[Git][security-tracker-team/security-tracker][master] new dmitry issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c5ba8ef9 by Moritz Muehlenhoff at 2024-04-30T15:16:30+02:00 new dmitry issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36,7 +36,10 @@ CVE-2024-33401 (Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a CVE-2024-33350 (Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote at ...) NOT-FOR-US: TaoCMS CVE-2024-31837 (DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-string ...) - TODO: check + - dmitry + [bookworm] - dmitry (Minor issue) + [bullseye] - dmitry (Minor issue) + NOTE: https://github.com/jaygreig86/dmitry/pull/12 CVE-2024-28294 (Limbas up to v5.2.14 was discovered to contain a SQL injection vulnera ...) NOT-FOR-US: Limbas CVE-2024-27518 (An issue in SUPERAntiSyware Professional X 10.0.1262 and 10.0.1264 all ...) @@ -288826,7 +288829,11 @@ CVE-2020-14932 (compose.php in SquirrelMail 1.4.22 calls unserialize for the $ma - squirrelmail NOTE: https://www.openwall.com/lists/oss-security/2020/06/20/1 CVE-2020-14931 (A stack-based buffer overflow in DMitry (Deepmagic Information Gatheri ...) - NOT-FOR-US: DMitry + - dmitry + [bookworm] - dmitry (Minor issue) + [bullseye] - dmitry (Minor issue) + NOTE: https://github.com/jaygreig86/dmitry/issues/4 + NOTE: https://github.com/jaygreig86/dmitry/pull/6 CVE-2020-14930 (An issue was discovered in BT CTROMS Terminal OS Port Portal CT-464. A ...) NOT-FOR-US: BT CTROMS Terminal OS Port Portal CT-464 CVE-2019-20892 (net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateRefer ...) 
@@ -468958,7 +468965,11 @@ CVE-2017-7940 (The iw_read_gif_file function in imagew-gif.c in libimageworsener CVE-2017-7939 (The read_next_pam_token function in imagew-pnm.c in libimageworsener.a ...) NOT-FOR-US: ImageWorsener CVE-2017-7938 (Stack-based buffer overflow in DMitry (Deepmagic Information Gathering ...) - NOT-FOR-US: DMitry + - dmitry + [bookworm] - dmitry (Minor issue) + [bullseye] - dmitry (Minor issue) + NOTE: https://packetstormsecurity.com/files/142210/Dmitry-1.3a-Local-Stack-Buffer-Overflow.html + NOTE: https://github.com/jaygreig86/dmitry/pull/12 CVE-2017-7937 (An Improper Authentication issue was discovered in Phoenix Contact Gmb ...) NOT-FOR-US: Phoenix Contact CVE-2017-7936 (A stack-based buffer overflow issue was discovered in NXP i.MX 50, i.M ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5ba8ef9655e2749c865c436f07613f13f715f2e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5ba8ef9655e2749c865c436f07613f13f715f2e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
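Review bot: in the CVE-2024-31837 hunk the new "- dmitry" line carries no fixed version and its only reference is "NOTE: https://github.com/jaygreig86/dmitry/pull/12", a pull request rather than a merged commit, so the entry does not say whether upstream has a fix at all; the same PR is cited again for CVE-2017-7938 in the third hunk. Either use the "NOTE: Fixed by:" form used elsewhere in this file once the PR is merged, or add a short NOTE that the PR is still open and addresses both CVEs, so the next triager does not have to re-derive the status.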
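Review bot: the CVE-2020-14931 hunk (and the CVE-2017-7938 hunk after it) flips a 2020/2017 "NOT-FOR-US: DMitry" entry into a tracked "- dmitry" entry with bookworm and bullseye annotations, which means the earlier triage was wrong and the package is in the archive; the commit message "new dmitry issues" does not mention that these two are reclassifications rather than new CVEs. For CVE-2020-14931 two references are given ("issues/4" and "pull/6") without saying which one is the fix; a NOTE stating whether pull/6 is merged, plus a word in the commit message about the reclassification, would make the history clear.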
[Git][security-tracker-team/security-tracker][master] libkf5ksieve spu/ospu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 58f12d99 by Moritz Muehlenhoff at 2024-04-30T12:22:23+02:00 libkf5ksieve spu/ospu - - - - - 3 changed files: - data/CVE/list - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/CVE/list = @@ -315,6 +315,8 @@ CVE-2024-1905 (The Smart Forms WordPress plugin before 2.6.96 does not sanitise NOT-FOR-US: WordPress plugin CVE-2023-52723 (In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cl ...) - libkf5ksieve 4:22.12.3-2 (bug #1069163) + [bookworm] - libkf5ksieve (Minor issue, will be fixed via spu) + [bullseye] - libkf5ksieve (Minor issue, will be fixed via ospu) NOTE: https://www.openwall.com/lists/oss-security/2024/04/25/1 NOTE: Fixed by: https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1 (v23.03.80) CVE-2024-4294 (A vulnerability, which was classified as critical, has been found in P ...) @@ -6276,7 +6278,6 @@ CVE-2024-2201 [Native Branch History Injection] [bookworm] - xen (Minor issue, fix along in next DSA) [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) - NOTE: https://www.openwall.com/lists/oss-security/2024/04/09/15 NOTE: https://vusec.net/projects/native-bhi NOTE: https://download.vusec.net/papers/inspectre_sec24.pdf NOTE: https://xenbits.xen.org/xsa/advisory-456.html = data/next-oldstable-point-update.txt = @@ -93,3 +93,5 @@ CVE-2024-30204 [bullseye] - emacs 1:27.1+1-3.1+deb11u3 CVE-2024-30205 [bullseye] - emacs 1:27.1+1-3.1+deb11u3 +CVE-2023-52723 + [bullseye] - libkf5ksieve 4:20.08.3-1+deb11u1 = data/next-point-update.txt = 
@@ -122,3 +122,5 @@ CVE-2024-30204 [bookworm] - emacs 1:28.2+1-15+deb12u1 CVE-2024-30205 [bookworm] - emacs 1:28.2+1-15+deb12u1 +CVE-2023-52723 + [bookworm] - libkf5ksieve 4:22.12.3-1+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58f12d9954dd7e440a34a0c10f4a572ff497258d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58f12d9954dd7e440a34a0c10f4a572ff497258d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
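Review bot: the second hunk removes "NOTE: https://www.openwall.com/lists/oss-security/2024/04/09/15" from the CVE-2024-2201 [Native Branch History Injection] entry, which has nothing to do with the libkf5ksieve spu/ospu change named in the commit message. If the oss-security reference was dropped on purpose (for example as redundant with the vusec and xen advisory links that remain), say so in the commit message; otherwise it reads as an accidental deletion and the link should be restored in its own commit.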
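Review bot: the next-oldstable-point-update.txt and next-point-update.txt hunks add CVE-2023-52723 with target versions 4:20.08.3-1+deb11u1 and 4:22.12.3-1+deb12u1, which matches the "will be fixed via spu" / "will be fixed via ospu" annotations in the first hunk. One wording point: other entries in data/CVE/list spell the same state out as "(Minor issue, will be fixed via point update)", so the abbreviated spu/ospu form is inconsistent with them; picking one phrasing keeps the annotations greppable.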
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e21e522e by Moritz Muehlenhoff at 2024-04-30T10:43:40+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -5,59 +5,59 @@ CVE-2024-4226 (It was identified that in certain versions of Octopus Server, tha CVE-2024-4225 (Multiple security vulnerabilities has been discovered in web interface ...) NOT-FOR-US: NetGuardian DIN Remote Telemetry Unit (RTU) CVE-2024-34050 (Open Networking Foundation SD-RAN Rimedo rimedo-ts 0.1.1 has a slice b ...) - TODO: check + NOT-FOR-US: Open Networking Foundation SD-RAN Rimedo rimedo-ts CVE-2024-34049 (Open Networking Foundation SD-RAN Rimedo rimedo-ts 0.1.1 has a slice b ...) - TODO: check + NOT-FOR-US: Open Networking Foundation SD-RAN Rimedo rimedo-ts CVE-2024-34048 (O-RAN RIC I-Release e2mgr lacks array size checks in E2nodeConfigUpdat ...) NOT-FOR-US: O-RAN RIC I-Release e2mgr CVE-2024-34047 (O-RAN RIC I-Release e2mgr lacks array size checks in RicServiceUpdateH ...) NOT-FOR-US: O-RAN RIC I-Release e2mgr CVE-2024-34046 (The O-RAN E2T I-Release Prometheus metric Increment function can crash ...) - TODO: check + NOT-FOR-US: O-RAN CVE-2024-34045 (The O-RAN E2T I-Release Prometheus metric Increment function can crash ...) - TODO: check + NOT-FOR-US: O-RAN CVE-2024-34044 (The O-RAN E2T I-Release buildPrometheusList function can have a NULL p ...) - TODO: check + NOT-FOR-US: O-RAN CVE-2024-34043 (O-RAN RICAPP kpimon-go I-Release has a segmentation violation via a ce ...) - TODO: check + NOT-FOR-US: O-RAN CVE-2024-33522 (In vulnerable versions of Calico (v3.27.2 and below), Calico Enterpris ...) TODO: check CVE-2024-33401 (Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a remot ...) - TODO: check + NOT-FOR-US: DedeCMS CVE-2024-33350 (Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote at ...) - TODO: check + NOT-FOR-US: TaoCMS CVE-2024-31837 (DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-string ...) TODO: check CVE-2024-28294 (Limbas up to v5.2.14 was discovered to contain a SQL injection vulnera ...) 
- TODO: check + NOT-FOR-US: Limbas CVE-2024-27518 (An issue in SUPERAntiSyware Professional X 10.0.1262 and 10.0.1264 all ...) - TODO: check + NOT-FOR-US: SUPERAntiSyware Professional X CVE-2024-1371 (The LeadConnector plugin for WordPress is vulnerable to unauthorized m ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-0216 (The Google Doc Embedder plugin for WordPress is vulnerable to Server S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52728 (Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.25 allows an i ...) - TODO: check + NOT-FOR-US: onos-lib-go CVE-2023-52727 (Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.25 allows an i ...) - TODO: check + NOT-FOR-US: onos-lib-go CVE-2023-52726 (Open Networking Foundation SD-RAN ONOS onos-ric-sdk-go 0.8.12 allows i ...) - TODO: check + NOT-FOR-US: onos-ric-sdk-go CVE-2023-52725 (Open Networking Foundation SD-RAN ONOS onos-kpimon 0.4.7 allows blocki ...) - TODO: check + NOT-FOR-US: onos-kpimon CVE-2023-52724 (Open Networking Foundation SD-RAN onos-kpimon 0.4.7 allows out-of-boun ...) - TODO: check + NOT-FOR-US: onos-kpimon CVE-2023-50434 (emdns_resolve_raw in emdns.c in emdns through fbd1eef calls strlen wit ...) - TODO: check + NOT-FOR-US: emdns CVE-2023-50433 (marshall in dhcp_packet.c in simple-dhcp-server through ec976d2 allows ...) - TODO: check + NOT-FOR-US: simple-dhcp-server CVE-2023-50432 (simple-dhcp-server through ec976d2 allows remote attackers to cause a ...) - TODO: check + NOT-FOR-US: simple-dhcp-server CVE-2023-46960 (Buffer Overflow vulnerability in PyPXE v.1.8.4 allows a remote attacke ...) TODO: check CVE-2023-46566 (Buffer Overflow vulnerability in msoulier tftpy commit 467017b844bf6e3 ...) TODO: check CVE-2023-31889 (An issue discovered in httpd in ASUS RT-AC51U with firmware version up ...) - TODO: check + NOT-FOR-US: ASUS CVE-2024-4310 (Cross-site Scripting (XSS) vulnerability in HubBank affecting version ...) 
NOT-FOR-US: HubBank CVE-2024-4309 (SQL injection vulnerability in HubBank affecting version 1.0.2. This v ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e21e522e802fe281b76ffd02aec9554b9339bba4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e21e522e802fe281b76ffd02aec9554b9339bba4 You're receiving this email because of your account
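Review bot: the NOT-FOR-US labels in this hunk are inconsistent for one upstream family: "NOT-FOR-US: Open Networking Foundation SD-RAN Rimedo rimedo-ts", "NOT-FOR-US: O-RAN" and "NOT-FOR-US: onos-lib-go" all cover ONF SD-RAN / O-RAN components, and the bare "O-RAN" label is too broad to help anyone later searching for a specific component (e2t, kpimon-go). Separately, "NOT-FOR-US: SUPERAntiSyware Professional X" copies the spelling verbatim from the CVE description; verify the vendor's product name before committing it as the label, since the label is what future triage greps for.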
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f9575ae by Moritz Muehlenhoff at 2024-04-30T10:21:11+02:00 bookworm/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -316,6 +316,8 @@ CVE-2024-4292 (A vulnerability classified as critical has been found in Contempo NOT-FOR-US: Contemporary Controls BASrouter BACnet BASRT-B CVE-2024-33883 (The ejs (aka Embedded JavaScript templates) package before 3.1.10 for ...) - node-ejs 3.1.10+~3.1.5-1 + [bookworm] - node-ejs (Minor issue) + [bullseye] - node-ejs (Minor issue) NOTE: https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5 (v3.1.10) CVE-2024-33851 (phpecc, as used in paragonie/phpecc before 2.0.1, has a branch-based t ...) TODO: check @@ -4129,6 +4131,8 @@ CVE-2023-38511 (iTop is an IT service management platform. Dashboard editor : c NOT-FOR-US: iTop CVE-2024- [validate a server certificate in a TLS-based server-server connection] - ngircd 27~rc1-1 + [bookworm] - ngircd (Minor issue, will be fixed via point update) + [bullseye] - ngircd (Minor issue, will be fixed via point update) NOTE: https://github.com/ngircd/ngircd/issues/120 NOTE: https://github.com/ngircd/ngircd/commit/817937b218c4b57515f54216ebc936cd69df0aae (rel-27-rc1) CVE-2024-3778 (The file upload functionality of Ai3 QbiBot does not properly restrict ...) 
@@ -15354,6 +15358,8 @@ CVE-2024-28110 (Go SDK for CloudEvents is the official CloudEvents SDK to integr NOT-FOR-US: cloudevents/sdk-go CVE-2024-28102 (JWCrypto implements JWK, JWS, and JWE specifications using python-cryp ...) - python-jwcrypto (bug #1065688) + [bookworm] - python-jwcrypto (Minor issue) + [bullseye] - python-jwcrypto (Minor issue) NOTE: https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97 NOTE: https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f (v1.5.6) CVE-2024-28101 (The Apollo Router is a graph router written in Rust to run a federated ...) @@ -141409,8 +141415,8 @@ CVE-2022-32744 (A flaw was found in Samba. The KDC accepts kpasswd requests encr CVE-2022-32743 (Samba does not validate the Validated-DNS-Host-Name right for the dNSH ...) [experimental] - samba 2:4.17.0+dfsg-1 - samba 2:4.17.2+dfsg-3 (bug #1021022) - [bullseye] - samba (Minor issue) - [buster] - samba (Minor issue) + [bullseye] - samba (Domain controller functionality is EOLed, see DSA DSA-5477-1) + [buster] - samba (Domain controller functionality is EOLed, see DSA-5015-1) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14833 CVE-2022-32742 (A flaw was found in Samba. Some SMB1 write requests were not correctly ...) {DSA-5205-1 DLA-3792-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f9575ae0e7f5912bbd29f038baaf027732053af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f9575ae0e7f5912bbd29f038baaf027732053af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
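Review bot: in the ngircd hunk both stable lines say "(Minor issue, will be fixed via point update)", but unlike the libkf5ksieve commit (58f12d99) on this page, this commit adds no matching entries to data/next-point-update.txt or data/next-oldstable-point-update.txt, so nothing records the target versions for bookworm and bullseye; add them in the same commit. The entry is also keyed on the placeholder "CVE-2024-" with a bracketed description, which is fine as a temporary id but needs replacing once the CVE is assigned.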
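Review bot: the samba hunk (CVE-2022-32743) has a duplicated token in the new bullseye line, "[bullseye] - samba (Domain controller functionality is EOLed, see DSA DSA-5477-1)"; the buster line directly below uses the intended form "see DSA-5015-1". Drop the extra "DSA ".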
[Git][security-tracker-team/security-tracker][master] new fdupes issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fc357bb by Moritz Muehlenhoff at 2024-04-27T20:47:27+02:00 new fdupes issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -320,7 +320,10 @@ CVE-2023-6095 (Vladimir Kononovich, a Security Researcher has found a flaw that CVE-2023-47252 (An issue was discovered in PnpSmm in Insyde InsydeH2O with kernel 5.0 ...) NOT-FOR-US: InsydeH2O CVE-2022-48682 (In deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows ...) - TODO: check + - fdupes 1:2.2.1-1 + [bullseye] - fdupes (Minor issue) + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1200381 + NOTE: https://github.com/adrianlopezroche/fdupes/commit/85680897148f1ac33b55418e00334116e419717f (v2.2.0) CVE-2024-27282 - ruby3.2 - ruby3.1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fc357bb5ac04c9937b1e63c612d7c8837f36335 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fc357bb5ac04c9937b1e63c612d7c8837f36335 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
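Review bot: the fdupes hunk (CVE-2022-48682) records the sid fix as "- fdupes 1:2.2.1-1" and annotates only bullseye ("[bullseye] - fdupes (Minor issue)"); there is no bookworm line. If bookworm ships 1:2.2.1-1 or later the tracker already derives "fixed" from the sid line and no annotation is needed, but if it ships anything older the bookworm annotation is missing; the commit message could state which case applies.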
[Git][security-tracker-team/security-tracker][master] new ffmpeg issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a92ad0de by Moritz Muehlenhoff at 2024-04-27T20:43:48+02:00 new ffmpeg issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -176,7 +176,12 @@ CVE-2024-1789 (The WP SMTP plugin for WordPress is vulnerable to SQL Injection v CVE-2024-0740 (Eclipse Target Management: Terminal and Remote System Explorer (RSE) v ...) NOT-FOR-US: Eclipse Target Management: Terminal and Remote System Explorer CVE-2023-51794 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: https://trac.ffmpeg.org/ticket/10746 + NOTE: Fixed in https://github.com/ffmpeg/FFmpeg/commit/50f0f8c53c818f73fe2d752708e2fa9d2a2d8a07 (n7.0) CVE-2023-51365 (A path traversal vulnerability has been reported to affect several QNA ...) NOT-FOR-US: QNAP CVE-2023-51364 (A path traversal vulnerability has been reported to affect several QNA ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a92ad0de956889c8b5b6a56f5a669d9e69e52d09 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a92ad0de956889c8b5b6a56f5a669d9e69e52d09 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
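Review bot: in the ffmpeg hunk the reference line reads "NOTE: Fixed in https://github.com/ffmpeg/FFmpeg/commit/... (n7.0)" while the rest of this file uses "NOTE: Fixed by:" for the same meaning (see the libksieve entry in commit 58f12d99); keep the wording uniform. The stable annotations "(Pick up when fixed in 5.1.x)" and "(Pick up when fixed in 4.3.x)" assume upstream will backport the n7.0 fix to those release branches; a NOTE pointing at the backport status (the trac ticket already linked, or the release-branch commit once it exists) would let the next triager verify that instead of re-deriving it.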
[Git][security-tracker-team/security-tracker][master] new quickjs issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3194f122 by Moritz Muehlenhoff at 2024-04-27T20:40:30+02:00 new quickjs issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -111,7 +111,8 @@ CVE-2024-33343 (D-Link DIR-822+ V1.0.5 was found to contain a command injection CVE-2024-33342 (D-Link DIR-822+ V1.0.5 was found to contain a command injection in Set ...) NOT-FOR-US: D-Link CVE-2024-33263 (QuickJS commit 3b45d15 was discovered to contain an Assertion Failure ...) - TODO: check + - quickjs + NOTE: https://github.com/bellard/quickjs/issues/277 CVE-2024-33260 (Jerryscript commit cefd391 was discovered to contain a segmentation vi ...) - iotjs [bullseye] - iotjs (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3194f12209e3b0b7d7e03627a3ed7636ddc8e930 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3194f12209e3b0b7d7e03627a3ed7636ddc8e930 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
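Review bot: the quickjs hunk (CVE-2024-33263) adds "- quickjs" with only an upstream issue link; there is no fixed version and, unlike the neighbouring iotjs entry visible in the same hunk context ("[bullseye] - iotjs (Minor issue)"), no bookworm or bullseye triage lines. If quickjs is shipped in those releases they need an annotation, and if the upstream issue has no fix yet a NOTE saying so would save the next person a trip to the issue tracker.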
[Git][security-tracker-team/security-tracker][master] new iotjs issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 49f266ee by Moritz Muehlenhoff at 2024-04-27T20:38:49+02:00 new iotjs issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -113,13 +113,21 @@ CVE-2024-33342 (D-Link DIR-822+ V1.0.5 was found to contain a command injection CVE-2024-33263 (QuickJS commit 3b45d15 was discovered to contain an Assertion Failure ...) TODO: check CVE-2024-33260 (Jerryscript commit cefd391 was discovered to contain a segmentation vi ...) - TODO: check + - iotjs + [bullseye] - iotjs (Minor issue) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/5133 CVE-2024-33259 (Jerryscript commit cefd391 was discovered to contain a segmentation vi ...) - TODO: check + - iotjs + [bullseye] - iotjs (Minor issue) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/5132 CVE-2024-33258 (Jerryscript commit ff9ff8f was discovered to contain a segmentation vi ...) - TODO: check + - iotjs + [bullseye] - iotjs (Minor issue) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/5144 CVE-2024-33255 (Jerryscript commit cefd391 was discovered to contain an Assertion Fail ...) - TODO: check + - iotjs + [bullseye] - iotjs (Minor issue) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/5135 CVE-2024-32957 (Missing Authorization vulnerability in Live Composer Team Page Builder ...) NOT-FOR-US: WordPress plugin CVE-2024-32884 (gitoxide is a pure Rust implementation of Git. `gix-transport` does no ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49f266eec5dd761e2d3e77c067e2aa68d4b9fd20 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49f266eec5dd761e2d3e77c067e2aa68d4b9fd20 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
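Review bot: all four hunks map Jerryscript CVEs (CVE-2024-33260, CVE-2024-33259, CVE-2024-33258, CVE-2024-33255) onto the iotjs package with "[bullseye] - iotjs (Minor issue)" and no bookworm line. Since the CVE text names Jerryscript rather than iotjs, a one-line NOTE that iotjs embeds the affected jerryscript code (and roughly which upstream commit range it ships) would make the mapping self-explanatory; and if bookworm still ships iotjs it needs the same annotation as bullseye, otherwise a word in the commit message that iotjs is absent from bookworm would explain the omission.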
[Git][security-tracker-team/security-tracker][master] new ruby-sidekiq issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e1c309c by Moritz Muehlenhoff at 2024-04-27T20:35:34+02:00 new ruby-sidekiq issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,9 @@ CVE-2024-3051 (Malformed Device Reset Locally command classes can be sent to tem CVE-2024-3034 (The BackUpWordPress plugin for WordPress is vulnerable to Directory Tr ...) NOT-FOR-US: WordPress plugin CVE-2024-32887 (Sidekiq is simple, efficient background processing for Ruby. Sidekiq i ...) - TODO: check + - ruby-sidekiq + NOTE: https://github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164d (v7.2.4) + NOTE: https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq CVE-2024-32883 (MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot u ...) NOT-FOR-US: mcuboot CVE-2024-32881 (Danswer is the AI Assistant connected to company's docs, apps, and peo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e1c309c51ee60f3504ea4aeae9fadf457400395 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e1c309c51ee60f3504ea4aeae9fadf457400395 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
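Review bot: the ruby-sidekiq hunk (CVE-2024-32887) lists "- ruby-sidekiq" with no fixed version even though the NOTE records the upstream fix commit as "(v7.2.4)"; if no package containing that commit has been uploaded yet, a NOTE saying so avoids the entry looking half-finished. The hunk also adds no bookworm or bullseye annotations, so if those releases ship ruby-sidekiq their status is left undetermined and needs a line each.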
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9bf1d023 by Moritz Muehlenhoff at 2024-04-27T20:34:16+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,113 +1,113 @@ CVE-2024-4245 (A vulnerability, which was classified as critical, has been found in T ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-4244 (A vulnerability classified as critical was found in Tenda W9 1.0.0.7(4 ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-4243 (A vulnerability classified as critical has been found in Tenda W9 1.0. ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-4242 (A vulnerability was found in Tenda W9 1.0.0.7(4456). It has been rated ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-4241 (A vulnerability was found in Tenda W9 1.0.0.7(4456). It has been decla ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-4240 (A vulnerability was found in Tenda W9 1.0.0.7(4456). It has been class ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-4239 (A vulnerability was found in Tenda AX1806 1.0.0.1 and classified as cr ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-3052 (Malformed S2 Nonce Get command classes can be sent to crash the gatewa ...) - TODO: check + NOT-FOR-US: silabs CVE-2024-3051 (Malformed Device Reset Locally command classes can be sent to temporar ...) - TODO: check + NOT-FOR-US: silabs CVE-2024-3034 (The BackUpWordPress plugin for WordPress is vulnerable to Directory Tr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32887 (Sidekiq is simple, efficient background processing for Ruby. Sidekiq i ...) TODO: check CVE-2024-32883 (MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot u ...) - TODO: check + NOT-FOR-US: mcuboot CVE-2024-32881 (Danswer is the AI Assistant connected to company's docs, apps, and peo ...) - TODO: check + NOT-FOR-US: Danswer CVE-2024-32878 (Llama.cpp is LLM inference in C/C++. There is a use of uninitialized h ...) - TODO: check + NOT-FOR-US: llama.cpp CVE-2024-31828 (Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows att ...) - TODO: check + NOT-FOR-US: Lavalite CMS CVE-2024-31741 (Cross Site Scripting vulnerability in MiniCMS v.1.11 allows a remote a ...) 
- TODO: check + NOT-FOR-US: MiniCMS CVE-2024-31601 (An issue in Beijing Panabit Network Software Co., Ltd Panalog big data ...) - TODO: check + NOT-FOR-US: Panabit CVE-2024-31551 (Directory Traversal vulnerability in lib/admin/image.admin.php in cmse ...) - TODO: check + NOT-FOR-US: cmseasy CVE-2024-31502 (An issue in Insurance Management System v.1.0.0 and before allows a re ...) - TODO: check + NOT-FOR-US: Insurance Management System CVE-2024-30804 (An issue discovered in the DeviceIoControl component in ASUS Fan_Xpert ...) - TODO: check + NOT-FOR-US: ASUS CVE-2024-2859 (By default, SANnav OVA is shipped with root user login enabled. While ...) - TODO: check + NOT-FOR-US: Brocade CVE-2024-2838 (The WPC Composite Products for WooCommerce plugin for WordPress is vul ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2258 (The Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Contact For ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-28322 (SQL Injection vulnerability in /event-management-master/backend/regist ...) - TODO: check + NOT-FOR-US: PuneethReddyHC Event Management CVE-2024-4238 (A vulnerability has been found in Tenda AX1806 1.0.0.1 and classified ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-4237 (A vulnerability, which was classified as critical, was found in Tenda ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-4236 (A vulnerability, which was classified as critical, has been found in T ...) - TODO: check + NOT-FOR-US: Tenda CVE-2024-4235 (A vulnerability classified as problematic was found in Netgear DG834Gv ...) - TODO: check + NOT-FOR-US: Netgear CVE-2024-4234 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: Sayful Islam Filterable Portfolio CVE-2024-4198 (Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 ...) - TODO: check + - mattermost-server (bug #823556) CVE-2024-4195 (Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 ...) 
- TODO: check + - mattermost-server (bug #823556) CVE-2024-4183 (Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x bef ...) - TODO: check + - mattermost-server (bug #823556) CVE-2024-4182 (Mattermost versions 9
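Review bot: two style points in this hunk. "NOT-FOR-US: silabs" (CVE-2024-3052, CVE-2024-3051) is lower-case while every other NOT-FOR-US label in the hunk uses the vendor's capitalised name; and the three Mattermost entries (CVE-2024-4198, CVE-2024-4195, CVE-2024-4183) all resolve to "- mattermost-server (bug #823556)" with no version, reusing one bug number for every CVE. If that bug tracks the packaging of mattermost-server rather than a per-CVE report, a NOTE stating that the package is not yet in the archive would explain why no version is given.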
[Git][security-tracker-team/security-tracker][master] wireshark fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 43fef690 by Moritz Muehlenhoff at 2024-04-27T20:20:56+02:00 wireshark fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9951,7 +9951,7 @@ CVE-2024-30232 (Improper Neutralization of Input During Web Page Generation ('Cr CVE-2024-30231 (Unrestricted Upload of File with Dangerous Type vulnerability in WebTo ...) NOT-FOR-US: WordPress plugin CVE-2024-2955 (T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 a ...) - - wireshark (bug #1068111) + - wireshark 4.2.4-1 (bug #1068111) [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) [buster] - wireshark (Minor issue; can be fixed in next update) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43fef690b1681b46aff8b64a4bc4ca1d53debf68 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43fef690b1681b46aff8b64a4bc4ca1d53debf68 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] libyang2 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: da96caa4 by Moritz Muehlenhoff at 2024-04-27T20:19:38+02:00 libyang2 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78652,13 +78652,13 @@ CVE-2023-26919 (delight-nashorn-sandbox 0.2.4 and 0.2.5 is vulnerable to sandbox CVE-2023-26918 (Diasoft File Replication Pro 7.5.0 allows attackers to escalate privil ...) NOT-FOR-US: Diasoft File Replication Pro CVE-2023-26917 (libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL poin ...) - - libyang2 (bug #1034724) + - libyang2 2.1.148-0.1 (bug #1034724) [bookworm] - libyang2 (Minor issue) [bullseye] - libyang2 (Minor issue) NOTE: https://github.com/CESNET/libyang/issues/1987 NOTE: https://github.com/CESNET/libyang/commit/cfa1a965a429e4bfc5ae1539a8e87a9cf71c3090 (v2.1.55) CVE-2023-26916 (libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL poin ...) - - libyang2 (bug #1034154) + - libyang2 2.1.148-0.1 (bug #1034154) [bookworm] - libyang2 (Minor issue) [bullseye] - libyang2 (Minor issue) NOTE: https://github.com/CESNET/libyang/issues/1979 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da96caa4ff8d1ce11cb701c90698af042f2bba8c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da96caa4ff8d1ce11cb701c90698af042f2bba8c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] libdata-uuid-perl fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d3edff15 by Moritz Muehlenhoff at 2024-04-27T20:18:03+02:00 libdata-uuid-perl fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -581107,7 +581107,7 @@ CVE-2013-4185 (Algorithmic complexity vulnerability in OpenStack Compute (Nova) - nova 2013.1.2-3 (low; bug #718907) [wheezy] - nova (Minor issue) CVE-2013-4184 (Perl module Data::UUID from CPAN version 1.219 vulnerable to symlink a ...) - - libdata-uuid-perl (unimportant; bug #718949) + - libdata-uuid-perl 1.227-1 (unimportant; bug #718949) NOTE: https://github.com/rjbs/Data-UUID/issues/5 NOTE: Neutralised by kernel temp hardening CVE-2013-4183 (The clear_volume function in LVMVolumeDriver driver in OpenStack Cinde ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3edff150da1ad942ca0ac8ed5dbbf03a9e963f8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3edff150da1ad942ca0ac8ed5dbbf03a9e963f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] chromium fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a6e4e2cb by Moritz Muehlenhoff at 2024-04-26T16:16:18+02:00 chromium fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -294,15 +294,15 @@ CVE-2024-26923 (In the Linux kernel, the following vulnerability has been resolv - linux NOTE: https://git.kernel.org/linus/47d8ac011fe1c9251070e1bd64cb10b48193ec51 (6.9-rc4) CVE-2024-4060 - - chromium + - chromium 124.0.6367.78-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-4059 - - chromium + - chromium 124.0.6367.78-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-4058 - - chromium + - chromium 124.0.6367.78-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-4141 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6e4e2cbf8b5ce23e04f9084a9c7f2d7e76f03bb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6e4e2cbf8b5ce23e04f9084a9c7f2d7e76f03bb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
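Review bot: the three chromium hunks (CVE-2024-4060, CVE-2024-4059, CVE-2024-4058) set "- chromium 124.0.6367.78-1" and keep the bullseye and buster annotations, but none of them has a bookworm line. If bookworm ships chromium, each entry is incomplete until either a fixed bookworm version or a DSA is recorded; if a DSA already covers bookworm, the "{DSA-...}" marker used elsewhere in this file (for example "{DSA-5205-1 DLA-3792-1}" on the samba entry) is missing here.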
[Git][security-tracker-team/security-tracker][master] new gitlab issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b2104f73 by Moritz Muehlenhoff at 2024-04-26T08:26:21+02:00 new gitlab issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49,9 +49,9 @@ CVE-2024-4077 (Improper Neutralization of Input During Web Page Generation ('Cro CVE-2024-4035 (The Photo Gallery \u2013 GT3 Image Gallery & Gutenberg Block Gallery p ...) NOT-FOR-US: WordPress plugin CVE-2024-4024 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - TODO: check + - gitlab CVE-2024-4006 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - TODO: check + - gitlab CVE-2024-3994 (The Tutor LMS \u2013 eLearning and online course solution plugin for W ...) NOT-FOR-US: WordPress plugin CVE-2024-3733 (The Essential Addons for Elementor \u2013 Best Elementor Templates, Wi ...) @@ -99,9 +99,9 @@ CVE-2024-30890 (Cross Site Scripting vulnerability in ED01-CMS v.1.0 allows an a CVE-2024-30560 (Cross-Site Request Forgery (CSRF) vulnerability in \u5927\u4fa0WP DX-W ...) NOT-FOR-US: WordPress plugin CVE-2024-2829 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - TODO: check + - gitlab CVE-2024-2434 (An issue has been discovered in GitLab affecting all versions of GitLa ...) - TODO: check + - gitlab CVE-2024-29660 (Cross Site Scripting vulnerability in DedeCMS v.5.7 allows a local att ...) NOT-FOR-US: DedeCMS CVE-2024-28241 (The GLPI Agent is a generic management agent. Prior to version 1.7.2, ...) 
@@ -127,7 +127,7 @@ CVE-2024-22373 (An out-of-bounds write vulnerability exists in the JPEG2000Codec CVE-2024-22144 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) TODO: check CVE-2024-1347 (An issue has been discovered in GitLab CE/EE affecting all versions be ...) - TODO: check + - gitlab CVE-2023-52220 (Missing Authorization vulnerability in MonsterInsights Google Analytic ...) TODO: check CVE-2023-51484 (Improper Authentication vulnerability in wp-buy Login as User or Custo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2104f734959ca6ff2836d8ec1b416d0c362f741 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2104f734959ca6ff2836d8ec1b416d0c362f741 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
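Review bot: all five `- gitlab` lines replace `TODO: check` without a fixed version and without a NOTE pointing at the upstream GitLab advisory, so the entries mark gitlab as affected in unstable with nothing to trace the claim to; every description reads "affecting all versions st..." (a version range), so add the advisory URL and the upstream fixed versions as NOTE lines and fill in the Debian fixed version once known.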
[Git][security-tracker-team/security-tracker][master] pdns-rec DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: acac53b9 by Moritz Mühlenhoff at 2024-04-25T21:24:27+02:00 pdns-rec DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[25 Apr 2024] DSA-5674-1 pdns-recursor - security update + {CVE-2024-25583} + [bookworm] - pdns-recursor 4.8.8-1 [23 Apr 2024] DSA-5673-1 glibc - security update {CVE-2024-2961} [bullseye] - glibc 2.31-13+deb11u9 = data/dsa-needed.txt = @@ -50,8 +50,6 @@ opennds/stable -- org-mode -- -pdns-recursor (jmm) --- php-cas/oldstable -- php-horde-mime-viewer/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acac53b9ca9f524044d9e29a33f6916ec9b0950d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acac53b9ca9f524044d9e29a33f6916ec9b0950d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
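Review bot: the new DSA-5674-1 entry in data/DSA/list lists `[bookworm] - pdns-recursor 4.8.8-1` only, and the `pdns-recursor (jmm)` line removed from dsa-needed.txt carried no `/suite` qualifier, so confirm that bullseye is either not affected or already annotated for CVE-2024-25583 in data/CVE/list before treating the item as closed; otherwise the two files are consistent with each other.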
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e0bccad by Moritz Muehlenhoff at 2024-04-25T17:44:51+02:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -130,6 +130,8 @@ CVE-2024-32947 (Cross-Site Request Forgery (CSRF) vulnerability in AlumniOnline NOT-FOR-US: WordPress plugin CVE-2024-32879 (Python Social Auth is a social authentication/registration mechanism. ...) - social-auth-app-django + [bookworm] - social-auth-app-django (Minor issue) + [bullseye] - social-auth-app-django (Minor issue) - python-social-auth NOTE: https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3 NOTE: https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138 (5.4.1) @@ -331,6 +333,8 @@ CVE-2024-3154 - cri-o (bug #979702) CVE-2024-30171 - bouncycastle + [bookworm] - bouncycastle (Minor issue) + [bullseye] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/issues/1528 CVE-2024-4065 (A vulnerability was found in Tenda AC8 16.03.34.09. It has been rated ...) NOT-FOR-US: Tenda @@ -7186,7 +7190,8 @@ CVE-2024-3209 (A vulnerability was found in UPX up to 4.2.2. It has been rated a CVE-2024-3207 (A vulnerability was found in ermig1979 Simd up to 6.0.134. It has been ...) NOT-FOR-US: ermig1979 Simd CVE-2024-3205 (A vulnerability was found in yaml libyaml up to 0.2.5 and classified a ...) - - libyaml + NOTE: Non issue reported for libyaml: + NOTE: https://github.com/yaml/libyaml/issues/258#issuecomment-2058613931 NOTE: https://vuldb.com/?submit.304561 NOTE: https://github.com/yaml/libyaml/issues/289 CVE-2024-3204 (A vulnerability has been found in c-blosc2 up to 2.13.2 and classified ...) 
@@ -11964,6 +11969,8 @@ CVE-2024-2567 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classi NOT-FOR-US: AndroidWeatherApp CVE-2024-29156 (In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, th ...) - murano (bug #1068459) + [bookworm] - murano (To be removed in point release) + [bullseye] - murano (To be removed in point release) NOTE: https://bugs.launchpad.net/murano/+bug/2048114 NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0093 NOTE: No fix in Murano, but a change in src:yaql renders this unexploitable: @@ -49444,6 +49451,8 @@ CVE-2023-36382 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i NOT-FOR-US: WordPress plugin CVE-2023-36308 (disintegration Imaging 1.6.2 allows attackers to cause a panic (becaus ...) - golang-github-disintegration-imaging (bug #1069062) + [bookworm] - golang-github-disintegration-imaging (Minor issue) + [bullseye] - golang-github-disintegration-imaging (Minor issue) NOTE: https://github.com/disintegration/imaging/issues/165 CVE-2023-36307 (ZPLGFA 1.1.1 allows attackers to cause a panic (because of an integer ...) NOT-FOR-US: ZPLGFA = data/dsa-needed.txt = @@ -12,11 +12,11 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -- -atril +atril (jmm) -- chromium (dilinger) -- -dav1d +dav1d (jmm) -- dnsdist (jmm) -- 
@@ -50,7 +50,7 @@ opennds/stable -- org-mode -- -pdns-recursor +pdns-recursor (jmm) -- php-cas/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e0bccad6269ecf94ccfd67828a9b4372b2acdf4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e0bccad6269ecf94ccfd67828a9b4372b2acdf4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
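Review bot: in the CVE-2024-32879 hunk only `social-auth-app-django` receives the `[bookworm]`/`[bullseye] (Minor issue)` annotations; the `- python-social-auth` line directly below stays unannotated, so if that source package is present in either suite it will still show as an open issue there. Add matching suite lines for it, or leave as is only if it is not shipped in those suites.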
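Review bot: the CVE-2024-3205 hunk drops the `- libyaml` package line entirely and leaves only NOTE lines, so the entry no longer names any package; the tracker's usual way to record a non-issue is to keep the package line with a status tag, e.g. `- libyaml <not-affected> (Non issue, see upstream comment)`, which keeps the decision machine-readable instead of only in free text. The two remaining NOTEs (the vuldb submission and upstream issue #289) are unchanged.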
[Git][security-tracker-team/security-tracker][master] radare2 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d1fbd69 by Moritz Muehlenhoff at 2024-04-25T17:05:01+02:00 radare2 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12496,7 +12496,7 @@ CVE-2024-26540 (A heap-based buffer overflow in Clmg before 3.3.3 can occur via CVE-2024-26503 (Unrestricted File Upload vulnerability in Greek Universities Network O ...) NOT-FOR-US: Greek Universities Network Open eClass CVE-2024-26475 (An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5 ...) - - radare2 + - radare2 5.9.0+dfsg-1 NOTE: https://github.com/TronciuVlad/CVE-2024-26475 NOTE: https://github.com/radareorg/radare2/commit/8419d7d0cbe61c687dcb8a35de0acccb2ee4c220 (5.9.0) CVE-2024-26454 (A Cross Site Scripting vulnerability in Healthcare-Chatbot through 9b7 ...) @@ -36446,7 +36446,7 @@ CVE-2023-47393 (An access control issue in Mercedes me IOS APP v1.34.0 and below CVE-2023-47392 (An access control issue in Mercedes me IOS APP v1.34.0 and below allow ...) NOT-FOR-US: Mercedes me IOS APP CVE-2023-47016 (radare2 5.8.9 has an out-of-bounds read in r_bin_object_set_items in l ...) - - radare2 (bug #1056930) + - radare2 5.9.0+dfsg-1 (bug #1056930) NOTE: https://github.com/radareorg/radare2/issues/22349 NOTE: https://github.com/radareorg/radare2/commit/40c9f50e127be80b9d816bce2ab2ee790831aefd CVE-2023-46814 (A binary hijacking vulnerability exists within the VideoLAN VLC media ...) 
@@ -40292,11 +40292,11 @@ CVE-2023-5830 (A vulnerability classified as critical has been found in Columbia CVE-2023-46587 (Buffer Overflow vulnerability in XnView Classic v.2.51.5 allows a loca ...) NOT-FOR-US: XnView CVE-2023-46570 (An out-of-bounds read in radare2 v.5.8.9 and before exists in the prin ...) - - radare2 (bug #1054908) + - radare2 5.9.0+dfsg-1 (bug #1054908) NOTE: https://github.com/radareorg/radare2/issues/22333 NOTE: Fixed by: https://github.com/radareorg/radare2/commit/3e406459f163eba7672b3421c8a84b2c0e4ac0f8 CVE-2023-46569 (An out-of-bounds read in radare2 v.5.8.9 and before exists in the prin ...) - - radare2 (bug #1054908) + - radare2 5.9.0+dfsg-1 (bug #1054908) NOTE: https://github.com/radareorg/radare2/issues/22334 NOTE: Fixed by: https://github.com/radareorg/radare2/commit/2e2f2a9b1800d09be09461e7536ac03a301f97f2 CVE-2023-46510 (An issue in ZIONCOM (Hong Kong) Technology Limited A7000R v.4.1cu.4154 ...) @@ -41843,7 +41843,7 @@ CVE-2023-5688 (Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/mod CVE-2023-5687 (Cross-Site Request Forgery (CSRF) in GitHub repository mosparo/mosparo ...) NOT-FOR-US: mosparo CVE-2023-5686 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prio ...) - - radare2 (bug #1055854) + - radare2 5.9.0+dfsg-1 (bug #1055854) NOTE: https://huntr.com/bounties/bbfe1f76-8fa1-4a8c-909d-65b16e970be0 NOTE: https://github.com/radareorg/radare2/commit/1bdda93e348c160c84e30da3637acef26d0348de CVE-2023-5618 (The Modern Footnotes plugin for WordPress is vulnerable to Stored Cros ...) 
@@ -52297,7 +52297,7 @@ CVE-2023-35689 (In checkDebuggingDisallowed of DeviceVersionFragment.java, there CVE-2023-32358 (A type confusion issue was addressed with improved checks. This issue ...) NOT-FOR-US: Apple CVE-2023-4322 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prio ...) - - radare2 (bug #1051898) + - radare2 5.9.0+dfsg-1 (bug #1051898) NOTE: https://github.com/radareorg/radare2/commit/ba919adb74ac368bf76b150a00347ded78b572dd NOTE: https://huntr.dev/bounties/06e2484c-d6f1-4497-af67-26549be9fffd CVE-2023-4321 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...) @@ -72231,7 +72231,7 @@ CVE-2023-1607 (A vulnerability was found in novel-plus 3.6.2. It has been classi CVE-2023-1606 (A vulnerability was found in novel-plus 3.6.2 and classified as critic ...) NOT-FOR-US: novel-plus CVE-2023-1605 (Denial of Service in GitHub repository radareorg/radare2 prior to 5.8. ...) - - radare2 (bug #1034180) + - radare2 5.9.0+dfsg-1 (bug #1034180) NOTE: https://huntr.dev/bounties/9dddcf5b-7dd4-46cc-abf9-172dce20bab2 NOTE: https://github.com/radareorg/radare2/commit/508a6307045441defd1bef0999a1f7052097613f CVE-2023-1604 @@ -77735,7 +77735,7 @@ CVE-2023-27115 (WebAssembly v1.0.29 was discovered to contain a segmentation fau NOTE: https://github.com/WebAssembly/wabt/issues/1938 NOTE: https://github.com/WebAssembly/wabt/issues/1992 CVE-2023-27114 (radare2 v5.8.3 was discovered to contain a segmentation fault via the ...) - - radare2 (bug #1032667
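Review bot: in the CVE-2023-46570 and CVE-2023-46569 hunks the `NOTE: Fixed by:` commit links carry no upstream version tag, while the CVE-2024-26475 hunk records `(5.9.0)` next to its fix commit; adding the tag to the other entries makes the new `5.9.0+dfsg-1` fixed version verifiable from the NOTEs alone. The last hunk (CVE-2023-27114) is cut off in this notification, so its change cannot be reviewed here.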
[Git][security-tracker-team/security-tracker][master] new social-auth-app-django issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a13af993 by Moritz Muehlenhoff at 2024-04-25T16:49:52+02:00 new social-auth-app-django issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -129,7 +129,10 @@ CVE-2024-32948 (Missing Authorization vulnerability in Repute Infosystems ARMemb CVE-2024-32947 (Cross-Site Request Forgery (CSRF) vulnerability in AlumniOnline Web Se ...) NOT-FOR-US: WordPress plugin CVE-2024-32879 (Python Social Auth is a social authentication/registration mechanism. ...) - TODO: check + - social-auth-app-django + - python-social-auth + NOTE: https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3 + NOTE: https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138 (5.4.1) CVE-2024-32876 (NewPipe is an Android app for video streaming written in Java. It supp ...) NOT-FOR-US: NewPipe Android app CVE-2024-32875 (Hugo is a static site generator. Starting in version 0.123.0 and prior ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a13af993b6cc268d62dd773bdde58dd82700598d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a13af993b6cc268d62dd773bdde58dd82700598d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
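Review bot: the CVE-2024-32879 entry lists both `social-auth-app-django` and `python-social-auth` as affected, but the GHSA and the fix commit `(5.4.1)` in the NOTEs belong to social-app-django only; add a note on whether the same code is present in python-social-auth, or give that line a status tag such as `<undetermined>` until it is checked, otherwise the second package is marked affected on no recorded evidence.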
[Git][security-tracker-team/security-tracker][master] qemu fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d66e81d2 by Moritz Muehlenhoff at 2024-04-25T14:35:15+02:00 qemu fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3855,12 +3855,14 @@ CVE-2024-3569 (A Denial of Service (DoS) vulnerability exists in the mintplex-la CVE-2024-3568 (The huggingface/transformers library is vulnerable to arbitrary code e ...) NOT-FOR-US: huggingface/transformers CVE-2024-3567 (A flaw was found in QEMU. An assertion failure was present in the upda ...) - - qemu (bug #1068822) + - qemu 1:8.2.3+ds-1 (bug #1068822) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274339 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2273 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/83ddb3dbba2ee0f1767442ae6ee665058aeb1093 (v9.0.0-rc3) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/1cfe45956e03070f894e91b304e233b4d5b99719 (v8.2.3) CVE-2024-3566 (A command inject vulnerability allows an attacker to perform command i ...) - nodejs (Only affects Windows) CVE-2024-3516 (Heap buffer overflow in ANGLE in Google Chrome prior to 123.0.6312.122 ...) 
@@ -4279,13 +4281,15 @@ CVE-2024-26815 (In the Linux kernel, the following vulnerability has been resolv [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/343041b59b7810f9cdca371f445dd43b35c740b1 (6.9-rc1) CVE-2024-3447 - - qemu (bug #1068821) + - qemu 1:8.2.3+ds-1 (bug #1068821) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue) NOTE: https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/ NOTE: https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/9e4b27ca6bf4974f169bbca7f3dca117b1208b6f (v9.0.0-rc3) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/35a67d2aa8caf8eb0bee7d38515924c95417047e (v8.2.3) CVE-2024-2905 NOT-FOR-US: rpm-ostree CVE-2024-2243 (A vulnerability was found in csmock where a regular user of the OSH se ...) 
@@ -4447,12 +4451,18 @@ CVE-2024-3514 CVE-2024-3512 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for WordPre ...) NOT-FOR-US: WordPress plugin CVE-2024-3446 (A double free vulnerability was found in QEMU virtio devices (virtio-g ...) - - qemu (bug #1068820) + - qemu 1:8.2.3+ds-1 (bug #1068820) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274211 NOTE: https://patchew.org/QEMU/20240409105537.18308-1-phi...@linaro.org/ + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/f4729ec39ad97a42ceaa7b5697f84f440ea6e5dc (v9.0.0-rc3) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/b4295bff25f7b50de1d9cc94a9c6effd40056bca (v9.0.0-rc3) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/ba28e0ff4d95b56dc334aac2730ab3651ffc3132 (v9.0.0-rc3) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/4f01537ced3e787bd985b8f8de5869b92657160a (v8.2.3) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/fbeb0a160cbcc067c0e1f0d380cea4a31de213e3 (v8.2.3) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/1b2a52712b249e14d246cd9c7db126088e6e64db (v8.2.3) CVE-2024-3281 (A vulnerability was discovered in the firmware builds after 8.0.2.3267 ...) NOT-FOR-US: HP CVE-2024-3267 (The Bold Page Builder plugin for WordPress is vulnerable to Stored Cro ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d66e81d2f69e126c4e75d7f96a0f6a616663412a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d66e81d2f69e126c4e75d7f96a0f6a616663412a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
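Review bot: the new `1:8.2.3+ds-1` fixed version on the CVE-2024-3567, CVE-2024-3447 and CVE-2024-3446 lines matches the `(v8.2.3)` commits added in each hunk, with the `(v9.0.0-rc3)` commits as their mainline counterparts; as a style point, prefix those commit NOTEs with `Fixed by:` (as the file does elsewhere, e.g. the radare2 entries) so they can be told apart from the bugzilla, issue and patchew links listed directly above them.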
[Git][security-tracker-team/security-tracker][master] qemu fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b19b629f by Moritz Muehlenhoff at 2024-04-25T14:02:55+02:00 qemu fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -19414,18 +19414,22 @@ CVE-2024-23114 (Deserialization of Untrusted Data vulnerability in Apache Camel CVE-2024-22369 (Deserialization of Untrusted Data vulnerability in Apache Camel SQL Co ...) NOT-FOR-US: Apache Camel CVE-2024-26328 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...) - - qemu (bug #1068819) + - qemu 1:8.2.3+ds-1 (bug #1068819) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Vulnerable code introduced later) [buster] - qemu (Vulnerable code introduced later) NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/91bb64a8d2014fda33a81fcf0fce37340f0d3b0c (v9.0.0-rc0) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/98f3488c1b6090024299f8d6362aa6aac03fe26d (v8.2.3) NOTE: https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...) - - qemu (bug #1068819) + - qemu 1:8.2.3+ds-1 (bug #1068819) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Vulnerable code introduced later) [buster] - qemu (Vulnerable code introduced later) NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/6081b4243cd64dff1b2cf5b0c215c71e9d7e753b (v9.0.0-rc0) + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/313e746958967a4b941ad4bbb80726727318edfa (v8.2.3) NOTE: https://lore.kernel.org/all/20240214-reuse-v4-5-89ad093a07f4%40daynix.com/ CVE-2024-26318 (Serenity before 6.8.0 allows XSS via an email link because LoginPage.t ...) 
NOT-FOR-US: Serenity View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b19b629f44b01172a82d4260443f176753f965d8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b19b629f44b01172a82d4260443f176753f965d8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
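Review bot: the `[bullseye]`/`[buster] - qemu (Vulnerable code introduced later)` context lines for CVE-2024-26328 and CVE-2024-26327 rest on the `Introduced by:` commit tagged `(v7.0.0-rc0)`, which holds only if the qemu versions shipped in bullseye and buster predate v7.0.0; the added `(v8.2.3)` commits match the new `1:8.2.3+ds-1` fixed version, and both CVEs share bug #1068819, so the two entries are consistent with each other.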
[Git][security-tracker-team/security-tracker][master] nodejs n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d18510ec by Moritz Muehlenhoff at 2024-04-25T13:37:25+02:00 nodejs n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3862,7 +3862,7 @@ CVE-2024-3567 (A flaw was found in QEMU. An assertion failure was present in the NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274339 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2273 CVE-2024-3566 (A command inject vulnerability allows an attacker to perform command i ...) - TODO: check + - nodejs (Only affects Windows) CVE-2024-3516 (Heap buffer overflow in ANGLE in Google Chrome prior to 123.0.6312.122 ...) {DSA-5656-1} - chromium 123.0.6312.122-1 @@ -22362,10 +22362,12 @@ CVE-2024-24858 (A race condition was found in the Linux kernel's net/bluetooth i {DSA-5658-1} - linux NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8154 + NOTE: https://git.kernel.org/linus/7835fcfd132eb88b87e8eb901f88436f63ab60f7 (v6.9-rc3) CVE-2024-24857 (A race condition was found in the Linux kernel's net/bluetooth device ...) {DSA-5658-1} - linux NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8155 + NOTE: https://git.kernel.org/linus/7835fcfd132eb88b87e8eb901f88436f63ab60f7 (v6.9-rc3) CVE-2024-24855 (A race condition was found in the Linux kernel's scsi device driver in ...) - linux 6.5.3-1 NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8149 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d18510ec410989ac8d5a702b59d7ffc1f311032b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d18510ec410989ac8d5a702b59d7ffc1f311032b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
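Review bot: `- nodejs (Only affects Windows)` for CVE-2024-3566 has no status tag, so despite the "n/a" commit message the tracker will read the line as nodejs being affected in unstable with a comment attached; if not-affected is the intent, the usual form is `- nodejs <not-affected> (Only affects Windows)`.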
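Review bot: in the second hunk the added NOTE `7835fcfd132eb88b87e8eb901f88436f63ab60f7 (v6.9-rc3)` is identical for CVE-2024-24858 and CVE-2024-24857; that is fine if one upstream commit fixes both bluetooth races, but a `Fixed by:` prefix would make clear it is the fix rather than another report link like the bugzilla.openanolis.cn ones above it.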
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1409aa55 by Moritz Muehlenhoff at 2024-04-25T11:17:39+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,25 +1,25 @@ CVE-2024-4173 (A vulnerability in Brocade SANnav ova versions before Brocade SANnav v ...) - TODO: check + NOT-FOR-US: Brocade CVE-2024-4161 (In Brocade SANnav, before Brocade SANnav v2.3.0, syslog traffic receiv ...) - TODO: check + NOT-FOR-US: Brocade CVE-2024-4159 (Brocade SANnav before Brocade SANnav v2.3.1 lacks protection mechanism ...) - TODO: check + NOT-FOR-US: Brocade CVE-2024-3988 (The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data T ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3929 (The Content Views \u2013 Post Grid & Filter, Recent Posts, Category Po ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3893 (The Classified Listing \u2013 Classified ads & Business Directory Plug ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2907 (The AGCA WordPress plugin before 7.2.2 does not sanitise and escape s ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-29205 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-23527 (An out-of-bounds read vulnerability in WLAvalancheService component of ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-20313 (A vulnerability in the OSPF version 2 (OSPFv2) feature of Cisco IOS XE ...) - TODO: check + NOT-FOR-US: Cisco CVE-2023-51478 (Improper Authentication vulnerability in Abdul Hakeem Build App Online ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-26926 (In the Linux kernel, the following vulnerability has been resolved: b ...) - linux [buster] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1409aa55264f4ca7c48e248816fb9cf588ecd2e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1409aa55264f4ca7c48e248816fb9cf588ecd2e4 You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 410bf268 by Moritz Muehlenhoff at 2024-04-25T09:40:17+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -81,11 +81,11 @@ CVE-2024-4069 (A vulnerability, which was classified as critical, was found in K CVE-2024-4066 (A vulnerability classified as critical has been found in Tenda AC8 16. ...) NOT-FOR-US: Tenda CVE-2024-3371 (MongoDB Compass may accept and use insufficiently validated input from ...) - TODO: check + NOT-FOR-US: MongoDB Compass CVE-2024-3261 (The Strong Testimonials WordPress plugin before 3.1.12 does not valida ...) NOT-FOR-US: WordPress plugin CVE-2024-33531 (cdbattags lua-resty-jwt 0.2.3 allows attackers to bypass all JWT-parsi ...) - TODO: check + NOT-FOR-US: lua-resty-jwt CVE-2024-32958 (Cross-Site Request Forgery (CSRF) vulnerability in Giorgos Sarigiannid ...) NOT-FOR-US: WordPress plugin CVE-2024-32956 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) @@ -121,7 +121,7 @@ CVE-2024-32872 (Umbraco workflow provides workflows for the Umbraco content mana CVE-2024-32869 (Hono is a Web application framework that provides support for any Java ...) NOT-FOR-US: Hono CVE-2024-32866 (Conform, a type-safe form validation library, allows the parsing of ne ...) - TODO: check + NOT-FOR-US: Conform CVE-2024-32836 (Unrestricted Upload of File with Dangerous Type vulnerability in WP La ...) NOT-FOR-US: WordPress plugin CVE-2024-32835 (Deserialization of Untrusted Data vulnerability in WebToffee Import Ex ...) 
@@ -226,17 +226,17 @@ CVE-2024-32078 (URL Redirection to Untrusted Site ('Open Redirect') vulnerabilit CVE-2024-32051 (Insertion of sensitive information into log file issue exists in RoamW ...) NOT-FOR-US: RoamWiFi CVE-2024-31616 (An issue discovered in RG-RSR10-01G-T(W)-S and RG-RSR10-01G-T(WA)-S ro ...) - TODO: check + NOT-FOR-US: RG-RSR10-01G-T(W)-S and RG-RSR10-01G-T(WA)-S routers CVE-2024-31406 (Active debug code vulnerability exists in RoamWiFi R10 prior to 4.8.45 ...) NOT-FOR-US: RoamWiFi CVE-2024-30886 (A stored cross-site scripting (XSS) vulnerability in the remotelink fu ...) NOT-FOR-US: HadSky CVE-2024-2972 (The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2404 (The Better Comments WordPress plugin before 1.5.6 does not sanitise an ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2402 (The Better Comments WordPress plugin before 1.5.6 does not sanitise an ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-28977 (Dell Repository Manager, versions 3.4.2 through 3.4.4,contains a Path ...) NOT-FOR-US: Dell CVE-2024-28976 (Dell Repository Manager, versions prior to 3.4.5, contains a Path Trav ...) 
@@ -244,61 +244,61 @@ CVE-2024-28976 (Dell Repository Manager, versions prior to 3.4.5, contains a Pat CVE-2024-28963 (Telemetry Dashboard v1.0.0.7 for Dell ThinOS 2402 contains a sensitive ...) NOT-FOR-US: Dell CVE-2024-28825 (Improper restriction of excessive authentication attempts on some auth ...) - TODO: check + - check-mk CVE-2024-28613 (SQL Injection vulnerability in PHP Task Management System v.1.0 allows ...) NOT-FOR-US: PHP Task Management System CVE-2024-27791 (The issue was addressed with improved checks. This issue is fixed in i ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-27537 REJECTED CVE-2024-27536 REJECTED CVE-2024-23271 (A logic issue was addressed with improved checks. This issue is fixed ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23228 (This issue was addressed through improved state management. This issue ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-20359 (A vulnerability in a legacy capability that allowed for the preloading ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20358 (A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20356 (A vulnerability in the web-based management interface of Cisco Integra ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20353 (A vulnerability in the management and VPN web servers for Cisco Adapti ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20295 (A vulnerability in the CLI of the Cisco Integrated Management Controll ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-1756 (The WooCommerce Customers Manager WordPress plugin before 29.8 does no ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1743 (The WooCommerce Customers Manager WordPress plugin
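Review bot: `- check-mk` for CVE-2024-28825 is the one line in this hunk that marks a Debian source as affected, and it carries no fixed version, bug number or NOTE with the upstream advisory; add a reference so it does not sit as an unexplained open issue among the NOT-FOR-US lines. The hunk is truncated in this notification after CVE-2024-1743, so the remaining changes cannot be reviewed here.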
[Git][security-tracker-team/security-tracker][master] new xpdf issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a3c6d23 by Moritz Muehlenhoff at 2024-04-25T09:35:05+02:00 new xpdf issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26,7 +26,8 @@ CVE-2024-4058 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-4141 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an in ...) - TODO: check + - poppler + NOTE: Might possibly affect poppler, xpdf in Debian uses it CVE-2024-4127 (A vulnerability was found in Tenda W15E 15.11.0.14. It has been classi ...) NOT-FOR-US: Tenda CVE-2024-4126 (A vulnerability was found in Tenda W15E 15.11.0.14 and classified as c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a3c6d2357f046914a4077b8bdc15c4e429b60ea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a3c6d2357f046914a4077b8bdc15c4e429b60ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
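Review bot: `- poppler` for CVE-2024-4141 marks poppler as affected while the NOTE on the next line says it only "might possibly" be affected; until the out-of-bounds write reported for Xpdf 4.05 is confirmed to exist in poppler's code, `- poppler <undetermined> (...)` expresses exactly the uncertainty the NOTE describes, and the NOTE's reason (xpdf in Debian uses poppler) can stay as the justification for the check.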
[Git][security-tracker-team/security-tracker][master] new chromium issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 89dea128 by Moritz Muehlenhoff at 2024-04-24T22:30:40+02:00 new chromium issues - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,3 +1,15 @@ +CVE-2024-4060 + - chromium + [bullseye] - chromium (see #1061268) + [buster] - chromium (see DSA 5046) +CVE-2024-4059 + - chromium + [bullseye] - chromium (see #1061268) + [buster] - chromium (see DSA 5046) +CVE-2024-4058 + - chromium + [bullseye] - chromium (see #1061268) + [buster] - chromium (see DSA 5046) CVE-2024-4141 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an in ...) TODO: check CVE-2024-4127 (A vulnerability was found in Tenda W15E 15.11.0.14. It has been classi ...) = data/dsa-needed.txt = @@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- atril -- +chromium (dilinger) +-- dav1d -- dnsdist (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89dea12856acad42ac395f682dff06d416afb1fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89dea12856acad42ac395f682dff06d416afb1fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
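Review bot: the three new chromium entries (CVE-2024-4060, -4059, -4058) carry `[bullseye]`/`[buster]` annotations but no `[bookworm]` one, so bookworm is shown as affected with no fixed version; that is consistent with the `chromium (dilinger)` line added to dsa-needed.txt in the second hunk, i.e. a bookworm DSA is pending, and with the later "chromium fixed in sid" commit that fills in the unstable version. The description fields are empty because the entries predate the CVE feed import; nothing to change there.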
[Git][security-tracker-team/security-tracker][master] new mysql-connector-python issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ecb2787 by Moritz Muehlenhoff at 2024-04-24T16:07:13+02:00 new mysql-connector-python issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1980,7 +1980,7 @@ CVE-2024-21092 (Vulnerability in the Oracle Agile Product Lifecycle Management f CVE-2024-21091 (Vulnerability in the Oracle Agile Product Lifecycle Management for Pro ...) NOT-FOR-US: Oracle CVE-2024-21090 (Vulnerability in the MySQL Connectors product of Oracle MySQL (compone ...) - TODO: check + - mysql-connector-python CVE-2024-21089 (Vulnerability in the Oracle Concurrent Processing product of Oracle E- ...) NOT-FOR-US: Oracle CVE-2024-21088 (Vulnerability in the Oracle Production Scheduling product of Oracle E- ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ecb2787e891dbbd0a1887b5ca17b06c5329dc28 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ecb2787e891dbbd0a1887b5ca17b06c5329dc28 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
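Review bot: the CVE-2024-21090 hunk replaces `TODO: check` with a bare `- mysql-connector-python` line: no fixed version, no bug number and no NOTE with the Oracle advisory reference. With only the truncated description ("Vulnerability in the MySQL Connectors product of Oracle MySQL (compone ...") in the file, a later reader cannot tell which connector component or version range is affected; consider adding the advisory URL and the fixed upstream release as NOTEs and a bug reference on the package line, as the neighbouring MySQL entries do.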
[Git][security-tracker-team/security-tracker][master] one more vbox issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: aa8a89da by Moritz Muehlenhoff at 2024-04-24T16:02:43+02:00 one more vbox issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1949,7 +1949,7 @@ CVE-2024-21105 (Vulnerability in the Oracle Solaris product of Oracle Systems (c CVE-2024-21104 (Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracl ...) NOT-FOR-US: Oracle CVE-2024-21103 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21102 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 (bug #1069189) CVE-2024-21101 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa8a89da557299d7c42b9dc98d1c0f69e4c019a6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa8a89da557299d7c42b9dc98d1c0f69e4c019a6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
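Review bot: the new `- virtualbox 7.0.16-dfsg-1` line for CVE-2024-21103 gives a fixed version but no bug number and no NOTE reference, unlike the `- mysql-8.0 (bug #1069189)` entry two lines below it in the same hunk. If 7.0.16 is the Oracle release that addresses this CVE, a NOTE naming the upstream advisory would make the fixed-version claim verifiable from the entry; as written it has to be taken on trust.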
[Git][security-tracker-team/security-tracker][master] dcmtk
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f03043c9 by Moritz Muehlenhoff at 2024-04-24T15:55:22+02:00 dcmtk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78,7 +78,10 @@ CVE-2024-2477 (The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-S CVE-2024-28627 (An issue in Flipsnack v.18/03/2024 allows a local attacker to obtain s ...) NOT-FOR-US: Flipsnack CVE-2024-28130 (An incorrect type conversion vulnerability exists in the DVPSSoftcopyV ...) - TODO: check + - dcmtk + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1957 + NOTE: https://github.com/DCMTK/dcmtk/commit/601b227eecaab33a3a3a11dc256d84b1a62f63af + NOTE: https://github.com/DCMTK/dcmtk/commit/7d54f8efec995e5601d089fa17b0625c2b41af23 CVE-2024-21979 (An out of bounds write vulnerability in the AMD Radeon\u2122 user mode ...) NOT-FOR-US: AMD Radeon Windows driver CVE-2024-21972 (An out of bounds write vulnerability in the AMD Radeon\u2122 user mode ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f03043c950fc05c959ca78fb8defa17cd30c508a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f03043c950fc05c959ca78fb8defa17cd30c508a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
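Review bot: the CVE-2024-28130 hunk references two upstream DCMTK fix commits (601b227e and 7d54f8ef) and the Talos report, but the `- dcmtk` line has no fixed version and there are no bookworm/bullseye annotations. Consider stating whether the packaged release contains those commits, either as a fixed version on the package line or with the "Fixed by:" prefix that other NOTEs in data/CVE/list use, and adding the stable-suite triage so the entry does not sit as unfixed in every suite with no severity.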
[Git][security-tracker-team/security-tracker][master] pdns-rec fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dffc98bd by Moritz Muehlenhoff at 2024-04-24T15:40:29+02:00 pdns-rec fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2024-25583 - - pdns-recursor (bug #1069762) + - pdns-recursor 4.9.5-1 (bug #1069762) NOTE: https://www.openwall.com/lists/oss-security/2024/04/24/1 CVE-2024-3154 - cri-o (bug #979702) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dffc98bd40243b5bb5cdf469b3ad11c7cfb79200 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dffc98bd40243b5bb5cdf469b3ad11c7cfb79200 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ac1e8043 by Moritz Muehlenhoff at 2024-04-24T15:06:19+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -68,7 +68,7 @@ CVE-2024-32258 (The network server of fceux 2.7.0 has a path traversal vulnerabi CVE-2024-31804 (An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.2 ...) NOT-FOR-US: Terratec CVE-2024-31208 (Synapse is an open-source Matrix homeserver. A remote Matrix user with ...) - - matrix-synapse + - matrix-synapse (bug #1069763) NOTE: https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v NOTE: https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a (v1.105.1) CVE-2024-30800 (PX4 Autopilot v.1.14 allows an attacker to fly the drone into no-fly z ...) @@ -550,7 +550,7 @@ CVE-2024-21872 (The device allows an unauthenticated attacker to bypass authenti CVE-2024-21846 (An unauthenticated attacker can reset the board and stop transmitter ...) NOT-FOR-US: Electrolink CVE-2024-1681 (corydolphin/flask-cors is vulnerable to log injection when the log lev ...) - - python-flask-cors + - python-flask-cors (bug #1069764) NOTE: https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644 NOTE: https://github.com/corydolphin/flask-cors/issues/349 CVE-2024-1491 (The devices allow access to an unprotected endpoint that allows MPFS ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac1e8043aa4c5c51116bfda1be3737947b1b550c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac1e8043aa4c5c51116bfda1be3737947b1b550c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new pdns-rec issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 02c8b5e8 by Moritz Muehlenhoff at 2024-04-24T14:02:03+02:00 new pdns-rec issue - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2024-25583 + - pdns-recursor (bug #1069762) + NOTE: https://www.openwall.com/lists/oss-security/2024/04/24/1 CVE-2024-3154 - cri-o (bug #979702) CVE-2024-30171 = data/dsa-needed.txt = @@ -48,6 +48,8 @@ opennds/stable -- org-mode -- +pdns-recursor +-- php-cas/oldstable -- php-horde-mime-viewer/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02c8b5e835dd1c9f7672f01364c0cf5b64592dd7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02c8b5e835dd1c9f7672f01364c0cf5b64592dd7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
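Review bot: CVE-2024-25583 is queued in dsa-needed.txt for pdns-recursor, but the CVE entry itself has no [bookworm]/[bullseye] lines and no affected or fixed upstream version; the only reference is the oss-security post. Because the dsa-needed entry has no /stable or /oldstable suffix (compare the neighbouring opennds/stable and php-cas/oldstable lines), it is not clear from the diff which release(s) the DSA is meant for; a NOTE with the version range from the oss-security post would pin that down.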
[Git][security-tracker-team/security-tracker][master] new matrix-synapse issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 149b237f by Moritz Muehlenhoff at 2024-04-24T10:14:52+02:00 new matrix-synapse issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -65,7 +65,9 @@ CVE-2024-32258 (The network server of fceux 2.7.0 has a path traversal vulnerabi CVE-2024-31804 (An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.2 ...) NOT-FOR-US: Terratec CVE-2024-31208 (Synapse is an open-source Matrix homeserver. A remote Matrix user with ...) - TODO: check + - matrix-synapse + NOTE: https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v + NOTE: https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a (v1.105.1) CVE-2024-30800 (PX4 Autopilot v.1.14 allows an attacker to fly the drone into no-fly z ...) NOT-FOR-US: PX4 Autopilot CVE-2024-2477 (The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/149b237f08488a6468c09e0fc736da89b59057b1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/149b237f08488a6468c09e0fc736da89b59057b1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
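Review bot: the CVE-2024-31208 hunk records the upstream fix (commit 55b0aa84, v1.105.1) in a NOTE but leaves the `- matrix-synapse` line without a fixed Debian version, a bug number or bookworm/bullseye triage. A bug reference on the package line is the convention that keeps such entries from being forgotten; consider filing one and noting whether v1.105.1 has reached unstable.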
[Git][security-tracker-team/security-tracker][master] fceux n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d224cdf by Moritz Muehlenhoff at 2024-04-24T10:13:25+02:00 fceux n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -58,7 +58,10 @@ CVE-2024-32658 (FreeRDP is a free implementation of the Remote Desktop Protocol. CVE-2024-32482 (The Tillitis TKey signer device application is an ed25519 signing tool ...) NOT-FOR-US: Tillitis TKey CVE-2024-32258 (The network server of fceux 2.7.0 has a path traversal vulnerability, ...) - TODO: check + - fceux (Vulnerable code never uploaded to the archive) + NOTE: https://github.com/TASEmulators/fceux/issues/727 + NOTE: Introduced in https://github.com/TASEmulators/fceux/commit/798c5a1d9c73b899cdbe3d613c0022588281979f + NOTE: Fixed in https://github.com/TASEmulators/fceux/commit/48b48e7c13be1b949074f42660a33c7ef57135e1 CVE-2024-31804 (An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.2 ...) NOT-FOR-US: Terratec CVE-2024-31208 (Synapse is an open-source Matrix homeserver. A remote Matrix user with ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d224cdf51c23ef3fd4192a22365cbc0c5cc4ac6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d224cdf51c23ef3fd4192a22365cbc0c5cc4ac6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
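Review bot: the fceux entry records both the introducing commit (798c5a1d) and the fixing commit (48b48e7c), which is what justifies the "(Vulnerable code never uploaded to the archive)" annotation, but the parenthetical does not say which packaged version was compared against the introducing commit. Adding that Debian version to the NOTE would make the not-affected conclusion reproducible by the next person who looks at the entry.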
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c5fad303 by Moritz Muehlenhoff at 2024-04-24T10:00:08+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20,7 +20,7 @@ CVE-2024-3665 (The Rank Math SEO with AI SEO Tools plugin for WordPress is vulne CVE-2024-3491 (The Schema & Structured Data for WP & AMP plugin for WordPress is vuln ...) NOT-FOR-US: WordPress plugin CVE-2024-3185 (A key used in logging.json does not follow the least privilege princip ...) - TODO: check + NOT-FOR-US: Rapid7 CVE-2024-33217 (Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based ...) NOT-FOR-US: Tenda CVE-2024-33215 (Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based ...) @@ -56,11 +56,11 @@ CVE-2024-32658 (FreeRDP is a free implementation of the Remote Desktop Protocol. NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vpv3-m3m9-4c2v NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/1a755d898ddc028cc818d0dd9d49d5acff4c44bf (3.5.1) CVE-2024-32482 (The Tillitis TKey signer device application is an ed25519 signing tool ...) - TODO: check + NOT-FOR-US: Tillitis TKey CVE-2024-32258 (The network server of fceux 2.7.0 has a path traversal vulnerability, ...) TODO: check CVE-2024-31804 (An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.2 ...) - TODO: check + NOT-FOR-US: Terratec CVE-2024-31208 (Synapse is an open-source Matrix homeserver. A remote Matrix user with ...) TODO: check CVE-2024-30800 (PX4 Autopilot v.1.14 allows an attacker to fly the drone into no-fly z ...) 
@@ -72,9 +72,9 @@ CVE-2024-28627 (An issue in Flipsnack v.18/03/2024 allows a local attacker to ob CVE-2024-28130 (An incorrect type conversion vulnerability exists in the DVPSSoftcopyV ...) TODO: check CVE-2024-21979 (An out of bounds write vulnerability in the AMD Radeon\u2122 user mode ...) - TODO: check + NOT-FOR-US: AMD Radeon Windows driver CVE-2024-21972 (An out of bounds write vulnerability in the AMD Radeon\u2122 user mode ...) - TODO: check + NOT-FOR-US: AMD Radeon Windows driver CVE-2024-0900 (The Elespare \u2013 Build Your Blog, News & Magazine Websites with Exp ...) NOT-FOR-US: WordPress plugin CVE-2023-47731 (IBM QRadar Suite Software 1.10.12.0 through 1.10.19.0 and IBM Cloud Pa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5fad30314e892f1bb374ad9c1e8441185c47208 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5fad30314e892f1bb374ad9c1e8441185c47208 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
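Review bot: CVE-2024-3185 is marked `NOT-FOR-US: Rapid7`, but the description visible in the hunk ("A key used in logging.json does not follow the least privilege princip ...") names no vendor or product, so the attribution cannot be checked from the entry itself; a NOTE with the advisory URL would make it verifiable. The other NOT-FOR-US changes in this commit (Tillitis TKey, Terratec, AMD Radeon Windows driver) each match the product named in their description and need nothing further.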
[Git][security-tracker-team/security-tracker][master] new cri-o issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 022b80f8 by Moritz Muehlenhoff at 2024-04-24T08:32:49+02:00 new cri-o issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2024-3154 + - cri-o (bug #979702) CVE-2024-30171 - bouncycastle NOTE: https://github.com/bcgit/bc-java/issues/1528 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/022b80f80f8e8aa217be377d16ce2da63097635a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/022b80f80f8e8aa217be377d16ce2da63097635a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
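Review bot: CVE-2024-3154 is added as `- cri-o (bug #979702)` with no description, no fixed version and no NOTE reference. The bug number is far older than the others in this series (#1069xxx), which suggests it is the packaging ITP/RFP bug rather than a newly filed security bug; if cri-o is not in the archive, the entry should use the tracker's ITP marker rather than listing it as an unfixed source package, and a NOTE with the upstream advisory should be added either way.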
[Git][security-tracker-team/security-tracker][master] new bouncycastle issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ca7dae6 by Moritz Muehlenhoff at 2024-04-24T08:31:19+02:00 new bouncycastle issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2024-30171 + - bouncycastle + NOTE: https://github.com/bcgit/bc-java/issues/1528 CVE-2024-4065 (A vulnerability was found in Tenda AC8 16.03.34.09. It has been rated ...) NOT-FOR-US: Tenda CVE-2024-4064 (A vulnerability was found in Tenda AC8 16.03.34.09. It has been declar ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca7dae6e1a52048f1ef961445b86667ca62b54f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca7dae6e1a52048f1ef961445b86667ca62b54f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
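Review bot: CVE-2024-30171 for bouncycastle points only at the upstream issue (bc-java#1528), with no fix commit, no fixed version and no bookworm/bullseye annotations. As written the entry will be reported as unfixed in every suite with no indication of severity; consider adding the fixing commit or release once known and the stable-suite triage lines.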
[Git][security-tracker-team/security-tracker][master] murano removed from sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 26f3ab1f by Moritz Muehlenhoff at 2024-04-23T21:09:10+02:00 murano removed from sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11526,7 +11526,7 @@ CVE-2024-2568 (A vulnerability has been found in heyewei JFinalCMS 5.0.0 and cla CVE-2024-2567 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified ...) NOT-FOR-US: AndroidWeatherApp CVE-2024-29156 (In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, th ...) - - murano (bug #1068459) + - murano (bug #1068459) NOTE: https://bugs.launchpad.net/murano/+bug/2048114 NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0093 NOTE: No fix in Murano, but a change in src:yaql renders this unexploitable: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26f3ab1f3d8909cc876c21786e8f10635521c95f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26f3ab1f3d8909cc876c21786e8f10635521c95f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
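Review bot: the `-`/`+` pair for CVE-2024-29156 reads identically here (`- murano (bug #1068459)` on both lines), so the change the commit title describes ("murano removed from sid") is not visible in this mail. The tracker writes the per-package status keyword in angle brackets on that line, and it appears to have been dropped when the mail was rendered; anyone reading the list archive rather than the repository should check the commit itself. Nothing else in the hunk changes, so no further action on the entry is needed.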
[Git][security-tracker-team/security-tracker][master] salt removed from unstable
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b455aaed by Moritz Muehlenhoff at 2024-04-23T21:08:10+02:00 salt removed from unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39677,7 +39677,7 @@ CVE-2019-25155 (DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks CVE-2015-20110 (JHipster generator-jhipster before 2.23.0 allows a timing attack again ...) NOT-FOR-US: JHipster generator-jhipster CVE-2023-34049 [allows an attacker to force Salt-SSH to run their script] - - salt (bug #1055179) + - salt (bug #1055179) [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security-announcements/2023-10-27-advisory/index.html CVE-2023-5844 (Unverified Password Change in GitHub repository pimcore/admin-ui-class ...) @@ -62051,7 +62051,7 @@ CVE-2023-28370 (Open redirect vulnerability in Tornado versions 6.3.1 and earlie [bookworm] - python-tornado (Minor issue) [bullseye] - python-tornado (Minor issue) [buster] - python-tornado (Minor issue) - - salt (bug #1059297) + - salt (bug #1059297) [buster] - salt (EOL in buster LTS) NOTE: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f (v6.3.2) CVE-2023-27529 (Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) contains an ...) 
@@ -105648,11 +105648,11 @@ CVE-2023-20900 (A malicious actor that has been granted Guest Operation Privile CVE-2023-20899 (VMware SD-WAN (Edge) contains a bypass authentication vulnerability. A ...) NOT-FOR-US: VMware CVE-2023-20898 (Git Providers can read from the wrong environment because they get the ...) - - salt (bug #1051504) + - salt (bug #1051504) [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security-announcements/2023-08-10-advisory/ CVE-2023-20897 (Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. ...) - - salt (bug #1051504) + - salt (bug #1051504) [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security-announcements/2023-08-10-advisory/ NOTE: https://github.com/saltstack/salt/issues/64061 @@ -170263,7 +170263,7 @@ CVE-2022-22968 (In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and NOTE: https://tanzu.vmware.com/security/cve-2022-22968 NOTE: Only supported for building applications shipped in Debian, see README.Debian.security CVE-2022-22967 (An issue was discovered in SaltStack Salt in versions before 3002.9, 3 ...) - - salt (bug #1013872) + - salt (bug #1013872) [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/ NOTE: Fixed by: https://github.com/saltstack/salt/commit/e068a34ccb2e17ae7224f8016a24b727f726d4c8 (v3004.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b455aaedf7f58353495d8c6904cdaf3f149f2f08 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b455aaedf7f58353495d8c6904cdaf3f149f2f08 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
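Review bot: all five salt hunks (CVE-2023-34049, CVE-2023-28370, CVE-2023-20898, CVE-2023-20897, CVE-2022-22967) show `-` and `+` lines that are identical as rendered, so the "removed from unstable" change is invisible in this mail; the angle-bracketed status keyword on the package line is what actually changed and was stripped in rendering. The surrounding context (the "[buster] - salt (EOL in buster LTS)" lines and the NOTE references) is untouched, so the hunks need no change beyond being aware that the archive copy does not show the real diff.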
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 03f7fdcc by Moritz Muehlenhoff at 2024-04-23T13:37:56+02:00 bookworm/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -279,6 +279,7 @@ CVE-2024-32652 (The adapter @hono/node-server allows you to run your Hono applic NOT-FOR-US: @hono/node-server CVE-2024-32650 (Rustls is a modern TLS library written in Rust. `rustls::ConnectionCom ...) - rust-rustls (bug #1069677) + [bookworm] - rust-rustls (Minor issue) NOTE: github.com: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj NOTE: github.com: https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d (v/0.23.5) NOTE: github.com: https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e (v/0.23.5) @@ -4770,6 +4771,7 @@ CVE-2024-2201 [Native Branch History Injection] {DSA-5658-1} - linux - xen + [bookworm] - xen (Minor issue, fix along in next DSA) [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://www.openwall.com/lists/oss-security/2024/04/09/15 @@ -8603,6 +8605,7 @@ CVE-2024-28247 (The Pi-hole is a DNS sinkhole that protects your devices from un NOT-FOR-US: Pi-Hole CVE-2024-28233 (JupyterHub is an open source multi-user server for Jupyter notebooks. ...) - jupyterhub + [bookworm] - jupyterhub (Minor issue) NOTE: https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g NOTE: https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f CVE-2024-27270 (IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is ...) 
@@ -11732,6 +11735,7 @@ CVE-2024-23298 (A logic issue was addressed with improved state management.) NOT-FOR-US: Apple CVE-2024-22513 (djangorestframework-simplejwt version 5.3.1 and before is vulnerable t ...) - python-djangorestframework-simplejwt (bug #1067641) + [bookworm] - python-djangorestframework-simplejwt (Minor issue) NOTE: https://github.com/dmdhrumilmistry/CVEs/tree/main/CVE-2024-22513 CVE-2024-22259 (Applications that use UriComponentsBuilder in Spring Frameworkto parse ...) - libspring-java (unimportant) @@ -50465,11 +50469,10 @@ CVE-2023-40579 (OpenFGA is an authorization/permission engine built for develope NOT-FOR-US: OpenFGA CVE-2023-40577 (Alertmanager handles alerts sent by client applications such as the Pr ...) {DLA-3609-1} - - prometheus-alertmanager 0.26.0+ds-1 (bug #1050558) - [bookworm] - prometheus-alertmanager (Minor issue) - [bullseye] - prometheus-alertmanager (Minor issue) + - prometheus-alertmanager 0.26.0+ds-1 (unimportant; bug #1050558) NOTE: https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j NOTE: https://github.com/prometheus/alertmanager/commit/8b9f2fd20c25e0d1e76aa0b407f7e354996d8e72 (v0.25.1) + NOTE: Debian package doesn't ship the UI CVE-2023-40576 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 (Vulnerable code not present) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x3x5-r7jm-5pq2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03f7fdcca93c5ee671c2241382d8060970e80d55 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03f7fdcca93c5ee671c2241382d8060970e80d55 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
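Review bot: in the CVE-2023-40577 hunk the alertmanager entry is downgraded to "(unimportant; bug #1050558)" and the [bookworm]/[bullseye] "Minor issue" lines are dropped, with the justification "Debian package doesn't ship the UI" added as a NOTE. The entry still carries {DLA-3609-1}, i.e. an LTS update was already issued for it; a short NOTE that the DLA predates this assessment would keep readers from reading the unimportant rating and the DLA as contradictory. The other hunks (rust-rustls, xen, jupyterhub, djangorestframework-simplejwt) only add stable-suite annotations and look fine.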
[Git][security-tracker-team/security-tracker][master] one chromium issue already fixed in earlier updates
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a8cd9768 by Moritz Muehlenhoff at 2024-04-23T13:19:14+02:00 one chromium issue already fixed in earlier updates - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -858,7 +858,7 @@ CVE-2023-4232 (A flaw was found in ofono, an Open Source Telephony on Linux. A s - ofono NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255394 CVE-2024-3914 (Use after free in V8 in Google Chrome prior to 124.0.6367.60 allowed a ...) - - chromium + - chromium 124.0.6367.60-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-3910 (A vulnerability, which was classified as critical, has been found in T ...) = data/DSA/list = @@ -18,7 +18,7 @@ [bullseye] - guix 1.2.0-4+deb11u2 [bookworm] - guix 1.4.0-3+deb12u1 [20 Apr 2024] DSA-5668-1 chromium - security update - {CVE-2024-3832 CVE-2024-3833 CVE-2024-3834 CVE-2024-3837 CVE-2024-3838 CVE-2024-3839 CVE-2024-3840 CVE-2024-3841 CVE-2024-3843 CVE-2024-3844 CVE-2024-3845 CVE-2024-3846 CVE-2024-3847} + {CVE-2024-3832 CVE-2024-3833 CVE-2024-3834 CVE-2024-3837 CVE-2024-3838 CVE-2024-3839 CVE-2024-3840 CVE-2024-3841 CVE-2024-3843 CVE-2024-3844 CVE-2024-3845 CVE-2024-3846 CVE-2024-3847 CVE-2024-3914} [bookworm] - chromium 124.0.6367.60-1~deb12u1 [19 Apr 2024] DSA-5667-1 tomcat9 - security update {CVE-2023-46589 CVE-2024-23672 CVE-2024-24549} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8cd9768d66654c30607321ffa6122cecf0f06ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8cd9768d66654c30607321ffa6122cecf0f06ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new flask-cors issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ac41b4e by Moritz Muehlenhoff at 2024-04-23T12:31:17+02:00 new flask-cors issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -457,7 +457,9 @@ CVE-2024-21872 (The device allows an unauthenticated attacker to bypass authenti CVE-2024-21846 (An unauthenticated attacker can reset the board and stop transmitter ...) NOT-FOR-US: Electrolink CVE-2024-1681 (corydolphin/flask-cors is vulnerable to log injection when the log lev ...) - TODO: check + - python-flask-cors + NOTE: https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644 + NOTE: https://github.com/corydolphin/flask-cors/issues/349 CVE-2024-1491 (The devices allow access to an unprotected endpoint that allows MPFS ...) NOT-FOR-US: Electrolink CVE-2024-1065 (Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ac41b4e03b49d71285707b8895c13cd9eef8833 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ac41b4e03b49d71285707b8895c13cd9eef8833 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
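Review bot: CVE-2024-1681 (log injection in flask-cors) is entered as `- python-flask-cors` with the huntr report and upstream issue #349 as references but no fix commit, fixed version, bug number or severity. Log injection of this kind is usually low impact; consider adding bookworm/bullseye triage lines now and the fix commit once upstream has one, so the entry does not remain an open unfixed item without context.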
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bcddd417 by Moritz Muehlenhoff at 2024-04-23T12:28:02+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -96,7 +96,9 @@ CVE-2024-29376 (Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via t CVE-2024-28717 (An issue in OpenStack Storlets yoga-eom allows a remote attacker to ex ...) NOT-FOR-US: OpenStack Storlets yoga-eom CVE-2024-28699 (A buffer overflow vulnerability in pdf2json v0.70 allows a local attac ...) - TODO: check + NOT-FOR-US: pdf2json + NOTE: pdf2json bundles a 14 year old xpdf release (3.0.2), there's no point in + NOTE: tracking whether this affects src:poppler CVE-2024-28436 (Cross Site Scripting vulnerability in D-Link DAP products DAP-2230, DA ...) NOT-FOR-US: D-Link CVE-2024-22856 (A SQL injection vulnerability via the Save Favorite Search function in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcddd4171491dae7001c3857918e2119481992e1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcddd4171491dae7001c3857918e2119481992e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new quickjs issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 121afe4e by Moritz Muehlenhoff at 2024-04-23T12:23:59+02:00 new quickjs issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47,9 +47,14 @@ CVE-2024-1241 (Watchdog Antivirus v1.6.415 is vulnerable to a Denial of Service CVE-2023-6833 (Insertion of Sensitive Information into Log File vulnerability in Hita ...) NOT-FOR-US: Hitachi CVE-2023-48184 (QuickJS before 7414e5f has a quickjs.h JS_FreeValueRT use-after-free b ...) - TODO: check + - quickjs 2024.01.13-1 + NOTE: https://github.com/bellard/quickjs/issues/198 + NOTE: https://github.com/bellard/quickjs/issues/156 + NOTE: https://github.com/bellard/quickjs/commit/7414e5f67f9a404f3cf91ffa69d0c93bf46d099e CVE-2023-48183 (QuickJS before c4cdd61 has a build_for_in_iterator NULL pointer derefe ...) - TODO: check + - quickjs 2024.01.13-1 + NOTE: https://github.com/bellard/quickjs/issues/192 + NOTE: https://github.com/bellard/quickjs/commit/c4cdd61a3ed284cd760faf6b00bbf0cb908da077 CVE-2024-4040 (VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1. ...) NOT-FOR-US: CrushFTP CVE-2024-4026 (Cross-Site Scripting (XSS) vulnerability in the Holded application. Th ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/121afe4ed6a8101c3be9cfb41a94c205c21286b5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/121afe4ed6a8101c3be9cfb41a94c205c21286b5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 88871c05 by Moritz Muehlenhoff at 2024-04-23T12:18:21+02:00 bookworm/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -200,7 +200,6 @@ CVE-2024-32493 [SQL injection issue regarding Form IDs when cleaning up drafts] NOTE: https://www.znuny.org/en/advisories/zsa-2024-03 CVE-2024-32492 [Cross Site Scripting (XSS) in the Customer Portal Ticket View] - znuny (Only affects Znuny from 7.0.1 up to including 7.0.16) - [bookworm] - znuny (Non-free not supported) NOTE: https://www.znuny.org/en/advisories/zsa-2024-02 CVE-2024-32491 [Directory Traversal via File Upload] - znuny 6.5.8-1 @@ -764,6 +763,8 @@ CVE-2023-41864 (Cross-Site Request Forgery (CSRF) vulnerability in Pepro Dev. Gr NOT-FOR-US: WordPress plugin CVE-2023-3758 (A race condition flaw was found in sssd where the GPO policy is not co ...) - sssd + [bookworm] - sssd (Minor issue) + [bullseye] - sssd (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2223762 NOTE: https://github.com/SSSD/sssd/pull/7302 NOTE: https://github.com/SSSD/sssd/commit/d7db7971682da2dbf7642ac94940d6b0577ec35a (master) @@ -1043,8 +1044,11 @@ CVE-2024-31040 (Buffer Overflow vulnerability in the get_var_integer function in CVE-2024-31031 (An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to cause un ...) - libcoap - libcoap2 + [bullseye] - libcoap2 (Minor issue) - libcoap3 + [bookworm] - libcoap3 (Minor issue) NOTE: https://github.com/obgm/libcoap/issues/1351 + NOTE: https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928 CVE-2024-30990 (SQL Injection vulnerability in the "Invoices" page in phpgurukul Clien ...) NOT-FOR-US: phpgurukul Client Management System CVE-2024-30989 (Cross Site Scripting vulnerability in /edit-client-details.php of phpg ...) 
@@ -2263,6 +2267,8 @@ CVE-2024-3575 (Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb) NOT-FOR-US: mindsdb CVE-2024-3574 (In scrapy version 2.10.1, an issue was identified where the Authorizat ...) - python-scrapy 2.11.1-1 + [bookworm] - python-scrapy (Minor issue) + [bullseye] - python-scrapy (Minor issue) NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv NOTE: https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9 NOTE: https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75 (2.11.1) @@ -2270,6 +2276,8 @@ CVE-2024-3573 (mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to NOT-FOR-US: mlflow CVE-2024-3572 (The scrapy/scrapy project is vulnerable to XML External Entity (XXE) a ...) - python-scrapy 2.11.1-1 + [bookworm] - python-scrapy (Minor issue) + [bullseye] - python-scrapy (Minor issue) NOTE: https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb NOTE: https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f (2.11.1) NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7 @@ -2683,6 +2691,8 @@ CVE-2024-3505 (JFrog Artifactory Self-Hosted versions below 7.77.3, are vulnerab NOT-FOR-US: JFrog Artifactory Self-Hosted CVE-2024-32489 (TCPDF before 6.7.4 mishandles calls that use HTML syntax.) - tcpdf 6.7.4+dfsg-1 + [bookworm] - tcpdf (Minor issue) + [bullseye] - tcpdf (Minor issue) NOTE: Fixed by: https://github.com/tecnickcom/TCPDF/commit/51cd1b39de5643836e62661d162c472d63167df7 NOTE: Fixed by: https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262 (6.7.4) CVE-2024-32488 (In Foxit PDF Reader and Editor before 2024.1, Local Privilege Escalati ...) 
@@ -23530,6 +23540,8 @@ CVE-2024-22922 (An issue in Projectworlds Vistor Management Systemin PHP v.1.0 a NOT-FOR-US: Projectworlds Vistor Management Systemin PHP CVE-2024-22640 (TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denia ...) - tcpdf 6.7.5+dfsg-1 + [bookworm] - tcpdf (Minor issue) + [bullseye] - tcpdf (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2276090 NOTE: https://github.com/zunak/CVE-2024-22640 NOTE: https://github.com/tecnickcom/TCPDF/commit/05f3a28f4a7905019469e040cf77e53d6aa7f679 (6.7.5) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88871c05d500fef5ff492c740b29161b3c507821 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88871c05d500fef5ff492c740b29161b3c507821 You're receiving this email because of
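Review bot: Hunk @@ -200,7 +200,6 @@ drops `[bookworm] - znuny (Non-free not supported)` for CVE-2024-32492 without recording why; the entry itself only states the affected upstream range (7.0.1 up to and including 7.0.16), so either a NOTE line or the commit message should say whether the bookworm version falls outside that range or whether the non-free annotation was simply wrong, otherwise the next triage pass may re-add it.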
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b770f25 by Moritz Muehlenhoff at 2024-04-23T11:15:32+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,51 +1,51 @@ CVE-2024-4031 (Unquoted Search Path or Element vulnerability in Logitech MEVO WEBCAM ...) - TODO: check + NOT-FOR-US: Logitech CVE-2024-3889 (The Royal Elementor Addons and Templates plugin for WordPress is vulne ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3664 (The Quick Featured Images plugin for WordPress is vulnerable to unauth ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3293 (The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32657 (Hydra is a Continuous Integration service for Nix based projects. Atta ...) - TODO: check + NOT-FOR-US: Hydra CVE-2024-32656 (Ant Media Server is live streaming engine software. A local privilege ...) - TODO: check + NOT-FOR-US: Ant Media Server CVE-2024-32653 (jadx is a Dex to Java decompiler. Prior to version 1.5.0, the packag ...) - TODO: check + NOT-FOR-US: jadx CVE-2024-32480 (LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring sy ...) - TODO: check + NOT-FOR-US: LibreNMS CVE-2024-32479 (LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring sy ...) - TODO: check + NOT-FOR-US: LibreNMS CVE-2024-32461 (LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring sy ...) - TODO: check + NOT-FOR-US: LibreNMS CVE-2024-32394 (An issue in ruijie.com/cn RG-RSR10-01G-T(WA)-S RSR_3.0(1)B9P2_RSR10-01 ...) - TODO: check + NOT-FOR-US: ruijie.com/cn CVE-2024-31857 (Forminator prior to 1.15.4 contains a cross-site scripting vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31077 (Forminator prior to 1.29.3 contains a SQL injection vulnerability. If ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31036 (A heap-buffer-overflow vulnerability in the read_byte function in Nano ...) - TODO: check + NOT-FOR-US: NanoMQ CVE-2024-2799 (The Royal Elementor Addons and Templates plugin for WordPress is vulne ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2798 (The Royal Elementor Addons and Templates plugin for WordPress is vulne ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2760 (Bkav Home v7816, build 2403161130 is vulnerable to a Memory Informatio ...) - TODO: check + NOT-FOR-US: Bkac CVE-2024-2493 (Session Hijacking vulnerability in Hitachi Ops Center Analyzer.This is ...) - TODO: check + NOT-FOR-US: Hitachi CVE-2024-29368 (An issue discovered in moziloCMS v2.0 allows attackers to bypass file ...) - TODO: check + NOT-FOR-US: moziloCMS CVE-2024-28890 (Forminator prior to 1.29.0 contains an unrestricted upload of file wit ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-27574 (SQL Injection vulnerability in Trainme Academy version Ichin v.1.3.2 a ...) - TODO: check + NOT-FOR-US: Trainme Academy CVE-2024-21511 (Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrar ...) - TODO: check + NOT-FOR-US: Node mysql2 CVE-2024-1241 (Watchdog Antivirus v1.6.415 is vulnerable to a Denial of Service vulne ...) - TODO: check + NOT-FOR-US: Watchdog Antivirus CVE-2023-6833 (Insertion of Sensitive Information into Log File vulnerability in Hita ...) - TODO: check + NOT-FOR-US: Hitachi CVE-2023-48184 (QuickJS before 7414e5f has a quickjs.h JS_FreeValueRT use-after-free b ...) TODO: check CVE-2023-48183 (QuickJS before c4cdd61 has a build_for_in_iterator NULL pointer derefe ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b770f259ccabac896d8718b266fa14b3b6d1815 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b770f259ccabac896d8718b266fa14b3b6d1815 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
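Review bot: `NOT-FOR-US: Bkac` for CVE-2024-2760 looks like a typo; the CVE description on the same line names the product `Bkav Home`, so the annotation should read `NOT-FOR-US: Bkav`.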
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fc17027b by Moritz Muehlenhoff at 2024-04-23T11:05:09+02:00 bookworm/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -499,6 +499,8 @@ CVE-2023-51793 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 al NOTE: https://trac.ffmpeg.org/ticket/10743 CVE-2023-51792 (Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attac ...) - libde265 1.0.13-1 + [bookworm] - libde265 (Minor issue) + [bullseye] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/427 NOTE: Fixed by: https://github.com/strukturag/libde265/commit/221e767136b8c46c748ae35b79ec9b976b3da301 (v1.0.13) CVE-2023-51791 (Buffer Overflow vulenrability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) 
@@ -11067,11 +11069,14 @@ CVE-2024-24042 (Directory Traversal vulnerability in Devan-Kerman ARRP v.0.8.1 a NOT-FOR-US: Devan-Kerman ARRP CVE-2024-2 (LDAP Account Manager (LAM) is a webfrontend for managing entries store ...) - ldap-account-manager 8.7-1 (bug #1067179) + [bookworm] - ldap-account-manager (Minor issue) + [bullseye] - ldap-account-manager (Minor issue) NOTE: https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-fm9w-7m7v-wxqv CVE-2024-22453 (Dell PowerEdge Server BIOS contains a heap-based buffer overflow vulne ...) NOT-FOR-US: Dell CVE-2024-22412 (ClickHouse is an open-source column-oriented database management syste ...) - clickhouse (bug #1067178) + [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) [buster] - clickhouse (Minor issue; can be fixed in next update) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-45h5-f7g3-gr8r View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc17027b7be61dfc809c1a9ce3f6c19738ace80f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc17027b7be61dfc809c1a9ce3f6c19738ace80f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] openjdk-8 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 505db058 by Moritz Muehlenhoff at 2024-04-23T09:10:20+02:00 openjdk-8 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1803,7 +1803,7 @@ CVE-2024-21095 (Vulnerability in the Primavera P6 Enterprise Project Portfolio M NOT-FOR-US: Oracle CVE-2024-21094 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) {DSA-5672-1 DSA-5671-1 DLA-3793-1} - - openjdk-8 (bug #1069678) + - openjdk-8 8u412-ga-1 (bug #1069678) - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 @@ -1826,7 +1826,7 @@ CVE-2024-21086 (Vulnerability in the Oracle CRM Technical Foundation product of NOT-FOR-US: Oracle CVE-2024-21085 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5671-1 DLA-3793-1} - - openjdk-8 (bug #1069678) + - openjdk-8 8u412-ga-1 (bug #1069678) - openjdk-11 11.0.23+9-1 CVE-2024-21084 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) NOT-FOR-US: Oracle @@ -1862,7 +1862,7 @@ CVE-2024-21069 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-8.0 (bug #1069189) CVE-2024-21068 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) {DSA-5672-1 DSA-5671-1 DLA-3793-1} - - openjdk-8 (bug #1069678) + - openjdk-8 8u412-ga-1 (bug #1069678) - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 
@@ -1983,7 +1983,7 @@ CVE-2024-21012 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Ora - openjdk-21 21.0.3+9-1 CVE-2024-21011 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) {DSA-5672-1 DSA-5671-1 DLA-3793-1} - - openjdk-8 (bug #1069678) + - openjdk-8 8u412-ga-1 (bug #1069678) - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/505db05881ccb71ca32c77de517606256f3ffadc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/505db05881ccb71ca32c77de517606256f3ffadc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 31bf8786 by Moritz Muehlenhoff at 2024-04-22T23:27:47+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,87 +1,87 @@ CVE-2024-4040 (VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1. ...) - TODO: check + NOT-FOR-US: CrushFTP CVE-2024-4026 (Cross-Site Scripting (XSS) vulnerability in the Holded application. Th ...) - TODO: check + NOT-FOR-US: Holded CVE-2024-3645 (The Essential Addons for Elementor Pro plugin for WordPress is vulnera ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32691 (Missing Authorization vulnerability in realmag777 Active Products Tabl ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32688 (Missing Authorization vulnerability in Long Watch Studio MyRewards.Thi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32687 (Missing Authorization vulnerability in WPClever WPC Frequently Bought ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32684 (Missing Authorization vulnerability in Wpmet Wp Ultimate Review.This i ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32682 (Missing Authorization vulnerability in BdThemes Prime Slider \u2013 Ad ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32681 (Missing Authorization vulnerability in BdThemes Prime Slider \u2013 Ad ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32407 (An issue in inducer relate before v.2024.1 allows a remote attacker to ...) - TODO: check + NOT-FOR-US: inducer relate CVE-2024-32405 (Cross Site Scripting vulnerability in inducer relate before v.2024.1 a ...) - TODO: check + NOT-FOR-US: inducer relate CVE-2024-32399 (Directory Traversal vulnerability in RaidenMAILD Mail Server v.4.9.4 a ...) - TODO: check + NOT-FOR-US: RaidenMAILD Mail Server CVE-2024-32368 (Insecure Permission vulnerability in Agasta Sanketlife 2.0 Pocket 12-L ...) - TODO: check + NOT-FOR-US: Agasta Sanketlife CVE-2024-32238 (H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password ...) 
- TODO: check + NOT-FOR-US: H3C ER8300G2-X CVE-2024-32205 REJECTED CVE-2024-31666 (An issue in flusity-CMS v.2.33 allows a remote attacker to execute arb ...) - TODO: check + NOT-FOR-US: flusity-CMS CVE-2024-31545 (Computer Laboratory Management System v1.0 is vulnerable to SQL Inject ...) - TODO: check + NOT-FOR-US: Computer Laboratory Management System CVE-2024-29661 (A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to ...) - TODO: check + NOT-FOR-US: DedeCMS CVE-2024-29376 (Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Pr ...) - TODO: check + NOT-FOR-US: Sylius CVE-2024-28717 (An issue in OpenStack Storlets yoga-eom allows a remote attacker to ex ...) - TODO: check + NOT-FOR-US: OpenStack Storlets yoga-eom CVE-2024-28699 (A buffer overflow vulnerability in pdf2json v0.70 allows a local attac ...) TODO: check CVE-2024-28436 (Cross Site Scripting vulnerability in D-Link DAP products DAP-2230, DA ...) - TODO: check + NOT-FOR-US: D-Link CVE-2024-22856 (A SQL injection vulnerability via the Save Favorite Search function in ...) - TODO: check + NOT-FOR-US: Axefinance Axe Credit Portal CVE-2024-22815 (An issue in the communication protocol of Tormach xsTECH CNC Router, P ...) - TODO: check + NOT-FOR-US: Tormach xsTECH CVE-2024-22813 (An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 all ...) - TODO: check + NOT-FOR-US: Tormach xsTECH CVE-2024-22811 (An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 all ...) - TODO: check + NOT-FOR-US: Tormach xsTECH CVE-2024-22809 (Incorrect access control in Tormach xsTECH CNC Router, PathPilot Contr ...) - TODO: check + NOT-FOR-US: Tormach xsTECH CVE-2024-22808 (An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 all ...) - TODO: check + NOT-FOR-US: Tormach xsTECH CVE-2024-22807 (An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 all ...) 
- TODO: check + NOT-FOR-US: Tormach xsTECH CVE-2023-38302 (A certain software build for the Sharp Rouvo V device (SHARP/VZW_STTM2 ...) - TODO: check + NOT-FOR-US: Sharp CVE-2023-38301 (An issue was discovered in a third-party component related to vendor.g ...) - TODO: check + NOT-FOR-US: vendor.gsm.serial, CVE-2023-38300 (A certain software build for the Orbic Maui device (Orbic/RC545L/RC545 ...) - TODO: check + NOT-FOR-US: Orbic Maui CVE-2023-
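Review bot: `NOT-FOR-US: vendor.gsm.serial,` for CVE-2023-38301 has a stray trailing comma that the other NOT-FOR-US annotations in this hunk do not have; drop it, and since the description calls this a third-party component rather than a product, consider wording the annotation the same way (e.g. `NOT-FOR-US: vendor.gsm.serial component`) so it reads like the neighbouring entries.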
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ef30adf5 by Moritz Muehlenhoff at 2024-04-22T18:51:58+02:00 bookworm/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2505,6 +2505,8 @@ CVE-2024-3774 (aEnrich Technology a+HRD's functionality for front-end retrieval NOT-FOR-US: aEnrich Technology CVE-2024-3772 (Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 all ...) - pydantic 1.10.13-0.1 + [bookworm] - pydantic (Minor issue) + [bullseye] - pydantic (Minor issue) NOTE: https://github.com/pydantic/pydantic/pull/7360 NOTE: https://github.com/pydantic/pydantic/commit/e4393ae6145c4dadff739990bb0116c6dec3441b (v2.4.0) NOTE: https://github.com/pydantic/pydantic/pull/7673 @@ -5188,6 +5190,8 @@ CVE-2024-23592 (An authentication bypass vulnerability was reported in Lenovo de NOT-FOR-US: Lenovo CVE-2024-21506 (Versions of the package pymongo before 4.6.3 are vulnerable to Out-of- ...) - pymongo (bug #1069581) + [bookworm] - pymongo (Minor issue) + [bullseye] - pymongo (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-PYMONGO-6370597 NOTE: https://gist.github.com/keltecc/62a7c2bf74a997d0a7b48a0ff3853a03 CVE-2024-1994 (The Image Watermark plugin for WordPress is vulnerable to unauthorized ...) 
@@ -7853,6 +7857,8 @@ CVE-2024-3039 (A vulnerability classified as critical has been found in Shanghai NOT-FOR-US: Shanghai Brad Technology BladeX CVE-2024-3019 (A flaw was found in PCP. The default pmproxy configuration exposes the ...) - pcp (bug #1068112) + [bookworm] - pcp (Minor issue) + [bullseye] - pcp (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2271898 NOTE: Fixed by: https://github.com/performancecopilot/pcp/commit/3bde240a2acc85e63e2f7813330713dd9b59386e CVE-2024-31140 (In JetBrains TeamCity before 2024.03 server administrators could remov ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef30adf52af159a2b0d2c8e751b0fcbd67983904 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef30adf52af159a2b0d2c8e751b0fcbd67983904 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b3748e5 by Moritz Muehlenhoff at 2024-04-22T16:49:52+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -136,7 +136,7 @@ CVE-2024-32683 (Authorization Bypass Through User-Controlled Key vulnerability i CVE-2024-32652 (The adapter @hono/node-server allows you to run your Hono application ...) NOT-FOR-US: @hono/node-server CVE-2024-32650 (Rustls is a modern TLS library written in Rust. `rustls::ConnectionCom ...) - - rust-rustls + - rust-rustls (bug #1069677) NOTE: github.com: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj NOTE: github.com: https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d (v/0.23.5) NOTE: github.com: https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e (v/0.23.5) @@ -1716,7 +1716,7 @@ CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-21095 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2024-21094 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - - openjdk-8 + - openjdk-8 (bug #1069678) - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 @@ -1738,7 +1738,7 @@ CVE-2024-21087 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-21086 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) NOT-FOR-US: Oracle CVE-2024-21085 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - - openjdk-8 + - openjdk-8 (bug #1069678) - openjdk-11 11.0.23+9-1 CVE-2024-21084 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) NOT-FOR-US: Oracle 
@@ -1773,7 +1773,7 @@ CVE-2024-21070 (Vulnerability in the PeopleSoft Enterprise PeopleTools product o CVE-2024-21069 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 (bug #1069189) CVE-2024-21068 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - - openjdk-8 + - openjdk-8 (bug #1069678) - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 @@ -1892,7 +1892,7 @@ CVE-2024-21012 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Ora - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 CVE-2024-21011 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - - openjdk-8 + - openjdk-8 (bug #1069678) - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 @@ -3510,7 +3510,7 @@ CVE-2023-6916 (Audit records for OpenAPI requests may include sensitive informat CVE-2023-52070 (JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBo ...) NOT-FOR-US: Disputed JFreeChart issue CVE-2023-2794 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - - ofono + - ofono (bug #1069679) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255387 NOTE: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682 NOTE: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b3748e5ed9d52fa24b774406cb5ef50750cfa99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b3748e5ed9d52fa24b774406cb5ef50750cfa99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] openjdk-17 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 10e00d82 by Moritz Mühlenhoff at 2024-04-22T16:11:35+02:00 openjdk-17 DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[22 Apr 2024] DSA-5672-1 openjdk-17 - security update + {CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21094} + [bullseye] - openjdk-17 17.0.11+9-1~deb11u1 + [bookworm] - openjdk-17 17.0.11+9-1~deb12u1 [22 Apr 2024] DSA-5671-1 openjdk-11 - security update {CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094} [bullseye] - openjdk-11 11.0.23+9-1~deb11u1 = data/dsa-needed.txt = @@ -47,8 +47,6 @@ nbconvert/oldstable -- nodejs -- -openjdk-17 (jmm) --- opennds/stable -- org-mode View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10e00d82d45e53ca79d87fabefcd90e400db7382 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10e00d82d45e53ca79d87fabefcd90e400db7382 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a7a1fda4 by Moritz Muehlenhoff at 2024-04-22T15:51:46+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024-27349 + NOT-FOR-US: Apache HugeGraph-Hubble +CVE-2024-27348 + NOT-FOR-US: Apache HugeGraph-Hubble +CVE-2024-27347 + NOT-FOR-US: Apache HugeGraph-Hubble CVE-2024-4022 (A vulnerability was found in Keenetic KN-1010, KN-1410, KN-1711, KN-18 ...) NOT-FOR-US: Keenetic router CVE-2024-4021 (A vulnerability was found in Keenetic KN-1010, KN-1410, KN-1711, KN-18 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7a1fda4da097e201f51b2b705e0b67a02144825 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7a1fda4da097e201f51b2b705e0b67a02144825 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] two ffmpeg upstream fixes
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b37837d by Moritz Muehlenhoff at 2024-04-22T15:19:16+02:00 two ffmpeg upstream fixes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -317,15 +317,19 @@ CVE-2024-1065 (Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver CVE-2024-0671 (Use After Free vulnerability in Arm Ltd Midgard GPU Kernel Driver, Arm ...) NOT-FOR-US: Arm CVE-2023-51798 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) + [experimental] - ffmpeg 7:7.0-1 - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) NOTE: https://trac.ffmpeg.org/ticket/10758 + NOTE: Fixed in https://github.com/ffmpeg/FFmpeg/commit/68146f06f852078866b3ef1564556e3a272920c7 (n7.0) CVE-2023-51797 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) + [experimental] - ffmpeg 7:7.0-1 - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) NOTE: https://trac.ffmpeg.org/ticket/10756 + NOTE: Fixed in https://github.com/ffmpeg/FFmpeg/commit/08bd2cbfeb34717d60ec62bcbaeb7996206df906 (n7.0) CVE-2023-51796 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) [experimental] - ffmpeg 7:7.0-1 - ffmpeg View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b37837d0851441d45e55aef3a51393dddfe5347 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b37837d0851441d45e55aef3a51393dddfe5347 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
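Review bot: Both added `NOTE: Fixed in` lines in hunk @@ -317,15 +317,19 @@ link `github.com/ffmpeg/FFmpeg/commit/...` with a lowercase organisation, whereas the other ffmpeg entries in this file use `github.com/FFmpeg/FFmpeg/commit/...`; GitHub redirects either way, but for consistency with the existing entries (and to keep the file uniform for anyone searching it) use the canonical `FFmpeg/FFmpeg` form.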
[Git][security-tracker-team/security-tracker][master] new ffmpeg issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ad372d31 by Moritz Muehlenhoff at 2024-04-22T15:10:49+02:00 new ffmpeg issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -363,19 +363,47 @@ CVE-2023-51791 (Buffer Overflow vulenrability in Ffmpeg v.N113007-g8d24a28d06 al CVE-2023-50260 (Wazuh is a free and open source platform used for threat prevention, d ...) NOT-FOR-US: Wazuh CVE-2023-50010 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: https://trac.ffmpeg.org/ticket/10702 + NOTE: https://github.com/FFmpeg/FFmpeg/commit/e4d2666bdc3dbd177a81bbf428654a5f2fa3787a (n7.0) CVE-2023-50009 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: https://github.com/FFmpeg/FFmpeg/commit/c443658d26d2b8e19901f9507a890e0efca79056 (n7.0) + NOTE: https://trac.ffmpeg.org/ticket/10699 CVE-2023-50008 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: https://github.com/FFmpeg/FFmpeg/commit/5f87a68cf70dafeab2fb89b42e41a4c29053b89b (n7.0) + NOTE: https://trac.ffmpeg.org/ticket/10701 CVE-2023-50007 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: https://github.com/FFmpeg/FFmpeg/commit/b1942734c7cbcdc9034034373abcc9ecb9644c47 (n7.0) + NOTE: https://trac.ffmpeg.org/ticket/10700 CVE-2023-49963 (DYMO LabelWriter Print Server through 2.366 contains a backdoor hard-c ...) 
NOT-FOR-US: DYMO LabelWriter Print Server CVE-2023-49502 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: https://github.com/FFmpeg/FFmpeg/commit/737ede405b11a37fdd61d19cf25df296a0cb0b75 (n7.0) + NOTE: https://trac.ffmpeg.org/ticket/10688 CVE-2023-49501 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a ...) - TODO: check + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: https://trac.ffmpeg.org/ticket/10686 CVE-2023-49275 (Wazuh is a free and open source platform used for threat prevention, d ...) NOT-FOR-US: Wazuh CVE-2023-47435 (An issue in the verifyPassword function of hexo-theme-matery v2.0.0 al ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad372d31aeb4c0cd6b8d198a07a6079779c3cfc2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad372d31aeb4c0cd6b8d198a07a6079779c3cfc2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
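Review bot: CVE-2023-49501 is the only entry in this patch without an `[experimental] - ffmpeg 7:7.0-1` line and without a fix-commit NOTE, carrying just the trac ticket; if that is because no upstream fix has been identified yet, a short NOTE saying so would make the omission deliberate rather than something the next bookworm/bullseye triage pass has to re-check.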
[Git][security-tracker-team/security-tracker][master] no bugs needed for ffmpeg, usually they all end up in managed releases
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c24d6aef by Moritz Muehlenhoff at 2024-04-22T14:54:44+02:00 no bugs needed for ffmpeg, usually they all end up in managed releases - - - - - 1 changed file: - data/packages/ignored-debian-bug-packages Changes: = data/packages/ignored-debian-bug-packages = @@ -15,3 +15,4 @@ wpewebkit xen gcc-9 gcc-10 +ffmpeg View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c24d6aef845d5612f20e71c025c0041c7444ece3
[Git][security-tracker-team/security-tracker][master] new ffmpeg issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e3399c9 by Moritz Muehlenhoff at 2024-04-22T14:48:58+02:00 new ffmpeg issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -317,19 +317,49 @@ CVE-2024-1065 (Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver CVE-2024-0671 (Use After Free vulnerability in Arm Ltd Midgard GPU Kernel Driver, Arm ...) NOT-FOR-US: Arm CVE-2023-51798 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) - TODO: check + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: https://trac.ffmpeg.org/ticket/10758 CVE-2023-51797 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) - TODO: check + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: https://trac.ffmpeg.org/ticket/10756 CVE-2023-51796 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Vulnerable code not present) + [buster] - ffmpeg (Vulnerable code not present) + NOTE: https://trac.ffmpeg.org/ticket/10753 + NOTE: Fixed in https://github.com/ffmpeg/FFmpeg/commit/61e73851a33f0b4cb7662f8578a4695e77bd3c19 (n7.0) + NOTE: Introduced in https://github.com/FFmpeg/FFmpeg/commit/45dc668aea0edac34969b5a1ff76cf9ad3a09be1 (n5.0) CVE-2023-51795 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Vulnerable code not present) + [buster] - ffmpeg (Vulnerable code not present) + NOTE: https://trac.ffmpeg.org/ticket/10749 + NOTE: Fixed in https://github.com/FFmpeg/FFmpeg/commit/ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 (n7.0) + NOTE: Introduced in https://github.com/FFmpeg/FFmpeg/commit/81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 (n5.1) CVE-2023-51793 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) 
- TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: Fixed in https://github.com/FFmpeg/FFmpeg/commit/0ecc1f0e48930723d7a467761b66850811c23e62 (n7.0) + NOTE: https://trac.ffmpeg.org/ticket/10743 CVE-2023-51792 (Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attac ...) TODO: check CVE-2023-51791 (Buffer Overflow vulenrability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: https://trac.ffmpeg.org/ticket/10738 + NOTE: Fixed in https://github.com/FFmpeg/FFmpeg/commit/fb54c89a0df3d63198678b17d64aef4dbb599109 (n7.0) CVE-2023-50260 (Wazuh is a free and open source platform used for threat prevention, d ...) NOT-FOR-US: Wazuh CVE-2023-50010 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e3399c9b21eb04b7a36dfbe33e08a7a09c14535
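Review bot: CVE-2023-51798 and CVE-2023-51797 carry only trac tickets while every other ffmpeg entry in this patch has a "Fixed in" commit, so their "Pick up when fixed" markers have no fix to track; add the commit or a NOTE that the tickets are still open. In the CVE-2023-51796 entry the "Fixed in" URL uses "github.com/ffmpeg/FFmpeg" (lowercase org) where all the other links use "FFmpeg/FFmpeg"; normalise it so the links match. The "Introduced in" annotations with their tags (n5.0, n5.1) are what justify the bullseye/buster "Vulnerable code not present" markers; recording them this way is what makes the triage checkable later, so keep doing it for the entries that still lack one.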
[Git][security-tracker-team/security-tracker][master] new rustls issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 97b773b8 by Moritz Muehlenhoff at 2024-04-22T14:04:08+02:00 new rustls issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -130,7 +130,12 @@ CVE-2024-32683 (Authorization Bypass Through User-Controlled Key vulnerability i CVE-2024-32652 (The adapter @hono/node-server allows you to run your Hono application ...) NOT-FOR-US: @hono/node-server CVE-2024-32650 (Rustls is a modern TLS library written in Rust. `rustls::ConnectionCom ...) - TODO: check + - rust-rustls + NOTE: github.com: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj + NOTE: github.com: https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d (v/0.23.5) + NOTE: github.com: https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e (v/0.23.5) + NOTE: github.com: https://github.com/rustls/rustls/commit/f45664fbded03d833dffd806503d3c8becd1b71e (v/0.23.5) + NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0336.html CVE-2024-32644 (Evmos is a scalable, high-throughput Proof-of-Stake EVM blockchain tha ...) NOT-FOR-US: Evmos CVE-2024-32478 (Git Credential Manager (GCM) is a secure Git credential helper. Prior ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97b773b80b1227e919829161854c071bef8585c1
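Review bot: the three fixing commits are tagged (v/0.23.5) only, and the rust-rustls line has no fixed Debian version and no [bookworm]/[bullseye] triage, so it is not yet recorded which packaged version is affected or whether an older release branch needs its own backport; add the fixed version once uploaded and the suite markers. The "NOTE: github.com:" prefix on three of the four notes is not used anywhere else in the file; drop it for consistency.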
[Git][security-tracker-team/security-tracker][master] new pytorch issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f700cc5a by Moritz Muehlenhoff at 2024-04-22T13:35:07+02:00 new pytorch issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -87,7 +87,8 @@ CVE-2024-31992 (Mealie is a self hosted recipe manager and meal planner. Prior t CVE-2024-31991 (Mealie is a self hosted recipe manager and meal planner. Prior to 1.4. ...) NOT-FOR-US: Mealie CVE-2024-31584 (Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the ...) - TODO: check + - pytorch + NOTE: https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6 CVE-2024-30974 (SQL Injection vulnerability in autoexpress v.1.3.0 allows attackers to ...) NOT-FOR-US: autoexpress CVE-2024-22905 (Buffer Overflow vulnerability in ARM mbed-os v.6.17.0 allows a remote ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f700cc5a068b214bdb5c7970f26dab3ce585e8c9
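Review bot: the fixing commit for CVE-2024-31584 is listed without the release tag that the other new entries carry (for example "(n7.0)" on the ffmpeg commits); since the description says "before v2.2.0", annotate the commit with the tag it first shipped in so the fixed-version claim is verifiable, and add [bookworm]/[bullseye] triage lines or a fixed version for the pytorch entry instead of leaving it as a bare "- pytorch".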
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 868ccb12 by Moritz Muehlenhoff at 2024-04-22T12:48:59+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,17 +17,17 @@ CVE-2024-32693 (Cross-Site Request Forgery (CSRF) vulnerability in ValvePress Au CVE-2024-32690 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: WordPress plugin CVE-2024-32418 (An issue in flusity CMS v2.33 allows a remote attacker to execute arbi ...) - TODO: check + NOT-FOR-US: flusity CMS CVE-2024-30799 (An issue in PX4 Autopilot v1.14 and before allows a remote attacker to ...) - TODO: check + NOT-FOR-US: PX4 Autopilot CVE-2024-28722 (Cross Site Scripting vulnerability in Innovaphone myPBX v.14r1, v.13r3 ...) - TODO: check + NOT-FOR-US: Innovaphone CVE-2023-7252 (The Tickera WordPress plugin before 3.5.2.5 does not prevent users fr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2018-25101 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: Koha Library Management System CVE-2015-10132 (A vulnerability classified as problematic was found in Thimo Grauerhol ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32041 [OutOfBound Read in zgfx_decompress_segment] - freerdp3 (Fixed with initial upload to Debian unstable) - freerdp2 @@ -89,7 +89,7 @@ CVE-2024-31991 (Mealie is a self hosted recipe manager and meal planner. Prior t CVE-2024-31584 (Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the ...) TODO: check CVE-2024-30974 (SQL Injection vulnerability in autoexpress v.1.3.0 allows attackers to ...) - TODO: check + NOT-FOR-US: autoexpress CVE-2024-22905 (Buffer Overflow vulnerability in ARM mbed-os v.6.17.0 allows a remote ...) NOT-FOR-US: ARM mbed-os CVE-2024-1730 (The Prime Slider \u2013 Addons For Elementor (Revolution of a slider, ...) 
@@ -127,7 +127,7 @@ CVE-2024-3470 (An Improper Privilege Management vulnerability was identified in CVE-2024-32683 (Authorization Bypass Through User-Controlled Key vulnerability in Wpme ...) NOT-FOR-US: WordPress plugin CVE-2024-32652 (The adapter @hono/node-server allows you to run your Hono application ...) - TODO: check + NOT-FOR-US: @hono/node-server CVE-2024-32650 (Rustls is a modern TLS library written in Rust. `rustls::ConnectionCom ...) TODO: check CVE-2024-32644 (Evmos is a scalable, high-throughput Proof-of-Stake EVM blockchain tha ...) @@ -144,7 +144,7 @@ CVE-2024-32409 (An issue in SEMCMS v.4.8 allows a remote attacker to execute arb CVE-2024-32206 (A stored cross-site scripting (XSS) vulnerability in the component \af ...) NOT-FOR-US: WUZHICMS CVE-2024-32166 (Webid v1.2.1 suffers from an Insecure Direct Object Reference (IDOR) - ...) - TODO: check + NOT-FOR-US: Webid CVE-2024-32038 (Wazuh is a free and open source platform used for threat prevention, d ...) NOT-FOR-US: Wazuh CVE-2024-31846 (An issue was discovered in Italtel Embrace 1.6.4. The web application ...) 
@@ -235,13 +235,13 @@ CVE-2024-29957 (When Brocade SANnav before v2.3.1 and v2.3.0a servers are config CVE-2024-29204 (A Heap Overflow vulnerability in WLAvalancheService component of Ivant ...) NOT-FOR-US: Ivanti CVE-2024-29183 (OpenRASP is a RASP solution that directly integrates its protection en ...) - TODO: check + NOT-FOR-US: OpenRASP CVE-2024-29030 (memos is a privacy-first, lightweight note-taking service. In memos 0. ...) - TODO: check + NOT-FOR-US: memos CVE-2024-29029 (memos is a privacy-first, lightweight note-taking service. In memos 0. ...) - TODO: check + NOT-FOR-US: memos CVE-2024-29028 (memos is a privacy-first, lightweight note-taking service. In memos 0. ...) - TODO: check + NOT-FOR-US: memos CVE-2024-27984 (A Path Traversal vulnerability in web component of Ivanti Avalanche be ...) NOT-FOR-US: Ivanti CVE-2024-27978 (A Null Pointer Dereference vulnerability in WLAvalancheService compone ...) @@ -307,9 +307,9 @@ CVE-2024-1681 (corydolphin/flask-cors is vulnerable to log injection when the lo CVE-2024-1491 (The devices allow access to an unprotected endpoint that allows MPFS ...) NOT-FOR-US: Electrolink CVE-2024-1065 (Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm ...) - TODO: check + NOT-FOR-US: Arm CVE-2024-0671 (Use After Free vulnerability in Arm Ltd Midgard GPU Kernel Driver, Arm ...) - TODO: check + NOT-FOR-US: Arm CVE-2023-51798 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) TODO: check CVE-2023-51797 (Buffer
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cb445d82 by Moritz Muehlenhoff at 2024-04-22T11:02:14+02:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -54,12 +54,15 @@ CVE-2024-32460 [Low] OutOfBound Read in interleaved_decompress] NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release CVE-2024-32493 [SQL injection issue regarding Form IDs when cleaning up drafts] - znuny 6.5.8-1 + [bookworm] - znuny (Non-free not supported) NOTE: https://www.znuny.org/en/advisories/zsa-2024-03 CVE-2024-32492 [Cross Site Scripting (XSS) in the Customer Portal Ticket View] - znuny (Only affects Znuny from 7.0.1 up to including 7.0.16) + [bookworm] - znuny (Non-free not supported) NOTE: https://www.znuny.org/en/advisories/zsa-2024-02 CVE-2024-32491 [Directory Traversal via File Upload] - znuny 6.5.8-1 + [bookworm] - znuny (Non-free not supported) NOTE: https://www.znuny.org/en/advisories/zsa-2024-01 CVE-2024-4020 (A vulnerability was found in Tenda FH1206 1.2.0.8(8155) and classified ...) NOT-FOR-US: Tenda @@ -3676,9 +3679,13 @@ CVE-2024-3210 (The Paid Membership Plugin, Ecommerce, User Registration Form, Lo NOT-FOR-US: WordPress plugin CVE-2024-3120 (A stack-buffer overflow vulnerability exists in all versions of sngrep ...) - sngrep 1.8.1-1 (bug #1068818) + [bookworm] - sngrep (Minor issue) + [bullseye] - sngrep (Minor issue) NOTE: https://github.com/irontec/sngrep/commit/f3f8ed8ef38748e6d61044b39b0dabd7e37c6809 (v1.8.1) CVE-2024-3119 (A buffer overflow vulnerability exists in all versions of sngrep since ...) - sngrep 1.8.1-1 (bug #1068818) + [bookworm] - sngrep (Minor issue) + [bullseye] - sngrep (Minor issue) NOTE: https://github.com/irontec/sngrep/commit/dd5fec92730562af6f96891291cd4e102b80bfcc (v1.8.1) CVE-2024-3020 (The plugin is vulnerable to PHP Object Injection in versions up to and ...) NOT-FOR-US: WordPress plugin 
@@ -4530,6 +4537,7 @@ CVE-2024-2201 [Native Branch History Injection] NOTE: https://xenbits.xen.org/xsa/advisory-456.html CVE-2024-31142 [x86: Incorrect logic for BTC/SRSO mitigations] - xen + [bookworm] - xen (Minor issue, fix along in next DSA) [bullseye] - xen (EOLed in Bullseye) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-455.html @@ -5055,6 +5063,7 @@ CVE-2024-22328 (IBM Maximo Application Suite 8.10 and 8.11 could allow a remote NOT-FOR-US: IBM CVE-2024- [RUSTSEC-2024-0332: Degradation of service in h2 servers with CONTINUATION Flood] - rust-h2 0.4.4-1 + [bookworm] - rust-h2 (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0332.html NOTE: https://github.com/advisories/GHSA-q6cp-qfwq-4gcv CVE-2024-3362 (A vulnerability was found in SourceCodester Online Library System 1.0 ...) @@ -24250,6 +24259,7 @@ CVE-2020-36771 (CloudLinux CageFS 7.1.1-1 or below passes the authentication tok NOT-FOR-US: CloudLinux CageFS CVE-2023-46842 [x86 HVM hypercalls may trigger Xen bug check] - xen + [bookworm] - xen (Minor issue, fix along in next DSA) [bullseye] - xen (EOLed in Bullseye) [buster] - xen (Vulnerable code not present) NOTE: https://xenbits.xen.org/xsa/advisory-454.html @@ -39975,6 +39985,8 @@ CVE-2023-46345 (Catdoc v0.95 was discovered to contain a NULL pointer dereferenc CVE-2023-46233 (crypto-js is a JavaScript library of crypto standards. Prior to versio ...) {DLA-3669-1} - cryptojs 3.1.2+dfsg-4 (bug #1055525) + [bookworm] - cryptojs (Minor issue) + [bullseye] - cryptojs (Minor issue) NOTE: https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf NOTE: https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a (4.2.0) CVE-2023-46232 (era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer ...) = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- atril -- -cryptojs --- dav1d -- dnsdist (jmm) 
@@ -71,7 +69,7 @@ python-asyncssh -- redmine/stable -- -ring +ring/oldstable might make sense to rebase to current version -- ruby2.7/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb445d829db44c592501aed8473cc3b35d1e76b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb445d829db44c592501aed8473cc3b35d1e76b7 You're receiving this email because of your account
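Review bot: the rust-h2 entry (still filed under the placeholder "CVE-2024-" id for RUSTSEC-2024-0332) gains a [bookworm] marker but no [bullseye] line, unlike every other entry in this commit, which marks both suites; either add the bullseye triage or record that bullseye does not ship the package. The xen entries now say "Minor issue, fix along in next DSA" for bookworm, which is a useful pointer, but it only holds if the next xen DSA actually lists CVE-2024-31142 and CVE-2023-46842 in its braces line; a reminder in dsa-needed.txt would keep that from being forgotten.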
[Git][security-tracker-team/security-tracker][master] openjdk-11 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e81da1de by Moritz Mühlenhoff at 2024-04-22T10:26:25+02:00 openjdk-11 DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[22 Apr 2024] DSA-5671-1 openjdk-11 - security update + {CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094} + [bullseye] - openjdk-11 11.0.23+9-1~deb11u1 [22 Apr 2024] DSA-5670-1 thunderbird - security update {CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864} [bullseye] - thunderbird 1:115.10.1-1~deb11u1 = data/dsa-needed.txt = @@ -49,8 +49,6 @@ nbconvert/oldstable -- nodejs -- -openjdk-11 (jmm) --- openjdk-17 (jmm) -- opennds/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e81da1dedf86fba2e7423fe9871701014ee07852
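Review bot: the new DSA-5671-1 entry lists only a [bullseye] line while the neighbouring thunderbird DSA lists both suites; that is correct only if bookworm does not ship openjdk-11, so confirm it rather than leaving the asymmetry implicit. The braces line with the five CVEs is present here, which is what the thunderbird entry committed earlier the same morning was missing; the dsa-needed.txt removal of "openjdk-11 (jmm)" matches the DSA, and openjdk-17 correctly stays listed.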
[Git][security-tracker-team/security-tracker][master] fix CVE list
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 803a517e by Moritz Mühlenhoff at 2024-04-22T09:30:01+02:00 fix CVE list - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,4 +1,5 @@ [22 Apr 2024] DSA-5670-1 thunderbird - security update + {CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864} [bullseye] - thunderbird 1:115.10.1-1~deb11u1 [bookworm] - thunderbird 1:115.10.1-1~deb12u1 [22 Apr 2024] DSA-5669-1 guix - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/803a517ed9e5fc212971b512a2bddd2fc45da78d
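Review bot: this restores the braces line that DSA-5670-1 was committed without; the tracker links CVEs to a DSA through that line, so until this fix the eight thunderbird CVEs were not resolved for bullseye/bookworm by the advisory. A pre-push check that rejects a data/DSA/list entry whose first indented line is a suite line rather than a {CVE-…} line would have caught the omission before it reached master.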
[Git][security-tracker-team/security-tracker][master] guix/thunderbird DSAs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f7e52b3b by Moritz Mühlenhoff at 2024-04-22T09:14:16+02:00 guix/thunderbird DSAs - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -12824,8 +12824,6 @@ CVE-2024-27900 (Due to missing authorization check, attacker with business user NOT-FOR-US: SAP CVE-2024-27297 (Nix is a package manager for Linux and other Unix systems. A fixed-out ...) - guix 1.4.0-6 (bug #1066113) - [bookworm] - guix (Minor issue) - [bullseye] - guix (Minor issue) - nix (bug #1066812) [bookworm] - nix (Minor issue) [bullseye] - nix (Minor issue) = data/DSA/list = @@ -1,3 +1,10 @@ +[22 Apr 2024] DSA-5670-1 thunderbird - security update + [bullseye] - thunderbird 1:115.10.1-1~deb11u1 + [bookworm] - thunderbird 1:115.10.1-1~deb12u1 +[22 Apr 2024] DSA-5669-1 guix - security update + {CVE-2024-27297} + [bullseye] - guix 1.2.0-4+deb11u2 + [bookworm] - guix 1.4.0-3+deb12u1 [20 Apr 2024] DSA-5668-1 chromium - security update {CVE-2024-3832 CVE-2024-3833 CVE-2024-3834 CVE-2024-3837 CVE-2024-3838 CVE-2024-3839 CVE-2024-3840 CVE-2024-3841 CVE-2024-3843 CVE-2024-3844 CVE-2024-3845 CVE-2024-3846 CVE-2024-3847} [bookworm] - chromium 124.0.6367.60-1~deb12u1 = data/dsa-needed.txt = @@ -33,9 +33,6 @@ glibc (carnil) -- gpac/oldstable -- -guix (jmm) - Maintainer has proposed to handle this as DSA, proposed debdiffs --- h2o (jmm) -- less (carnil) 
@@ -99,8 +96,6 @@ salt/oldstable -- squid -- -thunderbird (jmm) --- webkit2gtk (berto) -- wpa View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7e52b3ba0c27a2f06be639da04d8320e75d32d2
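Review bot: the DSA-5670-1 thunderbird entry is added without a {CVE-…} line while the guix entry directly below it has one; without it the tracker cannot tie the thunderbird CVEs to the DSA, which is what the follow-up "fix CVE list" commit had to repair. Dropping the [bookworm]/[bullseye] "Minor issue" lines for guix under CVE-2024-27297 in the same commit as the DSA is the right order, since a Minor issue marker left behind would contradict the advisory; the nix lines for the same CVE are untouched and still carry their Minor issue markers, which is consistent with only guix having been fixed.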
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 23a75858 by Moritz Muehlenhoff at 2024-04-21T19:59:55+02:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -3098,6 +3098,8 @@ CVE-2024-3568 (The huggingface/transformers library is vulnerable to arbitrary c NOT-FOR-US: huggingface/transformers CVE-2024-3567 (A flaw was found in QEMU. An assertion failure was present in the upda ...) - qemu (bug #1068822) + [bookworm] - qemu (Minor issue) + [bullseye] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274339 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2273 CVE-2024-3566 (A command inject vulnerability allows an attacker to perform command i ...) @@ -3519,6 +3521,8 @@ CVE-2024-26815 (In the Linux kernel, the following vulnerability has been resolv NOTE: https://git.kernel.org/linus/343041b59b7810f9cdca371f445dd43b35c740b1 (6.9-rc1) CVE-2024-3447 - qemu (bug #1068821) + [bookworm] - qemu (Minor issue) + [bullseye] - qemu (Minor issue) NOTE: https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/ NOTE: https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813 @@ -3680,6 +3684,8 @@ CVE-2024-3512 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for Wo NOT-FOR-US: WordPress plugin CVE-2024-3446 (A double free vulnerability was found in QEMU virtio devices (virtio-g ...) - qemu (bug #1068820) + [bookworm] - qemu (Minor issue) + [bullseye] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274211 NOTE: https://patchew.org/QEMU/20240409105537.18308-1-phi...@linaro.org/ CVE-2024-3281 (A vulnerability was discovered in the firmware builds after 8.0.2.3267 ...) 
@@ -4442,6 +4448,8 @@ CVE-2024-31365 (Improper Neutralization of Input During Web Page Generation ('Cr NOT-FOR-US: WordPress plugin CVE-2024-31047 (An issue in Academy Software Foundation openexr v.3.2.3 and before all ...) - openexr (bug #1068939) + [bookworm] - openexr (Minor issue) + [bullseye] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1680 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1681 NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/7aa89e1d09b09d9f5dbb96976ee083a331ab9d71 
@@ -23398,27 +23406,39 @@ CVE-2023-52355 (An out-of-memory flaw was found in libtiff that could be trigger NOTE: Issue fixed by providing a documentation update CVE-2023-40551 (A flaw was found in the MZ binary format in Shim. An out-of-bounds rea ...) - shim (bug #1061519) + [bookworm] - shim (Minor issue, fix with a point release) + [bullseye] - shim (Minor issue, fix with a point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259918 NOTE: https://github.com/rhboot/shim/commit/5a5147d1e19cf90ec280990c84061ac3f67ea1ab (15.8) CVE-2023-40550 (An out-of-bounds read flaw was found in Shim when it tried to validate ...) - shim (bug #1061519) + [bookworm] - shim (Minor issue, fix with a point release) + [bullseye] - shim (Minor issue, fix with a point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259915 NOTE: https://github.com/rhboot/shim/commit/93ce2552f3e9f71f888a672913bfc0eef255c56d (15.8) NOTE: Followup: https://github.com/rhboot/shim/commit/e7f5fdf53ee68025f3ef2688e2f27ccb0082db83 (15.8) CVE-2023-40549 (An out-of-bounds read flaw was found in Shim due to the lack of proper ...) - shim (bug #1061519) + [bookworm] - shim (Minor issue, fix with a point release) + [bullseye] - shim (Minor issue, fix with a point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241797 NOTE: https://github.com/rhboot/shim/commit/afdc5039de0a4a3a40162a32daa070f94a883f09 (15.8) CVE-2023-40548 (A buffer overflow was found in Shim in the 32-bit system. The overflow ...) - shim (bug #1061519) + [bookworm] - shim (Minor issue, fix with a point release) + [bullseye] - shim (Minor issue, fix with a point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241782 NOTE: https://github.com/rhboot/shim/commit/96dccc255b16e9465dbee50b3cef6b3db74d11c8 (15.8) CVE-2023-40547 (A remote code execution vulnerability was found in Shim. The Shim boot ...) 
- shim (bug #1061519) + [bookworm] - shim (Minor issue, fix with a point release) + [bullseye] - shim (Minor issue, fix with a point release) NOTE: https
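Review bot: CVE-2023-40547 is described as remote code execution in Shim, yet it receives the same "Minor issue, fix with a point release" marker as the four out-of-bounds read entries; if that rating rests on a precondition for reaching the vulnerable path, record the reasoning in a NOTE so the point-release decision can be revisited if the precondition changes. The three qemu entries reference bugs and patchew threads but no fixed upstream version, so their "Minor issue" markers have no fix to point at yet; adding the merged commit once it lands keeps them checkable.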
[Git][security-tracker-team/security-tracker][master] putty issue also affects filezilla
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 697ad5f9 by Moritz Mühlenhoff at 2024-04-21T17:00:39+02:00 putty issue also affects filezilla - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -2059,6 +2059,9 @@ CVE-2023-3597 NOT-FOR-US: Keycloak CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation ...) - putty 0.81-1 + - filezilla 3.67.0-1 + [bookworm] - filezilla (Minor issue) + [bullseye] - filezilla (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/04/15/6 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html CVE-2024-3804 (A vulnerability, which was classified as critical, has been found in V ...) = data/next-point-update.txt = @@ -112,3 +112,5 @@ CVE-2024-23944 [bookworm] - zookeeper 3.8.0-11+deb12u2 CVE-2024-24814: [bookworm] - libapache2-mod-auth-openidc 2.4.12.3-2+deb12u1 +CVE-2024-31497 + [bookworm] - filezilla 3.63.0-1+deb12u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/697ad5f9138d454a32239e9dbbde4cacc5f717e5
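Review bot: bullseye is marked "filezilla (Minor issue)" in data/CVE/list, but data/next-point-update.txt only gains a [bookworm] entry (3.63.0-1+deb12u4); add the matching bullseye version or a note on why bullseye is not scheduled, otherwise the two files disagree about what happens in oldstable. Listing "putty 0.81-1" and "filezilla 3.67.0-1" under the single CVE-2024-31497 id is correct for a shared-code issue, but a NOTE naming the bundled component (the commit message only says the issue "also affects filezilla") would tell a reader why a file transfer client appears under a PuTTY nonce-bias CVE.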
[Git][security-tracker-team/security-tracker][master] flatpak DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2dfcbcb4 by Moritz Mühlenhoff at 2024-04-19T19:35:14+02:00 flatpak DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[19 Apr 2024] DSA-5666-1 flatpak - security update + {CVE-2024-32462} + [bullseye] - flatpak 1.10.8-0+deb11u2 + [bookworm] - flatpak 1.14.4-1+deb12u1 [17 Apr 2024] DSA-5665-1 tomcat10 - security update {CVE-2023-46589 CVE-2024-23672 CVE-2024-24549} [bookworm] - tomcat10 10.1.6-1+deb12u2 = data/dsa-needed.txt = @@ -26,8 +26,6 @@ emacs -- expat (carnil) -- -flatpak (jmm) --- frr -- glibc (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dfcbcb46a0f1611be37c692945c063719038e63
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b181450 by Moritz Muehlenhoff at 2024-04-19T15:23:58+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1270,7 +1270,7 @@ CVE-2024-21100 (Vulnerability in the Oracle Commerce Platform product of Oracle CVE-2024-21099 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2024-21098 (Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-21097 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) @@ -1501,7 +1501,7 @@ CVE-2024-20990 (Vulnerability in the Oracle Applications Technology product of O CVE-2024-20989 (Vulnerability in the Oracle Hospitality Simphony product of Oracle Foo ...) NOT-FOR-US: Oracle CVE-2024-20954 (Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-1357 (The Shortcodes and extra features for Phlox theme plugin for WordPress ...) NOT-FOR-US: WordPress plugin CVE-2024-1219 (The Easy Social Feed WordPress plugin before 6.5.6 does not validate ...) 
@@ -6188,7 +6188,7 @@ CVE-2024-2322 (The WooCommerce Cart Abandonment Recovery WordPress plugin before CVE-2024-29734 (Uncontrolled search path element issue exists in SonicDICOM Media View ...) NOT-FOR-US: SonicDICOM Media Viewer CVE-2024-29733 - - airflow (bug #819700) + NOT-FOR-US: Airflow FTP provider CVE-2024-29434 (An issue in the system image upload interface of Alldata v0.4.6 allows ...) NOT-FOR-US: Alldata CVE-2024-29432 (Alldata v0.4.6 was discovered to contain a SQL injection vulnerability ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b181450d83981c79e9b143b89b4ebd2ed749df9
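Review bot: the two Oracle GraalVM entries (CVE-2024-21098, CVE-2024-20954) are closed as NOT-FOR-US: Oracle on the strength of a truncated description; Oracle's advisory text typically names Java SE alongside GraalVM when both are affected, so confirm the full description lists only GraalVM products before closing these, since a Java SE issue would map to the openjdk packages instead. For CVE-2024-29733 the entry flips from "- airflow (bug #819700)" to "NOT-FOR-US: Airflow FTP provider" with no description on the CVE line; a NOTE with the upstream advisory would make that reversal reviewable later.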
[Git][security-tracker-team/security-tracker][master] new sssd issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fc09672 by Moritz Muehlenhoff at 2024-04-19T11:26:45+02:00 new sssd issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -191,7 +191,9 @@ CVE-2023-47843 (Improper Limitation of a Pathname to a Restricted Directory ('Pa CVE-2023-41864 (Cross-Site Request Forgery (CSRF) vulnerability in Pepro Dev. Group Pe ...) NOT-FOR-US: WordPress plugin CVE-2023-3758 (A race condition flaw was found in sssd where the GPO policy is not co ...) - TODO: check + - sssd + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2223762 + NOTE: https://github.com/SSSD/sssd/pull/7302 CVE-2023-3675 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) NOT-FOR-US: Secomea GateManager CVE-2024- [tryton zipbomb DoS] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fc0967274aa4b1a954a8614ce9d64b23c2c213c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fc0967274aa4b1a954a8614ce9d64b23c2c213c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
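Review bot: the new CVE-2023-3758 entry records "- sssd" with no fixed version, no bug number and no [bookworm]/[bullseye] annotation, so the tracker will show the GPO race condition as open in every suite with nothing saying whether a fix has been uploaded or which upstream release carries PR 7302; other entries in this digest tag the upstream fix with the release it landed in, as in "(v2.4.15.2)" for mod_auth_openidc. Suggest adding "(bug #NNN)" once filed, the release tag on the PR NOTE, and a suite annotation.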
[Git][security-tracker-team/security-tracker][master] black fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1112658e by Moritz Muehlenhoff at 2024-04-19T10:23:16+02:00 black fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10429,7 +10429,7 @@ CVE-2024-22412 (ClickHouse is an open-source column-oriented database management CVE-2024-21504 (Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 ...) NOT-FOR-US: livewire CVE-2024-21503 (Versions of the package black before 24.3.0 are vulnerable to Regular ...) - - black (bug #1067177) + - black 24.4.0-1 (bug #1067177) [bookworm] - black (Minor issue) [bullseye] - black (Minor issue) [buster] - black (Minor issue; can be fixed in next update) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1112658e56a0959bd58f4630e35caaf937a48dd4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1112658e56a0959bd58f4630e35caaf937a48dd4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
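Review bot: the fixed version 24.4.0-1 matches the description's "before 24.3.0" bound, but the entry still has no NOTE with the upstream fix commit or advisory for the regular-expression issue, which the bookworm, bullseye and buster "(Minor issue)" lines will need when the fix is backported; consider adding the upstream reference alongside the bug number.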
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 45fd8b11 by Moritz Muehlenhoff at 2024-04-19T10:22:16+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -107,15 +107,15 @@ CVE-2024-32552 (Improper Neutralization of Input During Web Page Generation ('Cr CVE-2024-32551 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2024-32477 (Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure ...) - TODO: check + NOT-FOR-US: Deno CVE-2024-32475 (Envoy is a cloud-native, open source edge and service proxy. When an u ...) - envoyproxy (bug #987544) CVE-2024-32474 (Sentry is an error tracking and performance monitoring platform. Prior ...) NOT-FOR-US: Sentry CVE-2024-32470 (Tolgee is an open-source localization platform. When API key created b ...) - TODO: check + NOT-FOR-US: Tolgee CVE-2024-32466 (Tolgee is an open-source localization platform. For the `/v2/projects/ ...) - TODO: check + NOT-FOR-US: Tolgee CVE-2024-32462 (Flatpak is a system for building, distributing, and running sandboxed ...) - flatpak 1.14.6-1 NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5 
@@ -145,55 +145,55 @@ CVE-2024-32126 (Improper Neutralization of Input During Web Page Generation ('Cr CVE-2024-31229 (Server-Side Request Forgery (SSRF) vulnerability in Really Simple Plug ...) NOT-FOR-US: WordPress plugin CVE-2024-30564 (An issue inandrei-tatar nora-firebase-common between v.1.0.41 and v.1. ...) - TODO: check + NOT-FOR-US: nora-firebase-common CVE-2024-30257 (1Panel is an open source Linux server operation and maintenance manage ...) - TODO: check + NOT-FOR-US: 1Panel CVE-2024-2833 (The Jobs for WordPress plugin for WordPress is vulnerable to Reflected ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2796 (A server-side request forgery (SSRF) was discovered in the Akana Commu ...) - TODO: check + NOT-FOR-US: Akana Community Manager Developer Portal CVE-2024-29987 (Microsoft Edge (Chromium-based) Information Disclosure Vulnerability) - TODO: check + NOT-FOR-US: Microsoft CVE-2024-29986 (Microsoft Edge for Android (Chromium-based) Information Disclosure Vul ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2024-29021 (Judge0 is an open-source online code execution system. The default con ...) - TODO: check + NOT-FOR-US: Judge0 CVE-2024-29003 (The SolarWinds Platform was susceptible to a XSS vulnerability that af ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2024-29001 (A SolarWinds Platform SWQL Injection Vulnerability was identified in t ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2024-28189 (Judge0 is an open-source online code execution system. The application ...) - TODO: check + NOT-FOR-US: Judge0 CVE-2024-28185 (Judge0 is an open-source online code execution system. The application ...) - TODO: check + NOT-FOR-US: Judge0 CVE-2024-28076 (The SolarWinds Platform was susceptible to a Arbitrary Open Redirectio ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2024-27306 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) 
TODO: check CVE-2024-24910 (A local attacker can escalate privileges on affected Check Point ZoneA ...) - TODO: check + NOT-FOR-US: Check Point CVE-2024-23557 (HCL Connections contains a user enumeration vulnerability. Certain act ...) - TODO: check + NOT-FOR-US: HCL CVE-2024-20380 (A vulnerability in the HTML parser of ClamAV could allow an unauthenti ...) TODO: check CVE-2023-6897 (The EAN for WooCommerce plugin for WordPress is vulnerable to Insecure ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6892 (The EAN for WooCommerce plugin for WordPress is vulnerable to Stored C ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50885 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49768 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49742 (Missing Authorization vulnerability in Support Genix.This issue affect ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47843 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-41864 (Cross-Site Request Forgery (CSRF) vulnerability in Pepro Dev. Group Pe ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3758
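Review bot: the sweep leaves two context entries at "TODO: check" that name software packaged in Debian: CVE-2024-27306 (aiohttp, at the end of the preceding hunk) and CVE-2024-20380 (the ClamAV HTML parser, reachable by an unauthenticated party per its description); neither can become a NOT-FOR-US, and both should get a package line (python-aiohttp, clamav) with a NOTE rather than stay behind the NFU batch.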
[Git][security-tracker-team/security-tracker][master] new tryton issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 639a8e6b by Moritz Muehlenhoff at 2024-04-18T20:57:09+02:00 new tryton issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024- [tryton zipbomb DoS] + - tryton-server 6.0.45-1 + [bookworm] - tryton-server (Minor issue) + [bullseye] - tryton-server (Minor issue) + NOTE: https://discuss.tryton.org/t/security-release-for-issue-13142/7196 + NOTE: https://foss.heptapod.net/tryton/tryton/-/issues/13142 CVE-2024-3246 - flatpak NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/639a8e6b8d57ab9a8cc7a57d2202c0419eb3e122 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/639a8e6b8d57ab9a8cc7a57d2202c0419eb3e122 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
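Review bot: the new entry uses the placeholder ID "CVE-2024-" with a bracketed description, so it must be replaced with the assigned CVE once one exists or the tracker will carry an unmatchable entry; in addition, the "(Minor issue)" annotations for bookworm and bullseye give no reason for a zip-bomb DoS, and the two NOTE links are the only place the impact is described. A short rationale in the annotation (who can trigger it, what it exhausts) would let LTS triage agree with the 6.0.45-1 fix recorded for sid.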
[Git][security-tracker-team/security-tracker][master] new flatpak issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 32a8a8bd by Moritz Muehlenhoff at 2024-04-18T20:54:45+02:00 new flatpak issue - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024-3246 + - flatpak + NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5 + NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj CVE-2024-26921 [inet: inet_defrag: prevent sk release while still in use] - linux [bookworm] - linux 6.1.85-1 = data/dsa-needed.txt = @@ -26,6 +26,8 @@ emacs -- expat (carnil) -- +flatpak (jmm) +-- frr -- glibc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32a8a8bdd1eb26d710b71642c344b54144093cbd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32a8a8bdd1eb26d710b71642c344b54144093cbd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
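Review bot: the CVE ID in this hunk, CVE-2024-3246, looks like a truncated CVE-2024-32462: commit 45fd8b11 in this digest lists CVE-2024-32462 for flatpak with fixed version 1.14.6-1 and the same NOTE https://www.openwall.com/lists/oss-security/2024/04/18/5, while CVE-2024-3246 here has no fixed version and points at that advisory plus GHSA-phv6-cpc2-2fgj. The two entries should be reconciled to one ID carrying both the fixed version and the GHSA NOTE before the dsa-needed "flatpak (jmm)" line is acted on, otherwise the sid status is contradictory.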
[Git][security-tracker-team/security-tracker][master] libapache2-mod-auth-openidc fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c3b9f671 by Moritz Muehlenhoff at 2024-04-18T16:45:21+02:00 libapache2-mod-auth-openidc fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19054,7 +19054,7 @@ CVE-2024-24920 (A vulnerability has been identified in Simcenter Femap (All vers NOT-FOR-US: Siemens CVE-2024-24814 (mod_auth_openidc is an OpenID Certified\u2122 authentication and autho ...) {DLA-3751-1} - - libapache2-mod-auth-openidc (bug #1064183) + - libapache2-mod-auth-openidc 2.4.15.7-1 (bug #1064183) NOTE: https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv NOTE: https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d (v2.4.15.2) CVE-2024-24782 (An unauthenticated attacker can send a ping request from one network t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3b9f671ac7631f8573de411f4cdef7636651f6b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3b9f671ac7631f8573de411f4cdef7636651f6b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
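Review bot: the fixed version 2.4.15.7-1 for sid is consistent with the "(v2.4.15.2)" tag on the upstream fix commit, but the entry still has no [bookworm] line: bullseye is covered by {DLA-3751-1}, so bookworm is now the only release the tracker shows as open for CVE-2024-24814, with no indication whether a point update, a DSA or a "(Minor issue)" decision is intended. Suggest adding a [bookworm] annotation in the same pass.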
[Git][security-tracker-team/security-tracker][master] new pytorch issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: af55eea0 by Moritz Muehlenhoff at 2024-04-18T16:44:35+02:00 new pytorch issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -229,7 +229,8 @@ CVE-2024-31585 (FFmpeg version n5.1 to n6.1 was discovered to contain an Off-by- NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 (n7.0) NOTE: Introduced by https://github.com/FFmpeg/FFmpeg/commit/81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 (n5.1) CVE-2024-31583 (Pytorch before version v2.2.0 was discovered to contain a use-after-fr ...) - TODO: check + - pytorch + NOTE: https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 CVE-2024-31582 (FFmpeg version n6.1 was discovered to contain a heap buffer overflow v ...) [experimental] - ffmpeg 7:7.0-1 - ffmpeg 
@@ -243,7 +244,8 @@ CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper valida [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...) - TODO: check + - pytorch + NOTE: https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 CVE-2024-31578 (FFmpeg version n6.1.1 was discovered to contain a heap use-after-free ...) [experimental] - ffmpeg 7:7.0-1 - ffmpeg View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af55eea0987f8adcaa93fb57751916b0a3365535 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af55eea0987f8adcaa93fb57751916b0a3365535 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
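Review bot: both hunks add "- pytorch" with an upstream commit NOTE but no fixed Debian version, no bug number and no suite annotations, so CVE-2024-31583 and CVE-2024-31580 will show as open everywhere although the descriptions bound the flaws to versions before v2.2.0; the ffmpeg entries in the same region tag each fix NOTE with the release it landed in ("(n7.0)"), and the same "(v2.2.0)" tag here plus "(bug #NNN)" would let maintainers and LTS see at once whether the packaged version is past the fix.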
[Git][security-tracker-team/security-tracker][master] new ffmpeg issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cc056ba by Moritz Muehlenhoff at 2024-04-18T13:51:59+02:00 new ffmpeg issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -217,17 +217,35 @@ CVE-2024-32161 (jizhiCMS 2.5 suffers from a File upload vulnerability.) CVE-2024-32130 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: WordPress plugin CVE-2024-31585 (FFmpeg version n5.1 to n6.1 was discovered to contain an Off-by-one Er ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Vulnerable code not present) + [buster] - ffmpeg (Vulnerable code not present) + NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 (n7.0) + NOTE: Introduced by https://github.com/FFmpeg/FFmpeg/commit/81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 (n5.1) CVE-2024-31583 (Pytorch before version v2.2.0 was discovered to contain a use-after-fr ...) TODO: check CVE-2024-31582 (FFmpeg version n6.1 was discovered to contain a heap buffer overflow v ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2 (n7.0) CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper validation o ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...) TODO: check CVE-2024-31578 (FFmpeg version n6.1.1 was discovered to contain a heap use-after-free ...) 
- TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7 CVE-2024-31463 (Ironic-image is an OpenStack Ironic deployment packaged and configured ...) TODO: check CVE-2024-31041 (Null Pointer Dereference vulnerability in topic_filtern function in mq ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cc056baf3e1754446afa5144ad328417e850041 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cc056baf3e1754446afa5144ad328417e850041 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
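Review bot: CVE-2024-31581's "Fixed by" NOTE lacks the release tag the sibling entries carry ("(n7.0)" for CVE-2024-31585 and CVE-2024-31582), and for CVE-2024-31582, CVE-2024-31581 and CVE-2024-31578 the bullseye annotation "Pick up when fixed in 4.3.x" is not backed by an "Introduced by" NOTE, whereas CVE-2024-31585 records its introducing commit "(n5.1)" and accordingly marks bullseye and buster "Vulnerable code not present". Adding the introducing commit, or a note that 4.3.x was verified affected, for the other three would justify the differing annotations.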
[Git][security-tracker-team/security-tracker][master] additional unclear xpdf issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 92b648f5 by Moritz Muehlenhoff at 2024-04-18T13:10:39+02:00 additional unclear xpdf issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -81,7 +81,8 @@ CVE-2024-3906 (A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has be CVE-2024-3905 (A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has been cl ...) NOT-FOR-US: Tenda CVE-2024-3900 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by long ...) - TODO: check + - poppler + NOTE: Might possibly affect poppler, pdf in Debian uses it CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw ...) NOT-FOR-US: Jenkins plugin CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument injection ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92b648f51af971e8b75b3ae1a7a42fd2ab4ee4c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92b648f51af971e8b75b3ae1a7a42fd2ab4ee4c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
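Review bot: the NOTE "Might possibly affect poppler, pdf in Debian uses it" is unclear on what "pdf" refers to, presumably that Debian's xpdf package is built on poppler rather than on upstream Xpdf's own parser, and the entry assigns CVE-2024-3900 to poppler with no suite annotation while the affected-code question is still open. Restating the NOTE as "Debian's xpdf is built against poppler; unconfirmed whether poppler shares the out-of-bounds write" and adding a NOTE with the upstream Xpdf reference for the affected code would keep the uncertainty visible to poppler maintainers.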
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: da7f04e4 by Moritz Muehlenhoff at 2024-04-18T12:51:06+02:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1521,6 +1521,8 @@ CVE-2024-1183 (An SSRF (Server-Side Request Forgery) vulnerability exists in the NOT-FOR-US: Gradio CVE-2024-1135 (Gunicorn fails to properly validate Transfer-Encoding headers, leading ...) - gunicorn (bug #1069126) + [bookworm] - gunicorn (Minor issue) + [bullseye] - gunicorn (Minor issue) NOTE: https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1 NOTE: https://github.com/benoitc/gunicorn/commit/ac29c9b0a758d21f1e0fb3b3457239e523fa9f1d CVE-2024-0549 (mintplex-labs/anything-llm is vulnerable to a relative path traversal ...) @@ -10440,8 +10442,10 @@ CVE-2024-20745 (Premiere Pro versions 24.1, 23.6.2 and earlier are affected by a NOT-FOR-US: Adobe CVE-2024-1753 (A flaw was found in Buildah (and subsequently Podman Build) which allo ...) - golang-github-containers-buildah 1.33.7+ds1-1 (bug #1067800) + [bookworm] - golang-github-containers-buildah (Minor issue) + [bullseye] - golang-github-containers-buildah (Minor issue) NOTE: https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf - TODO: check, at least podman will need a rebuild with a fixed buildah + NOTE: at least podman will need a rebuild with a fixed buildah CVE-2024-1658 (The Grid Shortcodes WordPress plugin before 1.1.1 does not validate an ...) NOT-FOR-US: WordPress plugin CVE-2024-1606 (Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.2 ...) = data/dsa-needed.txt = @@ -28,6 +28,8 @@ expat (carnil) -- frr -- +glibc +-- gpac/oldstable -- guix (jmm) 
@@ -35,6 +37,8 @@ guix (jmm) -- h2o (jmm) -- +less +-- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da7f04e4e2160a8f5b96c8c0610a2ff264c539da -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da7f04e4e2160a8f5b96c8c0610a2ff264c539da You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
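Review bot: the CVE-2024-1753 hunk keeps the NOTE "at least podman will need a rebuild with a fixed buildah" but adds no "- podman" line, so the tracker will not flag podman, which the NOTE itself says is built against buildah, as affected or as needing a rebuild once golang-github-containers-buildah 1.33.7+ds1-1 is in; a podman line referencing the same bug or NOTE would make the rebuild trackable. In the CVE-2024-1135 hunk, "(Minor issue)" for bookworm and bullseye is attached to a Transfer-Encoding validation flaw in gunicorn, a request-smuggling class of issue, with no rationale; if the reasoning is that gunicorn is expected to sit behind a reverse proxy that normalises the headers, recording that in the annotation would help LTS.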
[Git][security-tracker-team/security-tracker][master] ansible-core fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2007fd23 by Moritz Muehlenhoff at 2024-04-18T12:21:00+02:00 ansible-core fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23996,7 +23996,7 @@ CVE-2023-35020 (IBM Sterling Control Center 6.3.0 could allow a remote attacker CVE-2023-32337 (IBM Maximo Spatial Asset Management 8.10 is vulnerable to server-side ...) NOT-FOR-US: IBM CVE-2024-0690 (An information disclosure flaw was found in ansible-core due to a fail ...) - - ansible-core (bug #1061156) + - ansible-core 2.16.5-1 (bug #1061156) [bookworm] - ansible-core (Minor issue) - ansible 5.4.0-1 [bullseye] - ansible (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2007fd230d3f647898ae2cd69e015341aa017818 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2007fd230d3f647898ae2cd69e015341aa017818 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] fastdds fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ac3e867 by Moritz Muehlenhoff at 2024-04-18T12:19:37+02:00 fastdds fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9509,7 +9509,7 @@ CVE-2024-28286 (In mz-automation libiec61850 v1.4.0, a NULL Pointer Dereference NOT-FOR-US: libIEC61850 CVE-2024-28231 (eprosima Fast DDS is a C++ implementation of the Data Distribution Ser ...) [experimental] - fastdds 2.14.0+ds-1 - - fastdds (bug #1067393) + - fastdds 2.14.0+ds-2 (bug #1067393) NOTE: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-9m2j-qw67-ph4w NOTE: https://github.com/eProsima/Fast-DDS/commit/355706386f4af9ce74125eeec3c449b06113112b (v2.14.0) CVE-2024-28179 (Jupyter Server Proxy allows users to run arbitrary external processes ...) @@ -10173,7 +10173,7 @@ CVE-2024-28237 (OctoPrint provides a web interface for controlling consumer 3D p NOT-FOR-US: OctoPrint CVE-2024-26369 (An issue in the HistoryQosPolicy component of FastDDS v2.12.x, v2.11.x ...) [experimental] - fastdds 2.14.0+ds-1 - - fastdds (bug #1067180) + - fastdds 2.14.0+ds-2 (bug #1067180) NOTE: https://github.com/eProsima/Fast-DDS/issues/4365 NOTE: https://github.com/eProsima/Fast-DDS/pull/4375 CVE-2024-25942 (Dell PowerEdge Server BIOS contains an Improper SMM communication buff ...) @@ -13065,7 +13065,7 @@ CVE-2024-1142 (Path Traversal in Sonatype IQ Server from version 143 allows remo NOT-FOR-US: Sonatype CVE-2023-50716 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the ...) [experimental] - fastdds 2.14.0+ds-1 - - fastdds (bug #1066119) + - fastdds 2.14.0+ds-2 (bug #1066119) NOTE: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-5m2f-hvj2-cx2h CVE-2023-50167 (Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with ed ...) NOT-FOR-US: Pega Platform 
@@ -18054,7 +18054,7 @@ CVE-2024-1343 (A weak permission was found in the backup directory in LaborOffic NOT-FOR-US: LaborOfficeFree CVE-2023-50257 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the ...) [experimental] - fastdds 2.14.0+ds-1 - - fastdds (bug #1064515) + - fastdds 2.14.0+ds-2 (bug #1064515) [bookworm] - fastdds (Minor issue) [bullseye] - fastdds (Minor issue) NOTE: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ac3e867d79cd59e5e8997b92273e4abd3db3a5e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ac3e867d79cd59e5e8997b92273e4abd3db3a5e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
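Review bot: the four hunks set fixed version 2.14.0+ds-2 for sid, but only CVE-2023-50257 carries [bookworm]/[bullseye] "(Minor issue)" lines; CVE-2024-28231, CVE-2024-26369 and CVE-2023-50716 have no suite annotations at all, so after this commit they remain open for both stable releases without a recorded triage decision. Adding the missing annotations, or a point-update plan, in the same pass would keep the four entries consistent.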
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a876ec28 by Moritz Muehlenhoff at 2024-04-18T11:33:26+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3,55 +3,55 @@ CVE-2024-3177 NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here CVE-2024-3932 (A vulnerability classified as problematic has been found in Totara LMS ...) - TODO: check + NOT-FOR-US: Totara LMS CVE-2024-3931 (A vulnerability was found in Totara LMS 18.0.1 Build 20231128.01. It h ...) - TODO: check + NOT-FOR-US: Totara LMS CVE-2024-3928 (A vulnerability was found in Dromara open-capacity-platform 2.0.1. It ...) - TODO: check + NOT-FOR-US: Dromara open-capacity-platform CVE-2024-32746 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32745 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32744 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32743 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32472 (excalidraw is an open source virtual hand-drawn style whiteboard. A st ...) - TODO: check + NOT-FOR-US: excalidraw CVE-2024-32345 (A cross-site scripting (XSS) vulnerability in the Settings menu of CMS ...) - TODO: check + NOT-FOR-US: CMSimple CVE-2024-32344 (A cross-site scripting (XSS) vulnerability in the Settings menu of CMS ...) - TODO: check + NOT-FOR-US: CMSimple CVE-2024-32343 (A cross-site scripting (XSS) vulnerability in the Create Page of Boid ...) - TODO: check + NOT-FOR-US: Boid CMS CVE-2024-32342 (A cross-site scripting (XSS) vulnerability in the Create Page of Boid ...) - TODO: check + NOT-FOR-US: Boid CMS CVE-2024-32341 (Multiple cross-site scripting (XSS) vulnerabilities in the Home page o ...) 
- TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32340 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32339 (Multiple cross-site scripting (XSS) vulnerabilities in the HOW TO page ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32338 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32337 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-31869 (Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows ...) - TODO: check + - airflow (bug #819700) CVE-2024-2729 (The Otter Blocks WordPress plugin before 2.6.6 does not properly esca ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-29956 (A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints the ...) - TODO: check + NOT-FOR-US: Brocade CVE-2024-29955 (A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could allo ...) - TODO: check + NOT-FOR-US: Brocade CVE-2024-29952 (A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could allo ...) - TODO: check + NOT-FOR-US: Brocade CVE-2024-1429 (The Element Pack Elementor Addons (Header Footer, Free Template Librar ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1426 (The Element Pack Elementor Addons (Header Footer, Free Template Librar ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-4509 (It is possible for an API key to be logged in clear text in the audit ...) - TODO: check + NOT-FOR-US: Octopus Deploy CVE-2023-4235 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) TODO: check CVE-2023-4234 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) 
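Review bot: the context at the end of this hunk shows CVE-2023-4235 and CVE-2023-4234, both stack-based flaws in ofono per their descriptions, still at "TODO: check"; ofono is packaged in Debian, so these two cannot follow the NFU pattern of the surrounding lines and need a "- ofono" line with a NOTE, ideally in the same triage pass.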
@@ -79,7 +79,7 @@ CVE-2024-3905 (A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has be CVE-2024-3900 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by long ...) TODO: check CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument injection ...) - golang-github-hashicorp-go-getter NOTE: https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter
[Git][security-tracker-team/security-tracker][master] ansible fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 87c93034 by Moritz Muehlenhoff at 2024-04-18T11:05:12+02:00 ansible fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46045,7 +46045,7 @@ CVE-2023-38255 (A potential attacker with or without (cookie theft) access to th CVE-2023-37611 (Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a re ...) NOT-FOR-US: Neos CMS CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When creating a n ...) - - ansible (bug #1055300) + - ansible 9.4.0+dfsg-1 (bug #1055300) [bookworm] - ansible (Minor issue) [bullseye] - ansible (Minor issue) [buster] - ansible (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87c930349e0764906cfaca20b4f38076a63e84a0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87c930349e0764906cfaca20b4f38076a63e84a0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
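Review bot: the description of CVE-2023-4237 names the Ansible Automation Platform, yet the entry tracks the community ansible package with fixed version 9.4.0+dfsg-1 and "(Minor issue)" for bookworm, bullseye and buster, with no NOTE saying which collection or module carries the flaw and the fix; a NOTE with the upstream reference would document why the Debian package is affected and what the three "(Minor issue)" suites would need to backport.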
[Git][security-tracker-team/security-tracker][master] new k8s issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 54d66d6f by Moritz Muehlenhoff at 2024-04-18T10:22:30+02:00 new k8s issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024-3177 + - kubernetes 1.20.5+really1.20.2-1 + NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version + NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here CVE-2024-3932 (A vulnerability classified as problematic has been found in Totara LMS ...) TODO: check CVE-2024-3931 (A vulnerability was found in Totara LMS 18.0.1 Build 20231128.01. It h ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54d66d6f173401115c7f00844a101c9c642e6258 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54d66d6f173401115c7f00844a101c9c642e6258 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
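Review bot: the second NOTE has a typo, "The source package itself it still vulnerable" should read "is still vulnerable"; more substantively, recording 1.20.5+really1.20.2-1 as the fixed version for CVE-2024-3177 because the server components are no longer built is a reasonable call, but since the NOTE concedes the source still carries the vulnerable code, a reader sees "fixed" with no pointer to the upstream advisory or commit. A NOTE with the upstream reference would let anyone who does rebuild the server components find the real fix.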
[Git][security-tracker-team/security-tracker][master] mysql-8.0 bugnum
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 24d71f3a by Moritz Muehlenhoff at 2024-04-17T19:35:23+02:00 mysql-8.0 bugnum - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -177,7 +177,7 @@ CVE-2024-21104 (Vulnerability in the Oracle ZFS Storage Appliance Kit product of CVE-2024-21103 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) TODO: check CVE-2024-21102 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1069189) CVE-2024-21101 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) NOT-FOR-US: MySQL Cluster CVE-2024-21100 (Vulnerability in the Oracle Commerce Platform product of Oracle Commer ...) @@ -189,7 +189,7 @@ CVE-2024-21098 (Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Ente CVE-2024-21097 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1069189) CVE-2024-21095 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2024-21094 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) @@ -211,7 +211,7 @@ CVE-2024-21089 (Vulnerability in the Oracle Concurrent Processing product of Ora CVE-2024-21088 (Vulnerability in the Oracle Production Scheduling product of Oracle E- ...) NOT-FOR-US: Oracle CVE-2024-21087 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1069189) CVE-2024-21086 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) NOT-FOR-US: Oracle CVE-2024-21085 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) 
@@ -248,7 +248,7 @@ CVE-2024-21071 (Vulnerability in the Oracle Workflow product of Oracle E-Busines CVE-2024-21070 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2024-21069 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1069189) CVE-2024-21068 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 11.0.23+9-1 @@ -265,11 +265,11 @@ CVE-2024-21064 (Vulnerability in the Oracle Business Intelligence Enterprise Edi CVE-2024-21063 (Vulnerability in the PeopleSoft Enterprise HCM Benefits Administration ...) NOT-FOR-US: Oracle CVE-2024-21062 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1069189) CVE-2024-21061 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.36-1 CVE-2024-21060 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1069189) CVE-2024-21059 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2024-21058 (Vulnerability in the Unified Audit component of Oracle Database Server ...) @@ -281,7 +281,7 @@ CVE-2024-21056 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-21055 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.36-1 CVE-2024-21054 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1069189) CVE-2024-21053 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.35-1 CVE-2024-21052 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) 
@@ -295,7 +295,7 @@ CVE-2024-21049 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-21048 (Vulnerability in the Oracle Web Applications Desktop Integrator produc ...) NOT-FOR-US: Oracle CVE-2024-21047 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1069189) CVE-2024-21046 (Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul ...) NOT-FOR-US: Oracle CVE-2024-21045 (Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul ...) @@ -363,7 +363,7 @@ CVE-2024-21015 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-21014 (Vulnerability in the Oracle Hospitality Simphony product of Oracle Foo ...) NOT-FOR-US: Oracle CVE-2024-21013 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql
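Review bot: the reference (bug #1069189) is added only to the mysql-8.0 entries that have no fixed version, and the entries already marked 8.0.36-1 or 8.0.35-1 (CVE-2024-21061, CVE-2024-21055, CVE-2024-21053 in the visible context) are correctly left alone. The final hunk (@@ -363,7) is cut off after "- mysql" in this copy, so whether CVE-2024-21013 and any remaining open entries received the same reference cannot be checked here.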
[Git][security-tracker-team/security-tracker][master] firefox DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c7ee6d61 by Moritz Mühlenhoff at 2024-04-17T19:11:08+02:00 firefox DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[17 Apr 2024] DSA-5663-1 firefox-esr - security update + {CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864} + [bullseye] - firefox-esr 115.10.0esr-1~deb11u1 + [bookworm] - firefox-esr 115.10.0esr-1~deb12u1 [16 Apr 2024] DSA-5655-2 cockpit - regression update [bookworm] - cockpit 287.1-0+deb12u2 [16 Apr 2024] DSA-5662-1 apache2 - security update = data/dsa-needed.txt = @@ -26,8 +26,6 @@ emacs -- expat (carnil) -- -firefox-esr (jmm) --- frr -- gpac/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7ee6d612d441e25c74b78aff81f8ec7aeec6771 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7ee6d612d441e25c74b78aff81f8ec7aeec6771 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
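Review bot: the DSA-5663-1 entry lists eight CVEs with firefox-esr 115.10.0esr-1~deb11u1 for bullseye and 115.10.0esr-1~deb12u1 for bookworm, but this commit touches only data/DSA/list and data/dsa-needed.txt; the matching [bullseye]/[bookworm] fixed versions for those CVEs in data/CVE/list are not part of this diff, so a reviewer should confirm they were set in a separate commit. The dsa-needed.txt hunk removes the firefox-esr (jmm) block together with its "--" separator, which keeps the list well-formed.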
[Git][security-tracker-team/security-tracker][master] openjdk-11 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 463dd43a by Moritz Muehlenhoff at 2024-04-17T17:28:49+02:00 openjdk-11 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -194,7 +194,7 @@ CVE-2024-21095 (Vulnerability in the Primavera P6 Enterprise Project Portfolio M NOT-FOR-US: Oracle CVE-2024-21094 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - - openjdk-11 + - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 NOTE: https://bugs.openjdk.org/browse/JDK-8317507 @@ -216,7 +216,7 @@ CVE-2024-21086 (Vulnerability in the Oracle CRM Technical Foundation product of NOT-FOR-US: Oracle CVE-2024-21085 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 - - openjdk-11 + - openjdk-11 11.0.23+9-1 CVE-2024-21084 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) NOT-FOR-US: Oracle CVE-2024-21083 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) @@ -251,7 +251,7 @@ CVE-2024-21069 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-8.0 CVE-2024-21068 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - - openjdk-11 + - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 CVE-2024-21067 (Vulnerability in the Oracle Enterprise Manager Base Platform product o ...) 
@@ -365,12 +365,12 @@ CVE-2024-21014 (Vulnerability in the Oracle Hospitality Simphony product of Orac CVE-2024-21013 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2024-21012 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - - openjdk-11 + - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 CVE-2024-21011 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - - openjdk-11 + - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 CVE-2024-21010 (Vulnerability in the Oracle Hospitality Simphony product of Oracle Foo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/463dd43aa21574772ade7f654f9b7b2ed8b9790c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/463dd43aa21574772ade7f654f9b7b2ed8b9790c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] openjdk-17 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e6137bbf by Moritz Muehlenhoff at 2024-04-17T16:04:05+02:00 openjdk-17 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -195,7 +195,7 @@ CVE-2024-21095 (Vulnerability in the Primavera P6 Enterprise Project Portfolio M CVE-2024-21094 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 - - openjdk-17 + - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 NOTE: https://bugs.openjdk.org/browse/JDK-8317507 CVE-2024-21093 (Vulnerability in the Java VM component of Oracle Database Server. Sup ...) @@ -252,7 +252,7 @@ CVE-2024-21069 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-21068 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 - - openjdk-17 + - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 CVE-2024-21067 (Vulnerability in the Oracle Enterprise Manager Base Platform product o ...) NOT-FOR-US: Oracle 
@@ -366,12 +366,12 @@ CVE-2024-21013 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-8.0 CVE-2024-21012 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-11 - - openjdk-17 + - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 CVE-2024-21011 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 - - openjdk-17 + - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 CVE-2024-21010 (Vulnerability in the Oracle Hospitality Simphony product of Oracle Foo ...) NOT-FOR-US: Oracle View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6137bbf95058f0d8848421bc28dd7e5062fc879 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6137bbf95058f0d8848421bc28dd7e5062fc879 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] openjdk-21 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cce5ffa by Moritz Muehlenhoff at 2024-04-17T15:13:55+02:00 openjdk-21 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -196,7 +196,8 @@ CVE-2024-21094 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Ora - openjdk-8 - openjdk-11 - openjdk-17 - - openjdk-21 + - openjdk-21 21.0.3+9-1 + NOTE: https://bugs.openjdk.org/browse/JDK-8317507 CVE-2024-21093 (Vulnerability in the Java VM component of Oracle Database Server. Sup ...) NOT-FOR-US: Oracle CVE-2024-21092 (Vulnerability in the Oracle Agile Product Lifecycle Management for Pro ...) @@ -252,7 +253,7 @@ CVE-2024-21068 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Ora - openjdk-8 - openjdk-11 - openjdk-17 - - openjdk-21 + - openjdk-21 21.0.3+9-1 CVE-2024-21067 (Vulnerability in the Oracle Enterprise Manager Base Platform product o ...) NOT-FOR-US: Oracle CVE-2024-21066 (Vulnerability in the RDBMS component of Oracle Database Server. Suppo ...) 
@@ -366,12 +367,12 @@ CVE-2024-21013 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-21012 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-11 - openjdk-17 - - openjdk-21 + - openjdk-21 21.0.3+9-1 CVE-2024-21011 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 - openjdk-17 - - openjdk-21 + - openjdk-21 21.0.3+9-1 CVE-2024-21010 (Vulnerability in the Oracle Hospitality Simphony product of Oracle Foo ...) NOT-FOR-US: Oracle CVE-2024-21009 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cce5ffab0dc2e6f1fd2d3504f3bb9093f3893d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cce5ffab0dc2e6f1fd2d3504f3bb9093f3893d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] azure-uamqp-python fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f40dc4c by Moritz Muehlenhoff at 2024-04-17T15:09:19+02:00 azure-uamqp-python fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7565,7 +7565,7 @@ CVE-2024-29199 (Nautobot is a Network Source of Truth and Network Automation Pla CVE-2024-29196 (phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, ...) NOT-FOR-US: phpMyFAQ CVE-2024-29195 (The azure-c-shared-utility is a C library for AMQP/MQTT communication ...) - - azure-uamqp-python (bug #1068457) + - azure-uamqp-python 1.6.9-2 (bug #1068457) NOTE: https://github.com/Azure/azure-c-shared-utility/security/advisories/GHSA-m8wp-hc7w-x4xg NOTE: https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2 CVE-2024-29189 (PyAnsys Geometry is a Python client library for the Ansys Geometry ser ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f40dc4cc32a3832afbdf9fdaaaed9d7cfdc1f73 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f40dc4cc32a3832afbdf9fdaaaed9d7cfdc1f73 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
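Review bot: the CVE text describes azure-c-shared-utility, a C library, while the fix is tracked against azure-uamqp-python 1.6.9-2, so the library is presumably embedded in that Python package; the GHSA and upstream-commit NOTEs make the fixed version verifiable, which is the pattern the other "fixed in sid" commits in this series would benefit from. Any other Debian source package embedding azure-c-shared-utility would need its own entry; none is listed in this hunk.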
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 409e87f7 by Moritz Muehlenhoff at 2024-04-17T13:47:47+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,7 +29,7 @@ CVE-2024-3867 (The archive-tainacan-collection theme for WordPress is vulnerable CVE-2024-3672 (The BA Book Everything plugin for WordPress is vulnerable to Stored Cr ...) NOT-FOR-US: WordPress plugin CVE-2024-3660 (A arbitrary code injection vulnerability in TensorFlow's Keras framewo ...) - TODO: check + - tensorflow (bug #804612) CVE-2024-3367 (Argument injection in websphere_mq agent plugin in Checkmk 2.0.0, 2.1. ...) - check-mk CVE-2024-3243 (The Customer Reviews for WooCommerce plugin for WordPress is vulnerabl ...) @@ -37,15 +37,15 @@ CVE-2024-3243 (The Customer Reviews for WooCommerce plugin for WordPress is vuln CVE-2024-3067 (The WooCommerce Google Feed Manager plugin for WordPress is vulnerable ...) NOT-FOR-US: WordPress plugin CVE-2024-32634 (In huge memory get unmapped area check, code can never be reached beca ...) - TODO: check + NOT-FOR-US: ASR Falcon CVE-2024-32633 (An unsigned value can never be negative, so eMMC full disk test will a ...) - TODO: check + NOT-FOR-US: ASR Falcon CVE-2024-32632 (A value in ATCMD will be misinterpreted by printf, causing incorrect o ...) - TODO: check + NOT-FOR-US: ASR Falcon CVE-2024-32631 (Out-of-Bounds read in ciCCIOTOPT in ASR180X will cause incorrect compu ...) - TODO: check + NOT-FOR-US: ASR Falcon CVE-2024-32625 (In OffloadAMRWriter, a scalar field is not initialized so will contain ...) - TODO: check + NOT-FOR-US: ASR Falcon CVE-2024-32532 (Missing Authorization vulnerability in SiteGround Speed Optimizer.This ...) NOT-FOR-US: WordPress plugin CVE-2024-32525 (Missing Authorization vulnerability in Theme My Login.This issue affec ...) 
@@ -113,7 +113,7 @@ CVE-2024-30380 (An Improper Handling of Exceptional Conditions vulnerability in CVE-2024-30378 (A Use After Free vulnerability in command processing of Juniper Networ ...) NOT-FOR-US: Juniper CVE-2024-30256 (Open WebUI is a user-friendly WebUI for LLMs. Open-webui is vulnerable ...) - TODO: check + NOT-FOR-US: Open WebUI CVE-2024-2309 (The WP STAGING WordPress Backup Plugin WordPress plugin before 3.4.0, ...) NOT-FOR-US: WordPress plugin CVE-2024-2118 (The Social Media Share Buttons & Social Sharing Icons WordPress plugin ...) @@ -127,7 +127,7 @@ CVE-2024-29402 (cskefu v7 suffers from Insufficient Session Expiration, which al CVE-2024-29291 (An issue in Laravel Framework 8 through 11 might allow a remote attack ...) TODO: check CVE-2024-27086 (The MSAL library enabled acquisition of security tokens to call protec ...) - TODO: check + NOT-FOR-US: microsoft-authentication-library-for-dotnet CVE-2024-25911 (Missing Authorization vulnerability in Skymoon Labs MoveTo.This issue ...) NOT-FOR-US: WordPress plugin CVE-2024-22440 (A potential security vulnerability has been identified in HPE Compute ...) @@ -179,7 +179,7 @@ CVE-2024-21103 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virt CVE-2024-21102 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2024-21101 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) - TODO: check + NOT-FOR-US: MySQL Cluster CVE-2024-21100 (Vulnerability in the Oracle Commerce Platform product of Oracle Commer ...) NOT-FOR-US: Oracle CVE-2024-21099 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) 
@@ -423,13 +423,13 @@ CVE-2024-1219 (The Easy Social Feed WordPress plugin before 6.5.6 does not vali CVE-2024-0868 (The coreActivity: Activity Logging plugin for WordPress plugin before ...) NOT-FOR-US: WordPress plugin CVE-2023-51391 (A bug in Micrium OS Network HTTP Server permits an invalid pointer der ...) - TODO: check + NOT-FOR-US: Micrium OS Network HTTP Server CVE-2023-50872 (The API in Accredible Credential.net December 6th, 2023 allows an Inse ...) - TODO: check + NOT-FOR-US: Accredible Credential.net API CVE-2023-45000 (Missing Authorization vulnerability in LiteSpeed Technologies LiteSpee ...) - TODO: check + NOT-FOR-US: LiteSpeed Technologies CVE-2023-4 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: LiteSpeed Technologies CVE-2024- [gix-transport indirect code execution via malicious username] - rust-gix-transport 0.42.0-1 NOTE: https://github.com/advisories/GHSA-98p4-xjmm-8mfh View it on GitLab: https://salsa.debian.org/security-tra
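Review bot: in the first hunk CVE-2024-3660 is assigned "- tensorflow (bug #804612)", a bug number far older than the other references in this series (#1055300, #1068457, #1069189); if #804612 is the tensorflow ITP rather than a security bug, the usual tracker form is "- tensorflow <itp> (bug #804612)", otherwise a NOTE saying what the bug tracks would help the next triager. In the last hunk the identifier "CVE-2023-4 (Improper Neutralization ...)" appears truncated in this copy, and the hunk is cut off before its trailing context, so it cannot be fully reviewed here.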
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 13471cfc by Moritz Muehlenhoff at 2024-04-17T13:11:58+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,7 @@ CVE-2024-3875 (A vulnerability was found in Tenda F1202 1.2.0.20(408). It has be CVE-2024-3874 (A vulnerability was found in Tenda W20E 15.11.0.6. It has been declare ...) NOT-FOR-US: Tenda CVE-2024-3873 (A vulnerability was found in SMI SMI-EX-5414W up to 1.0.03. It has bee ...) - TODO: check + NOT-FOR-US: SMI-EX-5414W CVE-2024-3872 (Mattermost Mobile app versions 2.13.0 and earlier use a regular expres ...) NOT-FOR-US: Mattermost Mobile app CVE-2024-3871 (The Delta Electronics DVW-W02W2-E2 devices expose a web administration ...) @@ -81,17 +81,17 @@ CVE-2024-32254 (Phpgurukul Tourism Management System v2.0 is vulnerable to Unres CVE-2024-32086 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) NOT-FOR-US: WordPress plugin CVE-2024-32027 (Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss v22. ...) - TODO: check + NOT-FOR-US: Kohya_ss CVE-2024-32026 (Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss is v ...) - TODO: check + NOT-FOR-US: Kohya_ss CVE-2024-32025 (Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss is v ...) - TODO: check + NOT-FOR-US: Kohya_ss CVE-2024-32024 (Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss is v ...) - TODO: check + NOT-FOR-US: Kohya_ss CVE-2024-32023 (Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss is v ...) - TODO: check + NOT-FOR-US: Kohya_ss CVE-2024-32022 (Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss is ...) - TODO: check + NOT-FOR-US: Kohya_ss CVE-2024-31887 (IBM Security Verify Privilege 11.6.25 could allow an unauthenticated a ...) NOT-FOR-US: IBM CVE-2024-31760 (An issue in sanluan flipped-aurora gin-vue-admin 2.4.x allows an attac ...) 
@@ -107,7 +107,7 @@ CVE-2024-31452 (OpenFGA is a high-performance and flexible authorization/permiss CVE-2024-31451 (DocsGPT is a GPT-powered chat for documentation. DocsGPT is vulnerable ...) NOT-FOR-US: DocsGPT CVE-2024-31446 (OpenComputers is a Minecraft mod that adds programmable computers and ...) - TODO: check + NOT-FOR-US: OpenComputers Minecraft mod CVE-2024-30380 (An Improper Handling of Exceptional Conditions vulnerability in Junipe ...) NOT-FOR-US: Juniper CVE-2024-30378 (A Use After Free vulnerability in command processing of Juniper Networ ...) @@ -119,9 +119,9 @@ CVE-2024-2309 (The WP STAGING WordPress Backup Plugin WordPress plugin before 3 CVE-2024-2118 (The Social Media Share Buttons & Social Sharing Icons WordPress plugin ...) NOT-FOR-US: WordPress plugin CVE-2024-2102 (The Salon booking system WordPress plugin before 9.6.3 does not proper ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2101 (The Salon booking system WordPress plugin before 9.6.3 does not proper ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-29402 (cskefu v7 suffers from Insufficient Session Expiration, which allows a ...) NOT-FOR-US: cskefu CVE-2024-29291 (An issue in Laravel Framework 8 through 11 might allow a remote attack ...) 
@@ -141,13 +141,13 @@ CVE-2024-21676 (This High severity Injection vulnerability was introduced in ver CVE-2024-21121 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 7.0.16-dfsg-1 CVE-2024-21120 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-21119 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-21118 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-21117 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-21116 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 7.0.16-dfsg-1 CVE-2024-21115 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) @@ -171,9 +171,9 @@ CVE-2024-21107 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virt CVE-2024-21106 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 7.0.16-dfsg-1 CVE-2024-21105 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-21104 (Vulnerability in the Or
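Review bot: the Oracle Outside In Technology entries (CVE-2024-21117 through CVE-2024-21120) and CVE-2024-21105 are closed as "NOT-FOR-US: Oracle", consistent with the other Oracle entries in the file, and the Kohya_ss and Salon booking system entries get the same product-specific form used elsewhere. The final hunk (@@ -171,9) is cut off mid-line at "CVE-2024-21104 (Vulnerability in the Or" in this copy, so the remainder of that hunk cannot be checked here.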
[Git][security-tracker-team/security-tracker][master] new vbox issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 478cb97f by Moritz Muehlenhoff at 2024-04-17T12:39:52+02:00 new vbox issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -139,7 +139,7 @@ CVE-2024-22329 (IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Appl CVE-2024-21676 (This High severity Injection vulnerability was introduced in versions ...) NOT-FOR-US: Atlassian CVE-2024-21121 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21120 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) TODO: check CVE-2024-21119 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) 
@@ -149,27 +149,27 @@ CVE-2024-21118 (Vulnerability in the Oracle Outside In Technology product of Ora CVE-2024-21117 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) TODO: check CVE-2024-21116 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21115 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21114 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21113 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21112 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-2 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21110 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21109 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21108 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21107 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21106 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - TODO: check + - virtualbox 7.0.16-dfsg-1 CVE-2024-21105 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) TODO: check CVE-2024-21104 (Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracl ...) 
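Review bot: every VirtualBox entry is changed to "- virtualbox 7.0.16-dfsg-1" with no [bookworm]/[bullseye] lines; that is only correct if virtualbox is absent from the stable suites, which this diff cannot show, so it is worth a check against the archive. One entry reads "CVE-2024-2 (Vulnerability in the Oracle VM VirtualBox ...)", an identifier that appears truncated in this copy.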
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/478cb97f127a8d3aad3929789faee83f03c489d9
[Git][security-tracker-team/security-tracker][master] new mysql issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cc818688 by Moritz Muehlenhoff at 2024-04-17T12:36:13+02:00 new mysql issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -177,7 +177,7 @@ CVE-2024-21104 (Vulnerability in the Oracle ZFS Storage Appliance Kit product of CVE-2024-21103 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) TODO: check CVE-2024-21102 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-21101 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) TODO: check CVE-2024-21100 (Vulnerability in the Oracle Commerce Platform product of Oracle Commer ...) @@ -189,7 +189,7 @@ CVE-2024-21098 (Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Ente CVE-2024-21097 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) TODO: check CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-21095 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) TODO: check CVE-2024-21094 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) @@ -210,7 +210,7 @@ CVE-2024-21089 (Vulnerability in the Oracle Concurrent Processing product of Ora CVE-2024-21088 (Vulnerability in the Oracle Production Scheduling product of Oracle E- ...) TODO: check CVE-2024-21087 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-21086 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) TODO: check CVE-2024-21085 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) 
@@ -247,7 +247,7 @@ CVE-2024-21071 (Vulnerability in the Oracle Workflow product of Oracle E-Busines CVE-2024-21070 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) TODO: check CVE-2024-21069 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-21068 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 
@@ -264,37 +264,37 @@ CVE-2024-21064 (Vulnerability in the Oracle Business Intelligence Enterprise Edi CVE-2024-21063 (Vulnerability in the PeopleSoft Enterprise HCM Benefits Administration ...) TODO: check CVE-2024-21062 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-21061 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 8.0.36-1 CVE-2024-21060 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-21059 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) TODO: check CVE-2024-21058 (Vulnerability in the Unified Audit component of Oracle Database Server ...) TODO: check CVE-2024-21057 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 8.0.36-1 CVE-2024-21056 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 8.0.35-1 CVE-2024-21055 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 8.0.36-1 CVE-2024-21054 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-21053 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 8.0.35-1 CVE-2024-21052 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 8.0.35-1 CVE-2024-21051 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 8.0.35-1 CVE-2024-21050 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 8.0.35-1 CVE-2024-21049 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) 
- TODO: check + - mysql-8.0 8.0.35-1 CVE-2024-21048 (Vulnerability in the Oracle Web Applications Desktop Integrator produc ...) TODO: check CVE-2024-21047 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-21046 (Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul ...) TODO: check CVE
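Review bot: the hunks mix three states: entries left open ("- mysql-8.0"), entries marked fixed in 8.0.36-1, and entries marked fixed in 8.0.35-1. For the back-dated fixed versions (e.g. CVE-2024-21056 and CVE-2024-21053 at 8.0.35-1) no NOTE explains how the version was derived, so a reference to the upstream release notes or the Oracle CPU matrix would make those verifiable. The open entries carry no bug reference here; commit 24d71f3a on this page adds (bug #1069189) to them. The last hunk is cut off after "TODO: check CVE" in this copy.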
[Git][security-tracker-team/security-tracker][master] new java issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 962c5cf1 by Moritz Muehlenhoff at 2024-04-17T12:00:53+02:00 new java issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -193,7 +193,10 @@ CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-21095 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) TODO: check CVE-2024-21094 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - TODO: check + - openjdk-8 + - openjdk-11 + - openjdk-17 + - openjdk-21 CVE-2024-21093 (Vulnerability in the Java VM component of Oracle Database Server. Sup ...) TODO: check CVE-2024-21092 (Vulnerability in the Oracle Agile Product Lifecycle Management for Pro ...) @@ -211,7 +214,8 @@ CVE-2024-21087 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-21086 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) TODO: check CVE-2024-21085 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - TODO: check + - openjdk-8 + - openjdk-11 CVE-2024-21084 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) TODO: check CVE-2024-21083 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) @@ -245,7 +249,10 @@ CVE-2024-21070 (Vulnerability in the PeopleSoft Enterprise PeopleTools product o CVE-2024-21069 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) TODO: check CVE-2024-21068 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - TODO: check + - openjdk-8 + - openjdk-11 + - openjdk-17 + - openjdk-21 CVE-2024-21067 (Vulnerability in the Oracle Enterprise Manager Base Platform product o ...) TODO: check CVE-2024-21066 (Vulnerability in the RDBMS component of Oracle Database Server. Suppo ...) 
@@ -357,9 +364,14 @@ CVE-2024-21014 (Vulnerability in the Oracle Hospitality Simphony product of Orac CVE-2024-21013 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) TODO: check CVE-2024-21012 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - TODO: check + - openjdk-11 + - openjdk-17 + - openjdk-21 CVE-2024-21011 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - TODO: check + - openjdk-8 + - openjdk-11 + - openjdk-17 + - openjdk-21 CVE-2024-21010 (Vulnerability in the Oracle Hospitality Simphony product of Oracle Foo ...) TODO: check CVE-2024-21009 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/962c5cf1e1e5abf5e5f1f1c4190030c5f06153b5
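Review bot: the openjdk entries across all four hunks (CVE-2024-21094, CVE-2024-21085, CVE-2024-21068, CVE-2024-21012, CVE-2024-21011) list affected source packages with neither a fixed version nor a NOTE line, and the package set differs per CVE (only openjdk-8 and openjdk-11 for CVE-2024-21085, only openjdk-11/17/21 for CVE-2024-21012). A NOTE with the upstream reference on each entry would document why those subsets were chosen and make the later fixed-version update verifiable; as written, a reader has to reconstruct the affected-version ranges from outside the file.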
[Git][security-tracker-team/security-tracker][master] new rust-gix-transport issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b89e495 by Moritz Muehlenhoff at 2024-04-17T09:44:10+02:00 new rust-gix-transport issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024- [gix-transport indirect code execution via malicious username] + - rust-gix-transport 0.42.0-1 + NOTE: https://github.com/advisories/GHSA-98p4-xjmm-8mfh + NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0335.html CVE-2024-27980 - nodejs (Only affects Windows) CVE-2024-3847 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b89e4954774bd45d42e7c9ec83cddc5c2301af4
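Review bot: the identifier on the added entry is incomplete: "CVE-2024- [gix-transport indirect code execution via malicious username]" has no number after the year. Either the CVE assigned in the linked GHSA-98p4-xjmm-8mfh / RUSTSEC-2024-0335 advisories should be filled in, or the tracker's CVE-2024-XXXX placeholder form for not-yet-assigned issues should be used so the entry stays parseable. The "- rust-gix-transport 0.42.0-1" line states the fixing upload; a NOTE saying whether older suites ship the package at all would save the next person a lookup.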
[Git][security-tracker-team/security-tracker][master] apache2 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e466e74 by Moritz Mühlenhoff at 2024-04-16T20:28:15+02:00 apache2 DSA - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -39354,16 +39354,12 @@ CVE-2020-36698 (The Security & Malware scan by CleanTalk plugin for WordPress is NOT-FOR-US: WordPress plugin CVE-2023-45802 (When a HTTP/2 stream was reset (RST frame) by a client, there was a ti ...) - apache2 2.4.58-1 - [bookworm] - apache2 (Minor issue) - [bullseye] - apache2 (Minor issue) [buster] - apache2 (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/6 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-45802 NOTE: https://github.com/icing/blog/blob/main/h2-rapid-reset.md#cve-2023-45802 CVE-2023-43622 (An attacker, opening a HTTP/2 connection with an initial window size o ...) - apache2 2.4.58-1 - [bookworm] - apache2 (Minor issue) - [bullseye] - apache2 (Minor issue) [buster] - apache2 (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/5 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-43622 @@ -62180,8 +62176,6 @@ CVE-2023-2258 (Improper Neutralization of Formula Elements in a CSV File in GitH NOT-FOR-US: Alf.io CVE-2023-31122 (Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.Th ...) - apache2 2.4.58-1 - [bookworm] - apache2 (Minor issue) - [bullseye] - apache2 (Minor issue) [buster] - apache2 (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/4 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-31122 = data/DSA/list = 
@@ -1,3 +1,7 @@ +[16 Apr 2024] DSA-5662-1 apache2 - security update + {CVE-2023-31122 CVE-2023-38709 CVE-2023-43622 CVE-2023-45802 CVE-2024-24795 CVE-2024-27316} + [bullseye] - apache2 2.4.59-1~deb11u1 + [bookworm] - apache2 2.4.59-1~deb12u1 [15 Apr 2024] DSA-5661-1 php8.2 - security update {CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096} [bookworm] - php8.2 8.2.18-1~deb12u1 = data/dsa-needed.txt = @@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -apache2 (jmm) --- cryptojs -- dav1d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e466e744c1279408b3abfddd88f7825cf68f06b
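Review bot: DSA-5662-1 lists six CVEs ({CVE-2023-31122 CVE-2023-38709 CVE-2023-43622 CVE-2023-45802 CVE-2024-24795 CVE-2024-27316}), but the data/CVE/list hunks only drop the "[bookworm] - apache2 (Minor issue)" and "[bullseye] - apache2 (Minor issue)" lines for three of them (CVE-2023-45802, CVE-2023-43622, CVE-2023-31122). Please confirm that the entries for CVE-2023-38709, CVE-2024-24795 and CVE-2024-27316 carry no stale no-dsa annotation for bullseye or bookworm, since the DSA now supersedes it for those suites. Leaving the [buster] lines in place is correct, as the DSA only provides 2.4.59-1~deb11u1 and 2.4.59-1~deb12u1.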
[Git][security-tracker-team/security-tracker][master] new firefox-esr issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b9f3f0d6 by Moritz Muehlenhoff at 2024-04-16T18:19:04+02:00 new firefox-esr issues - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = 
@@ -1,33 +1,45 @@ CVE-2024-3302 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3302 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/#CVE-2024-3302 CVE-2024-3865 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3865 CVE-2024-3864 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3864 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/#CVE-2024-3864 CVE-2024-3863 - firefox (Windows-specific) + - firefox-esr (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3863 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/#CVE-2024-3863 CVE-2024-3862 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3862 CVE-2024-3861 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3861 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/#CVE-2024-3861 CVE-2024-3860 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3860 CVE-2024-3859 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3859 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/#CVE-2024-3859 CVE-2024-3858 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3858 CVE-2024-3857 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3857 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/#CVE-2024-3857 CVE-2024-3856 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3856 
@@ -36,13 +48,17 @@ CVE-2024-3855 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3855 CVE-2024-3854 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3854 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/#CVE-2024-3854 CVE-2024-3853 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3853 CVE-2024-3852 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3852 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/#CVE-2024-3852 CVE-2024-3575 (Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb) NOT-FOR-US: mindsdb CVE-2024-3574 (In scrapy version 2.10.1, an issue was identified where the Authorizat ...) @@ -8734,7 +8750,9 @@ CVE-2024-2610 (Using a markup injection an attacker could have stolen nonce valu NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-14/#CVE-2024-2610 CVE-2024-2609 (The permission prompt input delay could have expired while the window ...) - firefox 124.0-1 + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-12/#CVE-2024-2609 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/#CVE-2024-2609 CVE-2024-2608 (`AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding()` and ...) {DSA-5644-1 DSA-5643-1 DLA-3775-1 DLA-3769-1} - firefox 124.0-1 = data/dsa-needed.txt = 
@@ -25,11 +25,13 @@ emacs -- expat (carnil) -- +firefox-esr (jmm) +-- frr -- gpac/oldstable -- -guix +guix (jmm) Maintainer has proposed to handle this as DSA, proposed debdiffs -- h2o (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9f3f0d61f4a48c56b5e53797a947dde2a7aff61
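Review bot: the dsa-needed.txt hunk also turns "guix" into "guix (jmm)" next to the existing comment "Maintainer has proposed to handle this as DSA, proposed debdiffs", which has nothing to do with the "new firefox-esr issues" commit message; claiming guix would be clearer as its own commit so the history shows who took it and when. In the data/CVE/list hunks, every added "- firefox-esr" line has no fixed version, which is consistent with adding "firefox-esr (jmm)" to dsa-needed.txt; the one entry to watch is CVE-2024-2609, where firefox already records "124.0-1" and firefox-esr is now open with only the mfsa2024-19 NOTE to back it.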
[Git][security-tracker-team/security-tracker][master] new firefox issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 07416eed by Moritz Muehlenhoff at 2024-04-16T18:15:30+02:00 new firefox issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,48 @@ +CVE-2024-3302 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3302 +CVE-2024-3865 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3865 +CVE-2024-3864 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3864 +CVE-2024-3863 + - firefox (Windows-specific) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3863 +CVE-2024-3862 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3862 +CVE-2024-3861 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3861 +CVE-2024-3860 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3860 +CVE-2024-3859 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3859 +CVE-2024-3858 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3858 +CVE-2024-3857 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3857 +CVE-2024-3856 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3856 +CVE-2024-3855 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3855 +CVE-2024-3854 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3854 +CVE-2024-3853 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3853 +CVE-2024-3852 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3852 CVE-2024-3575 (Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb) NOT-FOR-US: mindsdb CVE-2024-3574 (In scrapy version 2.10.1, an issue was identified where the Authorizat ...) 
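Review bot: the fifteen added entries (CVE-2024-3302 and CVE-2024-3852 through CVE-2024-3865) each list "- firefox" with no fixed version and no parenthesised description, so the mfsa2024-18 NOTE is their only reference; the fixing firefox version should be filled in once the corresponding upload lands. CVE-2024-3863 is tagged "(Windows-specific)" but kept as an open entry; if Debian is not affected, a <not-affected> marker with that reason would keep it off the open-issues list instead of a free-text comment.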
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07416eed69b3c971910bec10804f38aa49e07a16
[Git][security-tracker-team/security-tracker][master] zk spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 12ebff45 by Moritz Mühlenhoff at 2024-04-16T17:54:30+02:00 zk spu - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -9764,6 +9764,8 @@ CVE-2024-28752 (A SSRF vulnerability using the Aegis DataBinding in versions of NOT-FOR-US: Apache CXF CVE-2024-23944 (Information disclosure in persistent watchers handling in Apache ZooKe ...) - zookeeper 3.9.2-1 (bug #1066947) + [bookworm] - zookeeper (Minor issue) + [bullseye] - zookeeper (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/03/14/2 NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-4799 NOTE: Fixed by: https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d (release-3.8.4-0) = data/next-point-update.txt = @@ -108,3 +108,5 @@ CVE-2021-31684 [bookworm] - json-smart 2.2-2+deb12u1 CVE-2023-1370 [bookworm] - json-smart 2.2-2+deb12u1 +CVE-2024-23944 + [bookworm] - zookeeper 3.8.0-11+deb12u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12ebff459dc96ee5ddfd4ed2e2183daaa264ed8f
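Review bot: [bullseye] is marked "(Minor issue)" alongside [bookworm] in the data/CVE/list hunk, but only bookworm gets a matching line in data/next-point-update.txt ("[bookworm] - zookeeper 3.8.0-11+deb12u2"); nothing touches the oldstable point-update list here. If bullseye is also meant to receive the fix via a point update, the next-oldstable-point-update.txt entry belongs in the same commit; if not, a short NOTE stating that bullseye stays unfixed would document the decision next to the "Fixed by" reference already present.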
[Git][security-tracker-team/security-tracker][master] curl ospu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ad138db by Moritz Mühlenhoff at 2024-04-16T17:51:51+02:00 curl ospu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -83,3 +83,5 @@ CVE-2021-31684 [bullseye] - json-smart 2.2-2+deb11u1 CVE-2023-1370 [bullseye] - json-smart 2.2-2+deb11u1 +CVE-2024-2398 + [bullseye] - curl 7.74.0-1.3+deb11u12 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ad138db3ccf6faffc20bc288ff087cb8e4728f5
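Review bot: only next-oldstable-point-update.txt gains the CVE-2024-2398 line ("[bullseye] - curl 7.74.0-1.3+deb11u12"); there is no accompanying data/CVE/list change in this commit, so please check that the CVE-2024-2398 entry already carries a bullseye annotation consistent with shipping the fix through a point update rather than a DSA, otherwise the two files will disagree about the suite's status.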