[Git][security-tracker-team/security-tracker][master] LTS: add notes on current status of libssh

2024-02-24 Thread Sean Whitton (@spwhitton)


Sean Whitton pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
73511b68 by Sean Whitton at 2024-02-25T13:50:19+08:00
LTS: add notes on current status of libssh

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -157,7 +157,14 @@ libreswan
 --
 libssh
   NOTE: 20231219: Added by Front-Desk (ta)
-  NOTE: 20240111: Still working on backporting the patches (spwhitton).
+  NOTE: 20240225: Patches backported, tests pass.  The backport should be
+  NOTE: 20240225: reviewed.  I haven't yet tested that Terrapin is actually
+  NOTE: 20240225: mitigated.  Upstream have provided some input on doing that:
+  NOTE: 20240225: .
+  NOTE: 20240225: I've asked upstream whether it's okay to restore the evp
+  NOTE: 20240225: functions and types:
+  NOTE: 20240225: 
+  NOTE: 20240225: (spwhitton).
 --
 libstb
   NOTE: 20231029: Added by Front-Desk (gladk)
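Review bot: the two 20240225 NOTE lines that were meant to carry links (the one that reads only `.` after `doing that:` and the empty one after `functions and types:`) have lost their URLs, so neither the upstream guidance on verifying the Terrapin mitigation nor the pending question about restoring the evp functions and types can be followed up from the tracker entry; please re-add both links. Since the same note says the mitigation has not actually been tested yet, it would also help to state explicitly that the backport should not be uploaded until that check is done, so the next person reading "Patches backported, tests pass" does not take the entry as ready.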



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73511b68ca05fae82cafcb5c46dcedb5c4698fcc



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-02-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eb8c85ef by Salvatore Bonaccorso at 2024-02-24T21:22:01+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,19 +1,19 @@
 CVE-2024-1758 (The SuperFaktura WooCommerce plugin for WordPress is vulnerable 
to Ser ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1710 (The Addon Library plugin for WordPress is vulnerable to 
unauthorized a ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1165 (The Brizy \u2013 Page Builder plugin for WordPress is 
vulnerable to Di ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-0243 (With the following crawler configuration:  ```python from bs4 
import B ...)
TODO: check
 CVE-2023-5775 (The BackWPup plugin for WordPress is vulnerable to Plaintext 
Storage o ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-43051 (IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable 
to cross ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-38359 (IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable 
to cross ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-32344 (IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable 
to form  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-26600 (In the Linux kernel, the following vulnerability has been 
resolved:  p ...)
- linux 
NOTE: 
https://git.kernel.org/linus/7104ba0f1958adb250319e68a15eff89ec4fd36d (6.8-rc3)
@@ -46945,7 +46945,7 @@ CVE-2023-30998
 CVE-2023-30997
RESERVED
 CVE-2023-30996 (IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 could be 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-30995 (IBM Aspera Faspex 4.0 through 4.4.2 and 5.0 through 5.0.5 
could allow  ...)
NOT-FOR-US: IBM
 CVE-2023-30994 (IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic 
algorith ...)
@@ -117828,7 +117828,7 @@ CVE-2022-34359
 CVE-2022-34358 (IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to cross-site 
scripting. Th ...)
NOT-FOR-US: IBM
 CVE-2022-34357 (IBM Cognos Analytics Mobile Server 11.1.7, 11.2.4, and 12.0.0 
is vulne ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2022-34356 (IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a 
non-privileged local ...)
NOT-FOR-US: IBM
 CVE-2022-34355 (IBM Jazz Foundation (IBM Engineering Lifecycle Management 
6.0.6, 6.0.6 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb8c85efea57f75d39680efe7a31e5c5f7076756



[Git][security-tracker-team/security-tracker][master] automatic update

2024-02-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff0d4959 by security tracker role at 2024-02-24T20:12:22+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,25 +1,41 @@
-CVE-2024-26600
+CVE-2024-1758 (The SuperFaktura WooCommerce plugin for WordPress is vulnerable 
to Ser ...)
+   TODO: check
+CVE-2024-1710 (The Addon Library plugin for WordPress is vulnerable to 
unauthorized a ...)
+   TODO: check
+CVE-2024-1165 (The Brizy \u2013 Page Builder plugin for WordPress is 
vulnerable to Di ...)
+   TODO: check
+CVE-2024-0243 (With the following crawler configuration:  ```python from bs4 
import B ...)
+   TODO: check
+CVE-2023-5775 (The BackWPup plugin for WordPress is vulnerable to Plaintext 
Storage o ...)
+   TODO: check
+CVE-2023-43051 (IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable 
to cross ...)
+   TODO: check
+CVE-2023-38359 (IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable 
to cross ...)
+   TODO: check
+CVE-2023-32344 (IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable 
to form  ...)
+   TODO: check
+CVE-2024-26600 (In the Linux kernel, the following vulnerability has been 
resolved:  p ...)
- linux 
NOTE: 
https://git.kernel.org/linus/7104ba0f1958adb250319e68a15eff89ec4fd36d (6.8-rc3)
-CVE-2024-26601
+CVE-2024-26601 (In the Linux kernel, the following vulnerability has been 
resolved:  e ...)
- linux 
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/c9b528c35795b711331ed36dc3dbee90d5812d4e (6.8-rc3)
-CVE-2024-26602
+CVE-2024-26602 (In the Linux kernel, the following vulnerability has been 
resolved:  s ...)
- linux 
NOTE: 
https://git.kernel.org/linus/944d5fe50f3f03daacfea16300e656a1691c4a23
-CVE-2024-26603
+CVE-2024-26603 (In the Linux kernel, the following vulnerability has been 
resolved:  x ...)
- linux 
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/d877550eaf2dc9090d782864c96939397a3c6835 (6.8-rc4)
-CVE-2024-26604
+CVE-2024-26604 (In the Linux kernel, the following vulnerability has been 
resolved:  R ...)
- linux 
[bookworm] - linux  (Vulnerable code not present)
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/3ca8fbabcceb8bfe44f7f50640092fd8f1de375c (6.8-rc5)
-CVE-2024-26605
+CVE-2024-26605 (In the Linux kernel, the following vulnerability has been 
resolved:  P ...)
- linux 
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
@@ -3369,6 +3385,7 @@ CVE-2024-25191 (php-jwt 1.0.0 uses strcmp (which is not 
constant time) to verify
 CVE-2024-25190 (l8w8jwt 2.2.1 uses memcmp (which is not constant time) to 
verify authe ...)
NOT-FOR-US: l8w8jwt
 CVE-2024-25189 (libjwt 1.15.3 uses strcmp (which is not constant time) to 
verify authe ...)
+   {DLA-3739-1}
[experimental] - libjwt 1.17.0-1
- libjwt 1.17.0-2 (bug #1063534)
[bookworm] - libjwt  (Minor issue)
@@ -46927,8 +46944,8 @@ CVE-2023-30998
RESERVED
 CVE-2023-30997
RESERVED
-CVE-2023-30996
-   RESERVED
+CVE-2023-30996 (IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 could be 
vulnerable to ...)
+   TODO: check
 CVE-2023-30995 (IBM Aspera Faspex 4.0 through 4.4.2 and 5.0 through 5.0.5 
could allow  ...)
NOT-FOR-US: IBM
 CVE-2023-30994 (IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic 
algorith ...)
@@ -117810,8 +117827,8 @@ CVE-2022-34359
RESERVED
 CVE-2022-34358 (IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to cross-site 
scripting. Th ...)
NOT-FOR-US: IBM
-CVE-2022-34357
-   RESERVED
+CVE-2022-34357 (IBM Cognos Analytics Mobile Server 11.1.7, 11.2.4, and 12.0.0 
is vulne ...)
+   TODO: check
 CVE-2022-34356 (IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a 
non-privileged local ...)
NOT-FOR-US: IBM
 CVE-2022-34355 (IBM Jazz Foundation (IBM Engineering Lifecycle Management 
6.0.6, 6.0.6 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff0d495981a33fe97bf42437af96ddeab27a4e24



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-25629/c-ares via unstable

2024-02-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b02d33e3 by Salvatore Bonaccorso at 2024-02-24T21:06:46+01:00
Track fixed version for CVE-2024-25629/c-ares via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -67,7 +67,7 @@ CVE-2024-25928 (Improper Neutralization of Special Elements 
used in an SQL Comma
 CVE-2024-25915 (Server-Side Request Forgery (SSRF) vulnerability in Raaj 
Trambadia Pex ...)
NOT-FOR-US: Raaj Trambadia Pexels: Free Stock Photos
 CVE-2024-25629 (c-ares is a C library for asynchronous DNS requests. 
`ares__read_line( ...)
-   - c-ares 
+   - c-ares 1.27.0-1
[bookworm] - c-ares  (Minor issue)
[bullseye] - c-ares  (Minor issue)
NOTE: 
https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b02d33e36b518b5a1691da9cd97daeae9de38a1a



[Git][security-tracker-team/security-tracker][master] take engrampa

2024-02-24 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a94a00f8 by Thorsten Alteholz at 2024-02-24T19:40:25+01:00
take engrampa

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -90,7 +90,7 @@ edk2
   NOTE: 20231230: Added by Front-Desk (lamby)
   NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release 
(lamby)
 --
-engrampa
+engrampa (Thorsten Alteholz)
   NOTE: 20240213: Added by Front-Desk (lamby)
 --
 exiftags



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a94a00f81d80fe6e88f7edcc5a44c2487da75fab



[Git][security-tracker-team/security-tracker][master] Correct tracking for CVE-2024-26601

2024-02-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f60d60bd by Salvatore Bonaccorso at 2024-02-24T19:10:49+01:00
Correct tracking for CVE-2024-26601

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,7 +3,6 @@ CVE-2024-26600
NOTE: 
https://git.kernel.org/linus/7104ba0f1958adb250319e68a15eff89ec4fd36d (6.8-rc3)
 CVE-2024-26601
- linux 
-   [bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/c9b528c35795b711331ed36dc3dbee90d5812d4e (6.8-rc3)
 CVE-2024-26602
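Review bot: the `[bullseye] - linux  (Vulnerable code not present)` line is dropped without any NOTE recording why bullseye is now considered affected by CVE-2024-26601; the commit message "Correct tracking" gives no reason either. A one-line NOTE naming the upstream commit or release in which the vulnerable code first appeared would make the correction auditable for whoever later prepares the bullseye update.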



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f60d60bd24309ecda1d80a29c6f019c3be884c98



[Git][security-tracker-team/security-tracker][master] Merge Linux CVEs from kernel-sec

2024-02-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1cb3ce32 by Salvatore Bonaccorso at 2024-02-24T16:39:20+01:00
Merge Linux CVEs from kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,30 @@
+CVE-2024-26600
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/7104ba0f1958adb250319e68a15eff89ec4fd36d (6.8-rc3)
+CVE-2024-26601
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/c9b528c35795b711331ed36dc3dbee90d5812d4e (6.8-rc3)
+CVE-2024-26602
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/944d5fe50f3f03daacfea16300e656a1691c4a23
+CVE-2024-26603
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/d877550eaf2dc9090d782864c96939397a3c6835 (6.8-rc4)
+CVE-2024-26604
+   - linux 
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/3ca8fbabcceb8bfe44f7f50640092fd8f1de375c (6.8-rc5)
+CVE-2024-26605
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/1e560864159d002b453da42bd2c13a1805515a20 (6.8-rc3)
 CVE-2024-27133 (Insufficient sanitization in MLflow leads to XSS when running 
a recipe ...)
NOT-FOR-US: mlflow
 CVE-2024-27132 (Insufficient sanitization in MLflow leads to XSS when running 
an untru ...)
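Review bot: the NOTE for CVE-2024-26602 cites the fix commit without the upstream release tag (`(6.8-rc3)`, `(6.8-rc4)`, `(6.8-rc5)`) that every other new entry in this hunk carries; please add the tag so the fixed upstream version can be read off consistently across the merged entries.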



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cb3ce327fe696a4a4e3eaa39a0a6933b017e05a



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3739-1 for libjwt

2024-02-24 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ade0e63a by Thorsten Alteholz at 2024-02-24T11:54:54+01:00
Reserve DLA-3739-1 for libjwt

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -3347,7 +3347,6 @@ CVE-2024-25189 (libjwt 1.15.3 uses strcmp (which is not 
constant time) to verify
- libjwt 1.17.0-2 (bug #1063534)
[bookworm] - libjwt  (Minor issue)
[bullseye] - libjwt  (Minor issue)
-   [buster] - libjwt  (Minor issue)
NOTE: 
https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md
NOTE: 
https://github.com/benmcollins/libjwt/commit/f73bac57c5bece16ac24f1a70022aa34355fc1bf
 (v1.17.0)
NOTE: 
https://github.com/benmcollins/libjwt/commit/a5d61ef4f1b383876e0a78534383f38159471fd6
 (v1.17.0)
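Review bot: removing the `[buster] - libjwt  (Minor issue)` line without adding a `{DLA-3739-1}` reference to the CVE-2024-25189 entry leaves buster showing as unfixed with no advisory link until that reference lands; the DLA reservation in data/DLA/list and the `{DLA-3739-1}` line in the CVE entry belong in the same commit.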


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Feb 2024] DLA-3739-1 libjwt - security update
+   {CVE-2024-25189}
+   [buster] - libjwt 1.10.1-1+deb10u1
 [22 Feb 2024] DLA-3738-1 iwd - security update
{CVE-2023-52161}
[buster] - iwd 0.14-2+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ade0e63af545190fd113e5ef0e40010902805764



[Git][security-tracker-team/security-tracker][master] Track fixed version for rust-unsafe-libyaml issue via unstable

2024-02-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f2215af5 by Salvatore Bonaccorso at 2024-02-24T11:34:36+01:00
Track fixed version for rust-unsafe-libyaml issue via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12412,7 +12412,7 @@ CVE-2023-50783 (Apache Airflow, versions before 2.8.0, 
is affected by a vulnerab
 CVE-2023-51656 (Deserialization of Untrusted Data vulnerability in Apache 
IoTDB.This i ...)
NOT-FOR-US: Apache IoTDB
 CVE-2023- [RUSTSEC-2023-0075]
-   - rust-unsafe-libyaml  (bug #1059234)
+   - rust-unsafe-libyaml 0.2.10-1 (bug #1059234)
NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0075.html
NOTE: https://github.com/dtolnay/unsafe-libyaml/issues/21
 CVE-2023-7026 (A vulnerability was found in Lightxun IPTV Gateway up to 
20231208. It  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2215af5b0ccbbe86e4a7854f174c230f4d6e27a



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-25262 via unstable

2024-02-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
616c01fc by Salvatore Bonaccorso at 2024-02-24T11:24:49+01:00
Track fixed version for CVE-2024-25262 via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -894,7 +894,7 @@ CVE-2024-25366 (Buffer Overflow vulnerability in 
mz-automation.de libiec61859 v.
 CVE-2024-25274 (An arbitrary file upload vulnerability in the component 
/sysFile/uploa ...)
NOT-FOR-US: Novel-Plus
 CVE-2024-25262 (texlive-bin commit c515e was discovered to contain heap buffer 
overflo ...)
-   - texlive-bin  (bug #1064517)
+   - texlive-bin 2023.20230311.66589-9 (bug #1064517)
[bookworm] - texlive-bin  (Minor issue)
[bullseye] - texlive-bin  (Minor issue)
NOTE: 
https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605=co
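Review bot: the NOTE URL ends in `?revision=69605=co`, which is not a well-formed query string (a parameter separator appears to be missing between `69605` and `co`); please check that the link still resolves to the ttfdump ChangeLog at that revision and correct it if it does not.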



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/616c01fc81611fed47825af4221cb0d5dfc6074b



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-02-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc6843ed by Salvatore Bonaccorso at 2024-02-24T10:59:31+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,33 +1,33 @@
 CVE-2024-27133 (Insufficient sanitization in MLflow leads to XSS when running 
a recipe ...)
-   TODO: check
+   NOT-FOR-US: mlflow
 CVE-2024-27132 (Insufficient sanitization in MLflow leads to XSS when running 
an untru ...)
-   TODO: check
+   NOT-FOR-US: mlflow
 CVE-2024-26192 (Microsoft Edge (Chromium-based) Information Disclosure 
Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-26188 (Microsoft Edge (Chromium-based) Spoofing Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-25730 (Hitron CODA-4582 and CODA-4589 devices have default PSKs that 
are gene ...)
-   TODO: check
+   NOT-FOR-US: Hitron CODA-4582 and CODA-4589 devices
 CVE-2024-25469 (SQL Injection vulnerability in CRMEB crmeb_java v.1.3.4 and 
before all ...)
-   TODO: check
+   NOT-FOR-US: CRMEB crmeb_java
 CVE-2024-24681 (Insecure AES key in Yealink Configuration Encrypt Tool below 
verrsion  ...)
-   TODO: check
+   NOT-FOR-US: Yealink
 CVE-2024-24310 (In the module "Generate barcode on invoice / delivery slip" 
(ecgenerat ...)
-   TODO: check
+   NOT-FOR-US: PrestaShop module
 CVE-2024-24309 (In the module "Survey TMA" (ecomiz_survey_tma) up to version 
2.0.0 fro ...)
-   TODO: check
+   NOT-FOR-US: PrestaShop module
 CVE-2024-22988 (An issue in zkteco zkbio WDMS v.8.0.5 allows an attacker to 
execute ar ...)
-   TODO: check
+   NOT-FOR-US: zkteco zkbio WDMS
 CVE-2024-22395 (Improper access control vulnerability has been identified in 
the SMA10 ...)
-   TODO: check
+   NOT-FOR-US: SMA100 SSL-VPN virtual office portal
 CVE-2024-21502 (Versions of the package fastecdsa before 2.3.2 are vulnerable 
to Use o ...)
TODO: check
 CVE-2024-21501 (Versions of the package sanitize-html before 2.12.1 are 
vulnerable to  ...)
TODO: check
 CVE-2024-21423 (Microsoft Edge (Chromium-based) Information Disclosure 
Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-1810 (The Archivist \u2013 Custom Archive Templates plugin for 
WordPress is  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-22371
NOT-FOR-US: Apache Camel
 CVE-2024-27319 (Versions of the package onnx before and including 1.15.0 are 
vulnerabl ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc6843ed6bb0e2d509751dd426e92a542ef9d3f4



[Git][security-tracker-team/security-tracker][master] Remove notes for CVE-2023-52071

2024-02-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8ffcd4f9 by Salvatore Bonaccorso at 2024-02-24T10:55:09+01:00
Remove notes for CVE-2023-52071

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5366,14 +5366,6 @@ CVE-2023-5372 (The post-authentication command injection 
vulnerability in Zyxel
NOT-FOR-US: Zyxel
 CVE-2023-52071
REJECTED
-   - curl 8.4.0-1 (unimportant)
-   [bookworm] - curl  (Vulnerable code not present)
-   [bullseye] - curl  (Vulnerable code not present)
-   [buster] - curl  (Vulnerable code not present)
-   NOTE: https://curl.se/docs/CVE-2023-52071.html
-   NOTE: Introduced by: 
https://github.com/curl/curl/commit/af3f4e419b9f339790de281c871640a773c391c0 
(curl-8_3_0)
-   NOTE: Fixed by: 
https://github.com/curl/curl/commit/73980f9ace6c7577e7fcab8008bbde8a0a231692 
(curl-8_4_0)
-   NOTE: Windows only issue in Debug builds, and basically no security 
impact (CVE to be REJECTED)
 CVE-2023-51982 (CrateDB 5.5.1 is contains an authentication bypass 
vulnerability in th ...)
NOT-FOR-US: CrateDB
 CVE-2023-51843 (react-dashboard 1.4.0 is vulnerable to Cross Site Scripting 
(XSS) as h ...)
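Review bot: the dropped lines were the only place the tracker recorded why CVE-2023-52071 has no security impact (a Windows-only issue in Debug builds, together with the introducing and fixing curl commits); if the convention for REJECTED entries is to strip all tracking data, consider at least keeping the `NOTE: https://curl.se/docs/CVE-2023-52071.html` line so that anyone revisiting the ID can find the rationale without searching the history.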



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ffcd4f98f768b86b6d212e1c32edc2379397342



[Git][security-tracker-team/security-tracker][master] automatic update

2024-02-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a3be2670 by security tracker role at 2024-02-24T08:11:52+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,33 @@
+CVE-2024-27133 (Insufficient sanitization in MLflow leads to XSS when running 
a recipe ...)
+   TODO: check
+CVE-2024-27132 (Insufficient sanitization in MLflow leads to XSS when running 
an untru ...)
+   TODO: check
+CVE-2024-26192 (Microsoft Edge (Chromium-based) Information Disclosure 
Vulnerability)
+   TODO: check
+CVE-2024-26188 (Microsoft Edge (Chromium-based) Spoofing Vulnerability)
+   TODO: check
+CVE-2024-25730 (Hitron CODA-4582 and CODA-4589 devices have default PSKs that 
are gene ...)
+   TODO: check
+CVE-2024-25469 (SQL Injection vulnerability in CRMEB crmeb_java v.1.3.4 and 
before all ...)
+   TODO: check
+CVE-2024-24681 (Insecure AES key in Yealink Configuration Encrypt Tool below 
verrsion  ...)
+   TODO: check
+CVE-2024-24310 (In the module "Generate barcode on invoice / delivery slip" 
(ecgenerat ...)
+   TODO: check
+CVE-2024-24309 (In the module "Survey TMA" (ecomiz_survey_tma) up to version 
2.0.0 fro ...)
+   TODO: check
+CVE-2024-22988 (An issue in zkteco zkbio WDMS v.8.0.5 allows an attacker to 
execute ar ...)
+   TODO: check
+CVE-2024-22395 (Improper access control vulnerability has been identified in 
the SMA10 ...)
+   TODO: check
+CVE-2024-21502 (Versions of the package fastecdsa before 2.3.2 are vulnerable 
to Use o ...)
+   TODO: check
+CVE-2024-21501 (Versions of the package sanitize-html before 2.12.1 are 
vulnerable to  ...)
+   TODO: check
+CVE-2024-21423 (Microsoft Edge (Chromium-based) Information Disclosure 
Vulnerability)
+   TODO: check
+CVE-2024-1810 (The Archivist \u2013 Custom Archive Templates plugin for 
WordPress is  ...)
+   TODO: check
 CVE-2024-22371
NOT-FOR-US: Apache Camel
 CVE-2024-27319 (Versions of the package onnx before and including 1.15.0 are 
vulnerabl ...)
@@ -159826,11 +159856,11 @@ CVE-2021-44545 (Improper input validation for some 
Intel(R) PROSet/Wireless WiFi
NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=140beaf7d770ea8320c12b6e31a067f9e9d6d441
NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=e6185d5197fd1d8015f1c7663582158b9945c075
 CVE-2021-44457
-   RESERVED
+   REJECTED
 CVE-2021-44454 (Improper input validation in a third-party component for 
Intel(R) Quar ...)
NOT-FOR-US: Intel
 CVE-2021-43351
-   RESERVED
+   REJECTED
 CVE-2021-4080 (crater is vulnerable to Unrestricted Upload of File with 
Dangerous Typ ...)
NOT-FOR-US: Crater
 CVE-2021-26946
@@ -160854,7 +160884,7 @@ CVE-2021-37409 (Improper access control for some 
Intel(R) PROSet/Wireless WiFi a
NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=140beaf7d770ea8320c12b6e31a067f9e9d6d441
NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=e6185d5197fd1d8015f1c7663582158b9945c075
 CVE-2021-37405
-   RESERVED
+   REJECTED
 CVE-2021-33847 (Improper buffer restrictions in firmware for some Intel(R) 
Wireless Bl ...)
NOT-FOR-US: Intel
 CVE-2021-26950 (Out of bounds read in firmware for some Intel(R) Wireless 
Bluetooth(R) ...)
@@ -170087,7 +170117,7 @@ CVE-2021-42341 (checkpath in OpenRC before 0.44.7 
uses the direct output of strl
 CVE-2021-3886
REJECTED
 CVE-2021-3885
-   RESERVED
+   REJECTED
 CVE-2021-42340 (The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 
10.1.0-M5, ...)
{DSA-5009-1}
- tomcat9 9.0.54-1
@@ -171507,25 +171537,25 @@ CVE-2021-41862 (AviatorScript through 5.2.7 allows 
code execution via an express
 CVE-2021-41861 (The Telegram application 7.5.0 through 7.8.0 for Android does 
not prop ...)
NOT-FOR-US: Telegram for Android
 CVE-2021-41860
-   RESERVED
+   REJECTED
 CVE-2021-41859
-   RESERVED
+   REJECTED
 CVE-2021-41858
-   RESERVED
+   REJECTED
 CVE-2021-41857
-   RESERVED
+   REJECTED
 CVE-2021-41856
-   RESERVED
+   REJECTED
 CVE-2021-41855
-   RESERVED
+   REJECTED
 CVE-2021-41854
-   RESERVED
+   REJECTED
 CVE-2021-41853
-   RESERVED
+   REJECTED
 CVE-2021-41852
-   RESERVED
+   REJECTED
 CVE-2021-41851
-   RESERVED
+   REJECTED
 CVE-2021-3851 (firefly-iii is vulnerable to URL Redirection to Untrusted Site)
NOT-FOR-US: firefly-iii
 CVE-2021-3850 (Authentication Bypass by Primary Weakness in GitHub repository 
adodb/a ...)
@@ -193534,69 +193564,69 @@ CVE-2021-33169
 CVE-2021-33168
RESERVED
 CVE-2021-33167
-   RESERVED
+   REJECTED