cherry HTTP server
 CVE-2024-22075 (Firefly III (aka firefly-iii) before 6.1.1 allows webhooks 
HTML Inject ...)
NOT-FOR-US: Firefly
 CVE-2024-22050 (Path traversal in the static file service in Iodine less than 
0.7.33 a ...)
@@ -13,11 +13,11 @@ CVE-2024-22049 (httparty before 0.21.0 is vulnerable to an 
assumed-immutable web
NOTE: 
https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
NOTE: 
https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
 (v0.21.0)
 CVE-2024-22048 (govuk_tech_docs versions from 2.0.2 to before 3.3.1 are 
vulnerable to  ...)
-   TODO: check
+   NOT-FOR-US: govuk_tech_docs ruby gem
 CVE-2024-21636 (view_component is a framework for building reusable, testable, 
and enc ...)
-   TODO: check
+   NOT-FOR-US: view_component framework
 CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 are affected by an 
uncont ...)
-   TODO: check
+   NOT-FOR-US: encoded_id-rails
 CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video 
Slider & Pos ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow 
side-channel leakag ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6b4bb0b957e366fb91a240d61d129abb18cf142



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
251ca76c by Salvatore Bonaccorso at 2024-01-05T09:39:31+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,21 +19,21 @@ CVE-2024-21636 (view_component is a framework for building 
reusable, testable, a
 CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 are affected by an 
uncont ...)
TODO: check
 CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video 
Slider & Pos ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow 
side-channel leakag ...)
TODO: check
 CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job 
Portal WP Jo ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52178 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52150 (Cross-Site Request Forgery (CSRF) vulnerability in Ovation 
S.R.L. Dyna ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-51502 (Authorization Bypass Through User-Controlled Key vulnerability 
in WooC ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-51277 (nbviewer-app (aka Jupyter Notebook Viewer) before 0.1.6 has 
the get-ta ...)
TODO: check
 CVE-2023-41782 (There is a DLL hijacking vulnerability in ZTE ZXCLOUD iRAI, an 
attacke ...)
-   TODO: check
+   NOT-FOR-US: ZTE
 CVE-2024-22051 (CommonMarker versions prior to 0.23.4 are at risk of an 
integer overfl ...)
- ruby-commonmarker 0.23.4-1
[bullseye] - ruby-commonmarker  (Minor issue)
@@ -261935,9 +261935,9 @@ CVE-2020-13881 (In support.c in pam_tacplus 1.3.8 
through 1.5.1, the TACACS+ sha
 CVE-2020-13880
RESERVED
 CVE-2020-13879 (IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+214f 
heap-bas ...)
-   TODO: check
+   NOT-FOR-US: IrfanView B3D PlugIns
 CVE-2020-13878 (IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+27ef 
heap-bas ...)
-   TODO: check
+   NOT-FOR-US: IrfanView B3D PlugIns
 CVE-2020-13877 (SQL Injection issues in various ASPX pages of ResourceXpress 
Meeting M ...)
NOT-FOR-US: ResourceXpress Meeting Monitor
 CVE-2020-13876



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/251ca76c5df71e1a1f6c5e47dc911963c13ad5c9



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8f160a1b by Salvatore Bonaccorso at 2024-01-05T09:33:50+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,13 +1,13 @@
 CVE-2024-22088 (Lotos WebServer through 0.1.1 (commit 3eb36cc) has a 
use-after-free in ...)
-   TODO: check
+   NOT-FOR-US: Lotos WebServer
 CVE-2024-22087 (route in main.c in Pico HTTP Server in C through f3b69a6 has 
an sprint ...)
-   TODO: check
+   NOT-FOR-US: Pico HTTP Server
 CVE-2024-22086 (handle_request in http.c in cherry through 4b877df has an 
sscanf stack ...)
TODO: check
 CVE-2024-22075 (Firefly III (aka firefly-iii) before 6.1.1 allows webhooks 
HTML Inject ...)
-   TODO: check
+   NOT-FOR-US: Firefly
 CVE-2024-22050 (Path traversal in the static file service in Iodine less than 
0.7.33 a ...)
-   TODO: check
+   NOT-FOR-US: Iodine (not the same as src:iodine)
 CVE-2024-22049 (httparty before 0.21.0 is vulnerable to an assumed-immutable 
web param ...)
- ruby-httparty 0.21.0-1
NOTE: 
https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f160a1be404fc2225363ae5c18743b4610d2481



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-22049/ruby-httparty

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eca650cd by Salvatore Bonaccorso at 2024-01-05T09:33:16+01:00
Add CVE-2024-22049/ruby-httparty

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,7 +9,9 @@ CVE-2024-22075 (Firefly III (aka firefly-iii) before 6.1.1 
allows webhooks HTML
 CVE-2024-22050 (Path traversal in the static file service in Iodine less than 
0.7.33 a ...)
TODO: check
 CVE-2024-22049 (httparty before 0.21.0 is vulnerable to an assumed-immutable 
web param ...)
-   TODO: check
+   - ruby-httparty 0.21.0-1
+   NOTE: 
https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
+   NOTE: 
https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
 (v0.21.0)
 CVE-2024-22048 (govuk_tech_docs versions from 2.0.2 to before 3.3.1 are 
vulnerable to  ...)
TODO: check
 CVE-2024-21636 (view_component is a framework for building reusable, testable, 
and enc ...)
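Review bot: the entry now has `+ - ruby-httparty 0.21.0-1` plus advisory and commit NOTEs, but no `[bookworm]` or `[bullseye]` annotation, so the stable and oldstable status of CVE-2024-22049 is left open by this hunk. A follow-up triage line (`(Minor issue)`, a not-affected marker, or a DSA decision) would complete the entry.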



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eca650cde432a650c99021081958c50f4538f2c9



[Git][security-tracker-team/security-tracker][master] automatic update

2024-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5a4a21b by security tracker role at 2024-01-05T08:12:10+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,38 @@
-CVE-2024-22051 [integer overflow in cmark-gfm's table row parsing may lead to 
heap memory corruption]
+CVE-2024-22088 (Lotos WebServer through 0.1.1 (commit 3eb36cc) has a 
use-after-free in ...)
+   TODO: check
+CVE-2024-22087 (route in main.c in Pico HTTP Server in C through f3b69a6 has 
an sprint ...)
+   TODO: check
+CVE-2024-22086 (handle_request in http.c in cherry through 4b877df has an 
sscanf stack ...)
+   TODO: check
+CVE-2024-22075 (Firefly III (aka firefly-iii) before 6.1.1 allows webhooks 
HTML Inject ...)
+   TODO: check
+CVE-2024-22050 (Path traversal in the static file service in Iodine less than 
0.7.33 a ...)
+   TODO: check
+CVE-2024-22049 (httparty before 0.21.0 is vulnerable to an assumed-immutable 
web param ...)
+   TODO: check
+CVE-2024-22048 (govuk_tech_docs versions from 2.0.2 to before 3.3.1 are 
vulnerable to  ...)
+   TODO: check
+CVE-2024-21636 (view_component is a framework for building reusable, testable, 
and enc ...)
+   TODO: check
+CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 are affected by an 
uncont ...)
+   TODO: check
+CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video 
Slider & Pos ...)
+   TODO: check
+CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow 
side-channel leakag ...)
+   TODO: check
+CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job 
Portal WP Jo ...)
+   TODO: check
+CVE-2023-52178 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2023-52150 (Cross-Site Request Forgery (CSRF) vulnerability in Ovation 
S.R.L. Dyna ...)
+   TODO: check
+CVE-2023-51502 (Authorization Bypass Through User-Controlled Key vulnerability 
in WooC ...)
+   TODO: check
+CVE-2023-51277 (nbviewer-app (aka Jupyter Notebook Viewer) before 0.1.6 has 
the get-ta ...)
+   TODO: check
+CVE-2023-41782 (There is a DLL hijacking vulnerability in ZTE ZXCLOUD iRAI, an 
attacke ...)
+   TODO: check
+CVE-2024-22051 (CommonMarker versions prior to 0.23.4 are at risk of an 
integer overfl ...)
- ruby-commonmarker 0.23.4-1
[bullseye] - ruby-commonmarker  (Minor issue)
[buster] - ruby-commonmarker  (Minor issue)
@@ -7,7 +41,7 @@ CVE-2024-22051 [integer overflow in cmark-gfm's table row 
parsing may lead to he
NOTE: 
https://github.com/gjtorikian/commonmarker/commit/ab4504fd17460627a6ab255bc3c63e8e5fc6aed3
 (v0.23.4)
NOTE: This is a specific CVE assignment for the issue covered in 
CVE-2022-24724
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256887
-CVE-2024-22047
+CVE-2024-22047 (A race condition exists in Audited 4.0.0 to 5.3.3 that can 
result in a ...)
NOT-FOR-US: audited ruby gem
 CVE-2024-21625 (SideQuest is a place to get virtual reality applications for 
Oculus Qu ...)
NOT-FOR-US: SideQuest
@@ -1498,6 +1532,7 @@ CVE-2023-51767 (OpenSSH through 9.6, when common types of 
DRAM are used, might a
[buster] - openssh  (Revisit once hardening/mitigation for 
Rowhammer type of attack exists)
NOTE: https://arxiv.org/abs/2309.02545
 CVE-2023-51766 (Exim before 4.97.1 allows SMTP smuggling in certain 
PIPELINING/CHUNKIN ...)
+   {DSA-5597-1}
- exim4 4.97-3 (bug #1059387)
NOTE: 
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6
@@ -3637,7 +3672,7 @@ CVE-2023-49820 (Improper Neutralization of Input During 
Web Page Generation ('Cr
 CVE-2023-49813 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-49786 (Asterisk is an open source private branch exchange and 
telephony toolk ...)
-   {DLA-3696-1}
+   {DSA-5596-1 DLA-3696-1}
- asterisk 1:20.5.1~dfsg+~cs6.13.40431414-1 (bug #1059033)
NOTE: 
https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
NOTE: 
https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05
@@ -3661,7 +3696,7 @@ CVE-2023-49708 (SQLi vulnerability in Starshop component 
for Joomla.)
 CVE-2023-49707 (SQLi vulnerability in S5 Register module for Joomla.)
NOT-FOR-US: Joomla module
 CVE-2023-49294 (Asterisk is an open source private branch exchange and 
telephony toolk ...)
-   {DLA-3696-1}
+   {DSA-5596-1 DLA-3696-1}
- asterisk 1:20.5.1~dfsg+~cs6.13.40431414-1 (bug #1059032)
NOTE: 
https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
NOTE: