[Git][security-tracker-team/security-tracker][master] dla: take postgresql
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abe5852f by Adrian Bunk at 2024-03-08T01:03:36+02:00 dla: take postgresql - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -230,7 +230,7 @@ nvidia-graphics-drivers-legacy-390xx pdns-recursor NOTE: 20240306: Added by Front-Desk (opal) -- -postgresql-11 +postgresql-11 (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- putty View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe5852fbf8c5a88d7439703ef5a8a74e7609de3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe5852fbf8c5a88d7439703ef5a8a74e7609de3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3754-1 for fontforge
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: afd03b29 by Adrian Bunk at 2024-03-08T01:02:57+02:00 Reserve DLA-3754-1 for fontforge - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -299331,7 +299331,6 @@ CVE-2020-5497 (The OpenID Connect reference implementation for MITREid Connect t NOT-FOR-US: MITREid Connect CVE-2020-5496 (FontForge 20190801 has a heap-based buffer overflow in the Type2NotDef ...) - fontforge 1:20201107~dfsg-1 (bug #948231) - [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) [jessie] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4085 @@ -299549,7 +299548,6 @@ CVE-2020-5396 (VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, NOT-FOR-US: VMware CVE-2020-5395 (FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd. ...) - fontforge 1:20201107~dfsg-1 (bug #948231) - [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) [jessie] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4084 = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Mar 2024] DLA-3754-1 fontforge - security update + {CVE-2020-5395 CVE-2020-5496 CVE-2024-25081 CVE-2024-25082} + [buster] - fontforge 1:20170731~dfsg-1+deb10u1 [06 Mar 2024] DLA-3753-1 yard - security update {CVE-2019-1020001 CVE-2024-27285} [buster] - yard 0.9.16-1+deb10u1 = data/dla-needed.txt = 
@@ -101,9 +101,6 @@ exiftags expat NOTE: 20240306: Added by Front-Desk (opal) -- -fontforge (Adrian Bunk) - NOTE: 20240306: Added by Front-Desk (opal) --- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afd03b2915fb9afbb3ac5849fd89f01080b8714e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afd03b2915fb9afbb3ac5849fd89f01080b8714e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
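Review bot: The new DLA-3754-1 entry in data/DLA/list lists four CVEs ({CVE-2020-5395 CVE-2020-5496 CVE-2024-25081 CVE-2024-25082}), but the data/CVE/list hunks in this commit only drop the `[buster] - fontforge (Minor issue)` line for CVE-2020-5395 and CVE-2020-5496; please confirm that CVE-2024-25081 and CVE-2024-25082 carry no leftover buster no-dsa marking, otherwise the DLA and the per-CVE buster state will disagree.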
[Git][security-tracker-team/security-tracker][master] 2 commits: Marked CVEs for nvidia-graphics-drivers-legacy-340xx as ignored for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: fc30ba59 by Ola Lundqvist at 2024-03-07T23:54:31+01:00 Marked CVEs for nvidia-graphics-drivers-legacy-340xx as ignored for buster. - - - - - c7598151 by Ola Lundqvist at 2024-03-07T23:54:32+01:00 Analyzed freeipa further and concluded that it is safest to fix in buster. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2053,6 +2053,7 @@ CVE-2024-0074 [bookworm] - nvidia-graphics-drivers (Non-free not supported) [bullseye] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1064984) + [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers-legacy-390xx (bug #1064985) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-tesla-418 (bug #1064986) @@ -2076,6 +2077,7 @@ CVE-2024-42265 [bookworm] - nvidia-graphics-drivers (Non-free not supported) [bullseye] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1064984) + [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers-legacy-390xx (bug #1064985) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-tesla-418 (bug #1064986) @@ -2095,6 +2097,7 @@ CVE-2024-0078 [bookworm] - nvidia-graphics-drivers (Non-free not supported) [bullseye] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1064984) + [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers-legacy-390xx (bug #1064985) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-tesla-418 (bug #1064986) 
@@ -4627,6 +4630,10 @@ CVE-2024-1481 [specially crafted HTTP requests potentially lead to DoS or data e NOTE: ipa-4.10: https://pagure.io/freeipa/c/204011dc0514681511275a4b70a13bfa85c1a538 NOTE: ipa-4.9: https://pagure.io/freeipa/c/b039f3087a13de3f34b230dbe29a7cfb1965700d NOTE: ipa-4.9: https://pagure.io/freeipa/c/96a478bbedd49c31e0f078f00f2d1cb55bb952fd + NOTE: For buster (and most likely later versions) the vulnerable rpcserver.py code + NOTE: is not part of the provided binary packages. The kinit.py file is however and + NOTE: it is not entirelly clear whether this may be used in a vulnerable way when + NOTE: the client is used for authentication purposes. CVE-2024-26270 (The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, ...) NOT-FOR-US: Liferay CVE-2024-26268 (User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.2 ...) = data/dla-needed.txt = @@ -107,6 +107,9 @@ fontforge (Adrian Bunk) freeimage NOTE: 20240121: Added by Front-Desk (apo) -- +freeipa + NOTE: 20240307: Added by Front-Desk (opal) +-- frr (Abhijith PA) NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7a5e90b49c6c4a2acc4af8b4d02620ba98dcdf1...c7598151ce5abc8f421106343ee505caa98c0db8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7a5e90b49c6c4a2acc4af8b4d02620ba98dcdf1...c7598151ce5abc8f421106343ee505caa98c0db8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
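Review bot: The three added `[buster] - nvidia-graphics-drivers-legacy-340xx (...)` lines in the first data/CVE/list hunks use a longer free-text reason than the adjacent bookworm/bullseye entries, which all read `(Non-free not supported)`; consider keeping the same short reason for consistency and putting the "no updates provided by Nvidia anymore" explanation in a NOTE line instead.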
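Review bot: Typo in the added NOTE lines under CVE-2024-1481: "entirelly" should be "entirely". Those notes record that rpcserver.py is not shipped in the buster binary packages while kinit.py is, but the conclusion from the commit message (that fixing in buster is the safest course) is not written down; adding it as a final NOTE would make the reason for the new freeipa entry in dla-needed.txt visible next to the analysis.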
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-1931/unbound
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d7a5e90b by Salvatore Bonaccorso at 2024-03-07T23:06:18+01:00 Track fixed version for CVE-2024-1931/unbound - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,7 +21,7 @@ CVE-2024-22752 (Insecure permissions issue in EaseUS MobiMover 6.0.5 Build 21620 CVE-2024-22256 (VMware Cloud Director contains a partial information disclosure vulner ...) NOT-FOR-US: VMware CVE-2024-1931 (NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 c ...) - - unbound + - unbound 1.19.2-1 [bookworm] - unbound (Vulnerable code introduced later) [bullseye] - unbound (Vulnerable code introduced later) [buster] - unbound (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7a5e90b49c6c4a2acc4af8b4d02620ba98dcdf1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7a5e90b49c6c4a2acc4af8b4d02620ba98dcdf1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim dnsmasq in dla-needed.txt
Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker Commits: 008b7da4 by Daniel Leidert at 2024-03-07T22:59:10+01:00 LTS: claim dnsmasq in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,7 +73,7 @@ curl NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) NOTE: https://salsa.debian.org/debian/curl/-/merge_requests/21 -- -dnsmasq +dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) -- docker.io View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/008b7da402f73a31c64f4bd4c9fa1462e22b9ca6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/008b7da402f73a31c64f4bd4c9fa1462e22b9ca6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Marked CVE-2024-2236 as no-dsa following bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 3264f217 by Ola Lundqvist at 2024-03-07T22:57:54+01:00 Marked CVE-2024-2236 as no-dsa following bullseye. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -168,6 +168,7 @@ CVE-2024-2236 (A timing-based side-channel flaw was found in libgcrypt's RSA imp - libgcrypt20 [bookworm] - libgcrypt20 (Minor issue) [bullseye] - libgcrypt20 (Minor issue) + [buster] - libgcrypt20 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2268268 CVE-2024-1299 (A privilege escalation vulnerability was discovered in GitLab affectin ...) - gitlab View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3264f21787b5d3e2c426c34ad2573921badaacf9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3264f21787b5d3e2c426c34ad2573921badaacf9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-52592 (rejected)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ee3f59f2 by Salvatore Bonaccorso at 2024-03-07T21:46:46+01:00 Remove notes from CVE-2023-52592 (rejected) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -464,9 +464,8 @@ CVE-2023-52594 (In the Linux kernel, the following vulnerability has been resolv CVE-2023-52593 (In the Linux kernel, the following vulnerability has been resolved: w ...) - linux 6.7.7-1 NOTE: https://git.kernel.org/linus/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d (6.8-rc1) -CVE-2023-52592 (In the Linux kernel, the following vulnerability has been resolved: l ...) - - linux 6.7.7-1 - NOTE: https://git.kernel.org/linus/fc3a5534e2a8855427403113cbeb54af5837bbe0 (6.8-rc1) +CVE-2023-52592 + REJECTED CVE-2023-52591 (In the Linux kernel, the following vulnerability has been resolved: r ...) - linux 6.7.7-1 NOTE: https://git.kernel.org/linus/49db9b1b86a82448dfaf3fcfefcf678dee56c8ed (6.8-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee3f59f294a47a4fd11a248d8a717da75f124c64 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee3f59f294a47a4fd11a248d8a717da75f124c64 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-1931/unbound
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 36f398c9 by Salvatore Bonaccorso at 2024-03-07T21:45:36+01:00 Add CVE-2024-1931/unbound - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,7 +21,11 @@ CVE-2024-22752 (Insecure permissions issue in EaseUS MobiMover 6.0.5 Build 21620 CVE-2024-22256 (VMware Cloud Director contains a partial information disclosure vulner ...) NOT-FOR-US: VMware CVE-2024-1931 (NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 c ...) - TODO: check + - unbound + [bookworm] - unbound (Vulnerable code introduced later) + [bullseye] - unbound (Vulnerable code introduced later) + [buster] - unbound (Vulnerable code introduced later) + NOTE: https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt CVE-2024-1773 (The PDF Invoices and Packing Slips For WooCommerce plugin for WordPres ...) NOT-FOR-US: WordPress plugin CVE-2024-1725 (A flaw was found in the kubevirt-csi component of OpenShift Virtualiza ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36f398c946533dd75f95e3bb78102d85cf6f6c24 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36f398c946533dd75f95e3bb78102d85cf6f6c24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
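Review bot: The new `- unbound` line under CVE-2024-1931 carries no fixed version, although the description states the affected range ends at 1.19.1; once the fixed upload reaches the archive, the version belongs on this line so unstable is not reported as vulnerable indefinitely. The three `(Vulnerable code introduced later)` markings for bookworm, bullseye and buster read fine.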
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-25817/rust-eza
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: af07412b by Salvatore Bonaccorso at 2024-03-07T21:41:51+01:00 Add CVE-2024-25817/rust-eza - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -311,7 +311,8 @@ CVE-2024-27278 (OpenPNE Plugin "opTimelinePlugin" 1.2.11 and earlier contains a CVE-2024-25858 (In Foxit PDF Reader before 2024.1 and PDF Editor before 2024.1, code e ...) NOT-FOR-US: Foxit PDF Reader CVE-2024-25817 (Buffer Overflow vulnerability in eza before version 0.18.2, allows loc ...) - TODO: check + - rust-eza 0.18.2-1 + NOTE: https://github.com/advisories/GHSA-3qx3-6hxr-j2ch CVE-2024-25616 (Aruba has identified certain configurations of ArubaOS that can lead t ...) NOT-FOR-US: Aruba CVE-2024-25615 (An unauthenticated Denial-of-Service (DoS) vulnerability exists in the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af07412ba0a3b416ac37bde10afd15ca383eb311 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af07412ba0a3b416ac37bde10afd15ca383eb311 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-28102/python-jwcrypto
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f3cddc1f by Salvatore Bonaccorso at 2024-03-07T21:37:23+01:00 Add CVE-2024-28102/python-jwcrypto - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -85,7 +85,9 @@ CVE-2024-28111 (Canarytokens helps track activity and actions on a network. Cana CVE-2024-28110 (Go SDK for CloudEvents is the official CloudEvents SDK to integrate ap ...) TODO: check CVE-2024-28102 (JWCrypto implements JWK, JWS, and JWE specifications using python-cryp ...) - TODO: check + - python-jwcrypto + NOTE: https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97 + NOTE: https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f (v1.5.6) CVE-2024-28101 (The Apollo Router is a graph router written in Rust to run a federated ...) NOT-FOR-US: Apollo Router CVE-2024-28097 (Calendar functionality in Schoolbox application before version 23.1.3 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3cddc1fcef83c220a8ec1aed2f870eac65fefbe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3cddc1fcef83c220a8ec1aed2f870eac65fefbe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
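Review bot: The new `- python-jwcrypto` line records the package as affected with no fixed version, bug reference or per-suite status for bookworm/bullseye/buster; the two NOTE lines give the advisory and the fixing upstream commit (v1.5.6), so a follow-up adding the bug number and the stable-suite triage is needed before this entry is complete.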
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b28e94c by Salvatore Bonaccorso at 2024-03-07T21:36:04+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,51 +1,51 @@ CVE-2024-2245 (Cross-Site Scripting vulnerability in moziloCMS version 2.0. By sendin ...) - TODO: check + NOT-FOR-US: moziloCMS CVE-2024-2241 (Improper access control in the user interface in Devolutions Workspace ...) - TODO: check + NOT-FOR-US: Devolutions CVE-2024-2136 (The WPKoi Templates for Elementor plugin for WordPress is vulnerable t ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2128 (The EmbedPress \u2013 Embed PDF, Google Docs, Vimeo, Wistia, Embed You ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2127 (The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-28230 (In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow ...) - TODO: check + NOT-FOR-US: JetBrains YouTrack CVE-2024-28229 (In JetBrains YouTrack before 2024.1.25893 user without appropriate per ...) - TODO: check + NOT-FOR-US: JetBrains YouTrack CVE-2024-28228 (In JetBrains YouTrack before 2024.1.25893 creation comments on behalf ...) - TODO: check + NOT-FOR-US: JetBrains YouTrack CVE-2024-27733 (File Upload vulnerability in Byzro Network Smart s42 Management Platfo ...) - TODO: check + NOT-FOR-US: Byzro Network Smart s42 Management Platform CVE-2024-22752 (Insecure permissions issue in EaseUS MobiMover 6.0.5 Build 21620 allow ...) - TODO: check + NOT-FOR-US: EaseUS MobiMover CVE-2024-22256 (VMware Cloud Director contains a partial information disclosure vulner ...) - TODO: check + NOT-FOR-US: VMware CVE-2024-1931 (NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 c ...) TODO: check CVE-2024-1773 (The PDF Invoices and Packing Slips For WooCommerce plugin for WordPres ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1725 (A flaw was found in the kubevirt-csi component of OpenShift Virtualiza ...) TODO: check CVE-2024-1534 (The Booster for WooCommerce plugin for WordPress is vulnerable to Stor ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1442 (A user with the permissions to create a data source can use Grafana AP ...) TODO: check CVE-2024-1382 (The Restaurant Reservations plugin for WordPress is vulnerable to Loca ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1351 (Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Se ...) TODO: check CVE-2024-1170 (The Post Form \u2013 Registration Form \u2013 Profile Form for User Pr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1169 (The Post Form \u2013 Registration Form \u2013 Profile Form for User Pr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-0917 (remote code execution in paddlepaddle/paddle 2.6.0) - TODO: check + NOT-FOR-US: PaddlePaddle CVE-2024-0818 (Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle bef ...) - TODO: check + NOT-FOR-US: PaddlePaddle CVE-2024-0203 (The Digits plugin for WordPress is vulnerable to Cross-Site Request Fo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-48725 (A stack-based buffer overflow vulnerability exists in the JSON Parsing ...) - TODO: check + NOT-FOR-US: Netgear CVE-2023-47691 (Missing Authorization vulnerability in Podlove Podlove Web Player.This ...) TODO: check CVE-2023-42662 (JFrog Artifactory versions 7.59 and above, but below 7.59.18, 7.63.18, ...) 
@@ -81,13 +81,13 @@ CVE-2024-28212 (nGrinder before 3.5.9 uses old version of SnakeYAML, which could CVE-2024-28211 (nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by ...) NOT-FOR-US: nGrinder CVE-2024-28111 (Canarytokens helps track activity and actions on a network. Canarytoke ...) - TODO: check + NOT-FOR-US: Canarytokens CVE-2024-28110 (Go SDK for CloudEvents is the official CloudEvents SDK to integrate ap ...) TODO: check CVE-2024-28102 (JWCrypto implements JWK, JWS, and JWE specifications using python-cryp ...) TODO: check CVE-2024-28101 (The Apollo Router is a graph router written in Rust to run a federated ...) - TODO: check + NOT-FOR-US: Apollo Router CVE-2024-28097 (Calendar functionality in Schoolbox application before version 23.1.3 ...) NOT-FOR-US: Schoolbox application CVE-2024-28096 (Class functionality in Schoolbox application before version 23.1.3 is ...) @@ -107,13 +107,13 @@
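Review bot: In the first hunk, the `NOT-FOR-US: Netgear` reason added under CVE-2023-48725 names a vendor that does not appear in the truncated description ("A stack-based buffer overflow vulnerability exists in the JSON Parsing ..."), unlike the other NOT-FOR-US reasons in this hunk, which repeat a product named in the description; a NOTE line with the advisory URL would let others verify the attribution.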
[Git][security-tracker-team/security-tracker][master] Update information for rust-eyre issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c4d9018 by Salvatore Bonaccorso at 2024-03-07T21:21:01+01:00 Update information for rust-eyre issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63,7 +63,7 @@ CVE-2023-41014 (code-projects.org Online Job Portal 1.0 is vulnerable to SQL Inj CVE-2023-33676 (Sourcecodester Lost and Found Information System's Version 1.0 is vuln ...) TODO: check CVE-2024- [RUSTSEC-2024-0021] - - rust-eyre + - rust-eyre (Vulnerable code introduce in 0.6.9) NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0021.html NOTE: https://github.com/eyre-rs/eyre/issues/141 CVE-2024-28222 (In Veritas NetBackup before 8.1.2 and NetBackup Appliance before 3.1.2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c4d90182b5d1e8ed6bbd917832584a26eadd68f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c4d90182b5d1e8ed6bbd917832584a26eadd68f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
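Review bot: Typo in the changed line: `(Vulnerable code introduce in 0.6.9)` should read "introduced". Since the same position in other entries holds a fixed version, stating explicitly that 0.6.9 is the first affected upstream release would avoid misreading it as the fix.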
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ee4d351b by security tracker role at 2024-03-07T20:12:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,67 @@ +CVE-2024-2245 (Cross-Site Scripting vulnerability in moziloCMS version 2.0. By sendin ...) + TODO: check +CVE-2024-2241 (Improper access control in the user interface in Devolutions Workspace ...) + TODO: check +CVE-2024-2136 (The WPKoi Templates for Elementor plugin for WordPress is vulnerable t ...) + TODO: check +CVE-2024-2128 (The EmbedPress \u2013 Embed PDF, Google Docs, Vimeo, Wistia, Embed You ...) + TODO: check +CVE-2024-2127 (The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugi ...) + TODO: check +CVE-2024-28230 (In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow ...) + TODO: check +CVE-2024-28229 (In JetBrains YouTrack before 2024.1.25893 user without appropriate per ...) + TODO: check +CVE-2024-28228 (In JetBrains YouTrack before 2024.1.25893 creation comments on behalf ...) + TODO: check +CVE-2024-27733 (File Upload vulnerability in Byzro Network Smart s42 Management Platfo ...) + TODO: check +CVE-2024-22752 (Insecure permissions issue in EaseUS MobiMover 6.0.5 Build 21620 allow ...) + TODO: check +CVE-2024-22256 (VMware Cloud Director contains a partial information disclosure vulner ...) + TODO: check +CVE-2024-1931 (NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 c ...) + TODO: check +CVE-2024-1773 (The PDF Invoices and Packing Slips For WooCommerce plugin for WordPres ...) + TODO: check +CVE-2024-1725 (A flaw was found in the kubevirt-csi component of OpenShift Virtualiza ...) + TODO: check +CVE-2024-1534 (The Booster for WooCommerce plugin for WordPress is vulnerable to Stor ...) + TODO: check +CVE-2024-1442 (A user with the permissions to create a data source can use Grafana AP ...) + TODO: check +CVE-2024-1382 (The Restaurant Reservations plugin for WordPress is vulnerable to Loca ...) + TODO: check +CVE-2024-1351 (Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Se ...) 
+ TODO: check +CVE-2024-1170 (The Post Form \u2013 Registration Form \u2013 Profile Form for User Pr ...) + TODO: check +CVE-2024-1169 (The Post Form \u2013 Registration Form \u2013 Profile Form for User Pr ...) + TODO: check +CVE-2024-0917 (remote code execution in paddlepaddle/paddle 2.6.0) + TODO: check +CVE-2024-0818 (Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle bef ...) + TODO: check +CVE-2024-0203 (The Digits plugin for WordPress is vulnerable to Cross-Site Request Fo ...) + TODO: check +CVE-2023-48725 (A stack-based buffer overflow vulnerability exists in the JSON Parsing ...) + TODO: check +CVE-2023-47691 (Missing Authorization vulnerability in Podlove Podlove Web Player.This ...) + TODO: check +CVE-2023-42662 (JFrog Artifactory versions 7.59 and above, but below 7.59.18, 7.63.18, ...) + TODO: check +CVE-2023-42661 (JFrog Artifactory prior to version 7.76.2 is vulnerable to Arbitrary F ...) + TODO: check +CVE-2023-42509 (JFrog Artifactory later than version 7.17.4 but prior to version 7.77. ...) + TODO: check +CVE-2023-41503 (Student Enrollment In PHP v1.0 was discovered to contain a SQL injecti ...) + TODO: check +CVE-2023-41015 (code-projects.org Online Job Portal 1.0 is vulnerable to SQL Injection ...) + TODO: check +CVE-2023-41014 (code-projects.org Online Job Portal 1.0 is vulnerable to SQL Injection ...) + TODO: check +CVE-2023-33676 (Sourcecodester Lost and Found Information System's Version 1.0 is vuln ...) + TODO: check CVE-2024- [RUSTSEC-2024-0021] - rust-eyre NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0021.html 
@@ -36330,7 +36394,7 @@ CVE-2023-40798 (In Tenda AC23 v16.03.07.45_cn, the formSetIPv6status and formGet NOT-FOR-US: Tenda CVE-2023-40797 (In Tenda AC23 v16.03.07.45_cn, the sub_4781A4 function does not valida ...) NOT-FOR-US: Tenda -CVE-2023-40796 (Phicomm k2 v22.6.529.216 is vulnerable to command injection.) +CVE-2023-40796 (Phicomm k2 v22.6.529.216 was discovered to contain a command injection ...) NOT-FOR-US: Phicomm CVE-2023-40599 (Regular expression Denial-of-Service (ReDoS) exists in multiple add-on ...) NOT-FOR-US: multiple addons for Mailform Pro CGI @@ -45226,7 +45290,7 @@ CVE-2023-35844 (packages/backend/src/routers in Lightdash before 0.510.3 has ins NOT-FOR-US: Lightdash CVE-2023-35840 (_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder befor ...) NOT-FOR-US: elFinder -CVE-2023-35839 (Solon before 2.3.3 allows
[Git][security-tracker-team/security-tracker][master] Reference upstream tag for CVE-2024-22201
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6dc7abf9 by Salvatore Bonaccorso at 2024-03-07T21:02:18+01:00 Reference upstream tag for CVE-2024-22201 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3478,7 +3478,7 @@ CVE-2024-22201 (Jetty is a Java based web server and servlet engine. An HTTP/2 S - jetty9 (bug #1064923) NOTE: https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98 NOTE: https://github.com/jetty/jetty.project/issues/11256 - NOTE: 9.4.x branch fixed by https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b + NOTE: Fixed by: https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b (jetty-9.4.54.v20240208) CVE-2024-21836 (A heap-based buffer overflow vulnerability exists in the GGUF library ...) NOT-FOR-US: llama.cpp CVE-2024-21825 (A heap-based buffer overflow vulnerability exists in the GGUF library ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6dc7abf98742f3c482a4ca843b579754c62c645e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6dc7abf98742f3c482a4ca843b579754c62c645e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new rust-eyre issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e1c9a21 by Moritz Muehlenhoff at 2024-03-07T18:04:02+01:00 new rust-eyre issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024- [RUSTSEC-2024-0021] + - rust-eyre + NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0021.html + NOTE: https://github.com/eyre-rs/eyre/issues/141 CVE-2024-28222 (In Veritas NetBackup before 8.1.2 and NetBackup Appliance before 3.1.2 ...) NOT-FOR-US: Veritas CVE-2024-28216 (nGrinder before 3.5.9 allows an attacker to obtain the results of webh ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e1c9a21764f73e6df565a861275fb5aafaf1361 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e1c9a21764f73e6df565a861275fb5aafaf1361 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f472822 by Moritz Muehlenhoff at 2024-03-07T17:08:08+01:00 bookwor/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -92,6 +92,8 @@ CVE-2023-47415 (Cypress Solutions CTM-200 v2.7.1.5600 and below was discovered t TODO: check CVE-2024-2236 (A timing-based side-channel flaw was found in libgcrypt's RSA implemen ...) - libgcrypt20 + [bookworm] - libgcrypt20 (Minor issue) + [bullseye] - libgcrypt20 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2268268 CVE-2024-1299 (A privilege escalation vulnerability was discovered in GitLab affectin ...) - gitlab @@ -113,6 +115,8 @@ CVE-2024-27307 (JSONata is a JSON query and transformation language. Starting in TODO: check CVE-2024-27304 (pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur ...) - golang-github-jackc-pgx + [bookworm] - golang-github-jackc-pgx (Minor issue) + [bullseye] - golang-github-jackc-pgx (Minor issue) NOTE: https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv NOTE: https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4 (v5.5.4) NOTE: https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8 (v5.5.4) @@ -123,6 +127,8 @@ CVE-2024-27302 (go-zero is a web and rpc framework. Go-zero allows user to speci TODO: check CVE-2024-27289 (pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2 ...) - golang-github-jackc-pgx + [bookworm] - golang-github-jackc-pgx (Minor issue) + [bullseye] - golang-github-jackc-pgx (Minor issue) NOTE: https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p NOTE: https://github.com/jackc/pgx/commit/826a89229b8b1cdf18e4190afa437d3df9901b9c (v4.18.2) CVE-2024-27288 (1Panel is an open source Linux server operation and maintenance manage ...) 
@@ -447,6 +453,8 @@ CVE-2024-1979 NOT-FOR-US: Quarkus CVE-2023-5685 [StackOverflowException when the chain of notifier states becomes problematically big] - jboss-xnio + [bookworm] - jboss-xnio (Minor issue) + [bullseye] - jboss-xnio (Minor issue) [buster] - jboss-xnio (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241822 CVE-2023-45290 (When parsing a multipart form (either explicitly with Request.ParseMul ...) @@ -597,6 +605,8 @@ CVE-2024-25731 (The Elink Smart eSmartCam (com.cn.dq.ipc) application 2.1.5 for NOT-FOR-US: Elink Smart eSmartCam (com.cn.dq.ipc) application CVE-2024-25269 (libheif <= 1.17.6 contains a memory leak in the function JpegEncoder:: ...) - libheif + [bookworm] - libheif (Minor issue) + [bullseye] - libheif (Minor issue) [buster] - libheif (Minor issue) NOTE: https://github.com/strukturag/libheif/issues/1073 NOTE: https://github.com/strukturag/libheif/pull/1074 @@ -639,6 +649,8 @@ CVE-2024-20829 (Missing proper interaction for opening deeplink in Samsung Inter NOT-FOR-US: Samsung CVE-2024-1936 (The encrypted subject of an email message could be incorrectly and per ...) - thunderbird 1:115.8.1-1 + [bookworm] - thunderbird (Fix alongside in next DSA) + [bullseye] - thunderbird (Fix alongside in next DSA) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/#CVE-2024-1936 CVE-2024-1782 (The Blue Triad EZAnalytics plugin for WordPress is vulnerable to Refle ...) NOT-FOR-US: WordPress plugin 
@@ -690,11 +702,15 @@ CVE-2023-41827 (An improper export vulnerability was reported in the Motorola OT NOT-FOR-US: Motorola CVE-2024-2002 - dwarfutils (bug #1065511) + [bookworm] - dwarfutils (Minor issue) + [bullseye] - dwarfutils (Minor issue) [buster] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW202402-002 NOTE: Fixed by: https://github.com/davea42/libdwarf-code/commit/404e6b1b14f60c81388d50b4239f81d461b3c3ad CVE-2024-27351 [Potential regular expression denial-of-service in django.utils.text.Truncator.words()] - python-django 3:4.2.11-1 + [bookworm] - python-django (Minor issue, fix along in future update) + [bullseye] - python-django (Minor issue, fix along in future update) [buster] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2024/mar/04/security-releases/ NOTE: https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e (5.0.3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f4728226ea8d3ee68129d025b329a231fe31a81 -- View it on GitLab:
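Review bot: in the CVE-2024-27304 hunk, an SQL-injection issue is marked "(Minor issue)" for bookworm and bullseye with no reason recorded on the line; the GHSA and the two v5.5.4 commits are referenced, but the next LTS triager will have to re-derive why it is minor. Suggest putting the precondition in the parenthetical or in a NOTE line, and the same applies to the CVE-2024-27289 hunk (the v4.18.2 fix) which is marked identically.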
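Review bot: the python-django hunk uses "(Minor issue, fix along in future update)" while the thunderbird hunk in the same commit uses "(Fix alongside in next DSA)"; "fix along" is not a phrase, so suggest "fix alongside a future update" (or the thunderbird wording) for the two new bookworm and bullseye lines so the reasons read consistently.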
[Git][security-tracker-team/security-tracker][master] Triage CVE-2021-42343/dask.distributed for buster LTS.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 72180b0e by Guilhem Moulin at 2024-03-07T15:13:16+01:00 Triage CVE-2021-42343/dask.distributed for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -173852,9 +173852,10 @@ CVE-2021-42344 CVE-2021-42343 (An issue was discovered in the Dask distributed package before 2021.10 ...) - dask.distributed 2021.09.1+ds.1-2 [bullseye] - dask.distributed 2021.01.0+ds.1-2.1+deb11u1 - [buster] - dask.distributed (Minor issue; can be fixed via point release) + [buster] - dask.distributed (Minor issue; unreproducible with <2.0) NOTE: https://github.com/dask/distributed/pull/5427 NOTE: https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr + NOTE: Likely introduced in https://github.com/quasiben/distributed/commit/fd31ecca8017bae845a73d468de0376c02363fab CVE-2021-42342 (An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the fi ...) NOT-FOR-US: Embedthis GoAhead CVE-2021-42341 (checkpath in OpenRC before 0.44.7 uses the direct output of strlen() t ...) = data/dla-needed.txt = 
@@ -73,10 +73,6 @@ curl NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) NOTE: https://salsa.debian.org/debian/curl/-/merge_requests/21 -- -dask.distributed (guilhem) - NOTE: 20231228: Added by Front-Desk (lamby) - NOTE: 20231228: CVE-2021-42343 fixed in bullseye via DSA or point release. (lamby) --- dnsmasq NOTE: 20240303: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72180b0eadf7b78f7b8a78087c4578ea2c589730 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72180b0eadf7b78f7b8a78087c4578ea2c589730 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
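Review bot: in the data/CVE/list hunk, the buster line becomes "(Minor issue; unreproducible with <2.0)" while the added NOTE says the bug was "Likely introduced in" a specific upstream commit. If buster's version predates that commit this is a not-affected case rather than a minor one, and this batch already uses that form for CVE-2023-6110/python-openstackclient ("app cred access rules introduced in v5"); suggest switching once the "Likely" is confirmed, and stating the buster version number in the reason so the claim is checkable. Dropping the dask.distributed block from dla-needed.txt is consistent with either outcome.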
[Git][security-tracker-team/security-tracker][master] CVE-2023-6110/python-openstackclient: buster no-dsa -> not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2dd2e31c by Sylvain Beucler at 2024-03-07T10:59:39+01:00 CVE-2023-6110/python-openstackclient: buster no-dsa - not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6619,7 +6619,7 @@ CVE-2023-6110 [deleting a non existing access rule deletes another existing acce - python-openstackclient 6.3.0-2 [bookworm] - python-openstackclient (Minor issue) [bullseye] - python-openstackclient (Minor issue) - [buster] - python-openstackclient (Minor issue) + [buster] - python-openstackclient (app cred access rules introduced in v5) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2212960 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2209607 NOTE: https://review.opendev.org/888697 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dd2e31c15f4db09d326841c90a7ad8678b68588 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dd2e31c15f4db09d326841c90a7ad8678b68588 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d01a78cb by Emilio Pozuelo Monfort at 2024-03-07T10:43:53+01:00 lts: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -313,7 +313,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird +thunderbird (Emilio) NOTE: 20240306: Added by Front-Desk (opal) -- tiff (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d01a78cb2db5f4285e4b5fbe0239811909d612bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d01a78cb2db5f4285e4b5fbe0239811909d612bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-25126/ruby-rack: reference upstream patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 039bf355 by Sylvain Beucler at 2024-03-07T10:24:23+01:00 CVE-2024-25126/ruby-rack: reference upstream patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3990,6 +3990,7 @@ CVE-2024-26141 (Rack is a modular Ruby web server interface. Carefully crafted R CVE-2024-25126 (Rack is a modular Ruby web server interface. Carefully crafted content ...) - ruby-rack (bug #1064516) NOTE: https://github.com/rack/rack/releases/tag/v2.2.8.1 + NOTE: https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49 (v2.2.8.1) CVE-2024-26146 (Rack is a modular Ruby web server interface. Carefully crafted headers ...) - ruby-rack (bug #1064516) NOTE: https://github.com/rack/rack/releases/tag/v2.2.8.1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/039bf355bc8d15fd30bb0131640f9030ef169ce8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/039bf355bc8d15fd30bb0131640f9030ef169ce8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
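Review bot: the added NOTE gives the v2.2.8.1 fix commit for CVE-2024-25126 only, while the neighbouring CVE-2024-26141 and CVE-2024-26146 entries still reference just the release tag. Since all three are tied to the same release and the same bug #1064516, suggest adding the corresponding commit for each sibling in the same pass so the backport can be cherry-picked per CVE.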
[Git][security-tracker-team/security-tracker][master] CVE-2024-22201/jetty9: precision
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: cfbf8d9d by Sylvain Beucler at 2024-03-07T09:44:05+01:00 CVE-2024-22201/jetty9: precision - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3458,7 +3458,7 @@ CVE-2024-22201 (Jetty is a Java based web server and servlet engine. An HTTP/2 S - jetty9 (bug #1064923) NOTE: https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98 NOTE: https://github.com/jetty/jetty.project/issues/11256 - NOTE: 9.x branch fixed by https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b + NOTE: 9.4.x branch fixed by https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b CVE-2024-21836 (A heap-based buffer overflow vulnerability exists in the GGUF library ...) NOT-FOR-US: llama.cpp CVE-2024-21825 (A heap-based buffer overflow vulnerability exists in the GGUF library ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfbf8d9dbe56b5cc99b37e0d2803d60f7af15095 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfbf8d9dbe56b5cc99b37e0d2803d60f7af15095 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b131c9cf by Salvatore Bonaccorso at 2024-03-07T09:36:41+01:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,17 +1,17 @@ CVE-2024-28222 (In Veritas NetBackup before 8.1.2 and NetBackup Appliance before 3.1.2 ...) NOT-FOR-US: Veritas CVE-2024-28216 (nGrinder before 3.5.9 allows an attacker to obtain the results of webh ...) - TODO: check + NOT-FOR-US: nGrinder CVE-2024-28215 (nGrinder before 3.5.9 allows an attacker to create or update webhook c ...) - TODO: check + NOT-FOR-US: nGrinder CVE-2024-28214 (nGrinder before 3.5.9 allows to set delay without limitation, which co ...) - TODO: check + NOT-FOR-US: nGrinder CVE-2024-28213 (nGrinder before 3.5.9 allows to accept serialized Java objects from un ...) - TODO: check + NOT-FOR-US: nGrinder CVE-2024-28212 (nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow ...) - TODO: check + NOT-FOR-US: nGrinder CVE-2024-28211 (nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by ...) - TODO: check + NOT-FOR-US: nGrinder CVE-2024-28111 (Canarytokens helps track activity and actions on a network. Canarytoke ...) TODO: check CVE-2024-28110 (Go SDK for CloudEvents is the official CloudEvents SDK to integrate ap ...) 
@@ -43,51 +43,51 @@ CVE-2024-27927 (RSSHub is an open source RSS feed generator. Prior to version 1. CVE-2024-27926 (RSSHub is an open source RSS feed generator. Starting in version 1.0.0 ...) TODO: check CVE-2024-27923 (Grav is a content management system (CMS). Prior to version 1.7.43, us ...) - TODO: check + NOT-FOR-US: Grav CMS CVE-2024-27922 (TOMP Bare Server implements the TompHTTP bare server. A vulnerability ...) TODO: check CVE-2024-27918 (Coder allows oragnizations to provision remote development environment ...) TODO: check CVE-2024-26566 (An issue in Cute Http File Server v.3.1 allows a remote attacker to es ...) - TODO: check + NOT-FOR-US: Cute Http File Server CVE-2024-24389 (A cross-site scripting (XSS) vulnerability in XunRuiCMS up to v4.6.2 a ...) - TODO: check + NOT-FOR-US: XunRuiCMS CVE-2024-24375 (SQL injection vulnerability in Jfinalcms v.5.0.0 allows a remote attac ...) - TODO: check + NOT-FOR-US: Jfinalcms CVE-2024-1761 (The WP Chat App plugin for WordPress is vulnerable to Stored Cross-Sit ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1720 (The User Registration \u2013 Custom Registration Form, Login Form, and ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1506 (The Prime Slider \u2013 Addons For Elementor plugin for WordPress is v ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1500 (The Royal Elementor Addons and Templates plugin for WordPress is vulne ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1460 (MSI Afterburner v4.6.5.16370 is vulnerable to a Kernel Memory Leak vul ...) TODO: check CVE-2024-1443 (MSI Afterburner v4.6.5.16370 is vulnerable to a Denial of Service vuln ...) TODO: check CVE-2024-1419 (The The Plus Addons for Elementor plugin for WordPress is vulnerable t ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1377 (The Happy Addons for Elementor plugin for WordPress is vulnerable to S ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1366 (The Happy Addons for Elementor plugin for WordPress is vulnerable to S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-0817 (Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0) TODO: check CVE-2024-0815 (Command injection in paddle.utils.download._wget_download (bypass filt ...) TODO: check CVE-2023-51395 (The vulnerability described by CVE-2023-0972 has been additionally dis ...) - TODO: check + NOT-FOR-US: Silicon Labs CVE-2023-51281 (Cross Site Scripting vulnerability in Customer Support System v.1.0 al ...) - TODO: check + NOT-FOR-US: Customer Support System CVE-2023-49989 (Hotel Booking Management v1.0 was discovered to contain a SQL injectio ...) - TODO: check + NOT-FOR-US: Hotel Booking Management CVE-2023-49988 (Hotel Booking Management v1.0 was discovered to contain a SQL injectio ...) - TODO: check + NOT-FOR-US: Hotel Booking Management CVE-2023-49987 (A cross-site scripting (XSS) vulnerability in the component /managemen ...) - TODO: check + NOT-FOR-US: School Fees Management System CVE-2023-49986 (A cross-site scripting (XSS) vulnerability in the component /admin/par ...) - TODO: check + NOT-FOR-US: School Fees
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8defbac8 by Salvatore Bonaccorso at 2024-03-07T09:30:19+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2024-28222 (In Veritas NetBackup before 8.1.2 and NetBackup Appliance before 3.1.2 ...) - TODO: check + NOT-FOR-US: Veritas CVE-2024-28216 (nGrinder before 3.5.9 allows an attacker to obtain the results of webh ...) TODO: check CVE-2024-28215 (nGrinder before 3.5.9 allows an attacker to create or update webhook c ...) 
@@ -21,23 +21,23 @@ CVE-2024-28102 (JWCrypto implements JWK, JWS, and JWE specifications using pytho CVE-2024-28101 (The Apollo Router is a graph router written in Rust to run a federated ...) TODO: check CVE-2024-28097 (Calendar functionality in Schoolbox application before version 23.1.3 ...) - TODO: check + NOT-FOR-US: Schoolbox application CVE-2024-28096 (Class functionality in Schoolbox application before version 23.1.3 is ...) - TODO: check + NOT-FOR-US: Schoolbox application CVE-2024-28095 (News functionality in Schoolbox application before version 23.1.3 is ...) - TODO: check + NOT-FOR-US: Schoolbox application CVE-2024-28094 (Chat functionality in Schoolbox application before version 23.1.3 is ...) - TODO: check + NOT-FOR-US: Schoolbox application CVE-2024-27936 (Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure ...) - TODO: check + NOT-FOR-US: Deno CVE-2024-27935 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in ...) - TODO: check + NOT-FOR-US: Deno CVE-2024-27934 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in ...) - TODO: check + NOT-FOR-US: Deno CVE-2024-27933 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version ...) - TODO: check + NOT-FOR-US: Deno CVE-2024-27932 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in ...) - TODO: check + NOT-FOR-US: Deno CVE-2024-27927 (RSSHub is an open source RSS feed generator. Prior to version 1.0.0-ma ...) TODO: check CVE-2024-27926 (RSSHub is an open source RSS feed generator. Starting in version 1.0.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8defbac8e31f140b5163ac69d9ad7331cb1ed12e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8defbac8e31f140b5163ac69d9ad7331cb1ed12e You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 80865560 by security tracker role at 2024-03-07T08:12:34+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,9 +1,101 @@ -CVE-2024-2236 [timing based side-channel in RSA implementation] +CVE-2024-28222 (In Veritas NetBackup before 8.1.2 and NetBackup Appliance before 3.1.2 ...) + TODO: check +CVE-2024-28216 (nGrinder before 3.5.9 allows an attacker to obtain the results of webh ...) + TODO: check +CVE-2024-28215 (nGrinder before 3.5.9 allows an attacker to create or update webhook c ...) + TODO: check +CVE-2024-28214 (nGrinder before 3.5.9 allows to set delay without limitation, which co ...) + TODO: check +CVE-2024-28213 (nGrinder before 3.5.9 allows to accept serialized Java objects from un ...) + TODO: check +CVE-2024-28212 (nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow ...) + TODO: check +CVE-2024-28211 (nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by ...) + TODO: check +CVE-2024-28111 (Canarytokens helps track activity and actions on a network. Canarytoke ...) + TODO: check +CVE-2024-28110 (Go SDK for CloudEvents is the official CloudEvents SDK to integrate ap ...) + TODO: check +CVE-2024-28102 (JWCrypto implements JWK, JWS, and JWE specifications using python-cryp ...) + TODO: check +CVE-2024-28101 (The Apollo Router is a graph router written in Rust to run a federated ...) + TODO: check +CVE-2024-28097 (Calendar functionality in Schoolbox application before version 23.1.3 ...) + TODO: check +CVE-2024-28096 (Class functionality in Schoolbox application before version 23.1.3 is ...) + TODO: check +CVE-2024-28095 (News functionality in Schoolbox application before version 23.1.3 is ...) + TODO: check +CVE-2024-28094 (Chat functionality in Schoolbox application before version 23.1.3 is ...) + TODO: check +CVE-2024-27936 (Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure ...) + TODO: check +CVE-2024-27935 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in ...) + TODO: check +CVE-2024-27934 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in ...) 
+ TODO: check +CVE-2024-27933 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version ...) + TODO: check +CVE-2024-27932 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in ...) + TODO: check +CVE-2024-27927 (RSSHub is an open source RSS feed generator. Prior to version 1.0.0-ma ...) + TODO: check +CVE-2024-27926 (RSSHub is an open source RSS feed generator. Starting in version 1.0.0 ...) + TODO: check +CVE-2024-27923 (Grav is a content management system (CMS). Prior to version 1.7.43, us ...) + TODO: check +CVE-2024-27922 (TOMP Bare Server implements the TompHTTP bare server. A vulnerability ...) + TODO: check +CVE-2024-27918 (Coder allows oragnizations to provision remote development environment ...) + TODO: check +CVE-2024-26566 (An issue in Cute Http File Server v.3.1 allows a remote attacker to es ...) + TODO: check +CVE-2024-24389 (A cross-site scripting (XSS) vulnerability in XunRuiCMS up to v4.6.2 a ...) + TODO: check +CVE-2024-24375 (SQL injection vulnerability in Jfinalcms v.5.0.0 allows a remote attac ...) + TODO: check +CVE-2024-1761 (The WP Chat App plugin for WordPress is vulnerable to Stored Cross-Sit ...) + TODO: check +CVE-2024-1720 (The User Registration \u2013 Custom Registration Form, Login Form, and ...) + TODO: check +CVE-2024-1506 (The Prime Slider \u2013 Addons For Elementor plugin for WordPress is v ...) + TODO: check +CVE-2024-1500 (The Royal Elementor Addons and Templates plugin for WordPress is vulne ...) + TODO: check +CVE-2024-1460 (MSI Afterburner v4.6.5.16370 is vulnerable to a Kernel Memory Leak vul ...) + TODO: check +CVE-2024-1443 (MSI Afterburner v4.6.5.16370 is vulnerable to a Denial of Service vuln ...) + TODO: check +CVE-2024-1419 (The The Plus Addons for Elementor plugin for WordPress is vulnerable t ...) + TODO: check +CVE-2024-1377 (The Happy Addons for Elementor plugin for WordPress is vulnerable to S ...) 
+ TODO: check +CVE-2024-1366 (The Happy Addons for Elementor plugin for WordPress is vulnerable to S ...) + TODO: check +CVE-2024-0817 (Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0) + TODO: check +CVE-2024-0815 (Command injection in paddle.utils.download._wget_download (bypass filt ...) + TODO: check +CVE-2023-51395 (The vulnerability described by CVE-2023-0972 has been additionally dis ...) + TODO: check +CVE-2023-51281 (Cross Site Scripting
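Review bot: the hunk's only removal is the hand-written placeholder "-CVE-2024-2236 [timing based side-channel in RSA implementation]", and its libgcrypt20 package line and Red Hat bug NOTE do not appear among the additions shown (the excerpt is cut off). Check that the automated rewrite re-added the entry with the official description and kept the manual triage data rather than replacing it with a bare "TODO: check"; the later bookworm/bullseye triage commit in this batch shows the entry with "- libgcrypt20" and the bugzilla NOTE, which is what should survive.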