[Git][security-tracker-team/security-tracker][master] Add CVE-2024-1635/undertow

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e58baf37 by Salvatore Bonaccorso at 2024-02-20T08:45:48+01:00
Add CVE-2024-1635/undertow

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2024-1635
+   - undertow 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2264928
 CVE-2024-25983 (Insufficient checks in a web service made it possible to add 
comments  ...)
- moodle 
 CVE-2024-25982 (The link to update all installed language packs did not 
include the ne ...)
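Review bot: the `- undertow` line records no fixed version and no per-release (`[bookworm]`, `[bullseye]`) assessment, so the entry will show as open in every suite; the other entries in this series carry a Debian bug reference, so add `(bug #NNNN)` once one is filed, and a NOTE with the upstream fix commit when it is known, as the dav1d and node-undici entries do.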



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e58baf3746cef43a299e7f82bfcea5e681339f0e

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Claim bind9 in dla-needed.txt

2024-02-19 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
033d9d04 by Santiago Ruano Rincón at 2024-02-19T19:14:36-03:00
Claim bind9 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -34,7 +34,7 @@ atril
   NOTE: 20240121: Added by Front-Desk (apo)
   NOTE: 20240121: Decide whether it makes sense to disable comic feature or 
use libarchive instead.
 --
-bind9
+bind9 (santiago)
   NOTE: 20240218: Added by Front-Desk (lamby)
   NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 
CVE-2023-5679 already fixed in bullseye. (lamby)
 --
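Review bot: the claim adds `(santiago)` but no dated `NOTE: 20240219:` line, which is the convention the surrounding entries use to record each step (see the two 20240218 lines just above); a note stating which of the listed CVEs are still open for the LTS release would let Front-Desk follow progress without reading git log.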



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/033d9d0433aa62d22cfcf13e11ed1c51478c0bf2



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-24758/node-undici

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1b250937 by Salvatore Bonaccorso at 2024-02-19T22:41:28+01:00
Add Debian bug reference for CVE-2024-24758/node-undici

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -91,7 +91,7 @@ CVE-2024-25113
 CVE-2024-25083 (An issue was discovered in BeyondTrust Privilege Management 
for Window ...)
NOT-FOR-US: BeyondTrust
 CVE-2024-24758 (Undici is an HTTP/1.1 client, written from scratch for 
Node.js. Undici ...)
-   - node-undici 
+   - node-undici  (bug #1064312)
[bookworm] - node-undici  (Minor issue)
NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
NOTE: 
https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef
 (v6.6.1)
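Review bot: the `[bookworm] - node-undici  (Minor issue)` line shows a double space where the tracker syntax puts a status keyword such as `<no-dsa>` between the package name and the reason; it was most likely stripped when the mail was rendered, but verify it is present in the committed file, otherwise the bookworm entry is malformed. The NOTE tags the fix as (v6.6.1), so the unfixed `- node-undici` line can take a version as soon as that release or a backport is uploaded.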



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b250937aa0b69e7ddcb25081202ab5db1ab0032



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-1580/dav1d

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8357803c by Salvatore Bonaccorso at 2024-02-19T22:40:05+01:00
Add Debian bug reference for CVE-2024-1580/dav1d

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29,7 +29,7 @@ CVE-2024-1633 (During the secure boot, bl2 (the second stage 
of the bootloader)
 CVE-2024-1597 (pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject 
SQL if u ...)
TODO: check
 CVE-2024-1580 (An integer overflow in dav1d AV1 decoder that can occur when 
decoding  ...)
-   - dav1d 
+   - dav1d  (bug #1064310)
NOTE: 
https://code.videolan.org/videolan/dav1d/commit/2b475307dc11be9a1c3cc4358102c76a7f386a51
 (1.4.0)
 CVE-2024-1346 (Weak MySQL database root password in LaborOfficeFree affects 
version 1 ...)
NOT-FOR-US: LaborOfficeFree
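Review bot: bug #1064310 is added, but there is still no `[bookworm]`/`[bullseye]` line for dav1d, unlike the node-undici entry committed one minute later; an integer overflow in a video decoder reachable through media players needs an explicit DSA or no-dsa decision per release rather than being left implicitly open.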



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8357803c76d49329a2360b24d39897ce0a9b0637



[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2023-45918

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1240b341 by Salvatore Bonaccorso at 2024-02-19T21:39:07+01:00
Add additional reference for CVE-2023-45918

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -247,6 +247,7 @@ CVE-2023-50951 (IBM QRadar Suite 1.10.12.0 through 
1.10.17.0 and IBM Cloud Pak f
 CVE-2023-45918 (ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr 
in tinf ...)
- ncurses 6.4+20230625-1
NOTE: 
https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg5.html
+   NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20230615
NOTE: Fixed in ncurses-6.4-20230615 patchlevel
 CVE-2023-31728 (Teltonika RUT240 devices with firmware before 07.04.2, when 
bridge mod ...)
NOT-FOR-US: Teltonika RUT240 devices
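Review bot: the NEWS anchor (`index-t20230615`) and the `Fixed in ncurses-6.4-20230615 patchlevel` NOTE agree, and the recorded fixed Debian version 6.4+20230625-1 is a later patchlevel than the fix, which makes the reference useful; what is still missing is a `[bookworm]`/`[bullseye]` line, since both ship ncurses older than the 20230615 patchlevel and the entry as written leaves them open without an assessment.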



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1240b34196460875e938eb849e008be704ad6346



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-45918/ncurses

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
df5c2ee5 by Salvatore Bonaccorso at 2024-02-19T21:37:38+01:00
Add CVE-2023-45918/ncurses

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -245,7 +245,9 @@ CVE-2023-52097 (Vulnerability of foreground service 
restrictions being bypassed
 CVE-2023-50951 (IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak 
for Sec ...)
NOT-FOR-US: IBM
 CVE-2023-45918 (ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr 
in tinf ...)
-   TODO: check
+   - ncurses 6.4+20230625-1
+   NOTE: 
https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg5.html
+   NOTE: Fixed in ncurses-6.4-20230615 patchlevel
 CVE-2023-31728 (Teltonika RUT240 devices with firmware before 07.04.2, when 
bridge mod ...)
NOT-FOR-US: Teltonika RUT240 devices
 CVE-2022-48621 (Vulnerability of missing authentication for critical functions 
in the  ...)
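Review bot: the bug-ncurses archive URL ends in `msg5.html`; GNU list archives number messages with five digits (`msg00005.html`), so check that the link resolves before anyone relies on it from the tracker.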



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df5c2ee53308bd014f1a1314a97f4645bc424fdd



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-1580/dav1d

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7e53e2f by Salvatore Bonaccorso at 2024-02-19T21:32:57+01:00
Add CVE-2024-1580/dav1d

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29,7 +29,8 @@ CVE-2024-1633 (During the secure boot, bl2 (the second stage 
of the bootloader)
 CVE-2024-1597 (pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject 
SQL if u ...)
TODO: check
 CVE-2024-1580 (An integer overflow in dav1d AV1 decoder that can occur when 
decoding  ...)
-   TODO: check
+   - dav1d 
+   NOTE: 
https://code.videolan.org/videolan/dav1d/commit/2b475307dc11be9a1c3cc4358102c76a7f386a51
 (1.4.0)
 CVE-2024-1346 (Weak MySQL database root password in LaborOfficeFree affects 
version 1 ...)
NOT-FOR-US: LaborOfficeFree
 CVE-2024-1345 (Weak MySQL database root password in LaborOfficeFree affects 
version 1 ...)
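Review bot: the NOTE records only the fixing commit (1.4.0); recording the introducing commit as well, the way the libuv and curl entries in this series do with paired `Introduced by:`/`Fixed by:` notes, is what determines whether the older dav1d in bullseye and bookworm carries the overflow, and avoids guessing when the per-release lines are added.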



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7e53e2fb89dbfe974eb6afecf739c70a8bd7e90



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-25623/mastodon

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52ab11ec by Salvatore Bonaccorso at 2024-02-19T21:31:24+01:00
Add CVE-2024-25623/mastodon

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23,7 +23,7 @@ CVE-2024-25626 (Yocto Project is an open source collaboration 
project that helps
 CVE-2024-25625 (Pimcore's Admin Classic Bundle provides a Backend UI for 
Pimcore. A po ...)
NOT-FOR-US: Pimcore's Admin Classic Bundle
 CVE-2024-25623 (Mastodon is a free, open-source social network server based on 
Activit ...)
-   TODO: check
+   - mastodon  (bug #859741)
 CVE-2024-1633 (During the secure boot, bl2 (the second stage of the 
bootloader) loops ...)
TODO: check
 CVE-2024-1597 (pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject 
SQL if u ...)
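Review bot: bug #859741 is several years older than the CVE, which suggests it is the mastodon ITP/RFP bug rather than a report about this issue; if so the tracker syntax is `- mastodon <itp> (bug #859741)`, and the double space before `(bug` hints that an `<itp>` keyword was present but lost in rendering. Verify the committed line, because without the keyword the entry reads as an unfixed packaged source.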



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52ab11ecf173d06873c0d8e7910ed96b28267b11



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c774c806 by Salvatore Bonaccorso at 2024-02-19T21:27:26+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11,17 +11,17 @@ CVE-2024-25979 (The URL parameters accepted by forum search 
were not limited to
 CVE-2024-25978 (Insufficient file size checks resulted in a denial of service 
risk in  ...)
- moodle 
 CVE-2024-25640 (Iris is a web collaborative platform that helps incident 
responders sh ...)
-   TODO: check
+   NOT-FOR-US: Iris
 CVE-2024-25636 (Misskey is an open source, decentralized social media platform 
with Ac ...)
-   TODO: check
+   NOT-FOR-US: Misskey
 CVE-2024-25635 (alf.io is an open source ticket reservation system. Prior to 
version 2 ...)
-   TODO: check
+   NOT-FOR-US: Alf.io
 CVE-2024-25634 (alf.io is an open source ticket reservation system. Prior to 
version 2 ...)
-   TODO: check
+   NOT-FOR-US: Alf.io
 CVE-2024-25626 (Yocto Project is an open source collaboration project that 
helps devel ...)
TODO: check
 CVE-2024-25625 (Pimcore's Admin Classic Bundle provides a Backend UI for 
Pimcore. A po ...)
-   TODO: check
+   NOT-FOR-US: Pimcore's Admin Classic Bundle
 CVE-2024-25623 (Mastodon is a free, open-source social network server based on 
Activit ...)
TODO: check
 CVE-2024-1633 (During the secure boot, bl2 (the second stage of the 
bootloader) loops ...)
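Review bot: `NOT-FOR-US: Alf.io` capitalises the project differently from the CVE text (`alf.io`); the name after NOT-FOR-US is what people grep for, so keep it as upstream spells it, as done for Iris, Misskey and Pimcore in the same hunk.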
@@ -31,13 +31,13 @@ CVE-2024-1597 (pgjdbc, the PostgreSQL JDBC Driver, allows 
attacker to inject SQL
 CVE-2024-1580 (An integer overflow in dav1d AV1 decoder that can occur when 
decoding  ...)
TODO: check
 CVE-2024-1346 (Weak MySQL database root password in LaborOfficeFree affects 
version 1 ...)
-   TODO: check
+   NOT-FOR-US: LaborOfficeFree
 CVE-2024-1345 (Weak MySQL database root password in LaborOfficeFree affects 
version 1 ...)
-   TODO: check
+   NOT-FOR-US: LaborOfficeFree
 CVE-2024-1344 (Encrypted database credentials in LaborOfficeFree affecting 
version 19 ...)
-   TODO: check
+   NOT-FOR-US: LaborOfficeFree
 CVE-2024-1343 (A weak permission was found in the backup directory in 
LaborOfficeFree ...)
-   TODO: check
+   NOT-FOR-US: LaborOfficeFree
 CVE-2023-50257 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation 
of the  ...)
TODO: check
 CVE-2024-26308 (Allocation of Resources Without Limits or Throttling 
vulnerability in  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c774c80666087256f3112fae03936572cba64324



[Git][security-tracker-team/security-tracker][master] Process some new moodle issues

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b7dc2756 by Salvatore Bonaccorso at 2024-02-19T21:18:02+01:00
Process some new moodle issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,15 +1,15 @@
 CVE-2024-25983 (Insufficient checks in a web service made it possible to add 
comments  ...)
-   TODO: check
+   - moodle 
 CVE-2024-25982 (The link to update all installed language packs did not 
include the ne ...)
-   TODO: check
+   - moodle 
 CVE-2024-25981 (Separate Groups mode restrictions were not honored when 
performing a f ...)
-   TODO: check
+   - moodle 
 CVE-2024-25980 (Separate Groups mode restrictions were not honored in the H5P 
attempts ...)
-   TODO: check
+   - moodle 
 CVE-2024-25979 (The URL parameters accepted by forum search were not limited 
to the al ...)
-   TODO: check
+   - moodle 
 CVE-2024-25978 (Insufficient file size checks resulted in a denial of service 
risk in  ...)
-   TODO: check
+   - moodle 
 CVE-2024-25640 (Iris is a web collaborative platform that helps incident 
responders sh ...)
TODO: check
 CVE-2024-25636 (Misskey is an open source, decentralized social media platform 
with Ac ...)
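Review bot: all six moodle entries get the same `- moodle` line without a version or any `[bookworm]`/`[bullseye]` annotation; the status keyword that normally follows the package name is not visible in the rendered mail, so verify the committed lines carry one (for instance `<unfixed>` or `<removed>`), otherwise the tracker will count six new open issues against unstable.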



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7dc2756d717b4413eccc0f9d12415ea7aedf359



[Git][security-tracker-team/security-tracker][master] automatic update

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
56db434c by security tracker role at 2024-02-19T20:12:23+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,10 +1,52 @@
-CVE-2024-26308 [Apache Commons Compress: OutOfMemoryError unpacking broken 
Pack200 file]
+CVE-2024-25983 (Insufficient checks in a web service made it possible to add 
comments  ...)
+   TODO: check
+CVE-2024-25982 (The link to update all installed language packs did not 
include the ne ...)
+   TODO: check
+CVE-2024-25981 (Separate Groups mode restrictions were not honored when 
performing a f ...)
+   TODO: check
+CVE-2024-25980 (Separate Groups mode restrictions were not honored in the H5P 
attempts ...)
+   TODO: check
+CVE-2024-25979 (The URL parameters accepted by forum search were not limited 
to the al ...)
+   TODO: check
+CVE-2024-25978 (Insufficient file size checks resulted in a denial of service 
risk in  ...)
+   TODO: check
+CVE-2024-25640 (Iris is a web collaborative platform that helps incident 
responders sh ...)
+   TODO: check
+CVE-2024-25636 (Misskey is an open source, decentralized social media platform 
with Ac ...)
+   TODO: check
+CVE-2024-25635 (alf.io is an open source ticket reservation system. Prior to 
version 2 ...)
+   TODO: check
+CVE-2024-25634 (alf.io is an open source ticket reservation system. Prior to 
version 2 ...)
+   TODO: check
+CVE-2024-25626 (Yocto Project is an open source collaboration project that 
helps devel ...)
+   TODO: check
+CVE-2024-25625 (Pimcore's Admin Classic Bundle provides a Backend UI for 
Pimcore. A po ...)
+   TODO: check
+CVE-2024-25623 (Mastodon is a free, open-source social network server based on 
Activit ...)
+   TODO: check
+CVE-2024-1633 (During the secure boot, bl2 (the second stage of the 
bootloader) loops ...)
+   TODO: check
+CVE-2024-1597 (pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject 
SQL if u ...)
+   TODO: check
+CVE-2024-1580 (An integer overflow in dav1d AV1 decoder that can occur when 
decoding  ...)
+   TODO: check
+CVE-2024-1346 (Weak MySQL database root password in LaborOfficeFree affects 
version 1 ...)
+   TODO: check
+CVE-2024-1345 (Weak MySQL database root password in LaborOfficeFree affects 
version 1 ...)
+   TODO: check
+CVE-2024-1344 (Encrypted database credentials in LaborOfficeFree affecting 
version 19 ...)
+   TODO: check
+CVE-2024-1343 (A weak permission was found in the backup directory in 
LaborOfficeFree ...)
+   TODO: check
+CVE-2023-50257 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation 
of the  ...)
+   TODO: check
+CVE-2024-26308 (Allocation of Resources Without Limits or Throttling 
vulnerability in  ...)
- libcommons-compress-java 
[bookworm] - libcommons-compress-java  (Minor issue)
[bullseye] - libcommons-compress-java  (Vulnerable code 
introduced later)
[buster] - libcommons-compress-java  (Vulnerable code 
introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/2
-CVE-2024-25710 [Apache Commons Compress: Denial of service caused by an 
infinite loop for a corrupted DUMP file]
+CVE-2024-25710 (Loop with Unreachable Exit Condition ('Infinite Loop') 
vulnerability i ...)
- libcommons-compress-java 
[bookworm] - libcommons-compress-java  (Minor issue)
[bullseye] - libcommons-compress-java  (Minor issue)
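Review bot: the automatic update replaces the hand-written bracketed titles (`[Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file]`, `[... infinite loop for a corrupted DUMP file]`) with the truncated MITRE descriptions, which name only the CWE; the affected format (Pack200, DUMP) is the detail a maintainer triaging bullseye or buster needs, so preserve it in a NOTE line. The 21 new `TODO: check` entries are the expected result of the feed import and are worked through in the follow-up commits.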
@@ -3499,7 +3541,7 @@ CVE-2024-0853 (curl inadvertently kept the SSL session ID 
for connections in its
NOTE: Introduced by: 
https://github.com/curl/curl/commit/395365ad2d9a6c3f1a35d5e268a6af2824129832 
(curl-8_5_0)
NOTE: Fixed by: 
https://github.com/curl/curl/commit/c28e9478cb2548848eca9b765d0d409bfb18668c 
(curl-8_6_0)
 CVE-2024-21626 (runc is a CLI tool for spawning and running containers on 
Linux accord ...)
-   {DSA-5615-1}
+   {DSA-5615-1 DLA-3735-1}
- runc 1.1.12+ds1-1 (bug #1062532)
NOTE: https://www.openwall.com/lists/oss-security/2024/01/31/6
NOTE: 
https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
@@ -161701,7 +161743,7 @@ CVE-2021-43786 (Nodebb is an open source Node.js 
based forum software. In affect
 CVE-2021-43785 (@joeattardi/emoji-button is a Vanilla JavaScript emoji picker 
componen ...)
NOT-FOR-US: @joeattardi/emoji-button
 CVE-2021-43784 (runc is a CLI tool for spawning and running containers on 
Linux accord ...)
-   {DLA-2841-1}
+   {DLA-3735-1 DLA-2841-1}
- runc 1.0.3+ds1-1
[bullseye] - runc  (Minor issue; not exploitable in 1.0.0)
NOTE: 
https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f
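Review bot: DLA-3735-1 is prepended before DLA-2841-1 here but appended after DSA-5615-1 in the CVE-2024-21626 hunk above; pick one order for the brace lists (chronological is the usual one) so the two runc entries fixed by the same DLA don't read differently.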



View it on GitLab: 

[Git][security-tracker-team/security-tracker][master] CVE-2023-5388/nss Add upstream patch reference.

2024-02-19 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dcbb8807 by Tobias Frost at 2024-02-19T20:56:17+01:00
CVE-2023-5388/nss Add upstream patch reference.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21838,6 +21838,7 @@ CVE-2023-5388
[buster] - nss  (Minor issue)
NOTE: https://people.redhat.com/~hkario/marvin/
NOTE: Vendor patch (Rocky Linux, not upstreamed): 
https://git.rockylinux.org/staging/rpms/nss/-/commit/1f7f7523b61a2ada2f461548c4160fbbf979c5dd
+   NOTE: Upstream patch: 
https://hg.mozilla.org/projects/nss/rev/196716d8377ab427e326f20bff2d026e90ac69e2
 CVE-2023-5551 (Separate Groups mode restrictions were not honoured in the 
forum summa ...)
- moodle 
 CVE-2023-5550 (In a shared hosting environment that has been misconfigured to 
allow a ...)
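Review bot: the existing NOTE still says `Vendor patch (Rocky Linux, not upstreamed)` while the new NOTE adds an upstream patch; amend the earlier note (or state whether the Rocky change and the hg.mozilla.org revision are the same patch) so the two lines don't contradict each other, since `not upstreamed` is exactly the remark a backporter acts on.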



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcbb8807d29463a00abc65b5e8d85a626f94d2fe



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-48624/less

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e699dbe by Salvatore Bonaccorso at 2024-02-19T20:41:17+01:00
Add Debian bug reference for CVE-2022-48624/less

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24,7 +24,7 @@ CVE-2024-26318 (Serenity before 6.8.0 allows XSS via an email 
link because Login
 CVE-2024-24722 (An unquoted service path vulnerability in the 12d Synergy 
Server and F ...)
NOT-FOR-US: 12d Synergy Server
 CVE-2022-48624 (close_altfile in filename.c in less before 606 omits 
shell_quote calls ...)
-   - less 
+   - less  (bug #1064293)
[bookworm] - less  (Minor issue)
[bullseye] - less  (Minor issue)
NOTE: 
https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144 
(v606)
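Review bot: the bug reference goes on the unfixed `- less` line while bookworm and bullseye stay `(Minor issue)`; since the CVE is about close_altfile omitting shell_quote, that is, a filename reaching a shell, a NOTE stating why it is minor (for example which configuration, such as LESSCLOSE, is needed to reach the code) would make the no-dsa decision reviewable later.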



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e699dbea7434d6a6679a8e3f7415caa3b2ec1ce



[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-26308

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1978b00d by Salvatore Bonaccorso at 2024-02-19T20:38:28+01:00
Update status for CVE-2024-26308

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,8 @@
 CVE-2024-26308 [Apache Commons Compress: OutOfMemoryError unpacking broken 
Pack200 file]
- libcommons-compress-java 
[bookworm] - libcommons-compress-java  (Minor issue)
-   [bullseye] - libcommons-compress-java  (Minor issue)
+   [bullseye] - libcommons-compress-java  (Vulnerable code 
introduced later)
+   [buster] - libcommons-compress-java  (Vulnerable code 
introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/2
 CVE-2024-25710 [Apache Commons Compress: Denial of service caused by an 
infinite loop for a corrupted DUMP file]
- libcommons-compress-java 
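Review bot: `Vulnerable code introduced later` is the reason text that goes with a `<not-affected>` status, whereas the replaced bullseye line was a no-dsa `(Minor issue)`; the status keyword is not visible in the rendered mail, so verify it was changed along with the reason, otherwise bullseye and buster would stay marked no-dsa for code they don't contain. The sibling CVE-2024-25710 entry keeps bullseye at `(Minor issue)`, so the two Commons Compress issues now deliberately differ; a NOTE naming the upstream change that introduced the Pack200 code would make that difference checkable.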



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1978b00dac3f4b6b274b516eba0ae78444dfe584



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2024-02-19 Thread @roberto


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5f7e3e98 by Roberto C. Sánchez at 2024-02-19T12:47:23-05:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Roberto C. Sánchez robe...@connexer.com

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -60,7 +60,7 @@ cinder
 composer (rouca)
   NOTE: 20240209: Added by Front-Desk (utkarsh)
 --
-curl (rouca)
+curl
   NOTE: 20231229: Added by Front-Desk (lamby)
   NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. 
(lamby)
   NOTE: https://salsa.debian.org/debian/curl/-/merge_requests/21
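Review bot: the unclaim drops `(rouca)` without a dated NOTE, so the next person has to reconstruct from git log that the merge request linked in the last NOTE may hold partially done work; the file's convention is one `NOTE: YYYYMMDD:` line per event, and a `NOTE: 20240219: unclaimed after 2 weeks of inactivity` would keep that history in the file itself.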
@@ -153,7 +153,7 @@ libreswan
   NOTE: 20230909: all due to code refactoring. I intend to package the version
   NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the 
fix. (apo)
 --
-libssh (Sean Whitton)
+libssh
   NOTE: 20231219: Added by Front-Desk (ta)
   NOTE: 20240111: Still working on backporting the patches (spwhitton).
 --
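Review bot: the last NOTE (20240111) records that spwhitton was still backporting the patches; unclaiming libssh after two weeks of silence follows the policy in the commit message, but the entry gives a later claimant no pointer to that partial backport, so ask for the branch or patch set to be attached before the claim is released.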
@@ -208,11 +208,11 @@ putty
   NOTE: 20231224: Added by Front-Desk (ta)
   NOTE: 20230104: massive code change against bullseye. May be better to 
backport bullseye (rouca)
 --
-python-asyncssh (dleidert)
+python-asyncssh
   NOTE: 20240116: Added by Front-Desk (lamby)
   NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and 
in Git, but one test is failing. Waiting for feedback before release. (dleidert)
 --
-python-django (Chris Lamb)
+python-django
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists 
(Beuc/front-desk)
   NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & 
CVE-2021-33571. (lamby)
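Review bot: python-asyncssh's 20240131 NOTE says the CVE-2023-46445/CVE-2023-46446 backport is in Git with one failing test and is waiting for feedback; an unclaim 19 days later risks that nearly finished work being redone, so a short NOTE naming the Git branch and the failing test would let whoever picks it up continue instead of restarting. The python-django unclaim has the same gap: the four no-dsa CVEs are enumerated but no note says whether any fix was started.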



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f7e3e98d43ed2c4ec3281ff929ce4a56bc52130



[Git][security-tracker-team/security-tracker][master] libuv1 fixed in sid

2024-02-19 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
406e8e91 by Moritz Muehlenhoff at 2024-02-19T17:28:03+01:00
libuv1 fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1993,7 +1993,7 @@ CVE-2024-25146 (Liferay Portal 7.2.0 through 7.4.1, and 
older unsupported versio
 CVE-2024-25144 (The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, 
and older  ...)
NOT-FOR-US: Liferay Portal
 CVE-2024-24806 (libuv is a multi-platform support library with a focus on 
asynchronous ...)
-   - libuv1  (bug #1063484)
+   - libuv1 1.48.0-1 (bug #1063484)
NOTE: 
https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
NOTE: Introduced by: 
https://github.com/libuv/libuv/commit/6dd44caa35b4697d7e8c1b9fa0ba8e95d73355de 
(v1.24.0)
NOTE: Fixed by: 
https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629 
(v1.48.0)
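Review bot: the fixed version 1.48.0-1 is recorded, but there is still no `[bookworm]`/`[bullseye]` line; the `Introduced by:` NOTE places the bug at v1.24.0, so every release that ships a newer libuv than that contains the vulnerable code and needs an explicit DSA or no-dsa decision rather than remaining implicitly open.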



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/406e8e9190b66733cd56f79752139baadeac3966



[Git][security-tracker-team/security-tracker][master] NFUs

2024-02-19 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
665fd4d0 by Moritz Muehlenhoff at 2024-02-19T16:56:11+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,9 +19,9 @@ CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 
8.2.1. register_vf
- qemu 
NOTE: 
https://lore.kernel.org/all/20240214-reuse-v4-5-89ad093a07f4%40daynix.com/
 CVE-2024-26318 (Serenity before 6.8.0 allows XSS via an email link because 
LoginPage.t ...)
-   TODO: check
+   NOT-FOR-US: Serenity
 CVE-2024-24722 (An unquoted service path vulnerability in the 12d Synergy 
Server and F ...)
-   TODO: check
+   NOT-FOR-US: 12d Synergy Server
 CVE-2022-48624 (close_altfile in filename.c in less before 606 omits 
shell_quote calls ...)
- less 
[bookworm] - less  (Minor issue)
@@ -71,23 +71,23 @@ CVE-2024-21984 (StorageGRID (formerly StorageGRID Webscale) 
versions prior to 11
 CVE-2024-21983 (StorageGRID (formerly StorageGRID Webscale) versions prior to 
11.8  ar ...)
NOT-FOR-US: StorageGRID
 CVE-2024-21500 (All versions of the package github.com/greenpau/caddy-security 
are vul ...)
-   TODO: check
+   NOT-FOR-US: caddy-security (addon for src:caddy)
 CVE-2024-21499 (All versions of the package github.com/greenpau/caddy-security 
are vul ...)
-   TODO: check
+   NOT-FOR-US: caddy-security (addon for src:caddy)
 CVE-2024-21498 (All versions of the package github.com/greenpau/caddy-security 
are vul ...)
-   TODO: check
+   NOT-FOR-US: caddy-security (addon for src:caddy)
 CVE-2024-21497 (All versions of the package github.com/greenpau/caddy-security 
are vul ...)
-   TODO: check
+   NOT-FOR-US: caddy-security (addon for src:caddy)
 CVE-2024-21496 (All versions of the package github.com/greenpau/caddy-security 
are vul ...)
-   TODO: check
+   NOT-FOR-US: caddy-security (addon for src:caddy)
 CVE-2024-21495 (Versions of the package github.com/greenpau/caddy-security 
before 1.0. ...)
-   TODO: check
+   NOT-FOR-US: caddy-security (addon for src:caddy)
 CVE-2024-21494 (All versions of the package github.com/greenpau/caddy-security 
are vul ...)
-   TODO: check
+   NOT-FOR-US: caddy-security (addon for src:caddy)
 CVE-2024-21493 (All versions of the package github.com/greenpau/caddy-security 
are vul ...)
-   TODO: check
+   NOT-FOR-US: caddy-security (addon for src:caddy)
 CVE-2024-21492 (All versions of the package github.com/greenpau/caddy-security 
are vul ...)
-   TODO: check
+   NOT-FOR-US: caddy-security (addon for src:caddy)
 CVE-2024-20986 (Vulnerability in the Oracle WebLogic Server product of Oracle 
Fusion M ...)
NOT-FOR-US: Oracle
 CVE-2024-20980 (Vulnerability in the Oracle BI Publisher product of Oracle 
Analytics ( ...)
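Review bot: the nine caddy-security entries (CVE-2024-21492 through CVE-2024-21500) are all closed as 'NOT-FOR-US: caddy-security (addon for src:caddy)', which is only correct as long as src:caddy in the archive does not vendor github.com/greenpau/caddy-security; recording that check in the note (for example 'not bundled in src:caddy') would keep these nine CVEs from being re-examined every time the caddy package is updated.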
@@ -143,11 +143,11 @@ CVE-2024-1512 (The MasterStudy LMS WordPress Plugin 
\u2013 for Online Courses an
 CVE-2024-0610 (The Piraeus Bank WooCommerce Payment Gateway plugin for 
WordPress is v ...)
NOT-FOR-US: WordPress Plugin
 CVE-2023-6749 (Unchecked length coming from user input in settings shell)
-   TODO: check
+   NOT-FOR-US: Zephyr RTOS (unrelated to src:zephyr)
 CVE-2023-6249 (Signed to unsigned conversion esp32_ipm_send)
-   TODO: check
+   NOT-FOR-US: Zephyr RTOS (unrelated to src:zephyr)
 CVE-2023-5779 (can: out of bounds in remove_rx_filter function)
-   TODO: check
+   NOT-FOR-US: Zephyr RTOS (unrelated to src:zephyr)
 CVE-2023-52387 (Resource reuse vulnerability in the GPU module. Successful 
exploitatio ...)
NOT-FOR-US: Huawei
 CVE-2023-52381 (Script injection vulnerability in the email module.Successful 
exploita ...)
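Review bot: the '(unrelated to src:zephyr)' qualifier on the three Zephyr RTOS entries (CVE-2023-6749, CVE-2023-6249, CVE-2023-5779) is worth keeping for every future Zephyr NFU, because the CVE descriptions ('Unchecked length coming from user input in settings shell', 'can: out of bounds in remove_rx_filter function') carry no project name and a bare 'Zephyr' note would be matched against the unrelated src:zephyr package.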



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/665fd4d039f5e19870f0d0ba30d2a06551f23246



[Git][security-tracker-team/security-tracker][master] new libcommons-compress-java issues

2024-02-19 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
94b3e87d by Moritz Muehlenhoff at 2024-02-19T16:15:56+01:00
new libcommons-compress-java issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,13 @@
+CVE-2024-26308 [Apache Commons Compress: OutOfMemoryError unpacking broken 
Pack200 file]
+   - libcommons-compress-java 
+   [bookworm] - libcommons-compress-java  (Minor issue)
+   [bullseye] - libcommons-compress-java  (Minor issue)
+   NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/2
+CVE-2024-25710 [Apache Commons Compress: Denial of service caused by an 
infinite loop for a corrupted DUMP file]
+   - libcommons-compress-java 
+   [bookworm] - libcommons-compress-java  (Minor issue)
+   [bullseye] - libcommons-compress-java  (Minor issue)
+   NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/1
 CVE-2024-23114
NOT-FOR-US: Apache Camel
 CVE-2024-22369
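Review bot: both new entries (CVE-2024-26308, CVE-2024-25710) list libcommons-compress-java with an empty fixed-version field and with [bookworm] and [bullseye] already marked 'Minor issue', but carry no bug number and no upstream fix reference beyond the two oss-security posts; adding the fixing upstream commit as a NOTE and a '(bug #NNNN)' marker in the form the plasma-workspace entry elsewhere in this digest uses would let the unstable version be filled in when the package is uploaded.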



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94b3e87d3fd723101d88a09ad79b38e0897f800b



[Git][security-tracker-team/security-tracker][master] NFUs

2024-02-19 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
835024bc by Moritz Muehlenhoff at 2024-02-19T16:03:54+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2024-23114
+   NOT-FOR-US: Apache Camel
+CVE-2024-22369
+   NOT-FOR-US: Apache Camel
 CVE-2024-26328 (An issue was discovered in QEMU 7.1.0 through 8.2.1. 
register_vfs in h ...)
- qemu 
NOTE: 
https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org
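Review bot: CVE-2024-23114 and CVE-2024-22369 are added without any description, unlike every other data/CVE/list entry in this digest; the entries work as-is, but a short bracketed summary (as in the libcommons-compress-java commit) would make the 'NOT-FOR-US: Apache Camel' decision verifiable without opening the CVE.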



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/835024bcb149a6d4a2dd3c2df1a821342c9c268e



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim iwd.

2024-02-19 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3eef94d6 by Chris Lamb at 2024-02-19T14:33:37+00:00
data/dla-needed.txt: Claim iwd.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -127,7 +127,7 @@ imagemagick
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs 
(Beuc/front-desk)
   NOTE: 20231014: Some work under git branch debian/buster but unease
 --
-iwd
+iwd (Chris Lamb)
   NOTE: 20240218: Added by Front-Desk (lamby)
 --
 jenkins-htmlunit-core-js
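Review bot: the claim is recorded as 'iwd (Chris Lamb)' while the NOTE directly beneath it uses the short handle '(lamby)', and other claims in this file use handles such as '(dleidert)'; using the same handle in the claim keeps grep-based lookups of who holds a package consistent.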



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3eef94d60a4b05b7633bdb320f7507820486



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-02-19 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
666a81a2 by Moritz Muehlenhoff at 2024-02-19T14:28:13+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -10,6 +10,8 @@ CVE-2024-24722 (An unquoted service path vulnerability in the 
12d Synergy Server
TODO: check
 CVE-2022-48624 (close_altfile in filename.c in less before 606 omits 
shell_quote calls ...)
- less 
+   [bookworm] - less  (Minor issue)
+   [bullseye] - less  (Minor issue)
NOTE: 
https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144 
(v606)
 CVE-2020-36774 (plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 
3.39.x b ...)
- glade 3.38.2-1
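Review bot: the [bookworm] and [bullseye] 'Minor issue' postponements for CVE-2022-48624 are added while the unstable line '- less ' still has no fixed version; the upstream commit is referenced as (v606), so the sid version should be filled in once less 606 or a patched package is uploaded, otherwise the tracker keeps the issue open for unstable with no pointer to the pending upload.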
@@ -32,6 +34,7 @@ CVE-2024-25083 (An issue was discovered in BeyondTrust 
Privilege Management for
NOT-FOR-US: BeyondTrust
 CVE-2024-24758 (Undici is an HTTP/1.1 client, written from scratch for 
Node.js. Undici ...)
- node-undici 
+   [bookworm] - node-undici  (Minor issue)
NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
NOTE: 
https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef
 (v6.6.1)
NOTE: 
https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458
 (v5.28.3)
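Review bot: only [bookworm] is tagged for node-undici (CVE-2024-24758), whereas the less and plasma-workspace entries in this same commit tag both bookworm and bullseye; if node-undici is not present in bullseye that is fine, otherwise a '[bullseye] - node-undici (Minor issue)' line is missing.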
@@ -1474,6 +1477,8 @@ CVE-2024-23513 (Deserialization of Untrusted Data 
vulnerability in PropertyHive.
NOT-FOR-US: WordPress plugin
 CVE-2024-1433 (A vulnerability, which was classified as problematic, was found 
in KDE ...)
- plasma-workspace  (bug #1064063)
+   [bookworm] - plasma-workspace  (Minor issue)
+   [bullseye] - plasma-workspace  (Minor issue)
NOTE: 
https://github.com/KDE/plasma-workspace/commit/6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01
 CVE-2023-52429 (dm_table_create in drivers/md/dm-table.c in the Linux kernel 
through 6 ...)
- linux 


=
data/dsa-needed.txt
=
@@ -95,5 +95,7 @@ squid (apo)
 --
 varnish
 --
+wpa
+--
 zabbix
 --
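Review bot: 'wpa' is added to dsa-needed.txt with no claimant and no NOTE saying which CVE(s) the DSA is meant to cover; the dla-needed.txt entries in this digest all carry a dated 'Added by Front-Desk' NOTE, and a similar line here listing the CVE ids would tell whoever picks the package up what the scope of the update is.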



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/666a81a2fbf3e5b35caf41d48a4d0358fd85e64f



[Git][security-tracker-team/security-tracker][master] dla: update cacti status

2024-02-19 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
23fa34c5 by Sylvain Beucler at 2024-02-19T11:22:35+01:00
dla: update cacti status

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,6 +46,7 @@ cacti (Sylvain Beucler)
   NOTE: 20240112: No progress as I've been busy on other tasks, but all bugs 
are minor so far (Beuc)
   NOTE: 20240123: Backport patches, report duplicate to MITRE (CVE-2023-50569) 
(Beuc)
   NOTE: 20240131: Tidy 
https://salsa.debian.org/debian/cacti/-/tree/buster?ref_type=heads (Beuc)
+  NOTE: 20240219: Backport patches, update patch commits (Beuc)
 --
 cairosvg
   NOTE: 20230323: Added by Front-Desk (gladk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23fa34c55e30baa5a17bcafd3399ff7c0afebd5f



[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DLA-3735-1 for runc

2024-02-19 Thread Daniel Leidert (@dleidert)


Daniel Leidert pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
77e961eb by Daniel Leidert at 2024-02-19T03:04:51+01:00
Reserve DLA-3735-1 for runc

- - - - -
f20527be by Daniel Leidert at 2024-02-19T10:47:42+01:00
Merge branch master of 
salsa.debian.org:security-tracker-team/security-tracker

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -249,10 +249,12 @@ ring
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230928: will be likely hard to fix see 
https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
 --
-runc (dleidert)
+runc
   NOTE: 20240204: Added by Front-Desk (ta)
-  NOTE: 20240208: Will need 2-3 more days (dleidert)
-  NOTE: 20240211: Ready to upload, except for 
https://lists.debian.org/debian-lts/2024/02/msg00014.html - will wait 2-3 days 
(dleidert)
+  NOTE: 20240219: Complete fix for CVE-2024-21626 would require backport of
+  NOTE: 20240219: 
https://github.com/opencontainers/runc/commit/284ba3057e428f8d6c7afcc3b0ac752e525957df
 and
+  NOTE: 20240219: 
https://github.com/opencontainers/runc/commit/e9665f4d606b64bf9c4652ab2510da368bfbd951.
+  NOTE: 20240219: But it uses a link to internal/poll.IsPollDescriptor, 
introduced in Go 1.12, which I cannot backport (dleidert).
 --
 samba
   NOTE: 20230918: Added by Front-Desk (apo)
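Review bot: the rewritten runc entry drops the claimant and explains which two upstream commits are still missing for a complete CVE-2024-21626 fix, but it does not say what DLA-3735-1 (reserved for runc in this same push) actually shipped; a NOTE stating that the DLA covered the initial fix and that the entry is kept open for the remaining backport would save the next person from re-deriving that from data/DLA/list.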



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/20ce78fbefbaf1516dbd9e7d6679974b1e985dce...f20527be01dee485467e235605493d25e9e005e1



[Git][security-tracker-team/security-tracker][master] Add missing reservation for DLA-3735-1

2024-02-19 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
20ce78fb by Emilio Pozuelo Monfort at 2024-02-19T10:00:27+01:00
Add missing reservation for DLA-3735-1

https://lists.debian.org/debian-lts/2024/02/msg00016.html

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -161683,7 +161683,6 @@ CVE-2021-43784 (runc is a CLI tool for spawning and 
running containers on Linux
{DLA-2841-1}
- runc 1.0.3+ds1-1
[bullseye] - runc  (Minor issue; not exploitable in 1.0.0)
-   [buster] - runc  (Minor issue; not exploitable in 1.0.0)
NOTE: 
https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f
NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/1
NOTE: Fixed by: 
https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae
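Review bot: dropping the '[buster] - runc (Minor issue; not exploitable in 1.0.0)' line is required here, since the DLA-3735-1 entry added in the same commit lists CVE-2021-43784 as fixed in buster and the tracker would otherwise carry a postponement and a fix for the same suite; the surviving [bullseye] line keeps its 'not exploitable in 1.0.0' rationale, which remains consistent because buster shipped 1.0.0~rc6 rather than 1.0.0.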


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[19 Feb 2024] DLA-3735-1 runc - security update
+   {CVE-2021-43784 CVE-2024-21626}
+   [buster] - runc 1.0.0~rc6+dfsg1-3+deb10u3
 [17 Feb 2024] DLA-3734-1 openvswitch - security update
{CVE-2023-5366}
[buster] - openvswitch 2.10.7+ds1-0+deb10u5
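Review bot: the new DLA-3735-1 entry lists CVE-2024-21626 as fixed in runc 1.0.0~rc6+dfsg1-3+deb10u3, while the dla-needed.txt notes in this same digest say the complete fix needs two further upstream commits that could not be backported; once this line is in data/DLA/list the tracker will show buster as fixed for CVE-2024-21626, so the partial status should be recorded on the CVE entry (a NOTE, or a planned follow-up DLA) so it is not lost.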



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20ce78fbefbaf1516dbd9e7d6679974b1e985dce



[Git][security-tracker-team/security-tracker][master] Add CVE-2020-36774/glade

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c9eae18 by Salvatore Bonaccorso at 2024-02-19T09:47:41+01:00
Add CVE-2020-36774/glade

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12,7 +12,10 @@ CVE-2022-48624 (close_altfile in filename.c in less before 
606 omits shell_quote
- less 
NOTE: 
https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144 
(v606)
 CVE-2020-36774 (plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 
3.39.x b ...)
-   TODO: check
+   - glade 3.38.2-1
+   NOTE: https://gitlab.gnome.org/GNOME/glade/-/issues/479
+   NOTE: 
https://gitlab.gnome.org/GNOME/glade/-/commit/7acdd3c6f6934f47b8974ebc2190a59ea5d2ed17
 (GLADE_3_40_0)
+   NOTE: 
https://gitlab.gnome.org/GNOME/glade/-/commit/2e2475bb27f891d3ad71cbd5b7152b4751da5874
 (GLADE_3_38_1)
 CVE-2024-25628 (Alf.io is a free and open source event attendance management 
system. I ...)
NOT-FOR-US: Alf.io
 CVE-2024-25627 (Alf.io is a free and open source event attendance management 
system. A ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c9eae1828f33321eb81198b1d7868ac961bec77



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-48624/less

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1da3c125 by Salvatore Bonaccorso at 2024-02-19T09:29:42+01:00
Add CVE-2022-48624/less

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,7 +9,8 @@ CVE-2024-26318 (Serenity before 6.8.0 allows XSS via an email 
link because Login
 CVE-2024-24722 (An unquoted service path vulnerability in the 12d Synergy 
Server and F ...)
TODO: check
 CVE-2022-48624 (close_altfile in filename.c in less before 606 omits 
shell_quote calls ...)
-   TODO: check
+   - less 
+   NOTE: 
https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144 
(v606)
 CVE-2020-36774 (plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 
3.39.x b ...)
TODO: check
 CVE-2024-25628 (Alf.io is a free and open source event attendance management 
system. I ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1da3c1256e1cca8969976eedb31ec83238ea1c99



[Git][security-tracker-team/security-tracker][master] Add two new qemu issues

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
58ab2f51 by Salvatore Bonaccorso at 2024-02-19T09:26:09+01:00
Add two new qemu issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,9 @@
 CVE-2024-26328 (An issue was discovered in QEMU 7.1.0 through 8.2.1. 
register_vfs in h ...)
-   TODO: check
+   - qemu 
+   NOTE: 
https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org
 CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. 
register_vfs in h ...)
-   TODO: check
+   - qemu 
+   NOTE: 
https://lore.kernel.org/all/20240214-reuse-v4-5-89ad093a07f4%40daynix.com/
 CVE-2024-26318 (Serenity before 6.8.0 allows XSS via an email link because 
LoginPage.t ...)
TODO: check
 CVE-2024-24722 (An unquoted service path vulnerability in the 12d Synergy 
Server and F ...)
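Review bot: CVE-2024-26328 and CVE-2024-26327 are recorded for qemu with no fixed version and with NOTE references pointing at mailing-list patch postings on lore.kernel.org rather than merged commits; when the patches land upstream, the qemu.git commit ids and the release they ship in should be added, in the '(v606)'-style annotation the other entries use, so the affected-version range can be closed.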



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58ab2f5147f7401128f2ed62004a63e61f797331



[Git][security-tracker-team/security-tracker][master] automatic update

2024-02-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
89f02d79 by security tracker role at 2024-02-19T08:11:40+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,15 @@
+CVE-2024-26328 (An issue was discovered in QEMU 7.1.0 through 8.2.1. 
register_vfs in h ...)
+   TODO: check
+CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. 
register_vfs in h ...)
+   TODO: check
+CVE-2024-26318 (Serenity before 6.8.0 allows XSS via an email link because 
LoginPage.t ...)
+   TODO: check
+CVE-2024-24722 (An unquoted service path vulnerability in the 12d Synergy 
Server and F ...)
+   TODO: check
+CVE-2022-48624 (close_altfile in filename.c in less before 606 omits 
shell_quote calls ...)
+   TODO: check
+CVE-2020-36774 (plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 
3.39.x b ...)
+   TODO: check
 CVE-2024-25628 (Alf.io is a free and open source event attendance management 
system. I ...)
NOT-FOR-US: Alf.io
 CVE-2024-25627 (Alf.io is a free and open source event attendance management 
system. A ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89f02d795e083d2e5aa2a08810f557929d0ca166
