[Git][security-tracker-team/security-tracker][master] Patch prepared for bind9 and unclaim to allow someone else to complete it.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 17e946dc by Ola Lundqvist at 2024-04-18T20:48:30+02:00 Patch prepared for bind9 and unclaim to allow someone else to complete it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -39,12 +39,12 @@ atril NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/ NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh) -- -bind9 (Ola Lundqvist) +bind9 NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) - NOTE: 20240417: Patch created for CVE-2023-50387 and CVE-2023-50868 but it fail to build. - NOTE: 20240417: https://inguza.com/reportdoc/debian-lts/0041-CVE-2023-50387-CVE-2023-50868.patch - NOTE: 20240417: task.c needs to be reworked more for it to build. + NOTE: 20240418: Patch created for CVE-2023-50387 and CVE-2023-50868 and package builds fine. + NOTE: 20240418: https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96 + NOTE: 20240418: All testing activities remains. -- dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17e946dc4b1984ff07ea5cc1ea70332391f5ce1c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17e946dc4b1984ff07ea5cc1ea70332391f5ce1c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
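Review bot: Unclaiming while "All testing activities remains" is open leaves the next person without a handover; the 20240418 note should say what testing is outstanding (at least a build and install check of the package at the linked salsa commit, and whatever functional checks were planned for the CVE-2023-50387 and CVE-2023-50868 changes) and whom to ask. Replacing the three 20240417 lines also drops the record that task.c needed rework before the package would build, which is exactly the part of the salsa commit a reviewer will want to look at; keeping that line as history costs nothing. Grammar: "remains" should be "remain".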
[Git][security-tracker-team/security-tracker][master] Added more information about bind9 work.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 808ec670 by Ola Lundqvist at 2024-04-17T23:41:03+02:00 Added more information about bind9 work. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -39,6 +39,9 @@ atril bind9 (Ola Lundqvist) NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) + NOTE: 20240417: Patch created for CVE-2023-50387 and CVE-2023-50868 but it fail to build. + NOTE: 20240417: https://inguza.com/reportdoc/debian-lts/0041-CVE-2023-50387-CVE-2023-50868.patch + NOTE: 20240417: task.c needs to be reworked more for it to build. -- dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/808ec670e4c2623e153eb3c2a0f06c1036199822 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/808ec670e4c2623e153eb3c2a0f06c1036199822 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
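Review bot: The patch referenced by the new NOTE lines lives on a personal host (inguza.com) rather than in the lts-team bind9 packaging repository on salsa, so nobody else can pick up the task.c work from the tracker alone; pointing at a branch or commit in the team repository makes the state reproducible. "but it fail to build" should read "but it fails to build", and the task.c line would be far more useful if it named the failing symbol or error so the next attempt does not start from zero.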
[Git][security-tracker-team/security-tracker][master] CVE-2019-12214 update for openjpeg and freeimage
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 08bd7be3 by Ola Lundqvist at 2024-04-14T13:48:42+02:00 CVE-2019-12214 update for openjpeg and freeimage Updated the information for CVE-2019-12214 based on information in https://lists.debian.org/debian-lts/2024/04/msg00081.html - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -347217,13 +347217,17 @@ CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of m - freeimage (bug #947478) [bookworm] - freeimage (Revisit when upstream fixes are available) [bullseye] - freeimage (Revisit when upstream fixes are available) - [buster] - freeimage (Revisit when upstream fixes are available) + [buster] - freeimage (Do not include openjpeg copy since 3.10.0-3) + [buster] - openjpeg2 2.1.0-1 [stretch] - freeimage (Revisit when upstream fixes are available) [jessie] - freeimage (Revisit when upstream fixes are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ NOTE: very few information regarding this vulnerability, which is seemingly located NOTE: in libopenjpeg, not freeimage. Without reproducer or stacktrace, this is NOTE: nearly unfixable. + NOTE: Turned out that the issue is not in freeimage at all, but rather in openjpeg. + NOTE: For more information see https://lists.debian.org/debian-lts/2024/04/msg00058.html + NOTE: and more specifically https://lists.debian.org/debian-lts/2024/04/msg00081.html CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory ...) {DSA-4593-1 DLA-2031-1} - freeimage 3.18.0+ds2-3 (bug #929597) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08bd7be3935f565a9252bc5f9581885b405cc758 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08bd7be3935f565a9252bc5f9581885b405cc758 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
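Review bot: The added "[buster] - openjpeg2 2.1.0-1" line introduces a fixed-version claim for a second source package with no NOTE saying where that version or fix comes from; the new NOTE lines only point at two debian-lts threads. If the issue is in openjpeg rather than freeimage, as the added NOTE states, the openjpeg2 status for bullseye, bookworm and sid belongs on the entry as well, otherwise the tracker still shows only "freeimage (Revisit when upstream fixes are available)" for those releases. The new buster reason "Do not include openjpeg copy since 3.10.0-3" likewise applies to every freeimage version newer than 3.10.0-3, so the bullseye and bookworm freeimage lines are now inconsistent with it.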
[Git][security-tracker-team/security-tracker][master] Claim bind9
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d2ce1cd by Ola Lundqvist at 2024-04-13T00:26:56+02:00 Claim bind9 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -36,7 +36,7 @@ atril NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/ NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh) -- -bind9 +bind9 (Ola Lundqvist) NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d2ce1cd8b0b7dc24c00ea1cece130990252c1de -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d2ce1cd8b0b7dc24c00ea1cece130990252c1de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
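Review bot: A claim with no dated NOTE line gives Front-Desk nothing to judge staleness by; the file's own convention is "NOTE: YYYYMMDD: ... (handle)", so a line such as "NOTE: 20240413: Claimed, starting with CVE-2023-50387 and CVE-2023-50868 (ola)" would record both the date and the intended scope of the work.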
[Git][security-tracker-team/security-tracker][master] Minor date correction.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 4325ceef by Ola Lundqvist at 2024-04-13T00:25:56+02:00 Minor date correction. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -178,7 +178,7 @@ nova nss NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. - NOTE: 20230310: see also: Message-ID: (tobi) + NOTE: 20240310: see also: Message-ID: (tobi) -- nvidia-cuda-toolkit NOTE: 20230514: Added by Front-Desk (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4325ceef64852c98c2180b7ce5ab1dd91464f0d5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4325ceef64852c98c2180b7ce5ab1dd91464f0d5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
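Review bot: The corrected line still reads "see also: Message-ID: (tobi)" with nothing after "Message-ID:", so the reference it is meant to give is missing; either the angle-bracketed id was stripped in this rendering or it was never committed, and the file is worth checking, since a date fix on a note with no reference does not help anyone find the thread. If the id is there, a lists.debian.org archive URL would survive rendering better than a bare Message-ID.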
[Git][security-tracker-team/security-tracker][master] Added some notes about freeimage.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 98b77fac by Ola Lundqvist at 2024-04-12T10:37:34+02:00 Added some notes about freeimage. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,6 +84,8 @@ freeimage NOTE: 20240410: See discussion at: https://lists.debian.org/debian-lts/2024/04/threads.html#00012 NOTE: 20240411: Added some postpone tags for DoS class and removed some where NOTE: 20240411: patch is available and has arbitrary code exec class. (ola) + NOTE: 20240412: ELTS also have a need to update this package. + NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola) -- frr NOTE: 20231119: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98b77fac09855d3eb79dee7d218c1f58f5285b9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98b77fac09855d3eb79dee7d218c1f58f5285b9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
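Review bot: "ELTS also have a need to update this package" should read "ELTS also needs to update this package", and the action item "We should open upstream bug reports and push fixes" has no owner; the entry is unclaimed at this point (the claim was removed the evening before), so the note should say who is expected to file the upstream reports, or mark it as a task for whoever claims the package next.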
[Git][security-tracker-team/security-tracker][master] Removing claim since I will likely not have the time to work on the package for a few days.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b2c0ac9 by Ola Lundqvist at 2024-04-11T23:15:47+02:00 Removing claim since I will likely not have the time to work on the package for a few days. Do not want to prevent anyone from doing useful work. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,12 +76,14 @@ emacs (Sean Whitton) NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable NOTE: 20240403: to CVE-2024-30203. (lamby) -- -freeimage (Ola Lundqvist) +freeimage NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well NOTE: 20240325: Lack of upstream activity, NOTE: 20240325: postponed issues are "Revisit when fixed upstream (bunk) NOTE: 20240410: See discussion at: https://lists.debian.org/debian-lts/2024/04/threads.html#00012 + NOTE: 20240411: Added some postpone tags for DoS class and removed some where + NOTE: 20240411: patch is available and has arbitrary code exec class. (ola) -- frr NOTE: 20231119: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2c0ac91ebc6dfa945bd9f5997c9d98e87c9dae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2c0ac91ebc6dfa945bd9f5997c9d98e87c9dae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
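Review bot: The two new 20240411 lines say tags were added and removed but not for which CVEs, so the next claimant has to diff data/CVE/list to find out; listing the ids (or the range) that were postponed for buster and the ones that were un-postponed because a patch exists would make this unclaim a usable handover. The existing context line 'postponed issues are "Revisit when fixed upstream (bunk)' is also missing its closing quote and could be fixed while the entry is being touched.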
[Git][security-tracker-team/security-tracker][master] 2 commits: Changed wording since the term tool can be misunderstood.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f1d2047 by Ola Lundqvist at 2024-04-11T22:34:48+02:00 Changed wording since the term tool can be misunderstood. - - - - - 4a0e4e2a by Ola Lundqvist at 2024-04-11T22:34:50+02:00 Changed a some CVEs from no-dsa to postponed for freeimage. At the same time clarified that they can be fixed when uploading a correction for other vulnerabilities since there are patches available. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7204,7 +7204,7 @@ CVE-2024-28584 (Null Pointer Dereference vulnerability in open source FreeImage - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28583 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) @@ -7230,7 +7230,7 @@ CVE-2024-28579 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28578 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) 
@@ -7241,37 +7241,37 @@ CVE-2024-28577 (Null Pointer Dereference vulnerability in open source FreeImage - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28576 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28575 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28574 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) 
- freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28573 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28572 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool
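Review bot: The commit message of 4a0e4e2a has a typo ("Changed a some CVEs"), and the rendered hunks show only the wording change from "DoS in tool" to "DoS in user interactive software"; the no-dsa to postponed change the message describes is not visible here (the diff is cut off after CVE-2024-28572), so the message should name the CVEs it retagged. The same reason string is repeated verbatim on eight entries; a single dated NOTE in dla-needed.txt giving the reverse-dependency reasoning from d20822ee, referenced from the entries, would keep them from drifting apart on the next edit.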
[Git][security-tracker-team/security-tracker][master] Removed postpone tag for buster freeimage CVEs since patches are available in fedora.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d965e06 by Ola Lundqvist at 2024-04-11T22:26:16+02:00 Removed postpone tag for buster freeimage CVEs since patches are available in fedora. The postpone tag should probably be removed for later releases as well but that is not up to the LTS team to decide so keeping them. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23543,7 +23543,6 @@ CVE-2023-47997 (An issue discovered in BitmapAccess.cpp::FreeImage_AllocateBitma - freeimage (bug #1060691) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47997 NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47997.patch CVE-2023-47996 (An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in F ...) @@ -23556,7 +23555,6 @@ CVE-2023-47995 (Memory Allocation with Excessive Size Value discovered in Bitmap - freeimage (bug #1060862) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47995 NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47995.patch CVE-2023-47994 (An integer overflow vulnerability in LoadPixelDataRLE4 function in Plu ...) 
@@ -262889,7 +262887,6 @@ CVE-2020-24295 (Buffer Overflow vulnerability in PSDParser.cpp::ReadImageLine() - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) - [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24295.patch CVE-2020-24294 (Buffer Overflow vulnerability in psdParser::UnpackRLE function in PSDP ...) @@ -262902,7 +262899,6 @@ CVE-2020-24293 (Buffer Overflow vulnerability in psdThumbnail::Read in PSDParser - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) - [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24293.patch CVE-2020-24292 (Buffer Overflow vulnerability in load function in PluginICO.cpp in Fre ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d965e06c8c87c4f7c9f6b01122b193881971cc5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d965e06c8c87c4f7c9f6b01122b193881971cc5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
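Review bot: Removing the "[buster] - freeimage (Revisit ...)" line is the right way to drop the postpone status, since buster then inherits the top-level open status and the NOTE pointing at the Fedora patch stays as the justification. The entries between the hunks in each file region, CVE-2023-47996 and CVE-2020-24294 among them, are untouched; if they have no Fedora patch, a NOTE saying so would stop the next person from re-checking, and if they do, they should get the same treatment in this commit.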
[Git][security-tracker-team/security-tracker][master] Removed postpone tag for buster freeimage CVE since patch is available in fedora.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 30068ece by Ola Lundqvist at 2024-04-11T22:11:20+02:00 Removed postpone tag for buster freeimage CVE since patch is available in fedora. The postpone tag should probably be removed for later releases as well but that is not up to the LTS team to decide so keeping them. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -262807,7 +262807,6 @@ CVE-2020-24292 (Buffer Overflow vulnerability in load function in PluginICO.cpp - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) - [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24292.patch CVE-2020-24291 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30068ece2273e922e99bed42fdc80af1d470d01f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30068ece2273e922e99bed42fdc80af1d470d01f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
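Review bot: This is the same change, with the same commit message, as 7d965e06 pushed fifteen minutes later for four more CVEs; squashing the two would keep the history readable. The hunk itself is consistent with that later commit: the NOTE with the Fedora patch URL remains as the reason buster is no longer postponed.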
[Git][security-tracker-team/security-tracker][master] Tagged a few CVEs for freeimage as postponed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: d20822ee by Ola Lundqvist at 2024-04-10T22:19:21+02:00 Tagged a few CVEs for freeimage as postponed. Postponed because they are of DoS class and all reverse dependencies are tools used by a human that should know the input data. One can even question whether that should even be considered a security issue. In any case it is nothing that warrant any immediate attention. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6974,6 +6974,7 @@ CVE-2024-28584 (Null Pointer Dereference vulnerability in open source FreeImage - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28583 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) @@ -6999,6 +7000,7 @@ CVE-2024-28579 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28578 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) 
@@ -7009,31 +7011,37 @@ CVE-2024-28577 (Null Pointer Dereference vulnerability in open source FreeImage - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28576 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28575 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28574 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28573 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) 
- freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28572 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28571 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) @@ -7044,6 +7052,7 @@ CVE-2024-28570 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28569 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage
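Review bot: The reason for postponing, "all reverse dependencies are tools used by a human that should know the input data", exists only in the commit message; the entries carry just "low severity DoS in tool", and nothing in dla-needed.txt records which reverse dependencies were checked, so the decision cannot be re-evaluated when a new reverse dependency appears. Only a subset of the CVE-2024-28569 to CVE-2024-28584 series gets the buster line (CVE-2024-28583, CVE-2024-28578, CVE-2024-28571 and CVE-2024-28569 appear only as context); stating why the others stay open for buster (the 20240411 dla-needed note later refers to an "arbitrary code exec class") would make the split look deliberate rather than accidental.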
[Git][security-tracker-team/security-tracker][master] Claim freeimage for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 51ecda99 by Ola Lundqvist at 2024-04-08T00:06:53+02:00 Claim freeimage for buster. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,7 +76,7 @@ emacs (Sean Whitton) NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable NOTE: 20240403: to CVE-2024-30203. (lamby) -- -freeimage +freeimage (Ola Lundqvist) NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well NOTE: 20240325: Lack of upstream activity, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51ecda9986c9e0cd7acd2ce491e9039284eed5bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51ecda9986c9e0cd7acd2ce491e9039284eed5bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove runc from dla-needed
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c41e578 by Ola Lundqvist at 2024-04-07T23:50:33+02:00 Remove runc from dla-needed - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -75305,7 +75305,7 @@ CVE-2023-25810 (Uptime Kuma is a self-hosted monitoring tool. In versions prior CVE-2023-25809 (runc is a CLI tool for spawning and running containers according to th ...) - runc 1.1.5+ds1-1 [bullseye] - runc (Minor issue) - [buster] - runc (Minor issue) + [buster] - runc (Minor issue) NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc NOTE: https://github.com/opencontainers/runc/commit/0e6b818a2b0d24fdb6697614e5c5f115bbe8e3a5 (v1.1.5) CVE-2023-25808 = data/dla-needed.txt = @@ -239,11 +239,6 @@ ring ruby-rack (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- -runc - NOTE: 20240312: Added by coordinator (roberto) - NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. - NOTE: 20240314: Uploads to ospu should be coordinated. (roberto) --- samba (Santiago) NOTE: 20230918: Added by Front-Desk (apo) NOTE: 20240406: Update should be ready. Will upload this Monday. (Santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c41e578160845c9f84e1a335d5266011e542869 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c41e578160845c9f84e1a335d5266011e542869 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
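Review bot: The data/CVE/list hunk for CVE-2023-25809 renders identically before and after ("[buster] - runc (Minor issue)"), so the change is either whitespace or a tag that this rendering drops; either way the commit message "Remove runc from dla-needed" says nothing about touching data/CVE/list and should. The removed dla-needed entry carried the open item "Uploads to ospu should be coordinated. (roberto)"; the message should say whether that coordination happened or where it is now tracked, otherwise removing the entry loses it.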
[Git][security-tracker-team/security-tracker][master] Tinymce is not affected in buster, removing from dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 21503da9 by Ola Lundqvist at 2024-03-14T23:21:32+01:00 Tinymce is not affected in buster, removing from dla-needed. Checked the version difference for each CVE where the issue is claimed to be implemented. It was not trivial to find the fix but I think I did that in all the cases. What is clear that none of the surrounding code existed in the buster version. This is why I concluded that the vulnerable code is not present in buster. This does not mean that the buster version is free of this issue but the vulnerable code is not present. If the vulnerability is possible to trigger the code would be very hard to back-port since the code in buster is completely different from the version fixed. In that case the CVE would have been marked as ignored instead of not-affected. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -15870,14 +15870,17 @@ CVE-2024-0222 (Use after free in ANGLE in Google Chrome prior to 120.0.6099.199 [buster] - chromium (see DSA 5046) CVE-2024-21911 (TinyMCE versions before 5.6.0 are affected by a stored cross-site scri ...) - tinymce + [buster] - tinymce (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65 CVE-2024-21910 (TinyMCE versions before 5.10.0 are affected by a cross-site scripting ...) - tinymce + [buster] - tinymce (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39 CVE-2024-21909 (PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a denial of ...) NOT-FOR-US: PeterO.Cbor CVE-2024-21908 (TinyMCE versions before 5.9.0 are affected by a stored cross-site scri ...) - tinymce + [buster] - tinymce (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg CVE-2024-21907 (Newtonsoft.Json before version 13.0.1 is affected by a mishandling of ...) NOT-FOR-US: Newtonsoft.Json @@ -24498,6 +24501,7 @@ CVE-2023-4602 (The Namaste! LMS plugin for WordPress is vulnerable to Reflected NOT-FOR-US: WordPress plugin CVE-2023-48219 (TinyMCE is an open source rich text editor. A mutation cross-site scri ...) - tinymce + [buster] - tinymce (Vulnerable code not present) CVE-2023-48089 (xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via / ...) NOT-FOR-US: XXL-Job CVE-2023-48088 (xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /x ...) = data/dla-needed.txt = 
@@ -297,13 +297,6 @@ tiff NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) -- -tinymce (Ola) - NOTE: 20231123: Added by Front-Desk (ola) - NOTE: 20231216: Someone with more XSS experience needed to assess the - NOTE: 20231216: severity of CVE-2023-48219. Also not clear to me that - NOTE: 20231216: upstream's patch is backportable, as the code has changed a - NOTE: 20231216: lot. (spwhitton) --- tomcat9 NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21503da906963c312a371bf78d64f3c95b8ec67a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21503da906963c312a371bf78d64f3c95b8ec67a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
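Review bot: "Vulnerable code not present" is set for four CVEs, but the comparison behind it (which upstream fix was compared against which buster file) lives only in the commit message, and the removed dla-needed note from spwhitton explicitly asked for someone with XSS experience to assess CVE-2023-48219. A NOTE line per CVE, or at least one on the CVE-2023-48219 entry, naming the upstream commit that was checked would let that assessment be verified later. The commit message also concedes that buster may still have the issue in different code, which is the case the tracker would mark ignored rather than not-affected; it is worth stating that the absence of the surrounding code was confirmed in the buster source for all four CVEs rather than inferred from the version gap.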
[Git][security-tracker-team/security-tracker][master] Claim tinymce.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 4df8d8a9 by Ola Lundqvist at 2024-03-12T20:49:26+01:00 Claim tinymce. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -278,7 +278,7 @@ suricata (Adrian Bunk) thunderbird (Emilio) NOTE: 20240306: Added by Front-Desk (opal) -- -tinymce +tinymce (Ola) NOTE: 20231123: Added by Front-Desk (ola) NOTE: 20231216: Someone with more XSS experience needed to assess the NOTE: 20231216: severity of CVE-2023-48219. Also not clear to me that View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4df8d8a9fae5eab770d3abfe500c2d4a9d090cf1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4df8d8a9fae5eab770d3abfe500c2d4a9d090cf1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reverted decision to remove from dla-needed since four CVEs have been fixed in bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: ed2cc5c0 by Ola Lundqvist at 2024-03-12T20:44:33+01:00 Reverted decision to remove from dla-needed since four CVEs have been fixed in bullseye. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -128,6 +128,10 @@ jenkins-htmlunit-core-js jetty9 NOTE: 20240303: Added by Front-Desk (apo) -- +knot-resolver + NOTE: 20231029: Added by Front-Desk (gladk) + NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. +-- libcommons-compress-java (Markus Koschany) NOTE: 20240303: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed2cc5c0026e4a6feab14a5900932f24d138e0ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed2cc5c0026e4a6feab14a5900932f24d138e0ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
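Review bot: the re-added knot-resolver entry's NOTE says "four CVEs has been fixed in bullseye" but does not list them, and this commit touches only data/dla-needed.txt, so the buster tags added for CVE-2023-50387, CVE-2023-50868 and CVE-2023-46317 in commit 0d002f8b still stand; the package is back in dla-needed while data/CVE/list still says nothing is needed for buster. Name the four CVEs in the NOTE and revert or adjust the corresponding [buster] lines in data/CVE/list in the same commit (also "has been" should read "have been").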
[Git][security-tracker-team/security-tracker][master] Noted reason for a few revert decisions in dla-needed for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e1a0971 by Ola Lundqvist at 2024-03-12T20:40:41+01:00 Noted reason for a few revert decisions in dla-needed for buster. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,6 +54,7 @@ cacti (Sylvain Beucler) cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. + NOTE: 20240311: CVE-2020-10755 is fixed in bullseye -- composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) @@ -74,6 +75,7 @@ docker.io NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version) NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lack of reproducer test case + NOTE: 20230311: Reverted decision to remove from this file since three CVEs are in bullseye. -- dogecoin NOTE: 20230619: Added by Front-Desk (Beuc) 
@@ -188,6 +190,7 @@ nvidia-cuda-toolkit NOTE: 20230514: piled up. (utkarsh) NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) + NOTE: 20240311: CVE-2020-5991 is fixed in bullseye. However email sent to suggest removal of support. -- nvidia-graphics-drivers NOTE: 20240303: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e1a0971cd2ab97ef0e8eb9036646adbe58dc497 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e1a0971cd2ab97ef0e8eb9036646adbe58dc497 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
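Review bot: the docker.io NOTE added in the second hunk is dated 20230311, which is out of order with the 20240213 note above it and inconsistent with the 20240311 dates used in the cinder and nvidia-cuda-toolkit hunks of this same commit; it should read 20240311. The note also says "three CVEs are in bullseye" without naming them; listing the CVE ids would let the next person verify the revert against data/CVE/list.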
[Git][security-tracker-team/security-tracker][master] Reverted decision to remove python-os-brick from dla-needed since...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: b945d184 by Ola Lundqvist at 2024-03-12T20:36:42+01:00 Reverted decision to remove python-os-brick from dla-needed since CVE-2020-10755 is fixed in bullseye. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -212,6 +212,11 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- +python-os-brick + NOTE: 20230525: Added by Front-Desk (lamby) + NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. + NOTE: 20240311: Reverted decision to remove from this file since CVE-2020-10755 is fixed in bullseye. +--- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b945d184b880d75c585ecc49d461377bb2bae7cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b945d184b880d75c585ecc49d461377bb2bae7cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
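Review bot: the separator added after the new python-os-brick entry is `---` (the hunk line reads `+---`), whereas every other entry in data/dla-needed.txt is closed with `--` (compare `+--` in the cinder and docker.io hunks of the sibling commits); change it to `--` so the file stays uniform for anyone splitting it on the separator line.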
[Git][security-tracker-team/security-tracker][master] Reverted the decision to remove docker.io from dla-needed while keeping the...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 58e9fdae by Ola Lundqvist at 2024-03-12T20:30:53+01:00 Reverted the decision to remove docker.io from dla-needed while keeping the no-dsa note for some CVEs. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -67,6 +67,14 @@ curl dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) -- +docker.io + NOTE: 20230303: Added by Front-Desk (Beuc) + NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) + NOTE: 20230424: Is in preparation. (gladk) + NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html + NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version) + NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lack of reproducer test case +-- dogecoin NOTE: 20230619: Added by Front-Desk (Beuc) NOTE: 20230619: CVE-2021-37491 and CVE-2023-30769 seem forgotten by upstream, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58e9fdae9833257fdb632f9ddc43af66e893ff1d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58e9fdae9833257fdb632f9ddc43af66e893ff1d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reverted the decision to remove cinder from dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: cc51d2ec by Ola Lundqvist at 2024-03-12T20:25:02+01:00 Reverted the decision to remove cinder from dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,6 +51,10 @@ cacti (Sylvain Beucler) NOTE: 20240222: Reported incomplete fix upstream (Beuc) NOTE: 20240227: Sent debdiffs for buster/bullseye/bookworm to maintainer+secteam; no news from upstream yet (Beuc) -- +cinder + NOTE: 20230525: Added by Front-Desk (lamby) + NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. +-- composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) NOTE: 20240304: Need to backport bullseye View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc51d2ec1b00152842a3c3bc3441392ea2a2e051 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc51d2ec1b00152842a3c3bc3441392ea2a2e051 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reverted nvidia-cuda-toolkit removal from dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: a60f675a by Ola Lundqvist at 2024-03-12T20:22:03+01:00 Reverted nvidia-cuda-toolkit removal from dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -170,6 +170,13 @@ nss NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. NOTE: 20230310: see also: Message-ID: -- +nvidia-cuda-toolkit + NOTE: 20230514: Added by Front-Desk (utkarsh) + NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have + NOTE: 20230514: piled up. (utkarsh) + NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html + NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) +-- nvidia-graphics-drivers NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: Do we still support the NVIDIA drivers? Can we upgrade to a new upstream release? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a60f675a09da625f0139b121c0e1201ea9ca7525 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a60f675a09da625f0139b121c0e1201ea9ca7525 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reverted decision to mark CVEs as ignored back to no-dsa for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 9aadc7a2 by Ola Lundqvist at 2024-03-12T20:07:38+01:00 Reverted decision to mark CVEs as ignored back to no-dsa for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16541,7 +16541,7 @@ CVE-2023-52322 (ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x befo - spip 4.1.13+dfsg-1 (bug #1059331) [bookworm] - spip 4.1.9+dfsg-1+deb12u4 [bullseye] - spip 3.2.11-3+deb11u10 - [buster] - spip (Minor issue) + [buster] - spip (Minor issue) NOTE: https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-7-SPIP-4-1-13.html?lang=fr NOTE: https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb CVE-2023-7059 (A vulnerability was found in SourceCodester School Visitor Log e-Book ...) @@ -27660,7 +27660,7 @@ CVE-2023-46586 - weborf 1.0-1 (bug #1054417) [bookworm] - weborf 0.19-2.1+deb12u1 [bullseye] - weborf 0.17-3+deb11u1 - [buster] - weborf (Minor issue) + [buster] - weborf (Minor issue) NOTE: https://github.com/ltworf/weborf/pull/88 NOTE: Fixed by: https://github.com/ltworf/weborf/commit/49824204add55aab0568d90a6b1e7c822d32120d (1.0) CVE-2023-5702 (A vulnerability was found in Viessmann Vitogate 300 up to 2.1.3.0 and ...) @@ -67400,7 +67400,7 @@ CVE-2023-0843 CVE-2023-0842 (xml2js version 0.4.23 allows an external attacker to edit or add new p ...) - node-xml2js 0.4.23+~cs15.4.0+dfsg-7 (bug #1034148) [bullseye] - node-xml2js 0.2.8-1+deb11u1 - [buster] - node-xml2js (Minor issue) + [buster] - node-xml2js (Minor issue) NOTE: https://fluidattacks.com/advisories/myers/ NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/issues/663 NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/pull/603 
@@ -174617,7 +174617,7 @@ CVE-2021-42344 CVE-2021-42343 (An issue was discovered in the Dask distributed package before 2021.10 ...) - dask.distributed 2021.09.1+ds.1-2 [bullseye] - dask.distributed 2021.01.0+ds.1-2.1+deb11u1 - [buster] - dask.distributed (Minor issue; unreproducible with <2.0) + [buster] - dask.distributed (Minor issue; unreproducible with <2.0) NOTE: https://github.com/dask/distributed/pull/5427 NOTE: https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr NOTE: Likely introduced in https://github.com/quasiben/distributed/commit/fd31ecca8017bae845a73d468de0376c02363fab @@ -504571,7 +504571,7 @@ CVE-2016-1244 (The extractTree function in unADF allows remote attackers to exec - unadf 0.7.11a-6 (bug #838248) [bookworm] - unadf 0.7.11a-5+deb12u1 [bullseye] - unadf 0.7.11a-4+deb11u1 - [buster] - unadf (Minor issue) + [buster] - unadf (Minor issue) NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the upstream fix. CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in unADF allow ...) 
@@ -504579,7 +504579,7 @@ CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in unADF - unadf 0.7.11a-6 (bug #838248) [bookworm] - unadf 0.7.11a-5+deb12u1 [bullseye] - unadf 0.7.11a-4+deb11u1 - [buster] - unadf (Minor issue) + [buster] - unadf (Minor issue) NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the upstream fix. CVE-2016-1242 (file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9aadc7a2025ae1660d066cf78615d8cac3be2cad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9aadc7a2025ae1660d066cf78615d8cac3be2cad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
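Review bot: in every hunk of this commit the removed and added `[buster] - <package> (Minor issue)` lines read identically, because the angle-bracketed status keyword the commit message refers to (ignored versus no-dsa) did not survive the mail rendering; the change therefore cannot be verified from the diff as shown here, only from the commit message. For the unadf pair the NOTE lines already say an upstream fix exists in lclevy/ADFlib and that 0.7.11a-4 missed it, which supports no-dsa (still fixable in a later update) rather than ignored.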
[Git][security-tracker-team/security-tracker][master] Removed sendmail from dla-needed since there is no CVE marked as needing a fix for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: f95d3ce8 by Ola Lundqvist at 2024-03-10T23:20:12+01:00 Removed sendmail from dla-needed since there is no CVE marked as needing a fix for buster. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -220,11 +220,6 @@ ruby-rack (Adrian Bunk) samba NOTE: 20230918: Added by Front-Desk (apo) -- -sendmail - NOTE: 20231224: Added by Front-Desk (ta) - NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches - NOTE: 20240217: Patch extracted and being reviewed (rouca) --- shim NOTE: 20240306: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f95d3ce82bb4c126f1895a4fc26d26e068cd8ccb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f95d3ce82bb4c126f1895a4fc26d26e068cd8ccb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
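Review bot: the sendmail entry is removed on the grounds that no CVE is marked as needing a fix for buster, but the deleted notes show rouca extracted a patch on 20240213 and had it under review on 20240217; dropping the entry discards that in-progress work without a record. Either keep the entry until rouca confirms, or add a NOTE to the relevant CVE in data/CVE/list pointing at the extracted patch so it is not lost.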
[Git][security-tracker-team/security-tracker][master] 2 commits: Removed runc from dla-needed since no CVEs remain to be fixed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: f20876c2 by Ola Lundqvist at 2024-03-10T23:07:51+01:00 Removed runc from dla-needed since no CVEs remain to be fixed. - - - - - e722a127 by Ola Lundqvist at 2024-03-10T23:09:22+01:00 Reverted decision to remove qemu from dla-needed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -9128,6 +9128,8 @@ CVE-2024-21626 (runc is a CLI tool for spawning and running containers on Linux NOTE: https://github.com/opencontainers/runc/commit/89c93ddf289437d5c8558b37047c54af6a0edb48 NOTE: https://github.com/opencontainers/runc/commit/ee73091a8d28692fa4868bac81aa40a0b05f9780 NOTE: https://github.com/opencontainers/runc/commit/d8edada9f252873b88043279a71099db71941dea + NOTE: For buster DLA-3735-1 do not completely fix the issue. The rest requires + NOTE: backport that is hard to do so that will not be done. CVE-2024-24579 (stereoscope is a go library for processing container images and simula ...) NOT-FOR-US: stereoscope CVE-2024-24566 (Lobe Chat is a chatbot framework that supports speech synthesis, multi ...) @@ -44668,7 +44670,7 @@ CVE-2023-3354 (A flaw was found in the QEMU built-in VNC server. When a client c - qemu 1:8.0.4+dfsg-1 [bookworm] - qemu 1:7.2+dfsg-7+deb12u2 [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 - [buster] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62 (v8.0.4) = data/dla-needed.txt = 
@@ -192,6 +192,10 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- +qemu (Adrian Bunk) + NOTE: 20240119: Added by Front-Desk (lamby) + NOTE: 20240119: CVE-2023-1544 and CVE-2023-3354 already fixed in bullseye via DSA or point releases; to be fixed or . (lamby) +-- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) @@ -213,13 +217,6 @@ ring ruby-rack (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- -runc - NOTE: 20240204: Added by Front-Desk (ta) - NOTE: 20240219: Complete fix for CVE-2024-21626 would require backport of - NOTE: 20240219: https://github.com/opencontainers/runc/commit/284ba3057e428f8d6c7afcc3b0ac752e525957df and - NOTE: 20240219: https://github.com/opencontainers/runc/commit/e9665f4d606b64bf9c4652ab2510da368bfbd951. - NOTE: 20240219: But it uses a link to internal/poll.IsPollDescriptor, introduced in Go 1.12, which I cannot backport (dleidert). --- samba NOTE: 20230918: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/82315a7e28b28c15b606431bf909fe71a023f769...e722a12799f2fe393d12ee0eccee2fc385d6da2b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/82315a7e28b28c15b606431bf909fe71a023f769...e722a12799f2fe393d12ee0eccee2fc385d6da2b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
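Review bot: the two NOTE lines added to CVE-2024-21626 say only that DLA-3735-1 "do not completely fix the issue" and that the remaining backport "is hard to do", while the runc entry deleted from data/dla-needed.txt in the same commit held the specifics: the two upstream commits (284ba3057e... and e9665f4d60...) and the reason they cannot be backported (use of internal/poll.IsPollDescriptor, introduced in Go 1.12, per dleidert). Carry those commit URLs and the Go 1.12 dependency into the CVE/list NOTE before deleting the dla-needed entry, and change "do not" to "does not".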
[Git][security-tracker-team/security-tracker][master] Removed qemu from dla-needed. Ignored one CVE instead of no-dsa.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 40854a51 by Ola Lundqvist at 2024-03-10T00:26:32+01:00 Removed qemu from dla-needed. Ignored one CVE instead of no-dsa. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -44648,7 +44648,7 @@ CVE-2023-3354 (A flaw was found in the QEMU built-in VNC server. When a client c - qemu 1:8.0.4+dfsg-1 [bookworm] - qemu 1:7.2+dfsg-7+deb12u2 [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 - [buster] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62 (v8.0.4) = data/dla-needed.txt = @@ -196,10 +196,6 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -qemu (Adrian Bunk) - NOTE: 20240119: Added by Front-Desk (lamby) - NOTE: 20240119: CVE-2023-1544 and CVE-2023-3354 already fixed in bullseye via DSA or point releases; to be fixed or . (lamby) --- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40854a51ea2e408eba790ee59ce785d35931889a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40854a51ea2e408eba790ee59ce785d35931889a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
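Review bot: the qemu entry being removed was claimed (`qemu (Adrian Bunk)`), so dropping it from dla-needed alters someone else's work item without a note to the claimant; the removal should be coordinated with Adrian Bunk or left to him, which is what the later commit e722a127 ("Reverted decision to remove qemu from dla-needed") ends up doing.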
[Git][security-tracker-team/security-tracker][master] 2 commits: Removed python-glance-store when marking CVE-2024-1141 as no-dsa following buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 542ce46a by Ola Lundqvist at 2024-03-10T00:21:35+01:00 Removed python-glance-store when marking CVE-2024-1141 as no-dsa following buster. - - - - - 37959a54 by Ola Lundqvist at 2024-03-10T00:24:10+01:00 Removed python-os-brick from dla-needed. The CVE that could potentially warrant a fix was not fixed in jessie and stretch either. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -8968,6 +8968,7 @@ CVE-2024-1141 (A vulnerability was found in python-glance-store. The issue occur - python-glance-store (bug #1063795) [bookworm] - python-glance-store (Minor issue) [bullseye] - python-glance-store (Minor issue) + [buster] - python-glance-store (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2258836 NOTE: https://github.com/openstack/glance_store/commit/d6e531af4821c8466b1e9404f12f89f6216417f2 NOTE: https://github.com/openstack/glance_store/commit/a5ba027922ba1230b4ae9abb810f36427be6354a = data/dla-needed.txt = 
@@ -196,16 +196,6 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -python-glance-store - NOTE: 20230525: Added by Front-Desk (lamby) - NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. - NOTE: 20230705: pushed a patched version to: https://salsa.debian.org/lts-team/packages/python-glance-store (jspricke) - NOTE: 20230705: upstream patch looks fine to me but should probably be tested and released together with the other affected packages. (jspricke) --- -python-os-brick - NOTE: 20230525: Added by Front-Desk (lamby) - NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. --- qemu (Adrian Bunk) NOTE: 20240119: Added by Front-Desk (lamby) NOTE: 20240119: CVE-2023-1544 and CVE-2023-3354 already fixed in bullseye via DSA or point releases; to be fixed or . (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/baecd314bdf3293e6b637984e5d08c466238986f...37959a54babf8a1d7ab8e6a1c1eadd1955f61000 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/baecd314bdf3293e6b637984e5d08c466238986f...37959a54babf8a1d7ab8e6a1c1eadd1955f61000 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
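Review bot: the data/CVE/list hunk marks only CVE-2024-1141 for buster, but the deleted python-glance-store notes record that jspricke pushed a patched version for CVE-2023-2088 to https://salsa.debian.org/lts-team/packages/python-glance-store on 20230705 and that the upstream patch looked fine pending a coordinated release with python-os-brick, nova and cinder; nothing in this commit records the buster decision for CVE-2023-2088. Add the corresponding [buster] line or NOTE for CVE-2023-2088 (with the salsa reference) so the prepared backport is not orphaned.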
[Git][security-tracker-team/security-tracker][master] Removed nvidia-cuda-toolkit from dla-needed since there were no CVEs...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: baecd314 by Ola Lundqvist at 2024-03-10T00:13:02+01:00 Removed nvidia-cuda-toolkit from dla-needed since there were no CVEs indicating that a fix is needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -173,13 +173,6 @@ nss (tobi) NOTE: 20240209: The backported patches are in the LTS repository, CVE-2023-6135*.patch NOTE: 20230227: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. -- -nvidia-cuda-toolkit - NOTE: 20230514: Added by Front-Desk (utkarsh) - NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have - NOTE: 20230514: piled up. (utkarsh) - NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html - NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) --- nvidia-graphics-drivers NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: Do we still support the NVIDIA drivers? Can we upgrade to a new upstream release? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baecd314bdf3293e6b637984e5d08c466238986f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baecd314bdf3293e6b637984e5d08c466238986f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
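Review bot: the deleted entry's notes do not say the package has no CVEs needing a fix; they say "a bunch of CVEs have piled up" and tobi's recommendation was to move the package to the "not-supported" list. If that recommendation is being followed, the commit should update packages-to-support accordingly and add a NOTE stating so, rather than silently dropping the entry; if it is not being followed, the entry should stay.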
[Git][security-tracker-team/security-tracker][master] 2 commits: Removed knot-resolver from dla-needed and marked CVEs as either no-dsa or...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d002f8b by Ola Lundqvist at 2024-03-10T00:05:39+01:00 Removed knot-resolver from dla-needed and marked CVEs as either no-dsa or ignored following bullseye. - - - - - 039a4be0 by Ola Lundqvist at 2024-03-10T00:09:37+01:00 Removed libstb from dla-needed and marked all its CVEs as no-dsa following buster. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -6732,6 +6732,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4 - dnsmasq 2.90-1 - knot-resolver 5.7.1-1 [bullseye] - knot-resolver (Too intrusive to backport, if DNSSEC is used Bookworm can be used) + [buster] - knot-resolver (Too intrusive to backport) - pdns-recursor 4.9.3-1 (bug #1063852) - unbound 1.19.1-1 (bug #1063845) - systemd 255.4-1 @@ -6771,6 +6772,7 @@ CVE-2023-50868 (The Closest Encloser Proof aspect of the DNS protocol (in RFC 51 - dnsmasq 2.90-1 - knot-resolver 5.7.1-1 [bullseye] - knot-resolver (Too intrusive to backport, if DNSSEC is used Bookworm can be used) + [buster] - knot-resolver (Too intrusive to backport, if DNSSEC is used Bookworm can be used) - pdns-recursor 4.9.3-1 (bug #1063852) - unbound 1.19.1-1 (bug #1063845) - systemd 255.4-1 @@ -27389,6 +27391,7 @@ CVE-2023-46317 (Knot Resolver before 5.7.0 performs many TCP reconnections upon {DSA-5633-1} - knot-resolver 5.7.0-1 [bullseye] - knot-resolver (Minor issue) + [buster] - knot-resolver (Minor issue) NOTE: https://www.knot-resolver.cz/2023-08-22-knot-resolver-5.7.0.html NOTE: https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1448 NOTE: https://github.com/CZ-NIC/knot-resolver/commit/7aec8ebdf1428afcb7f5bc62764149ffeaf3d3fe (v6.0.6) 
@@ -27556,48 +27559,56 @@ CVE-2023-45682 (stb_vorbis is a single file MIT licensed library for processing - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) + [buster] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 15) NOTE: https://github.com/nothings/stb/pull/1560 CVE-2023-45681 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) + [buster] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 14) NOTE: https://github.com/nothings/stb/pull/1559 CVE-2023-45680 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) + [buster] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 13) NOTE: https://github.com/nothings/stb/pull/1558 CVE-2023-45679 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) + [buster] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 12) NOTE: https://github.com/nothings/stb/pull/1557 CVE-2023-45678 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) + [buster] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 11) NOTE: https://github.com/nothings/stb/pull/1556 CVE-2023-45677 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) 
- libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) + [buster] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 10) NOTE: https://github.com/nothings/stb/pull/1555 CVE-2023-45676 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) + [buster] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 9) NOTE: https://github.com/nothings/stb/pull/1554 CVE-2023-45675
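Review bot: the two new buster lines for knot-resolver are worded differently: CVE-2023-50387 gets "(Too intrusive to backport)" while CVE-2023-50868 gets "(Too intrusive to backport, if DNSSEC is used Bookworm can be used)", although both bullseye lines carry the longer text; use the same comment on both so readers of data/CVE/list do not infer different reasoning for the two issues.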
[Git][security-tracker-team/security-tracker][master] Removed golang-go.crypto from dla-needed and marked one CVE as no-dsa for...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: dbde6826 by Ola Lundqvist at 2024-03-10T00:00:28+01:00 Removed golang-go.crypto from dla-needed and marked one CVE as no-dsa for buster following bullseye. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -17344,6 +17344,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - golang-go.crypto 1:0.17.0-1 (bug #1059003) [bookworm] - golang-go.crypto (Minor issue) [bullseye] - golang-go.crypto (Minor issue) + [buster] - golang-go.crypto (Minor issue) - jsch (ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58) - libssh 0.10.6-1 (bug #1059004) - libssh2 1.11.0-4 (bug #1059005) = data/dla-needed.txt = @@ -85,9 +85,6 @@ frr (Abhijith PA) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) -- -golang-go.crypto - NOTE: 20231219: Added by Front-Desk (ta) --- gtkwave (Adrian Bunk) NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbde68266ab01179bc528f5a569140f7dbe09b58 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbde68266ab01179bc528f5a569140f7dbe09b58 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Removed freeimage from dla-needed and marked its CVEs as postponed for buster following bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b7eb714 by Ola Lundqvist at 2024-03-09T23:57:45+01:00 Removed freeimage from dla-needed and marked its CVEs as postponed for buster following bullseye. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -13459,31 +13459,37 @@ CVE-2023-47997 (An issue discovered in BitmapAccess.cpp::FreeImage_AllocateBitma - freeimage (bug #1060691) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47997 CVE-2023-47996 (An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in F ...) - freeimage (bug #1060691) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47996 CVE-2023-47995 (Memory Allocation with Excessive Size Value discovered in BitmapAccess ...) - freeimage (bug #1060862) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47995 CVE-2023-47994 (An integer overflow vulnerability in LoadPixelDataRLE4 function in Plu ...) - freeimage (bug #1060691) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47994 CVE-2023-47993 (A Buffer out-of-bound read vulnerability in Exif.cpp::ReadInt32 in Fre ...) - freeimage (bug #1060691) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47993 CVE-2023-47992 (An integer overflow vulnerability in FreeImageIO.cpp::_MemoryReadProc ...) 
- freeimage (bug #1060691) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) + [buster] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47992 CVE-2023-41781 (There is a Cross-sitescripting (XSS) vulnerability in ZTE MF258. Due t ...) NOT-FOR-US: ZTE = data/dla-needed.txt = @@ -77,9 +77,6 @@ edk2 expat NOTE: 20240306: Added by Front-Desk (opal) -- -freeimage - NOTE: 20240121: Added by Front-Desk (apo) --- freeipa (Chris Lamb) NOTE: 20240307: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b7eb714928909dabbd6342f9277a31cb1f7eb1b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b7eb714928909dabbd6342f9277a31cb1f7eb1b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
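Review bot: the commit message says the freeimage CVEs are marked postponed, but in the data/CVE/list hunk every added `[buster] - freeimage (Revisit when fixed upstream)` line shows no status keyword between the package name and the parenthesised reason as rendered here; please confirm the tag survived in the committed file, since the reason text alone does not encode postponed-vs-no-dsa. Separately, the dla-needed.txt hunk drops the freeimage entry entirely while the reason says "Revisit when fixed upstream"; if nothing else tracks that revisit, a NOTE pointing at the upstream issue (the PoC links are present, an upstream fix reference is not) would keep the trigger discoverable.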
[Git][security-tracker-team/security-tracker][master] Removed exiftags from dla-needed and marked one CVE as no-dsa for buster following bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: e215b731 by Ola Lundqvist at 2024-03-09T23:55:05+01:00 Removed exiftags from dla-needed and marked one CVE as no-dsa for buster following bullseye. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -12068,54 +12068,63 @@ CVE-2023-45237 (EDK2's Network Package is susceptible to a predictable TCP Initi - edk2 (bug #1063727) [bookworm] - edk2 (Minor issue) [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2 CVE-2023-45236 (EDK2's Network Package is susceptible to a predictable TCP Initial Seq ...) - edk2 (bug #1063726) [bookworm] - edk2 (Minor issue) [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2 CVE-2023-45235 (EDK2's Network Package is susceptible to a buffer overflow vulnerabili ...) - edk2 2023.11-6 (bug #1061256) [bookworm] - edk2 2022.11-6+deb12u1 [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2 CVE-2023-45234 (EDK2's Network Package is susceptible to a buffer overflow vulnerabili ...) - edk2 2023.11-6 (bug #1061256) [bookworm] - edk2 2022.11-6+deb12u1 [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2 CVE-2023-45233 (EDK2's Network Package is susceptible to an infinite lop vulnerability ...) 
- edk2 2023.11-6 (bug #1061256) [bookworm] - edk2 2022.11-6+deb12u1 [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2 CVE-2023-45232 (EDK2's Network Package is susceptible to an infinite loop vulnerabilit ...) - edk2 2023.11-6 (bug #1061256) [bookworm] - edk2 2022.11-6+deb12u1 [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2 CVE-2023-45231 (EDK2's Network Package is susceptible to an out-of-bounds read vulner ...) - edk2 2023.11-6 (bug #1061256) [bookworm] - edk2 2022.11-6+deb12u1 [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2 CVE-2023-45230 (EDK2's Network Package is susceptible to a buffer overflow vulnerabili ...) - edk2 2023.11-6 (bug #1061256) [bookworm] - edk2 2022.11-6+deb12u1 [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2 CVE-2023-45229 (EDK2's Network Package is susceptible to an out-of-bounds read vulner ...) - edk2 2023.11-6 (bug #1061256) [bookworm] - edk2 2022.11-6+deb12u1 [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2 CVE-2023-6395 (The Mock software contains a vulnerability wherein an attacker could p ...) 
@@ -12990,6 +12999,7 @@ CVE-2023-50671 (In exiftags 1.01, nikon_prop1 in nikon.c has a heap-based buffer - exiftags (bug #1060753) [bookworm] - exiftags (Minor issue) [bullseye] - exiftags (Minor issue) + [buster] - exiftags (Minor issue) NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-exiftags/ CVE-2023-50159 (In ScaleFusion (Windows Desktop App) agent 10.5.2, Kiosk mode applicat ...) NOT-FOR-US: ScaleFusion
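Review bot: the first data/CVE/list hunk (@@ -12068,54 +12068,63 @@) adds nine `[buster] - edk2 (Minor issue)` lines for CVE-2023-45229 through CVE-2023-45237 that the commit message ("Removed exiftags from dla-needed and marked one CVE as no-dsa") does not mention; either split the edk2 triage into its own commit or extend the message, otherwise the history for those CVEs points at an exiftags change. The exiftags hunk itself (CVE-2023-50671, bug #1060753) matches the message.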
[Git][security-tracker-team/security-tracker][master] Marked most CVEs for edk2 as no-dsa for buster following bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: bf6cd7b0 by Ola Lundqvist at 2024-03-09T23:52:46+01:00 Marked most CVEs for edk2 as no-dsa for buster following bullseye. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -115202,18 +115202,21 @@ CVE-2022-36765 (EDK2 is susceptible to a vulnerability in the CreateHob() functi - edk2 2023.11-5 (bug #1060408) [bookworm] - edk2 2022.11-6+deb12u1 [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-ch4w-v7m3-g8wx NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 CVE-2022-36764 (EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() fun ...) - edk2 2023.11-5 (bug #1060408) [bookworm] - edk2 2022.11-6+deb12u1 [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-4hcq-p8q8-hj8j NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4118 CVE-2022-36763 (EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() fu ...) - edk2 2023.11-5 (bug #1060408) [bookworm] - edk2 2022.11-6+deb12u1 [bullseye] - edk2 (Minor issue) + [buster] - edk2 (Minor issue) NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-xvv8-66cq-prwr NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4117 CVE-2022-36762 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf6cd7b08bf8f2a32563a74fcadc0361d3f1d9eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf6cd7b08bf8f2a32563a74fcadc0361d3f1d9eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
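Review bot: the hunk's trailing context stops at the CVE-2022-36762 header, so whether that entry (and any others implied by "most CVEs" in the commit message) received a buster status is not visible here; a NOTE on each deliberately excluded entry stating why it differs from CVE-2022-36763..36765 would stop a later triager from treating the gap as an oversight. The three added `[buster] - edk2 (Minor issue)` lines follow the bullseye entries as described.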
[Git][security-tracker-team/security-tracker][master] Marked CVEs for docker.io as no-dsa for buster and removed from dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: ebad433e by Ola Lundqvist at 2024-03-09T23:46:43+01:00 Marked CVEs for docker.io as no-dsa for buster and removed from dla-needed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -57775,11 +57775,13 @@ CVE-2023-28843 (PrestaShop/paypal is an open source module for the PrestaShop we CVE-2023-28842 (Moby) is an open source container framework developed by Docker Inc. t ...) - docker.io 20.10.24+dfsg1-1 [bullseye] - docker.io (Minor issue) + [buster] - docker.io (Minor issue) NOTE: https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p NOTE: https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333 CVE-2023-28841 (Moby is an open source container framework developed by Docker Inc. th ...) - docker.io 20.10.24+dfsg1-1 [bullseye] - docker.io (Minor issue) + [buster] - docker.io (Minor issue) NOTE: https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237 NOTE: https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333 NOTE: https://github.com/moby/moby/issues/43382 @@ -57787,6 +57789,7 @@ CVE-2023-28841 (Moby is an open source container framework developed by Docker I CVE-2023-28840 (Moby is an open source container framework developed by Docker Inc. th ...) - docker.io 20.10.24+dfsg1-1 [bullseye] - docker.io (Minor issue) + [buster] - docker.io (Minor issue) NOTE: https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp NOTE: https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333 NOTE: https://github.com/moby/moby/issues/43382 = data/dla-needed.txt = 
@@ -63,14 +63,6 @@ curl dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) -- -docker.io - NOTE: 20230303: Added by Front-Desk (Beuc) - NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) - NOTE: 20230424: Is in preparation. (gladk) - NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html - NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version) - NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lack of reproducer test case --- dogecoin NOTE: 20230619: Added by Front-Desk (Beuc) NOTE: 20230619: CVE-2021-37491 and CVE-2023-30769 seem forgotten by upstream, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebad433e4d23b94ef7ae8f3671a991fbaca5ec97 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebad433e4d23b94ef7ae8f3671a991fbaca5ec97 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
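Review bot: the dla-needed.txt hunk removes the docker.io entry whose last NOTE (20240213) records an open item for CVE-2024-24557 ("patch does not directly apply and lack of reproducer test case"), but the data/CVE/list hunks in this commit only add buster `(Minor issue)` lines for CVE-2023-28840, -28841 and -28842; confirm CVE-2024-24557 has a buster status elsewhere, otherwise the removal drops it from tracking. Also consider carrying the test-history notes (20230706 review request, 20230801 swarm overlay testing by rouca and santiago) into a NOTE, since they are the only record of what was already verified on buster.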
[Git][security-tracker-team/security-tracker][master] Removed cinder from dla-needed since all CVEs are no-dsa.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 202d1034 by Ola Lundqvist at 2024-03-09T23:31:58+01:00 Removed cinder from dla-needed since all CVEs are no-dsa. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -51955,12 +51955,16 @@ CVE-2023-2089 (A vulnerability was found in SourceCodester Complaint Management CVE-2023-2088 (A flaw was found in OpenStack due to an inconsistency between Cinder a ...) - cinder 2:21.1.0-3 (bug #1035961) [bullseye] - cinder (Minor issue) + [buster] - cinder (Minor issue) - python-glance-store 4.1.0-4 (bug #1035962; bug #1035978) [bullseye] - python-glance-store (Minor issue) + [buster] - python-glance-store (Minor issue) - nova 2:26.1.0-4 (bug #1035963; bug #1035981) [bullseye] - nova (Minor issue) + [buster] - nova (Minor issue) - python-os-brick 4.1.0-3 (bug #1035932) [bullseye] - python-os-brick (Minor issue) + [buster] - python-os-brick (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/05/10/5 NOTE: https://bugs.launchpad.net/nova/+bug/2004555 CVE-2023-2087 (The Essential Blocks plugin for WordPress is vulnerable to Cross-Site ...) = data/dla-needed.txt = 
@@ -51,10 +51,6 @@ cacti (Sylvain Beucler) NOTE: 20240222: Reported incomplete fix upstream (Beuc) NOTE: 20240227: Sent debdiffs for buster/bullseye/bookworm to maintainer+secteam; no news from upstream yet (Beuc) -- -cinder - NOTE: 20230525: Added by Front-Desk (lamby) - NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. --- composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) NOTE: 20240304: Need to backport bullseye View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/202d103430cac9b4648801cc626cd8a2af686cf2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/202d103430cac9b4648801cc626cd8a2af686cf2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
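Review bot: the CVE-2023-2088 hunk adds buster `(Minor issue)` lines for all four affected packages (cinder, python-glance-store, nova, python-os-brick), matching the removed dla-needed.txt NOTE that listed them; since only the cinder block is removed from dla-needed.txt, check that the other three were never listed there separately, and note that the commit message's "all CVEs" refers to a single CVE spanning four packages.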
[Git][security-tracker-team/security-tracker][master] Removed cairosvg from dla-needed since CVE-2023-27586 is too intrusive to fix in buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 4414c335 by Ola Lundqvist at 2024-03-09T23:27:28+01:00 Removed cairosvg from dla-needed since CVE-2023-27586 is too intrusive to fix in buster. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -62082,7 +62082,7 @@ CVE-2023-27587 (ReadtoMyShoe, a web app that lets users upload articles and list CVE-2023-27586 (CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Pr ...) {DSA-5382-1} - cairosvg 2.5.2-1.1 (bug #1033295) - [buster] - cairosvg (Minor issue; fix would require backporting entire --unsafe mechanism) + [buster] - cairosvg (Minor issue; fix would require backporting entire --unsafe mechanism) NOTE: https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255 (2.7.0) NOTE: https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv NOTE: Introduced in https://github.com/Kozea/CairoSVG/commit/1ee0889f4015ebaddcf9976d43222e673155797c (0.3) = data/dla-needed.txt = 
@@ -51,11 +51,6 @@ cacti (Sylvain Beucler) NOTE: 20240222: Reported incomplete fix upstream (Beuc) NOTE: 20240227: Sent debdiffs for buster/bullseye/bookworm to maintainer+secteam; no news from upstream yet (Beuc) -- -cairosvg - NOTE: 20230323: Added by Front-Desk (gladk) - NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) - NOTE: 20240212: Could have side effects, though (#1050643). I'm not going forward with the upload. (dleidert) --- cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4414c3353b2410fd7a1c67069daa99ed2dcae218 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4414c3353b2410fd7a1c67069daa99ed2dcae218 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
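Review bot: in the data/CVE/list hunk the removed and added `[buster] - cairosvg (Minor issue; fix would require backporting entire --unsafe mechanism)` lines read identically as rendered here, so the status change the commit message describes (too intrusive to fix) is not visible; please confirm the status keyword changed in the committed line. The dla-needed.txt hunk deletes dleidert's 20240212 finding that the backport "Could have side effects (#1050643)"; that bug reference is the concrete evidence for the decision and is worth keeping as a NOTE on CVE-2023-27586 rather than only in git history.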
[Git][security-tracker-team/security-tracker][master] Removed cpio from dla-needed since there is no CVE to fix.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 38b460a8 by Ola Lundqvist at 2024-03-09T23:20:12+01:00 Removed cpio from dla-needed since there is no CVE to fix. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -64,10 +64,6 @@ composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) NOTE: 20240304: Need to backport bullseye -- -cpio - NOTE: 20240303: Added by Front-Desk (apo) - NOTE: 20240304: Likely no work to do since upstream considers CVE-2023-7216 normal behavior. (bunk) --- curl NOTE: 20231229: Added by Front-Desk (lamby) NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38b460a87ec870d6f3fac890445b2d727648f772 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38b460a87ec870d6f3fac890445b2d727648f772 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
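Review bot: the removed dla-needed.txt NOTE (20240304, bunk) that "upstream considers CVE-2023-7216 normal behavior" is the justification for this removal, yet the commit touches only dla-needed.txt; if the CVE-2023-7216 entry in data/CVE/list does not already carry a buster status with that rationale, it should, or the conclusion survives only in the commit history.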
[Git][security-tracker-team/security-tracker][master] Marked CVE-2023-46426 and CVE-2023-46427 end-of-life for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: d882f249 by Ola Lundqvist at 2024-03-09T23:14:28+01:00 Marked CVE-2023-46426 and CVE-2023-46427 end-of-life for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53,10 +53,12 @@ CVE-2023-49340 (An issue was discovered in Newland Nquire 1000 Interactive Kiosk NOT-FOR-US: Newland Nquire 1000 Interactive Kiosk CVE-2023-46427 (An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-mast ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2641 NOTE: https://github.com/gpac/gpac/commit/ed8424300fc4a1f5231ecd1d47f502ddd3621d1a CVE-2023-46426 (Heap-based Buffer Overflow vulnerability in gpac version 2.3-DEV-rev58 ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2642 NOTE: https://github.com/gpac/gpac/commit/14ec709a1ffae23ad777c37320290caa0a754341 CVE-2023-32264 (CWE-1385 vulnerability in OpenText Documentum D2 affecting versions16. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d882f249a7dde05b4f043b463b3ee34ce23397be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d882f249a7dde05b4f043b463b3ee34ce23397be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
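Review bot: the two added `[buster] - gpac (EOL in buster LTS)` lines show only the parenthesised reason as rendered here, so the end-of-life marking named in the commit message cannot be confirmed from the hunk; also, the reason text differs from the "Not supported in <release> LTS" wording used for the same status elsewhere in data/CVE/list (see the kfreebsd entries), so one phrasing should be picked to keep the file greppable.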
[Git][security-tracker-team/security-tracker][master] Ignore CVE-2023-52322 instead of no-dsa in buster even if fixed in bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: c2265f4e by Ola Lundqvist at 2024-03-08T23:02:02+01:00 Ignore CVE-2023-52322 instead of no-dsa in buster even if fixed in bullseye. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16154,7 +16154,7 @@ CVE-2023-52322 (ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x befo - spip 4.1.13+dfsg-1 (bug #1059331) [bookworm] - spip 4.1.9+dfsg-1+deb12u4 [bullseye] - spip 3.2.11-3+deb11u10 - [buster] - spip (Minor issue) + [buster] - spip (Minor issue) NOTE: https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-7-SPIP-4-1-13.html?lang=fr NOTE: https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb CVE-2023-7059 (A vulnerability was found in SourceCodester School Visitor Log e-Book ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2265f4eb6a490215f883db498aedfdb29ba0222 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2265f4eb6a490215f883db498aedfdb29ba0222 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
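Review bot: the removed and added `[buster] - spip (Minor issue)` lines are identical as rendered, so the no-dsa-to-ignored change in the commit message is not visible in the hunk; beyond confirming the keyword, the reason text should change too, because "Minor issue" no longer explains an ignored status when bullseye shipped a fix in 3.2.11-3+deb11u10 (the commit message's "even if fixed in bullseye" rationale belongs in the file, not only in the log).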
[Git][security-tracker-team/security-tracker][master] 5 commits: Added libpgjava to dla-needed. Better to be safe than sorrow.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 4309d77c by Ola Lundqvist at 2024-03-08T22:59:25+01:00 Added libpgjava to dla-needed. Better to be safe than sorrow. - - - - - 2c8bb864 by Ola Lundqvist at 2024-03-08T22:59:27+01:00 Ignore CVE-2023-0842 instead of no-dsa. - - - - - 9947f15e by Ola Lundqvist at 2024-03-08T22:59:28+01:00 Ignore CVE-2021-42343 instead of no-dsa in buster. - - - - - 8230aab3 by Ola Lundqvist at 2024-03-08T22:59:30+01:00 Ignore CVE-2016-1243 and CVE-2016-1244 instead of no-dsa in buster. - - - - - 1f0a9ef4 by Ola Lundqvist at 2024-03-08T22:59:31+01:00 Ignore CVE-2023-46586 instead of no-dsa in buster. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -27268,7 +27268,7 @@ CVE-2023-46586 - weborf 1.0-1 (bug #1054417) [bookworm] - weborf 0.19-2.1+deb12u1 [bullseye] - weborf 0.17-3+deb11u1 - [buster] - weborf (Minor issue) + [buster] - weborf (Minor issue) NOTE: https://github.com/ltworf/weborf/pull/88 NOTE: Fixed by: https://github.com/ltworf/weborf/commit/49824204add55aab0568d90a6b1e7c822d32120d (1.0) CVE-2023-5702 (A vulnerability was found in Viessmann Vitogate 300 up to 2.1.3.0 and ...) @@ -66978,7 +66978,7 @@ CVE-2023-0843 CVE-2023-0842 (xml2js version 0.4.23 allows an external attacker to edit or add new p ...) - node-xml2js 0.4.23+~cs15.4.0+dfsg-7 (bug #1034148) [bullseye] - node-xml2js 0.2.8-1+deb11u1 - [buster] - node-xml2js (Minor issue) + [buster] - node-xml2js (Minor issue) NOTE: https://fluidattacks.com/advisories/myers/ NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/issues/663 NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/pull/603 
@@ -174193,7 +174193,7 @@ CVE-2021-42344 CVE-2021-42343 (An issue was discovered in the Dask distributed package before 2021.10 ...) - dask.distributed 2021.09.1+ds.1-2 [bullseye] - dask.distributed 2021.01.0+ds.1-2.1+deb11u1 - [buster] - dask.distributed (Minor issue; unreproducible with <2.0) + [buster] - dask.distributed (Minor issue; unreproducible with <2.0) NOTE: https://github.com/dask/distributed/pull/5427 NOTE: https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr NOTE: Likely introduced in https://github.com/quasiben/distributed/commit/fd31ecca8017bae845a73d468de0376c02363fab @@ -504145,7 +504145,7 @@ CVE-2016-1244 (The extractTree function in unADF allows remote attackers to exec - unadf 0.7.11a-6 (bug #838248) [bookworm] - unadf 0.7.11a-5+deb12u1 [bullseye] - unadf 0.7.11a-4+deb11u1 - [buster] - unadf (Minor issue) + [buster] - unadf (Minor issue) NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the upstream fix. CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in unADF allow ...) @@ -504153,7 +504153,7 @@ CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in unADF - unadf 0.7.11a-6 (bug #838248) [bookworm] - unadf 0.7.11a-5+deb12u1 [bullseye] - unadf 0.7.11a-4+deb11u1 - [buster] - unadf (Minor issue) + [buster] - unadf (Minor issue) NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the upstream fix. CVE-2016-1242 (file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3 ...) = data/dla-needed.txt = 
@@ -149,6 +149,9 @@ knot-resolver libcommons-compress-java (Markus Koschany) NOTE: 20240303: Added by Front-Desk (apo) -- +libpgjava + NOTE: 20240308: Added by Front-Desk (opal) +-- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/184920cbaa17cfc22cd9483f7e85360958127c50...1f0a9ef43a0930b9e0f2e553f7007bed982fa384 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/184920cbaa17cfc22cd9483f7e85360958127c50...1f0a9ef43a0930b9e0f2e553f7007bed982fa384 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
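Review bot: in all five data/CVE/list hunks (weborf, node-xml2js, dask.distributed, unadf twice) the `-` and `+` `[buster]` lines read identically as rendered, with the reason text left at "Minor issue" (or "Minor issue; unreproducible with <2.0"); since these commits flip no-dsa to ignored, the reason should say why the fix is not being backported to buster even though bullseye carries one (0.17-3+deb11u1, 0.2.8-1+deb11u1, 2021.01.0+ds.1-2.1+deb11u1, 0.7.11a-4+deb11u1), otherwise the file records the decision but not the reasoning.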
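Review bot: the new dla-needed.txt entry for libpgjava carries only "Added by Front-Desk (opal)" with no CVE reference; the neighbouring libreswan entry (with its CVE-2023-38712 note) shows the convention, and the commit message's "Better to be safe than sorrow" does not tell the next worker which issue to look at, so add a NOTE naming the CVE(s) that prompted the addition.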
[Git][security-tracker-team/security-tracker][master] 3 commits: Marked CVE-2014-7250 (kfreebsd-10) as end-of-life for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: ea883b0b by Ola Lundqvist at 2024-03-08T22:35:57+01:00 Marked CVE-2014-7250 (kfreebsd-10) as end-of-life for buster. - - - - - a3bbeff1 by Ola Lundqvist at 2024-03-08T22:35:58+01:00 CVE-2015-1554 concluded to be a minor for buster issue since it is not reproducible. - - - - - 995adf46 by Ola Lundqvist at 2024-03-08T22:36:00+01:00 Decided that CVE-2023-39804 (tar) is worth fixing in buster. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -19164,7 +19164,6 @@ CVE-2023-39804 [Incorrectly handled extension attributes in PAX archives can lea - tar 1.34+dfsg-1.3 (bug #1058079) [bookworm] - tar 1.34+dfsg-1.2+deb12u1 [bullseye] - tar 1.34+dfsg-1+deb11u1 - [buster] - tar (Minor issue) NOTE: Fixed by: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 (v1.35) CVE-2023-6679 (A null pointer dereference vulnerability was found in dpll_pin_parent_ ...) - linux (Vulnerable code not present) @@ -528821,6 +528820,7 @@ CVE-2015-1401 (Improper Authentication vulnerability in the "LDAP / SSO Authenti NOT-FOR-US: typo3 extension CVE-2015-1554 (kgb-bot 1.33-2 allows remote attackers to cause a denial of service (c ...) - kgb-bot (low; bug #776424) + [buster] - kgb-bot (Minor issue, not reproducible) NOTE: 20190201: random crash still not reproducible CVE-2015-1369 (SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js ...) NOT-FOR-US: sequelize @@ -539383,6 +539383,7 @@ CVE-2014-7250 (The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD pos - kfreebsd-9 [wheezy] - kfreebsd-9 (Not supported in wheezy LTS) - kfreebsd-10 (bug #778367) + [buster] - kfreebsd-10 (Not supported in Jessie LTS) [jessie] - kfreebsd-10 (Not supported in Jessie LTS) CVE-2014-7249 (Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, A ...) NOT-FOR-US: Allied Telesis = data/dla-needed.txt = 
@@ -309,6 +309,12 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +tar + NOTE: 20240308: Added by Front-Desk (opal) + NOTE: 20240308: It was previously no-dsa but since it has been fixed in + NOTE: 20240308: bullseye and the fix is trivial it is worth fixing in buster + NOTE: 20240308: too. Low priority though. +-- thunderbird (Emilio) NOTE: 20240306: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b4ec3f8d93fd654b975fb2b705e693414a8b5a38...995adf463cfec5b4b27b74b878f6ce372ede4419 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b4ec3f8d93fd654b975fb2b705e693414a8b5a38...995adf463cfec5b4b27b74b878f6ce372ede4419 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
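Review bot: in the CVE-2014-7250 hunk, the added line `[buster] - kfreebsd-10 (Not supported in Jessie LTS)` carries the reason copied from the `[jessie]` line directly below it; the release name in the reason should be buster, otherwise the text contradicts its own release tag. The tar change is consistent: the `[buster] - tar (Minor issue)` line is removed from data/CVE/list and the matching dla-needed.txt entry explains the reversal (fixed in bullseye, trivial fix, low priority).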
[Git][security-tracker-team/security-tracker][master] 2 commits: Marked CVEs for nvidia-graphics-drivers-legacy-340xx as ignored for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
fc30ba59 by Ola Lundqvist at 2024-03-07T23:54:31+01:00
Marked CVEs for nvidia-graphics-drivers-legacy-340xx as ignored for buster.
- - - - -
c7598151 by Ola Lundqvist at 2024-03-07T23:54:32+01:00
Analyzed freeipa further and concluded that it is safest to fix in buster.
- - - - -

2 changed files:
- data/CVE/list
- data/dla-needed.txt

Changes:
= data/CVE/list =
@@ -2053,6 +2053,7 @@ CVE-2024-0074 [bookworm] - nvidia-graphics-drivers (Non-free not supported) [bullseye] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1064984) + [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers-legacy-390xx (bug #1064985) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-tesla-418 (bug #1064986)
@@ -2076,6 +2077,7 @@ CVE-2024-42265 [bookworm] - nvidia-graphics-drivers (Non-free not supported) [bullseye] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1064984) + [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers-legacy-390xx (bug #1064985) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-tesla-418 (bug #1064986)
@@ -2095,6 +2097,7 @@ CVE-2024-0078 [bookworm] - nvidia-graphics-drivers (Non-free not supported) [bullseye] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1064984) + [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers-legacy-390xx (bug #1064985) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-tesla-418 (bug #1064986)
@@ -4627,6 +4630,10 @@ CVE-2024-1481 [specially crafted HTTP requests potentially lead to DoS or data e NOTE: ipa-4.10: https://pagure.io/freeipa/c/204011dc0514681511275a4b70a13bfa85c1a538 NOTE: ipa-4.9: https://pagure.io/freeipa/c/b039f3087a13de3f34b230dbe29a7cfb1965700d NOTE: ipa-4.9: https://pagure.io/freeipa/c/96a478bbedd49c31e0f078f00f2d1cb55bb952fd + NOTE: For buster (and most likely later versions) the vulnerable rpcserver.py code + NOTE: is not part of the provided binary packages. The kinit.py file is however and + NOTE: it is not entirelly clear whether this may be used in a vulnerable way when + NOTE: the client is used for authentication purposes. CVE-2024-26270 (The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, ...) NOT-FOR-US: Liferay CVE-2024-26268 (User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.2 ...)
= data/dla-needed.txt =
@@ -107,6 +107,9 @@ fontforge (Adrian Bunk) freeimage NOTE: 20240121: Added by Front-Desk (apo) -- +freeipa + NOTE: 20240307: Added by Front-Desk (opal) +-- frr (Abhijith PA) NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20240206: Continuing fixing the remaining issues (abhijith)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7a5e90b49c6c4a2acc4af8b4d02620ba98dcdf1...c7598151ce5abc8f421106343ee505caa98c0db8
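Review bot: the three `[buster]` lines added for nvidia-graphics-drivers-legacy-340xx (hunks @@ -2053, @@ -2076 and @@ -2095) consist of the package name and a reason in parentheses, while the commit message says the CVEs were marked as ignored; in data/CVE/list the state of a release-specific entry is carried by a tag between the package name and the reason, and the reason text alone does not express it, so confirm the committed lines carry the ignored tag the message describes.

Review bot: the freeipa NOTE block in hunk @@ -4627 leaves the triage open ("it is not entirelly clear whether this may be used in a vulnerable way when the client is used for authentication purposes") while the commit message states the conclusion (safest to fix in buster); record that conclusion in the NOTE too, and name which binary packages were checked for rpcserver.py and which one ships kinit.py, so that whoever claims the new freeipa entry in data/dla-needed.txt does not have to redo the analysis. The spelling "entirelly" should be "entirely".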
[Git][security-tracker-team/security-tracker][master] Marked CVE-2024-2236 as no-dsa following bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
3264f217 by Ola Lundqvist at 2024-03-07T22:57:54+01:00
Marked CVE-2024-2236 as no-dsa following bullseye.
- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -168,6 +168,7 @@ CVE-2024-2236 (A timing-based side-channel flaw was found in libgcrypt's RSA imp - libgcrypt20 [bookworm] - libgcrypt20 (Minor issue) [bullseye] - libgcrypt20 (Minor issue) + [buster] - libgcrypt20 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2268268 CVE-2024-1299 (A privilege escalation vulnerability was discovered in GitLab affectin ...) - gitlab

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3264f21787b5d3e2c426c34ad2573921badaacf9
[Git][security-tracker-team/security-tracker][master] 2 commits: Treat CVE-2024-2002 as minor issue for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
256a9424 by Ola Lundqvist at 2024-03-06T21:56:38+01:00
Treat CVE-2024-2002 as minor issue for buster.
- - - - -
9cc8914a by Ola Lundqvist at 2024-03-06T21:56:38+01:00
Added expat to dla-needed.
- - - - -

2 changed files:
- data/CVE/list
- data/dla-needed.txt

Changes:
= data/CVE/list =
@@ -589,6 +589,7 @@ CVE-2023-41827 (An improper export vulnerability was reported in the Motorola OT NOT-FOR-US: Motorola CVE-2024-2002 - dwarfutils (bug #1065511) + [buster] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW202402-002 NOTE: Fixed by: https://github.com/davea42/libdwarf-code/commit/404e6b1b14f60c81388d50b4239f81d461b3c3ad CVE-2024-27351 [Potential regular expression denial-of-service in django.utils.text.Truncator.words()]
= data/dla-needed.txt =
@@ -102,6 +102,9 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- +expat + NOTE: 20240306: Added by Front-Desk (opal) +-- fontforge NOTE: 20240306: Added by Front-Desk (opal) --

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4a40a82117256760ce6a04c471294c059cefc53c...9cc8914a108290641956fbf617d852579223c6df
[Git][security-tracker-team/security-tracker][master] 2 commits: Treat CVE-2024-27351 as a minor issue for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
6b498faf by Ola Lundqvist at 2024-03-06T21:51:53+01:00
Treat CVE-2024-27351 as a minor issue for buster.
- - - - -
73dedb18 by Ola Lundqvist at 2024-03-06T21:51:53+01:00
Added ruby-rack to dla-needed.
- - - - -

2 changed files:
- data/CVE/list
- data/dla-needed.txt

Changes:
= data/CVE/list =
@@ -591,6 +591,7 @@ CVE-2024-2002 NOTE: Fixed by: https://github.com/davea42/libdwarf-code/commit/404e6b1b14f60c81388d50b4239f81d461b3c3ad CVE-2024-27351 [Potential regular expression denial-of-service in django.utils.text.Truncator.words()] - python-django 3:4.2.11-1 + [buster] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2024/mar/04/security-releases/ NOTE: https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e (5.0.3) NOTE: https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a (4.2.11)
= data/dla-needed.txt =
@@ -274,6 +274,9 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- +ruby-rack + NOTE: 20240306: Added by Front-Desk (opal) +-- runc NOTE: 20240204: Added by Front-Desk (ta) NOTE: 20240219: Complete fix for CVE-2024-21626 would require backport of

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/426c289a0216367ef5eccf220234906db282329d...73dedb18d9cf68d1327125f6c252a37a4cb0d846
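Review bot: in the python-django hunk (@@ -591) the reason "Minor issue" says nothing about whether the buster version contains the Truncator.words() regular expression that the referenced upstream commits (3394fc61 for 5.0.3, 3c9a2771 for 4.2.11) change; since the CVE title describes a regex denial of service in exactly that function, add a NOTE stating whether the affected code is present in buster's python-django and, if it is, why the exposure is considered minor (the regex is only reachable where the truncator is fed attacker-controlled text), so the entry can be rechecked without repeating the source comparison.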
[Git][security-tracker-team/security-tracker][master] 2 commits: Marked three CVEs for suricata as minor issues for buster following bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
caf78ea3 by Ola Lundqvist at 2024-03-06T21:37:13+01:00
Marked three CVEs for suricata as minor issues for buster following bullseye.
- - - - -
233c5ee0 by Ola Lundqvist at 2024-03-06T21:37:14+01:00
Marked CVE-2024-23837 as minor issue for buster. Suricata is the only tool in reverse depends for buster and suricata has many similar vulnerabilities as this.
- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -3302,6 +3302,7 @@ CVE-2024-23839 (Suricata is a network Intrusion Detection System, Intrusion Prev NOTE: https://redmine.openinfosecfoundation.org/issues/6657 CVE-2024-23837 (LibHTP is a security-aware parser for the HTTP protocol. Crafted traff ...) - libhtp 1:0.5.46-1 + [buster] - libhtp (Minor issue) NOTE: https://github.com/OISF/libhtp/security/advisories/GHSA-f9wf-rrjj-qx8m NOTE: https://github.com/OISF/libhtp/commit/20ac301d801cdf01b3f021cca08a22a87f477c4a (0.5.46) NOTE: https://redmine.openinfosecfoundation.org/issues/6444
@@ -3309,6 +3310,7 @@ CVE-2024-23836 (Suricata is a network Intrusion Detection System, Intrusion Prev - suricata 1:7.0.3-1 [bookworm] - suricata (Minor issue) [bullseye] - suricata (Minor issue) + [buster] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-q33q-45cr-3cpc NOTE: https://github.com/OISF/suricata/commit/18841a58da71e735ddf4e52cbfa6989755ecbeb7 (suricata-6.0.16) NOTE: https://github.com/OISF/suricata/commit/8efaebe293e2a74c8e323fa85a6f5fadf82801bc (suricata-6.0.16)
@@ -45073,11 +45075,13 @@ CVE-2023-35853 (In Suricata before 6.0.13, an adversary who controls an external - suricata 1:6.0.13-1 [bookworm] - suricata (Minor issue) [bullseye] - suricata (Minor issue) + [buster] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/commit/b95bbcc66db526ffcc880eb439dbe8abc87a81da CVE-2023-35852 (In Suricata before 6.0.13 (when there is an adversary who controls an ...) - suricata 1:6.0.13-1 [bookworm] - suricata (Minor issue) [bullseye] - suricata (Minor issue) + [buster] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335 NOTE: https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17 CVE-2023-35849 (VirtualSquare picoTCP (aka PicoTCP-NG) through 2.1 does not properly c ...)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ffebe25b9dbe3c1bf27f28f7f35625ef3d8b555d...233c5ee019074dbce8d30b0dae81e0f61310e461
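Review bot: the justification for the libhtp line added in hunk @@ -3302 (suricata is the only reverse dependency of libhtp in buster, and suricata already carries several similar issues marked minor) exists only in the second commit message; since it depends on the reverse-dependency set and on the suricata entries staying minor, put it into a NOTE line under CVE-2024-23837 so a later triager can see the condition on which "Minor issue" rests and re-evaluate it if either changes.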
[Git][security-tracker-team/security-tracker][master] Treat CVE-2024-25269 as a minor issue for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
c1ad0d65 by Ola Lundqvist at 2024-03-06T21:29:21+01:00
Treat CVE-2024-25269 as a minor issue for buster.
- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -490,6 +490,7 @@ CVE-2024-25731 (The Elink Smart eSmartCam (com.cn.dq.ipc) application 2.1.5 for NOT-FOR-US: Elink Smart eSmartCam (com.cn.dq.ipc) application CVE-2024-25269 (libheif <= 1.17.6 contains a memory leak in the function JpegEncoder:: ...) - libheif + [buster] - libheif (Minor issue) NOTE: https://github.com/strukturag/libheif/issues/1073 NOTE: https://github.com/strukturag/libheif/pull/1074 NOTE: https://github.com/strukturag/libheif/commit/877de6b398198bca387df791b9232922c5721c80

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1ad0d65002bd8cee03507975bb81dd49df28c97
[Git][security-tracker-team/security-tracker][master] Treat CVE-2023-5685 as minor issue in buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
d6e6b82e by Ola Lundqvist at 2024-03-06T21:24:02+01:00
Treat CVE-2023-5685 as minor issue in buster.
- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -253,6 +253,7 @@ CVE-2024-1979 NOT-FOR-US: Quarkus CVE-2023-5685 [StackOverflowException when the chain of notifier states becomes problematically big] - jboss-xnio + [buster] - jboss-xnio (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241822 CVE-2023-45290 (When parsing a multipart form (either explicitly with Request.ParseMul ...) - golang-1.22 1.22.1-1

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6e6b82e869c644af6eded49c5fc4f0a8c37d4a9
[Git][security-tracker-team/security-tracker][master] Added thunderbird to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
4e85cf6c by Ola Lundqvist at 2024-03-06T21:19:02+01:00
Added thunderbird to dla-needed.
- - - - -

1 changed file:
- data/dla-needed.txt

Changes:
= data/dla-needed.txt =
@@ -310,6 +310,9 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird + NOTE: 20240306: Added by Front-Desk (opal) +-- tiff (Abhijith PA) NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e85cf6c5ff025b3ed2ad28ba86be66a1b017211
[Git][security-tracker-team/security-tracker][master] Added wordpress to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
8446e86f by Ola Lundqvist at 2024-03-06T21:17:01+01:00
Added wordpress to dla-needed.
- - - - -

1 changed file:
- data/dla-needed.txt

Changes:
= data/dla-needed.txt =
@@ -332,6 +332,9 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- +wordpress + NOTE: 20240306: Added by Front-Desk (opal) +-- zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) --

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8446e86f67fd396b3f5b806c15c27250230e0c92
[Git][security-tracker-team/security-tracker][master] 2 commits: Added iwd to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
d22028c4 by Ola Lundqvist at 2024-03-06T21:03:48+01:00
Added iwd to dla-needed.
- - - - -
ccb877a4 by Ola Lundqvist at 2024-03-06T21:09:22+01:00
Added pdns-recursor to dla-needed.
- - - - -

1 changed file:
- data/dla-needed.txt

Changes:
= data/dla-needed.txt =
@@ -133,6 +133,9 @@ imagemagick NOTE: 20231014: Some work under git branch debian/buster but unease NOTE: 20240227: Made a partial release -- +iwd + NOTE: 20240306: Added by Front-Desk (opal) +-- jenkins-htmlunit-core-js NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance
@@ -228,6 +231,9 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. -- +pdns-recursor + NOTE: 20240306: Added by Front-Desk (opal) +-- postgresql-11 NOTE: 20240306: Added by Front-Desk (opal) --

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e44b0e5eac812ef5938a46fb981d9e9ba6a04090...ccb877a4ba87c3d0b6ccdea15b7d61409a3fa66a
[Git][security-tracker-team/security-tracker][master] Added shim to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
e44b0e5e by Ola Lundqvist at 2024-03-06T21:00:57+01:00
Added shim to dla-needed.
- - - - -

1 changed file:
- data/dla-needed.txt

Changes:
= data/dla-needed.txt =
@@ -286,6 +286,9 @@ sendmail NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches NOTE: 20240217: Patch extracted and being reviewed (rouca) -- +shim + NOTE: 20240306: Added by Front-Desk (opal) +-- squid NOTE: 20240109: Added by Front-Desk (apo) NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e44b0e5eac812ef5938a46fb981d9e9ba6a04090
[Git][security-tracker-team/security-tracker][master] CVE-2024-27507 concluded as a minor issue for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
560f20fe by Ola Lundqvist at 2024-03-06T20:48:52+01:00
CVE-2024-27507 concluded as a minor issue for buster.
- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -2749,6 +2749,7 @@ CVE-2024-27508 (Atheme 7.2.12 contains a memory leak vulnerability in /atheme/sr NOTE: Also not a real issue: https://github.com/atheme/atheme/issues/921 CVE-2024-27507 (libLAS 1.8.1 contains a memory leak vulnerability in /libLAS/apps/ts2l ...) - liblas + [buster] - liblas (Minor issue) CVE-2024-27099 (The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Ser ...) - azure-uamqp-python (bug #1064996) NOTE: https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-6rh4-fj44-v4jj

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/560f20fe4374ce70e7a149cf6482e73be19d57ab
[Git][security-tracker-team/security-tracker][master] Marked CVEs for golang-1.11 as postponed with limited support.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
ba3d969f by Ola Lundqvist at 2024-03-06T20:45:06+01:00
Marked CVEs for golang-1.11 as postponed with limited support.
- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -225,6 +225,7 @@ CVE-2024-24785 (If errors returned from MarshalJSON methods contain user control - golang-1.19 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/65697 NOTE: https://github.com/golang/go/commit/056b0edcb8c152152021eebf4cf42adbfbe77992 (go1.22.1) NOTE: https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e (go1.21.8)
@@ -234,6 +235,7 @@ CVE-2024-24784 (The ParseAddressList function incorrectly handles comments (text - golang-1.19 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/65083 NOTE: https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c (go1.22.1) NOTE: https://github.com/golang/go/commit/263c059b09fdd40d9dd945f2ecb20c89ea28efe5 (go1.21.8)
@@ -243,6 +245,7 @@ CVE-2024-24783 (Verifying a certificate chain which contains a certificate with - golang-1.19 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/65390 NOTE: https://github.com/golang/go/commit/337b8e9cbfa749d9d5c899e0dc358e2208d5e54f (go1.22.1) NOTE: https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0 (go1.21.8)
@@ -257,6 +260,7 @@ CVE-2023-45290 (When parsing a multipart form (either explicitly with Request.Pa - golang-1.19 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/65383 NOTE: https://github.com/golang/go/commit/041a47712e765e94f86d841c3110c840e76d8f82 (go1.22.1) NOTE: https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0 (go1.21.8)
@@ -266,6 +270,7 @@ CVE-2023-45289 (When following an HTTP redirect to a domain which is not a subdo - golang-1.19 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/65065 NOTE: https://github.com/golang/go/commit/3a855208e3efed2e9d7c20ad023f1fa78afcc0be (go1.22.1) NOTE: https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1 (go1.21.8)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba3d969f7990add7ae54e9dec101c27dd55357c9
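Review bot: the same reason string "Limited support, minor issue, follow bullseye DSAs/point-releases" is pasted into all five golang-1.11 hunks (@@ -225, @@ -234, @@ -243, @@ -257, @@ -266), which mixes a support-level statement with a severity judgement and a handling policy, so a later reader cannot tell whether CVE-2024-24783 (certificate chain verification, per the entry title) was judged minor on its own or only inherits the blanket wording applied to the MarshalJSON, ParseAddressList, multipart-form and redirect issues. Keep the limited-support statement, and for the entries that were actually assessed give the concrete reason in the parentheses or a NOTE line.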
[Git][security-tracker-team/security-tracker][master] 3 commits: Added fontforge to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
42024d4f by Ola Lundqvist at 2024-03-06T20:42:23+01:00
Added fontforge to dla-needed. Arbitrary command execution is tricky even if this is an editor application and you should not load untrusted files.
- - - - -
85dcb981 by Ola Lundqvist at 2024-03-06T20:42:25+01:00
Marked CVE-2019-9515 as minor issue for buster following bookworm decision.
- - - - -
e69488da by Ola Lundqvist at 2024-03-06T20:42:25+01:00
Added postgresql-11 to dla-needed.
- - - - -

2 changed files:
- data/CVE/list
- data/dla-needed.txt

Changes:
= data/CVE/list =
@@ -344479,6 +344479,7 @@ CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, pote - h2o 2.2.5+dfsg2-3 (bug #934886) - rust-h2 0.3.24-1 (bug #1062667) [bookworm] - rust-h2 (Minor issue) + [buster] - rust-h2 (Minor issue) NOTE: Issue: https://github.com/golang/go/issues/33606 NOTE: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11) NOTE: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c (golang-1.12)
= data/dla-needed.txt =
@@ -102,6 +102,9 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- +fontforge + NOTE: 20240306: Added by Front-Desk (opal) +-- freeimage NOTE: 20240121: Added by Front-Desk (apo) --
@@ -225,6 +228,9 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. -- +postgresql-11 + NOTE: 20240306: Added by Front-Desk (opal) +-- putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0112cce0c6cf71931b7319a1dffb32e463f0fc06...e69488dacb99e1f4cd63a5b9bb1c8ca65f1197cc
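Review bot: the commit message for 85dcb981 says CVE-2019-9515 was marked as a minor issue, but the only data/CVE/list hunk (@@ -344479) sits in the CVE-2019-9514 block (the hunk header names "CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood"), and the `[buster] - rust-h2 (Minor issue)` line is added next to that entry's bookworm line; either the message or the edited entry is off by one, so check which of the two HTTP/2 CVEs was meant and that the other does not still lack a buster line.

Review bot: the fontforge entry added in the data/dla-needed.txt hunk @@ -102 records only "Added by Front-Desk (opal)", while the triage that motivated the addition ("Arbitrary command execution is tricky even if this is an editor application and you should not load untrusted files") lives in the commit message; put that reasoning into a NOTE line under the entry, because whoever claims the package reads the file, not the git log.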
[Git][security-tracker-team/security-tracker][master] Added libapache2-mod-auth-openidc to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
cebf4215 by Ola Lundqvist at 2024-03-05T00:19:10+01:00
Added libapache2-mod-auth-openidc to dla-needed.
- - - - -

1 changed file:
- data/dla-needed.txt

Changes:
= data/dla-needed.txt =
@@ -144,6 +144,9 @@ jetty9 knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- +libapache2-mod-auth-openidc + NOTE: 20240305: Added by Front-Desk (opal) +-- libcommons-compress-java (Markus Koschany) NOTE: 20240303: Added by Front-Desk (apo) --

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cebf4215d80c124fa2d5b48f26d05bb002ce3567
[Git][security-tracker-team/security-tracker][master] Concluded that CVE-2024-25768 is a minor issue.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
4da981b2 by Ola Lundqvist at 2024-03-05T00:08:30+01:00
Concluded that CVE-2024-25768 is a minor issue. The issue occurs if a null list buffer is provided but a non-zero length of that buffer is provided. In opendmarc itself this will never happen because the list buffer is always provided with null value and zero length. When opendmarc is used as a library it is reasonable to assume that providing a null list and non-zero value for such a list is a programming error. There are no reverse dependencies for libopendmarc-dev in buster. If someone builds an application that has such an error it is likely going to have other more severe problems. It is still a vulnerability but the vulnerability is more in the application calling this function than something else.
- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -2653,6 +2653,7 @@ CVE-2024-25770 (libming 0.4.8 contains a memory leak vulnerability in /libming/s - ming CVE-2024-25768 (OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in / ...) - opendmarc + [buster] - opendmarc (Minor issue) NOTE: https://github.com/LuMingYinDetect/OpenDMARC_defects/blob/main/OpenDMARC_detect_1.md CVE-2024-25767 (nanomq 0.21.2 contains a Use-After-Free vulnerability in /nanomq/nng/s ...) NOT-FOR-US: NanoMQ

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4da981b21fb6ef71f9d3230708c2589372934e34
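Review bot: the whole basis for the `[buster] - opendmarc (Minor issue)` line in hunk @@ -2653 (the null pointer dereference needs a null list buffer paired with a non-zero length; opendmarc itself always passes a null list with zero length; libopendmarc-dev has no reverse dependencies in buster) is stated only in the commit message, while the single NOTE under CVE-2024-25768 is the link to the third-party defect write-up; add the reasoning as NOTE lines, since the reverse-dependency argument in particular is something a later triager will want to recheck and cannot find from the file alone.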
[Git][security-tracker-team/security-tracker][master] Marked two CVEs for wireshark as no-dsa for buster following bookworm and bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
a623b0d4 by Ola Lundqvist at 2024-03-04T23:48:05+01:00
Marked two CVEs for wireshark as no-dsa for buster following bookworm and bullseye.
- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -13573,6 +13573,7 @@ CVE-2024-0211 (DOCSIS dissector crash in Wireshark 4.2.0 allows denial of servic - wireshark 4.2.2-1 (bug #1059925) [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-05.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19557 CVE-2024-0210 (Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service ...)
@@ -13586,6 +13587,7 @@ CVE-2024-0209 (IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, - wireshark 4.2.2-1 (bug #1059925) [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-02.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19501 NOTE: The bug references two crashes, this is for the one labelled "BUG log 2",

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a623b0d449144a3bbf7a2db21c4508cd552ed236
[Git][security-tracker-team/security-tracker][master] Marked CVE-2023-6917 as no-dsa for buster following bookworm and bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
aa87e4a0 by Ola Lundqvist at 2024-03-04T23:46:11+01:00
Marked CVE-2023-6917 as no-dsa for buster following bookworm and bullseye.
- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -1666,6 +1666,7 @@ CVE-2023-6917 (A vulnerability has been identified in the Performance Co-Pilot ( - pcp 6.2.0-1 [bookworm] - pcp (Minor issue) [bullseye] - pcp (Minor issue) + [buster] - pcp (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/02/28/1 NOTE: https://github.com/performancecopilot/pcp/pull/1873 CVE-2023-52226 (Cross-Site Request Forgery (CSRF) vulnerability in Advanced Flamingo.T ...)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa87e4a02c53a187addf99c0ee06b8338a25e666
[Git][security-tracker-team/security-tracker][master] Marked CVE-2020-36774 as no-dsa for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker

Commits:
a684666c by Ola Lundqvist at 2024-03-04T23:40:54+01:00
Marked CVE-2020-36774 as no-dsa for buster.
- - - - -

1 changed file:
- data/CVE/list

Changes:
= data/CVE/list =
@@ -4411,6 +4411,7 @@ CVE-2022-48624 (close_altfile in filename.c in less before 606 omits shell_quote NOTE: https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144 (v606) CVE-2020-36774 (plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x b ...) - glade 3.38.2-1 + [buster] - glade (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/glade/-/issues/479 NOTE: https://gitlab.gnome.org/GNOME/glade/-/commit/7acdd3c6f6934f47b8974ebc2190a59ea5d2ed17 (GLADE_3_40_0) NOTE: https://gitlab.gnome.org/GNOME/glade/-/commit/2e2475bb27f891d3ad71cbd5b7152b4751da5874 (GLADE_3_38_1)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a684666c01b5a64a6e0dde1c7b2321febd2134fd
[Git][security-tracker-team/security-tracker][master] Postponed CVEs for buster just as for bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: a7dd83b1 by Ola Lundqvist at 2023-11-24T20:12:29+00:00 Postponed CVEs for buster just as for bullseye. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -230235,21 +230235,25 @@ CVE-2020-24295 (Buffer Overflow vulnerability in PSDParser.cpp::ReadImageLine() - freeimage [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) + [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24294 (Buffer Overflow vulnerability in psdParser::UnpackRLE function in PSDP ...) - freeimage [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) + [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24293 (Buffer Overflow vulnerability in psdThumbnail::Read in PSDParser.cpp i ...) - freeimage [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) + [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24292 (Buffer Overflow vulnerability in load function in PluginICO.cpp in Fre ...) - freeimage [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) + [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24291 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7dd83b17e3c96fbeb23a8084ca2a20353f3cb10 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7dd83b17e3c96fbeb23a8084ca2a20353f3cb10 You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] Marked CVE-2023-49208 as not affected for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: f4a918a4 by Ola Lundqvist at 2023-11-23T21:50:05+00:00 Marked CVE-2023-49208 as not affected for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,6 +21,7 @@ CVE-2023-49210 (The openssl (aka node-openssl) NPM package through 2.0.0 was cha NOT-FOR-US: malicious node module CVE-2023-49208 (scheme/webauthn.c in Glewlwyd SSO server before 2.7.6 has a possible b ...) - glewlwyd 2.7.6+ds-1 + [buster] - glewlwyd (Vulnerable code not present) NOTE: https://github.com/babelouest/glewlwyd/commit/f9d8c06aae8dfe17e761b18b577ff169e059e812 (v2.7.6) CVE-2023-41812 (Unrestricted Upload of File with Dangerous Type vulnerability in Pando ...) NOT-FOR-US: Pandora FMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4a918a491b7b3da3375d1708cb0c4ffcb71a1b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4a918a491b7b3da3375d1708cb0c4ffcb71a1b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
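Review bot: the commit message says "not affected", but the added line `[buster] - glewlwyd (Vulnerable code not present)` has exactly the form of the no-dsa entries in the neighbouring commits (`[buster] - pcp (Minor issue)`), so nothing in the entry itself distinguishes a not-affected buster from a no-dsa one; if the tracker has a separate not-affected form for a suite, use it here so the recorded state matches the message.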
[Git][security-tracker-team/security-tracker][master] Added tinymce to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 8905071c by Ola Lundqvist at 2023-11-23T21:44:06+00:00 Added tinymce to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -264,6 +264,9 @@ symfony (Markus Koschany) thunderbird (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- +tinymce + NOTE: 20231123: Added by Front-Desk (ola) +-- tor NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8905071c2ab66288080a9a2655cdf7799a08cd1a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8905071c2ab66288080a9a2655cdf7799a08cd1a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Marked CVE-2023-40030 as no-dsa for buster following bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: ffc07270 by Ola Lundqvist at 2023-11-23T21:41:14+00:00 Marked CVE-2023-40030 as no-dsa for buster following bullseye. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14583,9 +14583,11 @@ CVE-2023-40030 (Cargo downloads a Rust project\u2019s dependencies and compiles - cargo [bookworm] - cargo (Minor issue) [bullseye] - cargo (Minor issue) + [buster] - cargo (Minor issue) - rust-cargo [bookworm] - rust-cargo (Minor issue) [bullseye] - rust-cargo (Minor issue) + [buster] - rust-cargo (Minor issue) NOTE: https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p NOTE: https://github.com/rust-lang/cargo/pull/12291 NOTE: https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33 (0.75.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffc07270565352d6ed9d3bd0ef57e3e0bcaa3558 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffc07270565352d6ed9d3bd0ef57e3e0bcaa3558 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Marked CVE-2023-20246 as not affected for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e7dc086 by Ola Lundqvist at 2023-11-23T21:29:24+00:00 Marked CVE-2023-20246 as not affected for buster. It should be marked as not affected for all versions since the vulnerability is only in snort 3.x, but I'll leave that to the regular security team to do. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -72399,6 +72399,7 @@ CVE-2023-20247 (A vulnerability in the remote access SSL VPN feature of Cisco Ad NOT-FOR-US: Cisco CVE-2023-20246 (Multiple Cisco products are affected by a vulnerability in Snort acces ...) - snort (bug #1056281) + [buster] - snort (only affects 3.x) NOTE: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort3acp-bypass-3bdR2BEh CVE-2023-20245 (Multiple vulnerabilities in the per-user-override feature of Cisco Ada ...) NOT-FOR-US: Cisco View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e7dc086640f001045f40767ab048f35c21f9ba6
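Review bot: `[buster] - snort (only affects 3.x)` is written in the same no-dsa form as the other buster annotations in this series rather than as a not-affected state, and the unqualified `- snort (bug #1056281)` line above it still marks every other suite as affected even though the message says the bug is confined to snort 3.x. Leaving the global fix to the security team is fine, but then record that reasoning as a `NOTE:` line in the entry itself (the message already contains it), so the next triager does not re-investigate.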
[Git][security-tracker-team/security-tracker][master] Added notes for httpie CVE-2023-48052.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 916163b2 by Ola Lundqvist at 2023-11-22T23:27:47+00:00 Added notes for httpie CVE-2023-48052. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -845,7 +845,12 @@ CVE-2023-48053 (Archery v1.10.0 uses a non-random or static IV for Cipher Block NOT-FOR-US: Archery CVE-2023-48052 (Missing SSL certificate validation in HTTPie v3.2.2 allows attackers t ...) - httpie - TODO: check details + TODO: check details further + NOTE: https://gxx777.github.io/HTTPie_3.2.2_Cryptographic_API_Misuse_Vulnerability.md + NOTE: update_warnings.py is about package update and can be considered minor + NOTE: The client.py note tells that this line effectively disables host verification + NOTE: but when the tool is tested using a valid and self-signed cert it showed + NOTE: the page for the valid cert and gave an error on the self-signed cert. CVE-2023-47514 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in lawrence ...) NOT-FOR-US: WordPress plugin CVE-2023-47512 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Gravity ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/916163b25acb075b019922e8b347c60023698936 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/916163b25acb075b019922e8b347c60023698936 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
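Review bot: the last three `NOTE:` lines are one sentence split across entries and record an observation without a conclusion: the cited write-up says the client.py line disables host verification, while the hand test (page loads with a valid cert, error with a self-signed cert) suggests verification is still enforced. State which reading the triage is going with, or exactly what remains to be tested, next to `TODO: check details further`, so the TODO is actionable by someone else.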
[Git][security-tracker-team/security-tracker][master] 8 commits: Added firefox-esr to dla-needed. Already fixed in bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 68cf3b09 by Ola Lundqvist at 2023-11-22T22:32:12+00:00 Added firefox-esr to dla-needed. Already fixed in bullseye. - - - - - bcdde0f6 by Ola Lundqvist at 2023-11-22T22:32:12+00:00 Added thunderbird to dla-needed. Same problems as in firefox-esr and firefox-esr has already been fixed in bullseye. - - - - - 73956283 by Ola Lundqvist at 2023-11-22T22:32:16+00:00 Marked CVE-2022-46337 as no-dsa for buster following decision for bullseye. - - - - - a0670f71 by Ola Lundqvist at 2023-11-22T22:32:19+00:00 Marked CVE-2023-48161 as no-dsa for buster following decision for bullseye. - - - - - 9b53ab53 by Ola Lundqvist at 2023-11-22T22:32:23+00:00 Marked CVE-2023-46445 and CVE-2023-46446 as no-dsa for buster following decision for bullseye. - - - - - 0d8cb229 by Ola Lundqvist at 2023-11-22T22:32:26+00:00 Marked CVE-2023-5557 as no-dsa for buster following decision for bullseye. - - - - - 042d8823 by Ola Lundqvist at 2023-11-22T22:32:30+00:00 Marked CVE-2016-1243 and CVE-2016-1244 as no-dsa for buster following decision for bullseye. - - - - - 76b566a4 by Ola Lundqvist at 2023-11-22T22:32:33+00:00 Marked CVE-2023-48039 and CVE-2023-48090 as EOL for buster. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -234,6 +234,7 @@ CVE-2023-48161 (Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 a - giflib [bookworm] - giflib (Minor issue) [bullseye] - giflib (Minor issue) + [buster] - giflib (Minor issue) NOTE: https://sourceforge.net/p/giflib/bugs/167/ CVE-2023-47393 (An access control issue in Mercedes me IOS APP v1.34.0 and below allow ...) NOT-FOR-US: Mercedes me IOS APP 
@@ -473,9 +474,11 @@ CVE-2023-48109 (Tenda AX1803 v1.0.0.1 was discovered to contain a heap overflow NOT-FOR-US: Tenda CVE-2023-48090 (GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks in ...) - gpac + [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2680 CVE-2023-48039 (GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak in ...) - gpac + [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2679 CVE-2023-47772 (Contributor+Stored Cross-Site Scripting (XSS) vulnerability in Slider ...) NOT-FOR-US: WordPress plugin @@ -1737,11 +1740,13 @@ CVE-2023-46446 (An issue in AsyncSSH v2.14.0 and earlier allows attackers to con - python-asyncssh (bug #1055999) [bookworm] - python-asyncssh (Minor issue) [bullseye] - python-asyncssh (Minor issue) + [buster] - python-asyncssh (Minor issue) NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm CVE-2023-46445 (An issue in AsyncSSH v2.14.0 and earlier allows attackers to control t ...) - python-asyncssh (bug #1056000) [bookworm] - python-asyncssh (Minor issue) [bullseye] - python-asyncssh (Minor issue) + [buster] - python-asyncssh (Minor issue) NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-cfc2-wr2v-gxm5 CVE-2023-46021 (SQL Injection vulnerability in cancel.php in Code-Projects Blood Bank ...) NOT-FOR-US: Code-Projects Blood Bank @@ -6764,6 +6769,7 @@ CVE-2023-5557 (A flaw was found in the tracker-miners package. A weakness in the - tracker-miners 3.4.5-1 (bug #1053881) [bookworm] - tracker-miners (Minor issue) [bullseye] - tracker-miners (Minor issue) + [buster] - tracker-miners (Minor issue) NOTE: https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/#tracker-miners-seccomp-sandbox-escape NOTE: https://gitlab.gnome.org/GNOME/tracker-miners/-/issues/277 NOTE: https://gitlab.gnome.org/GNOME/tracker-miners/-/merge_requests/480 
@@ -63209,6 +63215,7 @@ CVE-2022-46337 (A cleverly devised username might bypass LDAP authentication che - derby [bookworm] - derby (Minor issue) [bullseye] - derby (Minor issue) + [buster] - derby (Minor issue) NOTE: https://issues.apache.org/jira/browse/DERBY-7147 NOTE: https://www.openwall.com/lists/oss-security/2023/11/19/3 CVE-2022-46336 @@ -481625,6 +481632,7 @@ CVE-2016-1244 (The extractTree function in unADF allows remote attackers to exec - unadf 0.7.11a-6 (bug #838248) [bookworm] - unadf (Minor issue) [bullseye] - unadf (Minor issue) + [buster] - unadf (Minor issue) NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the upstream fix. CVE-2016-1243 (Stack-based buffer overflow
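Review bot: the reason text `(EOL in Buster LTS)` on the two gpac lines in the CVE-2023-48090 / CVE-2023-48039 hunk is a third spelling of the same state on this page: the webkit2gtk entries use `(EOL in buster LTS)` and the earlier gpac entries use `(No longer supported in LTS; Minor issue)`. Pick one string (lowercase suite name, matching the `[buster]` tag) so a search for end-of-life buster entries finds all of them.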
[Git][security-tracker-team/security-tracker][master] Added strongswan to be fixed for LTS.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: deb0f964 by Ola Lundqvist at 2023-11-21T10:50:56+00:00 Added strongswan to be fixed for LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -248,6 +248,9 @@ samba squid NOTE: 20231102: Added by Front-Desk (lamby) -- +strongswan + NOTE: 20231121: Added by Front-Desk (ola) +-- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/deb0f9647143aaa2caf6b3f84c10f19645c11756 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/deb0f9647143aaa2caf6b3f84c10f19645c11756 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Marked composer CVE-2023-43655 as minor issue.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: c196dbfe by Ola Lundqvist at 2023-10-01T19:52:12+00:00 Marked composer CVE-2023-43655 as minor issue. This is only a vulnerability on an improper configuration. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -209,6 +209,7 @@ CVE-2023-43909 (Hospital Management System thru commit 4770d was discovered to c NOT-FOR-US: Hospital Management System CVE-2023-43655 (Composer is a dependency manager for PHP. Users publishing a composer. ...) - composer + [buster] - composer (Minor issue, only a problem when configured improperly) NOTE: https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf NOTE: https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d (1.10.27) NOTE: https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c (2.2.22) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c196dbfe469a19c1ebdde2ddcb8600186a81ff6c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c196dbfe469a19c1ebdde2ddcb8600186a81ff6c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Marked golang-golang-x-image CVEs as no-dsa for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 76ca393a by Ola Lundqvist at 2023-10-01T19:46:41+00:00 Marked golang-golang-x-image CVEs as no-dsa for buster. It is a DoS vulnerability, rather minor and the package has limited support. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23997,11 +23997,13 @@ CVE-2023-29409 (Extremely large RSA keys in certificate chains can cause a clien NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI CVE-2023-29408 (The TIFF decoder does not place a limit on the size of compressed tile ...) - golang-golang-x-image (bug #1043159) + [buster] - golang-golang-x-image (Limited support, minor issue, DoS) NOTE: https://go.dev/issue/61582 NOTE: https://go.dev/cl/514897 NOTE: https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d (v0.10.0) CVE-2023-29407 (A maliciously-crafted image can cause excessive CPU consumption in dec ...) - golang-golang-x-image (bug #1043159) + [buster] - golang-golang-x-image (Limited support, minor issue, DoS) NOTE: https://go.dev/issue/61581 NOTE: https://go.dev/cl/514897 NOTE: https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d (v0.10.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76ca393a095a3c5c8c1190185cb94c04f40d42a8
[Git][security-tracker-team/security-tracker][master] 3 commits: Buster no-dsa for gcc-7 and gcc-8 following bullseye decision.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: aee2a5c4 by Ola Lundqvist at 2023-10-01T19:31:36+00:00 Buster no-dsa for gcc-7 and gcc-8 following bullseye decision. - - - - - 4a2dfb1a by Ola Lundqvist at 2023-10-01T19:38:24+00:00 Marked CVE-2023-39417 as no-dsa. It was postponed for bullseye with motivation minor issue. - - - - - 51dd0620 by Ola Lundqvist at 2023-10-01T19:40:08+00:00 Marked golang-1.11 CVEs as no-dsa following decision for bullseye for later go version. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2418,7 +2418,9 @@ CVE-2023-4039 (A failure in the -fstack-protector feature in GCC-based toolchain - gcc-9 [bullseye] - gcc-9 (Minor issue) - gcc-8 + [buster] - gcc-8 (Minor issue) - gcc-7 + [buster] - gcc-7 (Minor issue) NOTE: https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf CVE-2023-4928 (SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1.) NOT-FOR-US: icms2 @@ -7042,6 +7044,7 @@ CVE-2023-39417 (IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found - postgresql-13 [bullseye] - postgresql-13 (Minor issue, fix along with next round of updates) - postgresql-11 + [buster] - postgresql-11 (Minor issue) NOTE: https://www.postgresql.org/support/security/CVE-2023-39417/ NOTE: https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/ NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=de494ec14f6bd7f2676623a5934723a6c8ba51c2 (REL_15_4) 
@@ -23963,6 +23966,7 @@ CVE-2023-39319 (The html/template package does not apply the proper rules for ha - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://go.dev/issue/62197 NOTE: https://github.com/golang/go/commit/bbd043ff0d6d59f1a9232d31ecd5eacf6507bf6a (go1.21.1) NOTE: https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5 (go1.20.8) @@ -23975,6 +23979,7 @@ CVE-2023-39318 (The html/template package does not properly handle HTML-like "" - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://go.dev/issue/62196 NOTE: https://github.com/golang/go/commit/b0e1d3ea26e8e8fce7726690c9ef0597e60739fb (go1.21.1) NOTE: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c (go1.20.8) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/66bd8cb9d6566f04fab416420beda244574afbe2...51dd0620884170f6b55b366bd729ece9e8d95a0c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/66bd8cb9d6566f04fab416420beda244574afbe2...51dd0620884170f6b55b366bd729ece9e8d95a0c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Added a note about the work needed after upgrade of borgbackup.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 345ff70f by Ola Lundqvist at 2023-10-01T19:18:20+00:00 Added a note about the work needed after upgrade of borgbackup. - - - - - 66bd8cb9 by Ola Lundqvist at 2023-10-01T19:28:31+00:00 Marked a few CVEs as no-dsa for buster following decision for bullseye. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -257,6 +257,7 @@ CVE-2023-44469 (A Server-Side Request Forgery issue in the OpenID Connect Issuer - lemonldap-ng 2.17.1+ds-1 [bookworm] - lemonldap-ng (Minor issue) [bullseye] - lemonldap-ng (Minor issue) + [buster] - lemonldap-ng (Minor issue) NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 NOTE: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ CVE-2023-44466 (An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel ...) 
@@ -1581,26 +1582,32 @@ CVE-2023-43377 (A cross-site scripting (XSS) vulnerability in /hoteldruid/visual - hoteldruid (bug #1052572) [bookworm] - hoteldruid (Minor issue) [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) CVE-2023-43376 (A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php ...) - hoteldruid (bug #1052572) [bookworm] - hoteldruid (Minor issue) [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) CVE-2023-43375 (Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vul ...) - hoteldruid (bug #1052572) [bookworm] - hoteldruid (Minor issue) [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) CVE-2023-43374 (Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerabil ...) - hoteldruid (bug #1052572) [bookworm] - hoteldruid (Minor issue) [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) CVE-2023-43373 (Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerabil ...) - hoteldruid (bug #1052572) [bookworm] - hoteldruid (Minor issue) [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) CVE-2023-43371 (Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerabil ...) - hoteldruid (bug #1052572) [bookworm] - hoteldruid (Minor issue) [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) CVE-2023-43207 (D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command ...) NOT-FOR-US: D-Link CVE-2023-43206 (D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command ...) 
@@ -2455,6 +2462,7 @@ CVE-2023-3865 [ksmbd: fix out-of-bound read in smb2_write] CVE-2023-4813 (A flaw was found in glibc. In an uncommon situation, the gaih_inet fun ...) - glibc 2.36-3 [bullseye] - glibc (Minor issue) + [buster] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28931 NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1c37b8022e8763fedbb3f79c02e05c6acfe5a215 (glibc-2.36) CVE-2023-4806 (A flaw was found in glibc. In an extremely rare situation, the getaddr ...) @@ -10449,6 +10457,7 @@ CVE-2023-36811 (borgbackup is an opensource, deduplicating archiver with compres NOTE: https://github.com/borgbackup/borg/commit/449cd51b73b0710a940af8cefe74793ce81563f4 NOTE: https://github.com/borgbackup/borg/commit/f334ef1b4de2f8a359ededa41ce13358b81e63c1 NOTE: https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-2-5-archives-spoofing-vulnerability-cve-2023-36811 + NOTE: Requires significant work to check and repair a repo after the upgrade. CVE-2023-36466 (Discourse is an open source discussion platform. When editing a topic, ...) NOT-FOR-US: Discourse CVE-2023-35802 (IQ Engine before 10.6r1 on Extreme Network AP devices has a Buffer Ove ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/93bfc42850c9f06c82dc245db2e046ab3b68def0...66bd8cb9d6566f04fab416420beda244574afbe2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/93bfc42850c9f06c82dc245db2e046ab3b68def0...66bd8cb9d6566f04fab416420beda244574afbe2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Marked a few CVEs as end-of-life for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 56490f6a by Ola Lundqvist at 2023-09-29T18:46:49+00:00 Marked a few CVEs as end-of-life for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -519,6 +519,7 @@ CVE-2023-41078 (An authorization issue was addressed with improved state managem TODO: check CVE-2023-41074 (The issue was addressed with improved checks. This issue is fixed in t ...) - webkit2gtk 2.42.0-1 + [buster] - webkit2gtk (EOL in buster LTS) - wpewebkit 2.42.0-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0009.html @@ -575,6 +576,7 @@ CVE-2023-40452 (The issue was addressed with improved bounds checks. This issue CVE-2023-40451 (This issue was addressed with improved iframe sandbox enforcement. Thi ...) {DSA-5468-1} - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (EOL in buster LTS) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0009.html @@ -649,6 +651,7 @@ CVE-2023-40330 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Mi CVE-2023-39434 (A use-after-free issue was addressed with improved memory management. ...) {DSA-5468-1} - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (EOL in buster LTS) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0009.html @@ -671,6 +674,7 @@ CVE-2023-35793 (An issue was discovered in Cassia Access Controller 2.1.1.230327 CVE-2023-35074 (The issue was addressed with improved memory handling. This issue is f ...) {DSA-5396-1} - webkit2gtk 2.40.0-1 + [buster] - webkit2gtk (EOL in buster LTS) - wpewebkit 2.40.2-2 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0009.html 
@@ -1210,6 +1214,7 @@ CVE-2023-42279 (Dreamer CMS 4.1.3 is vulnerable to SQL Injection.) NOT-FOR-US: Dreamer CMS CVE-2023-41993 (The issue was addressed with improved checks. This issue is fixed in S ...) - webkit2gtk 2.42.1-1 + [buster] - webkit2gtk (EOL in buster LTS) - wpewebkit 2.42.1-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0009.html @@ -2090,6 +2095,7 @@ CVE-2023-3280 (A problem with a protection mechanism in the Palo Alto Networks C NOT-FOR-US: Palo Alto Networks CVE-2023-39928 [A malicious web page can cause memory corruption and potentially arbitrary code execution] - webkit2gtk 2.42.0-1 + [buster] - webkit2gtk (EOL in buster LTS) - wpewebkit 2.42.0-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0009.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56490f6ace0a0e70202d214015e58c73229b93f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56490f6ace0a0e70202d214015e58c73229b93f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Added gst-plugins-bad1.0 to dla-needed following decision for bookworm.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 55bc8f67 by Ola Lundqvist at 2023-09-28T21:12:17+00:00 Added gst-plugins-bad1.0 to dla-needed following decision for bookworm. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -90,6 +90,9 @@ gerbv (Adrian Bunk) NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230918: DLA coming soon. (bunk) -- +gst-plugins-bad1.0 + NOTE: 20230928: Added by Frond-Desk (ola) +-- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55bc8f6749516574fd86d87f0a1a85d029bffb4f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55bc8f6749516574fd86d87f0a1a85d029bffb4f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
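Review bot: typo in the added dla-needed.txt line `NOTE: 20230928: Added by Frond-Desk (ola)`; every other entry on the page spells it `Front-Desk`, so correct it to keep the notes consistent and greppable.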
[Git][security-tracker-team/security-tracker][master] Added exim4 to dla-needed following decision for bookworm.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: e8e75c4c by Ola Lundqvist at 2023-09-28T20:54:35+00:00 Added exim4 to dla-needed following decision for bookworm. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,6 +66,9 @@ dogecoin exiv2 NOTE: 20230906: Added by Front-Desk (lamby) -- +exim4 + NOTE: 20230928: Added by Front-Desk (ola) +-- firefox-esr (Emilio) NOTE: 20230926: Added by pochu NOTE: 20230926: updating to ESR 115.3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8e75c4caff976f5190794e8fb9afb1abe56e127 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8e75c4caff976f5190794e8fb9afb1abe56e127 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Added python-reportlab to dla-needed since it has been fixed in all later...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: a978d068 by Ola Lundqvist at 2023-09-26T14:24:52+00:00 Added python-reportlab to dla-needed since it has been fixed in all later releases and seems to be important. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -181,6 +181,9 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +python-reportlab + NOTE: 20230926: Added by Front-Desk (ola) +-- qemu NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Consider fixing postponed issues as well. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a978d0687ced6aeb538ab720b57495df3a65a23b
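Review bot: the rationale in the commit message (fixed in all later releases, looks important) is exactly what the person picking up python-reportlab needs, but it lives only in git history. Put it in the entry, e.g. a NOTE along the lines of "NOTE: 20230926: Fixed in all later releases; looks important (ola)", together with the CVE id, in the same style as the qemu entry's "Consider fixing postponed issues as well. (apo)" note below it.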
[Git][security-tracker-team/security-tracker][master] 2 commits: Added trafficserver to dla-needed with a note about low prio due to few users.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: abd42ec2 by Ola Lundqvist at 2023-06-19T07:17:24+02:00 Added trafficserver to dla-needed with a note about low prio due to few users. - - - - - c6fd8a48 by Ola Lundqvist at 2023-06-19T07:17:24+02:00 Marked a number of no-dsa entries for gpac in buster as end-of-life instead. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -69862,7 +69862,7 @@ CVE-2022-36127 (A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1 CVE-2022-2454 (Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to ...) {DSA-5411-1} - gpac 2.0.0+dfsg1-4 (bug #1015788) - [buster] - gpac (Minor issue) + [buster] - gpac (No longer supported in LTS; Minor issue) NOTE: https://huntr.dev/bounties/105d40d0-46d7-461e-9f8e-20c4cdea925f NOTE: https://github.com/gpac/gpac/commit/faa75edde3dfeba1e2cf6ffa48e45a50f1042096 CVE-2022-2453 (Use After Free in GitHub repository gpac/gpac prior to 2.1-DEV.) @@ -88632,7 +88632,7 @@ CVE-2022-29538 (RESI Gemini-Net Web 4.2 is affected by Improper Access Control i CVE-2022-29537 (gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has a hea ...) {DSA-5411-1} - gpac 2.0.0+dfsg1-4 (bug #1016443) - [buster] - gpac (Minor issue) + [buster] - gpac (No longer supported in LTS; Minor issue) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2173 NOTE: Fixed by: https://github.com/gpac/gpac/commit/1773b7a34bc08734aee7d3f5dfe65d06389fe15a 
@@ -96271,7 +96271,7 @@ CVE-2022-26968 CVE-2022-26967 (GPAC 2.0 allows a heap-based buffer overflow in gf_base64_encode. It c ...) {DSA-5411-1} - gpac 2.0.0+dfsg1-4 (bug #1007224) - [buster] - gpac (Minor issue) + [buster] - gpac (No longer supported in LTS; Minor issue) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2138 NOTE: https://github.com/gpac/gpac/commit/ea1eca00fd92fa17f0e25ac25652622924a9a6a0 @@ -111818,7 +111818,7 @@ CVE-2021-46052 (A Denial of Service vulnerability exists in Binaryen 104 due to CVE-2021-46051 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the Media ...) {DSA-5411-1} - gpac 2.0.0+dfsg1-2 - [buster] - gpac (Minor issue) + [buster] - gpac (No longer supported in LTS; Minor issue) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2011 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f (v2.0.0) @@ -111829,7 +111829,7 @@ CVE-2021-46050 (A Stack Overflow vulnerability exists in Binaryen 103 via the pr CVE-2021-46049 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the gf_fi ...) {DSA-5411-1} - gpac 2.0.0+dfsg1-2 - [buster] - gpac (Minor issue) + [buster] - gpac (No longer supported in LTS; Minor issue) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2013 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f (v2.0.0) 
@@ -111840,70 +111840,70 @@ CVE-2021-46048 (A Denial of Service vulnerability exists in Binaryen 104 due to CVE-2021-46047 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the gf_hi ...) {DSA-5411-1} - gpac 2.0.0+dfsg1-2 - [buster] - gpac (Minor issue) + [buster] - gpac (No longer supported in LTS; Minor issue) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2008 NOTE: https://github.com/gpac/gpac/commit/dd2e8b1b9378a9679de8e7e5dcb2d7841acd5dbd (v2.0.0) CVE-2021-46046 (A Pointer Derefernce Vulnerbility exists GPAC 1.0.1 the gf_isom_box_si ...) {DSA-5411-1} - gpac 2.0.0+dfsg1-2 - [buster] - gpac (Minor issue) + [buster] - gpac (No longer supported in LTS; Minor issue) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2005 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f (v2.0.0) CVE-2021-46045 (GPAC 1.0.1 is affected by: Abort failed. The impact is: cause a denial ...) {DSA-5411-1} - gpac 2.0.0+dfsg1-2 - [buster] - gpac (Minor issue) + [buster] - gpac (No longer supported in LTS; Minor issue) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2007 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f (v2.0.0) CVE-2021-46044 (A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1via ShiftMetaOf ...) {DSA
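Review bot: in every gpac hunk the new buster line reads "(No longer supported in LTS; Minor issue)", which keeps the old no-dsa reason next to the end-of-life one. The commit message says these entries are being marked end-of-life "instead" of no-dsa, and the stretch lines in the same entries use plain "(No longer supported in LTS)", so drop "; Minor issue" and use the stretch wording for buster too; a mixed reason makes it unclear which decision actually applies. Separately, the first commit in this push adds trafficserver to dla-needed, and data/dla-needed.txt is listed among the changed files, but that hunk is not in the posted diff, which breaks off in the middle of the CVE/list changes, so the "low prio due to few users" note could not be reviewed here.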
[Git][security-tracker-team/security-tracker][master] Added php-dompdf to dla-needed with a note about low prio.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 15d8fb71 by Ola Lundqvist at 2023-06-18T22:25:11+02:00 Added php-dompdf to dla-needed with a note about low prio. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -140,6 +140,10 @@ php-cas (tobi) NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS for reference (Beuc/front-desk) NOTE: 20221110: a DSA is planned (Beuc/front-desk) -- +php-dompdf + NOTE: 20230618: Added by Front-Desk (opal) + NOTE: 20230618: Low priority but higher than to not fix it. +-- python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15d8fb714be841a1ba4859903f5d5e8dffe24c26
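Review bot: the second NOTE for php-dompdf, "Low priority but higher than to not fix it.", is hard to parse; suggest "Low priority, but worth fixing rather than marking it no-dsa." Also add the CVE id(s) being tracked, since the entry gives no way to tell which issues the low priority applies to.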
[Git][security-tracker-team/security-tracker][master] 3 commits: Added sabnzbdplus to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 61a98063 by Ola Lundqvist at 2023-06-18T22:06:32+02:00 Added sabnzbdplus to dla-needed. - - - - - 75065857 by Ola Lundqvist at 2023-06-18T22:10:18+02:00 Added ruby-doorkeeper to dla-needed. - - - - - 166b377d by Ola Lundqvist at 2023-06-18T22:13:44+02:00 Marked tomcat9 CVE-2023-23998 as no-dsa for buster. The reasoning is that the same CVE for libcommons-fileupload-java is declared as no-dsa and minor issue. Since that will not be fixed there is no point to try to fix tomcat9 since it depends on libcommons-fileupload-java to be fixed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -23244,6 +23244,7 @@ CVE-2023-24999 (HashiCorp Vault and Vault Enterprise\u2019s approle auth method CVE-2023-24998 (Apache Commons FileUpload before 1.5 does not limit the number of requ ...) - tomcat10 10.1.5-1 - tomcat9 9.0.70-2 + [buster] - tomcat9 (Minor issue) - libcommons-fileupload-java 1.4-2 (bug #1031733) [bullseye] - libcommons-fileupload-java (Minor issue) [buster] - libcommons-fileupload-java (Minor issue) = data/dla-needed.txt = @@ -185,6 +185,9 @@ ring (Thorsten Alteholz) NOTE: 20230507: testing package NOTE: 20230605: upload timing could be improved here -- +ruby-doorkeeper + NOTE: 20230618: Added by Front-Desk (opal) +-- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby) 
@@ -198,6 +201,9 @@ ruby-rails-html-sanitizer ruby-redcloth NOTE: 20230612: Added by Front-Desk (apo) -- +sabnzbdplus + NOTE: 20230618: Added by Front-Desk (opal) +-- salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/077def48d552c9589362dbc35fd97d8679d74065...166b377d5a04c11b210e8a9b5c0d92f409144d19
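Review bot: the CVE id in the third commit message does not match the hunk: the message says tomcat9 CVE-2023-23998 was marked, but the changed entry is CVE-2023-24998 (Apache Commons FileUpload). The git message cannot be amended now, but the mismatch is worth a follow-up note so nobody goes looking for a CVE-2023-23998 change. The reasoning given in the message (tomcat9 cannot be fixed until libcommons-fileupload-java is, and that one is no-dsa/minor in buster and bullseye) is also only in git; put it into the reason text, e.g. "[buster] - tomcat9 (Minor issue; follows the libcommons-fileupload-java decision)", so the next triager sees it in the tracker.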
[Git][security-tracker-team/security-tracker][master] 4 commits: Marked golang-1.11 CVEs as no-dsa for buster following bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bc45273 by Ola Lundqvist at 2023-06-18T21:46:34+02:00 Marked golang-1.11 CVEs as no-dsa for buster following bullseye. - - - - - 22287c80 by Ola Lundqvist at 2023-06-18T21:49:11+02:00 Marked golang-1.11 CVE-29403 as no-dsa in buster due to limited support. - - - - - b6da7d0e by Ola Lundqvist at 2023-06-18T21:51:30+02:00 Marked golang-1.11 CVEs as postponed due to limited support. - - - - - 077def48 by Ola Lundqvist at 2023-06-18T22:00:40+02:00 Marked node-matrix-js-sdk as postponed for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9601,6 +9601,7 @@ CVE-2023-29405 (The go command may execute arbitrary code at build time when usi [bookworm] - golang-1.19 (Minor issue) - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support) NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924 NOTE: https://github.com/golang/go/issues/60306 NOTE: https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 (go1.20.5) @@ -9614,6 +9615,7 @@ CVE-2023-29404 (The go command may execute arbitrary code at build time when usi [bookworm] - golang-1.19 (Minor issue) - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support) NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924 NOTE: https://github.com/golang/go/issues/60305 NOTE: https://github.com/golang/go/commit/356a419e2f811b65d227abcea1a346f8dcb154e0 (go1.20.5) @@ -9624,6 +9626,7 @@ CVE-2023-29403 (On Unix platforms, the Go runtime does not behave differently wh - golang-1.19 1.19.10-2 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support) NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924 NOTE: https://github.com/golang/go/issues/60272 NOTE: https://github.com/golang/go/commit/36144ba429ef2650940c72e7a0b932af3612d420 (go1.20.5) 
@@ -9634,6 +9637,7 @@ CVE-2023-29402 (The go command may generate unexpected code at build time when u - golang-1.19 1.19.10-2 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support) NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924 NOTE: https://github.com/golang/go/issues/60167 NOTE: https://github.com/golang/go/commit/c0ed873cd8259f16d0da67eee783fda49f45ef61 (go1.20.5) @@ -9651,6 +9655,7 @@ CVE-2023-29400 (Templates containing actions in unquoted HTML attributes (e.g. " [bullseye] - golang-1.19 (Minor issue) - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU NOTE: https://github.com/golang/go/issues/59722 NOTE: https://github.com/golang/go/commit/9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5 (go1.19.9) @@ -24585,6 +24590,7 @@ CVE-2023-24540 (Not all valid JavaScript whitespace characters are considered to [bullseye] - golang-1.19 (Minor issue) - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU NOTE: https://github.com/golang/go/issues/59721 NOTE: https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797 (go1.19.9) @@ -24597,6 +24603,7 @@ CVE-2023-24539 (Angle brackets (<>) are not considered dangerous characters when [bullseye] - golang-1.19 (Minor issue) - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU NOTE: https://github.com/golang/go/issues/59720 NOTE: https://github.com/golang/go/commit/e49282327b05192e46086bf25fd3ac691205fe80 (go1.19.9) 
@@ -61025,16 +61032,19 @@ CVE-2022-39252 (matrix-rust-sdk is an implementation of a Matrix client-server l NOT-FOR-US: matrix-rust-sdk CVE-2022-39251 (Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. ...) - node-matrix-js-sdk (bug #1021136) + [buster] - node-matrix-js-sdk (Can wait for next update) NOTE: https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c NOTE: https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76 NOTE: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients CVE-2022-39250 (Matrix JavaScript SDK is the Matrix Client-Server software development ...) - node-matrix-js-sdk (bug #1021136) + [buster] - node-matrix-js-sdk (Can wait for next update) NOTE: https://github.com/matrix
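Review bot: the golang-1.11 hunks for CVE-2023-29405, -29404, -29403 and -29402 all add the bare reason "(Limited support)", although the three commits describe three different decisions (no-dsa following bullseye, no-dsa due to limited support, postponed due to limited support); as posted, the added lines are indistinguishable, so make sure the status keyword on each line reflects the intended decision, and prefer the fuller reason this package already uses for buster in the CVE-2022-41717 entry, "(Limited support, follow bullseye DSAs/point-releases)", so the golang-1.11 lines stay greppable as one set. The second commit message also gives the id as "CVE-29403", missing the year; the entry changed is CVE-2023-29403.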
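Review bot: for the node-matrix-js-sdk hunks (CVE-2022-39251 and CVE-2022-39250) the reason "Can wait for next update" is added to entries that are still unfixed in unstable (bug #1021136, no fixed version) and whose NOTE points at an upstream post titled "upgrade now to address encryption vulns in matrix sdks and clients". Postponing an issue upstream calls urgent needs a stated reason (e.g. why buster's version is not exposed, or who is expected to do the "next update"); add that to the reason text or a NOTE.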
[Git][security-tracker-team/security-tracker][master] Marked golang-golang-x-net-dev CVE-2022-41717 and CVE-2022-27664 as postponed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 00d9ac0a by Ola Lundqvist at 2023-06-18T21:41:44+02:00 Marked golang-golang-x-net-dev CVE-2022-41717 and CVE-2022-27664 as postponed. Following the decision for golang-1.11 package. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54866,6 +54866,7 @@ CVE-2022-41717 (An attacker can cause excessive memory growth in a Go server acc [buster] - golang-1.11 (Limited support, follow bullseye DSAs/point-releases) - golang-golang-x-net 1:0.4.0+dfsg-1 - golang-golang-x-net-dev + [buster] - golang-golang-x-net-dev (Limited support, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU NOTE: https://go.dev/issue/56350 NOTE: https://github.com/golang/go/commit/618120c165669c00a1606505defea6ca755cdc27 (go1.19.4) @@ -94168,6 +94169,7 @@ CVE-2022-27664 (In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attack [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-golang-x-net 1:0.0+git20221012.0b7e1fb+dfsg-1 - golang-golang-x-net-dev + [buster] - golang-golang-x-net-dev (Limited support, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s NOTE: https://github.com/golang/go/issues/54658 NOTE: https://github.com/golang/go/commit/9cfe4e258b1c9d4a04a42539c21c7bdb2e227824 (go1.19.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00d9ac0a31fd26db3ef729e75113317349fa51dd
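Review bot: in the CVE-2022-27664 hunk the golang-1.11 buster line it is meant to follow reads "(Limited support, minor issue, follow bullseye DSAs/point-releases)", but the added golang-golang-x-net-dev line drops "minor issue". If the decision really follows golang-1.11, as the commit message says, copy the reason text verbatim for both CVEs so the two packages do not look as if they were triaged differently.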
[Git][security-tracker-team/security-tracker][master] 5 commits: Marked gpac CVE-2023-3291 end-of-life.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 08297450 by Ola Lundqvist at 2023-06-18T21:34:53+02:00 Marked gpac CVE-2023-3291 end-of-life. - - - - - f19d2d30 by Ola Lundqvist at 2023-06-18T21:34:54+02:00 Marked librabbitmq CVE-2023-35789 no-dsa for buster. - - - - - e7c1e16b by Ola Lundqvist at 2023-06-18T21:34:56+02:00 Marked nuget CVE-2023-29337 as postponed for buster. - - - - - 43f72ef6 by Ola Lundqvist at 2023-06-18T21:34:57+02:00 Marked renderdoc CVE-2023-33865 as postponed for buster. - - - - - 931ea83c by Ola Lundqvist at 2023-06-18T21:34:59+02:00 Marked php-react-http CVE-2023-26044 as no-dsa for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28,6 +28,7 @@ CVE-2023-35789 (An issue was discovered in the C AMQP client library (aka rabbit - librabbitmq (bug #1037322) [bookworm] - librabbitmq (Minor issue) [bullseye] - librabbitmq (Minor issue) + [buster] - librabbitmq (Minor issue) NOTE: https://github.com/alanxz/rabbitmq-c/issues/575 NOTE: https://github.com/alanxz/rabbitmq-c/commit/463054383fbeef889b409a7f843df5365288e2a0 CVE-2023-34459 (OpenZeppelin Contracts is a library for smart contract development. St ...) @@ -92,6 +93,7 @@ CVE-2023-2783 (Mattermost Apps Framework fails to verify that a secret provided - mattermost-server (bug #823556) CVE-2023-3291 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.2 ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/526954e6-8683-4697-bfa2-886c3204a1d5/ NOTE: https://github.com/gpac/gpac/commit/6a748ccc3f76ff10e3ae43014967ea4b0c088aaf CVE-2023-3268 (An out of bounds (OOB) memory access flaw was found in the Linux kerne ...) 
@@ -990,6 +992,7 @@ CVE-2020-36705 (The Adning Advertising plugin for WordPress is vulnerable to arb NOT-FOR-US: Adning Advertising plugin for WordPress CVE-2023-33865 (RenderDoc through 1.26 allows local privilege escalation via a symlink ...) - renderdoc (bug #1037208) + [buster] - renderdoc (Can wait for next update) NOTE: https://www.openwall.com/lists/oss-security/2023/06/06/3 NOTE: https://github.com/baldurk/renderdoc/commit/601ed56111ce3803d8476d438ade1c92d6092856 (v1.27) NOTE: https://github.com/baldurk/renderdoc/commit/e0464fea4f9a7f149c4ee1d84e5ac57839a4a862 (v1.27) @@ -9906,6 +9909,7 @@ CVE-2023-29338 (Visual Studio Code Information Disclosure Vulnerability) NOT-FOR-US: Microsoft CVE-2023-29337 (NuGet Client Remote Code Execution Vulnerability) - nuget + [buster] - nuget (Can wait for next update) NOTE: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337 CVE-2023-29336 (Win32k Elevation of Privilege Vulnerability) NOT-FOR-US: Microsoft 
@@ -20042,6 +20046,7 @@ CVE-2023-26045 RESERVED CVE-2023-26044 (react/http is an event-driven, streaming HTTP client and server implem ...) - php-react-http + [buster] - php-react-http (Minor issue) NOTE: https://github.com/reactphp/http/security/advisories/GHSA-95x4-j7vc-h8mf NOTE: https://github.com/reactphp/http/commit/b3594f7936b92f9fc2d5f9e84dc01bdb95a72167 (v1.9.0) TODO: check, is embedded inicinga-php-thirdparty, icingaweb2-module-reactbundle possibly affected View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/76306029fa98d8a35037fd5816c2465eacaa3997...931ea83cef1093b2aa3cbb44b921de8c6f16b7ac
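Review bot: the gpac CVE-2023-3291 line uses the reason "(EOL in buster LTS)", while the other gpac buster end-of-life entries in this tracker use "(No longer supported in LTS)". Pick one wording for all the gpac entries; anyone listing the buster end-of-life packages by searching the reason text will otherwise miss this one.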
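Review bot: the nuget hunk postpones CVE-2023-29337 with "(Can wait for next update)" on an entry whose only content is the title "NuGet Client Remote Code Execution Vulnerability" and an MSRC link; nothing in the entry says why an RCE can wait (whether buster's nuget is affected, a missing upstream fix, low exposure). Record that rationale in the reason text or a NOTE, since the entry gives a later triager nothing to go on.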
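Review bot: the php-react-http hunk marks only php-react-http for buster, while the entry's TODO ("check, is embedded in icinga-php-thirdparty, icingaweb2-module-reactbundle possibly affected") stays open. The buster annotation does not answer that question; either the embedded copies need their own lines or the TODO should say they have been checked.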
[Git][security-tracker-team/security-tracker][master] Marked qtsvg-opensource-src CVE-2023-32573 as no-dsa for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: f871edfc by Ola Lundqvist at 2023-06-18T10:30:15+02:00 Marked qtsvg-opensource-src CVE-2023-32573 as no-dsa for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3741,6 +3741,7 @@ CVE-2023- [several critical memory corruption vulnerabilities] CVE-2023-32573 (In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x thro ...) - qt6-svg 6.4.2-2 - qtsvg-opensource-src 5.15.8-3 + [buster] - qtsvg-opensource-src (Minor issue) - qt4-x11 NOTE: https://codereview.qt-project.org/c/qt/qtsvg/+/474093 NOTE: https://lists.qt-project.org/pipermail/announce/2023-May/000411.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f871edfc00c58a1a1ff9127769627f517ceb75e9
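Review bot: the same CVE-2023-32573 entry lists "- qt4-x11" directly under the changed line, with no fixed version and no release annotation. The buster decision was taken for qtsvg-opensource-src only; if the qt4-x11 source in buster carries the same SVG code it needs its own [buster] line with the same decision, and if it does not, a short reason on the qt4-x11 line would stop the next triager from re-asking.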
[Git][security-tracker-team/security-tracker][master] 2 commits: Marked qtbase-opensource-src CVEs as no-dsa following decision for bullseye or bookworm.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 1497f27f by Ola Lundqvist at 2023-06-18T10:26:21+02:00 Marked qtbase-opensource-src CVEs as no-dsa following decision for bullseye or bookworm. CVE-2023-34410 CVE-2023-33285 and CVE-2023-32763 - - - - - dbb2afa8 by Ola Lundqvist at 2023-06-18T10:26:22+02:00 Marked qtbase-opensource-src CVE-2023-32762 as postponed for buster. It is a little problematic but is not important enough to be fixed on its own. It is not an issue with the most common string casing and also it is only a problem together with http links. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1469,6 +1469,7 @@ CVE-2023-34410 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, - qt6-base 6.4.2+dfsg-11 (bug #1037209) [bookworm] - qt6-base (Minor issue) - qtbase-opensource-src 5.15.8+dfsg-12 (bug #1037210) + [buster] - qtbase-opensource-src (Minor issue) - qtbase-opensource-src-gles [bookworm] - qtbase-opensource-src-gles (Minor issue) [bullseye] - qtbase-opensource-src-gles (Minor issue) @@ -2787,6 +2788,7 @@ CVE-2023-33285 (An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2 - qt6-base 6.4.2+dfsg-10 (bug #1036848) [bookworm] - qt6-base (Minor issue) - qtbase-opensource-src 5.15.8+dfsg-11 + [buster] - qtbase-opensource-src (Minor issue) - qtbase-opensource-src-gles [bookworm] - qtbase-opensource-src-gles (Minor issue) [bullseye] - qtbase-opensource-src-gles (Minor issue) @@ -2948,6 +2950,7 @@ CVE-2019-25137 (Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Co CVE-2023-32763 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6. ...) - qt6-base 6.4.2+dfsg-8 - qtbase-opensource-src 5.15.8+dfsg-10 + [buster] - qtbase-opensource-src (Minor issue) - qtbase-opensource-src-gles 5.15.8+dfsg-3 (bug #1036702) [bullseye] - qtbase-opensource-src-gles (Minor issue) - qt4-x11 
@@ -2959,6 +2962,7 @@ CVE-2023-32763 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, CVE-2023-32762 (An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6. ...) - qt6-base 6.4.2+dfsg-9 - qtbase-opensource-src 5.15.8+dfsg-10 + [buster] - qtbase-opensource-src (Can wait for next upload) - qtbase-opensource-src-gles (Not built in GLES variant) NOTE: https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305 CVE-2023-34408 (DokuWiki before 2023-04-04a allows XSS via RSS titles.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5627e3f626e0fa4af12d3dbd617cff2395b3386c...dbb2afa8aa38900e49363bcfd7f68e10386e11af
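Review bot: for the CVE-2023-32762 hunk the commit message carries the actual assessment (only a problem with an uncommon string casing, and only together with http links), but the tracker line says just "(Can wait for next upload)". Move that reasoning into the reason text or a NOTE so it is visible where the decision is read. Also, this line says "next upload" whereas the other postponed entries in this batch say "next update" (nuget, renderdoc, node-matrix-js-sdk); use one phrasing.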
[Git][security-tracker-team/security-tracker][master] 3 commits: Marked nagvis CVE-2022-46945 as no-dsa following bullseye decision.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 618740db by Ola Lundqvist at 2023-06-16T23:42:14+02:00 Marked nagvis CVE-2022-46945 as no-dsa following bullseye decision. - - - - - 3682307e by Ola Lundqvist at 2023-06-16T23:42:16+02:00 Marked wireshark CVE-2023-0667 as no-dsa for buster following bullseye decision. - - - - - 1679961e by Ola Lundqvist at 2023-06-16T23:42:16+02:00 Added syncthing to dla-needed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -22674,6 +22674,7 @@ CVE-2023-0667 (Due to failure in validating the length provided by an attacker-c {DSA-5429-1} - wireshark 4.0.6-1 [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://takeonme.org/cves/CVE-2023-0667.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19086 CVE-2023-0666 (Due to failure in validating the length provided by an attacker-crafte ...) @@ -36772,6 +36773,7 @@ CVE-2022-46946 (Helmet Store Showroom Site v1.0 was discovered to contain a SQL CVE-2022-46945 (Nagvis before 1.9.34 was discovered to contain an arbitrary file read ...) - nagvis 1:1.9.34-1 [bullseye] - nagvis (Minor issue) + [buster] - nagvis (Minor issue) NOTE: https://github.com/NagVis/nagvis/commit/71aba7f46f79d846e1df037f165d206a2cd1d22a (nagvis-1.9.34) CVE-2022-46944 RESERVED = data/dla-needed.txt = 
@@ -207,6 +207,9 @@ samba (Lee Garrett) NOTE: 20220904: Many postponed or open CVE in general. (apo) NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee) -- +syncthing + NOTE: 20230616: Added by Front-Desk (opal) +-- webkit2gtk (Emilio) NOTE: 20230512: Re-added (pochu) NOTE: 20230512: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/178e878ea2a0dc1108234306f9dc67844d0ab7aa...1679961e87a6e74aaee6f44dd4c81105af295fd3
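Review bot: the wireshark CVE-2023-0667 hunk adds a buster "(Minor issue)" line "following bullseye decision", but the same entry carries {DSA-5429-1} right above the bullseye "(Minor issue)" annotation. Worth confirming which suite that DSA covered for this CVE before copying the bullseye decision to buster: if the DSA fixed it in bullseye, the "minor issue, no DSA" reasoning no longer holds there and the buster line should say on what basis it is minor.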
[Git][security-tracker-team/security-tracker][master] Added libx11 to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 944fcbc4 by Ola Lundqvist at 2023-06-15T22:45:06+02:00 Added libx11 to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,6 +88,9 @@ libreoffice (Abhijith PA) libusrsctp NOTE: 20230612: Added by Front-Desk (opal) -- +libx11 + NOTE: 20230615: Added by Front-Desk (opal) +-- linux (Ben Hutchings) NOTE: 20230111: perma-added (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/944fcbc4102d24d68fd0336271653bad4bdfee87
[Git][security-tracker-team/security-tracker][master] Marked golang-github-gin-gonic-gin CVE-2023-29401 as no-dsa (minor issue) for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: d2ec5a05 by Ola Lundqvist at 2023-06-15T22:36:50+02:00 Marked golang-github-gin-gonic-gin CVE-2023-29401 as no-dsa (minor issue) for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9475,6 +9475,7 @@ CVE-2023-29402 (The go command may generate unexpected code at build time when u NOTE: https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f (go.1.19.10) CVE-2023-29401 (The filename parameter of the Context.FileAttachment function is not p ...) - golang-github-gin-gonic-gin (bug #1037530) + [buster] - golang-github-gin-gonic-gin (Minor issue) NOTE: https://github.com/gin-gonic/gin/issues/3555 NOTE: https://github.com/gin-gonic/gin/commit/2d4bbec941551479b1fdf1e54ece03e6e82a7e72 (v1.9.1) CVE-2023-29400 (Templates containing actions in unquoted HTML attributes (e.g. "attr={ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2ec5a0555ef9d261c6f61a6d24426508219a601
[Git][security-tracker-team/security-tracker][master] 3 commits: Added python-mechanize to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 01c88224 by Ola Lundqvist at 2023-06-15T22:23:45+02:00 Added python-mechanize to dla-needed. - - - - - 1b93beb5 by Ola Lundqvist at 2023-06-15T22:23:46+02:00 Marked rust-h2 CVE-2023-26964 as no-dsa (minor issue) for buster. - - - - - a3aae462 by Ola Lundqvist at 2023-06-15T22:23:48+02:00 Marked jackson-databind CVE-2023-35116 as no-dsa (minor issue) for buster. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -89,6 +89,7 @@ CVE-2023-3036 (An unchecked read in NTP server in github.com/cloudflare/cfnts pr TODO: check CVE-2023-35116 (An issue was discovered jackson-databind thru 2.15.2 allows attackers ...) - jackson-databind + [buster] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/3972 CVE-2023-35110 (An issue was discovered jjson thru 0.1.7 allows attackers to cause a d ...) TODO: check @@ -17401,6 +17402,7 @@ CVE-2023-26965 (loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a h TODO: check CVE-2023-26964 (An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occ ...) - rust-h2 0.3.13-2 (bug #1034723) + [buster] - rust-h2 (Minor issue) NOTE: https://github.com/hyperium/hyper/issues/2877 NOTE: https://github.com/hyperium/h2/commit/5bc8e72e5fcbd8ae2d3d9bc78a1c0ef0040bcc39 (v0.3.17) NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0034.html = data/dla-needed.txt = 
@@ -141,6 +141,9 @@ python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +python-mechanize + NOTE: 20230614: Added by Front-Desk (opal) +-- python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f95f32127b4f4527bfec3a21ad4c836171d5aa0f...a3aae462df9892ff4ebd50712952c8d8e7c04e66
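Review bot: the python-mechanize NOTE is stamped 20230614 while the commit that adds it is dated 2023-06-15; the other entries added in this batch (libx11, wordpress) carry the commit date. The date on the "Added by Front-Desk" line is what people use to see how long an entry has been waiting, so it should match the day it was added.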
[Git][security-tracker-team/security-tracker][master] Marked yajl CVE-2023-33460 as postponed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: defddfbb by Ola Lundqvist at 2023-06-14T23:19:29+02:00 Marked yajl CVE-2023-33460 as postponed. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1042,6 +1042,7 @@ CVE-2023-33477 (In Harmonic NSG 9000-6G devices, an authenticated remote user ca NOT-FOR-US: Harmonic NSG 9000-6G devices CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse functi ...) - yajl + [buster] - yajl (Minor issue) NOTE: https://github.com/lloyd/yajl/issues/250 CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in URIParser::parse , ...) NOT-FOR-US: Sogou Workflow View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/defddfbb8f457128e03ef60feb5f6c6be56f771d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/defddfbb8f457128e03ef60feb5f6c6be56f771d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
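Review bot: the commit message says yajl CVE-2023-33460 was marked postponed, but the added line as rendered here, "[buster] - yajl (Minor issue)", has the same shape as the no-dsa markings in the neighbouring commits (tang, 389-ds-base, frr); please verify that the entry carries the postponed marker rather than a no-dsa one, and consider stating in the reason text why it is postponed rather than dismissed, given that the CVE line itself describes a memory leak in yajl_tree_parse and issue 250 is the only NOTE.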
[Git][security-tracker-team/security-tracker][master] Added wordpress to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: f5a29e4e by Ola Lundqvist at 2023-06-14T23:07:22+02:00 Added wordpress to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -212,6 +212,9 @@ webkit2gtk (Emilio) NOTE: 20230606: one issue remaining (cmake), but call for testing sent out already: NOTE: 20230606: https://lists.debian.org/debian-lts/2023/06/msg5.html (pochu) -- +wordpress + NOTE: 20230614: Added by Front-Desk (opal) +-- xmltooling (Santiago) NOTE: 20230613: Added by Santiago NOTE: 20230613: According to dsa-needed, maintainers will prepare updates. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5a29e4e89ea67dfed237e91eb5c4508db7f4bed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5a29e4e89ea67dfed237e91eb5c4508db7f4bed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Added opensc to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 43340316 by Ola Lundqvist at 2023-06-14T22:40:24+02:00 Added opensc to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -123,6 +123,9 @@ openjdk-11 (Emilio) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu) -- +opensc + NOTE: 20230614: Added by Front-Desk (opal) +-- owslib (Adrian Bunk) NOTE: 20230514: Added by Front-Desk (utkarsh) NOTE: 20230514: also in dsa-needed. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43340316ba95ca70bd9c25ee1e24ef30814442ff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43340316ba95ca70bd9c25ee1e24ef30814442ff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Added minidlna to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: b5d1c8c6 by Ola Lundqvist at 2023-06-14T22:07:28+02:00 Added minidlna to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -94,6 +94,9 @@ linux (Ben Hutchings) maradns NOTE: 20230614: Added by Front-Desk (opal) -- +minidlna + NOTE: 20230614: Added by Front-Desk (opal) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5d1c8c6681acb4abd6f4d7c28fbeb85474d4b7d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5d1c8c6681acb4abd6f4d7c28fbeb85474d4b7d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Added maradns to dla-needed with a note of low prio.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: a51aaeea by Ola Lundqvist at 2023-06-14T21:53:11+02:00 Added maradns to dla-needed with a note of low prio. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -91,6 +91,9 @@ libusrsctp linux (Ben Hutchings) NOTE: 20230111: perma-added (bwh) -- +maradns + NOTE: 20230614: Added by Front-Desk (opal) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a51aaeea6927e209192a449f8191e87e8b918fbc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a51aaeea6927e209192a449f8191e87e8b918fbc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
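Review bot: the commit message says maradns was added "with a note of low prio", but the hunk adds only "NOTE: 20230614: Added by Front-Desk (opal)", so the low-priority information exists in git history only and not in data/dla-needed.txt. Suggest a second line such as "NOTE: 20230614: Low priority. (opal)" under the entry; the later minidlna commit shows the maradns entry as context with the same single NOTE, so it was not added afterwards either.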
[Git][security-tracker-team/security-tracker][master] Marked imagemagick CVE-2023-3195 as no-dsa.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: ca1db473 by Ola Lundqvist at 2023-06-14T21:43:23+02:00 Marked imagemagick CVE-2023-3195 as no-dsa. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -404,6 +404,7 @@ CVE-2015-10118 (A vulnerability classified as problematic was found in cchetanon NOT-FOR-US: WordPress plugin CVE-2023-3195 [stack overflow when parsing malicious tiff image] - imagemagick + [buster] - imagemagick (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/05/29/1 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/85a370c79afeb45a97842b0959366af5236e9023 (6.9.12-26) NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/f620340935777b28fa3f7b0ed7ed6bd86946934c (7.1.0-11) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca1db4735533faf2204ed8f34a3fbbc63eb7a47e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca1db4735533faf2204ed8f34a3fbbc63eb7a47e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
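Review bot: the new "[buster] - imagemagick (Minor issue)" line carries no rationale, while the entry describes a stack overflow when parsing a malicious tiff image and already references upstream fix commits for both ImageMagick6 (6.9.12-26) and ImageMagick (7.1.0-11); with a fix readily available, a NOTE stating why it is considered minor for buster (or that it waits for the next imagemagick DLA) would make the decision auditable from the tracker.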
[Git][security-tracker-team/security-tracker][master] 2 commits: Marked hoteldruid CVE-2023-34537 as no-dsa (minor issue).
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c4868c6 by Ola Lundqvist at 2023-06-14T21:32:24+02:00 Marked hoteldruid CVE-2023-34537 as no-dsa (minor issue). This follows the practice for many other CVEs with XSS class. - - - - - fd9d2737 by Ola Lundqvist at 2023-06-14T21:34:47+02:00 Marked hoteldruid CVE-2023-33817 as no-dsa (minor issue). SQL injection is a fairly severe issue but this is only for authenticated users. In hotel management they should be trusted enough to not break things. What is more there is another CVE-2021-37832 marked as no-dsa. So leaving this do not cause the system to be more vulnerable than before. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -60,6 +60,7 @@ CVE-2023-34944 (An arbitrary file upload vulnerability in the /fileUpload.lib.ph NOT-FOR-US: Chamilo LMS CVE-2023-34537 (A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacke ...) - hoteldruid + [buster] - hoteldruid (Minor issue) NOTE: https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5 CVE-2023-34396 (Allocation of Resources Without Limits or Throttling vulnerability in ...) - libstruts1.2-java 
@@ -77,6 +78,7 @@ CVE-2023-33933 (Exposure of Sensitive Information to an Unauthorized Actor vulne NOTE: https://github.com/apache/trafficserver/commit/496fa2c4cbdf2b3d6c61760a3fb6675b74b549f0 (8.1.x) CVE-2023-33817 (hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerabil ...) - hoteldruid + [buster] - hoteldruid (Minor issue) NOTE: https://github.com/leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5 CVE-2023-33146 (Microsoft Office Remote Code Execution Vulnerability) NOT-FOR-US: Microsoft View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0d39061dc961caa5ce769d7285fde225c27673e3...fd9d2737eebad69a4254e1d30ea78353994ddc9b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0d39061dc961caa5ce769d7285fde225c27673e3...fd9d2737eebad69a4254e1d30ea78353994ddc9b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
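Review bot: the reasoning for CVE-2023-33817 (SQL injection reachable only by authenticated users, and CVE-2021-37832 already no-dsa) lives only in the commit message; both hunks add just "[buster] - hoteldruid (Minor issue)". Suggest carrying the reasoning into the data file, e.g. "[buster] - hoteldruid (Minor issue; only reachable by authenticated users)", so the tracker page shows it; the same applies to the reflected XSS CVE-2023-34537 in the first hunk, where the "XSS class" practice cited in the commit message could be stated in the reason text.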
[Git][security-tracker-team/security-tracker][master] Added grpc to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d39061d by Ola Lundqvist at 2023-06-14T21:26:43+02:00 Added grpc to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -62,6 +62,9 @@ golang-yaml.v2 (sgmoore) NOTE: 20230125: Added by Front-Desk (gladk) NOTE: 20230525: In review with utkarsh. -- +grpc + NOTE: 20230614: Added by Front-Desk (opal) +-- hdf5 NOTE: 20230318: Added by Front-Desk (utkarsh) NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d39061dc961caa5ce769d7285fde225c27673e3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d39061dc961caa5ce769d7285fde225c27673e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Marked several frr CVEs as no-dsa (minor issue).
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: c5f1c2c5 by Ola Lundqvist at 2023-06-14T21:15:15+02:00 Marked several frr CVEs as no-dsa (minor issue). This follows the practice for similar CVEs in the past for the same package. They are all Denial of Service class and there are plenty of those that were marked as mior issues in the past for this package. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3588,11 +3588,13 @@ CVE-2023-31799 (Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.1 NOT-FOR-US: Chamilo LMS CVE-2023-31490 (An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to c ...) - frr (bug #1036062) + [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/13099 NOTE: https://github.com/FRRouting/frr/pull/12454 NOTE: Fixed by: https://github.com/FRRouting/frr/commit/06431bfa7570f169637ebb5898f0b0cc3b010802 CVE-2023-31489 (An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to c ...) - frr (bug #1036061) + [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/13098 NOTE: Fixed by: https://github.com/FRRouting/frr/commit/b1d33ec293e8e36fbb8766252f3b016d268e31ce CVE-2023-31476 (An issue was discovered on GL.iNet devices running firmware before 3.2 ...) @@ -48757,7 +48759,8 @@ CVE-2022-43682 RESERVED CVE-2022-43681 (An out-of-bounds read exists in the BGP daemon of FRRouting FRR throug ...) - frr (bug #1035829) - NOTE: https://github.com/FRRouting/frr/issues/13427 + [buster] - frr (Minor issue) + NOTE: <https://github.com/FRRouting/frr/issues/13427 NOTE: https://github.com/FRRouting/frr/issues/13480 NOTE: Fixes for CVE-2022-43681/CVE-2022-40318/CVE-2022-40302: NOTE: https://github.com/FRRouting/frr/commit/1117baca3c592877a4d8a13ed6a1d9bd83977487 (base_8.4) 
@@ -58032,6 +58035,7 @@ CVE-2022-40319 (The LISTSERV 17 web interface allows remote attackers to conduct NOT-FOR-US: LISTSERV CVE-2022-40318 (An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By cra ...) - frr (bug #1035829) + [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/13427 NOTE: https://github.com/FRRouting/frr/issues/13480 NOTE: Fixes for CVE-2022-43681/CVE-2022-40318/CVE-2022-40302: @@ -58101,6 +58105,7 @@ CVE-2022-40303 (An issue was discovered in libxml2 before 2.10.3. When parsing a NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2336 CVE-2022-40302 (An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By cra ...) - frr (bug #1035829) + [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/13427 NOTE: https://github.com/FRRouting/frr/issues/13480 NOTE: Fixes for CVE-2022-43681/CVE-2022-40318/CVE-2022-40302: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5f1c2c585360bcb3c29348b6c4806ad3d661b7d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5f1c2c585360bcb3c29348b6c4806ad3d661b7d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
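Review bot: the CVE-2022-43681 hunk replaces "NOTE: https://github.com/FRRouting/frr/issues/13427" with "NOTE: <https://github.com/FRRouting/frr/issues/13427", introducing a stray "<" before the URL and leaving that link broken in the tracker; the identical NOTE in the CVE-2022-40318 and CVE-2022-40302 hunks is untouched and correct, so the line should be restored and only the "[buster] - frr (Minor issue)" addition kept. Also, the Denial of Service reasoning given in the commit message for all five frr CVEs appears nowhere in the entries themselves; a NOTE or a reason text such as "(Minor issue; DoS)" would keep the justification next to the data.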
[Git][security-tracker-team/security-tracker][master] Marked tang CVE-2023-1672 as no-dsa for buster following bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: d7d9296a by Ola Lundqvist at 2023-06-14T21:01:52+02:00 Marked tang CVE-2023-1672 as no-dsa for buster following bullseye. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10870,6 +10870,7 @@ CVE-2023-1672 [Fix race condition when creating/rotating keys] - tang [bookworm] - tang (Minor issue) [bullseye] - tang (Minor issue) + [buster] - tang (Minor issue) NOTE: Fixed by: https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096 CVE-2023-1671 (A pre-auth command injection vulnerability in the warn-proceed handler ...) NOT-FOR-US: Sophos View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7d9296ac83476231d72a71d43d798844ef6cced -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7d9296ac83476231d72a71d43d798844ef6cced You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Marked CVE-2023-1055 (389-ds-base) as no-dsa for buster following decision for bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: ba7b9288 by Ola Lundqvist at 2023-06-12T23:05:57+02:00 Marked CVE-2023-1055 (389-ds-base) as no-dsa for buster folloring decision for bullseye. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16226,6 +16226,7 @@ CVE-2023-1055 (A flaw was found in RHDS 11 and RHDS 12. While browsing entries L - 389-ds-base (bug #1034891) [bookworm] - 389-ds-base (Minor issue) [bullseye] - 389-ds-base (Minor issue) + [buster] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2173517 CVE-2023-1054 (A vulnerability was found in SourceCodester Music Gallery Site 1.0. It ...) NOT-FOR-US: SourceCodester Music Gallery Site View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba7b9288b48b5e897f4be7bcd72a4b2c610c6564 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba7b9288b48b5e897f4be7bcd72a4b2c610c6564 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Added libusrsctp to the packages to fix for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: fdca6ddf by Ola Lundqvist at 2023-06-12T23:00:32+02:00 Added libusrsctp to the packages to fix for buster. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -89,6 +89,9 @@ libfastjson (Thorsten Alteholz) libreoffice (Abhijith PA) NOTE: 20230530: Added by Front-Desk (pochu) -- +libusrsctp + NOTE: 20230612: Added by Front-Desk (opal) +-- linux (Ben Hutchings) NOTE: 20230111: perma-added (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdca6ddf4a5a1383c5e942919a2ac52e2721fe44 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdca6ddf4a5a1383c5e942919a2ac52e2721fe44 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add epiphany-browser to dla-needed.txt
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: ad382ea0 by Ola Lundqvist at 2023-04-23T22:56:28+02:00 LTS: add epiphany-browser to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -59,6 +59,9 @@ emacs NOTE: 20230228: Waiting for confirmation that CVE-2022-48337 regression NOTE: 20230228: is fixed. (bunk) -- +epiphany-browser + NOTE: 20230423: Programming language: C. +-- erlang NOTE: 20221119: Programming language: Erlang. NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad382ea0a4605ea89f3175ec7891ff8bcc2096fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad382ea0a4605ea89f3175ec7891ff8bcc2096fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
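Review bot: the new epiphany-browser entry records only "Programming language: C." and no CVE id, whereas the erlang entry directly below names CVE-2022-37026 as the issue to fix; suggest adding a NOTE with the CVE(s) that prompted the addition and the usual "Added by Front-Desk (handle)" line used by the other entries in this file, so the addition is attributable and the eventual claimer knows what to fix.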